1 <?xml version="1.0" encoding="US-ASCII"?>
2 <schema targetNamespace="urn:mace:shibboleth:1.0"
3 xmlns="http://www.w3.org/2001/XMLSchema"
4 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
5 xmlns:xml="http://www.w3.org/XML/1998/namespace"
6 xmlns:shib="urn:mace:shibboleth:1.0"
7 elementFormDefault="qualified"
8 attributeFormDefault="unqualified"
11 <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
12 <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
<!-- Both schemaLocation values above are relative file names, so a validator loads
     whichever xmldsig-core-schema.xsd and xml.xsd its resolver finds for them.
     Deploy reviewed local copies next to this schema (or pin them in a catalog)
     and do not let the validator fetch imported schemas over the network. -->
14 <!-- Status-Related Information -->
17 The following SAML sub-status codes are defined in this namespace:
20 Used with samlp:Requester; signals that the AA did not recognize the handle as valid
24 Relaxes SAML AttributeValue type definition. Xerces-C has a bug that prevents
25 anyAttribute content appearing on anyType. It works in 2.2 but not in later versions.
<!-- AttributeValueType: a mixed-content extension of anyType, so the schema puts no
     constraint on what an attribute value contains. Passing validation against this
     type says nothing about the value itself; any filtering has to come from the
     attribute acceptance policy or from the consuming application. -->
28 <complexType name="AttributeValueType" mixed="true">
30 <documentation xml:lang="en">
31 By convention, all Shibboleth 1.1 origin attribute values carry this unconstrained xsi:type.
35 <extension base="anyType"/>
39 <!-- Attribute Acceptance Policies -->
<!-- AttributeRuleValueType: the three ways the text of a Scope or Value rule can be
     interpreted (literal, regexp, xpath). Both rule elements default to "literal".
     NOTE(review): rule text is typed as plain string, so a regexp or xpath rule is not
     syntax-checked by schema validation, and whether a regexp has to match the whole
     value or only part of it is not defined here. Confirm against the consumer and
     write patterns with explicit anchors. -->
41 <simpleType name="AttributeRuleValueType">
42 <restriction base="string">
43 <enumeration value="literal"/>
44 <enumeration value="regexp"/>
45 <enumeration value="xpath"/>
<!-- SiteRuleType: the rules that apply to one site. The visible declarations are
     zero or more Scope rules followed by an optional choice between AnyValue and
     one or more Value rules.
     Accept defaults to "true" on both Scope and Value, so an entry written without
     Accept is an accept rule; a rejecting rule must say Accept="false" explicitly.
     Type defaults to "literal".
     The wildcards are namespace="##other": attributes from foreign namespaces are
     tolerated (lax), but an unqualified attribute that is not declared here, such
     as a misspelled Accept, is rejected by validation. -->
49 <complexType name="SiteRuleType">
51 <element name="Scope" minOccurs="0" maxOccurs="unbounded">
54 <extension base="string">
55 <attribute name="Accept" type="boolean" use="optional" default="true"/>
56 <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
57 <anyAttribute namespace="##other" processContents="lax"/>
62 <choice minOccurs="0">
63 <element name="AnyValue">
66 <anyAttribute namespace="##other" processContents="lax"/>
69 <element name="Value" maxOccurs="unbounded">
72 <extension base="string">
73 <attribute name="Accept" type="boolean" use="optional" default="true"/>
74 <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
75 <anyAttribute namespace="##other" processContents="lax"/>
<!-- AnySite uses SiteRuleType as is, with no site name. SiteRule extends the same
     type with a required Name attribute.
     NOTE(review): presumably AnySite rules apply whatever site asserted the
     attribute and SiteRule rules apply only to the named site; the schema does not
     say how the two combine when both match, so confirm the precedence in the
     consumer before relying on an AnySite rule to restrict anything. -->
84 <element name="AnySite" type="shib:SiteRuleType"/>
85 <element name="SiteRule">
88 <extension base="shib:SiteRuleType">
89 <attribute name="Name" type="string" use="required"/>
90 <anyAttribute namespace="##other" processContents="lax"/>
<!-- AttributeRuleType: the acceptance rule for one attribute. Holds an optional
     AnySite and any number of SiteRule children. Name is required; Namespace,
     Alias and Header are optional strings.
