-<?xml version="1.0" encoding="UTF-8"?>\r
-<xs:schema \r
- xmlns:xs="http://www.w3.org/2001/XMLSchema"\r
- elementFormDefault="qualified"\r
- version="2.0">\r
-\r
- <xs:annotation>\r
- <xs:documentation>\r
- Document identifier: saml-schema-authn-context-types-2.0\r
- Location: http://docs.oasis-open.org/security/saml/v2.0/\r
- Revision history:\r
- V2.0 (March, 2005):\r
- New core authentication context schema types for SAML V2.0. \r
- </xs:documentation>\r
- </xs:annotation>\r
-\r
- <xs:element name="AuthenticationContextDeclaration" type="AuthnContextDeclarationBaseType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- A particular assertion on an identity\r
- provider's part with respect to the authentication\r
- context associated with an authentication assertion.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="Identification" type="IdentificationType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- Refers to those characteristics that describe the\r
- processes and mechanisms\r
- the Authentication Authority uses to initially create\r
- an association between a Principal\r
- and the identity (or name) by which the Principal will\r
- be known\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="PhysicalVerification">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that identification has been\r
- performed in a physical\r
- face-to-face meeting with the principal and not in an\r
- online manner.\r
- </xs:documentation>\r
- </xs:annotation>\r
- <xs:complexType>\r
- <xs:attribute name="credentialLevel">\r
- <xs:simpleType>\r
- <xs:restriction base="xs:NMTOKEN">\r
- <xs:enumeration value="primary"/>\r
- <xs:enumeration value="secondary"/>\r
- </xs:restriction>\r
- </xs:simpleType>\r
- </xs:attribute>\r
- </xs:complexType>\r
- </xs:element>\r
-\r
- <xs:element name="WrittenConsent" type="ExtensionOnlyType"/>\r
-\r
- <xs:element name="TechnicalProtection" type="TechnicalProtectionBaseType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- Refers to those characterstics that describe how the\r
- 'secret' (the knowledge or possession\r
- of which allows the Principal to authenticate to the\r
- Authentication Authority) is kept secure\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="SecretKeyProtection" type="SecretKeyProtectionType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates the types and strengths of\r
- facilities\r
- of a UA used to protect a shared secret key from\r
- unauthorized access and/or use.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="PrivateKeyProtection" type="PrivateKeyProtectionType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates the types and strengths of\r
- facilities\r
- of a UA used to protect a private key from\r
- unauthorized access and/or use.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="KeyActivation" type="KeyActivationType">\r
- <xs:annotation>\r
- <xs:documentation>The actions that must be performed\r
- before the private key can be used. </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="KeySharing" type="KeySharingType">\r
- <xs:annotation>\r
- <xs:documentation>Whether or not the private key is shared\r
- with the certificate authority.</xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="KeyStorage" type="KeyStorageType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- In which medium is the key stored.\r
- memory - the key is stored in memory.\r
- smartcard - the key is stored in a smartcard.\r
- token - the key is stored in a hardware token.\r
- MobileDevice - the key is stored in a mobile device.\r
- MobileAuthCard - the key is stored in a mobile\r
- authentication card.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="SubscriberLineNumber" type="ExtensionOnlyType"/>\r
- <xs:element name="UserSuffix" type="ExtensionOnlyType"/>\r
-\r
- <xs:element name="Password" type="PasswordType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that a password (or passphrase)\r
- has been used to\r
- authenticate the Principal to a remote system.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="ActivationPin" type="ActivationPinType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that a Pin (Personal\r
- Identification Number) has been used to authenticate the Principal to\r
- some local system in order to activate a key.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="Token" type="TokenType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that a hardware or software\r
- token is used\r
- as a method of identifying the Principal.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="TimeSyncToken" type="TimeSyncTokenType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that a time synchronization\r
- token is used to identify the Principal. hardware -\r
- the time synchonization\r
- token has been implemented in hardware. software - the\r
- time synchronization\r
- token has been implemented in software. SeedLength -\r
- the length, in bits, of the\r
- random seed used in the time synchronization token.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="Smartcard" type="ExtensionOnlyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that a smartcard is used to\r
- identity the Principal.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="Length" type="LengthType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates the minimum and/or maximum\r
- ASCII length of the password which is enforced (by the UA or the\r
- IdP). In other words, this is the minimum and/or maximum number of\r
- ASCII characters required to represent a valid password.\r
- min - the minimum number of ASCII characters required\r
- in a valid password, as enforced by the UA or the IdP.\r
- max - the maximum number of ASCII characters required\r
- in a valid password, as enforced by the UA or the IdP.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="ActivationLimit" type="ActivationLimitType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates the length of time for which an\r
- PIN-based authentication is valid.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="Generation">\r
- <xs:annotation>\r
- <xs:documentation>\r
- Indicates whether the password was chosen by the\r
- Principal or auto-supplied by the Authentication Authority.\r
- principalchosen - the Principal is allowed to choose\r
- the value of the password. This is true even if\r
- the initial password is chosen at random by the UA or\r
- the IdP and the Principal is then free to change\r
- the password.\r
