1 <?xml version="1.0" encoding="US-ASCII"?>
2 <schema targetNamespace="urn:mace:shibboleth:target:config:1.0"
3 xmlns="http://www.w3.org/2001/XMLSchema"
4 xmlns:conf="urn:mace:shibboleth:target:config:1.0"
5 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
6 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
7 elementFormDefault="qualified"
8 attributeFormDefault="unqualified"
9 blockDefault="substitution"
12 <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="cs-sstc-schema-assertion-1.1.xsd"/>
13 <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
17 1.0 schema for XML-based configuration of Shibboleth target libraries and modules.
18 First appearing in Shibboleth 1.2 release.
22 <complexType name="PluggableType">
24 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
26 <attribute name="type" type="string" use="required"/>
27 <attribute name="uri" type="anyURI" use="optional"/>
28 <anyAttribute namespace="##any" processContents="lax"/>
31 <element name="ShibbolethTargetConfig" type="conf:SPConfigType"/>
32 <element name="SPConfig" type="conf:SPConfigType"/>
33 <complexType name="SPConfigType">
35 <documentation>Root element of configuration file</documentation>
38 <element ref="conf:Extensions" minOccurs="0"/>
39 <choice minOccurs="0">
40 <element name="Global" type="conf:GlobalConfigurationType"/>
41 <element name="SHAR" type="conf:GlobalConfigurationType"/>
43 <choice minOccurs="0">
44 <element name="Local" type="conf:LocalConfigurationType"/>
45 <element name="SHIRE" type="conf:LocalConfigurationType"/>
47 <element ref="conf:Applications"/>
48 <element name="CredentialsProvider" type="conf:PluggableType" minOccurs="0" maxOccurs="unbounded"/>
49 <element ref="conf:AttributeFactory" minOccurs="0" maxOccurs="unbounded"/>
51 <attribute name="logger" type="anyURI" use="optional"/>
52 <attribute name="clockSkew" type="unsignedInt" use="optional"/>
53 <anyAttribute namespace="##other" processContents="lax"/>
56 <element name="Extensions">
58 <documentation>Container for extension libraries and custom configuration</documentation>
62 <element name="Library" minOccurs="0" maxOccurs="unbounded">
65 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
67 <attribute name="path" type="anyURI" use="required"/>
68 <attribute name="fatal" type="boolean" use="optional"/>
69 <anyAttribute namespace="##other" processContents="lax"/>
72 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
77 <complexType name="GlobalConfigurationType">
79 <documentation>Container for global (server independent) configuration</documentation>
82 <element ref="conf:Extensions" minOccurs="0"/>
84 <element name="UnixListener">
86 <attribute name="address" type="string" use="required"/>
89 <element name="TCPListener">
91 <attribute name="address" type="string" use="required"/>
92 <attribute name="port" type="unsignedInt" use="required"/>
93 <attribute name="acl" use="optional" default="127.0.0.1">
95 <list itemType="string"/>
100 <element name="MemoryListener" type="conf:PluggableType"/>
101 <element name="Listener" type="conf:PluggableType"/>
104 <element name="MemorySessionCache">
106 <attributeGroup ref="conf:SessionCacheProperties"/>
107 <anyAttribute namespace="##other" processContents="lax"/>
110 <element name="MySQLSessionCache">
113 <element name="Argument" type="string" minOccurs="0" maxOccurs="unbounded"/>
115 <attributeGroup ref="conf:SessionCacheProperties"/>
116 <attribute name="mysqlTimeout" type="unsignedInt" use="optional" default="14400"/>
117 <attribute name="storeAttributes" type="boolean" use="optional" default="false"/>
118 <anyAttribute namespace="##other" processContents="lax"/>
121 <element name="SessionCache">
124 <extension base="conf:PluggableType">
125 <attributeGroup ref="conf:SessionCacheProperties"/>
131 <choice minOccurs="0">
132 <element name="MySQLReplayCache">
135 <element name="Argument" type="string" minOccurs="0" maxOccurs="unbounded"/>
137 <anyAttribute namespace="##other" processContents="lax"/>
140 <element name="ReplayCache" type="conf:PluggableType"/>
142 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
144 <attribute name="logger" type="anyURI" use="optional"/>
145 <anyAttribute namespace="##other" processContents="lax"/>
148 <attributeGroup name="SessionCacheProperties">
149 <attribute name="cleanupInterval" type="unsignedInt" use="optional" default="300"/>
150 <attribute name="cacheTimeout" type="unsignedInt" use="optional" default="28800"/>
151 <attribute name="AAConnectTimeout" type="unsignedInt" use="optional" default="15"/>
152 <attribute name="AATimeout" type="unsignedInt" use="optional" default="30"/>
153 <attribute name="defaultLifetime" type="unsignedInt" use="optional" default="1800"/>
154 <attribute name="retryInterval" type="unsignedInt" use="optional" default="300"/>
155 <attribute name="strictValidity" type="boolean" use="optional" default="true"/>
156 <attribute name="propagateErrors" type="boolean" use="optional" default="false"/>
159 <complexType name="LocalConfigurationType">
162 Container for configuration of locally integrated or platform-specific
163 features (e.g. web server filters)
167 <element ref="conf:Extensions" minOccurs="0"/>
168 <element name="RequestMapProvider" type="conf:PluggableType" minOccurs="0"/>
169 <element name="Implementation" minOccurs="0">
171 <choice maxOccurs="unbounded">
172 <element ref="conf:ISAPI"/>
173 <any namespace="##other" processContents="lax"/>
177 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
179 <attribute name="logger" type="anyURI" use="optional"/>
180 <attribute name="localRelayState" type="boolean" use="optional" default="false"/>
