<schema targetNamespace="urn:mace:shibboleth:2.0:native:sp:config"
xmlns="http://www.w3.org/2001/XMLSchema"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
- xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
elementFormDefault="qualified"
attributeFormDefault="unqualified"
blockDefault="substitution"
- version="2.4">
+ version="2.5.3">
<import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd" />
<import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>
</restriction>
</simpleType>
+ <simpleType name="redirectLimitType">
+ <restriction base="string">
+ <enumeration value="none"/>
+ <enumeration value="exact"/>
+ <enumeration value="host"/>
+ <enumeration value="whitelist"/>
+ <enumeration value="exact+whitelist"/>
+ <enumeration value="host+whitelist"/>
+ </restriction>
+ </simpleType>
+
<complexType name="PluggableType">
<sequence>
<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="StorageService" type="IDREF"/>
- <attribute name="cacheTimeout" type="unsignedInt"/>
+ <attribute name="cacheAllowance" type="unsignedInt"/>
+ <attribute name="cacheTimeout" type="unsignedInt"/> <!-- deprecated -->
+ <attribute name="maintainReverseIndex" type="boolean"/>
+ <attribute name="excludeReverseIndex" type="conf:listOfStrings"/>
<anyAttribute namespace="##any" processContents="lax"/>
</restriction>
</complexContent>
<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="logger" type="anyURI"/>
+ <attribute name="tranLogFormat" type="conf:string"/>
+ <attribute name="tranLogFiller" type="conf:string"/>
<attribute name="catchAll" type="boolean"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
<attribute name="checkSpoofing" type="boolean"/>
<attribute name="spoofKey" type="conf:string"/>
<attribute name="catchAll" type="boolean"/>
+ <attribute name="extraAuthTypes" type="conf:listOfStrings"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
</complexType>
<attributeGroup name="ContentSettings">
+ <attribute name="applicationId" type="conf:string"/>
<attribute name="authType" type="conf:string"/>
<attribute name="requireSession" type="boolean"/>
<attribute name="requireSessionWith" type="conf:string"/>
+ <attribute name="requireLogoutWith" type="anyURI"/>
<attribute name="exportAssertion" type="boolean"/>
+ <attribute name="exportStdVars" type="boolean"/>
+ <attribute name="exportCookie" type="boolean"/>
<attribute name="redirectToSSL" type="unsignedInt"/>
<attribute name="entityID" type="anyURI"/>
<attribute name="discoveryURL" type="anyURI"/>
+ <attribute name="discoveryPolicy" type="conf:string"/>
<attribute name="isPassive" type="boolean"/>
<attribute name="returnOnError" type="boolean"/>
<attribute name="forceAuthn" type="boolean"/>
- <attribute name="authnContextClassRef" type="anyURI"/>
+ <attribute name="authnContextClassRef" type="conf:listOfURIs"/>
<attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
<attribute name="NameIDFormat" type="anyURI"/>
<attribute name="SPNameQualifier" type="conf:string"/>
<attribute name="target" type="anyURI"/>
<attribute name="acsIndex" type="unsignedShort"/>
<attribute name="REMOTE_ADDR" type="conf:string"/>
+ <attribute name="encoding" type="conf:string"/>
<anyAttribute namespace="##other" processContents="lax"/>
</attributeGroup>
</choice>
<element ref="ds:Signature" minOccurs="0"/>
</sequence>
- <attribute name="applicationId" type="conf:string" fixed="default"/>
+ <attribute name="unicodeAware" type="boolean"/>
<attributeGroup ref="conf:ContentSettings"/>
</complexType>
</element>
</attribute>
<attribute name="name" type="conf:string" use="required"/>
<attribute name="port" type="unsignedInt"/>
- <attribute name="applicationId" type="conf:string"/>
<attributeGroup ref="conf:ContentSettings"/>
</complexType>
</sequence>