- automatic - the password is chosen by the UA or the\r
- IdP to be cryptographically strong in some sense,\r
- or to satisfy certain password rules, and that the\r
- Principal is not free to change it or to choose a new password.\r
- </xs:documentation>\r
- </xs:annotation>\r
-\r
- <xs:complexType>\r
- <xs:attribute name="mechanism" use="required">\r
- <xs:simpleType>\r
- <xs:restriction base="xs:NMTOKEN">\r
- <xs:enumeration value="principalchosen"/>\r
- <xs:enumeration value="automatic"/>\r
- </xs:restriction>\r
- </xs:simpleType>\r
- </xs:attribute>\r
- </xs:complexType>\r
- </xs:element>\r
-\r
- <xs:element name="AuthnMethod" type="AuthnMethodBaseType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- Refers to those characteristics that define the\r
- mechanisms by which the Principal authenticates to the Authentication\r
- Authority.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="PrincipalAuthenticationMechanism" type="PrincipalAuthenticationMechanismType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- The method that a Principal employs to perform\r
- authentication to local system components.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="Authenticator" type="AuthenticatorBaseType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- The method applied to validate a principal's\r
- authentication across a network\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="ComplexAuthenticator" type="ComplexAuthenticatorType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- Supports Authenticators with nested combinations of\r
- additional complexity.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="PreviousSession" type="ExtensionOnlyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- Indicates that the Principal has been strongly\r
- authenticated in a previous session during which the IdP has set a\r
- cookie in the UA. During the present session the Principal has only\r
- been authenticated by the UA returning the cookie to the IdP.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="ResumeSession" type="ExtensionOnlyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- Rather like PreviousSession but using stronger\r
- security. A secret that was established in a previous session with\r
- the Authentication Authority has been cached by the local system and\r
- is now re-used (e.g. a Master Secret is used to derive new session\r
- keys in TLS, SSL, WTLS).\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="ZeroKnowledge" type="ExtensionOnlyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that the Principal has been\r
- authenticated by a zero knowledge technique as specified in ISO/IEC\r
- 9798-5.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="SharedSecretChallengeResponse" type="SharedSecretChallengeResponseType"/>\r
-\r
- <xs:complexType name="SharedSecretChallengeResponseType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that the Principal has been\r
- authenticated by a challenge-response protocol utilizing shared secret\r
- keys and symmetric cryptography.\r
- </xs:documentation>\r
- </xs:annotation>\r
- <xs:sequence>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- <xs:attribute name="method" type="xs:anyURI" use="optional"/>\r
- </xs:complexType>\r
-\r
- <xs:element name="DigSig" type="PublicKeyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that the Principal has been\r
- authenticated by a mechanism which involves the Principal computing a\r
- digital signature over at least challenge data provided by the IdP.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="AsymmetricDecryption" type="PublicKeyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- The local system has a private key but it is used\r
- in decryption mode, rather than signature mode. For example, the\r
- Authentication Authority generates a secret and encrypts it using the\r
- local system's public key: the local system then proves it has\r
- decrypted the secret.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="AsymmetricKeyAgreement" type="PublicKeyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- The local system has a private key and uses it for\r
- shared secret key agreement with the Authentication Authority (e.g.\r
- via Diffie Helman).\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:complexType name="PublicKeyType">\r
- <xs:sequence>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- <xs:attribute name="keyValidation" use="optional"/>\r
- </xs:complexType>\r
-\r
- <xs:element name="IPAddress" type="ExtensionOnlyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that the Principal has been\r
- authenticated through connection from a particular IP address.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="SharedSecretDynamicPlaintext" type="ExtensionOnlyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- The local system and Authentication Authority\r
- share a secret key. The local system uses this to encrypt a\r
- randomised string to pass to the Authentication Authority.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="AuthenticatorTransportProtocol" type="AuthenticatorTransportProtocolType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- The protocol across which Authenticator information is\r
- transferred to an Authentication Authority verifier.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="HTTP" type="ExtensionOnlyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that the Authenticator has been\r
- transmitted using bare HTTP utilizing no additional security\r
- protocols.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="IPSec" type="ExtensionOnlyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that the Authenticator has been\r
- transmitted using a transport mechanism protected by an IPSEC session.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
- \r
- <xs:element name="WTLS" type="ExtensionOnlyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that the Authenticator has been\r
- transmitted using a transport mechanism protected by a WTLS session.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="MobileNetworkNoEncryption" type="ExtensionOnlyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that the Authenticator has been\r
- transmitted solely across a mobile network using no additional\r
- security mechanism.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="MobileNetworkRadioEncryption" type="ExtensionOnlyType"/>\r
- <xs:element name="MobileNetworkEndToEndEncryption" type="ExtensionOnlyType"/>\r
