1 <?xml version="1.0" encoding="US-ASCII"?>
2 <schema targetNamespace="urn:mace:shibboleth:2.0:native:sp:config"
3 xmlns="http://www.w3.org/2001/XMLSchema"
4 xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
5 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
6 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
7 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
8 elementFormDefault="qualified"
9 attributeFormDefault="unqualified"
10 blockDefault="substitution"
13 <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>
14 <import namespace="urn:oasis:names:tc:SAML:2.0:protocol" schemaLocation="saml-schema-protocol-2.0.xsd"/>
15 <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
19 2.0 schema for XML-based configuration of Shibboleth Native SP instances.
20 First appearing in Shibboleth 2.0 release.
24 <simpleType name="string">
25 <restriction base="string">
26 <minLength value="1"/>
30 <simpleType name="listOfStrings">
31 <list itemType="conf:string"/>
34 <simpleType name="listOfURIs">
35 <list itemType="anyURI"/>
38 <simpleType name="bindingBoolean">
39 <restriction base="string">
40 <enumeration value="true"/>
41 <enumeration value="false"/>
42 <enumeration value="front"/>
43 <enumeration value="back"/>
47 <complexType name="PluggableType">
49 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
51 <attribute name="type" type="conf:string" use="required"/>
52 <anyAttribute namespace="##any" processContents="skip"/>
55 <element name="SPConfig">
58 <documentation>Root of configuration</documentation>
61 <element ref="conf:Extensions" minOccurs="0"/>
62 <element ref="conf:OutOfProcess"/>
63 <element ref="conf:InProcess"/>
64 <choice minOccurs="0">
65 <element name="UnixListener">
67 <attribute name="address" type="conf:string" use="required"/>
68 <attribute name="stackSize" type="unsignedInt"/>
71 <element name="TCPListener">
73 <attribute name="address" type="conf:string" use="required"/>
74 <attribute name="port" type="unsignedInt" use="required"/>
75 <attribute name="acl" type="conf:listOfStrings"/>
76 <attribute name="stackSize" type="unsignedInt"/>
79 <element name="Listener" type="conf:PluggableType"/>
81 <element ref="conf:StorageService" minOccurs="0" maxOccurs="unbounded"/>
82 <element ref="conf:SessionCache" minOccurs="0"/>
83 <element ref="conf:ReplayCache" minOccurs="0"/>
84 <element ref="conf:ArtifactMap" minOccurs="0"/>
85 <element name="RequestMapper" type="conf:PluggableType" minOccurs="0"/>
86 <element ref="conf:ApplicationDefaults"/>
87 <element ref="conf:SecurityPolicies"/>
88 <element ref="conf:TransportOption" minOccurs="0" maxOccurs="unbounded"/>
90 <attribute name="logger" type="anyURI"/>
91 <attribute name="clockSkew" type="unsignedInt"/>
92 <attribute name="unsafeChars" type="conf:string"/>
93 <attribute name="allowedSchemes" type="conf:listOfStrings"/>
94 <anyAttribute namespace="##other" processContents="lax"/>
98 <element name="Extensions">
100 <documentation>Container for extension libraries and custom configuration</documentation>
104 <element name="Library" minOccurs="0" maxOccurs="unbounded">
107 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
109 <attribute name="path" type="anyURI" use="required"/>
110 <attribute name="fatal" type="boolean"/>
111 <anyAttribute namespace="##any" processContents="skip"/>
114 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
119 <element name="StorageService">
121 <documentation>References StorageService plugins</documentation>
125 <restriction base="conf:PluggableType">
127 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
129 <attribute name="id" type="ID" use="required"/>
130 <attribute name="cleanupInterval" type="unsignedInt"/>
131 <anyAttribute namespace="##any" processContents="skip"/>
137 <element name="SessionCache">
139 <documentation>References SessionCache plugins</documentation>
143 <restriction base="conf:PluggableType">
145 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
147 <attribute name="StorageService" type="IDREF"/>
148 <attribute name="cacheTimeout" type="unsignedInt"/>
149 <anyAttribute namespace="##any" processContents="skip"/>
155 <element name="ReplayCache">
157 <documentation>Ties ReplayCache to a custom StorageService</documentation>
161 <attribute name="StorageService" type="IDREF" use="required"/>
165 <element name="ArtifactMap">
167 <documentation>Customizes an ArtifactMap</documentation>
171 <attribute name="StorageService" type="IDREF"/>
172 <attribute name="context" type="conf:string"/>
173 <attribute name="artifactTTL" type="unsignedInt"/>
177 <element name="OutOfProcess">
179 <documentation>Container for out-of-process (shibd) configuration</documentation>
183 <element ref="conf:Extensions" minOccurs="0"/>
184 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
186 <attribute name="logger" type="anyURI"/>
187 <attribute name="catchAll" type="boolean"/>
188 <anyAttribute namespace="##other" processContents="lax"/>
192 <element name="InProcess">
195 Container for configuration of locally integrated or platform-specific
196 features (e.g. web server filters)
