1 <?xml version="1.0" encoding="US-ASCII"?>
2 <schema targetNamespace="urn:mace:shibboleth:target:config:1.0"
3 xmlns="http://www.w3.org/2001/XMLSchema"
4 xmlns:conf="urn:mace:shibboleth:target:config:1.0"
5 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
6 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
7 elementFormDefault="qualified"
8 attributeFormDefault="unqualified"
9 blockDefault="substitution"
12 <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="cs-sstc-schema-assertion-1.1.xsd"/>
13 <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
17 1.0 schema for XML-based configuration of Shibboleth target libraries and modules.
18 First appearing in the Shibboleth 1.2 release.
<!-- Non-empty string: minLength 1 means any attribute or element typed conf:string is rejected
     by validation when its value is empty. -->
22 <simpleType name="string">
23 <restriction base="string">
24 <minLength value="1"/>
28 <simpleType name="listOfStrings">
29 <list itemType="conf:string"/>
32 <simpleType name="listOfURIs">
33 <list itemType="anyURI"/>
<!-- Generic shape of a plug-in element. The required type attribute selects the plug-in; uri is an
     optional anyURI whose meaning is plug-in specific and not stated in this schema. Child content
     and extra attributes from any namespace are accepted with processContents="lax", i.e. they are
     validated only if a declaration for them happens to be known to the validator. In practice the
     plug-in itself is the only place its own configuration gets checked. -->
36 <complexType name="PluggableType">
38 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
40 <attribute name="type" type="conf:string" use="required"/>
41 <attribute name="uri" type="anyURI" use="optional"/>
42 <anyAttribute namespace="##any" processContents="lax"/>
45 <element name="ShibbolethTargetConfig" type="conf:SPConfigType"/>
46 <element name="SPConfig" type="conf:SPConfigType"/>
47 <complexType name="SPConfigType">
49 <documentation>Root element of configuration file</documentation>
52 <element ref="conf:Extensions" minOccurs="0"/>
53 <choice minOccurs="0">
54 <element name="Global" type="conf:GlobalConfigurationType"/>
55 <element name="SHAR" type="conf:GlobalConfigurationType"/>
57 <choice minOccurs="0">
58 <element name="Local" type="conf:LocalConfigurationType"/>
59 <element name="SHIRE" type="conf:LocalConfigurationType"/>
61 <element ref="conf:Applications"/>
62 <element name="CredentialsProvider" type="conf:PluggableType" minOccurs="0" maxOccurs="unbounded"/>
63 <element ref="conf:AttributeFactory" minOccurs="0" maxOccurs="unbounded"/>
65 <attribute name="logger" type="anyURI" use="optional"/>
66 <attribute name="clockSkew" type="unsignedInt" use="optional"/>
67 <anyAttribute namespace="##other" processContents="lax"/>
70 <element name="Extensions">
72 <documentation>Container for extension libraries and custom configuration</documentation>
<!-- Each Library requires a path (anyURI). fatal is an optional boolean with no schema default, so
     what happens when a library cannot be loaded, and whether that is fatal by default, is decided
     by the implementation rather than visible in an instance document.