-\r
- <xs:element name="SSL" type="ExtensionOnlyType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that the Authenticator has been\r
- transmitted using a transport mechnanism protected by an SSL or TLS\r
- session.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
- \r
- <xs:element name="PSTN" type="ExtensionOnlyType"/>\r
- <xs:element name="ISDN" type="ExtensionOnlyType"/>\r
- <xs:element name="ADSL" type="ExtensionOnlyType"/>\r
-\r
- <xs:element name="OperationalProtection" type="OperationalProtectionType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- Refers to those characteristics that describe\r
- procedural security controls employed by the Authentication Authority.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="SecurityAudit" type="SecurityAuditType"/>\r
- <xs:element name="SwitchAudit" type="ExtensionOnlyType"/>\r
- <xs:element name="DeactivationCallCenter" type="ExtensionOnlyType"/>\r
-\r
- <xs:element name="GoverningAgreements" type="GoverningAgreementsType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- Provides a mechanism for linking to external (likely\r
- human readable) documents in which additional business agreements,\r
- (e.g. liability constraints, obligations, etc) can be placed.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
-\r
- <xs:element name="GoverningAgreementRef" type="GoverningAgreementRefType"/>\r
-\r
- <xs:simpleType name="nymType">\r
- <xs:restriction base="xs:NMTOKEN">\r
- <xs:enumeration value="anonymity"/>\r
- <xs:enumeration value="verinymity"/>\r
- <xs:enumeration value="pseudonymity"/>\r
- </xs:restriction>\r
- </xs:simpleType>\r
-\r
- <xs:complexType name="AuthnContextDeclarationBaseType">\r
- <xs:sequence>\r
- <xs:element ref="Identification" minOccurs="0"/>\r
- <xs:element ref="TechnicalProtection" minOccurs="0"/>\r
- <xs:element ref="OperationalProtection" minOccurs="0"/>\r
- <xs:element ref="AuthnMethod" minOccurs="0"/>\r
- <xs:element ref="GoverningAgreements" minOccurs="0"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- <xs:attribute name="ID" type="xs:ID" use="optional"/>\r
- </xs:complexType>\r
- \r
- <xs:complexType name="IdentificationType">\r
- <xs:sequence>\r
- <xs:element ref="PhysicalVerification" minOccurs="0"/>\r
- <xs:element ref="WrittenConsent" minOccurs="0"/>\r
- <xs:element ref="GoverningAgreements" minOccurs="0"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- <xs:attribute name="nym" type="nymType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This attribute indicates whether or not the\r
- Identification mechanisms allow the actions of the Principal to be\r
- linked to an actual end user.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:attribute>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="TechnicalProtectionBaseType">\r
- <xs:sequence>\r
- <xs:choice minOccurs="0">\r
- <xs:element ref="PrivateKeyProtection"/>\r
- <xs:element ref="SecretKeyProtection"/>\r
- </xs:choice>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="OperationalProtectionType">\r
- <xs:sequence>\r
- <xs:element ref="SecurityAudit" minOccurs="0"/>\r
- <xs:element ref="DeactivationCallCenter" minOccurs="0"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="AuthnMethodBaseType">\r
- <xs:sequence>\r
- <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>\r
- <xs:element ref="Authenticator" minOccurs="0"/>\r
- <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="GoverningAgreementsType">\r
- <xs:sequence>\r
- <xs:element ref="GoverningAgreementRef" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="GoverningAgreementRefType">\r
- <xs:attribute name="governingAgreementRef" type="xs:anyURI" use="required"/>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="PrincipalAuthenticationMechanismType">\r
- <xs:sequence>\r
- <xs:element ref="Password" minOccurs="0"/>\r
- <xs:element ref="RestrictedPassword" minOccurs="0"/>\r
- <xs:element ref="Token" minOccurs="0"/>\r
- <xs:element ref="Smartcard" minOccurs="0"/>\r
- <xs:element ref="ActivationPin" minOccurs="0"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- <xs:attribute name="preauth" type="xs:integer" use="optional"/>\r
- </xs:complexType>\r
- \r
- <xs:group name="AuthenticatorChoiceGroup">\r
- <xs:choice>\r
- <xs:element ref="PreviousSession"/>\r
- <xs:element ref="ResumeSession"/>\r
- <xs:element ref="DigSig"/>\r
- <xs:element ref="Password"/>\r
- <xs:element ref="RestrictedPassword"/>\r
- <xs:element ref="ZeroKnowledge"/>\r
- <xs:element ref="SharedSecretChallengeResponse"/>\r
- <xs:element ref="SharedSecretDynamicPlaintext"/>\r
- <xs:element ref="IPAddress"/>\r
- <xs:element ref="AsymmetricDecryption"/>\r
- <xs:element ref="AsymmetricKeyAgreement"/>\r
- <xs:element ref="SubscriberLineNumber"/>\r
- <xs:element ref="UserSuffix"/>\r
- <xs:element ref="ComplexAuthenticator"/>\r
- </xs:choice>\r
- </xs:group>\r
- \r
- <xs:group name="AuthenticatorSequenceGroup">\r
- <xs:sequence>\r
- <xs:element ref="PreviousSession" minOccurs="0"/>\r
- <xs:element ref="ResumeSession" minOccurs="0"/>\r
- <xs:element ref="DigSig" minOccurs="0"/>\r
- <xs:element ref="Password" minOccurs="0"/>\r
- <xs:element ref="RestrictedPassword" minOccurs="0"/>\r
- <xs:element ref="ZeroKnowledge" minOccurs="0"/>\r
- <xs:element ref="SharedSecretChallengeResponse" minOccurs="0"/>\r
- <xs:element ref="SharedSecretDynamicPlaintext" minOccurs="0"/>\r
- <xs:element ref="IPAddress" minOccurs="0"/>\r
- <xs:element ref="AsymmetricDecryption" minOccurs="0"/>\r
- <xs:element ref="AsymmetricKeyAgreement" minOccurs="0"/>\r
- <xs:element ref="SubscriberLineNumber" minOccurs="0"/>\r
- <xs:element ref="UserSuffix" minOccurs="0"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:group>\r
-\r
- <xs:complexType name="AuthenticatorBaseType">\r
- <xs:sequence>\r
- <xs:group ref="AuthenticatorChoiceGroup"/>\r
- <xs:group ref="AuthenticatorSequenceGroup"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
- \r
- <xs:complexType name="ComplexAuthenticatorType">\r
- <xs:sequence>\r
- <xs:group ref="AuthenticatorChoiceGroup"/>\r
- <xs:group ref="AuthenticatorSequenceGroup"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
- \r
- <xs:complexType name="AuthenticatorTransportProtocolType">\r
- <xs:sequence>\r
- <xs:choice minOccurs="0">\r
- <xs:element ref="HTTP"/>\r
- <xs:element ref="SSL"/>\r
- <xs:element ref="MobileNetworkNoEncryption"/>\r
- <xs:element ref="MobileNetworkRadioEncryption"/>\r
- <xs:element ref="MobileNetworkEndToEndEncryption"/>\r
- <xs:element ref="WTLS"/>\r
