1 <?xml version="1.0" encoding="US-ASCII"?>
2 <schema targetNamespace="urn:mace:shibboleth:1.0" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:shib="urn:mace:shibboleth:1.0" elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.0">
    <!--
    NOTE(review): the schemaLocation values below are hints, not trusted fetch targets.
    A validator that processes instance documents from remote sites should resolve these
    imports from a local catalog (and keep DTD / external-entity processing disabled)
    rather than fetching from w3.org at validation time.
    -->
    <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
    <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
5     
6     
7     <!-- Status-Related Information -->
8     
9     <!--
10     The following SAML sub-status codes are defined in this namespace:
11     
12         "RealTimeRelease"
13             Used with samlp:Responder, signals user wants real-time attribute release
14         
15         "InvalidHandle"
16             Used with samlp:Requester, signals AA did not recognize handle as valid
17     -->
18     
19     <element name="RealTimeReleaseURL" type="anyURI">
20         <annotation>
21                 <documentation xml:lang="en">Used by AA in samlp:StatusDetail to signal user wants real-time attribute release.</documentation>
22         </annotation>
23     </element>
24     
25
26     <!-- Relaxes SAML AttributeValue type definition -->
27
28         <complexType name="AttributeValueType" mixed="true">
29                 <annotation>
30                         <documentation xml:lang="en">By convention, all Shibboleth attribute values carry this unconstrained xsi:type.</documentation>
31                 </annotation>
32                 <sequence>
33                         <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
34                 </sequence>
35                 <anyAttribute namespace="##any" processContents="lax"/>
36         </complexType>
37
38
39     <!-- Attribute Acceptance Policies -->
40         
41     <simpleType name="AttributeRuleValueType">
42         <restriction base="string">
43             <enumeration value="literal"/>
44             <enumeration value="regexp"/>
45             <enumeration value="xpath"/>
46         </restriction>
47     </simpleType>
48     
49     <complexType name="SiteRuleType">
50         <sequence>
51                 <element name="Scope" minOccurs="0" maxOccurs="unbounded">
52                         <complexType>
53                     <simpleContent>
54                         <extension base="string">
55                                 <attribute name="Accept" type="boolean" use="optional" default="true"/>
56                             <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
57                         </extension>
58                     </simpleContent>
59                         </complexType>
60                 </element>
61                 <choice minOccurs="0">
62                         <element name="AnyValue">
63                                 <complexType>
64                                         <sequence/>
65                                 </complexType>
66                         </element>
67                     <element name="Value" maxOccurs="unbounded">
68                         <complexType>
69                             <simpleContent>
70                                 <extension base="string">
71                                     <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
72                                 </extension>
73                             </simpleContent>
74                         </complexType>
75                     </element>
76                 </choice>
77         </sequence>
78     </complexType>
79
80     <element name="AnySite" type="shib:SiteRuleType"/>
81     <element name="SiteRule">
82         <complexType>
83             <complexContent>
84                 <extension base="shib:SiteRuleType">
85                     <attribute name="Name" type="string" use="required"/>
86                 </extension>
87             </complexContent>
88         </complexType>
89     </element>
90
91     <complexType name="AttributeRuleType">
92         <sequence>
93             <element ref="shib:AnySite" minOccurs="0"/>
94             <element ref="shib:SiteRule" minOccurs="0" maxOccurs="unbounded"/>
95         </sequence>
96         <attribute name="Name" type="string" use="required"/>
97         <attribute name="Namespace" type="string" use="optional"/>
98         <attribute name="Factory" type="string" use="optional"/>
99         <attribute name="Alias" type="string" use="optional"/>
100                 <attribute name="Header" type="string" use="optional"/>
101     </complexType>
102
103     <element name="AttributeRule" type="shib:AttributeRuleType">
104         <key name="SiteRuleKey">
105             <selector xpath="./shib:SiteRule"/>
106             <field xpath="@Name"/>
107         </key>
108     </element>
109
110     <element name="AttributeAcceptancePolicy">
111         <complexType>
112             <sequence>
113                 <element ref="shib:AttributeRule" minOccurs="0" maxOccurs="unbounded"/>
114             </sequence>
115         </complexType>
116     </element>
117
118
119     <!-- Shibboleth Metadata -->
120     
121     <complexType name="SiteType">
122         <annotation>
123                 <documentation xml:lang="en">All sites have a Name attribute, plus optional i18n-ized aliases.</documentation>
124         </annotation>
125         <sequence>
126             <element name="Alias" minOccurs="0" maxOccurs="unbounded">
127                 <complexType>
128                     <simpleContent>
129                         <extension base="string">
130                             <attribute ref="xml:lang"/>
131                         </extension>
132                     </simpleContent>
133                 </complexType>
134             </element>
135             <element name="Contact" type="shib:ContactType" minOccurs="0" maxOccurs="unbounded"/>
136         </sequence>
137         <attribute name="Name" type="string" use="required"/>
138         <attribute name="ErrorURL" type="anyURI" use="optional"/>
139     </complexType>
140
141         <simpleType name="ContactTypeType">
142                 <restriction base="string">
143             <enumeration value="technical"/>
144             <enumeration value="administrative"/>
145             <enumeration value="billing"/>
146             <enumeration value="other"/>
147         </restriction>
148     </simpleType>
149
150         <complexType name="ContactType">
151                 <annotation><documentation xml:lang="en">A human contact for a site.</documentation></annotation>
152                 <sequence/>
153         <attribute name="Type" type="shib:ContactTypeType" use="required"/>
154         <attribute name="Name" type="string" use="required"/>
155         <attribute name="Email" type="string" use="optional"/>
156         </complexType>
