Had to hang AttributeValueType off the SAML hack.
1 <?xml version="1.0" encoding="US-ASCII"?>
2 <schema targetNamespace="urn:mace:shibboleth:1.0"
3         xmlns="http://www.w3.org/2001/XMLSchema"
4         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
5         xmlns:xml="http://www.w3.org/XML/1998/namespace"
6         xmlns:shib="urn:mace:shibboleth:1.0"
7         xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
8         elementFormDefault="qualified"
9         attributeFormDefault="unqualified"
10         version="1.2">
11
12     <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
13     <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
14     <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="cs-sstc-schema-assertion-1.1.xsd"/>
15     
16     <!-- Status-Related Information -->
17     
18     <!--
19     The following SAML sub-status codes are defined in this namespace:
20     
21         "InvalidHandle"
22             Used with samlp:Requester, signals AA did not recognize handle as valid
23     -->
24
25     <!--
26     Relaxes SAML AttributeValue type definition. Xerces-C has a bug that prevents
27     anyAttribute content appearing on anyType. As a hack, we define the SAML schema
28     such that AttributeValue now derives from an extended type, and we then extend
29     that type here. 1.1 origins will specify this xsi:type. 1.2 origins will leave
30     it out, and the SAML schema hack will allow it to validate.
31     In 1.1 targets, this type was defined differently.
32     -->
33
34         <complexType name="AttributeValueType" mixed="true">
35                 <annotation>
36                         <documentation xml:lang="en">
37                         By convention, all Shibboleth 1.1 origin attribute values carry this unconstrained xsi:type.
38                         </documentation>
39                 </annotation>
40                 <complexContent>
41                         <extension base="saml:AttributeValueType"/>
42                 </complexContent>
43         </complexType>
44     
45     <!-- Attribute Acceptance Policies -->
46         
47     <simpleType name="AttributeRuleValueType">
48         <restriction base="string">
49             <enumeration value="literal"/>
50             <enumeration value="regexp"/>
51             <enumeration value="xpath"/>
52         </restriction>
53     </simpleType>
54     
55     <complexType name="SiteRuleType">
56         <sequence>
57                 <element name="Scope" minOccurs="0" maxOccurs="unbounded">
58                         <complexType>
59                     <simpleContent>
60                         <extension base="string">
61                                 <attribute name="Accept" type="boolean" use="optional" default="true"/>
62                             <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
63                             <anyAttribute namespace="##any" processContents="lax"/>
64                         </extension>
65                     </simpleContent>
66                         </complexType>
67                 </element>
68                 <choice minOccurs="0">
69                         <element name="AnyValue">
70                                 <complexType>
71                                         <sequence/>
72                                         <anyAttribute namespace="##any" processContents="lax"/>
73                                 </complexType>
74                         </element>
75                     <element name="Value" maxOccurs="unbounded">
76                         <complexType>
77                             <simpleContent>
78                                 <extension base="string">
79                                     <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
80                                     <anyAttribute namespace="##any" processContents="lax"/>
81                                 </extension>
82                             </simpleContent>
83                         </complexType>
84                     </element>
85                 </choice>
86         </sequence>
87     </complexType>
88
89     <element name="AnySite" type="shib:SiteRuleType"/>
90     <element name="SiteRule">
91         <complexType>
92             <complexContent>
93                 <extension base="shib:SiteRuleType">
94                     <attribute name="Name" type="string" use="required"/>
95                     <anyAttribute namespace="##any" processContents="lax"/>
96                 </extension>
97             </complexContent>
98         </complexType>
99     </element>
100
101     <complexType name="AttributeRuleType">
102         <sequence>
103             <element ref="shib:AnySite" minOccurs="0"/>
104             <element ref="shib:SiteRule" minOccurs="0" maxOccurs="unbounded"/>
105         </sequence>
106         <attribute name="Name" type="string" use="required"/>
107         <attribute name="Namespace" type="string" use="optional"/>
108         <attribute name="Factory" type="string" use="optional"/>
109         <attribute name="Alias" type="string" use="optional"/>
110                 <attribute name="Header" type="string" use="optional"/>
111                 <anyAttribute namespace="##any" processContents="lax"/>
112     </complexType>
113
114     <element name="AttributeRule" type="shib:AttributeRuleType">
115         <key name="SiteRuleKey">
116             <selector xpath="./shib:SiteRule"/>
117             <field xpath="@Name"/>
118         </key>
119     </element>
120
121     <element name="AttributeAcceptancePolicy">
122         <complexType>
123             <sequence>
124                 <element ref="shib:AttributeRule" minOccurs="0" maxOccurs="unbounded"/>
125             </sequence>
126             <anyAttribute namespace="##any" processContents="lax"/>
127         </complexType>
128     </element>
129
130
131     <!-- Shibboleth Metadata -->
132     
133     <complexType name="SiteType">
134         <annotation>
135                 <documentation xml:lang="en">All sites have a Name attribute, plus optional i18n-ized aliases.</documentation>
136         </annotation>
137         <sequence>
138             <element name="Alias" minOccurs="0" maxOccurs="unbounded">
139                 <complexType>
140                     <simpleContent>
141                         <extension base="string">
142                             <attribute ref="xml:lang"/>
143                         </extension>
144                     </simpleContent>
145                 </complexType>
146             </element>
147             <element name="Contact" type="shib:ContactType" minOccurs="0" maxOccurs="unbounded"/>
148         </sequence>
149         <attribute name="Name" type="string" use="required"/>
150         <attribute name="ErrorURL" type="anyURI" use="optional"/>
151         <anyAttribute namespace="##any" processContents="lax"/>
152     </complexType>
153
154         <simpleType name="ContactTypeType">
155                 <restriction base="string">
156             <enumeration value="technical"/>
157             <enumeration value="support"/>
158             <enumeration value="administrative"/>
159             <enumeration value="billing"/>
160             <enumeration value="other"/>
161         </restriction>
162     </simpleType>
163
164         <complexType name="ContactType">
165                 <annotation><documentation xml:lang="en">A human contact for a site.</documentation></annotation>
166                 <sequence/>
167         <attribute name="Type" type="shib:ContactTypeType" use="required"/>
168         <attribute name="Name" type="string" use="required"/>
169         <attribute name="Email" type="string" use="optional"/>
170         </complexType>
171
172     <complexType name="regexp_string">
173         <annotation>
174                 <documentation xml:lang="en">A string element with an optional attribute signaling regexp content.</documentation>
175         </annotation>
176         <simpleContent>
177             <extension base="string">
178                 <attribute name="regexp" type="boolean" use="optional" default="false"/>
179             </extension>
180         </simpleContent>
181     </complexType>    
182
183         <complexType name="AuthorityType">
184                 <annotation>
185                         <documentation xml:lang="en">Metadata about a SAML authority.</documentation>
186                 </annotation>
187         <sequence/>
188         <attribute name="Name" type="string" use="required"/>
189         <attribute name="Location" type="anyURI" use="required"/>
190         <anyAttribute namespace="##any" processContents="lax"/>
191         </complexType>
192
193     <complexType name="OriginSiteType">
194         <annotation>
195                 <documentation xml:lang="en">
196                 Origin sites add at least one handle service (with a name), plus optional domains trusted for attribute scoping.