- <xs:element ref="IPSec"/>\r
- <xs:element ref="PSTN"/>\r
- <xs:element ref="ISDN"/>\r
- <xs:element ref="ADSL"/>\r
- </xs:choice>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="KeyActivationType">\r
- <xs:sequence>\r
- <xs:element ref="ActivationPin" minOccurs="0"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="KeySharingType">\r
- <xs:attribute name="sharing" type="xs:boolean" use="required"/>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="PrivateKeyProtectionType">\r
- <xs:sequence>\r
- <xs:element ref="KeyActivation" minOccurs="0"/>\r
- <xs:element ref="KeyStorage" minOccurs="0"/>\r
- <xs:element ref="KeySharing" minOccurs="0"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="PasswordType">\r
- <xs:sequence>\r
- <xs:element ref="Length" minOccurs="0"/>\r
- <xs:element ref="Alphabet" minOccurs="0"/>\r
- <xs:element ref="Generation" minOccurs="0"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>\r
- </xs:complexType>\r
-\r
- <xs:element name="RestrictedPassword" type="RestrictedPasswordType"/>\r
-\r
- <xs:complexType name="RestrictedPasswordType">\r
- <xs:complexContent>\r
- <xs:restriction base="PasswordType">\r
- <xs:sequence>\r
- <xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>\r
- <xs:element ref="Generation" minOccurs="0"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>\r
- </xs:restriction>\r
- </xs:complexContent>\r
- </xs:complexType>\r
- \r
- <xs:complexType name="RestrictedLengthType">\r
- <xs:complexContent>\r
- <xs:restriction base="LengthType">\r
- <xs:attribute name="min" use="required">\r
- <xs:simpleType>\r
- <xs:restriction base="xs:integer">\r
- <xs:minInclusive value="3"/>\r
- </xs:restriction>\r
- </xs:simpleType>\r
- </xs:attribute>\r
- <xs:attribute name="max" type="xs:integer" use="optional"/>\r
- </xs:restriction>\r
- </xs:complexContent>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="ActivationPinType">\r
- <xs:sequence>\r
- <xs:element ref="Length" minOccurs="0"/>\r
- <xs:element ref="Alphabet" minOccurs="0"/>\r
- <xs:element ref="Generation" minOccurs="0"/>\r
- <xs:element ref="ActivationLimit" minOccurs="0"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
- \r
- <xs:element name="Alphabet" type="AlphabetType"/>\r
- <xs:complexType name="AlphabetType">\r
- <xs:attribute name="requiredChars" type="xs:string" use="required"/>\r
- <xs:attribute name="excludedChars" type="xs:string" use="optional"/>\r
- <xs:attribute name="case" type="xs:string" use="optional"/>\r
- </xs:complexType>\r
- \r
- <xs:complexType name="TokenType">\r
- <xs:sequence>\r
- <xs:element ref="TimeSyncToken"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
- \r
- <xs:simpleType name="DeviceTypeType">\r
- <xs:restriction base="xs:NMTOKEN">\r
- <xs:enumeration value="hardware"/>\r
- <xs:enumeration value="software"/>\r
- </xs:restriction>\r
- </xs:simpleType>\r
- \r
- <xs:simpleType name="booleanType">\r
- <xs:restriction base="xs:NMTOKEN">\r
- <xs:enumeration value="true"/>\r
- <xs:enumeration value="false"/>\r
- </xs:restriction>\r
- </xs:simpleType>\r
- \r
- <xs:complexType name="TimeSyncTokenType">\r
- <xs:attribute name="DeviceType" type="DeviceTypeType" use="required"/>\r
- <xs:attribute name="SeedLength" type="xs:integer" use="required"/>\r
- <xs:attribute name="DeviceInHand" type="booleanType" use="required"/>\r
- </xs:complexType>\r
- \r
- <xs:complexType name="ActivationLimitType">\r
- <xs:choice>\r
- <xs:element ref="ActivationLimitDuration"/>\r
- <xs:element ref="ActivationLimitUsages"/>\r
- <xs:element ref="ActivationLimitSession"/>\r
- </xs:choice>\r
- </xs:complexType>\r
- \r
- <xs:element name="ActivationLimitDuration" type="ActivationLimitDurationType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that the Key Activation Limit is\r
- defined as a specific duration of time.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
- \r
- <xs:element name="ActivationLimitUsages" type="ActivationLimitUsagesType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that the Key Activation Limit is\r
- defined as a number of usages.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
- \r
- <xs:element name="ActivationLimitSession" type="ActivationLimitSessionType">\r
- <xs:annotation>\r
- <xs:documentation>\r
- This element indicates that the Key Activation Limit is\r
- the session.\r
- </xs:documentation>\r
- </xs:annotation>\r
- </xs:element>\r
- \r
- <xs:complexType name="ActivationLimitDurationType">\r
- <xs:attribute name="duration" type="xs:duration" use="required"/>\r
- </xs:complexType>\r
- \r
- <xs:complexType name="ActivationLimitUsagesType">\r
- <xs:attribute name="number" type="xs:integer" use="required"/>\r
- </xs:complexType>\r
- \r
- <xs:complexType name="ActivationLimitSessionType"/>\r
- \r
- <xs:complexType name="LengthType">\r
- <xs:attribute name="min" type="xs:integer" use="required"/>\r
- <xs:attribute name="max" type="xs:integer" use="optional"/>\r
- </xs:complexType>\r
-\r
- <xs:simpleType name="mediumType">\r
- <xs:restriction base="xs:NMTOKEN">\r
- <xs:enumeration value="memory"/>\r
- <xs:enumeration value="smartcard"/>\r
- <xs:enumeration value="token"/>\r
- <xs:enumeration value="MobileDevice"/>\r
- <xs:enumeration value="MobileAuthCard"/>\r
- </xs:restriction>\r
- </xs:simpleType>\r
-\r
- <xs:complexType name="KeyStorageType">\r
- <xs:attribute name="medium" type="mediumType" use="required"/>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="SecretKeyProtectionType">\r
- <xs:sequence>\r
- <xs:element ref="KeyActivation" minOccurs="0"/>\r
- <xs:element ref="KeyStorage" minOccurs="0"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="SecurityAuditType">\r
- <xs:sequence>\r
- <xs:element ref="SwitchAudit" minOccurs="0"/>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
-\r
- <xs:complexType name="ExtensionOnlyType">\r
- <xs:sequence>\r
- <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
- \r
- <xs:element name="Extension" type="ExtensionType"/>\r
-\r
- <xs:complexType name="ExtensionType">\r
- <xs:sequence>\r
- <xs:any namespace="##other" processContents="lax" maxOccurs="unbounded"/>\r
- </xs:sequence>\r
- </xs:complexType>\r
-\r
-</xs:schema>\r
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ elementFormDefault="qualified"
+ version="2.0">
+
+ <xs:annotation>
+ <xs:documentation>
+ Document identifier: saml-schema-authn-context-types-2.0
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
+ Revision history:
+ V2.0 (March, 2005):
+ New core authentication context schema types for SAML V2.0.