     NOTE(review): the path presumably names code that gets loaded into the process (confirm against
     the loader); if so, write access to this configuration file and to the referenced path is part
     of the deployment's trust boundary. -->
76 <element name="Library" minOccurs="0" maxOccurs="unbounded">
79 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
81 <attribute name="path" type="anyURI" use="required"/>
82 <attribute name="fatal" type="boolean" use="optional"/>
83 <anyAttribute namespace="##other" processContents="lax"/>
<!-- Custom configuration from other namespaces is allowed alongside Library, again with lax processing. -->
86 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
91 <complexType name="GlobalConfigurationType">
93 <documentation>Container for global (server independent) configuration</documentation>
96 <element ref="conf:Extensions" minOccurs="0"/>
<!-- Listener variants. UnixListener only needs an address. -->
98 <element name="UnixListener">
100 <attribute name="address" type="conf:string" use="required"/>
<!-- TCPListener needs address and port. acl is a conf:listOfStrings, i.e. a whitespace-separated
     list, and its schema default is the single entry 127.0.0.1: unless acl is widened explicitly,
     the default grants access only to the IPv4 loopback address. Keep it that way unless the
     listener really has to accept connections from other hosts, and then list only those. -->
103 <element name="TCPListener">
105 <attribute name="address" type="conf:string" use="required"/>
106 <attribute name="port" type="unsignedInt" use="required"/>
107 <attribute name="acl" type="conf:listOfStrings" default="127.0.0.1"/>
110 <element name="MemoryListener" type="conf:PluggableType"/>
111 <element name="Listener" type="conf:PluggableType"/>
<!-- Session cache variants; all share the attributes of conf:SessionCacheProperties. -->
114 <element name="MemorySessionCache">
116 <attributeGroup ref="conf:SessionCacheProperties"/>
117 <anyAttribute namespace="##other" processContents="lax"/>
<!-- MySQLSessionCache: mysqlTimeout defaults to 14400 (unit not stated in the schema; presumably
     seconds, confirm). storeAttributes defaults to false; presumably it controls whether user
     attributes are written to the database as well as the session (confirm against the plug-in).
     Argument children are free-form conf:string values passed through unvalidated. -->
120 <element name="MySQLSessionCache">
123 <element name="Argument" type="conf:string" minOccurs="0" maxOccurs="unbounded"/>
125 <attributeGroup ref="conf:SessionCacheProperties"/>
126 <attribute name="mysqlTimeout" type="unsignedInt" use="optional" default="14400"/>
127 <attribute name="storeAttributes" type="boolean" use="optional" default="false"/>
128 <anyAttribute namespace="##other" processContents="lax"/>
<!-- Generic SessionCache: a PluggableType extended with the shared cache attributes. -->
131 <element name="SessionCache">
134 <extension base="conf:PluggableType">
135 <attributeGroup ref="conf:SessionCacheProperties"/>
<!-- The replay cache is optional at the schema level (minOccurs="0"). Whether omitting it disables
     replay detection, or falls back to a built-in cache, is decided by the implementation and is
     not expressed here. -->
141 <choice minOccurs="0">
142 <element name="MySQLReplayCache">
145 <element name="Argument" type="conf:string" minOccurs="0" maxOccurs="unbounded"/>
147 <anyAttribute namespace="##other" processContents="lax"/>
150 <element name="ReplayCache" type="conf:PluggableType"/>
152 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
154 <attribute name="logger" type="anyURI" use="optional"/>
155 <anyAttribute namespace="##other" processContents="lax"/>
<!-- Timing and policy attributes shared by the session cache elements. The intervals are
     unsignedInt with no unit declared in the schema; presumably seconds (28800 would be 8 hours,
     1800 would be 30 minutes) but confirm against the implementation before relying on that. -->
158 <attributeGroup name="SessionCacheProperties">
159 <attribute name="cleanupInterval" type="unsignedInt" use="optional" default="300"/>
160 <attribute name="cacheTimeout" type="unsignedInt" use="optional" default="28800"/>
161 <attribute name="AAConnectTimeout" type="unsignedInt" use="optional" default="15"/>
162 <attribute name="AATimeout" type="unsignedInt" use="optional" default="30"/>
163 <attribute name="defaultLifetime" type="unsignedInt" use="optional" default="1800"/>
164 <attribute name="retryInterval" type="unsignedInt" use="optional" default="300"/>
<!-- Both policy flags have schema defaults: strictValidity is on and propagateErrors is off unless
     an instance sets them explicitly. -->
165 <attribute name="strictValidity" type="boolean" use="optional" default="true"/>
166 <attribute name="propagateErrors" type="boolean" use="optional" default="false"/>
169 <complexType name="LocalConfigurationType">
172 Container for configuration of locally integrated or platform-specific
173 features (e.g. web server filters)
177 <element ref="conf:Extensions" minOccurs="0"/>
178 <element name="RequestMapProvider" type="conf:PluggableType" minOccurs="0"/>
<!-- Implementation holds one or more platform-specific blocks: the ISAPI element declared in this
     schema, or any element from another namespace (lax, so not validated here). -->
179 <element name="Implementation" minOccurs="0">
181 <choice maxOccurs="unbounded">
182 <element ref="conf:ISAPI"/>
183 <any namespace="##other" processContents="lax"/>
187 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
189 <attribute name="logger" type="anyURI" use="optional"/>
<!-- localRelayState defaults to false. unsetHeaderValue is a free-form conf:string. -->
190 <attribute name="localRelayState" type="boolean" use="optional" default="false"/>
191 <attribute name="unsetHeaderValue" type="conf:string" use="optional"/>
<!-- checkSpoofing and catchAll are optional booleans with no schema default: when an instance omits
     them the effective value comes from the implementation and cannot be read off the document.
