1 <?xml version="1.0" encoding="US-ASCII"?>
2 <schema targetNamespace="urn:mace:shibboleth:2.0:native:sp:config"
3 xmlns="http://www.w3.org/2001/XMLSchema"
4 xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
5 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
6 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
7 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
8 elementFormDefault="qualified"
9 attributeFormDefault="unqualified"
10 blockDefault="substitution"
13 <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>
14 <import namespace="urn:oasis:names:tc:SAML:2.0:protocol" schemaLocation="saml-schema-protocol-2.0.xsd"/>
15 <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
19 2.0 schema for XML-based configuration of Shibboleth Native SP instances.
20 First appearing in Shibboleth 2.0 release.
24 <simpleType name="string">
25 <restriction base="string">
26 <minLength value="1"/>
30 <simpleType name="listOfStrings">
31 <list itemType="conf:string"/>
34 <simpleType name="listOfURIs">
35 <list itemType="anyURI"/>
38 <simpleType name="bindingBoolean">
39 <restriction base="string">
40 <enumeration value="true"/>
41 <enumeration value="false"/>
42 <enumeration value="front"/>
43 <enumeration value="back"/>
47 <complexType name="PluggableType">
49 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
51 <attribute name="type" type="conf:string" use="required"/>
52 <anyAttribute namespace="##any" processContents="skip"/>
55 <element name="SPConfig">
58 <documentation>Root of configuration</documentation>
61 <element ref="conf:Extensions" minOccurs="0"/>
62 <element ref="conf:OutOfProcess"/>
63 <element ref="conf:InProcess"/>
64 <choice minOccurs="0">
65 <element name="UnixListener">
67 <attribute name="address" type="conf:string" use="required"/>
70 <element name="TCPListener">
72 <attribute name="address" type="conf:string" use="required"/>
73 <attribute name="port" type="unsignedInt" use="required"/>
74 <attribute name="acl" type="conf:listOfStrings"/>
77 <element name="Listener" type="conf:PluggableType"/>
79 <element ref="conf:StorageService" minOccurs="0" maxOccurs="unbounded"/>
80 <element ref="conf:SessionCache" minOccurs="0"/>
81 <element ref="conf:ReplayCache" minOccurs="0"/>
82 <element ref="conf:ArtifactMap" minOccurs="0"/>
83 <element name="RequestMapper" type="conf:PluggableType" minOccurs="0"/>
84 <element ref="conf:ApplicationDefaults"/>
85 <element ref="conf:SecurityPolicies"/>
86 <element ref="conf:TransportOption" minOccurs="0" maxOccurs="unbounded"/>
88 <attribute name="logger" type="anyURI"/>
89 <attribute name="clockSkew" type="unsignedInt"/>
90 <attribute name="unsafeChars" type="conf:string"/>
91 <attribute name="allowedSchemes" type="conf:listOfStrings"/>
92 <anyAttribute namespace="##other" processContents="lax"/>
96 <element name="Extensions">
98 <documentation>Container for extension libraries and custom configuration</documentation>
102 <element name="Library" minOccurs="0" maxOccurs="unbounded">
105 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
107 <attribute name="path" type="anyURI" use="required"/>
108 <attribute name="fatal" type="boolean"/>
109 <anyAttribute namespace="##any" processContents="skip"/>
112 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
117 <element name="StorageService">
119 <documentation>References StorageService plugins</documentation>
123 <restriction base="conf:PluggableType">
125 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
127 <attribute name="id" type="ID" use="required"/>
128 <attribute name="cleanupInterval" type="unsignedInt"/>
129 <anyAttribute namespace="##any" processContents="skip"/>
135 <element name="SessionCache">
137 <documentation>References SessionCache plugins</documentation>
141 <restriction base="conf:PluggableType">
143 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
145 <attribute name="StorageService" type="IDREF"/>
146 <attribute name="cacheTimeout" type="unsignedInt"/>
147 <anyAttribute namespace="##any" processContents="skip"/>
153 <element name="ReplayCache">
155 <documentation>Ties ReplayCache to a custom StorageService</documentation>
159 <attribute name="StorageService" type="IDREF" use="required"/>
163 <element name="ArtifactMap">
165 <documentation>Customizes an ArtifactMap</documentation>
169 <attribute name="StorageService" type="IDREF"/>
170 <attribute name="context" type="conf:string"/>
171 <attribute name="artifactTTL" type="unsignedInt"/>
175 <element name="OutOfProcess">
177 <documentation>Container for out-of-process (shibd) configuration</documentation>
181 <element ref="conf:Extensions" minOccurs="0"/>
182 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
184 <attribute name="logger" type="anyURI"/>
185 <attribute name="catchAll" type="boolean"/>
186 <anyAttribute namespace="##other" processContents="lax"/>
190 <element name="InProcess">
193 Container for configuration of locally integrated or platform-specific
194 features (e.g. web server filters)
