New creds format.
[shibboleth/sp.git] / schemas / shibboleth.xsd
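<?xml version="1.0" encoding="US-ASCII"?>
<schema targetNamespace="urn:mace:shibboleth:1.0"
        xmlns="http://www.w3.org/2001/XMLSchema"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:xml="http://www.w3.org/XML/1998/namespace"
        xmlns:shib="urn:mace:shibboleth:1.0"
        elementFormDefault="qualified"
        attributeFormDefault="unqualified"
        version="1.0">

    <!--
    Both schemaLocation values below are plain-http hints. A validator that
    dereferences them fetches schema definitions over an unauthenticated
    channel; resolve these two namespaces from local copies (for example an
    XML catalog) when validating security-relevant documents.
    -->
    <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
    <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>


    <!-- Status-Related Information -->

    <!--
    The following SAML sub-status codes are defined in this namespace:

        "RealTimeRelease"
            Used with samlp:Responder, signals user wants real-time attribute release

        "InvalidHandle"
            Used with samlp:Requester, signals AA did not recognize handle as valid
    -->

    <!--
    The schema only checks anyURI syntax. A consumer that follows or displays
    this value has to apply its own scheme and destination checks.
    -->
    <element name="RealTimeReleaseURL" type="anyURI">
        <annotation>
            <documentation xml:lang="en">Used by AA in samlp:StatusDetail to signal user wants real-time attribute release.</documentation>
        </annotation>
    </element>


    <!-- Relaxes SAML AttributeValue type definition -->

    <!--
    Mixed content, any child elements and any attributes, all with lax
    processing: schema validation places no constraint on an attribute value.
    Whatever consumes these values must validate them itself.
    -->
    <complexType name="AttributeValueType" mixed="true">
        <annotation>
            <documentation xml:lang="en">By convention, all Shibboleth attribute values carry this unconstrained xsi:type.</documentation>
        </annotation>
        <sequence>
            <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>


    <!-- Attribute Acceptance Policies -->

    <!--
    How the string content of a Scope or Value rule is to be interpreted.
    NOTE(review): the schema does not say whether a regexp rule must match the
    whole value or only part of it; confirm against the implementation, since
    an unanchored pattern accepts more than a policy author may intend.
    -->
    <simpleType name="AttributeRuleValueType">
        <restriction base="string">
            <enumeration value="literal"/>
            <enumeration value="regexp"/>
            <enumeration value="xpath"/>
        </restriction>
    </simpleType>

    <!--
    Rule body shared by AnySite and SiteRule: zero or more Scope entries,
    then optionally either AnyValue or one or more Value entries.
    Scope defaults to Accept="true" and Type="literal"; Value defaults to
    Type="literal". The anyAttribute wildcards are lax, so extension
    attributes on these elements are not validated by this schema.
    -->
    <complexType name="SiteRuleType">
        <sequence>
            <element name="Scope" minOccurs="0" maxOccurs="unbounded">
                <complexType>
                    <simpleContent>
                        <extension base="string">
                            <attribute name="Accept" type="boolean" use="optional" default="true"/>
                            <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
                            <anyAttribute namespace="##any" processContents="lax"/>
                        </extension>
                    </simpleContent>
                </complexType>
            </element>
            <choice minOccurs="0">
                <element name="AnyValue">
                    <complexType>
                        <sequence/>
                        <anyAttribute namespace="##any" processContents="lax"/>
                    </complexType>
                </element>
                <element name="Value" maxOccurs="unbounded">
                    <complexType>
                        <simpleContent>
                            <extension base="string">
                                <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
                                <anyAttribute namespace="##any" processContents="lax"/>
                            </extension>
                        </simpleContent>
                    </complexType>
                </element>
            </choice>
        </sequence>
    </complexType>

    <!-- AnySite carries the bare rule body; SiteRule adds a required Name. -->
    <element name="AnySite" type="shib:SiteRuleType"/>
    <element name="SiteRule">
        <complexType>
            <complexContent>
                <extension base="shib:SiteRuleType">
                    <attribute name="Name" type="string" use="required"/>
                    <anyAttribute namespace="##any" processContents="lax"/>
                </extension>
            </complexContent>
        </complexType>
    </element>

    <!--
    One rule per attribute: an optional AnySite followed by any number of
    SiteRule entries. Only Name is required; Namespace, Factory, Alias and
    Header are optional strings.
    -->
    <complexType name="AttributeRuleType">
        <sequence>
            <element ref="shib:AnySite" minOccurs="0"/>
            <element ref="shib:SiteRule" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="Namespace" type="string" use="optional"/>
        <attribute name="Factory" type="string" use="optional"/>
        <attribute name="Alias" type="string" use="optional"/>
        <attribute name="Header" type="string" use="optional"/>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>

    <!-- The key makes SiteRule Name values unique within one AttributeRule. -->
    <element name="AttributeRule" type="shib:AttributeRuleType">
        <key name="SiteRuleKey">
            <selector xpath="./shib:SiteRule"/>
            <field xpath="@Name"/>
        </key>
    </element>

    <!-- Root of an acceptance policy document: a list of AttributeRule. -->
    <element name="AttributeAcceptancePolicy">
        <complexType>
            <sequence>
                <element ref="shib:AttributeRule" minOccurs="0" maxOccurs="unbounded"/>
            </sequence>
            <anyAttribute namespace="##any" processContents="lax"/>
        </complexType>
    </element>


    <!-- Shibboleth Metadata -->

    <!-- ErrorURL is checked for anyURI syntax only. -->
    <complexType name="SiteType">
        <annotation>
            <documentation xml:lang="en">All sites have a Name attribute, plus optional i18n-ized aliases.</documentation>
        </annotation>
        <sequence>
            <element name="Alias" minOccurs="0" maxOccurs="unbounded">
                <complexType>
                    <simpleContent>
                        <extension base="string">
                            <attribute ref="xml:lang"/>
                        </extension>
                    </simpleContent>
                </complexType>
            </element>
            <element name="Contact" type="shib:ContactType" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="ErrorURL" type="anyURI" use="optional"/>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>

    <!-- Closed list of contact roles used by ContactType. -->
    <simpleType name="ContactTypeType">
        <restriction base="string">
            <enumeration value="technical"/>
            <enumeration value="administrative"/>
            <enumeration value="billing"/>
            <enumeration value="other"/>
        </restriction>
    </simpleType>

    <!-- Email is a plain string; the schema does not check its format. -->
    <complexType name="ContactType">
        <annotation>
            <documentation xml:lang="en">A human contact for a site.</documentation>
        </annotation>
        <sequence/>
        <attribute name="Type" type="shib:ContactTypeType" use="required"/>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="Email" type="string" use="optional"/>
    </complexType>

    <!--
    Used for Domain, Subject and RelyingParty below. regexp defaults to
    false, so content is a literal unless the author opts in.
    NOTE(review): pattern syntax and anchoring are not defined by the schema;
    confirm how the consumer matches before relying on a pattern for trust
    decisions.
    -->
    <complexType name="regexp_string">
        <annotation>
            <documentation xml:lang="en">A string element with an optional attribute signaling regexp content.</documentation>
        </annotation>
        <simpleContent>
            <extension base="string">
                <attribute name="regexp" type="boolean" use="optional" default="false"/>
            </extension>
        </simpleContent>
    </complexType>

    <!-- Name and Location are both required; Location is anyURI syntax only. -->
    <complexType name="AuthorityType">
        <annotation>
            <documentation xml:lang="en">Metadata about a SAML authority.</documentation>
        </annotation>
        <sequence/>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="Location" type="anyURI" use="required"/>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>

    <!--
    Extends SiteType with one or more HandleService entries, optional
    AttributeAuthority entries and optional Domain entries. Domain uses
    regexp_string, so a Domain marked regexp="true" is a pattern, not a name.
    -->
    <complexType name="OriginSiteType">
        <annotation>
            <documentation xml:lang="en">Origin sites add at least one handle service (with a name and optional KeyInfo), plus optional domains trusted for attribute scoping.</documentation>
        </annotation>
        <complexContent>
            <extension base="shib:SiteType">
                <sequence>
                    <element name="HandleService" type="shib:AuthorityType" maxOccurs="unbounded"/>
                    <element name="AttributeAuthority" type="shib:AuthorityType" minOccurs="0" maxOccurs="unbounded"/>
                    <element name="Domain" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
                </sequence>
            </extension>
        </complexContent>
    </complexType>

    <!--
    ds:Signature and validUntil are both optional, so a schema-valid SiteGroup
    may be unsigned and may carry no expiry. A consumer that loads metadata
    from outside its own trust boundary has to require and verify the
    signature itself and decide how to treat a missing validUntil.
    -->
    <complexType name="SiteGroupType">
        <annotation>
            <documentation xml:lang="en">Used to logically group sites together, optionally signed.</documentation>
        </annotation>
        <sequence>
            <choice maxOccurs="unbounded">
                <element ref="shib:OriginSite"/>
                <element ref="shib:DestinationSite"/>
                <element ref="shib:SiteGroup"/>
            </choice>
            <element ref="ds:Signature" minOccurs="0"/>
        </sequence>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="lastChanged" type="dateTime" use="optional"/>
        <attribute name="validUntil" type="dateTime" use="optional"/>
        <attribute name="cacheDuration" type="duration" use="optional"/>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>

    <!-- Global metadata elements referenced from SiteGroupType. -->
    <element name="OriginSite" type="shib:OriginSiteType"/>
    <element name="DestinationSite" type="shib:SiteType"/>
    <element name="SiteGroup" type="shib:SiteGroupType"/>


    <!-- Trust Metadata -->

    <!--
    One required ds:KeyInfo followed by optional Subject entries. Type
    defaults to "authority". VerifyDepth is optional and has no default in
    the schema, so the effective limit when it is absent is decided by the
    consumer.
    -->
    <complexType name="KeyAuthorityType">
        <annotation>
            <documentation xml:lang="en">
            Binds a set of keying material to one or more named system entities.
            </documentation>
        </annotation>
        <sequence>
            <element ref="ds:KeyInfo"/>
            <element name="Subject" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="VerifyDepth" type="unsignedByte" use="optional"/>
        <attribute name="Type" use="optional" default="authority">
            <simpleType>
                <restriction base="string">
                    <enumeration value="authority"/>
                    <enumeration value="entity"/>
                </restriction>
            </simpleType>
        </attribute>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>
    <element name="KeyAuthority" type="shib:KeyAuthorityType"/>

    <!--
    As with SiteGroupType, the signature and validUntil are optional here.
    Schema validity says nothing about whether this trust data was signed or
    by whom; signature verification has to be enforced by the consumer.
    -->
    <element name="Trust">
        <annotation>
            <documentation xml:lang="en">An optionally signed collection of KeyAuthority data.</documentation>
        </annotation>
        <complexType>
            <sequence>
                <element ref="shib:KeyAuthority" maxOccurs="unbounded"/>
                <element ref="ds:Signature" minOccurs="0"/>
            </sequence>
            <attribute name="lastChanged" type="dateTime" use="optional"/>
            <attribute name="validUntil" type="dateTime" use="optional"/>
            <attribute name="cacheDuration" type="duration" use="optional"/>
            <anyAttribute namespace="##any" processContents="lax"/>
        </complexType>
    </element>

    <!-- Credential Access -->

    <!--
    Password is an ordinary string element, so a key password sits in clear
    text in whatever file holds this configuration. Restrict read access to
    that file to the account that runs the service.
    -->
    <complexType name="FileCredResolverType">
        <annotation>
            <documentation xml:lang="en">Describes how to access a key or certificate in a file.</documentation>
        </annotation>
        <sequence>
            <element name="Path" type="string"/>
            <element name="Password" type="string" minOccurs="0"/>
        </sequence>
        <attribute name="Id" type="ID" use="required"/>
        <attribute name="Format" use="optional" default="PEM">
            <simpleType>
                <restriction base="string">
                    <enumeration value="PEM"/>
                    <enumeration value="DER"/>
                </restriction>
            </simpleType>
        </attribute>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>
    <element name="FileCredResolver" type="shib:FileCredResolverType"/>

    <!--
    Class names the extension class and the content is unconstrained (any
    element, lax). Because this value selects code to run, the configuration
    file should be writable only by trusted administrators.
    -->
    <complexType name="CustomCredResolverType">
        <annotation>
            <documentation xml:lang="en">Describes how to access a credential using an extension class.</documentation>
        </annotation>
        <sequence>
            <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="Id" type="ID" use="required"/>
        <attribute name="Class" type="string" use="required"/>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>
    <element name="CustomCredResolver" type="shib:CustomCredResolverType"/>

    <!--
    Fix: Path, Alias, Password and AliasPassword were written as attribute
    declarations inside the sequence, which XML Schema does not allow (a
    sequence may hold only element particles). They are declared as child
    elements here, matching Path and Password in FileCredResolverType; the
    former use="optional" on AliasPassword becomes minOccurs="0".
    NOTE(review): confirm against the resolver implementation that it reads
    these as child elements rather than attributes.
    Both passwords are plain strings stored in clear text in the
    configuration; restrict read access to the file that holds them.
    -->
    <element name="KeyStoreResolver">
        <annotation>
            <documentation xml:lang="en">Describes credentials in a Java keystore.</documentation>
        </annotation>
        <complexType>
            <sequence>
                <element name="Path" type="string"/>
                <element name="Alias" type="string"/>
                <element name="Password" type="string"/>
                <element name="AliasPassword" type="string" minOccurs="0"/>
            </sequence>
            <attribute name="Id" type="ID" use="required"/>
            <attribute name="Type" type="string" use="optional" default="JKS"/>
            <anyAttribute namespace="##any" processContents="lax"/>
        </complexType>
    </element>

    <!--
    KeyRef (required) and CertificateRef (optional) are IDREFs. IDREF
    validation only guarantees that some ID with that value exists in the
    document, not that it identifies a credential resolver, so the consumer
    has to check what the reference resolves to.
    -->
    <complexType name="KeyUseType">
        <annotation>
            <documentation xml:lang="en">
            Binds a set of credentials to one or more named system entities with additional controls over
            which relying parties are capable of accepting them.
            </documentation>
        </annotation>
        <sequence>
            <element name="Subject" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
            <element name="RelyingParty" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="KeyRef" type="IDREF" use="required"/>
        <attribute name="CertificateRef" type="IDREF" use="optional"/>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>
    <element name="KeyUse" type="shib:KeyUseType"/>

    <!--
    One or more credential sources (ds:KeyInfo or one of the three resolver
    elements, in any order) followed by one or more KeyUse bindings.
    -->
    <element name="Credentials">
        <annotation>
            <documentation xml:lang="en">A set of KeyUse data that provides local credentials.</documentation>
        </annotation>
        <complexType>
            <sequence>
                <choice maxOccurs="unbounded">
                    <element ref="ds:KeyInfo"/>
                    <element ref="shib:FileCredResolver"/>
                    <element ref="shib:KeyStoreResolver"/>
                    <element ref="shib:CustomCredResolver"/>
                </choice>
                <element ref="shib:KeyUse" maxOccurs="unbounded"/>
            </sequence>
            <anyAttribute namespace="##any" processContents="lax"/>
        </complexType>
    </element>

</schema>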