1 <?xml version="1.0" encoding="US-ASCII"?>
<!-- Declared encoding is US-ASCII: every character in this file must be 7-bit ASCII; anything else needs a numeric character reference or a different declaration. -->
<!-- NOTE(review): this listing is an excerpt with gaps in its own line numbering (e.g. 9 to 12, 13 to 17, 18 to 22); closing tags and wrapper elements (sequence, choice, annotation, simpleContent, restriction) are not shown, so it is not well-formed as printed. The comments added below describe only what the visible declarations establish. -->
2 <schema targetNamespace="urn:mace:shibboleth:target:config:1.0"
3 xmlns="http://www.w3.org/2001/XMLSchema"
4 xmlns:conf="urn:mace:shibboleth:target:config:1.0"
5 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
6 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
7 elementFormDefault="qualified"
8 attributeFormDefault="unqualified"
9 blockDefault="substitution"
<!-- Imported SAML 1.1 assertion and SAML 2.0 metadata schemas. schemaLocation is a hint, not a trusted fetch target: a validator should resolve both names to local copies rather than retrieving them from wherever a document points. -->
10 <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="cs-sstc-schema-assertion-1.1.xsd"/>
11 <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
12 1.0 schema for XML-based configuration of Shibboleth target libraries and modules.
13 First appearing in Shibboleth 1.2 release.
<!-- conf:string: a string of at least one character, used wherever an identifier, name or address must not be empty. -->
14 <simpleType name="string">
15 <restriction base="string">
16 <minLength value="1"/>
<!-- Whitespace-separated lists (xs:list) of non-empty strings and of URIs. -->
17 <simpleType name="listOfStrings">
18 <list itemType="conf:string"/>
19 <simpleType name="listOfURIs">
20 <list itemType="anyURI"/>
<!-- PluggableType: open content model. Child elements and attributes from any namespace are accepted with lax validation (checked only if a declaration happens to be available), so plug-in specific settings are effectively unvalidated by this schema. 'type' is the only required attribute (presumably the plug-in identifier; confirm against the loader); 'uri' is optional. -->
21 <complexType name="PluggableType">
22 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
23 <attribute name="type" type="conf:string" use="required"/>
24 <attribute name="uri" type="anyURI"/>
25 <anyAttribute namespace="##any" processContents="lax"/>
<!-- Two root element names share one type, so ShibbolethTargetConfig and SPConfig are interchangeable as far as this schema is concerned. -->
26 <element name="ShibbolethTargetConfig" type="conf:SPConfigType"/>
27 <element name="SPConfig" type="conf:SPConfigType"/>
28 <complexType name="SPConfigType">
29 <documentation>Root element of configuration file</documentation>
<!-- Optional Extensions, then at most one of Global/SHAR and at most one of Local/SHIRE (each pair shares a type; the SHAR/SHIRE spellings look like older names, confirm), then the required Applications element, any number of CredentialsProvider plug-ins and AttributeFactory declarations. -->
30 <element ref="conf:Extensions" minOccurs="0"/>
31 <choice minOccurs="0">
32 <element name="Global" type="conf:GlobalConfigurationType"/>
33 <element name="SHAR" type="conf:GlobalConfigurationType"/>
34 <choice minOccurs="0">
35 <element name="Local" type="conf:LocalConfigurationType"/>
36 <element name="SHIRE" type="conf:LocalConfigurationType"/>
37 <element ref="conf:Applications"/>
38 <element name="CredentialsProvider" type="conf:PluggableType" minOccurs="0" maxOccurs="unbounded"/>
39 <element ref="conf:AttributeFactory" minOccurs="0" maxOccurs="unbounded"/>
<!-- clockSkew: unsignedInt with no schema default; its unit is not stated in this schema (presumably seconds; confirm against the implementation). -->
40 <attribute name="logger" type="anyURI"/>
41 <attribute name="clockSkew" type="unsignedInt"/>
42 <anyAttribute namespace="##other" processContents="lax"/>
<!-- Extensions: each Library needs a required 'path'; 'fatal' is a boolean with no schema default (by name, whether a load failure is fatal; confirm). Library content and any further children are elements from other namespaces, validated lax. -->
