<?xml version="1.0" encoding="US-ASCII"?>
-<schema targetNamespace="urn:mace:shibboleth:1.0" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:shib="urn:mace:shibboleth:1.0" elementFormDefault="qualified" attributeFormDefault="unqualified">
- <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
- <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
+<schema targetNamespace="urn:mace:shibboleth:1.0"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:xml="http://www.w3.org/XML/1998/namespace"
+ xmlns:shib="urn:mace:shibboleth:1.0"
+ elementFormDefault="qualified"
+ attributeFormDefault="unqualified"
+ version="1.3">
+
+ <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
+ <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
- <element name="RealTimeReleaseURL" type="anyURI">
- <annotation>Used by AA in samlp:StatusDetail to signal user wants real-time attribute release.</annotation>
- </element>
+ <!-- Status-Related Information -->
<!--
The following SAML sub-status codes are defined in this namespace:
- "RealTimeRelease"
- Used with samlp:Responder, signals user wants real-time attribute release
-
"InvalidHandle"
Used with samlp:Requester, signals AA did not recognize handle as valid
-->
+
+ <!--
+ Relaxes SAML AttributeValue type definition. Xerces-C has a bug that prevents
+ anyAttribute content appearing on anyType. It works in 2.2 but not in later versions.
+ -->
+
+ <complexType name="AttributeValueType" mixed="true">
+ <annotation>
+ <documentation xml:lang="en">
+ By convention, all Shibboleth 1.1 origin attribute values carry this unconstrained xsi:type.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="anyType"/>
+ </complexContent>
+ </complexType>
+
+ <!-- Attribute Acceptance Policies -->
+
+ <simpleType name="AttributeRuleValueType">
+ <restriction base="string">
+ <enumeration value="literal"/>
+ <enumeration value="regexp"/>
+ <enumeration value="xpath"/>
+ </restriction>
+ </simpleType>
+
+ <complexType name="SiteRuleType">
+ <sequence>
+ <element name="Scope" minOccurs="0" maxOccurs="unbounded">
+ <complexType>
+ <simpleContent>
+ <extension base="string">
+ <attribute name="Accept" type="boolean" use="optional" default="true"/>
+ <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <choice minOccurs="0">
+ <element name="AnyValue">
+ <complexType>
+ <sequence/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ </element>
+ <element name="Value" maxOccurs="unbounded">
+ <complexType>
+ <simpleContent>
+ <extension base="string">
+ <attribute name="Accept" type="boolean" use="optional" default="true"/>
+ <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ </choice>
+ </sequence>
+ </complexType>
+
+ <element name="AnySite" type="shib:SiteRuleType"/>
+ <element name="SiteRule">
+ <complexType>
+ <complexContent>
+ <extension base="shib:SiteRuleType">
+ <attribute name="Name" type="string" use="required"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ </element>
+
+ <complexType name="AttributeRuleType">
+ <sequence>
+ <element ref="shib:AnySite" minOccurs="0"/>
+ <element ref="shib:SiteRule" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Name" type="string" use="required"/>
+ <attribute name="Namespace" type="string" use="optional"/>
+ <attribute name="Alias" type="string" use="optional"/>
+ <attribute name="Header" type="string" use="optional"/>
+ <attribute name="Scoped" type="boolean" use="optional" default="false"/>
+ <attribute name="CaseSensitive" type="boolean" use="optional" default="true"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+
+ <element name="AttributeRule" type="shib:AttributeRuleType">
+ <key name="SiteRuleKey">
+ <selector xpath="./shib:SiteRule"/>
+ <field xpath="@Name"/>
+ </key>
+ </element>
+
+ <element name="AttributeAcceptancePolicy">
+ <complexType>
+ <sequence>
+ <element name="AnyAttribute" minOccurs="0">
+ <complexType>
+ <sequence/>
+ </complexType>
+ </element>
+ <element ref="shib:AttributeRule" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ </element>
+
+
+ <!-- Shibboleth Metadata -->
<complexType name="SiteType">
- <annotation> All sites have a Name attribute, plus optional i18n-ized aliases. </annotation>
+ <annotation>
+ <documentation xml:lang="en">All sites have a Name attribute, plus optional i18n-ized aliases.</documentation>
+ </annotation>
<sequence>
<element name="Alias" minOccurs="0" maxOccurs="unbounded">
<complexType>
</simpleContent>
</complexType>
</element>
+ <element name="Contact" type="shib:ContactType" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="Name" type="string" use="required"/>
+ <attribute name="ErrorURL" type="anyURI" use="optional"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
</complexType>
-
+
+ <simpleType name="ContactTypeType">
+ <restriction base="string">
+ <enumeration value="technical"/>
+ <enumeration value="support"/>
+ <enumeration value="administrative"/>
+ <enumeration value="billing"/>
+ <enumeration value="other"/>
+ </restriction>
+ </simpleType>
+
+ <complexType name="ContactType">
+ <annotation><documentation xml:lang="en">A human contact for a site.</documentation></annotation>
+ <sequence/>
+ <attribute name="Type" type="shib:ContactTypeType" use="required"/>
+ <attribute name="Name" type="string" use="required"/>
+ <attribute name="Email" type="string" use="optional"/>
+ </complexType>
+
+ <complexType name="regexp_string">
+ <annotation>
+ <documentation xml:lang="en">A string element with an optional attribute signaling regexp content.</documentation>
+ </annotation>
+ <simpleContent>
+ <extension base="string">
+ <attribute name="regexp" type="boolean" use="optional" default="false"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+ <complexType name="AuthorityType">
+ <annotation>
+ <documentation xml:lang="en">Metadata about a SAML authority.</documentation>
+ </annotation>
+ <sequence/>
+ <attribute name="Name" type="string" use="required"/>
+ <attribute name="Location" type="anyURI" use="required"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+
<complexType name="OriginSiteType">
- <annotation>Origin sites add at least one handle service (with a name and optional KeyInfo), plus optional domains trusted for attribute scoping.</annotation>
+ <annotation>
+ <documentation xml:lang="en">
+ Origin sites add at least one handle service (with a name), plus optional domains trusted for attribute scoping.