     Reviewers auditing a deployment should therefore not treat an absent checkSpoofing as either
     enabled or disabled without checking the implementation's own default. -->
192 <attribute name="checkSpoofing" type="boolean" use="optional"/>
193 <attribute name="catchAll" type="boolean" use="optional"/>
194 <anyAttribute namespace="##other" processContents="lax"/>
197 <element name="ISAPI">
200 <element name="Site" maxOccurs="unbounded">
203 <element name="Alias" type="conf:string" minOccurs="0" maxOccurs="unbounded"/>
205 <attribute name="id" type="unsignedInt" use="required"/>
206 <attribute name="name" type="conf:string" use="required"/>
207 <attribute name="port" type="unsignedInt" use="optional"/>
208 <attribute name="sslport" type="unsignedInt" use="optional"/>
209 <attribute name="scheme" type="conf:string" use="optional"/>
212 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
214 <attribute name="normalizeRequest" type="boolean" use="optional"/>
215 <anyAttribute namespace="##other" processContents="lax"/>
218 <element name="NSAPI" type="anyType"/>
219 <element name="Java" type="anyType"/>
221 <element name="AccessControl" type="conf:UniOperatorType">
224 A simple example of an access policy language extension that supersedes Apache .htaccess
228 <element name="OR" type="conf:MultiOperatorType"/>
229 <element name="AND" type="conf:MultiOperatorType"/>
230 <element name="NOT" type="conf:UniOperatorType"/>
231 <complexType name="UniOperatorType">
233 <element ref="conf:AND"/>
234 <element ref="conf:OR"/>
235 <element ref="conf:NOT"/>
236 <element ref="conf:Rule"/>
239 <complexType name="MultiOperatorType">
240 <choice minOccurs="2" maxOccurs="unbounded">
241 <element ref="conf:AND"/>
242 <element ref="conf:OR"/>
243 <element ref="conf:NOT"/>
244 <element ref="conf:Rule"/>
247 <element name="Rule">
250 <extension base="conf:listOfStrings">
251 <attribute name="require" type="conf:string" use="required"/>
257 <attributeGroup name="ContentSettings">
258 <attribute name="authType" type="conf:string" use="optional"/>
259 <attribute name="requireSession" type="boolean" use="optional"/>
260 <attribute name="requireSessionWith" type="conf:string" use="optional"/>
261 <attribute name="exportAssertion" type="boolean" use="optional"/>
262 <attribute name="redirectToSSL" type="unsignedInt" use="optional"/>
263 <anyAttribute namespace="##other" processContents="lax"/>
265 <element name="AccessControlProvider" type="conf:PluggableType"/>
266 <element name="htaccess" type="conf:PluggableType"/>
268 <element name="RequestMap">
271 Built-in request mapping syntax, decomposes URLs into Host/Path/Path/...
276 <choice minOccurs="0">
277 <element ref="conf:htaccess"/>
278 <element ref="conf:AccessControl"/>
279 <element ref="conf:AccessControlProvider"/>
281 <choice minOccurs="0" maxOccurs="unbounded">
282 <element ref="conf:Host"/>
283 <element ref="conf:HostRegex"/>
286 <attribute name="applicationId" type="conf:string" fixed="default"/>
287 <attributeGroup ref="conf:ContentSettings"/>
291 <element name="Host">
294 <choice minOccurs="0">
