A few cleanup items.
1 <?xml version="1.0" encoding="US-ASCII"?>
2 <schema targetNamespace="urn:mace:shibboleth:1.0"
3         xmlns="http://www.w3.org/2001/XMLSchema"
4         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
5         xmlns:xml="http://www.w3.org/XML/1998/namespace"
6         xmlns:shib="urn:mace:shibboleth:1.0"
7         xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
8         elementFormDefault="qualified"
9         attributeFormDefault="unqualified"
10         version="1.3">
11
12     <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
13     <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
14     <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="cs-sstc-schema-assertion-1.1.xsd"/>
15     
16     <!-- Status-Related Information -->
17     
18     <!--
19     The following SAML sub-status codes are defined in this namespace:
20     
21         "InvalidHandle"
22             Used with samlp:Requester, signals AA did not recognize handle as valid
23     -->
24
25     <!--
26     Relaxes SAML AttributeValue type definition. Xerces-C has a bug that prevents
27         anyAttribute content appearing on anyType. Xerces-C 2.2 accepts that construct, but later versions do not.
28     -->
29
    <!--
    Unconstrained, mixed-content type used (by convention) as the xsi:type of
    origin attribute values. It extends anyType, so any text and any child
    elements are accepted; only the content model is relaxed here, no
    attributes are declared on the type (see the Xerces-C note above).
    -->
    <complexType name="AttributeValueType" mixed="true">
        <annotation>
            <documentation xml:lang="en">
            By convention, all Shibboleth 1.1 origin attribute values carry this unconstrained xsi:type.
            </documentation>
        </annotation>
        <complexContent>
            <extension base="anyType"/>
        </complexContent>
    </complexType>
40     
41     <!-- Attribute Acceptance Policies -->
42         
    <!--
    Matching mode of a Scope or Value rule's text: literal, regexp or xpath.
    Used as the Type attribute of Scope and Value in SiteRuleType (default
    literal). How regexp and xpath matches are anchored is not defined by this
    schema; case handling is presumably governed by AttributeRule/@CaseSensitive.
    -->
    <simpleType name="AttributeRuleValueType">
        <restriction base="string">
            <enumeration value="literal"/>
            <enumeration value="regexp"/>
            <enumeration value="xpath"/>
        </restriction>
    </simpleType>
50     
    <!--
    Content model shared by AnySite and SiteRule: zero or more Scope rules, then
    optionally either one AnyValue element or one or more Value rules. Scope and
    Value carry the rule text plus Accept (default true) and Type (default
    literal, see AttributeRuleValueType). A rule with Accept="false" is
    presumably a deny rule; how it ranks against an accept rule that also
    matches is decided by the policy engine, not by this schema. Attributes
    from other namespaces are admitted (lax) on every rule element.
    -->
    <complexType name="SiteRuleType">
        <sequence>
            <!-- Scope rules: presumably applied to the scope part of a scoped value (see AttributeRule/@Scoped) -->
            <element name="Scope" minOccurs="0" maxOccurs="unbounded">
                <complexType>
                    <simpleContent>
                        <extension base="string">
                            <attribute name="Accept" type="boolean" use="optional" default="true"/>
                            <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
                            <anyAttribute namespace="##other" processContents="lax"/>
                        </extension>
                    </simpleContent>
                </complexType>
            </element>
            <choice minOccurs="0">
                <!-- AnyValue: empty marker element, presence is the signal; it has no Accept attribute -->
                <element name="AnyValue">
                    <complexType>
                        <sequence/>
                        <anyAttribute namespace="##other" processContents="lax"/>
                    </complexType>
                </element>
                <!-- Value rules: same Accept/Type attributes as Scope -->
                <element name="Value" maxOccurs="unbounded">
                    <complexType>
                        <simpleContent>
                            <extension base="string">
                                <attribute name="Accept" type="boolean" use="optional" default="true"/>
                                <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
                                <anyAttribute namespace="##other" processContents="lax"/>
                            </extension>
                        </simpleContent>
                    </complexType>
                </element>
            </choice>
        </sequence>
    </complexType>
85
    <!-- Site-independent rule: same content model as SiteRule but with no Name attribute -->
    <element name="AnySite" type="shib:SiteRuleType"/>
    <!--
    Per-site rule: SiteRuleType plus a required Name. Uniqueness of Name among
    the SiteRules of one AttributeRule is enforced by the SiteRuleKey key
    declared on AttributeRule, not here.