+ </documentation>
+ </annotation>
<complexContent>
- <extension base="shib:SiteType">
- <sequence>
- <element name="HandleService" maxOccurs="unbounded">
- <complexType>
- <sequence>
- <element ref="ds:KeyInfo" minOccurs="0"/>
- </sequence>
- <attribute name="Name" type="string" use="required"/>
- <attribute name="Location" type="anyURI" use="required"/>
- </complexType>
- </element>
- <element name="Domain" type="string" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- </extension>
+ <extension base="shib:SiteType">
+ <sequence>
+ <element name="HandleService" type="shib:AuthorityType" maxOccurs="unbounded"/>
+ <element name="AttributeAuthority" type="shib:AuthorityType" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="shib:Domain" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <element name="Domain" type="shib:regexp_string">
+ <annotation>
+ <documentation xml:lang="en">A metadata extension used to regulate allowable attribute scopes.</documentation>
+ </annotation>
+ </element>
+
+ <complexType name="DestinationSiteType">
+ <annotation>
+ <documentation xml:lang="en">
+ Destination sites add at least one attribute requester (with a name).
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="shib:SiteType">
+ <sequence>
+ <element name="AssertionConsumerServiceURL" maxOccurs="unbounded">
+ <complexType>
+ <attribute name="Location" type="string" use="required"/>
+ <attribute name="Id" type="string" use="optional"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+ </element>
+ <element name="AttributeRequester" maxOccurs="unbounded">
+ <complexType>
+ <attribute name="Name" type="string" use="required"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+ </element>
+ </sequence>
+ </extension>
</complexContent>
</complexType>
<complexType name="SiteGroupType">
- <annotation>Used to logically group sites together.</annotation>
+ <annotation>
+ <documentation xml:lang="en">Used to logically group sites together, optionally signed.</documentation>
+ </annotation>
<sequence>
<choice maxOccurs="unbounded">
<element ref="shib:OriginSite"/>
<element ref="shib:DestinationSite"/>
<element ref="shib:SiteGroup"/>
</choice>
+ <element ref="ds:Signature" minOccurs="0"/>
</sequence>
<attribute name="Name" type="string" use="required"/>
+ <attribute name="lastChanged" type="dateTime" use="optional"/>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
</complexType>
<element name="OriginSite" type="shib:OriginSiteType"/>
- <element name="DestinationSite" type="shib:SiteType"/>
+ <element name="DestinationSite" type="shib:DestinationSiteType"/>
<element name="SiteGroup" type="shib:SiteGroupType"/>
- <element name="Sites">
- <annotation>The registry of sites plus an optional enveloped signature.</annotation>
- <complexType>
- <sequence>
- <choice maxOccurs="unbounded">
- <element ref="shib:OriginSite"/>
- <element ref="shib:DestinationSite"/>
- <element ref="shib:SiteGroup"/>
- </choice>
- <element ref="ds:Signature" minOccurs="0"/>
- </sequence>
- </complexType>
- </element>
+
+ <!-- Old (pre 1.2) Trust Metadata -->
+
+ <complexType name="KeyAuthorityType">
+ <annotation>
+ <documentation xml:lang="en">
+ Binds a set of keying material to one or more named system entities.
+ </documentation>
+ </annotation>
+ <sequence>
+ <element ref="ds:KeyInfo"/>
+ <element name="Subject" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+ <element name="KeyAuthority" type="shib:KeyAuthorityType"/>
+
+ <element name="Trust">
+ <annotation>
+ <documentation xml:lang="en">An optionally signed collection of KeyAuthority data.</documentation>
+ </annotation>
+ <complexType>
+ <sequence>
+ <element ref="shib:KeyAuthority" maxOccurs="unbounded"/>
+ <element ref="ds:Signature" minOccurs="0"/>
+ </sequence>
+ <attribute name="lastChanged" type="dateTime" use="optional"/>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+ </element>
+
</schema>
projects / shibboleth / sp.git / blobdiff