1 <?xml version="1.0" encoding="US-ASCII"?>
2 <schema targetNamespace="urn:mace:shibboleth:target:config:1.0"
3 xmlns="http://www.w3.org/2001/XMLSchema"
4 xmlns:conf="urn:mace:shibboleth:target:config:1.0"
5 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
6 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
7 elementFormDefault="qualified"
8 attributeFormDefault="unqualified"
9 blockDefault="substitution"
12 <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="cs-sstc-schema-assertion-1.1.xsd"/>
13 <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
17 1.0 schema for XML-based configuration of Shibboleth target libraries and modules.
18 First appearing in Shibboleth 1.2 release.
22 <complexType name="PluggableType">
24 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
26 <attribute name="type" type="string" use="required"/>
27 <attribute name="uri" type="anyURI" use="optional"/>
28 <anyAttribute namespace="##any" processContents="lax"/>
31 <element name="ShibbolethTargetConfig" type="conf:SPConfigType"/>
32 <element name="SPConfig" type="conf:SPConfigType"/>
33 <complexType name="SPConfigType">
35 <documentation>Root element of configuration file</documentation>
38 <element ref="conf:Extensions" minOccurs="0"/>
39 <choice minOccurs="0">
40 <element name="OutOfProcess" type="conf:OutOfProcessType"/>
41 <element name="Global" type="conf:OutOfProcessType"/>
42 <element name="SHAR" type="conf:OutOfProcessType"/>
44 <choice minOccurs="0">
45 <element name="InProcess" type="conf:InProcessType"/>
46 <element name="Local" type="conf:InProcessType"/>
47 <element name="SHIRE" type="conf:InProcessType"/>
49 <element ref="conf:Applications"/>
50 <element name="CredentialsProvider" type="conf:PluggableType" minOccurs="0" maxOccurs="unbounded"/>
51 <element ref="conf:AttributeFactory" minOccurs="0" maxOccurs="unbounded"/>
53 <attribute name="logger" type="anyURI" use="optional"/>
54 <attribute name="clockSkew" type="unsignedInt" use="optional"/>
55 <anyAttribute namespace="##other" processContents="lax"/>
58 <element name="Extensions">
60 <documentation>Container for extension libraries and custom configuration</documentation>
64 <element name="Library" minOccurs="0" maxOccurs="unbounded">
67 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
69 <attribute name="path" type="anyURI" use="required"/>
70 <attribute name="fatal" type="boolean" use="optional"/>
71 <anyAttribute namespace="##other" processContents="lax"/>
74 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
79 <attributeGroup name="SessionCacheProperties">
80 <attribute name="cleanupInterval" type="unsignedInt" use="optional" default="300"/>
81 <attribute name="cacheTimeout" type="unsignedInt" use="optional" default="28800"/>
82 <attribute name="AAConnectTimeout" type="unsignedInt" use="optional" default="15"/>
83 <attribute name="AATimeout" type="unsignedInt" use="optional" default="30"/>
84 <attribute name="defaultLifetime" type="unsignedInt" use="optional" default="1800"/>