+ </xs:documentation>
+ </xs:annotation>
+
+ <xs:element name="AuthenticationContextDeclaration" type="AuthnContextDeclarationBaseType">
+ <xs:annotation>
+ <xs:documentation>
+ A particular assertion on an identity
+ provider's part with respect to the authentication
+ context associated with an authentication assertion.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="Identification" type="IdentificationType">
+ <xs:annotation>
+ <xs:documentation>
+ Refers to those characteristics that describe the
+ processes and mechanisms
+ the Authentication Authority uses to initially create
+ an association between a Principal
+ and the identity (or name) by which the Principal will
+ be known
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="PhysicalVerification">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that identification has been
+ performed in a physical
+ face-to-face meeting with the principal and not in an
+ online manner.
+ </xs:documentation>
+ </xs:annotation>
+ <xs:complexType>
+ <xs:attribute name="credentialLevel">
+ <xs:simpleType>
+ <xs:restriction base="xs:NMTOKEN">
+ <xs:enumeration value="primary"/>
+ <xs:enumeration value="secondary"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+ </xs:complexType>
+ </xs:element>
+
+ <xs:element name="WrittenConsent" type="ExtensionOnlyType"/>
+
+ <xs:element name="TechnicalProtection" type="TechnicalProtectionBaseType">
+ <xs:annotation>
+ <xs:documentation>
+ Refers to those characterstics that describe how the
+ 'secret' (the knowledge or possession
+ of which allows the Principal to authenticate to the
+ Authentication Authority) is kept secure
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="SecretKeyProtection" type="SecretKeyProtectionType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates the types and strengths of
+ facilities
+ of a UA used to protect a shared secret key from
+ unauthorized access and/or use.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="PrivateKeyProtection" type="PrivateKeyProtectionType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates the types and strengths of
+ facilities
+ of a UA used to protect a private key from
+ unauthorized access and/or use.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="KeyActivation" type="KeyActivationType">
+ <xs:annotation>
+ <xs:documentation>The actions that must be performed
+ before the private key can be used. </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="KeySharing" type="KeySharingType">
+ <xs:annotation>
+ <xs:documentation>Whether or not the private key is shared
+ with the certificate authority.</xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="KeyStorage" type="KeyStorageType">
+ <xs:annotation>
+ <xs:documentation>
+ In which medium is the key stored.
+ memory - the key is stored in memory.
+ smartcard - the key is stored in a smartcard.
+ token - the key is stored in a hardware token.
+ MobileDevice - the key is stored in a mobile device.
+ MobileAuthCard - the key is stored in a mobile
+ authentication card.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="SubscriberLineNumber" type="ExtensionOnlyType"/>
+ <xs:element name="UserSuffix" type="ExtensionOnlyType"/>
+
+ <xs:element name="Password" type="PasswordType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that a password (or passphrase)
+ has been used to
+ authenticate the Principal to a remote system.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ActivationPin" type="ActivationPinType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that a Pin (Personal
+ Identification Number) has been used to authenticate the Principal to
+ some local system in order to activate a key.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="Token" type="TokenType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that a hardware or software
+ token is used
+ as a method of identifying the Principal.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="TimeSyncToken" type="TimeSyncTokenType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that a time synchronization
+ token is used to identify the Principal. hardware -
+ the time synchonization
+ token has been implemented in hardware. software - the
+ time synchronization
+ token has been implemented in software. SeedLength -
+ the length, in bits, of the
+ random seed used in the time synchronization token.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="Smartcard" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that a smartcard is used to
+ identity the Principal.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="Length" type="LengthType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates the minimum and/or maximum
+ ASCII length of the password which is enforced (by the UA or the
+ IdP). In other words, this is the minimum and/or maximum number of
+ ASCII characters required to represent a valid password.
+ min - the minimum number of ASCII characters required
+ in a valid password, as enforced by the UA or the IdP.
+ max - the maximum number of ASCII characters required
+ in a valid password, as enforced by the UA or the IdP.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ActivationLimit" type="ActivationLimitType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates the length of time for which an
+ PIN-based authentication is valid.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="Generation">
+ <xs:annotation>
+ <xs:documentation>
+ Indicates whether the password was chosen by the
+ Principal or auto-supplied by the Authentication Authority.
+ principalchosen - the Principal is allowed to choose
+ the value of the password. This is true even if
+ the initial password is chosen at random by the UA or
+ the IdP and the Principal is then free to change
+ the password.
