1 <?xml version="1.0" encoding="US-ASCII"?>
2 <schema targetNamespace="urn:mace:shibboleth:1.0"
3 xmlns="http://www.w3.org/2001/XMLSchema"
4 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
5 xmlns:xml="http://www.w3.org/XML/1998/namespace"
6 xmlns:shib="urn:mace:shibboleth:1.0"
7 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
8 elementFormDefault="qualified"
9 attributeFormDefault="unqualified"
<!-- Imported vocabularies (XML Signature, the xml: attributes, SAML 1.1 assertions).
     schemaLocation values are resolution hints only: a validator should resolve
     them from a local catalog/copy rather than fetching them at validation time. -->
12 <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
13 <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
14 <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="cs-sstc-schema-assertion-1.1.xsd"/>
16 <!-- Status-Related Information -->
19 The following SAML sub-status codes are defined in this namespace:
22 Used with samlp:Requester; signals that the AA did not recognize the handle as valid
26 Relaxes the SAML AttributeValue type definition. Xerces-C has a bug that prevents
27 anyAttribute content from appearing on anyType. As a hack, we define the SAML schema
28 such that AttributeValue now derives from an extended type, and we then extend
29 that type here. 1.1 origins will specify this xsi:type. 1.2 origins will leave
30 it out, and the SAML schema hack will allow it to validate.
31 In 1.1 targets, this type was defined differently.
<!-- Mixed-content type that extends saml:AttributeValueType without adding any
     constraint. An xsi:type of shib:AttributeValueType therefore says nothing
     about the shape of the value; a consumer should treat attribute values as
     untrusted input regardless of this type. -->
34 <complexType name="AttributeValueType" mixed="true">
36 <documentation xml:lang="en">
37 By convention, all Shibboleth 1.1 origin attribute values carry this unconstrained xsi:type.
41 <extension base="saml:AttributeValueType"/>
45 <!-- Attribute Acceptance Policies -->
<!-- How a Scope or Value entry in an acceptance policy is matched. "literal" is
     the default on Scope and Value and is an exact match; "regexp" and "xpath"
     are expressions presumably evaluated by the policy consumer against attribute
     data. This schema does not constrain their syntax, so a policy author should
     keep such expressions as narrow as the rule allows. -->
47 <simpleType name="AttributeRuleValueType">
48 <restriction base="string">
49 <enumeration value="literal"/>
50 <enumeration value="regexp"/>
51 <enumeration value="xpath"/>
<!-- Per-site acceptance rule: zero or more Scope entries, then optionally either
     a single AnyValue or one or more Value entries (the choice itself has
     minOccurs="0"). Scope/@Accept defaults to true, so a Scope listed without
     Accept="false" is presumably permitted — confirm against the consumer. -->
55 <complexType name="SiteRuleType">
57 <element name="Scope" minOccurs="0" maxOccurs="unbounded">
60 <extension base="string">
61 <attribute name="Accept" type="boolean" use="optional" default="true"/>
62 <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
63 <anyAttribute namespace="##any" processContents="lax"/>
68 <choice minOccurs="0">
<!-- AnyValue carries no content constraint at all. Paired with AnySite (an
     element of this same type) it presumably accepts the attribute from every
     site with any value; reviewers of a policy should look for that pairing. -->
69 <element name="AnyValue">
72 <anyAttribute namespace="##any" processContents="lax"/>
75 <element name="Value" maxOccurs="unbounded">
78 <extension base="string">
79 <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
80 <anyAttribute namespace="##any" processContents="lax"/>
<!-- Site-independent rule: a plain SiteRuleType with no Name, so it is not
     covered by the SiteRuleKey uniqueness constraint on AttributeRule. -->
89 <element name="AnySite" type="shib:SiteRuleType"/>
<!-- Rule for one named site. Name is required; the AttributeRule element's
     SiteRuleKey makes it unique within a single AttributeRule. -->
90 <element name="SiteRule">
93 <extension base="shib:SiteRuleType">
94 <attribute name="Name" type="string" use="required"/>
95 <anyAttribute namespace="##any" processContents="lax"/>
<!-- One rule per attribute (Name required): an optional AnySite followed by any
     number of SiteRule entries. Namespace, Factory, Alias and Header are optional
     strings the consumer interprets; Header presumably names the request header
     the attribute value is exported into — confirm against the consumer. -->
101 <complexType name="AttributeRuleType">
103 <element ref="shib:AnySite" minOccurs="0"/>
104 <element ref="shib:SiteRule" minOccurs="0" maxOccurs="unbounded"/>
106 <attribute name="Name" type="string" use="required"/>
107 <attribute name="Namespace" type="string" use="optional"/>
108 <attribute name="Factory" type="string" use="optional"/>
109 <attribute name="Alias" type="string" use="optional"/>
110 <attribute name="Header" type="string" use="optional"/>
111 <anyAttribute namespace="##any" processContents="lax"/>
<!-- Global AttributeRule element. SiteRuleKey requires SiteRule/@Name to be unique
     within one AttributeRule, so a site cannot be given two rules for the same
     attribute; AnySite has no Name and is outside the key. -->
114 <element name="AttributeRule" type="shib:AttributeRuleType">
115 <key name="SiteRuleKey">
116 <selector xpath="./shib:SiteRule"/>
117 <field xpath="@Name"/>
<!-- Document root for an acceptance policy: zero or more AttributeRule entries.