295 <element ref="conf:htaccess"/>
296 <element ref="conf:AccessControl"/>
297 <element ref="conf:AccessControlProvider"/>
299 <choice minOccurs="0" maxOccurs="unbounded">
300 <element ref="conf:Path"/>
301 <element ref="conf:PathRegex"/>
304 <attribute name="scheme" use="optional">
306 <restriction base="string">
307 <enumeration value="http"/>
308 <enumeration value="https"/>
309 <enumeration value="ftp"/>
310 <enumeration value="ldap"/>
311 <enumeration value="ldaps"/>
315 <attribute name="name" type="conf:string" use="required"/>
316 <attribute name="port" type="unsignedInt" use="optional"/>
317 <attribute name="applicationId" type="conf:string" use="optional"/>
318 <attributeGroup ref="conf:ContentSettings"/>
322 <element name="HostRegex">
325 <choice minOccurs="0">
326 <element ref="conf:htaccess"/>
327 <element ref="conf:AccessControl"/>
328 <element ref="conf:AccessControlProvider"/>
330 <choice minOccurs="0" maxOccurs="unbounded">
331 <element ref="conf:Path"/>
332 <element ref="conf:PathRegex"/>
335 <attribute name="regex" type="conf:string" use="required"/>
336 <attribute name="ignoreCase" type="boolean" default="true"/>
337 <attribute name="applicationId" type="conf:string"/>
338 <attributeGroup ref="conf:ContentSettings"/>
342 <element name="Path">
345 <choice minOccurs="0">
346 <element ref="conf:htaccess"/>
347 <element ref="conf:AccessControl"/>
348 <element ref="conf:AccessControlProvider"/>
350 <choice minOccurs="0" maxOccurs="unbounded">
351 <element ref="conf:Path"/>
352 <element ref="conf:PathRegex"/>
355 <attribute name="name" type="conf:string" use="required"/>
356 <attribute name="applicationId" type="conf:string" use="optional"/>
357 <attributeGroup ref="conf:ContentSettings"/>
361 <element name="PathRegex">
364 <choice minOccurs="0">
365 <element ref="conf:htaccess"/>
366 <element ref="conf:AccessControl"/>
367 <element ref="conf:AccessControlProvider"/>
370 <attribute name="regex" type="conf:string" use="required"/>
371 <attribute name="ignoreCase" type="boolean" default="true"/>
372 <attribute name="applicationId" type="conf:string"/>
373 <attributeGroup ref="conf:ContentSettings"/>
377 <element name="Applications">
379 <documentation>Container for global target settings and application-specific overrides</documentation>
383 <element ref="conf:Sessions"/>
384 <element ref="conf:Errors"/>
385 <element ref="conf:CredentialUse" minOccurs="0"/>
386 <choice minOccurs="0" maxOccurs="unbounded">
387 <element ref="saml:AttributeDesignator"/>
388 <element ref="saml:Audience"/>
389 <element name="AAPProvider" type="conf:PluggableType"/>
390 <!-- deprecated --> <element name="FederationProvider" type="conf:PluggableType"/>
391 <element name="MetadataProvider" type="conf:PluggableType"/>
392 <element name="TrustProvider" type="conf:PluggableType"/>
394 <element ref="conf:Application" minOccurs="0" maxOccurs="unbounded"/>
396 <attribute name="id" type="conf:string" fixed="default"/>
397 <attribute name="providerId" type="anyURI" use="required"/>
398 <attribute name="homeURL" type="anyURI" use="optional"/>
399 <anyAttribute namespace="##other" processContents="lax"/>