    -->
    <element name="SiteRule">
        <complexType>
            <complexContent>
                <extension base="shib:SiteRuleType">
                    <attribute name="Name" type="string" use="required"/>
                    <anyAttribute namespace="##other" processContents="lax"/>
                </extension>
            </complexContent>
        </complexType>
    </element>
97
    <!--
    One attribute's acceptance rule: an optional site-independent AnySite rule
    followed by any number of per-site SiteRules. Name (required) and Namespace
    (optional) identify the attribute the rule governs; Factory, Alias and
    Header are free-form strings whose use is defined by the SP, not by this
    schema. Scoped (default false) and CaseSensitive (default true) presumably
    control whether Scope rules apply and how rule text is compared; confirm
    against the policy engine before relying on either reading.
    -->
    <complexType name="AttributeRuleType">
        <sequence>
            <element ref="shib:AnySite" minOccurs="0"/>
            <element ref="shib:SiteRule" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <!-- Name plus optional Namespace identify the attribute this rule governs -->
        <attribute name="Name" type="string" use="required"/>
        <attribute name="Namespace" type="string" use="optional"/>
        <!-- Implementation hooks; no value constraints are imposed here -->
        <attribute name="Factory" type="string" use="optional"/>
        <attribute name="Alias" type="string" use="optional"/>
        <attribute name="Header" type="string" use="optional"/>
        <!-- NOTE(review): assumed to switch Scope rule matching on; confirm -->
        <attribute name="Scoped" type="boolean" use="optional" default="false"/>
        <!-- NOTE(review): assumed to govern Value/Scope text comparison; confirm -->
        <attribute name="CaseSensitive" type="boolean" use="optional" default="true"/>
        <anyAttribute namespace="##other" processContents="lax"/>
    </complexType>
112
    <!--
    Element for one attribute rule. SiteRuleKey requires every direct SiteRule
    child to carry a Name that is unique within this AttributeRule; the shib
    prefix in the selector resolves through this schema's own xmlns:shib
    declaration.
    -->
    <element name="AttributeRule" type="shib:AttributeRuleType">
        <key name="SiteRuleKey">
            <selector xpath="./shib:SiteRule"/>
            <field xpath="@Name"/>
        </key>
    </element>
119
    <!--
    Policy element: an optional AnyAttribute marker followed by any number of
    AttributeRule elements. AnyAttribute is an empty element whose presence is
    the whole signal (boolean-by-presence); what it switches on in the engine
    is not stated here. NOTE(review): unlike SiteRule (see SiteRuleKey), nothing
    constrains AttributeRule Name/Namespace to be unique within a policy, so a
    document with two rules for the same attribute is schema-valid and which
    rule applies is left to the engine.
    -->
    <element name="AttributeAcceptancePolicy">
        <complexType>
            <sequence>
                <element name="AnyAttribute" minOccurs="0">
                    <complexType>
                        <sequence/>
                    </complexType>
                </element>
                <element ref="shib:AttributeRule" minOccurs="0" maxOccurs="unbounded"/>
            </sequence>
            <anyAttribute namespace="##other" processContents="lax"/>
        </complexType>
    </element>
133
134
135     <!-- Shibboleth Metadata -->
136     
    <!--
    Base type for OriginSiteType and DestinationSiteType. Optional Alias
    elements carry language-tagged names (xml:lang), Contact elements list
    people, Name is the required site identifier and ErrorURL is an optional
    anyURI. The attribute wildcard is ##any (lax), wider than the ##other
    wildcard used by the policy types above: undeclared attributes in this
    schema's own namespace are also admitted without a validation error.