43 <element name="Extensions">
44 <documentation>Container for extension libraries and custom configuration</documentation>
45 <element name="Library" minOccurs="0" maxOccurs="unbounded">
46 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
47 <attribute name="path" type="anyURI" use="required"/>
48 <attribute name="fatal" type="boolean"/>
49 <anyAttribute namespace="##other" processContents="lax"/>
50 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
51 <complexType name="GlobalConfigurationType">
52 <documentation>Container for global (server independent) configuration</documentation>
53 <element ref="conf:Extensions" minOccurs="0"/>
<!-- Listener variants: UnixListener needs an address only. -->
54 <element name="UnixListener">
55 <attribute name="address" type="conf:string" use="required"/>
<!-- TCPListener: address and port are required. 'acl' is a whitespace-separated list whose schema default is 127.0.0.1, i.e. loopback only; widening it must be an explicit configuration choice, and a non-validating parser will not apply this default at all. -->
56 <element name="TCPListener">
57 <attribute name="address" type="conf:string" use="required"/>
58 <attribute name="port" type="unsignedInt" use="required"/>
59 <attribute name="acl" type="conf:listOfStrings" default="127.0.0.1"/>
60 <element name="MemoryListener" type="conf:PluggableType"/>
61 <element name="Listener" type="conf:PluggableType"/>
<!-- Session cache variants. MemorySessionCache takes only the shared SessionCacheProperties. -->
62 <element name="MemorySessionCache">
63 <attributeGroup ref="conf:SessionCacheProperties"/>
64 <anyAttribute namespace="##other" processContents="lax"/>
<!-- MySQLSessionCache: Argument strings are passed through without validation; mysqlTimeout defaults to 14400 and storeAttributes to false (by name, attribute data is not stored unless enabled; confirm). -->
65 <element name="MySQLSessionCache">
66 <element name="Argument" type="conf:string" minOccurs="0" maxOccurs="unbounded"/>
67 <attributeGroup ref="conf:SessionCacheProperties"/>
68 <attribute name="mysqlTimeout" type="unsignedInt" default="14400"/>
69 <attribute name="storeAttributes" type="boolean" default="false"/>
70 <anyAttribute namespace="##other" processContents="lax"/>
<!-- SessionCache: generic plug-in form, PluggableType's open content model plus the shared properties. -->
71 <element name="SessionCache">
72 <extension base="conf:PluggableType">
73 <attributeGroup ref="conf:SessionCacheProperties"/>
<!-- Optional replay cache: MySQL-backed with pass-through Argument strings, or a generic plug-in. -->
74 <choice minOccurs="0">
75 <element name="MySQLReplayCache">
76 <element name="Argument" type="conf:string" minOccurs="0" maxOccurs="unbounded"/>
77 <anyAttribute namespace="##other" processContents="lax"/>
78 <element name="ReplayCache" type="conf:PluggableType"/>
79 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
80 <attribute name="logger" type="anyURI"/>
81 <anyAttribute namespace="##other" processContents="lax"/>
<!-- Shared session cache tunables. Schema defaults: cleanupInterval 300, cacheTimeout 28800, AAConnectTimeout 15, AATimeout 30, defaultLifetime 1800, retryInterval 300, strictValidity true, propagateErrors false. Units are not declared here (presumably seconds; confirm). Defaults are supplied only by a validating parser. -->
82 <attributeGroup name="SessionCacheProperties">
83 <attribute name="cleanupInterval" type="unsignedInt" default="300"/>
84 <attribute name="cacheTimeout" type="unsignedInt" default="28800"/>
85 <attribute name="AAConnectTimeout" type="unsignedInt" default="15"/>
86 <attribute name="AATimeout" type="unsignedInt" default="30"/>
87 <attribute name="defaultLifetime" type="unsignedInt" default="1800"/>
88 <attribute name="retryInterval" type="unsignedInt" default="300"/>
89 <attribute name="strictValidity" type="boolean" default="true"/>
90 <attribute name="propagateErrors" type="boolean" default="false"/>
<!-- Local (web-server side) settings. checkSpoofing and spoofKey (by name, the request-header spoofing check and its key) and catchAll carry no schema default, so the implementation's own default applies when they are omitted; confirm that default rather than assuming the check is on. allowedSchemes is a whitespace-separated list; localRelayState defaults to false. -->