     An empty policy is schema-valid; whether it accepts nothing or everything is
     decided by the consumer — confirm before treating an empty file as safe. -->
121 <element name="AttributeAcceptancePolicy">
124 <element ref="shib:AttributeRule" minOccurs="0" maxOccurs="unbounded"/>
126 <anyAttribute namespace="##any" processContents="lax"/>
131 <!-- Shibboleth Metadata -->
<!-- Common base for OriginSiteType and DestinationSiteType: required Name,
     optional language-tagged Alias entries (xml:lang), optional Contact entries,
     and an optional ErrorURL. ErrorURL is an anyURI taken from metadata; a
     consumer that sends users to it should treat it as data from the metadata's
     trust domain, not as a configured local value. -->
133 <complexType name="SiteType">
135 <documentation xml:lang="en">All sites have a Name attribute, plus optional i18n-ized aliases.</documentation>
138 <element name="Alias" minOccurs="0" maxOccurs="unbounded">
141 <extension base="string">
142 <attribute ref="xml:lang"/>
147 <element name="Contact" type="shib:ContactType" minOccurs="0" maxOccurs="unbounded"/>
149 <attribute name="Name" type="string" use="required"/>
150 <attribute name="ErrorURL" type="anyURI" use="optional"/>
151 <anyAttribute namespace="##any" processContents="lax"/>
<!-- Role of a site contact; "other" is the catch-all for roles not listed. -->
154 <simpleType name="ContactTypeType">
155 <restriction base="string">
156 <enumeration value="technical"/>
157 <enumeration value="support"/>
158 <enumeration value="administrative"/>
159 <enumeration value="billing"/>
160 <enumeration value="other"/>
<!-- Contact record: Type and Name are required; Email is an optional free-form
     string and is not validated as an address by this schema. -->
164 <complexType name="ContactType">
165 <annotation><documentation xml:lang="en">A human contact for a site.</documentation></annotation>
167 <attribute name="Type" type="shib:ContactTypeType" use="required"/>
168 <attribute name="Name" type="string" use="required"/>
169 <attribute name="Email" type="string" use="optional"/>
<!-- String with a regexp flag that defaults to false (literal). When regexp="true"
     the content is a pattern, but this schema defines neither the dialect nor
     whether matches are anchored; the consumer decides — confirm before relying
     on it for Domain or Subject matching. -->
172 <complexType name="regexp_string">
174 <documentation xml:lang="en">A string element with an optional attribute signaling regexp content.</documentation>
177 <extension base="string">
178 <attribute name="regexp" type="boolean" use="optional" default="false"/>
<!-- Named SAML authority endpoint: Name and Location are both required and
     Location is typed as anyURI (unlike AssertionConsumerServiceURL/@Location in
     DestinationSiteType, which is a plain string). -->
183 <complexType name="AuthorityType">
185 <documentation xml:lang="en">Metadata about a SAML authority.</documentation>
188 <attribute name="Name" type="string" use="required"/>
189 <attribute name="Location" type="anyURI" use="required"/>
190 <anyAttribute namespace="##any" processContents="lax"/>
<!-- Origin (identity-provider side) site: at least one HandleService (no minOccurs,
     so the default of 1 applies), optional AttributeAuthority entries, and optional
     Domain entries of type regexp_string. Domains are described as "trusted for
     attribute scoping", so an over-broad Domain — especially one with regexp="true" —
     presumably widens the scopes this site may assert; review such entries carefully. -->