     Defaults to keep in mind when reading a policy: Scoped is "false" and
     CaseSensitive is "true" when omitted.
     NOTE(review): Header looks like the name under which the value is exported to
     the protected application. If so, that name is security relevant: the
     application must not be able to receive the same header from the client.
     Confirm against the consumer. -->
96 <complexType name="AttributeRuleType">
98 <element ref="shib:AnySite" minOccurs="0"/>
99 <element ref="shib:SiteRule" minOccurs="0" maxOccurs="unbounded"/>
101 <attribute name="Name" type="string" use="required"/>
102 <attribute name="Namespace" type="string" use="optional"/>
103 <attribute name="Alias" type="string" use="optional"/>
104 <attribute name="Header" type="string" use="optional"/>
105 <attribute name="Scoped" type="boolean" use="optional" default="false"/>
106 <attribute name="CaseSensitive" type="boolean" use="optional" default="true"/>
107 <anyAttribute namespace="##other" processContents="lax"/>
<!-- AttributeRule: global element of AttributeRuleType. The SiteRuleKey identity
     constraint makes the Name of each SiteRule child unique within one
     AttributeRule, so two competing rule sets for the same site name fail
     validation. The comparison is on the exact string value, so names differing
     only in case or whitespace count as different sites. -->
110 <element name="AttributeRule" type="shib:AttributeRuleType">
111 <key name="SiteRuleKey">
112 <selector xpath="./shib:SiteRule"/>
113 <field xpath="@Name"/>
<!-- AttributeAcceptancePolicy: root element of a policy file, holding an optional
     AnyAttribute child and any number of AttributeRule children.
     NOTE(review): both visible children are optional, so a policy with no rules at
     all appears to be schema-valid. What a consumer does with an attribute that no
     rule matches is not defined here; confirm that the default is to drop it. -->
117 <element name="AttributeAcceptancePolicy">
120 <element name="AnyAttribute" minOccurs="0">
125 <element ref="shib:AttributeRule" minOccurs="0" maxOccurs="unbounded"/>
127 <anyAttribute namespace="##other" processContents="lax"/>
132 <!-- Shibboleth Metadata -->
<!-- SiteType: base type for site metadata. Holds optional language-tagged Alias
     strings and optional Contact entries. Name is required; ErrorURL is an optional
     anyURI.
     The wildcard here is namespace="##any" with lax processing. Unlike the
     "##other" wildcards in the acceptance-policy types, it also matches unqualified
     attributes, so a misspelled optional attribute (a mistyped ErrorURL, say) is
     still schema-valid and the intended setting is silently absent. -->
134 <complexType name="SiteType">
136 <documentation xml:lang="en">All sites have a Name attribute, plus optional i18n-ized aliases.</documentation>
139 <element name="Alias" minOccurs="0" maxOccurs="unbounded">
142 <extension base="string">
143 <attribute ref="xml:lang"/>
148 <element name="Contact" type="shib:ContactType" minOccurs="0" maxOccurs="unbounded"/>
150 <attribute name="Name" type="string" use="required"/>
151 <attribute name="ErrorURL" type="anyURI" use="optional"/>
152 <anyAttribute namespace="##any" processContents="lax"/>
<!-- ContactTypeType: closed list of contact roles, used as the type of the required
     Type attribute on ContactType. Any other value fails validation. -->
155 <simpleType name="ContactTypeType">
156 <restriction base="string">
157 <enumeration value="technical"/>
158 <enumeration value="support"/>
159 <enumeration value="administrative"/>
160 <enumeration value="billing"/>
161 <enumeration value="other"/>
<!-- ContactType: one human contact, with a required role (Type) and Name and an
     optional Email. Email is a plain string, so the schema does not check that it
     is a well-formed address; anything that displays or mails to it should treat
     it as unvalidated text taken from the metadata. -->
165 <complexType name="ContactType">
166 <annotation><documentation xml:lang="en">A human contact for a site.</documentation></annotation>
168 <attribute name="Type" type="shib:ContactTypeType" use="required"/>
169 <attribute name="Name" type="string" use="required"/>
170 <attribute name="Email" type="string" use="optional"/>
<!-- regexp_string: string content plus an optional boolean regexp attribute that
     defaults to "false", so the text is a literal unless regexp="true" is given.