<attribute name="regex" type="conf:string" use="required"/>
<attribute name="ignoreCase" type="boolean"/>
- <attribute name="applicationId" type="conf:string"/>
<attributeGroup ref="conf:ContentSettings"/>
</complexType>
</choice>
</sequence>
<attribute name="name" type="conf:string" use="required"/>
- <attribute name="applicationId" type="conf:string"/>
<attributeGroup ref="conf:ContentSettings"/>
</complexType>
</sequence>
<attribute name="regex" type="conf:string" use="required"/>
<attribute name="ignoreCase" type="boolean"/>
- <attribute name="applicationId" type="conf:string"/>
<attributeGroup ref="conf:ContentSettings"/>
</complexType>
<sequence>
<element name="Sessions" type="conf:SessionsType"/>
<element name="Errors" type="conf:ErrorsType" minOccurs="0"/>
- <element name="RelyingParty" type="conf:RelyingPartyType" minOccurs="0" maxOccurs="unbounded"/>
- <element name="Notify" type="conf:NotifyType" minOccurs="0" maxOccurs="unbounded"/>
- <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
- <element name="MetadataProvider" type="conf:PluggableType"/>
- <element name="TrustEngine" type="conf:PluggableType"/>
- <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
- <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
- <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
- <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
- <element name="ApplicationOverride" type="conf:ApplicationOverrideType" minOccurs="0" maxOccurs="unbounded"/>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element name="RelyingParty" type="conf:RelyingPartyType"/>
+ <element name="Notify" type="conf:NotifyType"/>
+ <element ref="saml:Audience"/>
+ <element name="MetadataProvider" type="conf:PluggableType"/>
+ <element name="TrustEngine" type="conf:PluggableType"/>
+ <element name="AttributeExtractor" type="conf:PluggableType"/>
+ <element name="AttributeResolver" type="conf:PluggableType"/>
+ <element name="AttributeFilter" type="conf:PluggableType"/>
+ <element name="CredentialResolver" type="conf:PluggableType"/>
+ <element name="ApplicationOverride" type="conf:ApplicationOverrideType"/>
+ </choice>
</sequence>
<attribute name="id" type="conf:string" fixed="default"/>
<attribute name="entityID" type="anyURI" use="required"/>
- <attribute name="policyId" type="conf:string" use="required"/>
<attributeGroup ref="conf:ApplicationGroup"/>
<attributeGroup ref="conf:RelyingPartyGroup"/>
<anyAttribute namespace="##other" processContents="lax"/>
<sequence>
<element name="Sessions" type="conf:SessionsType" minOccurs="0"/>
<element name="Errors" type="conf:ErrorsType" minOccurs="0"/>
- <element name="RelyingParty" type="conf:RelyingPartyType" minOccurs="0" maxOccurs="unbounded"/>
- <element name="Notify" type="conf:NotifyType" minOccurs="0" maxOccurs="unbounded"/>
- <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
- <element name="MetadataProvider" type="conf:PluggableType" minOccurs="0"/>
- <element name="TrustEngine" type="conf:PluggableType" minOccurs="0"/>
- <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
- <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
- <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
- <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element name="RelyingParty" type="conf:RelyingPartyType"/>
+ <element name="Notify" type="conf:NotifyType"/>
+ <element ref="saml:Audience"/>
+ <element name="MetadataProvider" type="conf:PluggableType"/>
+ <element name="TrustEngine" type="conf:PluggableType"/>
+ <element name="AttributeExtractor" type="conf:PluggableType"/>
+ <element name="AttributeResolver" type="conf:PluggableType"/>
+ <element name="AttributeFilter" type="conf:PluggableType"/>
+ <element name="CredentialResolver" type="conf:PluggableType"/>
+ </choice>
</sequence>
