1 <?xml version="1.0" encoding="US-ASCII"?>
2 <schema targetNamespace="urn:mace:shibboleth:2.0:native:sp:config"
3 xmlns="http://www.w3.org/2001/XMLSchema"
4 xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
5 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
6 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
7 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
8 elementFormDefault="qualified"
9 attributeFormDefault="unqualified"
10 blockDefault="substitution"
13 <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>
14 <import namespace="urn:oasis:names:tc:SAML:2.0:protocol" schemaLocation="saml-schema-protocol-2.0.xsd"/>
15 <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
19 2.0 schema for XML-based configuration of Shibboleth Native SP instances.
20 First appearing in Shibboleth 2.0 release.
24 <simpleType name="string">
25 <restriction base="string">
26 <minLength value="1"/>
30 <simpleType name="listOfStrings">
31 <list itemType="conf:string"/>
34 <simpleType name="listOfURIs">
35 <list itemType="anyURI"/>
38 <simpleType name="bindingBoolean">
39 <restriction base="string">
40 <enumeration value="true"/>
41 <enumeration value="false"/>
42 <enumeration value="front"/>
43 <enumeration value="back"/>
47 <complexType name="PluggableType">
49 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
51 <attribute name="type" type="conf:string" use="required"/>
52 <anyAttribute namespace="##any" processContents="skip"/>
55 <element name="SPConfig">
58 <documentation>Root of configuration</documentation>
61 <element ref="conf:Extensions" minOccurs="0"/>
62 <element ref="conf:OutOfProcess"/>
63 <element ref="conf:InProcess"/>
64 <choice minOccurs="0">
65 <element name="UnixListener">
67 <attribute name="address" type="conf:string" use="required"/>
68 <attribute name="stackSize" type="unsignedInt"/>
71 <element name="TCPListener">
73 <attribute name="address" type="conf:string" use="required"/>
74 <attribute name="port" type="unsignedInt" use="required"/>
75 <attribute name="acl" type="conf:listOfStrings"/>
76 <attribute name="stackSize" type="unsignedInt"/>
79 <element name="Listener" type="conf:PluggableType"/>
81 <element ref="conf:StorageService" minOccurs="0" maxOccurs="unbounded"/>
82 <element ref="conf:SessionCache" minOccurs="0"/>
83 <element ref="conf:ReplayCache" minOccurs="0"/>
84 <element ref="conf:ArtifactMap" minOccurs="0"/>
85 <element name="RequestMapper" type="conf:PluggableType" minOccurs="0"/>
86 <element ref="conf:ApplicationDefaults"/>
87 <element ref="conf:SecurityPolicies"/>
88 <element ref="conf:TransportOption" minOccurs="0" maxOccurs="unbounded"/>
90 <attribute name="logger" type="anyURI"/>
91 <attribute name="clockSkew" type="unsignedInt"/>
92 <attribute name="unsafeChars" type="conf:string"/>
93 <attribute name="allowedSchemes" type="conf:listOfStrings"/>
94 <anyAttribute namespace="##other" processContents="lax"/>
98 <element name="Extensions">
100 <documentation>Container for extension libraries and custom configuration</documentation>
104 <element name="Library" minOccurs="0" maxOccurs="unbounded">
107 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
109 <attribute name="path" type="anyURI" use="required"/>
110 <attribute name="fatal" type="boolean"/>
111 <anyAttribute namespace="##any" processContents="skip"/>
114 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
119 <element name="StorageService">
121 <documentation>References StorageService plugins</documentation>
125 <restriction base="conf:PluggableType">
127 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
129 <attribute name="id" type="ID" use="required"/>
130 <attribute name="cleanupInterval" type="unsignedInt"/>
131 <anyAttribute namespace="##any" processContents="skip"/>
137 <element name="SessionCache">
139 <documentation>References SessionCache plugins</documentation>
143 <restriction base="conf:PluggableType">
145 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
147 <attribute name="StorageService" type="IDREF"/>
148 <attribute name="cacheTimeout" type="unsignedInt"/>
149 <anyAttribute namespace="##any" processContents="skip"/>
155 <element name="ReplayCache">
157 <documentation>Ties ReplayCache to a custom StorageService</documentation>
161 <attribute name="StorageService" type="IDREF" use="required"/>
165 <element name="ArtifactMap">
167 <documentation>Customizes an ArtifactMap</documentation>
171 <attribute name="StorageService" type="IDREF"/>
172 <attribute name="context" type="conf:string"/>
173 <attribute name="artifactTTL" type="unsignedInt"/>
177 <element name="OutOfProcess">
179 <documentation>Container for out-of-process (shibd) configuration</documentation>
183 <element ref="conf:Extensions" minOccurs="0"/>
184 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
186 <attribute name="logger" type="anyURI"/>
187 <attribute name="catchAll" type="boolean"/>
188 <anyAttribute namespace="##other" processContents="lax"/>
192 <element name="InProcess">
195 Container for configuration of locally integrated or platform-specific
196 features (e.g. web server filters)