+ automatic - the password is chosen by the UA or the
+ IdP to be cryptographically strong in some sense,
+ or to satisfy certain password rules, and that the
+ Principal is not free to change it or to choose a new password.
+ </xs:documentation>
+ </xs:annotation>
+
+ <xs:complexType>
+ <xs:attribute name="mechanism" use="required">
+ <xs:simpleType>
+ <xs:restriction base="xs:NMTOKEN">
+ <xs:enumeration value="principalchosen"/>
+ <xs:enumeration value="automatic"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+ </xs:complexType>
+ </xs:element>
+
+ <xs:element name="AuthnMethod" type="AuthnMethodBaseType">
+ <xs:annotation>
+ <xs:documentation>
+ Refers to those characteristics that define the
+ mechanisms by which the Principal authenticates to the Authentication
+ Authority.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="PrincipalAuthenticationMechanism" type="PrincipalAuthenticationMechanismType">
+ <xs:annotation>
+ <xs:documentation>
+ The method that a Principal employs to perform
+ authentication to local system components.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="Authenticator" type="AuthenticatorBaseType">
+ <xs:annotation>
+ <xs:documentation>
+ The method applied to validate a principal's
+ authentication across a network
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ComplexAuthenticator" type="ComplexAuthenticatorType">
+ <xs:annotation>
+ <xs:documentation>
+ Supports Authenticators with nested combinations of
+ additional complexity.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="PreviousSession" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ Indicates that the Principal has been strongly
+ authenticated in a previous session during which the IdP has set a
+ cookie in the UA. During the present session the Principal has only
+ been authenticated by the UA returning the cookie to the IdP.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ResumeSession" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ Rather like PreviousSession but using stronger
+ security. A secret that was established in a previous session with
+ the Authentication Authority has been cached by the local system and
+ is now re-used (e.g. a Master Secret is used to derive new session
+ keys in TLS, SSL, WTLS).
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ZeroKnowledge" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Principal has been
+ authenticated by a zero knowledge technique as specified in ISO/IEC
+ 9798-5.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="SharedSecretChallengeResponse" type="SharedSecretChallengeResponseType"/>
+
+ <xs:complexType name="SharedSecretChallengeResponseType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Principal has been
+ authenticated by a challenge-response protocol utilizing shared secret
+ keys and symmetric cryptography.
+ </xs:documentation>
+ </xs:annotation>
+ <xs:sequence>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="method" type="xs:anyURI" use="optional"/>
+ </xs:complexType>
+
+ <xs:element name="DigSig" type="PublicKeyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Principal has been
+ authenticated by a mechanism which involves the Principal computing a
+ digital signature over at least challenge data provided by the IdP.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="AsymmetricDecryption" type="PublicKeyType">
+ <xs:annotation>
+ <xs:documentation>
+ The local system has a private key but it is used
+ in decryption mode, rather than signature mode. For example, the
+ Authentication Authority generates a secret and encrypts it using the
+ local system's public key: the local system then proves it has
+ decrypted the secret.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="AsymmetricKeyAgreement" type="PublicKeyType">
+ <xs:annotation>
+ <xs:documentation>
+ The local system has a private key and uses it for
+ shared secret key agreement with the Authentication Authority (e.g.
+ via Diffie Helman).
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:complexType name="PublicKeyType">
+ <xs:sequence>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="keyValidation" use="optional"/>
+ </xs:complexType>
+
+ <xs:element name="IPAddress" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Principal has been
+ authenticated through connection from a particular IP address.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="SharedSecretDynamicPlaintext" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ The local system and Authentication Authority
+ share a secret key. The local system uses this to encrypt a
+ randomised string to pass to the Authentication Authority.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="AuthenticatorTransportProtocol" type="AuthenticatorTransportProtocolType">
+ <xs:annotation>
+ <xs:documentation>
+ The protocol across which Authenticator information is
+ transferred to an Authentication Authority verifier.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="HTTP" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Authenticator has been
+ transmitted using bare HTTP utilizing no additional security
+ protocols.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="IPSec" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Authenticator has been
+ transmitted using a transport mechanism protected by an IPSEC session.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="WTLS" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Authenticator has been
+ transmitted using a transport mechanism protected by a WTLS session.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="MobileNetworkNoEncryption" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Authenticator has been
+ transmitted solely across a mobile network using no additional
