1 <?xml version="1.0" encoding="US-ASCII"?>
2 <schema targetNamespace="urn:mace:shibboleth:1.0" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:shib="urn:mace:shibboleth:1.0" elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.0">
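<!-- External schema dependencies (XML Signature core, xml.xsd). The schemaLocation values are hints only:
     a validator should resolve them from a local catalog or bundled copy rather than fetching these URLs
     over the network every time the schema is loaded. -->
<import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
<import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>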
7 <!-- Status-Related Information -->
10 The following SAML sub-status codes are defined in this namespace:
13 Used with samlp:Responder, signals user wants real-time attribute release
16 Used with samlp:Requester, signals AA did not recognize handle as valid
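<!-- Status detail element carried by the AA (see the sub-status codes above). The value is an unconstrained
     anyURI supplied by the remote party; any receiver that follows or displays it should treat it as untrusted input. -->
<element name="RealTimeReleaseURL" type="anyURI">
    <annotation>
        <documentation xml:lang="en">Used by AA in samlp:StatusDetail to signal user wants real-time attribute release.</documentation>
    </annotation>
</element>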
26 <!-- Relaxes SAML AttributeValue type definition -->
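<!-- Deliberately unconstrained value type: mixed content, any child element from any namespace, any attribute,
     all with processContents="lax" (unknown content is accepted unvalidated). Schema validation therefore
     guarantees nothing about an attribute value's shape; consumers must validate values themselves. -->
<complexType name="AttributeValueType" mixed="true">
    <annotation>
        <documentation xml:lang="en">By convention, all Shibboleth attribute values carry this unconstrained xsi:type.</documentation>
    </annotation>
    <sequence>
        <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
    <anyAttribute namespace="##any" processContents="lax"/>
</complexType>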
39 <!-- Attribute Acceptance Policies -->
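<!-- How a policy rule value is matched against an attribute value: as a literal string, a regular expression,
     or an XPath expression. The schema only names the matcher; pattern syntax, anchoring and complexity limits
     are decided by the consumer evaluating the rule. -->
<simpleType name="AttributeRuleValueType">
    <restriction base="string">
        <enumeration value="literal"/>
        <enumeration value="regexp"/>
        <enumeration value="xpath"/>
    </restriction>
</simpleType>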
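<!-- Acceptance rule applied for one site (or, via AnySite, for all sites).
     Scope entries: a scope string with Accept (default true) and a match Type (default literal).
     Value part: either a single AnyValue element (no value constraint is expressed in the schema)
     or one or more Value entries, each with its own match Type. Every element also admits
     arbitrary lax-processed attributes, so unknown attributes are not rejected by validation. -->
<complexType name="SiteRuleType">
    <sequence>
        <element name="Scope" minOccurs="0" maxOccurs="unbounded">
            <complexType>
                <simpleContent>
                    <extension base="string">
                        <attribute name="Accept" type="boolean" use="optional" default="true"/>
                        <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
                        <anyAttribute namespace="##any" processContents="lax"/>
                    </extension>
                </simpleContent>
            </complexType>
        </element>
        <choice minOccurs="0">
            <element name="AnyValue">
                <complexType>
                    <sequence/>
                    <anyAttribute namespace="##any" processContents="lax"/>
                </complexType>
            </element>
            <element name="Value" maxOccurs="unbounded">
                <complexType>
                    <simpleContent>
                        <extension base="string">
                            <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
                            <anyAttribute namespace="##any" processContents="lax"/>
                        </extension>
                    </simpleContent>
                </complexType>
            </element>
        </choice>
    </sequence>
</complexType>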
83 <element name="AnySite" type="shib:SiteRuleType"/>
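<!-- SiteRuleType narrowed to a single named site; Name is required and is the field of the
     SiteRuleKey constraint declared on AttributeRule. -->
<element name="SiteRule">
    <complexType>
        <complexContent>
            <extension base="shib:SiteRuleType">
                <attribute name="Name" type="string" use="required"/>
                <anyAttribute namespace="##any" processContents="lax"/>
            </extension>
        </complexContent>
    </complexType>
</element>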
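<!-- Acceptance rule for one attribute: an optional AnySite rule followed by any number of SiteRules.
     Name is required; Namespace, Factory, Alias and Header are optional plain strings.
     Header: presumably the HTTP request header the attribute is exported into, and Factory the
     implementation class used to build it; neither is constrained here (TODO confirm against the consumer). -->
<complexType name="AttributeRuleType">
    <sequence>
        <element ref="shib:AnySite" minOccurs="0"/>
        <element ref="shib:SiteRule" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
    <attribute name="Name" type="string" use="required"/>
    <attribute name="Namespace" type="string" use="optional"/>
    <attribute name="Factory" type="string" use="optional"/>
    <attribute name="Alias" type="string" use="optional"/>
    <attribute name="Header" type="string" use="optional"/>
    <anyAttribute namespace="##any" processContents="lax"/>
</complexType>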
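<!-- SiteRuleKey makes SiteRule/@Name unique (and required) within one AttributeRule, so a site cannot be
     given two rules for the same attribute. This is only enforced when the policy is schema-validated. -->
<element name="AttributeRule" type="shib:AttributeRuleType">
    <key name="SiteRuleKey">
        <selector xpath="./shib:SiteRule"/>
        <field xpath="@Name"/>
    </key>
</element>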
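<!-- Document root of an attribute acceptance policy: zero or more AttributeRules. An empty policy is
     schema-valid; what it means for an attribute with no rule is decided by the consumer, not here. -->
<element name="AttributeAcceptancePolicy">
    <complexType>
        <sequence>
            <element ref="shib:AttributeRule" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>
</element>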
125 <!-- Shibboleth Metadata -->
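<!-- Base type for every site: a required Name, optional Alias entries tagged with xml:lang, optional
     Contacts, and an optional ErrorURL. ErrorURL is an unconstrained anyURI published by the site;
     anything that renders or redirects to it should treat it as untrusted. -->
<complexType name="SiteType">
    <annotation>
        <documentation xml:lang="en">All sites have a Name attribute, plus optional i18n-ized aliases.</documentation>
    </annotation>
    <sequence>
        <element name="Alias" minOccurs="0" maxOccurs="unbounded">
            <complexType>
                <simpleContent>
                    <extension base="string">
                        <attribute ref="xml:lang"/>
                    </extension>
                </simpleContent>
            </complexType>
        </element>
        <element name="Contact" type="shib:ContactType" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
    <attribute name="Name" type="string" use="required"/>
    <attribute name="ErrorURL" type="anyURI" use="optional"/>
    <anyAttribute namespace="##any" processContents="lax"/>
</complexType>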
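<!-- Role of a site contact. -->
<simpleType name="ContactTypeType">
    <restriction base="string">
        <enumeration value="technical"/>
        <enumeration value="administrative"/>
        <enumeration value="billing"/>
        <enumeration value="other"/>
    </restriction>
</simpleType>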
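<!-- Site contact: required Type and Name, optional Email. Email is a plain string, so the schema does
     not check that it is a well-formed address. -->
<complexType name="ContactType">
    <annotation><documentation xml:lang="en">A human contact for a site.</documentation></annotation>
    <sequence/>
    <attribute name="Type" type="shib:ContactTypeType" use="required"/>
    <attribute name="Name" type="string" use="required"/>
    <attribute name="Email" type="string" use="optional"/>
</complexType>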
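<!-- String that is either a literal (default) or, with regexp="true", a regular expression. The schema
     does not constrain the pattern, so the consumer's matcher decides syntax, anchoring and complexity
     limits; a pattern broader than intended matches more subjects/domains than intended. -->
<complexType name="regexp_string">
    <annotation>
        <documentation xml:lang="en">A string element with an optional attribute signaling regexp content.</documentation>
    </annotation>
    <simpleContent>
        <extension base="string">
            <attribute name="regexp" type="boolean" use="optional" default="false"/>
        </extension>
    </simpleContent>
</complexType>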
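<!-- A SAML authority endpoint: required Name and required Location (anyURI). Arbitrary extra attributes
     are accepted lax. -->
<complexType name="AuthorityType">
    <annotation>
        <documentation xml:lang="en">Metadata about a SAML authority.</documentation>
    </annotation>
    <sequence/>
    <attribute name="Name" type="string" use="required"/>
    <attribute name="Location" type="anyURI" use="required"/>
    <anyAttribute namespace="##any" processContents="lax"/>
</complexType>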
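<!-- SiteType extended for an origin: at least one HandleService, optional AttributeAuthorities, and optional
     Domain entries (regexp_string) naming the domains trusted for attribute scoping. Because a Domain may be
     a regular expression, review patterns for breadth: the pattern defines exactly which scopes are trusted. -->
<complexType name="OriginSiteType">
    <annotation>
        <documentation xml:lang="en">Origin sites add at least one handle service (with a name and optional KeyInfo), plus optional domains trusted for attribute scoping.</documentation>
    </annotation>
    <complexContent>
        <extension base="shib:SiteType">
            <sequence>
                <element name="HandleService" type="shib:AuthorityType" maxOccurs="unbounded"/>
                <element name="AttributeAuthority" type="shib:AuthorityType" minOccurs="0" maxOccurs="unbounded"/>
                <element name="Domain" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
            </sequence>
        </extension>
    </complexContent>
</complexType>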
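<!-- Group of origin sites, destination sites and nested groups, optionally followed by a ds:Signature.
     The signature is minOccurs="0", so validation alone does not guarantee signed metadata: a consumer
     that requires signatures must enforce that itself. lastChanged, validUntil and cacheDuration are
     likewise optional; a consumer should honour validUntil when present rather than rely on the schema. -->
<complexType name="SiteGroupType">
    <annotation>
        <documentation xml:lang="en">Used to logically group sites together, optionally signed.</documentation>
    </annotation>
    <sequence>
        <choice maxOccurs="unbounded">
            <element ref="shib:OriginSite"/>
            <element ref="shib:DestinationSite"/>
            <element ref="shib:SiteGroup"/>
        </choice>
        <element ref="ds:Signature" minOccurs="0"/>
    </sequence>
    <attribute name="Name" type="string" use="required"/>
    <attribute name="lastChanged" type="dateTime" use="optional"/>
    <attribute name="validUntil" type="dateTime" use="optional"/>
    <attribute name="cacheDuration" type="duration" use="optional"/>
    <anyAttribute namespace="##any" processContents="lax"/>
</complexType>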
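<!-- Global element declarations referenced from SiteGroupType. A SiteGroup may contain SiteGroups,
     so nesting depth is unbounded at the schema level; parsers should bound it. -->
<element name="OriginSite" type="shib:OriginSiteType"/>
<element name="DestinationSite" type="shib:SiteType"/>
<element name="SiteGroup" type="shib:SiteGroupType"/>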
225 <!-- Trust Metadata -->
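<!-- Binds a ds:KeyInfo to the entities named by the optional Subject entries (regexp_string). Type is
     "authority" (default) or "entity"; VerifyDepth is an unsignedByte, presumably the maximum certificate
     chain length accepted under this authority (TODO confirm against the trust engine). With no Subject
     element the binding is unrestricted by the schema, and a regexp Subject binds the keying material to
     everything its pattern matches. -->
<complexType name="KeyAuthorityType">
    <annotation>
        <documentation xml:lang="en">
        Binds a set of keying material to one or more named system entities.
        </documentation>
    </annotation>
    <sequence>
        <element ref="ds:KeyInfo"/>
        <element name="Subject" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
    <attribute name="VerifyDepth" type="unsignedByte" use="optional"/>
    <attribute name="Type" use="optional" default="authority">
        <simpleType>
            <restriction base="string">
                <enumeration value="authority"/>
                <enumeration value="entity"/>
            </restriction>
        </simpleType>
    </attribute>
    <anyAttribute namespace="##any" processContents="lax"/>
</complexType>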
248 <element name="KeyAuthority" type="shib:KeyAuthorityType"/>
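<!-- Trust document: one or more KeyAuthority entries and an optional ds:Signature. As with SiteGroupType,
     the signature and the validUntil/cacheDuration hints are optional in the schema; a consumer that
     requires signed or unexpired trust data must check that itself. -->
<element name="Trust">
    <annotation>
        <documentation xml:lang="en">An optionally signed collection of KeyAuthority data.</documentation>
    </annotation>
    <complexType>
        <sequence>
            <element ref="shib:KeyAuthority" maxOccurs="unbounded"/>
            <element ref="ds:Signature" minOccurs="0"/>
        </sequence>
        <attribute name="lastChanged" type="dateTime" use="optional"/>
        <attribute name="validUntil" type="dateTime" use="optional"/>
        <attribute name="cacheDuration" type="duration" use="optional"/>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>
</element>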
266 <!-- Credential Access -->
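<!-- Key or certificate loaded from a file: required Path, optional Password, Format PEM (default) or DER.
     Password is a clear-text string inside the configuration document, so the document itself must be
     protected like the key it unlocks (file permissions, no copying into logs or version control).
     Id is an xs:ID and is what KeyUse/@KeyRef and @CertificateRef point at. -->
<complexType name="FileCredResolverType">
    <annotation>
        <documentation xml:lang="en">Describes how to access a key or certificate in a file.</documentation>
    </annotation>
    <sequence>
        <element name="Path" type="string"/>
        <element name="Password" type="string" minOccurs="0"/>
    </sequence>
    <attribute name="Id" type="ID" use="required"/>
    <attribute name="Format" use="optional" default="PEM">
        <simpleType>
            <restriction base="string">
                <enumeration value="PEM"/>
                <enumeration value="DER"/>
            </restriction>
        </simpleType>
    </attribute>
    <anyAttribute namespace="##any" processContents="lax"/>
</complexType>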
287 <element name="FileCredResolver" type="shib:FileCredResolverType"/>
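<!-- Credential provided by an extension class named in the required Class attribute, with arbitrary
     lax-processed child content as its configuration. The schema places no restriction on which class
     may be named, so the consumer loading it should restrict the loadable set rather than trust the
     configuration document. -->
<complexType name="CustomCredResolverType">
    <annotation>
        <documentation xml:lang="en">Describes how to access a credential using an extension class.</documentation>
    </annotation>
    <sequence>
        <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
    <attribute name="Id" type="ID" use="required"/>
    <attribute name="Class" type="string" use="required"/>
    <anyAttribute namespace="##any" processContents="lax"/>
</complexType>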
300 <element name="CustomCredResolver" type="shib:CustomCredResolverType"/>
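<!-- Credential held in a Java keystore: Path, Alias and Password are required, AliasPassword optional,
     Type defaults to "JKS". Password and AliasPassword are clear-text secrets inside the configuration
     document; protect the document accordingly. Id is the xs:ID referenced by KeyUse. -->
<element name="KeyStoreResolver">
    <annotation>
        <documentation xml:lang="en">Describes credentials in a Java keystore.</documentation>
    </annotation>
    <complexType>
        <sequence/>
        <attribute name="Path" type="string" use="required"/>
        <attribute name="Alias" type="string" use="required"/>
        <attribute name="Password" type="string" use="required"/>
        <attribute name="AliasPassword" type="string" use="optional"/>
        <attribute name="Id" type="ID" use="required"/>
        <attribute name="Type" type="string" use="optional" default="JKS"/>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>
</element>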
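<!-- Selects a local credential for use: KeyRef (required) and CertificateRef (optional) are xs:IDREFs and
     must resolve to the Id of a resolver declared in the same document (only checked under schema
     validation). Optional Subject and RelyingParty entries are regexp_strings scoping when the credential
     applies; with none present the schema expresses no restriction, and a broad pattern widens the scope. -->
<complexType name="KeyUseType">
    <annotation>
        <documentation xml:lang="en">
        Binds a set of credentials to one or more named system entities with additional controls over
        which relying parties are capable of accepting them.
        </documentation>
    </annotation>
    <sequence>
        <element name="Subject" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
        <element name="RelyingParty" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
    <attribute name="KeyRef" type="IDREF" use="required"/>
    <attribute name="CertificateRef" type="IDREF" use="optional"/>
    <anyAttribute namespace="##any" processContents="lax"/>
</complexType>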
334 <element name="KeyUse" type="shib:KeyUseType"/>
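<!-- Root of the local credentials document: one or more credential sources (inline ds:KeyInfo, file,
     keystore or extension-class resolver) followed by one or more KeyUse bindings. Since file and
     keystore resolvers carry passwords in the clear, this document is itself sensitive. -->
<element name="Credentials">
    <annotation>
        <documentation xml:lang="en">A set of KeyUse data that provides local credentials.</documentation>
    </annotation>
    <complexType>
        <sequence>
            <choice maxOccurs="unbounded">
                <element ref="ds:KeyInfo"/>
                <element ref="shib:FileCredResolver"/>
                <element ref="shib:KeyStoreResolver"/>
                <element ref="shib:CustomCredResolver"/>
            </choice>
            <element ref="shib:KeyUse" maxOccurs="unbounded"/>
        </sequence>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>
</element>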