     This type is used by Domain (allowable attribute scopes) and by Subject in
     KeyAuthorityType (the entities a key is bound to), so a pattern that is broader
     than intended widens what is trusted. The schema does not check the pattern
     syntax.
     NOTE(review): whether the pattern must match the whole value is not defined
     here. Confirm in the consumer and anchor patterns explicitly. -->
173 <complexType name="regexp_string">
175 <documentation xml:lang="en">A string element with an optional attribute signaling regexp content.</documentation>
178 <extension base="string">
179 <attribute name="regexp" type="boolean" use="optional" default="false"/>
<!-- AuthorityType: a SAML authority described by a required Name and a required
     Location of type anyURI. anyURI does not restrict the scheme, so the schema
     accepts a non-TLS location; requiring https is left to the consumer.
     The "##any" lax wildcard also lets unqualified, undeclared attributes through
     validation. -->
184 <complexType name="AuthorityType">
186 <documentation xml:lang="en">Metadata about a SAML authority.</documentation>
189 <attribute name="Name" type="string" use="required"/>
190 <attribute name="Location" type="anyURI" use="required"/>
191 <anyAttribute namespace="##any" processContents="lax"/>
<!-- OriginSiteType: extends SiteType with at least one HandleService, optional
     AttributeAuthority entries and optional Domain entries.
     Domain is optional, so an origin site with no Domain at all is schema-valid.
     NOTE(review): confirm that the consumer treats a missing Domain list as
     "no scope is allowed" rather than "every scope is allowed". -->
194 <complexType name="OriginSiteType">
196 <documentation xml:lang="en">
197 Origin sites add at least one handle service (with a name), plus optional domains trusted for attribute scoping.
201 <extension base="shib:SiteType">
203 <element name="HandleService" type="shib:AuthorityType" maxOccurs="unbounded"/>
204 <element name="AttributeAuthority" type="shib:AuthorityType" minOccurs="0" maxOccurs="unbounded"/>
205 <element ref="shib:Domain" minOccurs="0" maxOccurs="unbounded"/>
<!-- Domain: global element of type regexp_string, referenced from OriginSiteType.
     Its text is a literal unless regexp="true" is set on the element. -->
211 <element name="Domain" type="shib:regexp_string">
213 <documentation xml:lang="en">A metadata extension used to regulate allowable attribute scopes.</documentation>
<!-- DestinationSiteType: extends SiteType with at least one
     AssertionConsumerServiceURL (required Location, optional Id) and at least one
     AttributeRequester (required Name).
     Location is declared as string here, whereas AuthorityType declares its
     Location as anyURI. Schema validation therefore accepts any text as an
     assertion consumer location; the consumer has to parse it as a URL, check the
     scheme, and compare it exactly against the endpoint it is about to use. -->
217 <complexType name="DestinationSiteType">
219 <documentation xml:lang="en">
220 Destination sites add at least one attribute requester (with a name).
224 <extension base="shib:SiteType">
226 <element name="AssertionConsumerServiceURL" maxOccurs="unbounded">
228 <attribute name="Location" type="string" use="required"/>
229 <attribute name="Id" type="string" use="optional"/>
230 <anyAttribute namespace="##any" processContents="lax"/>
233 <element name="AttributeRequester" maxOccurs="unbounded">
235 <attribute name="Name" type="string" use="required"/>
236 <anyAttribute namespace="##any" processContents="lax"/>
<!-- SiteGroupType: a named group of one or more OriginSite, DestinationSite or
     nested SiteGroup elements, followed by an optional ds:Signature.