201 <element ref="conf:Extensions" minOccurs="0"/>
202 <element ref="conf:ISAPI" minOccurs="0"/>
203 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
205 <attribute name="logger" type="anyURI"/>
206 <attribute name="unsetHeaderValue" type="conf:string"/>
207 <attribute name="checkSpoofing" type="boolean"/>
208 <attribute name="spoofKey" type="conf:string"/>
209 <attribute name="catchAll" type="boolean"/>
210 <anyAttribute namespace="##other" processContents="lax"/>
214 <element name="ISAPI">
217 <element name="Site" maxOccurs="unbounded">
220 <element name="Alias" type="string" minOccurs="0" maxOccurs="unbounded"/>
222 <attribute name="id" type="unsignedInt" use="required"/>
223 <attribute name="name" type="conf:string" use="required"/>
224 <attribute name="port" type="unsignedInt"/>
225 <attribute name="sslport" type="unsignedInt"/>
226 <attribute name="scheme" type="conf:string"/>
229 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
231 <attribute name="normalizeRequest" type="boolean"/>
232 <attribute name="safeHeaderNames" type="boolean"/>
233 <anyAttribute namespace="##other" processContents="lax"/>
237 <element name="AccessControl" type="conf:UniOperatorType">
240 A simple example access policy language extension that supersedes Apache .htaccess
244 <element name="OR" type="conf:MultiOperatorType"/>
245 <element name="AND" type="conf:MultiOperatorType"/>
246 <element name="NOT" type="conf:UniOperatorType"/>
247 <complexType name="UniOperatorType">
249 <element ref="conf:AND"/>
250 <element ref="conf:OR"/>
251 <element ref="conf:NOT"/>
252 <element ref="conf:Rule"/>
253 <element ref="conf:RuleRegex"/>
256 <complexType name="MultiOperatorType">
257 <choice minOccurs="2" maxOccurs="unbounded">
258 <element ref="conf:AND"/>
259 <element ref="conf:OR"/>
260 <element ref="conf:NOT"/>
261 <element ref="conf:Rule"/>
262 <element ref="conf:RuleRegex"/>
265 <element name="Rule">
268 <extension base="conf:listOfStrings">
269 <attribute name="require" type="conf:string" use="required"/>
270 <attribute name="list" type="boolean"/>
275 <element name="RuleRegex">
278 <extension base="conf:string">
279 <attribute name="require" type="conf:string" use="required"/>
280 <attribute name="ignoreCase" type="boolean"/>
286 <attributeGroup name="ContentSettings">
287 <attribute name="authType" type="conf:string"/>
288 <attribute name="requireSession" type="boolean"/>
289 <attribute name="requireSessionWith" type="conf:string"/>
290 <attribute name="exportAssertion" type="boolean"/>
291 <attribute name="redirectToSSL" type="unsignedInt"/>
292 <attribute name="entityID" type="anyURI"/>
293 <attribute name="discoveryURL" type="anyURI"/>
294 <attribute name="isPassive" type="boolean"/>
295 <attribute name="forceAuthn" type="boolean"/>
296 <attribute name="authnContextClassRef" type="anyURI"/>
297 <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
298 <attribute name="NameIDFormat" type="anyURI"/>
299 <attribute name="SPNameQualifier" type="conf:string"/>
300 <attribute name="redirectErrors" type="anyURI"/>
301 <attribute name="sessionError" type="anyURI"/>
302 <attribute name="metadataError" type="anyURI"/>
303 <attribute name="accessError" type="anyURI"/>
304 <attribute name="sslError" type="anyURI"/>
305 <attribute name="REMOTE_ADDR" type="conf:string"/>
306 <anyAttribute namespace="##other" processContents="lax"/>
308 <element name="AccessControlProvider" type="conf:PluggableType"/>
309 <element name="htaccess" type="conf:PluggableType"/>
311 <element name="RequestMap">
314 Built-in request mapping syntax, decomposes URLs into Host/Path/Path/...
319 <choice minOccurs="0">
320 <element ref="conf:htaccess"/>
321 <element ref="conf:AccessControl"/>
322 <element ref="conf:AccessControlProvider"/>
324 <choice minOccurs="0" maxOccurs="unbounded">
325 <element ref="conf:Host"/>
326 <element ref="conf:HostRegex"/>
329 <attribute name="applicationId" type="conf:string" fixed="default"/>
330 <attributeGroup ref="conf:ContentSettings"/>
334 <element name="Host">
337 <choice minOccurs="0">
338 <element ref="conf:htaccess"/>
339 <element ref="conf:AccessControl"/>
340 <element ref="conf:AccessControlProvider"/>