201 <element ref="conf:Extensions" minOccurs="0"/>
202 <element ref="conf:ISAPI" minOccurs="0"/>
203 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
205 <attribute name="logger" type="anyURI"/>
206 <attribute name="unsetHeaderValue" type="conf:string"/>
207 <attribute name="checkSpoofing" type="boolean"/>
208 <attribute name="spoofKey" type="conf:string"/>
209 <attribute name="catchAll" type="boolean"/>
210 <anyAttribute namespace="##other" processContents="lax"/>
214 <element name="ISAPI">
217 <element name="Site" maxOccurs="unbounded">
220 <element name="Alias" type="string" minOccurs="0" maxOccurs="unbounded"/>
222 <attribute name="id" type="unsignedInt" use="required"/>
223 <attribute name="name" type="conf:string" use="required"/>
224 <attribute name="port" type="unsignedInt"/>
225 <attribute name="sslport" type="unsignedInt"/>
226 <attribute name="scheme" type="conf:string"/>
229 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
231 <attribute name="normalizeRequest" type="boolean"/>
232 <attribute name="safeHeaderNames" type="boolean"/>
233 <anyAttribute namespace="##other" processContents="lax"/>
237 <element name="AccessControl" type="conf:UniOperatorType">
240 A simple example access policy language extension that supersedes Apache .htaccess
244 <element name="OR" type="conf:MultiOperatorType"/>
245 <element name="AND" type="conf:MultiOperatorType"/>
246 <element name="NOT" type="conf:UniOperatorType"/>
247 <complexType name="UniOperatorType">
249 <element ref="conf:AND"/>
250 <element ref="conf:OR"/>
251 <element ref="conf:NOT"/>
252 <element ref="conf:Rule"/>
253 <element ref="conf:RuleRegex"/>
256 <complexType name="MultiOperatorType">
257 <choice minOccurs="2" maxOccurs="unbounded">
258 <element ref="conf:AND"/>
259 <element ref="conf:OR"/>
260 <element ref="conf:NOT"/>
261 <element ref="conf:Rule"/>
262 <element ref="conf:RuleRegex"/>
265 <element name="Rule">
268 <extension base="conf:listOfStrings">
269 <attribute name="require" type="conf:string" use="required"/>
270 <attribute name="list" type="boolean"/>
275 <element name="RuleRegex">
278 <extension base="conf:string">
279 <attribute name="require" type="conf:string" use="required"/>
280 <attribute name="ignoreCase" type="boolean"/>
286 <attributeGroup name="ContentSettings">
287 <attribute name="authType" type="conf:string"/>
288 <attribute name="requireSession" type="boolean"/>
289 <attribute name="requireSessionWith" type="conf:string"/>
290 <attribute name="exportAssertion" type="boolean"/>
291 <attribute name="redirectToSSL" type="unsignedInt"/>
292 <attribute name="entityID" type="anyURI"/>
293 <attribute name="discoveryURL" type="anyURI"/>
294 <attribute name="isPassive" type="boolean"/>
295 <attribute name="returnOnError" type="boolean"/>
296 <attribute name="forceAuthn" type="boolean"/>
297 <attribute name="authnContextClassRef" type="anyURI"/>
298 <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
299 <attribute name="NameIDFormat" type="anyURI"/>
300 <attribute name="SPNameQualifier" type="conf:string"/>
301 <attribute name="redirectErrors" type="anyURI"/>
302 <attribute name="sessionError" type="anyURI"/>
303 <attribute name="metadataError" type="anyURI"/>
304 <attribute name="accessError" type="anyURI"/>
305 <attribute name="sslError" type="anyURI"/>
306 <attribute name="REMOTE_ADDR" type="conf:string"/>
307 <anyAttribute namespace="##other" processContents="lax"/>
309 <element name="AccessControlProvider" type="conf:PluggableType"/>
310 <element name="htaccess" type="conf:PluggableType"/>
312 <element name="RequestMap">
315 Built-in request mapping syntax, decomposes URLs into Host/Path/Path/...
320 <choice minOccurs="0">
321 <element ref="conf:htaccess"/>
322 <element ref="conf:AccessControl"/>
323 <element ref="conf:AccessControlProvider"/>
325 <choice minOccurs="0" maxOccurs="unbounded">
326 <element ref="conf:Host"/>
327 <element ref="conf:HostRegex"/>
330 <attribute name="applicationId" type="conf:string" fixed="default"/>
331 <attributeGroup ref="conf:ContentSettings"/>
335 <element name="Host">
338 <choice minOccurs="0">
339 <element ref="conf:htaccess"/>
340 <element ref="conf:AccessControl"/>
341 <element ref="conf:AccessControlProvider"/>