181 <attribute name="unsetHeaderValue" type="string" use="optional"/>
182 <anyAttribute namespace="##other" processContents="lax"/>
185 <element name="ISAPI">
188 <element name="Site" maxOccurs="unbounded">
191 <element name="Alias" type="string" minOccurs="0" maxOccurs="unbounded"/>
193 <attribute name="id" type="unsignedInt" use="required"/>
194 <attribute name="name" type="string" use="required"/>
195 <attribute name="port" type="unsignedInt" use="optional"/>
196 <attribute name="sslport" type="unsignedInt" use="optional"/>
197 <attribute name="scheme" type="string" use="optional"/>
200 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
202 <attribute name="normalizeRequest" type="boolean" use="optional"/>
203 <anyAttribute namespace="##other" processContents="lax"/>
206 <element name="NSAPI" type="anyType"/>
207 <element name="Java" type="anyType"/>
209 <element name="AccessControl" type="conf:UniOperatorType">
212 A simple example access policy language extension that supersedes Apache .htaccess
216 <element name="OR" type="conf:MultiOperatorType"/>
217 <element name="AND" type="conf:MultiOperatorType"/>
218 <element name="NOT" type="conf:UniOperatorType"/>
219 <complexType name="UniOperatorType">
221 <element ref="conf:AND"/>
222 <element ref="conf:OR"/>
223 <element ref="conf:NOT"/>
224 <element ref="conf:Rule"/>
227 <complexType name="MultiOperatorType">
228 <choice minOccurs="2" maxOccurs="unbounded">
229 <element ref="conf:AND"/>
230 <element ref="conf:OR"/>
231 <element ref="conf:NOT"/>
232 <element ref="conf:Rule"/>
235 <element name="Rule">
238 <extension base="conf:listOfStrings">
239 <attribute name="require" type="string" use="required"/>
244 <simpleType name="listOfStrings">
245 <list itemType="string"/>
248 <attributeGroup name="ContentSettings">
249 <attribute name="authType" type="string" use="optional"/>
250 <attribute name="requireSession" type="boolean" use="optional"/>
251 <attribute name="requireSessionWith" type="string" use="optional"/>
252 <attribute name="exportAssertion" type="boolean" use="optional"/>
253 <attribute name="redirectToSSL" type="unsignedInt" use="optional"/>
254 <anyAttribute namespace="##other" processContents="lax"/>
256 <element name="AccessControlProvider" type="conf:PluggableType"/>
257 <element name="htaccess" type="conf:PluggableType"/>
259 <element name="RequestMap">
262 Built-in request mapping syntax, decomposes URLs into Host/Path/Path/...
267 <choice minOccurs="0">
268 <element ref="conf:htaccess"/>
269 <element ref="conf:AccessControl"/>
270 <element ref="conf:AccessControlProvider"/>
272 <element ref="conf:Host" minOccurs="0" maxOccurs="unbounded"/>
274 <attribute name="applicationId" type="string" fixed="default"/>