85 <attribute name="retryInterval" type="unsignedInt" use="optional" default="300"/>
86 <attribute name="strictValidity" type="boolean" use="optional" default="true"/>
87 <attribute name="propagateErrors" type="boolean" use="optional" default="false"/>
90 <element name="MemorySessionCache">
92 <attributeGroup ref="conf:SessionCacheProperties"/>
93 <anyAttribute namespace="##other" processContents="lax"/>
96 <element name="MySQLSessionCache">
99 <element name="Argument" type="string" minOccurs="0" maxOccurs="unbounded"/>
101 <attributeGroup ref="conf:SessionCacheProperties"/>
102 <attribute name="mysqlTimeout" type="unsignedInt" use="optional" default="14400"/>
103 <attribute name="storeAttributes" type="boolean" use="optional" default="false"/>
104 <anyAttribute namespace="##other" processContents="lax"/>
107 <element name="SessionCache">
110 <extension base="conf:PluggableType">
111 <attributeGroup ref="conf:SessionCacheProperties"/>
117 <complexType name="OutOfProcessType">
119 <documentation>Container for global (server independent) configuration</documentation>
122 <element ref="conf:Extensions" minOccurs="0"/>
124 <element name="UnixListener">
126 <attribute name="address" type="string" use="required"/>
129 <element name="TCPListener">
131 <attribute name="address" type="string" use="required"/>
132 <attribute name="port" type="unsignedInt" use="required"/>
133 <attribute name="acl" use="optional" default="127.0.0.1">
135 <list itemType="string"/>
140 <element name="MemoryListener" type="conf:PluggableType"/>
141 <element name="Listener" type="conf:PluggableType"/>
144 <element ref="conf:MemorySessionCache"/>
145 <element ref="conf:MySQLSessionCache"/>
146 <element ref="conf:SessionCache"/>
148 <choice minOccurs="0">
149 <element name="MySQLReplayCache">
152 <element name="Argument" type="string" minOccurs="0" maxOccurs="unbounded"/>
154 <anyAttribute namespace="##other" processContents="lax"/>
157 <element name="ReplayCache" type="conf:PluggableType"/>
159 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
161 <attribute name="logger" type="anyURI" use="optional"/>
162 <anyAttribute namespace="##other" processContents="lax"/>
165 <complexType name="InProcessType">
168 Container for configuration of locally integrated or platform-specific
169 features (e.g. web server filters)
173 <element ref="conf:Extensions" minOccurs="0"/>
174 <choice minOccurs="0">
175 <element ref="conf:MemorySessionCache"/>
176 <element ref="conf:SessionCache"/>
178 <element name="RequestMapProvider" type="conf:PluggableType" minOccurs="0"/>
179 <element name="Implementation" minOccurs="0">
181 <choice maxOccurs="unbounded">
182 <element ref="conf:ISAPI"/>
183 <any namespace="##other" processContents="lax"/>
187 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
189 <attribute name="logger" type="anyURI" use="optional"/>
190 <attribute name="localRelayState" type="boolean" use="optional" default="false"/>