91 <complexType name="LocalConfigurationType">
92 Container for configuration of locally integrated or platform-specific
93 features (e.g. web server filters)
94 <element ref="conf:Extensions" minOccurs="0"/>
95 <element name="RequestMapProvider" type="conf:PluggableType" minOccurs="0"/>
96 <element name="Implementation" minOccurs="0">
97 <choice maxOccurs="unbounded">
98 <element ref="conf:ISAPI"/>
99 <any namespace="##other" processContents="lax"/>
100 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
101 <attribute name="logger" type="anyURI"/>
102 <attribute name="localRelayState" type="boolean" default="false"/>
103 <attribute name="unsetHeaderValue" type="conf:string"/>
104 <attribute name="checkSpoofing" type="boolean"/>
105 <attribute name="spoofKey" type="conf:string"/>
106 <attribute name="catchAll" type="boolean"/>
107 <attribute name="allowedSchemes" type="conf:listOfStrings"/>
108 <anyAttribute namespace="##other" processContents="lax"/>
<!-- ISAPI: one or more Site entries keyed by a required numeric 'id' and 'name', with optional Alias names; normalizeRequest and safeHeaderNames are booleans with no schema default. -->
109 <element name="ISAPI">
110 <element name="Site" maxOccurs="unbounded">
111 <element name="Alias" type="conf:string" minOccurs="0" maxOccurs="unbounded"/>
112 <attribute name="id" type="unsignedInt" use="required"/>
113 <attribute name="name" type="conf:string" use="required"/>
114 <attribute name="port" type="unsignedInt"/>
115 <attribute name="sslport" type="unsignedInt"/>
116 <attribute name="scheme" type="conf:string"/>
117 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
118 <attribute name="normalizeRequest" type="boolean"/>
119 <attribute name="safeHeaderNames" type="boolean"/>
120 <anyAttribute namespace="##other" processContents="lax"/>
<!-- NSAPI and Java are typed anyType: their content is entirely unconstrained by this schema. -->
121 <element name="NSAPI" type="anyType"/>
122 <element name="Java" type="anyType"/>
<!-- Boolean access policy tree. AND/OR take two or more operands (MultiOperatorType, minOccurs 2); AccessControl and NOT use UniOperatorType, whose wrapper is not shown in this excerpt (presumably a single operand). Rule leaves are a whitespace-separated list of strings qualified by the required 'require' attribute. -->
123 <element name="AccessControl" type="conf:UniOperatorType">
124 A simple example access policy language extension that supersedes Apache .htaccess
125 <element name="OR" type="conf:MultiOperatorType"/>
126 <element name="AND" type="conf:MultiOperatorType"/>
127 <element name="NOT" type="conf:UniOperatorType"/>
128 <complexType name="UniOperatorType">
129 <element ref="conf:AND"/>
130 <element ref="conf:OR"/>
131 <element ref="conf:NOT"/>
132 <element ref="conf:Rule"/>
133 <complexType name="MultiOperatorType">
134 <choice minOccurs="2" maxOccurs="unbounded">
135 <element ref="conf:AND"/>
136 <element ref="conf:OR"/>
137 <element ref="conf:NOT"/>
138 <element ref="conf:Rule"/>
139 <element name="Rule">
140 <extension base="conf:listOfStrings">
141 <attribute name="require" type="conf:string" use="required"/>
<!-- Per-resource settings applied at RequestMap, Host and Path levels. None has a schema default, so omitting requireSession does not imply any value at the schema level. redirectToSSL is an unsignedInt (presumably the port to redirect to; confirm). -->
142 <attributeGroup name="ContentSettings">
143 <attribute name="authType" type="conf:string"/>
144 <attribute name="requireSession" type="boolean"/>
145 <attribute name="requireSessionWith" type="conf:string"/>
146 <attribute name="exportAssertion" type="boolean"/>
147 <attribute name="redirectToSSL" type="unsignedInt"/>
148 <anyAttribute namespace="##other" processContents="lax"/>
<!-- Access-control choices available at each mapping level: htaccess, the built-in AccessControl tree, or a plug-in provider. -->
149 <element name="AccessControlProvider" type="conf:PluggableType"/>
150 <element name="htaccess" type="conf:PluggableType"/>
<!-- RequestMap: root of the mapping tree. applicationId is fixed to "default", so any other value fails validation. An optional access-control child precedes the Host/HostRegex entries. -->
