
The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 and SP3 wiki spaces for current documentation on the supported versions.


The <Rule> element defines a specific access control requirement.


  • require (string)
    • One of a set of predefined "aliases", or the ID/alias of an attribute to examine. The predefined aliases are:
      • valid-user
        • A rule that requires an authenticated session, but nothing else.
      • user
        • A rule based on the REMOTE_USER identity for the request.
      • authnContextClassRef
        • A rule based on the SAML authentication context class or method asserted by the IdP.
      • authnContextDeclRef
        • A rule based on the SAML authentication context declaration asserted by the IdP.
  • list (boolean) (defaults to true)
    • Enables "list" processing on the element's content. If false, the element content is treated as a single value; otherwise, it's a space-delimited list of values.

Element Content

The element's content consists of the data to use as input to the rule. Multiple values can be supplied in a space-separated list, making the rule an implicit <OR>.
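The following fragments are an added illustration, not part of the original documentation, of how the `list` setting changes what a rule matches. The attribute IDs `affiliation` and `group` and all values are constructed, and assume matching entries in the SP's attribute map.

```xml
<!-- Constructed fragments; "affiliation" and "group" are assumed attribute IDs. -->

<!-- Default (list="true"): the content is split on spaces, so a user with
     either "faculty" or "staff" satisfies the rule (implicit OR). -->
<Rule require="affiliation">faculty staff</Rule>

<!-- Pitfall: meant as the single value "Security Admins", but with list
     left at its default the content is read as two values, "Security" and
     "Admins", and a match on either one grants access. -->
<Rule require="group">Security Admins</Rule>

<!-- Corrected: list="false" treats the whole content as one value. -->
<Rule require="group" list="false">Security Admins</Rule>

<!-- Predefined alias: match the SAML authentication context class
     asserted by the IdP instead of a mapped attribute. -->
<Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</Rule>
```

When reviewing an existing policy, check every rule whose intended value contains a space: unless it sets `list="false"`, it accepts more values than the author meant.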