343 <choice minOccurs="0" maxOccurs="unbounded">
344 <element ref="conf:Path"/>
345 <element ref="conf:PathRegex"/>
346 <element ref="conf:Query"/>
349 <attribute name="scheme">
351 <restriction base="conf:string">
352 <enumeration value="http"/>
353 <enumeration value="https"/>
354 <enumeration value="ftp"/>
355 <enumeration value="ldap"/>
356 <enumeration value="ldaps"/>
360 <attribute name="name" type="conf:string" use="required"/>
361 <attribute name="port" type="unsignedInt"/>
362 <attribute name="applicationId" type="conf:string"/>
363 <attributeGroup ref="conf:ContentSettings"/>
367 <element name="HostRegex">
370 <choice minOccurs="0">
371 <element ref="conf:htaccess"/>
372 <element ref="conf:AccessControl"/>
373 <element ref="conf:AccessControlProvider"/>
375 <choice minOccurs="0" maxOccurs="unbounded">
376 <element ref="conf:Path"/>
377 <element ref="conf:PathRegex"/>
378 <element ref="conf:Query"/>
381 <attribute name="regex" type="conf:string" use="required"/>
382 <attribute name="ignoreCase" type="boolean"/>
383 <attribute name="applicationId" type="conf:string"/>
384 <attributeGroup ref="conf:ContentSettings"/>
388 <element name="Path">
391 <choice minOccurs="0">
392 <element ref="conf:htaccess"/>
393 <element ref="conf:AccessControl"/>
394 <element ref="conf:AccessControlProvider"/>
396 <choice minOccurs="0" maxOccurs="unbounded">
397 <element ref="conf:Path"/>
398 <element ref="conf:PathRegex"/>
399 <element ref="conf:Query"/>
402 <attribute name="name" type="conf:string" use="required"/>
403 <attribute name="applicationId" type="conf:string"/>
404 <attributeGroup ref="conf:ContentSettings"/>
408 <element name="PathRegex">
411 <choice minOccurs="0">
412 <element ref="conf:htaccess"/>
413 <element ref="conf:AccessControl"/>
414 <element ref="conf:AccessControlProvider"/>
416 <element ref="conf:Query" minOccurs="0" maxOccurs="unbounded"/>
418 <attribute name="regex" type="conf:string" use="required"/>
419 <attribute name="ignoreCase" type="boolean"/>
420 <attribute name="applicationId" type="conf:string"/>
421 <attributeGroup ref="conf:ContentSettings"/>
425 <element name="Query">
428 <choice minOccurs="0">
429 <element ref="conf:htaccess"/>
430 <element ref="conf:AccessControl"/>
431 <element ref="conf:AccessControlProvider"/>
433 <element ref="conf:Query" minOccurs="0" maxOccurs="unbounded"/>
435 <attribute name="name" type="conf:string" use="required"/>
436 <attribute name="regex" type="conf:string"/>
437 <attributeGroup ref="conf:ContentSettings"/>
441 <element name="ApplicationDefaults">
443 <documentation>Container for default settings and application-specific overrides</documentation>
447 <element ref="conf:Sessions"/>
448 <element ref="conf:Errors" minOccurs="0"/>
449 <element ref="conf:RelyingParty" minOccurs="0" maxOccurs="unbounded"/>
450 <element ref="conf:Notify" minOccurs="0" maxOccurs="unbounded"/>
451 <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
452 <element name="MetadataProvider" type="conf:PluggableType"/>
453 <element name="TrustEngine" type="conf:PluggableType"/>
454 <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
455 <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
456 <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
457 <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
458 <element ref="conf:ApplicationOverride" minOccurs="0" maxOccurs="unbounded"/>
460 <attribute name="id" type="conf:string" fixed="default"/>
461 <attribute name="entityID" type="anyURI" use="required"/>
462 <attribute name="policyId" type="conf:string" use="required"/>
463 <attributeGroup ref="conf:ApplicationGroup"/>
464 <attributeGroup ref="conf:RelyingPartyGroup"/>
465 <anyAttribute namespace="##other" processContents="lax"/>
469 <element name="ApplicationOverride">
471 <documentation>Container for application-specific overrides</documentation>
475 <element ref="conf:Sessions" minOccurs="0"/>
476 <element ref="conf:Errors" minOccurs="0"/>
477 <element ref="conf:RelyingParty" minOccurs="0" maxOccurs="unbounded"/>
478 <element ref="conf:Notify" minOccurs="0" maxOccurs="unbounded"/>
479 <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