151 <element name="RequestMap">
152 Built-in request mapping syntax, decomposes URLs into Host/Path/Path/...
153 <choice minOccurs="0">
154 <element ref="conf:htaccess"/>
155 <element ref="conf:AccessControl"/>
156 <element ref="conf:AccessControlProvider"/>
157 <choice minOccurs="0" maxOccurs="unbounded">
158 <element ref="conf:Host"/>
159 <element ref="conf:HostRegex"/>
160 <attribute name="applicationId" type="conf:string" fixed="default"/>
161 <attributeGroup ref="conf:ContentSettings"/>
<!-- Host: 'name' required; 'scheme' is limited to http, https, ftp, ldap and ldaps. -->
162 <element name="Host">
163 <choice minOccurs="0">
164 <element ref="conf:htaccess"/>
165 <element ref="conf:AccessControl"/>
166 <element ref="conf:AccessControlProvider"/>
167 <choice minOccurs="0" maxOccurs="unbounded">
168 <element ref="conf:Path"/>
169 <element ref="conf:PathRegex"/>
170 <attribute name="scheme">
171 <restriction base="string">
172 <enumeration value="http"/>
173 <enumeration value="https"/>
174 <enumeration value="ftp"/>
175 <enumeration value="ldap"/>
176 <enumeration value="ldaps"/>
177 <attribute name="name" type="conf:string" use="required"/>
178 <attribute name="port" type="unsignedInt"/>
179 <attribute name="applicationId" type="conf:string"/>
180 <attributeGroup ref="conf:ContentSettings"/>
<!-- HostRegex: 'regex' is a plain conf:string, so pattern syntax is not validated by this schema; ignoreCase defaults to true, which makes matching case-insensitive unless explicitly turned off. -->
181 <element name="HostRegex">
182 <choice minOccurs="0">
183 <element ref="conf:htaccess"/>
184 <element ref="conf:AccessControl"/>
185 <element ref="conf:AccessControlProvider"/>
186 <choice minOccurs="0" maxOccurs="unbounded">
187 <element ref="conf:Path"/>
188 <element ref="conf:PathRegex"/>
189 <attribute name="regex" type="conf:string" use="required"/>
190 <attribute name="ignoreCase" type="boolean" default="true"/>
191 <attribute name="applicationId" type="conf:string"/>
192 <attributeGroup ref="conf:ContentSettings"/>
<!-- Path: nestable (Path/PathRegex children), 'name' required. -->
193 <element name="Path">
194 <choice minOccurs="0">
195 <element ref="conf:htaccess"/>
196 <element ref="conf:AccessControl"/>
197 <element ref="conf:AccessControlProvider"/>
198 <choice minOccurs="0" maxOccurs="unbounded">
199 <element ref="conf:Path"/>
200 <element ref="conf:PathRegex"/>
201 <attribute name="name" type="conf:string" use="required"/>
202 <attribute name="applicationId" type="conf:string"/>
203 <attributeGroup ref="conf:ContentSettings"/>
<!-- PathRegex: leaf only (no nested Path children shown); 'regex' unvalidated conf:string, ignoreCase defaults to true. -->
204 <element name="PathRegex">
205 <choice minOccurs="0">
206 <element ref="conf:htaccess"/>
207 <element ref="conf:AccessControl"/>
208 <element ref="conf:AccessControlProvider"/>
209 <attribute name="regex" type="conf:string" use="required"/>
210 <attribute name="ignoreCase" type="boolean" default="true"/>
211 <attribute name="applicationId" type="conf:string"/>
212 <attributeGroup ref="conf:ContentSettings"/>
<!-- Applications: global defaults. 'id' is fixed to "default" and providerId is required. Sessions and Errors are mandatory here but optional in per-Application overrides. Provider plug-ins (AAP, Metadata, Trust, deprecated Federation) use the open PluggableType. -->
213 <element name="Applications">
214 <documentation>Container for global target settings and application-specific overrides</documentation>
215 <element ref="conf:Sessions"/>
216 <element ref="conf:Errors"/>
217 <element ref="conf:CredentialUse" minOccurs="0"/>
218 <choice minOccurs="0" maxOccurs="unbounded">
219 <element ref="saml:AttributeDesignator"/>
220 <element ref="saml:Audience"/>
221 <element name="AAPProvider" type="conf:PluggableType"/>