342 <choice minOccurs="0" maxOccurs="unbounded">
343 <element ref="conf:Path"/>
344 <element ref="conf:PathRegex"/>
345 <element ref="conf:Query"/>
348 <attribute name="scheme">
350 <restriction base="conf:string">
351 <enumeration value="http"/>
352 <enumeration value="https"/>
353 <enumeration value="ftp"/>
354 <enumeration value="ldap"/>
355 <enumeration value="ldaps"/>
359 <attribute name="name" type="conf:string" use="required"/>
360 <attribute name="port" type="unsignedInt"/>
361 <attribute name="applicationId" type="conf:string"/>
362 <attributeGroup ref="conf:ContentSettings"/>
366 <element name="HostRegex">
369 <choice minOccurs="0">
370 <element ref="conf:htaccess"/>
371 <element ref="conf:AccessControl"/>
372 <element ref="conf:AccessControlProvider"/>
374 <choice minOccurs="0" maxOccurs="unbounded">
375 <element ref="conf:Path"/>
376 <element ref="conf:PathRegex"/>
377 <element ref="conf:Query"/>
380 <attribute name="regex" type="conf:string" use="required"/>
381 <attribute name="ignoreCase" type="boolean"/>
382 <attribute name="applicationId" type="conf:string"/>
383 <attributeGroup ref="conf:ContentSettings"/>
387 <element name="Path">
390 <choice minOccurs="0">
391 <element ref="conf:htaccess"/>
392 <element ref="conf:AccessControl"/>
393 <element ref="conf:AccessControlProvider"/>
395 <choice minOccurs="0" maxOccurs="unbounded">
396 <element ref="conf:Path"/>
397 <element ref="conf:PathRegex"/>
398 <element ref="conf:Query"/>
401 <attribute name="name" type="conf:string" use="required"/>
402 <attribute name="applicationId" type="conf:string"/>
403 <attributeGroup ref="conf:ContentSettings"/>
407 <element name="PathRegex">
410 <choice minOccurs="0">
411 <element ref="conf:htaccess"/>
412 <element ref="conf:AccessControl"/>
413 <element ref="conf:AccessControlProvider"/>
415 <element ref="conf:Query" minOccurs="0" maxOccurs="unbounded"/>
417 <attribute name="regex" type="conf:string" use="required"/>
418 <attribute name="ignoreCase" type="boolean"/>
419 <attribute name="applicationId" type="conf:string"/>
420 <attributeGroup ref="conf:ContentSettings"/>
424 <element name="Query">
427 <choice minOccurs="0">
428 <element ref="conf:htaccess"/>
429 <element ref="conf:AccessControl"/>
430 <element ref="conf:AccessControlProvider"/>
432 <element ref="conf:Query" minOccurs="0" maxOccurs="unbounded"/>
434 <attribute name="name" type="conf:string" use="required"/>
435 <attribute name="regex" type="conf:string"/>
436 <attributeGroup ref="conf:ContentSettings"/>
440 <element name="ApplicationDefaults">
442 <documentation>Container for default settings and application-specific overrides</documentation>
446 <element ref="conf:Sessions"/>
447 <element ref="conf:Errors" minOccurs="0"/>
448 <element ref="conf:RelyingParty" minOccurs="0" maxOccurs="unbounded"/>
449 <element ref="conf:Notify" minOccurs="0" maxOccurs="unbounded"/>
450 <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
451 <element name="MetadataProvider" type="conf:PluggableType"/>
452 <element name="TrustEngine" type="conf:PluggableType"/>
453 <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
454 <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
455 <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
456 <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
457 <element ref="conf:ApplicationOverride" minOccurs="0" maxOccurs="unbounded"/>
459 <attribute name="id" type="conf:string" fixed="default"/>
460 <attribute name="entityID" type="anyURI" use="required"/>
461 <attribute name="policyId" type="conf:string" use="required"/>
462 <attributeGroup ref="conf:ApplicationGroup"/>
463 <attributeGroup ref="conf:RelyingPartyGroup"/>
464 <anyAttribute namespace="##other" processContents="lax"/>
468 <element name="ApplicationOverride">
470 <documentation>Container for application-specific overrides</documentation>
474 <element ref="conf:Sessions" minOccurs="0"/>
475 <element ref="conf:Errors" minOccurs="0"/>
476 <element ref="conf:RelyingParty" minOccurs="0" maxOccurs="unbounded"/>
477 <element ref="conf:Notify" minOccurs="0" maxOccurs="unbounded"/>
478 <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