157
158     <complexType name="regexp_string">
159         <annotation>
160                 <documentation xml:lang="en">A string element with an optional attribute signaling regexp content.</documentation>
161         </annotation>
162         <simpleContent>
163             <extension base="string">
164                 <attribute name="regexp" type="boolean" use="optional" default="false"/>
165             </extension>
166         </simpleContent>
167     </complexType>    
168
169         <complexType name="AuthorityType">
170                 <annotation>
171                         <documentation xml:lang="en">Metadata about a SAML authority.</documentation>
172                 </annotation>
173         <sequence/>
174         <attribute name="Name" type="string" use="required"/>
175         <attribute name="Location" type="anyURI" use="required"/>
176         </complexType>
177
178     <complexType name="OriginSiteType">
179         <annotation>
180                 <documentation xml:lang="en">Origin sites add at least one handle service (with a name and optional KeyInfo), plus optional domains trusted for attribute scoping.</documentation>
181         </annotation>
182         <complexContent>
183                 <extension base="shib:SiteType">
184                     <sequence>
185                         <element name="HandleService" type="shib:AuthorityType" maxOccurs="unbounded"/>
186                         <element name="AttributeAuthority" type="shib:AuthorityType" minOccurs="0" maxOccurs="unbounded"/>
187                         <element name="Domain" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
188                     </sequence>
189                 </extension>
190         </complexContent>
191     </complexType>
192
193     <complexType name="SiteGroupType">
194         <annotation>
195                 <documentation xml:lang="en">Used to logically group sites together, optionally signed.</documentation>
196         </annotation>
197         <sequence>
198             <choice maxOccurs="unbounded">
199                 <element ref="shib:OriginSite"/>
200                 <element ref="shib:DestinationSite"/>
201                 <element ref="shib:SiteGroup"/>
202             </choice>
203             <element ref="ds:Signature" minOccurs="0"/>
204         </sequence>
205         <attribute name="Name" type="string" use="required"/>
206         <attribute name="lastChanged" type="datetime" use="optional"/>
207         <attribute name="validUntil" type="datetime" use="optional"/>
208         <attribute name="cacheDuration" type="duration" use="optional"/>
209         <anyAttribute/>
210     </complexType>    
211
212     <element name="OriginSite" type="shib:OriginSiteType"/>
213     <element name="DestinationSite" type="shib:SiteType"/>
214     <element name="SiteGroup" type="shib:SiteGroupType"/>
215
216
217         <!-- Trust Metadata -->
218
219         <complexType name="KeyAuthorityType">
220                 <annotation>
221                         <documentation xml:lang="en">
222                         Binds a set of keying material to one or more named system entities.
223                         </documentation>
224                 </annotation>
225                 <sequence>
226                         <element ref="ds:KeyInfo"/>
227                         <element name="Subject" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
228                 </sequence>
229                 <attribute name="VerifyDepth" type="unsignedByte" use="optional"/>
230                 <attribute name="Type" use="optional" default="authority">
231                         <restriction base="string">
232                                 <enumeration value="authority"/>
233                                 <enumeration value="entity"/>
234                         </restriction>
235                 </attribute>
236         </complexType>
237         <element name="KeyAuthority" type="shib:KeyAuthorityType"/>
238
239         <element name="Trust">
240                 <annotation>
241                         <documentation xml:lang="en">An optionally signed collection of KeyAuthority data.</documentation>
242                 </annotation>
243                 <complexType>
244                         <sequence>
245                                 <element ref="shib:KeyAuthority" maxOccurs="unbounded"/>
246                                 <element ref="ds:Signature" minOccurs="0"/>
247                         </sequence>
248                 </complexType>
249         <attribute name="lastChanged" type="datetime" use="optional"/>
250         <attribute name="validUntil" type="datetime" use="optional"/>
251         <attribute name="cacheDuration" type="duration" use="optional"/>
252         <anyAttribute/>
253         </element>
254
255         <complexType name="JavaKeyInfoType">
256                 <annotation>
257                         <documentation xml:lang="en">Describes a credential in a Java keystore.</documentation>
258                 </annotation>
259                 <sequence/>
260                 <attribute name="KeyStore" type="string" use="required"/>
261                 <attribute name="KeyStoreType" type="string" use="optional" default="JKS"/>
262                 <attribute name="KeyStorePassword" type="string" use="required"/>
263                 <attribute name="Alias" type="string" use="required"/>
264                 <attribute name="AliasPassword" type="string" use="optional"/>
265         </complexType>
266         <element name="JavaKeyValue" type="shib:JavaKeyInfoType"/>
267         <element name="JavaX509Data" type="shib:JavaKeyInfoType"/>
268         
269         <complexType name="KeyUseType">
270                 <annotation>
271                         <documentation xml:lang="en">
272                         Binds a set of credentials to one or more named system entities with additional controls over
273                         which relying parties are capable of accepting them.
274                         </documentation>
275                 </annotation>
276                 <extension base="shib:KeyAuthorityType">
277                         <sequence>
278                                 <element name="RelyingParty" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
279                         </sequence>
280                 </extension>
281         </complexType>  
282         <element name="KeyUse" type="shib:KeyUseType"/>
283         
284         <element name="Credentials">
285                 <annotation>
286                         <documentation xml:lang="en">A set of KeyUse data that provides local credentials.</documentation>
287                 </annotation>
288                 <complexType>
289                         <sequence>
290                                 <element ref="shib:KeyUse" maxOccurs="unbounded"/>
291                         </sequence>
292                 </complexType>
293         <anyAttribute/>
294         </element>
295         
296 </schema>