+ security mechanism.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="MobileNetworkRadioEncryption" type="ExtensionOnlyType"/>
+ <xs:element name="MobileNetworkEndToEndEncryption" type="ExtensionOnlyType"/>
+
+ <xs:element name="SSL" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Authenticator has been
+ transmitted using a transport mechnanism protected by an SSL or TLS
+ session.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="PSTN" type="ExtensionOnlyType"/>
+ <xs:element name="ISDN" type="ExtensionOnlyType"/>
+ <xs:element name="ADSL" type="ExtensionOnlyType"/>
+
+ <xs:element name="OperationalProtection" type="OperationalProtectionType">
+ <xs:annotation>
+ <xs:documentation>
+ Refers to those characteristics that describe
+ procedural security controls employed by the Authentication Authority.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="SecurityAudit" type="SecurityAuditType"/>
+ <xs:element name="SwitchAudit" type="ExtensionOnlyType"/>
+ <xs:element name="DeactivationCallCenter" type="ExtensionOnlyType"/>
+
+ <xs:element name="GoverningAgreements" type="GoverningAgreementsType">
+ <xs:annotation>
+ <xs:documentation>
+ Provides a mechanism for linking to external (likely
+ human readable) documents in which additional business agreements,
+ (e.g. liability constraints, obligations, etc) can be placed.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="GoverningAgreementRef" type="GoverningAgreementRefType"/>
+
+ <xs:simpleType name="nymType">
+ <xs:restriction base="xs:NMTOKEN">
+ <xs:enumeration value="anonymity"/>
+ <xs:enumeration value="verinymity"/>
+ <xs:enumeration value="pseudonymity"/>
+ </xs:restriction>
+ </xs:simpleType>
+
+ <xs:complexType name="AuthnContextDeclarationBaseType">
+ <xs:sequence>
+ <xs:element ref="Identification" minOccurs="0"/>
+ <xs:element ref="TechnicalProtection" minOccurs="0"/>
+ <xs:element ref="OperationalProtection" minOccurs="0"/>
+ <xs:element ref="AuthnMethod" minOccurs="0"/>
+ <xs:element ref="GoverningAgreements" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="ID" type="xs:ID" use="optional"/>
+ </xs:complexType>
+
+ <xs:complexType name="IdentificationType">
+ <xs:sequence>
+ <xs:element ref="PhysicalVerification" minOccurs="0"/>
+ <xs:element ref="WrittenConsent" minOccurs="0"/>
+ <xs:element ref="GoverningAgreements" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="nym" type="nymType">
+ <xs:annotation>
+ <xs:documentation>
+ This attribute indicates whether or not the
+ Identification mechanisms allow the actions of the Principal to be
+ linked to an actual end user.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
+ </xs:complexType>
+
+ <xs:complexType name="TechnicalProtectionBaseType">
+ <xs:sequence>
+ <xs:choice minOccurs="0">
+ <xs:element ref="PrivateKeyProtection"/>
+ <xs:element ref="SecretKeyProtection"/>
+ </xs:choice>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="OperationalProtectionType">
+ <xs:sequence>
+ <xs:element ref="SecurityAudit" minOccurs="0"/>
+ <xs:element ref="DeactivationCallCenter" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="AuthnMethodBaseType">
+ <xs:sequence>
+ <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+ <xs:element ref="Authenticator" minOccurs="0"/>
+ <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="GoverningAgreementsType">
+ <xs:sequence>
+ <xs:element ref="GoverningAgreementRef" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="GoverningAgreementRefType">
+ <xs:attribute name="governingAgreementRef" type="xs:anyURI" use="required"/>
+ </xs:complexType>
+
+ <xs:complexType name="PrincipalAuthenticationMechanismType">
+ <xs:sequence>
+ <xs:element ref="Password" minOccurs="0"/>
+ <xs:element ref="RestrictedPassword" minOccurs="0"/>
+ <xs:element ref="Token" minOccurs="0"/>
+ <xs:element ref="Smartcard" minOccurs="0"/>
+ <xs:element ref="ActivationPin" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="preauth" type="xs:integer" use="optional"/>
+ </xs:complexType>
+
+ <xs:group name="AuthenticatorChoiceGroup">
+ <xs:choice>
+ <xs:element ref="PreviousSession"/>
+ <xs:element ref="ResumeSession"/>
+ <xs:element ref="DigSig"/>
+ <xs:element ref="Password"/>
+ <xs:element ref="RestrictedPassword"/>
+ <xs:element ref="ZeroKnowledge"/>
+ <xs:element ref="SharedSecretChallengeResponse"/>
+ <xs:element ref="SharedSecretDynamicPlaintext"/>
+ <xs:element ref="IPAddress"/>
+ <xs:element ref="AsymmetricDecryption"/>
+ <xs:element ref="AsymmetricKeyAgreement"/>
+ <xs:element ref="SubscriberLineNumber"/>
+ <xs:element ref="UserSuffix"/>
+ <xs:element ref="ComplexAuthenticator"/>
+ </xs:choice>
+ </xs:group>
+
+ <xs:group name="AuthenticatorSequenceGroup">
+ <xs:sequence>
+ <xs:element ref="PreviousSession" minOccurs="0"/>
+ <xs:element ref="ResumeSession" minOccurs="0"/>
+ <xs:element ref="DigSig" minOccurs="0"/>
+ <xs:element ref="Password" minOccurs="0"/>
+ <xs:element ref="RestrictedPassword" minOccurs="0"/>
+ <xs:element ref="ZeroKnowledge" minOccurs="0"/>
+ <xs:element ref="SharedSecretChallengeResponse" minOccurs="0"/>
+ <xs:element ref="SharedSecretDynamicPlaintext" minOccurs="0"/>
+ <xs:element ref="IPAddress" minOccurs="0"/>
+ <xs:element ref="AsymmetricDecryption" minOccurs="0"/>
+ <xs:element ref="AsymmetricKeyAgreement" minOccurs="0"/>
+ <xs:element ref="SubscriberLineNumber" minOccurs="0"/>
+ <xs:element ref="UserSuffix" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:group>
+
+ <xs:complexType name="AuthenticatorBaseType">
+ <xs:sequence>
+ <xs:group ref="AuthenticatorChoiceGroup"/>
+ <xs:group ref="AuthenticatorSequenceGroup"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="ComplexAuthenticatorType">
+ <xs:sequence>
+ <xs:group ref="AuthenticatorChoiceGroup"/>
+ <xs:group ref="AuthenticatorSequenceGroup"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="AuthenticatorTransportProtocolType">
