+<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">\r
+\r
+ <!-- Each policy defines a set of rules to use to secure messages. -->\r
+\r
+ <!--\r
+ The predefined policy enforces replay/freshness, standard\r
+ condition processing, and permits signing and client TLS.\r
+ -->\r
+ <Policy id="default" validate="false">\r
+ <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>\r
+ <PolicyRule type="Conditions">\r
+ <PolicyRule type="Audience"/>\r
+ <!-- Enable Delegation rule to permit delegated access. -->\r
+ <!-- <PolicyRule type="Delegation"/> -->\r
+ </PolicyRule>\r
+ <PolicyRule type="ClientCertAuth" errorFatal="true"/>\r
+ <PolicyRule type="XMLSigning" errorFatal="true"/>\r
+ <PolicyRule type="SimpleSigning" errorFatal="true"/>\r
+ </Policy>\r
+\r
+ <!--\r
+ This policy is a place-holder for use of assertions in metadata\r
+ as a way of attaching signed information about particular IdPs.\r
+ -->\r
+ <Policy id="entity-attributes">\r
+ <PolicyRule type="Conditions"/>\r
+ <PolicyRule type="XMLSigning" errorFatal="true"/>\r
+ </Policy>\r
+ \r
+ <!-- Disables known weak algorithms. -->\r
+ <AlgorithmBlacklist>\r
+ http://www.w3.org/2001/04/xmldsig-more#md5\r
+ http://www.w3.org/2001/04/xmldsig-more#rsa-md5\r
+ </AlgorithmBlacklist>\r
+\r
+</SecurityPolicies>\r
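Review bot: The `AlgorithmBlacklist` at the end of the file lists only the MD5 digest and RSA-MD5 signature URIs, so the comment "Disables known weak algorithms." promises more than the list delivers. As far as this file shows, SHA-1 digests and RSA-SHA1 signatures are still accepted wherever the `XMLSigning` rules of the `default` and `entity-attributes` policies apply. If every IdP and metadata signer you consume already signs with SHA-256 or better, add `http://www.w3.org/2000/09/xmldsig#sha1` and `http://www.w3.org/2000/09/xmldsig#rsa-sha1` to the list. Check your peers first, because a partner still signing with SHA-1 would then be rejected. If SHA-1 has to stay for interoperability, reword the comment to `<!-- Disables MD5-based digest and signature algorithms only; SHA-1 is still accepted. -->` so that nobody reads the list as complete.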