<attribute name="id" type="conf:string" use="required"/>
<attribute name="entityID" type="anyURI"/>
- <attribute name="policyId" type="conf:string"/>
<attributeGroup ref="conf:ApplicationGroup"/>
<attributeGroup ref="conf:RelyingPartyGroup"/>
<anyAttribute namespace="##other" processContents="lax"/>
<attributeGroup name="ApplicationGroup">
<attribute name="homeURL" type="anyURI"/>
+ <attribute name="policyId" type="conf:string"/>
<attribute name="REMOTE_USER" type="conf:listOfStrings"/>
<attribute name="unsetHeaders" type="conf:listOfStrings"/>
<attribute name="metadataAttributePrefix" type="conf:string"/>
<attribute name="attributePrefix" type="conf:string"/>
+ <attribute name="requireAuthenticatedEncryption" type="boolean"/>
</attributeGroup>
<attributeGroup name="RelyingPartyGroup">
<attribute name="requireConfidentiality" type="boolean"/>
<attribute name="requireTransportAuth" type="boolean"/>
<attribute name="requireSignedAssertions" type="boolean"/>
+ <attribute name="sessionHook" type="anyURI"/>
+ <attribute name="artifactByFilesystem" type="boolean"/>
</attributeGroup>
-
+
<complexType name="SessionsType">
<annotation>
<documentation>Container for specifying protocol handlers and session policy</documentation>
</annotation>
- <choice minOccurs="0" maxOccurs="unbounded">
- <element ref="conf:SessionInitiator"/>
- <element ref="conf:LogoutInitiator"/>
- <element ref="md:AssertionConsumerService"/>
- <element ref="md:ArtifactResolutionService"/>
- <element ref="md:SingleLogoutService"/>
- <element ref="md:ManageNameIDService"/>
- <element name="Handler">
+ <sequence>
+ <element name="SSO" minOccurs="0">
<complexType>
- <complexContent>
- <restriction base="conf:PluggableType">
- <sequence>
- <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="Location" type="anyURI" use="required"/>
- <attribute name="acl" type="conf:listOfStrings"/>
- <anyAttribute namespace="##any" processContents="lax"/>
- </restriction>
- </complexContent>
+ <annotation>
+ <documentation>Implicitly configures SessionInitiator and AssertionConsumerService handlers</documentation>
+ </annotation>
+ <simpleContent>
+ <extension base="conf:listOfStrings">
+ <attribute name="policyId" type="conf:string"/>
+ <attribute name="ignoreNoPassive" type="boolean"/>
+ <attribute name="discoveryProtocol" type="conf:string"/>
+ <attribute name="discoveryURL" type="anyURI"/>
+ <attributeGroup ref="conf:SessionInitiatorGroup"/>
+ </extension>
+ </simpleContent>
</complexType>
</element>
- </choice>
- <attribute name="handlerURL" type="anyURI" use="required"/>
+ <element name="Logout" minOccurs="0">
+ <complexType>
+ <annotation>
+ <documentation>Implicitly configures LogoutInitiator and SingleLogoutService handlers</documentation>
+ </annotation>
+ <simpleContent>
+ <extension base="conf:listOfStrings">
+ <attribute name="policyId" type="conf:string"/>
+ <attributeGroup ref="conf:LogoutInitiatorGroup"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <element name="NameIDMgmt" minOccurs="0">
+ <complexType>
+ <annotation>
+ <documentation>Implicitly configures ManageNameIDService handlers</documentation>
+ </annotation>
+ <simpleContent>
+ <extension base="conf:listOfStrings">
+ <attribute name="policyId" type="conf:string"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="conf:SessionInitiator"/>
+ <element ref="conf:LogoutInitiator"/>
+ <element ref="md:AssertionConsumerService"/>
+ <element ref="md:ArtifactResolutionService"/>
+ <element ref="md:SingleLogoutService"/>
+ <element ref="md:ManageNameIDService"/>
+ <element ref="conf:Handler"/>
+ </choice>
+ </sequence>
+ <attribute name="handlerURL" type="anyURI"/>
<attribute name="handlerSSL" type="boolean"/>
<attribute name="exportLocation" type="conf:string"/>
<attribute name="exportACL" type="conf:listOfStrings"/>