199 <element ref="conf:Extensions" minOccurs="0"/>
200 <element ref="conf:ISAPI" minOccurs="0"/>
201 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
203 <attribute name="logger" type="anyURI"/>
204 <attribute name="unsetHeaderValue" type="conf:string"/>
205 <attribute name="checkSpoofing" type="boolean"/>
206 <attribute name="spoofKey" type="conf:string"/>
207 <attribute name="catchAll" type="boolean"/>
208 <anyAttribute namespace="##other" processContents="lax"/>
212 <element name="ISAPI">
215 <element name="Site" maxOccurs="unbounded">
218 <element name="Alias" type="string" minOccurs="0" maxOccurs="unbounded"/>
220 <attribute name="id" type="unsignedInt" use="required"/>
221 <attribute name="name" type="conf:string" use="required"/>
222 <attribute name="port" type="unsignedInt"/>
223 <attribute name="sslport" type="unsignedInt"/>
224 <attribute name="scheme" type="conf:string"/>
227 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
229 <attribute name="normalizeRequest" type="boolean"/>
230 <attribute name="safeHeaderNames" type="boolean"/>
231 <anyAttribute namespace="##other" processContents="lax"/>
235 <element name="AccessControl" type="conf:UniOperatorType">
238 A simple example access policy language extension that supersedes Apache .htaccess
242 <element name="OR" type="conf:MultiOperatorType"/>
243 <element name="AND" type="conf:MultiOperatorType"/>
244 <element name="NOT" type="conf:UniOperatorType"/>
245 <complexType name="UniOperatorType">
247 <element ref="conf:AND"/>
248 <element ref="conf:OR"/>
249 <element ref="conf:NOT"/>
250 <element ref="conf:Rule"/>
251 <element ref="conf:RuleRegex"/>
254 <complexType name="MultiOperatorType">
255 <choice minOccurs="2" maxOccurs="unbounded">
256 <element ref="conf:AND"/>
257 <element ref="conf:OR"/>
258 <element ref="conf:NOT"/>
259 <element ref="conf:Rule"/>
260 <element ref="conf:RuleRegex"/>
263 <element name="Rule">
266 <extension base="conf:listOfStrings">
267 <attribute name="require" type="conf:string" use="required"/>
268 <attribute name="list" type="boolean"/>
273 <element name="RuleRegex">
276 <extension base="conf:string">
277 <attribute name="require" type="conf:string" use="required"/>
278 <attribute name="ignoreCase" type="boolean"/>
284 <attributeGroup name="ContentSettings">
285 <attribute name="authType" type="conf:string"/>
286 <attribute name="requireSession" type="boolean"/>
287 <attribute name="requireSessionWith" type="conf:string"/>
288 <attribute name="exportAssertion" type="boolean"/>
289 <attribute name="redirectToSSL" type="unsignedInt"/>
290 <attribute name="entityID" type="anyURI"/>
291 <attribute name="discoveryURL" type="anyURI"/>
292 <attribute name="isPassive" type="boolean"/>
293 <attribute name="forceAuthn" type="boolean"/>
294 <attribute name="authnContextClassRef" type="anyURI"/>
295 <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
296 <attribute name="NameIDFormat" type="anyURI"/>
297 <attribute name="SPNameQualifier" type="conf:string"/>
298 <attribute name="redirectErrors" type="anyURI"/>
299 <attribute name="sessionError" type="anyURI"/>
300 <attribute name="metadataError" type="anyURI"/>
301 <attribute name="accessError" type="anyURI"/>
302 <attribute name="sslError" type="anyURI"/>
303 <attribute name="REMOTE_ADDR" type="conf:string"/>
304 <anyAttribute namespace="##other" processContents="lax"/>
306 <element name="AccessControlProvider" type="conf:PluggableType"/>
307 <element name="htaccess" type="conf:PluggableType"/>
309 <element name="RequestMap">
312 Built-in request mapping syntax, decomposes URLs into Host/Path/Path/...
317 <choice minOccurs="0">
318 <element ref="conf:htaccess"/>
319 <element ref="conf:AccessControl"/>
320 <element ref="conf:AccessControlProvider"/>
322 <choice minOccurs="0" maxOccurs="unbounded">
323 <element ref="conf:Host"/>
324 <element ref="conf:HostRegex"/>
327 <attribute name="applicationId" type="conf:string" fixed="default"/>
328 <attributeGroup ref="conf:ContentSettings"/>
332 <element name="Host">
335 <choice minOccurs="0">
336 <element ref="conf:htaccess"/>
337 <element ref="conf:AccessControl"/>
338 <element ref="conf:AccessControlProvider"/>