    -->
    <complexType name="SiteType">
        <annotation>
            <documentation xml:lang="en">All sites have a Name attribute, plus optional i18n-ized aliases.</documentation>
        </annotation>
        <sequence>
            <element name="Alias" minOccurs="0" maxOccurs="unbounded">
                <complexType>
                    <simpleContent>
                        <extension base="string">
                            <!-- language tag of this alias; xml.xsd is imported above for this -->
                            <attribute ref="xml:lang"/>
                        </extension>
                    </simpleContent>
                </complexType>
            </element>
            <element name="Contact" type="shib:ContactType" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="ErrorURL" type="anyURI" use="optional"/>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>
157
    <!-- Allowed values of ContactType/@Type -->
    <simpleType name="ContactTypeType">
        <restriction base="string">
            <enumeration value="technical"/>
            <enumeration value="support"/>
            <enumeration value="administrative"/>
            <enumeration value="billing"/>
            <enumeration value="other"/>
        </restriction>
    </simpleType>
167
    <!--
    Empty-content contact record: required Type (ContactTypeType) and Name,
    optional Email. Email is a plain string; the schema applies no address
    format check, and no attribute wildcard is declared on this type.
    -->
    <complexType name="ContactType">
        <annotation><documentation xml:lang="en">A human contact for a site.</documentation></annotation>
        <sequence/>
        <attribute name="Type" type="shib:ContactTypeType" use="required"/>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="Email" type="string" use="optional"/>
    </complexType>
175
    <!--
    String content plus a regexp flag (default false). Referenced by Domain and
    by KeyAuthorityType/Subject. The lowercase, underscored name differs from
    the CamelCase convention of the other types; it is referenced elsewhere and
    so is not renamed here.
    -->
    <complexType name="regexp_string">
        <annotation>
            <documentation xml:lang="en">A string element with an optional attribute signaling regexp content.</documentation>
        </annotation>
        <simpleContent>
            <extension base="string">
                <attribute name="regexp" type="boolean" use="optional" default="false"/>
            </extension>
        </simpleContent>
    </complexType>
186
    <!--
    Endpoint descriptor used for HandleService and AttributeAuthority in
    OriginSiteType: required Name and anyURI Location, empty content, and a
    ##any (lax) attribute wildcard.
    -->
    <complexType name="AuthorityType">
        <annotation>
            <documentation xml:lang="en">Metadata about a SAML authority.</documentation>
        </annotation>
        <sequence/>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="Location" type="anyURI" use="required"/>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>
196
    <!--
    Origin site: SiteType plus one or more HandleService and zero or more
    AttributeAuthority endpoints (both AuthorityType: Name and anyURI Location),
    then zero or more Domain elements. Per Domain's own documentation the list
    regulates the attribute scopes this site may assert; what an empty list
    means (no scopes, or no restriction) is not stated in this schema and
    should be confirmed against the consumer.
    -->
    <complexType name="OriginSiteType">
        <annotation>
            <documentation xml:lang="en">
            Origin sites add at least one handle service (with a name), plus optional domains trusted for attribute scoping.
            </documentation>
        </annotation>
        <complexContent>
            <extension base="shib:SiteType">
                <sequence>
                    <element name="HandleService" type="shib:AuthorityType" maxOccurs="unbounded"/>
                    <element name="AttributeAuthority" type="shib:AuthorityType" minOccurs="0" maxOccurs="unbounded"/>
                    <element ref="shib:Domain" minOccurs="0" maxOccurs="unbounded"/>
                </sequence>
            </extension>
        </complexContent>
    </complexType>
213         
    <!--
    Domain is a regexp_string: with regexp="true" the text is a pattern rather
    than a literal domain name, so the set of scopes it admits depends on how
    the consumer anchors the match. An over-broad pattern widens the scopes an
    origin site is allowed to assert.
    -->
    <element name="Domain" type="shib:regexp_string">
        <annotation>
            <documentation xml:lang="en">A metadata extension used to regulate allowable attribute scopes.</documentation>
        </annotation>
    </element>
219
    <!--
    Destination site: SiteType plus one or more AssertionConsumerServiceURL
    endpoints and one or more AttributeRequesters, all empty-content elements
    with a ##any (lax) attribute wildcard. NOTE(review):
    AssertionConsumerServiceURL/@Location is typed string, while
    AuthorityType/@Location and SiteType/@ErrorURL are anyURI, so the schema
    performs no URI-shaped check on consumer endpoints; any such check is left
    to the consumer. @Id is optional and carries no uniqueness constraint.
    -->
    <complexType name="DestinationSiteType">
        <annotation>
            <documentation xml:lang="en">
            Destination sites add at least one attribute requester (with a name).