222 <!-- deprecated --> <element name="FederationProvider" type="conf:PluggableType"/>
223 <element name="MetadataProvider" type="conf:PluggableType"/>
224 <element name="TrustProvider" type="conf:PluggableType"/>
225 <element ref="conf:Application" minOccurs="0" maxOccurs="unbounded"/>
226 <attribute name="id" type="conf:string" fixed="default"/>
227 <attribute name="providerId" type="anyURI" use="required"/>
228 <attribute name="homeURL" type="anyURI"/>
229 <anyAttribute namespace="##other" processContents="lax"/>
<!-- Application: per-application override. 'id' is required; Sessions, Errors and CredentialUse are optional here (the override semantics are the implementation's, the schema only makes them optional). -->
230 <element name="Application">
231 <documentation>Container for application-specific overrides</documentation>
232 <element ref="conf:Sessions" minOccurs="0"/>
233 <element ref="conf:Errors" minOccurs="0"/>
234 <element ref="conf:CredentialUse" minOccurs="0"/>
235 <choice minOccurs="0" maxOccurs="unbounded">
236 <element ref="saml:AttributeDesignator"/>
237 <element ref="saml:Audience"/>
238 <element name="AAPProvider" type="conf:PluggableType"/>
239 <!-- deprecated --> <element name="FederationProvider" type="conf:PluggableType"/>
240 <element name="MetadataProvider" type="conf:PluggableType"/>
241 <element name="TrustProvider" type="conf:PluggableType"/>
242 <attribute name="id" type="conf:string" use="required"/>
243 <attribute name="providerId" type="anyURI"/>
244 <attribute name="homeURL" type="anyURI"/>
245 <anyAttribute namespace="##other" processContents="lax"/>
246 <element name="KeyInfoResolver" type="conf:PluggableType">
247 Custom plug-in that resolves ds:KeyInfo elements into public keys, used in
248 TrustProvider elements.
<!-- Sessions: handlerSSL, idpHistory, consistentAddress and checkReplay default to true at the schema level; checkAddress, lifetime and timeout have no default. cookieProps is free-form text (conf:string), so whatever cookie attributes are placed there are not validated by this schema. wayfURL, shireURL and shireSSL are marked deprecated inline. -->
249 <element name="Sessions">
250 <documentation>Container for specifying app session establishment and policy</documentation>
251 <choice minOccurs="0" maxOccurs="unbounded">
252 <element ref="conf:SessionInitiator"/>
253 <element ref="md:AssertionConsumerService"/>
254 <element ref="md:SingleLogoutService"/>
255 <element name="ExtensionService" type="conf:PluggableType"/>
256 <!-- deprecated --> <attribute name="wayfURL" type="anyURI"/>
257 <!-- deprecated --> <attribute name="shireURL" type="anyURI"/>
258 <!-- deprecated --> <attribute name="shireSSL" type="boolean"/>
259 <attribute name="handlerURL" type="anyURI"/>
260 <attribute name="handlerSSL" type="boolean" default="true"/>
261 <attribute name="cookieName" type="conf:string"/>
262 <attribute name="cookieProps" type="conf:string"/>
263 <attribute name="idpHistory" type="boolean" default="true"/>
264 <attribute name="idpHistoryDays" type="unsignedInt"/>
265 <attribute name="lifetime" type="unsignedInt"/>
266 <attribute name="timeout" type="unsignedInt"/>
267 <attribute name="checkAddress" type="boolean"/>
268 <attribute name="consistentAddress" type="boolean" default="true"/>
269 <attribute name="checkReplay" type="boolean" default="true"/>
270 <anyAttribute namespace="##other" processContents="lax"/>
<!-- SessionInitiator: Location and Binding are required. anyAttribute is ##any here (most other elements use ##other): because attributes are unqualified, ##other rejects an undeclared unprefixed attribute while ##any accepts it under lax processing, so a misspelled isDefault or checkCDC would pass validation silently. -->
271 <element name="SessionInitiator">
272 <documentation>Used to specify WAYF/Discovery services (external or internal)</documentation>
273 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