479 <element name="MetadataProvider" type="conf:PluggableType" minOccurs="0"/>
480 <element name="TrustEngine" type="conf:PluggableType" minOccurs="0"/>
481 <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
482 <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
483 <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
484 <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
486 <attribute name="id" type="conf:string" use="required"/>
487 <attribute name="entityID" type="anyURI"/>
488 <attribute name="policyId" type="conf:string"/>
489 <attributeGroup ref="conf:ApplicationGroup"/>
490 <attributeGroup ref="conf:RelyingPartyGroup"/>
491 <anyAttribute namespace="##other" processContents="lax"/>
495 <attributeGroup name="ApplicationGroup">
496 <attribute name="homeURL" type="anyURI"/>
497 <attribute name="REMOTE_USER" type="conf:listOfStrings"/>
498 <attribute name="unsetHeaders" type="conf:listOfStrings"/>
499 <attribute name="metadataAttributePrefix" type="conf:string"/>
500 <attribute name="attributePrefix" type="conf:string"/>
503 <attributeGroup name="RelyingPartyGroup">
504 <attribute name="authType" type="conf:string"/>
505 <attribute name="authUsername" type="conf:string"/>
506 <attribute name="authPassword" type="conf:string"/>
507 <attribute name="signing" type="conf:bindingBoolean"/>
508 <attribute name="signingAlg" type="anyURI"/>
509 <attribute name="digestAlg" type="anyURI"/>
510 <attribute name="encryption" type="conf:bindingBoolean"/>
511 <attribute name="encryptionAlg" type="anyURI"/>
512 <attribute name="keyName" type="conf:string"/>
513 <attribute name="artifactEndpointIndex" type="unsignedShort"/>
514 <attribute name="chunkedEncoding" type="boolean"/>
515 <attribute name="connectTimeout" type="unsignedShort"/>
516 <attribute name="timeout" type="unsignedShort"/>
517 <attribute name="requireConfidentiality" type="boolean"/>
518 <attribute name="requireTransportAuth" type="boolean"/>
519 <attribute name="requireSignedAssertions" type="boolean"/>
522 <element name="Sessions">
524 <documentation>Container for specifying protocol handlers and session policy</documentation>
527 <choice minOccurs="0" maxOccurs="unbounded">
528 <element ref="conf:SessionInitiator"/>
529 <element ref="conf:LogoutInitiator"/>
530 <element ref="md:AssertionConsumerService"/>
531 <element ref="md:ArtifactResolutionService"/>
532 <element ref="md:SingleLogoutService"/>
533 <element ref="md:ManageNameIDService"/>
534 <element name="Handler">
537 <restriction base="conf:PluggableType">
539 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
541 <attribute name="Location" type="anyURI" use="required"/>
542 <attribute name="acl" type="conf:listOfStrings"/>
543 <anyAttribute namespace="##any" processContents="skip"/>
549 <attribute name="handlerURL" type="anyURI" use="required"/>
550 <attribute name="handlerSSL" type="boolean"/>
551 <attribute name="exportLocation" type="conf:string"/>
552 <attribute name="exportACL" type="conf:listOfStrings"/>
553 <attribute name="cookieName" type="conf:string"/>
554 <attribute name="cookieProps" type="conf:string"/>
555 <attribute name="cookieLifetime" type="unsignedInt"/>
556 <attribute name="idpHistory" type="boolean"/>
557 <attribute name="idpHistoryDays" type="unsignedInt"/>
558 <attribute name="lifetime" type="unsignedInt"/>
559 <attribute name="timeout" type="unsignedInt"/>
560 <attribute name="maxTimeSinceAuthn" type="unsignedInt"/>
561 <attribute name="checkAddress" type="boolean"/>
562 <attribute name="consistentAddress" type="boolean"/>
563 <attribute name="postData" type="conf:string"/>
564 <attribute name="postLimit" type="positiveInteger"/>
565 <attribute name="postTemplate" type="conf:string"/>
566 <attribute name="postExpire" type="boolean"/>
567 <anyAttribute namespace="##other" processContents="lax"/>
571 <attribute name="policyId" type="conf:string">
573 <documentation>Used to reference Policy elements from profile endpoints.</documentation>
577 <element name="SessionInitiator">
579 <documentation>Used to specify handlers that can issue AuthnRequests or perform discovery</documentation>
583 <restriction base="conf:PluggableType">
585 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