340 <choice minOccurs="0" maxOccurs="unbounded">
341 <element ref="conf:Path"/>
342 <element ref="conf:PathRegex"/>
343 <element ref="conf:Query"/>
346 <attribute name="scheme">
348 <restriction base="conf:string">
349 <enumeration value="http"/>
350 <enumeration value="https"/>
351 <enumeration value="ftp"/>
352 <enumeration value="ldap"/>
353 <enumeration value="ldaps"/>
357 <attribute name="name" type="conf:string" use="required"/>
358 <attribute name="port" type="unsignedInt"/>
359 <attribute name="applicationId" type="conf:string"/>
360 <attributeGroup ref="conf:ContentSettings"/>
364 <element name="HostRegex">
367 <choice minOccurs="0">
368 <element ref="conf:htaccess"/>
369 <element ref="conf:AccessControl"/>
370 <element ref="conf:AccessControlProvider"/>
372 <choice minOccurs="0" maxOccurs="unbounded">
373 <element ref="conf:Path"/>
374 <element ref="conf:PathRegex"/>
375 <element ref="conf:Query"/>
378 <attribute name="regex" type="conf:string" use="required"/>
379 <attribute name="ignoreCase" type="boolean"/>
380 <attribute name="applicationId" type="conf:string"/>
381 <attributeGroup ref="conf:ContentSettings"/>
385 <element name="Path">
388 <choice minOccurs="0">
389 <element ref="conf:htaccess"/>
390 <element ref="conf:AccessControl"/>
391 <element ref="conf:AccessControlProvider"/>
393 <choice minOccurs="0" maxOccurs="unbounded">
394 <element ref="conf:Path"/>
395 <element ref="conf:PathRegex"/>
396 <element ref="conf:Query"/>
399 <attribute name="name" type="conf:string" use="required"/>
400 <attribute name="applicationId" type="conf:string"/>
401 <attributeGroup ref="conf:ContentSettings"/>
405 <element name="PathRegex">
408 <choice minOccurs="0">
409 <element ref="conf:htaccess"/>
410 <element ref="conf:AccessControl"/>
411 <element ref="conf:AccessControlProvider"/>
413 <element ref="conf:Query" minOccurs="0" maxOccurs="unbounded"/>
415 <attribute name="regex" type="conf:string" use="required"/>
416 <attribute name="ignoreCase" type="boolean"/>
417 <attribute name="applicationId" type="conf:string"/>
418 <attributeGroup ref="conf:ContentSettings"/>
422 <element name="Query">
425 <choice minOccurs="0">
426 <element ref="conf:htaccess"/>
427 <element ref="conf:AccessControl"/>
428 <element ref="conf:AccessControlProvider"/>
430 <element ref="conf:Query" minOccurs="0" maxOccurs="unbounded"/>
432 <attribute name="name" type="conf:string" use="required"/>
433 <attribute name="regex" type="conf:string"/>
434 <attributeGroup ref="conf:ContentSettings"/>
438 <element name="ApplicationDefaults">
440 <documentation>Container for default settings and application-specific overrides</documentation>
444 <element ref="conf:Sessions"/>
445 <element ref="conf:Errors" minOccurs="0"/>
446 <element ref="conf:RelyingParty" minOccurs="0" maxOccurs="unbounded"/>
447 <element ref="conf:Notify" minOccurs="0" maxOccurs="unbounded"/>
448 <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
449 <element name="MetadataProvider" type="conf:PluggableType"/>
450 <element name="TrustEngine" type="conf:PluggableType"/>
451 <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
452 <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
453 <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
454 <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
455 <element ref="conf:ApplicationOverride" minOccurs="0" maxOccurs="unbounded"/>
457 <attribute name="id" type="conf:string" fixed="default"/>
458 <attribute name="entityID" type="anyURI" use="required"/>
459 <attribute name="policyId" type="conf:string" use="required"/>
460 <attributeGroup ref="conf:ApplicationGroup"/>
461 <attributeGroup ref="conf:RelyingPartyGroup"/>
462 <anyAttribute namespace="##other" processContents="lax"/>
466 <element name="ApplicationOverride">
468 <documentation>Container for application-specific overrides</documentation>
472 <element ref="conf:Sessions" minOccurs="0"/>
473 <element ref="conf:Errors" minOccurs="0"/>
474 <element ref="conf:RelyingParty" minOccurs="0" maxOccurs="unbounded"/>
475 <element ref="conf:Notify" minOccurs="0" maxOccurs="unbounded"/>
476 <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