274 <attribute name="Location" type="anyURI" use="required"/>
275 <attribute name="Binding" type="anyURI" use="required"/>
276 <attribute name="wayfURL" type="anyURI"/>
277 <attribute name="wayfBinding" type="anyURI"/>
278 <attribute name="checkCDC" type="anyURI"/>
279 <attribute name="isDefault" type="boolean"/>
280 <attribute name="id" type="conf:string"/>
281 <anyAttribute namespace="##any" processContents="lax"/>
<!-- Errors: only 'rm' is required; the other template locations are optional anyURI. anyAttribute is ##any, so undeclared unprefixed attributes are accepted here as well. 'shire' is deprecated. -->
282 <element name="Errors">
283 <documentation>Container for error templates and associated details</documentation>
284 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
285 <!-- deprecated --> <attribute name="shire" type="anyURI"/>
286 <attribute name="session" type="anyURI"/>
287 <attribute name="metadata" type="anyURI"/>
288 <attribute name="rm" type="anyURI" use="required"/>
289 <attribute name="access" type="anyURI"/>
290 <attribute name="ssl" type="anyURI"/>
291 <attribute name="supportContact" type="conf:string"/>
292 <attribute name="logoLocation" type="anyURI"/>
293 <attribute name="styleSheet" type="anyURI"/>
294 <anyAttribute namespace="##any" processContents="lax"/>
<!-- Credential selection settings. signRequest, signedResponse and signedAssertions default to false (by name they look like signing and signature-requirement switches; confirm the exact meaning in the implementation before treating the defaults as adequate). signatureAlg and digestAlg are algorithm URIs with no default. authType is limited to basic, digest, ntlm, gss. authUsername and authPassword have no declared type (anySimpleType) and, by name, place a credential in the configuration file itself; the file's own access controls are the only protection visible from this schema. -->
295 <attributeGroup name="CredentialUseGroup">
296 <attribute name="TLS" type="conf:string"/>
297 <attribute name="Signing" type="conf:string"/>
298 <attribute name="signRequest" type="boolean" default="false"/>
299 <attribute name="signatureAlg" type="anyURI"/>
300 <attribute name="digestAlg" type="anyURI"/>
301 <attribute name="signedResponse" type="boolean" default="false"/>
302 <attribute name="signedAssertions" type="boolean" default="false"/>
303 <attribute name="authType">
304 <restriction base="string">
305 <enumeration value="basic"/>
306 <enumeration value="digest"/>
307 <enumeration value="ntlm"/>
308 <enumeration value="gss"/>
309 <attribute name="authUsername"/>
310 <attribute name="authPassword"/>
<!-- CredentialUse: group defaults at this level, with per-RelyingParty overrides keyed by the required 'Name'. -->
311 <element name="CredentialUse">
312 <documentation>Container for specifying credentials to use</documentation>
313 <element name="RelyingParty" minOccurs="0" maxOccurs="unbounded">
314 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
315 <attribute name="Name" type="conf:string" use="required"/>
316 <attributeGroup ref="conf:CredentialUseGroup"/>
317 <anyAttribute namespace="##other" processContents="lax"/>
318 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
319 <attributeGroup ref="conf:CredentialUseGroup"/>
320 <anyAttribute namespace="##other" processContents="lax"/>
<!-- AttributeFactory: 'type' and 'AttributeName' are required; plug-in content is any element from any namespace, validated lax. -->
321 <element name="AttributeFactory">
322 <documentation>Specifies a plugin that implements a specialized SAML attribute</documentation>
323 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
324 <attribute name="type" type="conf:string" use="required"/>
325 <attribute name="AttributeName" type="conf:string" use="required"/>
326 <anyAttribute namespace="##other" processContents="lax"/>