403 <element name="Application">
405 <documentation>Container for application-specific overrides</documentation>
409 <element ref="conf:Sessions" minOccurs="0"/>
410 <element ref="conf:Errors" minOccurs="0"/>
411 <element ref="conf:CredentialUse" minOccurs="0"/>
412 <choice minOccurs="0" maxOccurs="unbounded">
413 <element ref="saml:AttributeDesignator"/>
414 <element ref="saml:Audience"/>
415 <element name="AAPProvider" type="conf:PluggableType"/>
416 <!-- deprecated --> <element name="FederationProvider" type="conf:PluggableType"/>
417 <element name="MetadataProvider" type="conf:PluggableType"/>
418 <element name="TrustProvider" type="conf:PluggableType"/>
421 <attribute name="id" type="conf:string" use="required"/>
422 <attribute name="providerId" type="anyURI" use="optional"/>
423 <attribute name="homeURL" type="anyURI" use="optional"/>
424 <anyAttribute namespace="##other" processContents="lax"/>
428 <element name="KeyInfoResolver" type="conf:PluggableType">
431 Custom plug-in that resolves ds:KeyInfo elements into public keys, used in
432 TrustProvider elements.
437 <element name="Sessions">
439 <documentation>Container for specifying app session establishment and policy</documentation>
<!-- Endpoint children: this schema's SessionInitiator, the SAML 2.0 metadata AssertionConsumerService
     and SingleLogoutService elements, or an ExtensionService plug-in, in any number and order. -->
442 <choice minOccurs="0" maxOccurs="unbounded">
443 <element ref="conf:SessionInitiator"/>
444 <element ref="md:AssertionConsumerService"/>
445 <element ref="md:SingleLogoutService"/>
446 <element name="ExtensionService" type="conf:PluggableType"/>
<!-- wayfURL, shireURL and shireSSL are deprecated; handlerURL and handlerSSL are the current pair,
     and handlerSSL defaults to true. -->
448 <!-- deprecated --> <attribute name="wayfURL" type="anyURI" use="optional"/>
449 <!-- deprecated --> <attribute name="shireURL" type="anyURI" use="optional"/>
450 <!-- deprecated --> <attribute name="shireSSL" type="boolean" use="optional"/>
451 <attribute name="handlerURL" type="anyURI" use="optional"/>
452 <attribute name="handlerSSL" type="boolean" use="optional" default="true"/>
<!-- cookieProps is a free-form conf:string; the schema does not constrain which cookie attributes it
     may carry, so nothing at validation time checks that the session cookie is marked the way the
     deployment expects. -->
453 <attribute name="cookieName" type="conf:string" use="optional"/>
454 <attribute name="cookieProps" type="conf:string" use="optional"/>
455 <attribute name="idpHistory" type="boolean" use="optional" default="true"/>
456 <attribute name="idpHistoryDays" type="unsignedInt" use="optional"/>
<!-- lifetime and timeout are unsignedInt with no unit given in the schema (presumably seconds;
     confirm against the implementation). -->
457 <attribute name="lifetime" type="unsignedInt" use="optional"/>
458 <attribute name="timeout" type="unsignedInt" use="optional"/>
<!-- Session policy defaults visible here: consistentAddress and checkReplay default to true.