275 <attributeGroup ref="conf:ContentSettings"/>
279 <element name="Host">
282 <choice minOccurs="0">
283 <element ref="conf:htaccess"/>
284 <element ref="conf:AccessControl"/>
285 <element ref="conf:AccessControlProvider"/>
287 <element ref="conf:Path" minOccurs="0" maxOccurs="unbounded"/>
289 <attribute name="scheme" use="optional">
291 <restriction base="string">
292 <enumeration value="http"/>
293 <enumeration value="https"/>
294 <enumeration value="ftp"/>
295 <enumeration value="ldap"/>
296 <enumeration value="ldaps"/>
300 <attribute name="name" type="string" use="required"/>
301 <attribute name="port" type="unsignedInt" use="optional"/>
302 <attribute name="applicationId" type="string" use="optional"/>
303 <attributeGroup ref="conf:ContentSettings"/>
307 <element name="Path">
310 <choice minOccurs="0">
311 <element ref="conf:htaccess"/>
312 <element ref="conf:AccessControl"/>
313 <element ref="conf:AccessControlProvider"/>
315 <element ref="conf:Path" minOccurs="0" maxOccurs="unbounded"/>
317 <attribute name="name" type="string" use="required"/>
318 <attribute name="applicationId" type="string" use="optional"/>
319 <attributeGroup ref="conf:ContentSettings"/>
323 <element name="Applications">
325 <documentation>Container for global target settings and application-specific overrides</documentation>
329 <element ref="conf:Sessions"/>
330 <element ref="conf:Errors"/>
331 <element ref="conf:CredentialUse" minOccurs="0"/>
332 <choice minOccurs="0" maxOccurs="unbounded">
333 <element ref="saml:AttributeDesignator"/>
334 <element ref="saml:Audience"/>
335 <element name="AAPProvider" type="conf:PluggableType"/>
336 <!-- deprecated --> <element name="FederationProvider" type="conf:PluggableType"/>
337 <element name="MetadataProvider" type="conf:PluggableType"/>
338 <element name="TrustProvider" type="conf:PluggableType"/>
340 <element ref="conf:Application" minOccurs="0" maxOccurs="unbounded"/>
342 <attribute name="id" type="string" fixed="default"/>
343 <attribute name="providerId" type="anyURI" use="required"/>
344 <attribute name="homeURL" type="anyURI" use="optional"/>
345 <anyAttribute namespace="##other" processContents="lax"/>
349 <element name="Application">
351 <documentation>Container for application-specific overrides</documentation>
355 <element ref="conf:Sessions" minOccurs="0"/>
356 <element ref="conf:Errors" minOccurs="0"/>
357 <element ref="conf:CredentialUse" minOccurs="0"/>
358 <choice minOccurs="0" maxOccurs="unbounded">
359 <element ref="saml:AttributeDesignator"/>
360 <element ref="saml:Audience"/>
361 <element name="AAPProvider" type="conf:PluggableType"/>
362 <!-- deprecated --> <element name="FederationProvider" type="conf:PluggableType"/>