191 <attribute name="unsetHeaderValue" type="string" use="optional"/>
192 <anyAttribute namespace="##other" processContents="lax"/>
195 <element name="ISAPI">
198 <element name="Site" maxOccurs="unbounded">
201 <element name="Alias" type="string" minOccurs="0" maxOccurs="unbounded"/>
203 <attribute name="id" type="unsignedInt" use="required"/>
204 <attribute name="name" type="string" use="required"/>
205 <attribute name="port" type="unsignedInt" use="optional"/>
206 <attribute name="sslport" type="unsignedInt" use="optional"/>
207 <attribute name="scheme" type="string" use="optional"/>
210 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
212 <attribute name="normalizeRequest" type="boolean" use="optional"/>
213 <anyAttribute namespace="##other" processContents="lax"/>
216 <element name="NSAPI" type="anyType"/>
217 <element name="Java" type="anyType"/>
219 <element name="AccessControl" type="conf:UniOperatorType">
222 A simple example access policy language extension that supersedes Apache .htaccess
226 <element name="OR" type="conf:MultiOperatorType"/>
227 <element name="AND" type="conf:MultiOperatorType"/>
228 <element name="NOT" type="conf:UniOperatorType"/>
229 <complexType name="UniOperatorType">
231 <element ref="conf:AND"/>
232 <element ref="conf:OR"/>
233 <element ref="conf:NOT"/>
234 <element ref="conf:Rule"/>
237 <complexType name="MultiOperatorType">
238 <choice minOccurs="2" maxOccurs="unbounded">
239 <element ref="conf:AND"/>
240 <element ref="conf:OR"/>
241 <element ref="conf:NOT"/>
242 <element ref="conf:Rule"/>
245 <element name="Rule">
248 <extension base="conf:listOfStrings">
249 <attribute name="require" type="string" use="required"/>
254 <simpleType name="listOfStrings">
255 <list itemType="string"/>
258 <attributeGroup name="ContentSettings">
259 <attribute name="authType" type="string" use="optional"/>
260 <attribute name="requireSession" type="boolean" use="optional"/>
261 <attribute name="requireSessionWith" type="string" use="optional"/>
262 <attribute name="exportAssertion" type="boolean" use="optional"/>
263 <attribute name="redirectToSSL" type="unsignedInt" use="optional"/>
264 <anyAttribute namespace="##other" processContents="lax"/>
266 <element name="AccessControlProvider" type="conf:PluggableType"/>
267 <element name="htaccess" type="conf:PluggableType"/>
269 <element name="RequestMap">
272 Built-in request mapping syntax, decomposes URLs into Host/Path/Path/...
277 <choice minOccurs="0">
278 <element ref="conf:htaccess"/>
279 <element ref="conf:AccessControl"/>
280 <element ref="conf:AccessControlProvider"/>
282 <element ref="conf:Host" minOccurs="0" maxOccurs="unbounded"/>
284 <attribute name="applicationId" type="string" fixed="default"/>
285 <attributeGroup ref="conf:ContentSettings"/>
289 <element name="Host">
292 <choice minOccurs="0">
293 <element ref="conf:htaccess"/>
294 <element ref="conf:AccessControl"/>
295 <element ref="conf:AccessControlProvider"/>
297 <element ref="conf:Path" minOccurs="0" maxOccurs="unbounded"/>
299 <attribute name="scheme" use="optional">
301 <restriction base="string">
302 <enumeration value="http"/>
303 <enumeration value="https"/>
304 <enumeration value="ftp"/>
305 <enumeration value="ldap"/>
306 <enumeration value="ldaps"/>
310 <attribute name="name" type="string" use="required"/>
311 <attribute name="port" type="unsignedInt" use="optional"/>
312 <attribute name="applicationId" type="string" use="optional"/>
313 <attributeGroup ref="conf:ContentSettings"/>
317 <element name="Path">
320 <choice minOccurs="0">
321 <element ref="conf:htaccess"/>
322 <element ref="conf:AccessControl"/>
323 <element ref="conf:AccessControlProvider"/>
325 <element ref="conf:Path" minOccurs="0" maxOccurs="unbounded"/>
327 <attribute name="name" type="string" use="required"/>
328 <attribute name="applicationId" type="string" use="optional"/>
329 <attributeGroup ref="conf:ContentSettings"/>
333 <element name="Applications">
335 <documentation>Container for global target settings and application-specific overrides</documentation>
339 <element ref="conf:Sessions"/>
340 <element ref="conf:Errors"/>
341 <element ref="conf:CredentialUse" minOccurs="0"/>
342 <choice minOccurs="0" maxOccurs="unbounded">
343 <element ref="saml:AttributeDesignator"/>
344 <element ref="saml:Audience"/>
345 <element name="AAPProvider" type="conf:PluggableType"/>
346 <element name="MetadataProvider" type="conf:PluggableType"/>
347 <element name="TrustProvider" type="conf:PluggableType"/>
349 <element ref="conf:Application" minOccurs="0" maxOccurs="unbounded"/>
351 <attribute name="id" type="string" fixed="default"/>
352 <attribute name="providerId" type="anyURI" use="required"/>
353 <attribute name="homeURL" type="anyURI" use="optional"/>
354 <anyAttribute namespace="##other" processContents="lax"/>
358 <element name="Application">
360 <documentation>Container for application-specific overrides</documentation>
364 <element ref="conf:Sessions" minOccurs="0"/>
365 <element ref="conf:Errors" minOccurs="0"/>
366 <element ref="conf:CredentialUse" minOccurs="0"/>
367 <choice minOccurs="0" maxOccurs="unbounded">
368 <element ref="saml:AttributeDesignator"/>
369 <element ref="saml:Audience"/>
370 <element name="AAPProvider" type="conf:PluggableType"/>
371 <!-- deprecated --> <element name="FederationProvider" type="conf:PluggableType"/>