197                 </documentation>
198         </annotation>
199         <complexContent>
200                 <extension base="shib:SiteType">
201                     <sequence>
202                         <element name="HandleService" type="shib:AuthorityType" maxOccurs="unbounded"/>
203                         <element name="AttributeAuthority" type="shib:AuthorityType" minOccurs="0" maxOccurs="unbounded"/>
204                         <element name="Domain" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
205                     </sequence>
206                 </extension>
207         </complexContent>
208     </complexType>
209
210     <complexType name="DestinationSiteType">
211         <annotation>
212                 <documentation xml:lang="en">
213                 Destination sites add at least one attribute requester (with a name).
214                 </documentation>
215         </annotation>
216         <complexContent>
217                 <extension base="shib:SiteType">
218                     <sequence>
219                         <element name="AssertionConsumerServiceURL" maxOccurs="unbounded">
220                                 <complexType>
221                                         <sequence/>
222                                         <attribute name="Location" type="string" use="required"/>
223                                                 <attribute name="Id" type="string" use="optional"/>
224                                                 <anyAttribute namespace="##any" processContents="lax"/>
225                                 </complexType>
226                         </element>
227                         <element name="AttributeRequester" maxOccurs="unbounded">
228                                 <complexType>
229                                         <sequence/>
230                                         <attribute name="Name" type="string" use="required"/>
231                                                 <anyAttribute namespace="##any" processContents="lax"/>
232                                 </complexType>
233                         </element>
234                     </sequence>
235                 </extension>
236         </complexContent>
237     </complexType>
238
239     <complexType name="SiteGroupType">
240         <annotation>
241                 <documentation xml:lang="en">Used to logically group sites together, optionally signed.</documentation>
242         </annotation>
243         <sequence>
244             <choice maxOccurs="unbounded">
245                 <element ref="shib:OriginSite"/>
246                 <element ref="shib:DestinationSite"/>
247                 <element ref="shib:SiteGroup"/>
248             </choice>
249             <element ref="ds:Signature" minOccurs="0"/>
250         </sequence>
251         <attribute name="Name" type="string" use="required"/>
252         <attribute name="lastChanged" type="dateTime" use="optional"/>
253         <attribute name="validUntil" type="dateTime" use="optional"/>
254         <attribute name="cacheDuration" type="duration" use="optional"/>
255         <anyAttribute namespace="##any" processContents="lax"/>
256     </complexType>    
257
258     <element name="OriginSite" type="shib:OriginSiteType"/>
259     <element name="DestinationSite" type="shib:DestinationSiteType"/>
260     <element name="SiteGroup" type="shib:SiteGroupType"/>
261
262
263         <!-- Old (pre 1.2) Trust Metadata -->
264
265         <complexType name="KeyAuthorityType">
266                 <annotation>
267                         <documentation xml:lang="en">
268                         Binds a set of keying material to one or more named system entities.
269                         </documentation>
270                 </annotation>
271                 <sequence>
272                         <element ref="ds:KeyInfo"/>
273                         <element name="Subject" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
274                 </sequence>
275                 <anyAttribute namespace="##any" processContents="lax"/>
276         </complexType>
277         <element name="KeyAuthority" type="shib:KeyAuthorityType"/>
278
279         <element name="Trust">
280                 <annotation>
281                         <documentation xml:lang="en">An optionally signed collection of KeyAuthority data.</documentation>
282                 </annotation>
283                 <complexType>
284                         <sequence>
285                                 <element ref="shib:KeyAuthority" maxOccurs="unbounded"/>
286                                 <element ref="ds:Signature" minOccurs="0"/>
287                         </sequence>
288                 <attribute name="lastChanged" type="dateTime" use="optional"/>
289                 <attribute name="validUntil" type="dateTime" use="optional"/>
290                 <attribute name="cacheDuration" type="duration" use="optional"/>
291                 <anyAttribute namespace="##any" processContents="lax"/>
292                 </complexType>
293         </element>
294
295 </schema>