            </documentation>
        </annotation>
        <complexContent>
            <extension base="shib:SiteType">
                <sequence>
                    <element name="AssertionConsumerServiceURL" maxOccurs="unbounded">
                        <complexType>
                            <!-- plain string, not anyURI (see note above) -->
                            <attribute name="Location" type="string" use="required"/>
                            <attribute name="Id" type="string" use="optional"/>
                            <anyAttribute namespace="##any" processContents="lax"/>
                        </complexType>
                    </element>
                    <element name="AttributeRequester" maxOccurs="unbounded">
                        <complexType>
                            <attribute name="Name" type="string" use="required"/>
                            <anyAttribute namespace="##any" processContents="lax"/>
                        </complexType>
                    </element>
                </sequence>
            </extension>
        </complexContent>
    </complexType>
246
    <!--
    Recursive grouping of sites: one or more OriginSite, DestinationSite or
    nested SiteGroup children, followed by an optional ds:Signature. The
    signature is optional at the schema level, so whether unsigned metadata is
    accepted is a runtime trust decision. lastChanged, validUntil and
    cacheDuration are optional dateTime/duration values; nothing here requires
    a validUntil, so expiry enforcement is likewise left to the consumer. The
    attribute wildcard is ##any (lax).
    -->
    <complexType name="SiteGroupType">
        <annotation>
            <documentation xml:lang="en">Used to logically group sites together, optionally signed.</documentation>
        </annotation>
        <sequence>
            <choice maxOccurs="unbounded">
                <element ref="shib:OriginSite"/>
                <element ref="shib:DestinationSite"/>
                <element ref="shib:SiteGroup"/>
            </choice>
            <!-- optional: an unsigned group is schema-valid -->
            <element ref="ds:Signature" minOccurs="0"/>
        </sequence>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="lastChanged" type="dateTime" use="optional"/>
        <attribute name="validUntil" type="dateTime" use="optional"/>
        <attribute name="cacheDuration" type="duration" use="optional"/>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>
265
    <!-- Global site elements; SiteGroup is also the recursive child of SiteGroupType -->
    <element name="OriginSite" type="shib:OriginSiteType"/>
    <element name="DestinationSite" type="shib:DestinationSiteType"/>
    <element name="SiteGroup" type="shib:SiteGroupType"/>
269
270
271         <!-- Old (pre 1.2) Trust Metadata -->
272
    <!--
    Pre-1.2 trust record: one required ds:KeyInfo followed by zero or more
    Subject names. Subject is a regexp_string, so a Subject with regexp="true"
    is matched as a pattern and an over-broad pattern extends the key binding
    to more entities than intended. No local attributes are declared; only the
    ##any (lax) wildcard applies. NOTE(review): the meaning of a KeyAuthority
    with no Subject at all is not stated here; confirm against the trust
    implementation before relying on it.
    -->
    <complexType name="KeyAuthorityType">
        <annotation>
            <documentation xml:lang="en">
            Binds a set of keying material to one or more named system entities.
            </documentation>
        </annotation>
        <sequence>
            <element ref="ds:KeyInfo"/>
            <element name="Subject" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>
    <!-- Global KeyAuthority element, referenced by Trust -->
    <element name="KeyAuthority" type="shib:KeyAuthorityType"/>
286
    <!--
    Pre-1.2 trust metadata element: one or more KeyAuthority records, then an
    optional ds:Signature. Carries the same optional lastChanged, validUntil
    and cacheDuration attributes as SiteGroupType; as there, neither a
    signature nor an expiry is required by the schema, so both are runtime
    decisions of the consumer.
    -->
    <element name="Trust">
        <annotation>
            <documentation xml:lang="en">An optionally signed collection of KeyAuthority data.</documentation>
        </annotation>
        <complexType>
            <sequence>
                <element ref="shib:KeyAuthority" maxOccurs="unbounded"/>
                <!-- optional: an unsigned Trust document is schema-valid -->
                <element ref="ds:Signature" minOccurs="0"/>
            </sequence>
            <attribute name="lastChanged" type="dateTime" use="optional"/>
            <attribute name="validUntil" type="dateTime" use="optional"/>
            <attribute name="cacheDuration" type="duration" use="optional"/>
            <anyAttribute namespace="##any" processContents="lax"/>
        </complexType>
    </element>
302
303 </schema>