193 <complexType name="OriginSiteType">
195 <documentation xml:lang="en">
196 Origin sites add at least one handle service (with a name), plus optional domains trusted for attribute scoping.
200 <extension base="shib:SiteType">
202 <element name="HandleService" type="shib:AuthorityType" maxOccurs="unbounded"/>
203 <element name="AttributeAuthority" type="shib:AuthorityType" minOccurs="0" maxOccurs="unbounded"/>
204 <element name="Domain" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
<!-- Destination (service-provider side) site. Note the documentation text mentions
     only AttributeRequester, but AssertionConsumerServiceURL is also required at
     least once (no minOccurs, so the default of 1 applies). Its Location is a plain
     string rather than anyURI as on AuthorityType — an inconsistency a future
     revision may want to resolve. -->
210 <complexType name="DestinationSiteType">
212 <documentation xml:lang="en">
213 Destination sites add at least one attribute requester (with a name).
217 <extension base="shib:SiteType">
219 <element name="AssertionConsumerServiceURL" maxOccurs="unbounded">
222 <attribute name="Location" type="string" use="required"/>
223 <attribute name="Id" type="string" use="optional"/>
224 <anyAttribute namespace="##any" processContents="lax"/>
227 <element name="AttributeRequester" maxOccurs="unbounded">
230 <attribute name="Name" type="string" use="required"/>
231 <anyAttribute namespace="##any" processContents="lax"/>
<!-- Recursive grouping of sites (a SiteGroup may contain further SiteGroups), with
     a required Name. ds:Signature, validUntil and cacheDuration are all optional:
     the schema alone does not require metadata to be signed or time-bounded, so
     rejecting unsigned or expired groups is a consumer policy decision. lastChanged
     and validUntil are xs:dateTime values; cacheDuration is an xs:duration. -->
239 <complexType name="SiteGroupType">
241 <documentation xml:lang="en">Used to logically group sites together, optionally signed.</documentation>
244 <choice maxOccurs="unbounded">
245 <element ref="shib:OriginSite"/>
246 <element ref="shib:DestinationSite"/>
247 <element ref="shib:SiteGroup"/>
249 <element ref="ds:Signature" minOccurs="0"/>
251 <attribute name="Name" type="string" use="required"/>
252 <attribute name="lastChanged" type="dateTime" use="optional"/>
253 <attribute name="validUntil" type="dateTime" use="optional"/>
254 <attribute name="cacheDuration" type="duration" use="optional"/>
255 <anyAttribute namespace="##any" processContents="lax"/>
<!-- Global element declarations referenced from SiteGroupType's choice. -->
258 <element name="OriginSite" type="shib:OriginSiteType"/>
259 <element name="DestinationSite" type="shib:DestinationSiteType"/>
260 <element name="SiteGroup" type="shib:SiteGroupType"/>
263 <!-- Old (pre 1.2) Trust Metadata -->
<!-- Keying material (a required ds:KeyInfo) bound to Subject names of type
     regexp_string. Although the documentation says "one or more named system
     entities", Subject has minOccurs="0", so a KeyAuthority with no Subject is
     schema-valid; what such an entry binds to is consumer-defined — confirm. -->
265 <complexType name="KeyAuthorityType">
267 <documentation xml:lang="en">
268 Binds a set of keying material to one or more named system entities.
272 <element ref="ds:KeyInfo"/>
273 <element name="Subject" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
275 <anyAttribute namespace="##any" processContents="lax"/>
<!-- Global KeyAuthority element, referenced from Trust. -->
277 <element name="KeyAuthority" type="shib:KeyAuthorityType"/>
<!-- Root of a trust file: one or more KeyAuthority entries. As with SiteGroupType,
     ds:Signature and the validity attributes are optional, so an unsigned trust
     file with no validUntil is schema-valid; whether to accept it is a consumer
     policy decision, not something this schema enforces. -->
279 <element name="Trust">
281 <documentation xml:lang="en">An optionally signed collection of KeyAuthority data.</documentation>
285 <element ref="shib:KeyAuthority" maxOccurs="unbounded"/>
286 <element ref="ds:Signature" minOccurs="0"/>
288 <attribute name="lastChanged" type="dateTime" use="optional"/>
289 <attribute name="validUntil" type="dateTime" use="optional"/>
290 <attribute name="cacheDuration" type="duration" use="optional"/>
291 <anyAttribute namespace="##any" processContents="lax"/>