<attribute name="cookieLifetime" type="unsignedInt"/>
<attribute name="idpHistory" type="boolean"/>
<attribute name="idpHistoryDays" type="unsignedInt"/>
+ <attribute name="idpHistoryProps" type="conf:string"/>
<attribute name="lifetime" type="unsignedInt"/>
<attribute name="timeout" type="unsignedInt"/>
<attribute name="maxTimeSinceAuthn" type="unsignedInt"/>
<attribute name="postLimit" type="positiveInteger"/>
<attribute name="postTemplate" type="conf:string"/>
<attribute name="postExpire" type="boolean"/>
+ <attribute name="relayState" type="conf:string"/>
+ <attribute name="relayStateLimit" type="conf:redirectLimitType"/>
+ <attribute name="relayStateWhitelist" type="conf:listOfURIs"/>
+ <attribute name="redirectLimit" type="conf:redirectLimitType"/>
+ <attribute name="redirectWhitelist" type="conf:listOfURIs"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
<attribute name="policyId" type="conf:string">
<annotation>
- <documentation>Used to reference Policy elements from profile endpoints.</documentation>
+ <documentation>Used to override Policy from profile endpoints</documentation>
</annotation>
</attribute>
+ <attribute name="ignoreNoPassive" type="boolean">
+ <annotation>
+ <documentation>Used to ignore NoPassive errors in AssertionConsumerService endpoints</documentation>
+ </annotation>
+ </attribute>
+
+ <attributeGroup name="SessionInitiatorGroup">
+ <annotation>
+ <documentation>Options common to explicit and implicit SessionInitiators</documentation>
+ </annotation>
+ <attribute name="relayState" type="conf:string"/>
+ <attribute name="entityIDParam" type="conf:string"/>
+ <attribute name="entityID" type="anyURI"/>
+ <attribute name="outgoingBindings" type="conf:listOfURIs"/>
+ <attribute name="preservedOptions" type="conf:listOfStrings"/>
+ <attribute name="template" type="anyURI"/>
+ <attribute name="postArtifact" type="boolean"/>
+ <attribute name="acsByIndex" type="boolean"/>
+ <attribute name="isPassive" type="boolean"/>
+ <attribute name="returnOnError" type="boolean"/>
+ <attribute name="forceAuthn" type="boolean"/>
+ <attribute name="authnContextClassRef" type="anyURI"/>
+ <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
+ <attribute name="NameIDFormat" type="anyURI"/>
+ <attribute name="SPNameQualifier" type="conf:string"/>
+ <attribute name="requestDelegation" type="boolean"/>
+ <attribute name="target" type="anyURI"/>
+ <attribute name="discoveryPolicy" type="conf:string"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </attributeGroup>
+
<element name="SessionInitiator">
<annotation>
<documentation>Used to specify handlers that can issue AuthnRequests or perform discovery</documentation>
<attribute name="Location" type="anyURI"/>
<attribute name="id" type="conf:string"/>
<attribute name="isDefault" type="boolean"/>
- <attribute name="relayState" type="conf:string"/>
- <attribute name="entityIDParam" type="conf:string"/>
- <attribute name="entityID" type="anyURI"/>
<attribute name="URL" type="anyURI"/>
- <attribute name="outgoingBindings" type="conf:listOfURIs"/>
- <attribute name="template" type="anyURI"/>
- <attribute name="postArtifact" type="boolean"/>
- <attribute name="acsByIndex" type="boolean"/>
<attribute name="acsIndex" type="unsignedShort"/>
<attribute name="defaultACSIndex" type="unsignedShort"/> <!-- deprecated -->
- <attribute name="isPassive" type="boolean"/>
- <attribute name="returnOnError" type="boolean"/>
- <attribute name="forceAuthn" type="boolean"/>
- <attribute name="authnContextClassRef" type="anyURI"/>
- <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
- <attribute name="NameIDFormat" type="anyURI"/>
- <attribute name="SPNameQualifier" type="conf:string"/>
- <attribute name="requestDelegation" type="boolean"/>
