AccessControl, or Authorization, is technically outside the scope of the Shibboleth ServiceProvider software. It is sometimes considered to be a function of a ResourceManager, a component that intercepts requests for resources and decides whether to accept them or not. Often an application acts as its own ResourceManager by examining user attributes while processing requests. Most web servers provide an API for extending them with additional ResourceManager components (Shibboleth itself is implemented with such an API).

The SP software includes a limited ResourceManager component that supports the following features:

The first bullet is not really an AccessControl feature; it simply allows a declarative requirement for authentication based on the URL via the RequestMap facility. Note that the Apache commands supported (e.g. ShibRequireSession) are implemented as an extended RequestMap plugin that permits these settings to be declared either in the Apache configuration, .htaccess files, or ShibbolethXml.

The IAccessControl plugin API is the primary means of implementing AccessControl within Shibboleth itself. There are 2 implementations of the interface supplied with the source code:

Others might of course be available in the future, possible from independent sources.