587 <attribute name="Location" type="anyURI"/>
588 <attribute name="id" type="conf:string"/>
589 <attribute name="isDefault" type="boolean"/>
590 <attribute name="relayState" type="conf:string"/>
591 <attribute name="entityIDParam" type="conf:string"/>
592 <attribute name="entityID" type="anyURI"/>
593 <attribute name="URL" type="anyURI"/>
594 <attribute name="outgoingBindings" type="conf:listOfURIs"/>
595 <attribute name="template" type="anyURI"/>
596 <attribute name="postArtifact" type="boolean"/>
597 <attribute name="acsByIndex" type="boolean"/>
598 <attribute name="acsIndex" type="unsignedShort"/>
599 <attribute name="defaultACSIndex" type="unsignedShort"/> <!-- deprecated -->
600 <attribute name="isPassive" type="boolean"/>
601 <attribute name="forceAuthn" type="boolean"/>
602 <attribute name="authnContextClassRef" type="anyURI"/>
603 <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
604 <attribute name="NameIDFormat" type="anyURI"/>
605 <attribute name="SPNameQualifier" type="conf:string"/>
606 <attribute name="requestDelegation" type="boolean"/>
607 <anyAttribute namespace="##any" processContents="skip"/>
613 <element name="LogoutInitiator">
615 <documentation>Used to specify handlers that can issue LogoutRequests</documentation>
619 <restriction base="conf:PluggableType">
621 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
623 <attribute name="Location" type="anyURI"/>
624 <attribute name="relayState" type="conf:string"/>
625 <attribute name="outgoingBindings" type="conf:listOfURIs"/>
626 <attribute name="template" type="anyURI"/>
627 <attribute name="postArtifact" type="boolean"/>
628 <anyAttribute namespace="##any" processContents="skip"/>
634 <element name="Errors">
636 <documentation>Container for error templates and associated details</documentation>
640 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
642 <attribute name="redirectErrors" type="anyURI"/>
643 <attribute name="session" type="anyURI"/>
644 <attribute name="metadata" type="anyURI"/>
645 <attribute name="access" type="anyURI"/>
646 <attribute name="ssl" type="anyURI"/>
647 <attribute name="localLogout" type="anyURI"/>
648 <attribute name="globalLogout" type="anyURI"/>
649 <attribute name="partialLogout" type="anyURI"/>
650 <attribute name="supportContact" type="conf:string"/>
651 <attribute name="logoLocation" type="anyURI"/>
652 <attribute name="styleSheet" type="anyURI"/>
653 <anyAttribute namespace="##any" processContents="skip"/>
657 <element name="RelyingParty">
659 <documentation>Container for specifying settings to use with particular peers</documentation>
663 <attribute name="Name" type="conf:string" use="required"/>
664 <attributeGroup ref="conf:RelyingPartyGroup"/>
665 <attribute name="entityID" type="anyURI"/>
666 <anyAttribute namespace="##other" processContents="lax"/>
670 <element name="Notify">
672 <documentation>Used to specify locations to receive application notifications</documentation>
676 <attribute name="Channel" use="required">
678 <restriction base="string">
679 <enumeration value="front"/>
680 <enumeration value="back"/>
684 <attribute name="Location" type="anyURI" use="required"/>
685 <anyAttribute namespace="##any" processContents="skip"/>
689 <element name="SecurityPolicies">
691 <documentation>Container for specifying sets of policy rules to apply to incoming messages</documentation>
695 <element name="Policy" minOccurs="1" maxOccurs="unbounded">
697 <documentation>Specifies a set of SecurityPolicyRule plugins</documentation>
701 <element name="Rule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
702 <element name="PolicyRule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
704 <attribute name="id" type="conf:string" use="required"/>
705 <attribute name="validate" type="boolean"/>
706 <anyAttribute namespace="##any" processContents="skip"/>
713 <element name="TransportOption">
715 <documentation>Implementation-specific option to pass to SOAPTransport provider.</documentation>
719 <extension base="anySimpleType">
720 <attribute name="provider" type="conf:string" use="required"/>
721 <attribute name="option" type="conf:string" use="required"/>