- <attribute name="target" type="anyURI"/>
- <anyAttribute namespace="##any" processContents="lax"/>
+ <attributeGroup ref="conf:SessionInitiatorGroup"/>
</restriction>
</complexContent>
</complexType>
</element>
+ <attributeGroup name="LogoutInitiatorGroup">
+ <annotation>
+ <documentation>Options common to explicit and implicit LogoutInitiators</documentation>
+ </annotation>
+ <attribute name="relayState" type="conf:string"/>
+ <attribute name="outgoingBindings" type="conf:listOfURIs"/>
+ <attribute name="template" type="anyURI"/>
+ <attribute name="postArtifact" type="boolean"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </attributeGroup>
+
<element name="LogoutInitiator">
<annotation>
<documentation>Used to specify handlers that can issue LogoutRequests</documentation>
<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="Location" type="anyURI"/>
- <attribute name="relayState" type="conf:string"/>
- <attribute name="outgoingBindings" type="conf:listOfURIs"/>
- <attribute name="template" type="anyURI"/>
- <attribute name="postArtifact" type="boolean"/>
+ <attributeGroup ref="conf:LogoutInitiatorGroup"/>
+ </restriction>
+ </complexContent>
+ </complexType>
+ </element>
+
+ <element name="Handler">
+ <annotation>
+ <documentation>Used to specify custom handlers</documentation>
+ </annotation>
+ <complexType>
+ <complexContent>
+ <restriction base="conf:PluggableType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Location" type="anyURI" use="required"/>
+ <attribute name="acl" type="conf:listOfStrings"/>
<anyAttribute namespace="##any" processContents="lax"/>
</restriction>
</complexContent>
<attribute name="localLogout" type="anyURI"/>
<attribute name="globalLogout" type="anyURI"/>
<attribute name="partialLogout" type="anyURI"/>
- <attribute name="supportContact" type="conf:string"/>
- <attribute name="logoLocation" type="anyURI"/>
- <attribute name="styleSheet" type="anyURI"/>
<anyAttribute namespace="##any" processContents="lax"/>
</complexType>
<annotation>
<documentation>Container for specifying settings to use with particular peers</documentation>
</annotation>
- <sequence/>
- <attribute name="Name" type="conf:string" use="required"/>
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Name" type="conf:string"/>
+ <attribute name="type" type="conf:string"/>
<attributeGroup ref="conf:RelyingPartyGroup"/>
<attribute name="entityID" type="anyURI"/>
- <anyAttribute namespace="##other" processContents="lax"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
</complexType>
<complexType name="NotifyType">
</element>
<choice minOccurs="0">
<element name="AlgorithmWhitelist" type="conf:listOfURIs"/>
- <element name="AlgorithmBlacklist" type="conf:listOfURIs"/>
+ <element name="AlgorithmBlacklist">
+ <complexType>
+ <simpleContent>
+ <extension base="conf:listOfURIs">
+ <attribute name="includeDefaultBlacklist" type="boolean"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
</choice>
</sequence>
</complexType>
<element name="SecurityPolicyProvider" type="conf:PluggableType"/>
<element ref="conf:SecurityPolicies"/> <!-- deprecated -->
</choice>
+ <element name="ProtocolProvider" type="conf:PluggableType" minOccurs="0"/>
<element ref="conf:TransportOption" minOccurs="0" maxOccurs="unbounded"/>
<element ref="ds:Signature" minOccurs="0"/>
</sequence>
<attribute name="clockSkew" type="unsignedInt"/>
<attribute name="unsafeChars" type="conf:string"/>
<attribute name="allowedSchemes" type="conf:listOfStrings"/>
+ <attribute name="langFromClient" type="boolean"/>
+ <attribute name="langPriority" type="conf:listOfStrings"/>
+ <attribute name="contactPriority" type="conf:listOfStrings"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
</element>
projects / shibboleth / cpp-sp.git / blobdiff