477 <element name="MetadataProvider" type="conf:PluggableType" minOccurs="0"/>
478 <element name="TrustEngine" type="conf:PluggableType" minOccurs="0"/>
479 <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
480 <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
481 <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
482 <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
484 <attribute name="id" type="conf:string" use="required"/>
485 <attribute name="entityID" type="anyURI"/>
486 <attribute name="policyId" type="conf:string"/>
487 <attributeGroup ref="conf:ApplicationGroup"/>
488 <attributeGroup ref="conf:RelyingPartyGroup"/>
489 <anyAttribute namespace="##other" processContents="lax"/>
493 <attributeGroup name="ApplicationGroup">
494 <attribute name="homeURL" type="anyURI"/>
495 <attribute name="REMOTE_USER" type="conf:listOfStrings"/>
496 <attribute name="unsetHeaders" type="conf:listOfStrings"/>
497 <attribute name="metadataAttributePrefix" type="conf:string"/>
498 <attribute name="attributePrefix" type="conf:string"/>
501 <attributeGroup name="RelyingPartyGroup">
502 <attribute name="authType" type="conf:string"/>
503 <attribute name="authUsername" type="conf:string"/>
504 <attribute name="authPassword" type="conf:string"/>
505 <attribute name="signing" type="conf:bindingBoolean"/>
506 <attribute name="signingAlg" type="anyURI"/>
507 <attribute name="digestAlg" type="anyURI"/>
508 <attribute name="encryption" type="conf:bindingBoolean"/>
509 <attribute name="encryptionAlg" type="anyURI"/>
510 <attribute name="keyName" type="conf:string"/>
511 <attribute name="artifactEndpointIndex" type="unsignedShort"/>
512 <attribute name="chunkedEncoding" type="boolean"/>
513 <attribute name="connectTimeout" type="unsignedShort"/>
514 <attribute name="timeout" type="unsignedShort"/>
515 <attribute name="requireConfidentiality" type="boolean"/>
516 <attribute name="requireTransportAuth" type="boolean"/>
517 <attribute name="requireSignedAssertions" type="boolean"/>
520 <element name="Sessions">
522 <documentation>Container for specifying protocol handlers and session policy</documentation>
525 <choice minOccurs="0" maxOccurs="unbounded">
526 <element ref="conf:SessionInitiator"/>
527 <element ref="conf:LogoutInitiator"/>
528 <element ref="md:AssertionConsumerService"/>
529 <element ref="md:ArtifactResolutionService"/>
530 <element ref="md:SingleLogoutService"/>
531 <element ref="md:ManageNameIDService"/>
532 <element name="Handler">
535 <restriction base="conf:PluggableType">
537 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
539 <attribute name="Location" type="anyURI" use="required"/>
540 <attribute name="acl" type="conf:listOfStrings"/>
541 <anyAttribute namespace="##any" processContents="skip"/>
547 <attribute name="handlerURL" type="anyURI" use="required"/>
548 <attribute name="handlerSSL" type="boolean"/>
549 <attribute name="exportLocation" type="conf:string"/>
550 <attribute name="exportACL" type="conf:listOfStrings"/>
551 <attribute name="cookieName" type="conf:string"/>
552 <attribute name="cookieProps" type="conf:string"/>
553 <attribute name="cookieLifetime" type="unsignedInt"/>
554 <attribute name="idpHistory" type="boolean"/>
555 <attribute name="idpHistoryDays" type="unsignedInt"/>
556 <attribute name="lifetime" type="unsignedInt"/>
557 <attribute name="timeout" type="unsignedInt"/>
558 <attribute name="maxTimeSinceAuthn" type="unsignedInt"/>
559 <attribute name="checkAddress" type="boolean"/>
560 <attribute name="consistentAddress" type="boolean"/>
561 <attribute name="postData" type="conf:string"/>
562 <attribute name="postLimit" type="positiveInteger"/>
563 <attribute name="postTemplate" type="conf:string"/>
564 <attribute name="postExpire" type="boolean"/>
565 <anyAttribute namespace="##other" processContents="lax"/>
569 <attribute name="policyId" type="conf:string">
571 <documentation>Used to reference Policy elements from profile endpoints.</documentation>
575 <element name="SessionInitiator">
577 <documentation>Used to specify handlers that can issue AuthnRequests or perform discovery</documentation>
581 <restriction base="conf:PluggableType">
583 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