     Points a consumer must handle itself, because the schema does not:
     * ds:Signature has minOccurs="0", so an unsigned group is schema-valid.
       Validation is not authentication; where the metadata drives trust decisions,
       require the signature and verify it against a key obtained out of band.
     * validUntil, lastChanged and cacheDuration are all optional. Decide how
       metadata with no validUntil is treated.
     * The wildcard is "##any" (lax), so a misspelled unqualified attribute, such as
       a mistyped validUntil, still validates and the intended expiry is absent.
     * SiteGroup may contain SiteGroup with no depth limit in the schema; bound the
       nesting depth and document size when parsing metadata from another party.
     NOTE(review): whether a signature on an outer group is meant to cover nested
     groups is not stated here. Confirm in the consumer. -->
244 <complexType name="SiteGroupType">
246 <documentation xml:lang="en">Used to logically group sites together, optionally signed.</documentation>
249 <choice maxOccurs="unbounded">
250 <element ref="shib:OriginSite"/>
251 <element ref="shib:DestinationSite"/>
252 <element ref="shib:SiteGroup"/>
254 <element ref="ds:Signature" minOccurs="0"/>
256 <attribute name="Name" type="string" use="required"/>
257 <attribute name="lastChanged" type="dateTime" use="optional"/>
258 <attribute name="validUntil" type="dateTime" use="optional"/>
259 <attribute name="cacheDuration" type="duration" use="optional"/>
260 <anyAttribute namespace="##any" processContents="lax"/>
<!-- Global elements for the three metadata types. Each is declared globally, so any
     of them can be the root of a metadata document; a lone OriginSite or
     DestinationSite root has no place for a ds:Signature in its type as declared
     here. -->
263 <element name="OriginSite" type="shib:OriginSiteType"/>
264 <element name="DestinationSite" type="shib:DestinationSiteType"/>
265 <element name="SiteGroup" type="shib:SiteGroupType"/>
268 <!-- Old (pre 1.2) Trust Metadata -->
<!-- KeyAuthorityType: one required ds:KeyInfo plus zero or more Subject entries of
     type regexp_string.
     The documentation text says the keys are bound to "one or more" entities, but
     Subject has minOccurs="0", so a KeyAuthority with no Subject is schema-valid.
     NOTE(review): confirm that the consumer does not read a missing Subject list as
     "valid for any subject". A Subject with regexp="true" binds the keys to every
     name its pattern matches, so review such patterns as carefully as the keys. -->
270 <complexType name="KeyAuthorityType">
272 <documentation xml:lang="en">
273 Binds a set of keying material to one or more named system entities.
277 <element ref="ds:KeyInfo"/>
278 <element name="Subject" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
280 <anyAttribute namespace="##any" processContents="lax"/>
<!-- KeyAuthority: global element of KeyAuthorityType, referenced from Trust. -->
282 <element name="KeyAuthority" type="shib:KeyAuthorityType"/>
<!-- Trust: one or more KeyAuthority entries followed by an optional ds:Signature.
     This element carries the keys that other data is verified against, yet its own
     signature has minOccurs="0" and validUntil is optional. A schema-valid Trust
     document may therefore be unsigned and never expire; a consumer should require
     a signature verified with a key obtained out of band and apply its own
     freshness limit.
     The "##any" lax wildcard means a misspelled unqualified attribute (for example
     a mistyped validUntil) still validates. -->
284 <element name="Trust">
286 <documentation xml:lang="en">An optionally signed collection of KeyAuthority data.</documentation>
290 <element ref="shib:KeyAuthority" maxOccurs="unbounded"/>
291 <element ref="ds:Signature" minOccurs="0"/>
293 <attribute name="lastChanged" type="dateTime" use="optional"/>
294 <attribute name="validUntil" type="dateTime" use="optional"/>
295 <attribute name="cacheDuration" type="duration" use="optional"/>
296 <anyAttribute namespace="##any" processContents="lax"/>