372 <element name="MetadataProvider" type="conf:PluggableType"/>
373 <element name="TrustProvider" type="conf:PluggableType"/>
376 <attribute name="id" type="string" use="required"/>
377 <attribute name="providerId" type="anyURI" use="optional"/>
378 <attribute name="homeURL" type="anyURI" use="optional"/>
379 <anyAttribute namespace="##other" processContents="lax"/>
383 <element name="KeyInfoResolver" type="conf:PluggableType">
386 Custom plug-in that resolves ds:KeyInfo elements into public keys, used in
387 TrustProvider elements.
392 <element name="Sessions">
394 <documentation>Container for specifying app session establishment and policy</documentation>
397 <choice minOccurs="0" maxOccurs="unbounded">
398 <element ref="conf:SessionInitiator"/>
399 <element ref="md:AssertionConsumerService"/>
400 <element ref="md:SingleLogoutService"/>
401 <element ref="conf:DiagnosticService"/>
402 <element name="ExtensionService" type="conf:PluggableType"/>
404 <!-- deprecated --> <attribute name="wayfURL" type="anyURI" use="optional"/>
405 <!-- deprecated --> <attribute name="shireURL" type="anyURI" use="optional"/>
406 <!-- deprecated --> <attribute name="shireSSL" type="boolean" use="optional"/>
407 <attribute name="handlerURL" type="anyURI" use="optional"/>
408 <attribute name="handlerSSL" type="boolean" use="optional" default="true"/>
409 <attribute name="cookieName" type="string" use="optional"/>
410 <attribute name="cookieProps" type="string" use="optional"/>
411 <attribute name="idpHistory" type="boolean" use="optional" default="true"/>
412 <attribute name="idpHistoryDays" type="unsignedInt" use="optional"/>
413 <attribute name="lifetime" type="unsignedInt" use="optional"/>
414 <attribute name="timeout" type="unsignedInt" use="optional"/>
415 <attribute name="checkAddress" type="boolean" use="optional"/>
416 <attribute name="consistentAddress" type="boolean" use="optional" default="true"/>
417 <attribute name="checkReplay" type="boolean" use="optional" default="true"/>
418 <anyAttribute namespace="##other" processContents="lax"/>
421 <element name="SessionInitiator">
423 <documentation>Used to specify WAYF/Discovery services (external or internal)</documentation>
427 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
429 <attribute name="Location" type="anyURI" use="required"/>
430 <attribute name="Binding" type="anyURI" use="required"/>
431 <attribute name="wayfURL" type="anyURI" use="optional"/>
432 <attribute name="wayfBinding" type="anyURI" use="optional"/>
433 <attribute name="checkCDC" type="anyURI" use="optional"/>
434 <attribute name="isDefault" type="boolean" use="optional"/>
435 <attribute name="id" type="string" use="optional"/>
436 <anyAttribute namespace="##any" processContents="lax"/>
439 <element name="DiagnosticService">
441 <documentation>Used to specify internal diagnostic capabilities</documentation>
445 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
447 <attribute name="Location" type="anyURI" use="required"/>
448 <attribute name="Binding" type="anyURI" use="required"/>
449 <attribute name="echo" type="boolean" use="optional"/>
450 <attribute name="log" type="boolean" use="optional"/>
451 <attribute name="config" type="boolean" use="optional"/>
452 <attribute name="acl" use="optional">
454 <list itemType="string"/>
457 <anyAttribute namespace="##any" processContents="lax"/>
461 <element name="Errors">
463 <documentation>Container for error templates and associated details</documentation>
467 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
469 <!-- deprecated --> <attribute name="shire" type="anyURI" use="optional"/>
470 <attribute name="session" type="anyURI" use="optional"/>
471 <attribute name="metadata" type="anyURI" use="optional"/>
472 <attribute name="rm" type="anyURI" use="required"/>
473 <attribute name="access" type="anyURI" use="optional"/>
474 <attribute name="ssl" type="anyURI" use="optional"/>
475 <attribute name="supportContact" type="string" use="optional"/>
476 <attribute name="logoLocation" type="anyURI" use="optional"/>
477 <attribute name="styleSheet" type="anyURI" use="optional"/>
478 <anyAttribute namespace="##any" processContents="lax"/>
482 <attributeGroup name="CredentialUseGroup">
483 <attribute name="TLS" type="string" use="optional"/>
484 <attribute name="Signing" type="string" use="optional"/>
485 <attribute name="signRequest" type="boolean" use="optional" default="false"/>
486 <attribute name="signatureAlg" type="anyURI" use="optional"/>
487 <attribute name="digestAlg" type="anyURI" use="optional"/>
488 <attribute name="signedResponse" type="boolean" use="optional" default="false"/>
489 <attribute name="signedAssertions" type="boolean" use="optional" default="false"/>
490 <attribute name="authType" use="optional">
492 <restriction base="string">
493 <enumeration value="basic"/>
494 <enumeration value="digest"/>
495 <enumeration value="ntlm"/>
496 <enumeration value="gss"/>
500 <attribute name="authUsername" use="optional"/>
501 <attribute name="authPassword" use="optional"/>
504 <element name="CredentialUse">
506 <documentation>Container for specifying credentials to use</documentation>
510 <element name="RelyingParty" minOccurs="0" maxOccurs="unbounded">
513 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
515 <attribute name="Name" type="string" use="required"/>
516 <attributeGroup ref="conf:CredentialUseGroup"/>
517 <anyAttribute namespace="##other" processContents="lax"/>
520 <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
522 <attributeGroup ref="conf:CredentialUseGroup"/>
523 <anyAttribute namespace="##other" processContents="lax"/>
527 <element name="AttributeFactory">
529 <documentation>Specifies a plugin that implements a specialized SAML attribute</documentation>
533 <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
535 <attribute name="type" type="string" use="required"/>
536 <attribute name="AttributeName" type="string" use="required"/>
537 <anyAttribute namespace="##other" processContents="lax"/>