480 <element name="MetadataProvider" type="conf:PluggableType" minOccurs="0"/>
481 <element name="TrustEngine" type="conf:PluggableType" minOccurs="0"/>
482 <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
483 <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
484 <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
485 <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
487 <attribute name="id" type="conf:string" use="required"/>
488 <attribute name="entityID" type="anyURI"/>
489 <attribute name="policyId" type="conf:string"/>
490 <attributeGroup ref="conf:ApplicationGroup"/>
491 <attributeGroup ref="conf:RelyingPartyGroup"/>
492 <anyAttribute namespace="##other" processContents="lax"/>
496 <attributeGroup name="ApplicationGroup">
497 <attribute name="homeURL" type="anyURI"/>
498 <attribute name="REMOTE_USER" type="conf:listOfStrings"/>
499 <attribute name="unsetHeaders" type="conf:listOfStrings"/>
500 <attribute name="metadataAttributePrefix" type="conf:string"/>
501 <attribute name="attributePrefix" type="conf:string"/>
504 <attributeGroup name="RelyingPartyGroup">
505 <attribute name="authType" type="conf:string"/>
506 <attribute name="authUsername" type="conf:string"/>
507 <attribute name="authPassword" type="conf:string"/>
508 <attribute name="signing" type="conf:bindingBoolean"/>
509 <attribute name="signingAlg" type="anyURI"/>
510 <attribute name="digestAlg" type="anyURI"/>
511 <attribute name="encryption" type="conf:bindingBoolean"/>
512 <attribute name="encryptionAlg" type="anyURI"/>
513 <attribute name="keyName" type="conf:string"/>
514 <attribute name="artifactEndpointIndex" type="unsignedShort"/>
515 <attribute name="chunkedEncoding" type="boolean"/>
516 <attribute name="connectTimeout" type="unsignedShort"/>
517 <attribute name="timeout" type="unsignedShort"/>
518 <attribute name="requireConfidentiality" type="boolean"/>
519 <attribute name="requireTransportAuth" type="boolean"/>
520 <attribute name="requireSignedAssertions" type="boolean"/>
523 <element name="Sessions">
525 <documentation>Container for specifying protocol handlers and session policy</documentation>
528 <choice minOccurs="0" maxOccurs="unbounded">
529 <element ref="conf:SessionInitiator"/>
530 <element ref="conf:LogoutInitiator"/>
531 <element ref="md:AssertionConsumerService"/>
532 <element ref="md:ArtifactResolutionService"/>
533 <element ref="md:SingleLogoutService"/>
534 <element ref="md:ManageNameIDService"/>
535 <element name="Handler">
538 <restriction base="conf:PluggableType">
540 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
542 <attribute name="Location" type="anyURI" use="required"/>
543 <attribute name="acl" type="conf:listOfStrings"/>
544 <anyAttribute namespace="##any" processContents="skip"/>
550 <attribute name="handlerURL" type="anyURI" use="required"/>
551 <attribute name="handlerSSL" type="boolean"/>
552 <attribute name="exportLocation" type="conf:string"/>
553 <attribute name="exportACL" type="conf:listOfStrings"/>
554 <attribute name="cookieName" type="conf:string"/>
555 <attribute name="cookieProps" type="conf:string"/>
556 <attribute name="cookieLifetime" type="unsignedInt"/>
557 <attribute name="idpHistory" type="boolean"/>
558 <attribute name="idpHistoryDays" type="unsignedInt"/>
559 <attribute name="lifetime" type="unsignedInt"/>
560 <attribute name="timeout" type="unsignedInt"/>
561 <attribute name="maxTimeSinceAuthn" type="unsignedInt"/>
562 <attribute name="checkAddress" type="boolean"/>
563 <attribute name="consistentAddress" type="boolean"/>
564 <attribute name="postData" type="conf:string"/>
565 <attribute name="postLimit" type="positiveInteger"/>
566 <attribute name="postTemplate" type="conf:string"/>
567 <attribute name="postExpire" type="boolean"/>
568 <anyAttribute namespace="##other" processContents="lax"/>
572 <attribute name="policyId" type="conf:string">
574 <documentation>Used to reference Policy elements from profile endpoints.</documentation>
578 <element name="SessionInitiator">
580 <documentation>Used to specify handlers that can issue AuthnRequests or perform discovery</documentation>
584 <restriction base="conf:PluggableType">
586 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
588 <attribute name="Location" type="anyURI"/>
