<SecurityPolicies> element is a container for one or more uniquely identified
<Policy> elements that control low-level security and profile processing performed by the SP. It also contains mechanisms to enable and disable security algorithms.
The system is flexible enough to allow very fine-grained selection of different policies to use for different use cases or even different IdPs, but this is not a commonly needed feature and the vast majority of deployments will just use the defaults, or at least a single default policy.
|1 or more|
Security policy rules.
These must be the first child elements.
|0 or 1||Algorithms to explicitly enable.|
|0 or 1||Algorithms to explicitly disable.|
Custom security policies can be defined at the level of a specific application or protocol endpoint and referenced via a
policyId attribute, but in most cases, the default policy is appropriate for all typical exchanges.
The example below is the default shipping version at the time of authoring. The default policy is the one used for all the typical interactions in the SP. For safety's sake, you will find that just removing some of the obviously named rules won't actually open your system to attacks but you might learn a bit about the system by playing with them.
The second named policy is an example of how to define a special set of rules for an unusual use case, the evaluation of signed SAML Assertions inside SAML metadata. It has only a couple of rules because a lot of the usual message oriented checks don't apply to that use case.
The last line essentially delegates the rules for disabling insecure algorithms to the software's defaults, allowing us to change them easily.