363 <element name="MetadataProvider" type="conf:PluggableType"/>
364 <element name="TrustProvider" type="conf:PluggableType"/>
367 <attribute name="id" type="string" use="required"/>
368 <attribute name="providerId" type="anyURI" use="optional"/>
369 <attribute name="homeURL" type="anyURI" use="optional"/>
370 <anyAttribute namespace="##other" processContents="lax"/>
374 <element name="KeyInfoResolver" type="conf:PluggableType">
377 Custom plug-in that resolves ds:KeyInfo elements into public keys, used in
378 TrustProvider elements.
383 <element name="Sessions">
385 <documentation>Container for specifying app session establishment and policy</documentation>
388 <choice minOccurs="0" maxOccurs="unbounded">
389 <element ref="conf:SessionInitiator"/>
390 <element ref="md:AssertionConsumerService"/>
391 <element ref="md:SingleLogoutService"/>
392 <element ref="conf:DiagnosticService"/>
393 <element name="ExtensionService" type="conf:PluggableType"/>
395 <!-- deprecated --> <attribute name="wayfURL" type="anyURI" use="optional"/>
396 <!-- deprecated --> <attribute name="shireURL" type="anyURI" use="optional"/>
397 <!-- deprecated --> <attribute name="shireSSL" type="boolean" use="optional"/>
398 <attribute name="handlerURL" type="anyURI" use="optional"/>
399 <attribute name="handlerSSL" type="boolean" use="optional" default="true"/>
400 <attribute name="cookieName" type="string" use="optional"/>
401 <attribute name="cookieProps" type="string" use="optional"/>
402 <attribute name="idpHistory" type="boolean" use="optional" default="true"/>
403 <attribute name="idpHistoryDays" type="unsignedInt" use="optional"/>
404 <attribute name="lifetime" type="unsignedInt" use="optional"/>
405 <attribute name="timeout" type="unsignedInt" use="optional"/>
406 <attribute name="checkAddress" type="boolean" use="optional"/>
407 <attribute name="consistentAddress" type="boolean" use="optional" default="true"/>
408 <attribute name="checkReplay" type="boolean" use="optional" default="true"/>
409 <anyAttribute namespace="##other" processContents="lax"/>
412 <element name="SessionInitiator">
414 <documentation>Used to specify WAYF/Discovery services (external or internal)</documentation>
418 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
420 <attribute name="Location" type="anyURI" use="required"/>
421 <attribute name="Binding" type="anyURI" use="required"/>
422 <attribute name="wayfURL" type="anyURI" use="optional"/>
423 <attribute name="wayfBinding" type="anyURI" use="optional"/>
424 <attribute name="checkCDC" type="anyURI" use="optional"/>
425 <attribute name="isDefault" type="boolean" use="optional"/>
426 <attribute name="id" type="string" use="optional"/>
427 <anyAttribute namespace="##any" processContents="lax"/>
430 <element name="DiagnosticService">
432 <documentation>Used to specify internal diagnostic capabilities</documentation>
436 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
438 <attribute name="Location" type="anyURI" use="required"/>
439 <attribute name="Binding" type="anyURI" use="required"/>
440 <attribute name="echo" type="boolean" use="optional"/>
441 <attribute name="log" type="boolean" use="optional"/>
442 <attribute name="config" type="boolean" use="optional"/>
443 <attribute name="acl" use="optional">
445 <list itemType="string"/>
448 <anyAttribute namespace="##any" processContents="lax"/>
452 <element name="Errors">
454 <documentation>Container for error templates and associated details</documentation>
458 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
460 <!-- deprecated --> <attribute name="shire" type="anyURI" use="optional"/>
461 <attribute name="session" type="anyURI" use="optional"/>
462 <attribute name="metadata" type="anyURI" use="optional"/>
463 <attribute name="rm" type="anyURI" use="required"/>
464 <attribute name="access" type="anyURI" use="optional"/>
465 <attribute name="ssl" type="anyURI" use="optional"/>
466 <attribute name="supportContact" type="string" use="optional"/>
467 <attribute name="logoLocation" type="anyURI" use="optional"/>
468 <attribute name="styleSheet" type="anyURI" use="optional"/>
469 <anyAttribute namespace="##any" processContents="lax"/>
473 <attributeGroup name="CredentialUseGroup">
474 <attribute name="TLS" type="string" use="optional"/>
475 <attribute name="Signing" type="string" use="optional"/>
476 <attribute name="signRequest" type="boolean" use="optional" default="false"/>
477 <attribute name="signatureAlg" type="anyURI" use="optional"/>
478 <attribute name="digestAlg" type="anyURI" use="optional"/>
479 <attribute name="signedResponse" type="boolean" use="optional" default="false"/>
480 <attribute name="signedAssertions" type="boolean" use="optional" default="false"/>
481 <attribute name="authType" use="optional">
483 <restriction base="string">
484 <enumeration value="basic"/>
485 <enumeration value="digest"/>
486 <enumeration value="ntlm"/>
487 <enumeration value="gss"/>
491 <attribute name="authUsername" use="optional"/>
492 <attribute name="authPassword" use="optional"/>
495 <element name="CredentialUse">
497 <documentation>Container for specifying credentials to use</documentation>
501 <element name="RelyingParty" minOccurs="0" maxOccurs="unbounded">
504 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
506 <attribute name="Name" type="string" use="required"/>
507 <attributeGroup ref="conf:CredentialUseGroup"/>
508 <anyAttribute namespace="##other" processContents="lax"/>
511 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
513 <attributeGroup ref="conf:CredentialUseGroup"/>
514 <anyAttribute namespace="##other" processContents="lax"/>
518 <element name="AttributeFactory">
520 <documentation>Specifies a plugin that implements a specialized SAML attribute</documentation>
524 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
526 <attribute name="type" type="string" use="required"/>
527 <attribute name="AttributeName" type="string" use="required"/>
528 <anyAttribute namespace="##other" processContents="lax"/>