589 <attribute name="id" type="conf:string"/>
590 <attribute name="isDefault" type="boolean"/>
591 <attribute name="relayState" type="conf:string"/>
592 <attribute name="entityIDParam" type="conf:string"/>
593 <attribute name="entityID" type="anyURI"/>
594 <attribute name="URL" type="anyURI"/>
595 <attribute name="outgoingBindings" type="conf:listOfURIs"/>
596 <attribute name="template" type="anyURI"/>
597 <attribute name="postArtifact" type="boolean"/>
598 <attribute name="acsByIndex" type="boolean"/>
599 <attribute name="acsIndex" type="unsignedShort"/>
600 <attribute name="defaultACSIndex" type="unsignedShort"/> <!-- deprecated -->
601 <attribute name="isPassive" type="boolean"/>
602 <attribute name="returnOnError" type="boolean"/>
603 <attribute name="forceAuthn" type="boolean"/>
604 <attribute name="authnContextClassRef" type="anyURI"/>
605 <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
606 <attribute name="NameIDFormat" type="anyURI"/>
607 <attribute name="SPNameQualifier" type="conf:string"/>
608 <attribute name="requestDelegation" type="boolean"/>
609 <anyAttribute namespace="##any" processContents="skip"/>
615 <element name="LogoutInitiator">
617 <documentation>Used to specify handlers that can issue LogoutRequests</documentation>
621 <restriction base="conf:PluggableType">
623 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
625 <attribute name="Location" type="anyURI"/>
626 <attribute name="relayState" type="conf:string"/>
627 <attribute name="outgoingBindings" type="conf:listOfURIs"/>
628 <attribute name="template" type="anyURI"/>
629 <attribute name="postArtifact" type="boolean"/>
630 <anyAttribute namespace="##any" processContents="skip"/>
636 <element name="Errors">
638 <documentation>Container for error templates and associated details</documentation>
642 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
644 <attribute name="redirectErrors" type="anyURI"/>
645 <attribute name="session" type="anyURI"/>
646 <attribute name="metadata" type="anyURI"/>
647 <attribute name="access" type="anyURI"/>
648 <attribute name="ssl" type="anyURI"/>
649 <attribute name="localLogout" type="anyURI"/>
650 <attribute name="globalLogout" type="anyURI"/>
651 <attribute name="partialLogout" type="anyURI"/>
652 <attribute name="supportContact" type="conf:string"/>
653 <attribute name="logoLocation" type="anyURI"/>
654 <attribute name="styleSheet" type="anyURI"/>
655 <anyAttribute namespace="##any" processContents="skip"/>
659 <element name="RelyingParty">
661 <documentation>Container for specifying settings to use with particular peers</documentation>
665 <attribute name="Name" type="conf:string" use="required"/>
666 <attributeGroup ref="conf:RelyingPartyGroup"/>
667 <attribute name="entityID" type="anyURI"/>
668 <anyAttribute namespace="##other" processContents="lax"/>
672 <element name="Notify">
674 <documentation>Used to specify locations to receive application notifications</documentation>
678 <attribute name="Channel" use="required">
680 <restriction base="string">
681 <enumeration value="front"/>
682 <enumeration value="back"/>
686 <attribute name="Location" type="anyURI" use="required"/>
687 <anyAttribute namespace="##any" processContents="skip"/>
691 <element name="SecurityPolicies">
693 <documentation>Container for specifying sets of policy rules to apply to incoming messages</documentation>
697 <element name="Policy" minOccurs="1" maxOccurs="unbounded">
699 <documentation>Specifies a set of SecurityPolicyRule plugins</documentation>
703 <element name="Rule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
704 <element name="PolicyRule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
706 <attribute name="id" type="conf:string" use="required"/>
707 <attribute name="validate" type="boolean"/>
708 <anyAttribute namespace="##any" processContents="skip"/>
715 <element name="TransportOption">
717 <documentation>Implementation-specific option to pass to SOAPTransport provider.</documentation>
721 <extension base="anySimpleType">
722 <attribute name="provider" type="conf:string" use="required"/>
723 <attribute name="option" type="conf:string" use="required"/>
projects / shibboleth / cpp-sp.git / blob