585 <attribute name="Location" type="anyURI"/>
586 <attribute name="id" type="conf:string"/>
587 <attribute name="isDefault" type="boolean"/>
588 <attribute name="relayState" type="conf:string"/>
589 <attribute name="entityIDParam" type="conf:string"/>
590 <attribute name="entityID" type="anyURI"/>
591 <attribute name="URL" type="anyURI"/>
592 <attribute name="outgoingBindings" type="conf:listOfURIs"/>
593 <attribute name="template" type="anyURI"/>
594 <attribute name="postArtifact" type="boolean"/>
595 <attribute name="acsByIndex" type="boolean"/>
596 <attribute name="acsIndex" type="unsignedShort"/>
597 <attribute name="defaultACSIndex" type="unsignedShort"/> <!-- deprecated -->
598 <attribute name="isPassive" type="boolean"/>
599 <attribute name="forceAuthn" type="boolean"/>
600 <attribute name="authnContextClassRef" type="anyURI"/>
601 <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
602 <attribute name="NameIDFormat" type="anyURI"/>
603 <attribute name="SPNameQualifier" type="conf:string"/>
604 <attribute name="requestDelegation" type="boolean"/>
605 <anyAttribute namespace="##any" processContents="skip"/>
611 <element name="LogoutInitiator">
613 <documentation>Used to specify handlers that can issue LogoutRequests</documentation>
617 <restriction base="conf:PluggableType">
619 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
621 <attribute name="Location" type="anyURI"/>
622 <attribute name="relayState" type="conf:string"/>
623 <attribute name="outgoingBindings" type="conf:listOfURIs"/>
624 <attribute name="template" type="anyURI"/>
625 <attribute name="postArtifact" type="boolean"/>
626 <anyAttribute namespace="##any" processContents="skip"/>
632 <element name="Errors">
634 <documentation>Container for error templates and associated details</documentation>
638 <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
640 <attribute name="redirectErrors" type="anyURI"/>
641 <attribute name="session" type="anyURI"/>
642 <attribute name="metadata" type="anyURI"/>
643 <attribute name="access" type="anyURI"/>
644 <attribute name="ssl" type="anyURI"/>
645 <attribute name="localLogout" type="anyURI"/>
646 <attribute name="globalLogout" type="anyURI"/>
647 <attribute name="partialLogout" type="anyURI"/>
648 <attribute name="supportContact" type="conf:string"/>
649 <attribute name="logoLocation" type="anyURI"/>
650 <attribute name="styleSheet" type="anyURI"/>
651 <anyAttribute namespace="##any" processContents="skip"/>
655 <element name="RelyingParty">
657 <documentation>Container for specifying settings to use with particular peers</documentation>
661 <attribute name="Name" type="conf:string" use="required"/>
662 <attributeGroup ref="conf:RelyingPartyGroup"/>
663 <attribute name="entityID" type="anyURI"/>
664 <anyAttribute namespace="##other" processContents="lax"/>
668 <element name="Notify">
670 <documentation>Used to specify locations to receive application notifications</documentation>
674 <attribute name="Channel" use="required">
676 <restriction base="string">
677 <enumeration value="front"/>
678 <enumeration value="back"/>
682 <attribute name="Location" type="anyURI" use="required"/>
683 <anyAttribute namespace="##any" processContents="skip"/>
687 <element name="SecurityPolicies">
689 <documentation>Container for specifying sets of policy rules to apply to incoming messages</documentation>
693 <element name="Policy" minOccurs="1" maxOccurs="unbounded">
695 <documentation>Specifies a set of SecurityPolicyRule plugins</documentation>
699 <element name="Rule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
700 <element name="PolicyRule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
702 <attribute name="id" type="conf:string" use="required"/>
703 <attribute name="validate" type="boolean"/>
704 <anyAttribute namespace="##any" processContents="skip"/>
711 <element name="TransportOption">
713 <documentation>Implementation-specific option to pass to SOAPTransport provider.</documentation>
717 <extension base="anySimpleType">
718 <attribute name="provider" type="conf:string" use="required"/>
719 <attribute name="option" type="conf:string" use="required"/>