     checkAddress has no schema default, so its effective value when omitted is implementation-defined. -->
459 <attribute name="checkAddress" type="boolean" use="optional"/>
460 <attribute name="consistentAddress" type="boolean" use="optional" default="true"/>
461 <attribute name="checkReplay" type="boolean" use="optional" default="true"/>
462 <anyAttribute namespace="##other" processContents="lax"/>
465 <element name="SessionInitiator">
467 <documentation>Used to specify WAYF/Discovery services (external or internal)</documentation>
471 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
473 <attribute name="Location" type="anyURI" use="required"/>
474 <attribute name="Binding" type="anyURI" use="required"/>
475 <attribute name="wayfURL" type="anyURI" use="optional"/>
476 <attribute name="wayfBinding" type="anyURI" use="optional"/>
477 <attribute name="checkCDC" type="anyURI" use="optional"/>
478 <attribute name="isDefault" type="boolean" use="optional"/>
479 <attribute name="id" type="conf:string" use="optional"/>
480 <anyAttribute namespace="##any" processContents="lax"/>
484 <element name="Errors">
486 <documentation>Container for error templates and associated details</documentation>
490 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
492 <!-- deprecated --> <attribute name="shire" type="anyURI" use="optional"/>
493 <attribute name="session" type="anyURI" use="optional"/>
494 <attribute name="metadata" type="anyURI" use="optional"/>
495 <attribute name="rm" type="anyURI" use="required"/>
496 <attribute name="access" type="anyURI" use="optional"/>
497 <attribute name="ssl" type="anyURI" use="optional"/>
498 <attribute name="supportContact" type="conf:string" use="optional"/>
499 <attribute name="logoLocation" type="anyURI" use="optional"/>
500 <attribute name="styleSheet" type="anyURI" use="optional"/>
501 <anyAttribute namespace="##any" processContents="lax"/>
<!-- Credential selection shared by CredentialUse and its RelyingParty overrides. TLS and Signing are
     free-form conf:string values (presumably names of credentials declared elsewhere; confirm). -->
505 <attributeGroup name="CredentialUseGroup">
506 <attribute name="TLS" type="conf:string" use="optional"/>
507 <attribute name="Signing" type="conf:string" use="optional"/>
<!-- signRequest, signedResponse and signedAssertions all default to false, so signing outbound
     requests and requiring signed responses or assertions are opt-in at the schema level.
     signatureAlg and digestAlg are unrestricted anyURI values: the schema does not limit which
     algorithms may be named, so a weak choice is not rejected by validation. -->
508 <attribute name="signRequest" type="boolean" use="optional" default="false"/>
509 <attribute name="signatureAlg" type="anyURI" use="optional"/>
510 <attribute name="digestAlg" type="anyURI" use="optional"/>
511 <attribute name="signedResponse" type="boolean" use="optional" default="false"/>
512 <attribute name="signedAssertions" type="boolean" use="optional" default="false"/>
<!-- authType is restricted to basic, digest, ntlm or gss. -->
513 <attribute name="authType" use="optional">
515 <restriction base="string">
516 <enumeration value="basic"/>
517 <enumeration value="digest"/>
518 <enumeration value="ntlm"/>
519 <enumeration value="gss"/>
<!-- authUsername and authPassword declare no type, so any value is accepted. authPassword is a
     secret stored as a plain attribute value in this configuration document, which the schema
     cannot protect: restrict read access to the file and keep it out of shared repositories. -->
523 <attribute name="authUsername" use="optional"/>
524 <attribute name="authPassword" use="optional"/>
527 <element name="CredentialUse">
529 <documentation>Container for specifying credentials to use</documentation>
533 <element name="RelyingParty" minOccurs="0" maxOccurs="unbounded">
536 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
538 <attribute name="Name" type="conf:string" use="required"/>
539 <attributeGroup ref="conf:CredentialUseGroup"/>
540 <anyAttribute namespace="##other" processContents="lax"/>
543 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
545 <attributeGroup ref="conf:CredentialUseGroup"/>
546 <anyAttribute namespace="##other" processContents="lax"/>
550 <element name="AttributeFactory">
552 <documentation>Specifies a plugin that implements a specialized SAML attribute</documentation>
556 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
558 <attribute name="type" type="conf:string" use="required"/>
559 <attribute name="AttributeName" type="conf:string" use="required"/>
560 <anyAttribute namespace="##other" processContents="lax"/>