<AccessControl> element is the root of an XML-based access control policy that prevents access to a resource unless the user's session satisfies the policy. It's a simple, boolean-capable language provided as an example of how to implement an access control plugin.
<AccessControl> <AND> <Rule require="affiliation">email@example.com firstname.lastname@example.org</Rule> <NOT> <Rule require="user">email@example.com</Rule> </NOT> <OR> <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</Rule> <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</Rule> </OR> </AND> </AccessControl>
The example above would enforce a policy that allows only Ohio State faculty or students, other than a single blacklisted person, if they have authenticated with a password or a time-synchronized token.
If you are using the AccessControl element in an external file outside of shibboleth2.xml, you may have to add the "type" attribute shown below.
Any one (and only one) of the following elements can appear: