1 <?xml version="1.0" encoding="US-ASCII"?>
2 <schema targetNamespace="urn:mace:shibboleth:2.0:native:sp:config"
3 xmlns="http://www.w3.org/2001/XMLSchema"
4 xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
5 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
6 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
7 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
8 elementFormDefault="qualified"
9 attributeFormDefault="unqualified"
10 blockDefault="substitution"
13 <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>
14 <import namespace="urn:oasis:names:tc:SAML:2.0:protocol" schemaLocation="saml-schema-protocol-2.0.xsd"/>
15 <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
19 2.0 schema for XML-based configuration of Shibboleth Native SP instances.
20 First appearing in Shibboleth 2.0 release.
24 <simpleType name="string">
25 <restriction base="string">
26 <minLength value="1"/>
30 <simpleType name="listOfStrings">
31 <list itemType="conf:string"/>
34 <simpleType name="listOfURIs">
35 <list itemType="anyURI"/>
38 <simpleType name="bindingBoolean">
39 <restriction base="string">
40 <enumeration value="true"/>
41 <enumeration value="false"/>
42 <enumeration value="front"/>
43 <enumeration value="back"/>
47 <complexType name="PluggableType">
49 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
51 <attribute name="type" type="conf:string" use="required"/>
52 <anyAttribute namespace="##any" processContents="lax"/>
55 <element name="SPConfig">
58 <documentation>Root of configuration</documentation>
61 <element ref="conf:Extensions" minOccurs="0"/>
62 <element ref="conf:OutOfProcess"/>
63 <element ref="conf:InProcess"/>
64 <choice minOccurs="0">
65 <element name="UnixListener">
67 <attribute name="address" type="conf:string" use="required"/>
70 <element name="TCPListener">
72 <attribute name="address" type="conf:string" use="required"/>
73 <attribute name="port" type="unsignedInt" use="required"/>
74 <attribute name="acl" type="conf:listOfStrings"/>
77 <element name="Listener" type="conf:PluggableType"/>
79 <element ref="conf:StorageService" minOccurs="0" maxOccurs="unbounded"/>
80 <element ref="conf:SessionCache" minOccurs="0"/>
81 <element ref="conf:ReplayCache" minOccurs="0"/>
82 <element ref="conf:ArtifactMap" minOccurs="0"/>
83 <element name="RequestMapper" type="conf:PluggableType" minOccurs="0"/>
84 <element ref="conf:ApplicationDefaults"/>
85 <element ref="conf:SecurityPolicies"/>
86 <element ref="conf:TransportOption" minOccurs="0" maxOccurs="unbounded"/>
88 <attribute name="logger" type="anyURI"/>
89 <attribute name="clockSkew" type="unsignedInt"/>
90 <attribute name="unsafeChars" type="conf:string"/>
91 <anyAttribute namespace="##other" processContents="lax"/>
95 <element name="Extensions">
97 <documentation>Container for extension libraries and custom configuration</documentation>
101 <element name="Library" minOccurs="0" maxOccurs="unbounded">
104 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
106 <attribute name="path" type="anyURI" use="required"/>
107 <attribute name="fatal" type="boolean"/>
108 <anyAttribute namespace="##any" processContents="lax"/>
111 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
116 <element name="StorageService">
118 <documentation>References StorageService plugins</documentation>
122 <restriction base="conf:PluggableType">
124 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
126 <attribute name="id" type="ID" use="required"/>
127 <attribute name="cleanupInterval" type="unsignedInt"/>
128 <anyAttribute namespace="##any" processContents="lax"/>
134 <element name="SessionCache">
136 <documentation>References SessionCache plugins</documentation>
140 <restriction base="conf:PluggableType">
142 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
144 <attribute name="StorageService" type="IDREF"/>
145 <attribute name="cacheTimeout" type="unsignedInt"/>
146 <anyAttribute namespace="##any" processContents="lax"/>
152 <element name="ReplayCache">
154 <documentation>Ties ReplayCache to a custom StorageService</documentation>
158 <attribute name="StorageService" type="IDREF" use="required"/>
162 <element name="ArtifactMap">
164 <documentation>Customizes an ArtifactMap</documentation>
168 <attribute name="StorageService" type="IDREF"/>
169 <attribute name="context" type="conf:string"/>
170 <attribute name="artifactTTL" type="unsignedInt"/>
174 <element name="OutOfProcess">
176 <documentation>Container for out-of-process (shibd) configuration</documentation>
180 <element ref="conf:Extensions" minOccurs="0"/>
181 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
183 <attribute name="logger" type="anyURI"/>
184 <attribute name="catchAll" type="boolean"/>
185 <anyAttribute namespace="##other" processContents="lax"/>
189 <element name="InProcess">
192 Container for configuration of locally integrated or platform-specific
193 features (e.g. web server filters)
198 <element ref="conf:Extensions" minOccurs="0"/>
199 <element ref="conf:ISAPI" minOccurs="0"/>
200 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
202 <attribute name="logger" type="anyURI"/>
203 <attribute name="unsetHeaderValue" type="conf:string"/>
204 <attribute name="checkSpoofing" type="boolean"/>
205 <attribute name="spoofKey" type="conf:string"/>
206 <attribute name="catchAll" type="boolean"/>
207 <anyAttribute namespace="##other" processContents="lax"/>
211 <element name="ISAPI">
214 <element name="Site" maxOccurs="unbounded">
217 <element name="Alias" type="string" minOccurs="0" maxOccurs="unbounded"/>
219 <attribute name="id" type="unsignedInt" use="required"/>
220 <attribute name="name" type="conf:string" use="required"/>
221 <attribute name="port" type="unsignedInt"/>
222 <attribute name="sslport" type="unsignedInt"/>
223 <attribute name="scheme" type="conf:string"/>
226 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
228 <attribute name="normalizeRequest" type="boolean"/>
229 <attribute name="safeHeaderNames" type="boolean"/>
230 <anyAttribute namespace="##other" processContents="lax"/>
234 <element name="AccessControl" type="conf:UniOperatorType">
237 A simple example access policy language extension that supersedes Apache .htaccess
241 <element name="OR" type="conf:MultiOperatorType"/>
242 <element name="AND" type="conf:MultiOperatorType"/>
243 <element name="NOT" type="conf:UniOperatorType"/>
244 <complexType name="UniOperatorType">
246 <element ref="conf:AND"/>
247 <element ref="conf:OR"/>
248 <element ref="conf:NOT"/>
249 <element ref="conf:Rule"/>
250 <element ref="conf:RuleRegex"/>
253 <complexType name="MultiOperatorType">
254 <choice minOccurs="2" maxOccurs="unbounded">
255 <element ref="conf:AND"/>
256 <element ref="conf:OR"/>
257 <element ref="conf:NOT"/>
258 <element ref="conf:Rule"/>
259 <element ref="conf:RuleRegex"/>
262 <element name="Rule">
265 <extension base="conf:listOfStrings">
266 <attribute name="require" type="conf:string" use="required"/>
267 <attribute name="list" type="boolean"/>
272 <element name="RuleRegex">
275 <extension base="conf:string">
276 <attribute name="require" type="conf:string" use="required"/>
277 <attribute name="ignoreCase" type="boolean"/>
283 <attributeGroup name="ContentSettings">
284 <attribute name="authType" type="conf:string"/>
285 <attribute name="requireSession" type="boolean"/>
286 <attribute name="requireSessionWith" type="conf:string"/>
287 <attribute name="exportAssertion" type="boolean"/>
288 <attribute name="redirectToSSL" type="unsignedInt"/>
289 <attribute name="entityID" type="anyURI"/>
290 <attribute name="discoveryURL" type="anyURI"/>
291 <attribute name="isPassive" type="boolean"/>
292 <attribute name="forceAuthn" type="boolean"/>
293 <attribute name="authnContextClassRef" type="anyURI"/>
294 <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
295 <attribute name="NameIDFormat" type="anyURI"/>
296 <attribute name="SPNameQualifier" type="conf:string"/>
297 <attribute name="redirectErrors" type="anyURI"/>
298 <attribute name="sessionError" type="anyURI"/>
299 <attribute name="metadataError" type="anyURI"/>
300 <attribute name="accessError" type="anyURI"/>
301 <attribute name="sslError" type="anyURI"/>
302 <attribute name="REMOTE_ADDR" type="conf:string"/>
303 <anyAttribute namespace="##other" processContents="lax"/>
305 <element name="AccessControlProvider" type="conf:PluggableType"/>
306 <element name="htaccess" type="conf:PluggableType"/>
308 <element name="RequestMap">
311 Built-in request mapping syntax, decomposes URLs into Host/Path/Path/...
316 <choice minOccurs="0">
317 <element ref="conf:htaccess"/>
318 <element ref="conf:AccessControl"/>
319 <element ref="conf:AccessControlProvider"/>
321 <choice minOccurs="0" maxOccurs="unbounded">
322 <element ref="conf:Host"/>
323 <element ref="conf:HostRegex"/>
326 <attribute name="applicationId" type="conf:string" fixed="default"/>
327 <attributeGroup ref="conf:ContentSettings"/>
331 <element name="Host">
334 <choice minOccurs="0">
335 <element ref="conf:htaccess"/>
336 <element ref="conf:AccessControl"/>
337 <element ref="conf:AccessControlProvider"/>
339 <choice minOccurs="0" maxOccurs="unbounded">
340 <element ref="conf:Path"/>
341 <element ref="conf:PathRegex"/>
342 <element ref="conf:Query"/>
345 <attribute name="scheme">
347 <restriction base="conf:string">
348 <enumeration value="http"/>
349 <enumeration value="https"/>
350 <enumeration value="ftp"/>
351 <enumeration value="ldap"/>
352 <enumeration value="ldaps"/>
356 <attribute name="name" type="conf:string" use="required"/>
357 <attribute name="port" type="unsignedInt"/>
358 <attribute name="applicationId" type="conf:string"/>
359 <attributeGroup ref="conf:ContentSettings"/>
363 <element name="HostRegex">
366 <choice minOccurs="0">
367 <element ref="conf:htaccess"/>
368 <element ref="conf:AccessControl"/>
369 <element ref="conf:AccessControlProvider"/>
371 <choice minOccurs="0" maxOccurs="unbounded">
372 <element ref="conf:Path"/>
373 <element ref="conf:PathRegex"/>
374 <element ref="conf:Query"/>
377 <attribute name="regex" type="conf:string" use="required"/>
378 <attribute name="ignoreCase" type="boolean"/>
379 <attribute name="applicationId" type="conf:string"/>
380 <attributeGroup ref="conf:ContentSettings"/>
384 <element name="Path">
387 <choice minOccurs="0">
388 <element ref="conf:htaccess"/>
389 <element ref="conf:AccessControl"/>
390 <element ref="conf:AccessControlProvider"/>
392 <choice minOccurs="0" maxOccurs="unbounded">
393 <element ref="conf:Path"/>
394 <element ref="conf:PathRegex"/>
395 <element ref="conf:Query"/>
398 <attribute name="name" type="conf:string" use="required"/>
399 <attribute name="applicationId" type="conf:string"/>
400 <attributeGroup ref="conf:ContentSettings"/>
404 <element name="PathRegex">
407 <choice minOccurs="0">
408 <element ref="conf:htaccess"/>
409 <element ref="conf:AccessControl"/>
410 <element ref="conf:AccessControlProvider"/>
412 <element ref="conf:Query" minOccurs="0" maxOccurs="unbounded"/>
414 <attribute name="regex" type="conf:string" use="required"/>
415 <attribute name="ignoreCase" type="boolean"/>
416 <attribute name="applicationId" type="conf:string"/>
417 <attributeGroup ref="conf:ContentSettings"/>
421 <element name="Query">
424 <choice minOccurs="0">
425 <element ref="conf:htaccess"/>
426 <element ref="conf:AccessControl"/>
427 <element ref="conf:AccessControlProvider"/>
429 <element ref="conf:Query" minOccurs="0" maxOccurs="unbounded"/>
431 <attribute name="name" type="conf:string" use="required"/>
432 <attribute name="regex" type="conf:string"/>
433 <attributeGroup ref="conf:ContentSettings"/>
437 <element name="ApplicationDefaults">
439 <documentation>Container for default settings and application-specific overrides</documentation>
443 <element ref="conf:Sessions"/>
444 <element ref="conf:Errors" minOccurs="0"/>
445 <element ref="conf:RelyingParty" minOccurs="0" maxOccurs="unbounded"/>
446 <element ref="conf:Notify" minOccurs="0" maxOccurs="unbounded"/>
447 <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
448 <element name="MetadataProvider" type="conf:PluggableType"/>
449 <element name="TrustEngine" type="conf:PluggableType"/>
450 <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
451 <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
452 <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
453 <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
454 <element ref="conf:ApplicationOverride" minOccurs="0" maxOccurs="unbounded"/>
456 <attribute name="id" type="conf:string" fixed="default"/>
457 <attribute name="entityID" type="anyURI" use="required"/>
458 <attribute name="policyId" type="conf:string" use="required"/>
459 <attributeGroup ref="conf:ApplicationGroup"/>
460 <attributeGroup ref="conf:RelyingPartyGroup"/>
461 <anyAttribute namespace="##other" processContents="lax"/>
465 <element name="ApplicationOverride">
467 <documentation>Container for application-specific overrides</documentation>
471 <element ref="conf:Sessions" minOccurs="0"/>
472 <element ref="conf:Errors" minOccurs="0"/>
473 <element ref="conf:RelyingParty" minOccurs="0" maxOccurs="unbounded"/>
474 <element ref="conf:Notify" minOccurs="0" maxOccurs="unbounded"/>
475 <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
476 <element name="MetadataProvider" type="conf:PluggableType" minOccurs="0"/>
477 <element name="TrustEngine" type="conf:PluggableType" minOccurs="0"/>
478 <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
479 <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
480 <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
481 <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
483 <attribute name="id" type="conf:string" use="required"/>
484 <attribute name="entityID" type="anyURI"/>
485 <attribute name="policyId" type="conf:string"/>
486 <attributeGroup ref="conf:ApplicationGroup"/>
487 <attributeGroup ref="conf:RelyingPartyGroup"/>
488 <anyAttribute namespace="##other" processContents="lax"/>
492 <attributeGroup name="ApplicationGroup">
493 <attribute name="homeURL" type="anyURI"/>
494 <attribute name="REMOTE_USER" type="conf:listOfStrings"/>
495 <attribute name="unsetHeaders" type="conf:listOfStrings"/>
496 <attribute name="metadataAttributePrefix" type="conf:string"/>
497 <attribute name="attributePrefix" type="conf:string"/>
500 <attributeGroup name="RelyingPartyGroup">
501 <attribute name="authType" type="conf:string"/>
502 <attribute name="authUsername" type="conf:string"/>
503 <attribute name="authPassword" type="conf:string"/>
504 <attribute name="signing" type="conf:bindingBoolean"/>
505 <attribute name="signingAlg" type="anyURI"/>
506 <attribute name="digestAlg" type="anyURI"/>
507 <attribute name="encryption" type="conf:bindingBoolean"/>
508 <attribute name="encryptionAlg" type="anyURI"/>
509 <attribute name="keyName" type="conf:string"/>
510 <attribute name="artifactEndpointIndex" type="unsignedShort"/>
511 <attribute name="chunkedEncoding" type="boolean"/>
512 <attribute name="connectTimeout" type="unsignedShort"/>
513 <attribute name="timeout" type="unsignedShort"/>
514 <attribute name="requireConfidentiality" type="boolean"/>
515 <attribute name="requireTransportAuth" type="boolean"/>
516 <attribute name="requireSignedAssertions" type="boolean"/>
519 <element name="Sessions">
521 <documentation>Container for specifying protocol handlers and session policy</documentation>
524 <choice minOccurs="0" maxOccurs="unbounded">
525 <element ref="conf:SessionInitiator"/>
526 <element ref="conf:LogoutInitiator"/>
527 <element ref="md:AssertionConsumerService"/>
528 <element ref="md:ArtifactResolutionService"/>
529 <element ref="md:SingleLogoutService"/>
530 <element ref="md:ManageNameIDService"/>
531 <element name="Handler">
534 <restriction base="conf:PluggableType">
536 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
538 <attribute name="Location" type="anyURI" use="required"/>
539 <attribute name="acl" type="conf:listOfStrings"/>
540 <anyAttribute namespace="##any" processContents="lax"/>
546 <attribute name="handlerURL" type="anyURI" use="required"/>
547 <attribute name="handlerSSL" type="boolean"/>
548 <attribute name="exportLocation" type="conf:string"/>
549 <attribute name="exportACL" type="conf:listOfStrings"/>
550 <attribute name="cookieName" type="conf:string"/>
551 <attribute name="cookieProps" type="conf:string"/>
552 <attribute name="cookieLifetime" type="unsignedInt"/>
553 <attribute name="idpHistory" type="boolean"/>
554 <attribute name="idpHistoryDays" type="unsignedInt"/>
555 <attribute name="lifetime" type="unsignedInt"/>
556 <attribute name="timeout" type="unsignedInt"/>
557 <attribute name="maxTimeSinceAuthn" type="unsignedInt"/>
558 <attribute name="checkAddress" type="boolean"/>
559 <attribute name="consistentAddress" type="boolean"/>
560 <attribute name="postData" type="conf:string"/>
561 <attribute name="postLimit" type="positiveInteger"/>
562 <attribute name="postTemplate" type="conf:string"/>
563 <attribute name="postExpire" type="boolean"/>
564 <anyAttribute namespace="##other" processContents="lax"/>
568 <attribute name="policyId" type="conf:string">
570 <documentation>Used to reference Policy elements from profile endpoints.</documentation>
574 <element name="SessionInitiator">
576 <documentation>Used to specify handlers that can issue AuthnRequests or perform discovery</documentation>
580 <restriction base="conf:PluggableType">
582 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
584 <attribute name="Location" type="anyURI"/>
585 <attribute name="id" type="conf:string"/>
586 <attribute name="isDefault" type="boolean"/>
587 <attribute name="relayState" type="conf:string"/>
588 <attribute name="entityIDParam" type="conf:string"/>
589 <attribute name="entityID" type="anyURI"/>
590 <attribute name="URL" type="anyURI"/>
591 <attribute name="outgoingBindings" type="conf:listOfURIs"/>
592 <attribute name="template" type="anyURI"/>
593 <attribute name="postArtifact" type="boolean"/>
594 <attribute name="acsByIndex" type="boolean"/>
595 <attribute name="acsIndex" type="unsignedShort"/>
596 <attribute name="defaultACSIndex" type="unsignedShort"/> <!-- deprecated -->
597 <attribute name="isPassive" type="boolean"/>
598 <attribute name="forceAuthn" type="boolean"/>
599 <attribute name="authnContextClassRef" type="anyURI"/>
600 <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
601 <attribute name="NameIDFormat" type="anyURI"/>
602 <attribute name="SPNameQualifier" type="conf:string"/>
603 <attribute name="requestDelegation" type="boolean"/>
604 <anyAttribute namespace="##any" processContents="lax"/>
610 <element name="LogoutInitiator">
612 <documentation>Used to specify handlers that can issue LogoutRequests</documentation>
616 <restriction base="conf:PluggableType">
618 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
620 <attribute name="Location" type="anyURI"/>
621 <attribute name="relayState" type="conf:string"/>
622 <attribute name="outgoingBindings" type="conf:listOfURIs"/>
623 <attribute name="template" type="anyURI"/>
624 <attribute name="postArtifact" type="boolean"/>
625 <anyAttribute namespace="##any" processContents="lax"/>
631 <element name="Errors">
633 <documentation>Container for error templates and associated details</documentation>
637 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
639 <attribute name="redirectErrors" type="anyURI"/>
640 <attribute name="session" type="anyURI"/>
641 <attribute name="metadata" type="anyURI"/>
642 <attribute name="access" type="anyURI"/>
643 <attribute name="ssl" type="anyURI"/>
644 <attribute name="localLogout" type="anyURI"/>
645 <attribute name="globalLogout" type="anyURI"/>
646 <attribute name="partialLogout" type="anyURI"/>
647 <attribute name="supportContact" type="conf:string"/>
648 <attribute name="logoLocation" type="anyURI"/>
649 <attribute name="styleSheet" type="anyURI"/>
650 <anyAttribute namespace="##any" processContents="lax"/>
654 <element name="RelyingParty">
656 <documentation>Container for specifying settings to use with particular peers</documentation>
660 <attribute name="Name" type="conf:string" use="required"/>
661 <attributeGroup ref="conf:RelyingPartyGroup"/>
662 <attribute name="entityID" type="anyURI"/>
663 <anyAttribute namespace="##other" processContents="lax"/>
667 <element name="Notify">
669 <documentation>Used to specify locations to receive application notifications</documentation>
673 <attribute name="Channel" use="required">
675 <restriction base="string">
676 <enumeration value="front"/>
677 <enumeration value="back"/>
681 <attribute name="Location" type="anyURI" use="required"/>
682 <anyAttribute namespace="##any" processContents="lax"/>
686 <element name="SecurityPolicies">
688 <documentation>Container for specifying sets of policy rules to apply to incoming messages</documentation>
692 <element name="Policy" minOccurs="1" maxOccurs="unbounded">
694 <documentation>Specifies a set of SecurityPolicyRule plugins</documentation>
698 <element name="Rule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
699 <element name="PolicyRule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
701 <attribute name="id" type="conf:string" use="required"/>
702 <attribute name="validate" type="boolean"/>
703 <anyAttribute namespace="##any" processContents="lax"/>
710 <element name="TransportOption">
712 <documentation>Implementation-specific option to pass to SOAPTransport provider.</documentation>
716 <extension base="anySimpleType">
717 <attribute name="provider" type="conf:string" use="required"/>
718 <attribute name="option" type="conf:string" use="required"/>