+ <xs:sequence>
+ <xs:choice minOccurs="0">
+ <xs:element ref="HTTP"/>
+ <xs:element ref="SSL"/>
+ <xs:element ref="MobileNetworkNoEncryption"/>
+ <xs:element ref="MobileNetworkRadioEncryption"/>
+ <xs:element ref="MobileNetworkEndToEndEncryption"/>
+ <xs:element ref="WTLS"/>
+ <xs:element ref="IPSec"/>
+ <xs:element ref="PSTN"/>
+ <xs:element ref="ISDN"/>
+ <xs:element ref="ADSL"/>
+ </xs:choice>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="KeyActivationType">
+ <xs:sequence>
+ <xs:element ref="ActivationPin" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="KeySharingType">
+ <xs:attribute name="sharing" type="xs:boolean" use="required"/>
+ </xs:complexType>
+
+ <xs:complexType name="PrivateKeyProtectionType">
+ <xs:sequence>
+ <xs:element ref="KeyActivation" minOccurs="0"/>
+ <xs:element ref="KeyStorage" minOccurs="0"/>
+ <xs:element ref="KeySharing" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="PasswordType">
+ <xs:sequence>
+ <xs:element ref="Length" minOccurs="0"/>
+ <xs:element ref="Alphabet" minOccurs="0"/>
+ <xs:element ref="Generation" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
+ </xs:complexType>
+
+ <xs:element name="RestrictedPassword" type="RestrictedPasswordType"/>
+
+ <xs:complexType name="RestrictedPasswordType">
+ <xs:complexContent>
+ <xs:restriction base="PasswordType">
+ <xs:sequence>
+ <xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>
+ <xs:element ref="Generation" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
+ </xs:restriction>
+ </xs:complexContent>
+ </xs:complexType>
+
+ <xs:complexType name="RestrictedLengthType">
+ <xs:complexContent>
+ <xs:restriction base="LengthType">
+ <xs:attribute name="min" use="required">
+ <xs:simpleType>
+ <xs:restriction base="xs:integer">
+ <xs:minInclusive value="3"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+ <xs:attribute name="max" type="xs:integer" use="optional"/>
+ </xs:restriction>
+ </xs:complexContent>
+ </xs:complexType>
+
+ <xs:complexType name="ActivationPinType">
+ <xs:sequence>
+ <xs:element ref="Length" minOccurs="0"/>
+ <xs:element ref="Alphabet" minOccurs="0"/>
+ <xs:element ref="Generation" minOccurs="0"/>
+ <xs:element ref="ActivationLimit" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:element name="Alphabet" type="AlphabetType"/>
+ <xs:complexType name="AlphabetType">
+ <xs:attribute name="requiredChars" type="xs:string" use="required"/>
+ <xs:attribute name="excludedChars" type="xs:string" use="optional"/>
+ <xs:attribute name="case" type="xs:string" use="optional"/>
+ </xs:complexType>
+
+ <xs:complexType name="TokenType">
+ <xs:sequence>
+ <xs:element ref="TimeSyncToken"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:simpleType name="DeviceTypeType">
+ <xs:restriction base="xs:NMTOKEN">
+ <xs:enumeration value="hardware"/>
+ <xs:enumeration value="software"/>
+ </xs:restriction>
+ </xs:simpleType>
+
+ <xs:simpleType name="booleanType">
+ <xs:restriction base="xs:NMTOKEN">
+ <xs:enumeration value="true"/>
+ <xs:enumeration value="false"/>
+ </xs:restriction>
+ </xs:simpleType>
+
+ <xs:complexType name="TimeSyncTokenType">
+ <xs:attribute name="DeviceType" type="DeviceTypeType" use="required"/>
+ <xs:attribute name="SeedLength" type="xs:integer" use="required"/>
+ <xs:attribute name="DeviceInHand" type="booleanType" use="required"/>
+ </xs:complexType>
+
+ <xs:complexType name="ActivationLimitType">
+ <xs:choice>
+ <xs:element ref="ActivationLimitDuration"/>
+ <xs:element ref="ActivationLimitUsages"/>
+ <xs:element ref="ActivationLimitSession"/>
+ </xs:choice>
+ </xs:complexType>
+
+ <xs:element name="ActivationLimitDuration" type="ActivationLimitDurationType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Key Activation Limit is
+ defined as a specific duration of time.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ActivationLimitUsages" type="ActivationLimitUsagesType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Key Activation Limit is
+ defined as a number of usages.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ActivationLimitSession" type="ActivationLimitSessionType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Key Activation Limit is
+ the session.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:complexType name="ActivationLimitDurationType">
+ <xs:attribute name="duration" type="xs:duration" use="required"/>
+ </xs:complexType>
+
+ <xs:complexType name="ActivationLimitUsagesType">
+ <xs:attribute name="number" type="xs:integer" use="required"/>
+ </xs:complexType>
+
+ <xs:complexType name="ActivationLimitSessionType"/>
+
+ <xs:complexType name="LengthType">
+ <xs:attribute name="min" type="xs:integer" use="required"/>
+ <xs:attribute name="max" type="xs:integer" use="optional"/>
+ </xs:complexType>
+
+ <xs:simpleType name="mediumType">
+ <xs:restriction base="xs:NMTOKEN">
+ <xs:enumeration value="memory"/>
+ <xs:enumeration value="smartcard"/>
+ <xs:enumeration value="token"/>
+ <xs:enumeration value="MobileDevice"/>
+ <xs:enumeration value="MobileAuthCard"/>
+ </xs:restriction>
+ </xs:simpleType>
+
+ <xs:complexType name="KeyStorageType">
+ <xs:attribute name="medium" type="mediumType" use="required"/>
+ </xs:complexType>
+
+ <xs:complexType name="SecretKeyProtectionType">
+ <xs:sequence>
+ <xs:element ref="KeyActivation" minOccurs="0"/>
+ <xs:element ref="KeyStorage" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="SecurityAuditType">
+ <xs:sequence>
+ <xs:element ref="SwitchAudit" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="ExtensionOnlyType">
+ <xs:sequence>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:element name="Extension" type="ExtensionType"/>
+
+ <xs:complexType name="ExtensionType">
+ <xs:sequence>
+ <xs:any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+</xs:schema>