author | Björn Mattsson <bjorn@sunet.se> | 2023-10-19 16:05:58 +0200 |
---|---|---|
committer | Björn Mattsson <bjorn@sunet.se> | 2023-10-19 16:05:58 +0200 |
commit | af3487b9c4a9b630d88b55c2bcc4bedf257cab4a (patch) | |
tree | 2b6988b2c2cb434e8a14cad14430c0537a2d0c8f |
Added files from Wiki + base files for repo
-rw-r--r-- | Makefile | 14 | ||||
-rw-r--r-- | Shibboleth-IdP/v4/attribute-filter.xml | 281 | ||||
-rw-r--r-- | Shibboleth-IdP/v4/attribute-resolver.xml | 618 | ||||
-rw-r--r-- | Shibboleth-SP/v3/attribute-map.xml | 146 | ||||
-rw-r--r-- | Shibboleth-SP/v3/swamid-IIS-shibboleth2.xml | 92 | ||||
-rw-r--r-- | Shibboleth-SP/v3/swamid-apache-shibboleth2.xml | 71 | ||||
-rw-r--r-- | schema.xsd | 8 | ||||
-rw-r--r-- | schema/saml-schema-assertion-2.0.xsd | 283 | ||||
-rw-r--r-- | schema/saml-schema-metadata-2.0.xsd | 337 | ||||
-rw-r--r-- | schema/saml-schema-protocol-2.0.xsd | 302 | ||||
-rw-r--r-- | schema/shibboleth-2.0-attribute-map.xsd | 358 | ||||
-rw-r--r-- | schema/shibboleth-3.0-native-sp-config.xsd | 908 | ||||
-rw-r--r-- | schema/shibboleth-afp.xsd | 952 | ||||
-rw-r--r-- | schema/shibboleth-attribute-resolver.xsd | 2274 | ||||
-rw-r--r-- | schema/xenc-schema.xsd | 146 | ||||
-rw-r--r-- | schema/xml.xsd | 287 | ||||
-rwxr-xr-x | scripts/bump-tag | 43 | ||||
-rwxr-xr-x | scripts/do-update.sh | 3 | ||||
-rwxr-xr-x | scripts/verify-tag | 14 |
19 files changed, 7137 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..9d5b87a
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,14 @@
+MXML=$(shell find . -type f -name "*.xml")
+
+tag: schematest
+ ./scripts/bump-tag
+
+update: update-git
+ ./scripts/verify-tag && rsync -avz --delete ADFSToolkit/ Shibboleth-IdP/ Shibboleth-SP/ /opt/swamid-entity-configurations/
+
+update-git:
+ git checkout master && git reset --hard && git pull
+
+schematest:
+ @fail=false ; for x in $(MXML); do test=`xmllint --xinclude --nowarning --noout --path schema --schema schema.xsd $$x 2>&1`; rc=$$?; echo $$test | sed 's/fails to validate/[1;31m&[0m/;s/validates/[1;32m&[0m/'; if [ $$rc -gt 0 ]; then fail=true ; fi; done ; if $$fail ; then exit 1 ; fi
+
diff --git a/Shibboleth-IdP/v4/attribute-filter.xml b/Shibboleth-IdP/v4/attribute-filter.xml
new file mode 100644
index 0000000..94ed74c
--- /dev/null
+++ b/Shibboleth-IdP/v4/attribute-filter.xml
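Review bot: The `update` recipe passes `ADFSToolkit/` as an rsync source, but nothing under that directory is part of this commit (the diffstat lists only Makefile, Shibboleth-IdP/, Shibboleth-SP/, schema/ and scripts/), so on a fresh checkout rsync reports a missing source and the target fails even though `verify-tag` has already passed; either add the directory to the repository or drop it from the source list until it exists. In `schematest`, `echo $$test` expands xmllint's output unquoted, which collapses its whitespace and glob-expands any `*` in a message; `echo "$$test" | sed ...` keeps the text intact. Since `update-git` runs `git reset --hard` before the pull, any uncommitted local edits in the checkout are discarded silently, and because `update` then rsyncs with `--delete` into /opt/swamid-entity-configurations/, a one-line comment above the target stating that the working tree is treated as disposable and that the destination is fully overwritten would make that explicit for operators.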
@@ -0,0 +1,281 @@ +<?xml version="1.0" encoding="UTF-8"?> + +<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" + xmlns="urn:mace:shibboleth:2.0:afp" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd"> + + <!-- REFEDS Anonymous Authorization Entity Category --> + <AttributeFilterPolicy id="releaseToRefedsAnonymous"> + <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/anonymous" /> + <AttributeRule attributeID="eduPersonScopedAffiliation"> + <PermitValueRule xsi:type="ANY"/> + </AttributeRule> + <AttributeRule attributeID="schacHomeOrganization"> + <PermitValueRule xsi:type="ANY"/> + </AttributeRule> + </AttributeFilterPolicy> + + <!-- REFEDS Pseudonymous Authorization Entity Category --> + <!-- Supports data minimalisation to prevent use together with anonymous --> + <AttributeFilterPolicy id="releaseToRefedsPseudonymous"> + <PolicyRequirementRule xsi:type="AND"> + <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/pseudonymous" /> + <Rule xsi:type="NOT"> + <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/anonymous" /> + </Rule> + </PolicyRequirementRule> + <AttributeRule attributeID="samlPairwiseID"> + <PermitValueRule xsi:type="ANY"/> + </AttributeRule> + <AttributeRule attributeID="eduPersonScopedAffiliation"> + <PermitValueRule xsi:type="ANY"/> + </AttributeRule> + <AttributeRule attributeID="schacHomeOrganization"> + <PermitValueRule xsi:type="ANY"/> + </AttributeRule> + <AttributeRule attributeID="eduPersonAssurance"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + </AttributeFilterPolicy> + + <!-- REFEDS Personalized Access Entity Category --> + <!-- Supports data 
minimalisation to prevent use together with anonymous and pseudonymous--> + <AttributeFilterPolicy id="releaseToRefedsPersonalized"> + <PolicyRequirementRule xsi:type="AND"> + <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/personalized" /> + <Rule xsi:type="NOT"> + <Rule xsi:type="OR"> + <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/anonymous" /> + <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/pseudonymous" /> + </Rule> + </Rule> + </PolicyRequirementRule> + <AttributeRule attributeID="samlSubjectID"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="displayName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="givenName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="sn"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="mail"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonAssurance"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="schacHomeOrganization"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonScopedAffiliation"> + <PermitValueRule xsi:type="OR"> + <Rule xsi:type="Value" value="faculty" caseSensitive="false" /> + <Rule xsi:type="Value" value="student" caseSensitive="false"/> + <Rule xsi:type="Value" value="staff" caseSensitive="false"/> + <Rule xsi:type="Value" value="alum" caseSensitive="false"/> + <Rule xsi:type="Value" value="member" caseSensitive="false"/> + <Rule xsi:type="Value" value="affiliate" caseSensitive="false"/> + <Rule xsi:type="Value" value="employee" caseSensitive="false"/> + <Rule 
xsi:type="Value" value="library-walk-in" caseSensitive="false"/> + </PermitValueRule> + </AttributeRule> + </AttributeFilterPolicy> + + <!-- Rule to honour Subject ID requirement tag in metadata. Used in combination with Geant/Refeds Code of Conduct v* --> + <!-- Code of Conduct can be combined with other entity categories --> + <!-- Supports data minimalisation to prevent subject-id and pairwise-id being released together --> + <AttributeFilterPolicy id="subject-identifiers"> + <PolicyRequirementRule xsi:type="OR"> + <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" /> + <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/code-of-conduct/v2" /> + </PolicyRequirementRule> + <AttributeRule attributeID="samlPairwiseID"> + <PermitValueRule xsi:type="AND"> + <Rule xsi:type="NOT"> + <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/personalized" /> + </Rule> + <Rule xsi:type="OR"> + <Rule xsi:type="EntityAttributeExactMatch" attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="pairwise-id" /> + <Rule xsi:type="EntityAttributeExactMatch" attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="any" /> + </Rule> + </PermitValueRule> + </AttributeRule> + <AttributeRule attributeID="samlSubjectID"> + <PermitValueRule xsi:type="AND"> + <Rule xsi:type="NOT"> + <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/pseudonymous" /> + </Rule> + <Rule xsi:type="EntityAttributeExactMatch" 
attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="subject-id" /> + </PermitValueRule> + </AttributeRule> + </AttributeFilterPolicy> + + <!-- GEANT Data protection Code of Conduct or REFEDS Data Protection Code of Conduct Entity Category --> + <AttributeFilterPolicy id="releaseToCodeOfConduct"> + <PolicyRequirementRule xsi:type="OR"> + <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" /> + <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/code-of-conduct/v2" /> + </PolicyRequirementRule> + <AttributeRule attributeID="eduPersonTargetedID"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonPrincipalName"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonOrcid"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="norEduPersonNIN"> + <PermitValueRule xsi:type="AND"> + <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + <Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" /> + </PermitValueRule> + </AttributeRule> + <AttributeRule attributeID="personalIdentityNumber"> + <PermitValueRule xsi:type="AND"> + <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + <Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" /> + </PermitValueRule> + </AttributeRule> + <AttributeRule attributeID="schacDateOfBirth"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="mail"> + <PermitValueRule 
xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="mailLocalAddress"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="cn"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="displayName"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="givenName"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="sn"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonAssurance"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonScopedAffiliation"> + <PermitValueRule xsi:type="AND"> + <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + <Rule xsi:type="OR"> + <Rule xsi:type="Value" value="faculty" caseSensitive="false" /> + <Rule xsi:type="Value" value="student" caseSensitive="false" /> + <Rule xsi:type="Value" value="staff" caseSensitive="false" /> + <Rule xsi:type="Value" value="alum" caseSensitive="false" /> + <Rule xsi:type="Value" value="member" caseSensitive="false" /> + <Rule xsi:type="Value" value="affiliate" caseSensitive="false" /> + <Rule xsi:type="Value" value="employee" caseSensitive="false" /> + <Rule xsi:type="Value" value="library-walk-in" caseSensitive="false" /> + </Rule> + </PermitValueRule> + </AttributeRule> + <AttributeRule attributeID="eduPersonAffiliation"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="o"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="norEduOrgAcronym"> + 
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="c"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="co"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="schacHomeOrganization"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="schacHomeOrganizationType"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + </AttributeFilterPolicy> + + <!-- REFEDS Research and Scholarship Entity Category --> + <AttributeFilterPolicy id="releaseToRefedsResearchAndScholarship"> + <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship" /> + <AttributeRule attributeID="eduPersonTargetedID"> + <PermitValueRule xsi:type="NOT"> + <Rule xsi:type="Value" value="https://refeds.org/assurance/ID/eppn-unique-no-reassign" attributeID="eduPersonAssurance" /> + </PermitValueRule> + </AttributeRule> + <AttributeRule attributeID="displayName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="givenName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="sn"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="mail"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonAssurance"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonPrincipalName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonScopedAffiliation"> + <PermitValueRule xsi:type="OR"> + <Rule xsi:type="Value" value="faculty" caseSensitive="false" 
/> + <Rule xsi:type="Value" value="student" caseSensitive="false" /> + <Rule xsi:type="Value" value="staff" caseSensitive="false" /> + <Rule xsi:type="Value" value="alum" caseSensitive="false" /> + <Rule xsi:type="Value" value="member" caseSensitive="false" /> + <Rule xsi:type="Value" value="affiliate" caseSensitive="false" /> + <Rule xsi:type="Value" value="employee" caseSensitive="false" /> + <Rule xsi:type="Value" value="library-walk-in" caseSensitive="false" /> + </PermitValueRule> + </AttributeRule> + </AttributeFilterPolicy> + + <!-- ESI European Student Identifier --> + <AttributeFilterPolicy id="entity-category-european-student-identifier"> + <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://myacademicid.org/entity-categories/esi" /> + <AttributeRule attributeID="schacPersonalUniqueCode"> + <PermitValueRule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*" /> + </AttributeRule> + </AttributeFilterPolicy> + + <!-- Sectigo --> + <AttributeFilterPolicy id="releaseSectigoAttributeBundle"> + <PolicyRequirementRule xsi:type="Requester" value="https://cert-manager.com/shibboleth" /> + <AttributeRule attributeID="eduPersonPrincipalName"> + <PermitValueRule xsi:type="ANY"/> + </AttributeRule> + <AttributeRule attributeID="displayName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="givenName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="mail"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="sn"> + <PermitValueRule xsi:type="ANY"/> + </AttributeRule> + <AttributeRule attributeID="schacHomeOrganization"> + <PermitValueRule xsi:type="ANY"/> + </AttributeRule> + <AttributeRule attributeID="tcsPersonalEntitlement"> + <PermitValueRule xsi:type="ANY"/> + </AttributeRule> + </AttributeFilterPolicy> + + <!-- PLACEHOLDER DO NOT REMOVE --> 
+</AttributeFilterPolicyGroup> diff --git a/Shibboleth-IdP/v4/attribute-resolver.xml b/Shibboleth-IdP/v4/attribute-resolver.xml new file mode 100644 index 0000000..5171017 --- /dev/null +++ b/Shibboleth-IdP/v4/attribute-resolver.xml 
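Review bot: The closing `<!-- PLACEHOLDER DO NOT REMOVE -->` comment at the end of the hunk gives no hint of what consumes it, so a deployer cannot tell whether local policies belong above or below it; a comment naming the tool that inserts content there, e.g. `<!-- PLACEHOLDER DO NOT REMOVE: local AttributeFilterPolicy elements are inserted here by <TOOL-NAME> -->`, would make that clear. The `releaseSectigoAttributeBundle` policy releases eduPersonPrincipalName, mail and name attributes keyed on the `Requester` entityID alone, whereas norEduPersonNIN and personalIdentityNumber in `releaseToCodeOfConduct` are additionally bound with a `RegistrationAuthority` rule; if the Sectigo SP is only expected from one registrar, the same AND pattern would keep an identically-named entity from another metadata source from receiving the bundle, which seems worth a comment either way.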
@@ -0,0 +1,618 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ This file is an EXAMPLE configuration file for use within the
+ SWAMID federation containing lots of example attributes, encoders,
+ and a couple of example data connectors.
+
+ Not all attribute definitions or data connectors are demonstrated, but
+ a variety of LDAP attributes, some common to Shibboleth deployments and
+ many not, are included.
+
+ Deployers should refer to the Identity Provider documentation
+
+ https://wiki.shibboleth.net/confluence/display/IDP4/AttributeResolverConfiguration
+
+ for a complete list of components and their options.
+-->
+<AttributeResolver
+ xmlns="urn:mace:shibboleth:2.0:resolver"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+
+ <!-- ========================================== -->
+ <!-- Attribute Definitions -->
+ <!-- ========================================== -->
+
+ <!-- Schema: Core schema attributes-->
+ <AttributeDefinition xsi:type="Simple" id="uid">
+ <InputDataConnector ref="myLDAP" attributeNames="uid"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="mail">
+ <InputDataConnector ref="myLDAP" attributeNames="mail"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="homePhone">
+ <InputDataConnector ref="myLDAP" attributeNames="homePhone"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="homePostalAddress">
+ <InputDataConnector ref="myLDAP" attributeNames="homePostalAddress"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="mobileNumber">
+ <InputDataConnector ref="myLDAP" attributeNames="mobile"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="pagerNumber">
+ <InputDataConnector ref="myLDAP" attributeNames="pager"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="sn">
+ <InputDataConnector ref="myLDAP" attributeNames="sn"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="cn">
+ <InputDataConnector ref="myLDAP" attributeNames="cn"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="locality">
+ <InputDataConnector ref="myLDAP" attributeNames="l"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="stateProvince">
+ <InputDataConnector ref="myLDAP" attributeNames="st"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="street">
+ <InputDataConnector ref="myLDAP" attributeNames="street"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="o">
+ <InputDataConnector ref="staticAttributes" attributeNames="o"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="ou">
+ <InputDataConnector ref="myLDAP" attributeNames="ou"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="title">
+ <InputDataConnector ref="myLDAP" attributeNames="title"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="postalAddress">
+ <InputDataConnector ref="myLDAP" attributeNames="postalAddress"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="postalCode">
+ <InputDataConnector ref="myLDAP" attributeNames="postalCode"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="postOfficeBox">
+ <InputDataConnector ref="myLDAP" attributeNames="postOfficeBox"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="telephoneNumber">
+ <InputDataConnector ref="myLDAP" attributeNames="telephoneNumber"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="givenName">
+ <InputDataConnector ref="myLDAP" attributeNames="givenName"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="initials">
+ <InputDataConnector ref="myLDAP" attributeNames="initials"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- Schema: inetOrgPerson attributes-->
+ <AttributeDefinition xsi:type="Simple" id="departmentNumber">
+ <InputDataConnector ref="myLDAP" attributeNames="departmentNumber"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="displayName">
+ <InputDataConnector ref="myLDAP" attributeNames="displayName"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="employeeNumber">
+ <InputDataConnector ref="myLDAP" attributeNames="employeeNumber"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="employeeType">
+ <InputDataConnector ref="myLDAP" attributeNames="employeeType"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="jpegPhoto">
+ <InputDataConnector ref="myLDAP" attributeNames="jpegPhoto"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="preferredLanguage">
+ <InputDataConnector ref="myLDAP" attributeNames="preferredLanguage"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- Schema: eduPerson attributes -->
+ <AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation">
+ <InputDataConnector ref="myLDAP" attributeNames="eduPersonAffiliation" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="eduPersonEntitlement">
+ <InputDataConnector ref="myLDAP" attributeNames="eduPersonEntitlement"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="eduPersonNickname">
+ <InputDataConnector ref="myLDAP" attributeNames="eduPersonNickname"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="eduPersonPrimaryAffiliation">
+ <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrimaryAffiliation"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- Use this if the eduPersonPrincipalName is stored in myLDAP -->
+ <!--
+ <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName">
+ <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/>
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+ </AttributeDefinition>
+ -->
+
+ <!-- Or this if you want a scoped eduPersonPrincipalName. Change the attributeNames as appropriate to your LDAP -->
+ <AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}">
+ <InputDataConnector ref="myLDAP" attributeNames="uid"/>
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalNamePrior">
+ <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalNamePrior"/>
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" friendlyName="eduPersonPrincipalNamePrior" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}">
+ <InputDataConnector ref="myLDAP" attributeNames="eduPersonAffiliation"/>
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- filteredLDAPEduPersonAssurance script which checks if the user has AL2 or AL3 in LDAP and releases them together with appropriate similar RAF attributes -->
+ <!-- AL3 is only released if the SP has requested Refeds MFA authentication context -->
+ <!-- Output of this script must be used in the eduPersonAssurance attribute definition -->
+ <!-- NOTE WELL - You must ensure that you only release attribute values that your organisation has approval for! Read through this code and understand it fully before using it! -->
+ <AttributeDefinition id="filteredLDAPEduPersonAssurance" xsi:type="ScriptedAttribute">
+ <InputDataConnector ref="myLDAP" attributeNames="eduPersonAssurance"/>
+ <InputDataConnector ref="staticAttributes" attributeNames="allowedLDAPEduPersonAssurance"/>
+ <Script><![CDATA[
+ logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute.resolver.eppnbuilder");
+ mfaPrincipalName = "https://refeds.org/profile/mfa";
+ al3Assurance = "http://www.swamid.se/policy/assurance/al3"
+ al2Assurance = "http://www.swamid.se/policy/assurance/al2"
+ rafMedium = "https://refeds.org/assurance/IAP/medium"
+ rafHigh = "https://refeds.org/assurance/IAP/high"
+ rafLocalEnterprise = "https://refeds.org/assurance/IAP/local-enterprise"
+ rafCappuccino = "https://refeds.org/assurance/profile/cappuccino"
+ rafEspresso = "https://refeds.org/assurance/profile/espresso"
+ try {
+ // Loop over the eduPersonAssurance values stored in the backend
+ for(i = 0; i < eduPersonAssurance.getValues().size(); i++)
+ {
+ value = eduPersonAssurance.getValues().get(i);
+ // Check value against the static attribute id allowLDAPEduPersonAssurance which contains the values we can process below
+ if (allowedLDAPEduPersonAssurance.getValues().contains(value))
+ {
+ // If the user has AL2 in our backend, we add AL2, rafLocalEnterprise and rafMedium to eduPersonAssurance.
+ if (value == al2Assurance)
+ {
+ filteredLDAPEduPersonAssurance.addValue(value);
+ filteredLDAPEduPersonAssurance.addValue(rafMedium);
+ filteredLDAPEduPersonAssurance.addValue(rafCappuccino);
+ filteredLDAPEduPersonAssurance.addValue(rafLocalEnterprise);
+ }
+ // If the user has AL3 in our backend...
+ if (value == al3Assurance)
+ {
+ // Following ascertains if the SP has requested Refeds MFA
+ if (profileContext)
+ {
+ authenticationContext = profileContext.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
+ if(authenticationContext)
+ {
+ requestedPrincipalContext = authenticationContext.getSubcontext("net.shibboleth.idp.authn.context.RequestedPrincipalContext");
+ if(requestedPrincipalContext)
+ {
+ matchingPrincipal = requestedPrincipalContext.getMatchingPrincipal();
+ if (matchingPrincipal && matchingPrincipal.getName() == mfaPrincipalName)
+ {
+ // User is AL3 and we are logging in with MFA, release AL3 assurance, rafHigh and rafEspresso
+ filteredLDAPEduPersonAssurance.addValue(value);
+ filteredLDAPEduPersonAssurance.addValue(rafHigh);
+ filteredLDAPEduPersonAssurance.addValue(rafEspresso);
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ } catch(err) {
+ // Put a warning in the logs, might be wrong in LDAP, or this script! The static variables will still be released.
+ logger.info("eduPersonAssurance not set in LDAP.");
+ }
+ ]]>
+ </Script>
+ </AttributeDefinition>
+
+ <!-- eduPersonAssurance - output from script above together with the base RAF and AL1 that are always released -->
+ <!-- NOTE WELL: Your organisation must be approved for at least AL1 to use this! -->
+ <AttributeDefinition xsi:type="Simple" id="eduPersonAssurance">
+ <InputAttributeDefinition ref="filteredLDAPEduPersonAssurance" />
+ <InputDataConnector ref="staticAttributes" attributeNames="refedsAssuranceFramework assuranceLevel1"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="eduPersonOrcid">
+ <InputDataConnector ref="myLDAP" attributeNames="eduPersonOrcid"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonOrcid" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.16" friendlyName="eduPersonOrcid" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- Deprecated eduPersonUniqueId -->
+ <!--
+ <AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId" scope="%{idp.scope}">
+ <InputDataConnector ref="myLDAP" attributeNames="uid"/>
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" />
+ </AttributeDefinition>
+ -->
+
+ <!-- Schema: norEdu* attributes -->
+ <AttributeDefinition xsi:type="Simple" id="norEduPersonLegalName">
+ <InputDataConnector ref="myLDAP" attributeNames="norEduPersonLegalName"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduPersonLegalName" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.10" friendlyName="norEduPersonLegalName" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="norEduPersonNIN">
+ <InputDataConnector ref="myLDAP" attributeNames="norEduPersonNIN"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduPersonNIN" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.5" friendlyName="norEduPersonNIN" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="norEduPersonLIN">
+ <InputDataConnector ref="myLDAP" attributeNames="norEduPersonLIN"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduPersonLIN" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.4" friendlyName="norEduPersonLIN" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="norEduPersonBirthDate">
+ <InputDataConnector ref="myLDAP" attributeNames="norEduPersonBirthDate"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduPersonBirthDate" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.3" friendlyName="norEduPersonBirthDate" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="norEduOrgUniqueIdentifier">
+ <InputDataConnector ref="myLDAP" attributeNames="norEduOrgUniqueIdentifier"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgUniqueIdentifier" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.7" friendlyName="norEduOrgUniqueIdentifier" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="norEduOrgUnitUniqueIdentifier">
+ <InputDataConnector ref="myLDAP" attributeNames="norEduOrgUnitUniqueIdentifier"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgUnitUniqueIdentifier" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.8" friendlyName="norEduOrgUnitUniqueIdentifier" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="norEduOrgNIN">
+ <InputDataConnector ref="myLDAP" attributeNames="norEduOrgNIN"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgNIN" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.12" friendlyName="norEduOrgNIN" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="norEduOrgUniqueNumber">
+ <InputDataConnector ref="myLDAP" attributeNames="norEduOrgUniqueNumber"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgUniqueNumber" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.1" friendlyName="norEduOrgUniqueNumber" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="norEduOrgUnitUniqueNumber">
+ <InputDataConnector ref="myLDAP" attributeNames="norEduOrgUnitUniqueNumber"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgUnitUniqueNumber" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.2" friendlyName="norEduOrgUnitUniqueNumber" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- Schema: SCHema for ACademia (SCHAC) -->
+ <!-- This takes the norEduPersonNIN and returns the date of birth part. -->
+ <!-- Uncomment InputAttributeDefinition if norEduPersonNIN is generated by a script or InputDataConnector if it is an attribute in LDAP -->
+ <AttributeDefinition xsi:type="RegexSplit" id="schacDateOfBirth" regex="^((18|19|20)?[0-9]{2}((0[0-9])|(10|11|12))((([0-2][0-9])|(3[0-1]))|((6[1-9])|([7-8][0-9])|(9[0-1])))).*$">
+ <!-- <InputAttributeDefinition ref="norEduPersonNIN"/> -->
+ <!-- <InputDataConnector ref="myLDAP" attributeNames="norEduPersonNIN" /> -->
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacDateOfBirth" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.3" friendlyName="schacDateOfBirth" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- This is a multi-value attribute that can be used for many use cases, for example the European Student Identifier (ESI). -->
+ <AttributeDefinition xsi:type="Simple" id="schacPersonalUniqueCode">
+ <InputDataConnector ref="myLDAP" attributeNames="schacPersonalUniqueCode" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacPersonalUniqueCode" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.14" friendlyName="schacPersonalUniqueCode" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- Alternative to above for when European Student Identifier (ESI) is not included in schacPersonalUniqueCode, uuid part is existing in another -->
+ <!-- LDAP attribute and needs to be concatenated with the first part of the string to form the complete schacPersonalUniqueCode. This example -->
+ <!-- simply uses the fictional attribute ExterntStudentUID. This needs to be changed in three places to the attribute you are actually using! -->
+ <!--
+ <AttributeDefinition xsi:type="ScriptedAttribute" id="schacPersonalUniqueCode">
+ <InputDataConnector ref="myLDAP" attributeNames="ExterntStudentUID" />
+ <Script>
+ <![CDATA[
+ if (ExterntStudentUID) {
+ value=ExterntStudentUID.getValues().get(0);
+ schacPersonalUniqueCode.getValues().add("urn:schac:personalUniqueCode:int:esi:ladok.se:externtstudentuid-" + value);
+ }
+ ]]>
+ </Script>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacPersonalUniqueCode" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.14" friendlyName="schacPersonalUniqueCode" encodeType="false" />
+ </AttributeDefinition>
+ -->
+
+ <!-- Static Attributes -->
+ <AttributeDefinition xsi:type="Simple" id="co">
+ <InputDataConnector ref="staticAttributes" attributeNames="co"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:co" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.43" friendlyName="co" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="c">
+ <InputDataConnector ref="staticAttributes" attributeNames="c"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:c" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.6" friendlyName="c" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="schacHomeOrganization">
+ <InputDataConnector ref="staticAttributes" attributeNames="schacHomeOrganization"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="schacHomeOrganizationType">
+ <InputDataConnector ref="staticAttributes" attributeNames="schacHomeOrganizationType"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganizationType" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.10" friendlyName="schacHomeOrganizationType" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Simple" id="norEduOrgAcronym">
+ <InputDataConnector ref="staticAttributes" attributeNames="norEduOrgAcronym"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- Schema: SAML Subject ID Attributes -->
+ <AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}">
+ <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/>
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:subject-id" friendlyName="subject-id" encodeType="false" />
+ </AttributeDefinition>
+
+ <AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
+ <InputDataConnector ref="computed" attributeNames="computedId"/>
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:pairwise-id" friendlyName="pairwise-id" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- Deprecated SWAMID eduPersonTargetedID -->
+ <AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
+ <InputDataConnector ref="StoredId" attributeNames="persistentId"/>
+ <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- Swedish eID Framework, personalIdentityNumber. Release norEduPersonNIN if it only contains numbers (filter out interim numbers) -->
+ <!-- Uncomment InputAttributeDefinition if norEduPersonNIN is generated by a script or InputDataConnector if it is an attribute in LDAP -->
+ <AttributeDefinition xsi:type="RegexSplit" id="personalIdentityNumber" regex="^((18|19|20)?[0-9]{2}((0[0-9])|(10|11|12))((([0-2][0-9])|(3[0-1]))|((6[1-9])|([7-8][0-9])|(9[0-1])))[0-9]{4})$">
+ <!-- <InputAttributeDefinition ref="norEduPersonNIN"/> -->
+ <!-- <InputDataConnector ref="myLDAP" attributeNames="norEduPersonNIN" /> -->
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:personalIdentityNumber" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.2.752.29.4.13" friendlyName="personalIdentityNumber" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- mailLocalAddress is used for services that may need access to more than one mail address for the user -->
+ <AttributeDefinition xsi:type="Simple" id="mailLocalAddress">
+ <InputDataConnector ref="myLDAP" attributeNames="mailLocalAddress"/>
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mailLocalAddress" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.13" friendlyName="mailLocalAddress" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- ========================================== -->
+ <!-- Data Connectors -->
+ <!-- ========================================== -->
+
+ <!-- Example Static Connector -->
+ <DataConnector id="staticAttributes" xsi:type="Static">
+ <Attribute id="o">
+ <Value>ORGANIZATION_NAME</Value>
+ </Attribute>
+ <Attribute id="norEduOrgAcronym">
+ <Value>ORGANIZATION_ACRONYM</Value>
+ </Attribute>
+ <Attribute id="c">
+ <Value>ISO_COUNTRY_CODE</Value>
+ </Attribute>
+ <Attribute id="co">
+ <Value>ISO_COUNTRY_NAME</Value>
+ </Attribute>
+ <Attribute id="schacHomeOrganization">
+ <Value>SCHAC_HOME_ORG_DOMAIN_NAME</Value>
+ </Attribute>
+ <Attribute id="schacHomeOrganizationType">
+ <Value>urn:schac:homeOrganizationType:eu:higherEducationInstitution</Value>
+<!-- This value is for EU higher education institution, other allowed values are:
+ - urn:schac:homeOrganizationType:eu:educationInstitution
+ - urn:schac:homeOrganizationType:int:NREN
+ - urn:schac:homeOrganizationType:int:universityHospital
+ - urn:schac:homeOrganizationType:int:NRENAffiliate
+ - urn:schac:homeOrganizationType:int:other
+-->
+ </Attribute>
+
+ <!-- Refeds Assurance Framework and eduPersonAssurance -->
+ <!-- Use following in conjunction with scripted attribute filteredEduPersonAssurance -->
+ <Attribute id="allowedLDAPEduPersonAssurance">
+ <Value>http://www.swamid.se/policy/assurance/al2</Value>
+ <Value>http://www.swamid.se/policy/assurance/al3</Value>
+ </Attribute>
+
+ <!-- Use following in conjunction with attribute eduPersonAssurance -->
+ <Attribute id="assuranceLevel1">
+ <Value>http://www.swamid.se/policy/assurance/al1</Value>
+ <Value>https://refeds.org/assurance/IAP/low</Value>
+ </Attribute>
+
+ <!-- Refeds Assurance Framework static value, used in conjunction with scripted attribute filteredEduPersonAssurance -->
+ <Attribute id="refedsAssuranceFramework">
+ <Value>https://refeds.org/assurance</Value>
+ <Value>https://refeds.org/assurance/ID/unique</Value>
+ <Value>https://refeds.org/assurance/ID/eppn-unique-no-reassign</Value>
+ <Value>https://refeds.org/assurance/ATP/ePA-1m</Value>
+ </Attribute>
+
+ </DataConnector>
+
+ <DataConnector id="StoredId"
+ xsi:type="StoredId"
+ generatedAttributeID="persistentId"
+ salt="%{idp.persistentId.salt}">
+ <InputAttributeDefinition ref="%{idp.persistentId.sourceAttribute}"/>
+ <BeanManagedConnection>MyGlobalDataSource</BeanManagedConnection>
+ </DataConnector>
+
+ <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
+ principal="%{idp.attribute.resolver.LDAP.bindDN}"
+ principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+ useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+ trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
+ </DataConnector>
+
+ <!-- Example Relational Database Connector -->
+ <!--
+ <DataConnector id="mySIS" xsi:type="RelationalDatabase">
+ <ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
+ jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
+ jdbcUserName="myid"
+ jdbcPassword="mypassword" />
+ <QueryTemplate>
+ <![CDATA[
+ SELECT * FROM student WHERE gzbtpid = '$resolutionContext.principal'
+ ]]>
+ </QueryTemplate>
+
+ <Column columnName="gzbtpid" attributeID="uid" />
+ <Column columnName="fqlft" attributeID="gpa" />
+ </DataConnector>
+ -->
+
+ <!-- Example LDAP Connector -->
+ <!--
+ <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
+ principal="%{idp.attribute.resolver.LDAP.bindDN}"
+ principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+ useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+ connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
+ trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
+ responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
+ <ConnectionPool
+ minPoolSize="%{idp.pool.LDAP.minSize:3}"
+ maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
+ blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
+ validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
+ validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
+ expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
+ failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
+ </DataConnector>
+ -->
+
+ <!-- DataConector for pairwise-id (example depends on saml-nameid.properties). -->
+ <DataConnector id="computed" xsi:type="ComputedId"
+ generatedAttributeID="computedId"
+ salt="%{idp.persistentId.salt}"
+ algorithm="%{idp.persistentId.algorithm:SHA}"
+ encoding="%{idp.persistentId.encoding:BASE32}">
+
+ <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
+
+ </DataConnector>
+
+
+</AttributeResolver>
diff --git a/Shibboleth-SP/v3/attribute-map.xml b/Shibboleth-SP/v3/attribute-map.xml
new file mode 100644
index 0000000..053e327
--- /dev/null
+++ b/Shibboleth-SP/v3/attribute-map.xml
@@ -0,0 +1,146 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ <!--
+ SWAMID standard attribute-map.xml for SAML 2.0
+ ==============================================
+ The mappings are agreed to within the Shibboleth community or directly LDAP attribute names.
+
+ Version: 2023-10-18
+
+ REMEMBER to notify SWAMID saml-admins list when updating this file!
+ -->
+
+ <!-- New standard identifier attributes for SAML. -->
+ <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+
+ <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+
+ <!-- Swedish -->
+ <Attribute name="urn:oid:1.2.752.29.4.13" id="personalIdentityNumber"/>
+
+ <!-- A persistent id attribute that supports personalized anonymous access. -->
+ <!-- First, the eduPerson version with OID-style name: -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+ <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+ </Attribute>
+ <!-- Second, the SAML 2.0 NameID Format: -->
+ <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+ <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+ </Attribute>
+
+ <!-- eduPerson attributes until version 201602 -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" id="prior-eppn">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" id="unique-id"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.16" id="orcid"/>
+
+ <!-- eduMember attributes until version 200507 -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+
+ <!-- eduCourse attributes until version 200507 -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+ <!-- Attributes from the Nordic LDAP schema norEdu* until version 1.6 -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.10" id="norEduPersonLegalName"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.5" id="norEduPersonNIN"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.4" id="norEduPersonLIN"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.6" id="norEduOrgAcronym"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.3" id="norEduPersonBirthDate"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.13" id="norEduPersonServiceAuthnLevel"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.14" id="norEduPersonAuthnMethod"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.7" id="norEduOrgUniqueIdentifier"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.8" id="norEduOrgUnitUniqueIdentifier"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.12" id="norEduOrgNIN"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.1" id="norEduOrgUniqueNumber"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.2" id="norEduOrgUnitUniqueNumber"/>
+
+ <!-- Attributes from the European SCHema for ACademia (SCHAC) until version 1.5.0 -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.1" id="schacMotherTongue"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.2" id="schacGender"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.3" id="schacDateOfBirth"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.4" id="schacPlaceOfBirth"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.5" id="schacCountryOfCitizenship"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.6" id="schacSn1"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.7" id="schacSn2"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.8" id="schacPersonalTitle"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.11" id="schacCountryOfResidence"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.12" id="schacUserPresenceID"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.13" id="schacPersonalPosition"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="schacPersonalUniqueCode"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="schacPersonalUniqueID"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.17" id="schacExpiryDate"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.18" id="schacUserPrivateAttribute"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="schacUserStatus"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.20" id="schacProjectMembership"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.21" id="schacProjectSpecificRole"/>
+
+ <!-- Attributes from the late Swedish Alliance for Middleware Infrastructure (SWAMI) -->
+ <!-- GMAI authorization tuples, mostly sent as eduPersonEntitlement (entitlement above) -->
+ <Attribute name="urn:oid:1.2.752.104.2.3.1" id="swamiGmaiAssertion"/>
+ <!-- Unique identifier for billing recipients -->
+ <Attribute name="urn:oid:1.2.752.104.3.1.1" id="swamiBillingIdentifier"/>
+ <!-- Identifying a recipient of a monetary transfer within a single financials system -->
+ <Attribute name="urn:oid:1.2.752.104.3.1.2" id="swamiCostCenterIdentifier"/>
+
+ <!-- Attribute to extract SWAMID Assurance Profiles -->
+ <Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="Assurance-Certification"/>
+
+ <!-- Examples of standard LDAP-based attributes -->
+ <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+ <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+ <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+ <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+ <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+ <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+ <Attribute name="urn:oid:2.5.4.12" id="title"/>
+ <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+ <Attribute name="urn:oid:2.5.4.13" id="description"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.13" id="mailLocalAddress"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+ <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+ <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+ <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+ <Attribute name="urn:oid:2.5.4.9" id="street"/>
+ <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+ <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+ <Attribute name="urn:oid:2.5.4.8" id="st"/>
+ <Attribute name="urn:oid:2.5.4.7" id="l"/>
+ <Attribute name="urn:oid:2.5.4.10" id="o"/>
+ <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+ <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+ <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+ <Attribute name="urn:oid:0.9.2342.19200300.100.1.43" id="friendlyCountryName"/>
+ <Attribute name="urn:oid:2.5.4.6" id="countryName"/>
+
+</Attributes>
diff --git a/Shibboleth-SP/v3/swamid-IIS-shibboleth2.xml b/Shibboleth-SP/v3/swamid-IIS-shibboleth2.xml
new file mode 100644
index 0000000..fdc0dc9
--- /dev/null
+++ b/Shibboleth-SP/v3/swamid-IIS-shibboleth2.xml
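Review bot: `unique-id` (`urn:oid:1.3.6.1.4.1.5923.1.1.1.13`, eduPersonUniqueId) is mapped as a plain string although it is a scoped `localpart@scope` identifier like eppn and subject-id, which this same map decodes with ScopedAttributeDecoder; without a scoped decoder the attribute-policy.xml referenced from shibboleth2.xml has no scope to compare against the asserting IdP's metadata, so an IdP could present a unique-id carrying another institution's scope unchallenged. I'd align it with the other identifiers: `<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" id="unique-id">` / `<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>` / `</Attribute>`, paired with a scope rule in attribute-policy.xml (not part of this commit). The map also exposes the Swedish personal identity number (`personalIdentityNumber`, `norEduPersonNIN`) and other sensitive values (`schacDateOfBirth`, `schacPersonalUniqueID`) with no guidance; a comment above the Swedish section such as `<!-- Sensitive identifiers: this map only decodes them; restrict which IdPs may assert them in attribute-policy.xml -->` would make clear that release control lives elsewhere.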
@@ -0,0 +1,92 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+ xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ clockSkew="180">
+
+ <InProcess logger="native.logger">
+ <ISAPI normalizeRequest="true" safeHeaderNames="true">
+ <Site id="1" name="swamidsp.example.org" scheme="https" port="443"/>
+ </ISAPI>
+ </InProcess>
+
+ <RequestMapper type="Native">
+ <RequestMap>
+ <Host name="swamidsp.example.org">
+ <Path name="myswamidapp" requireSession="true" authType="shibboleth"/>
+ </Host>
+ </RequestMap>
+ </RequestMapper>
+
+ <ApplicationDefaults entityID="https://swamidsp.example.org/shibboleth"
+ REMOTE_USER="eppn persistent-id targeted-id"
+ metadataAttributePrefix="Meta-">
+ <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+ redirectLimit="exact"
+ checkAddress="false" handlerSSL="true" cookieProps="http" sameSiteFallback="true">
+
+ <Logout>SAML2 Local</Logout>
+
+ <SessionInitiator type="Chaining" Location="/DS/Login" id="swamid-ds-default" relayState="cookie">
+ <SessionInitiator type="SAML2" acsIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
+ <SessionInitiator type="Shib1" acsIndex="5"/>
+ <SessionInitiator type="SAMLDS" URL="https://service.seamlessaccess.org/ds/"/>
+ </SessionInitiator>
+
+ <md:AssertionConsumerService Location="/SAML2/POST" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ conf:ignoreNoPassive="true"/>
+
+ <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+ <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+ <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+ <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+
+
+ <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+ </Sessions>
+
+ <Errors supportContact="webmaster@example.org"
+ helpLocation="/about.html"
+ styleSheet="/shibboleth-sp/main.css"/>
+
+ <MetadataProvider type="MDQ" id="mdq.swamid.se" ignoreTransport="true" cacheDirectory="mdq.swamid.se"
+ baseUrl="https://mds.swamid.se/">
+ <MetadataFilter type="Signature" certificate="md-signer2.crt"/>
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+ </MetadataProvider>
+
+ <!-- "Old" way -->
+ <!--
+ <MetadataProvider
+ type="XML"
+ url="https://mds.swamid.se/md/swamid-idp-transitive.xml"
+ backingFilePath="swamid-idp-transitive.xml" reloadInterval="14400">
+ <MetadataFilter type="Signature" certificate="md-signer2.crt" verifyBackup="false" />
+ </MetadataProvider>
+ -->
+
+ <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+ <AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName" registrationAuthority="registrationAuthority"/>
+
+ <AttributeResolver type="Query" subjectMatch="true"/>
+
+ <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+ <CredentialResolver type="File" use="signing"
+ key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+ <CredentialResolver type="File" use="encryption"
+ key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
+
+ </ApplicationDefaults>
+
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
diff --git a/Shibboleth-SP/v3/swamid-apache-shibboleth2.xml b/Shibboleth-SP/v3/swamid-apache-shibboleth2.xml
new file mode 100644
index 0000000..55159a6
--- /dev/null
+++ b/Shibboleth-SP/v3/swamid-apache-shibboleth2.xml
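Review bot: The `<Sessions>` element combines `handlerSSL="true"` with `cookieProps="http"`, so the SP session cookie is issued without the Secure attribute even though the only site declared under `<ISAPI>` is `scheme="https" port="443"`; a browser will then also attach that cookie to any plain-http request for swamidsp.example.org and the session identifier can be captured on the wire. With handlers already restricted to TLS the consistent setting is the `https` shorthand (HttpOnly plus Secure): `checkAddress="false" handlerSSL="true" cookieProps="https" sameSiteFallback="true">`. If some protected path were still served over plain http the cookie would simply not be presented there, which is the correct failure mode for an https-only site. The commented-out "Old way" MetadataProvider keeps `verifyBackup="false"` (skipping signature verification of the cached backing file) and lacks the `RequireValidUntil` filter the active MDQ provider has, so reactivating it by uncommenting silently weakens metadata verification; either drop those lines or annotate them with `<!-- if re-enabled: remove verifyBackup="false" and add the RequireValidUntil filter -->`.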
@@ -0,0 +1,71 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+ xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ clockSkew="180">
+ <ApplicationDefaults entityID="https://swamidsp.example.org/shibboleth"
+ REMOTE_USER="eppn persistent-id targeted-id"
+ metadataAttributePrefix="Meta-">
+
+ <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+ redirectLimit="exact"
+ checkAddress="false" handlerSSL="true" cookieProps="http" sameSiteFallback="true">
+
+ <Logout>SAML2 Local</Logout>
+
+ <SessionInitiator type="Chaining" Location="/DS/Login" id="swamid-ds-default" relayState="cookie">
+ <SessionInitiator type="SAML2" acsIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
+ <SessionInitiator type="Shib1" acsIndex="5"/>
+ <SessionInitiator type="SAMLDS" URL="https://service.seamlessaccess.org/ds/"/>
+ </SessionInitiator>
+
+ <md:AssertionConsumerService Location="/SAML2/POST" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ conf:ignoreNoPassive="true"/>
+
+ <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+ <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+ <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+ <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+
+ <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+
+ </Sessions>
+
+ <Errors supportContact="webmaster@example.org"
+ helpLocation="/about.html"
+ styleSheet="/shibboleth-sp/main.css"/>
+
+ <MetadataProvider type="MDQ" id="mdq.swamid.se" ignoreTransport="true" cacheDirectory="mdq.swamid.se"
+ baseUrl="https://mds.swamid.se/">
+ <MetadataFilter type="Signature" certificate="md-signer2.crt"/>
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+ </MetadataProvider>
+
+ <!-- "Old" way -->
+ <!--
+ <MetadataProvider
+ type="XML"
+ url="https://mds.swamid.se/md/swamid-idp-transitive.xml"
+ backingFilePath="swamid-idp-transitive.xml" reloadInterval="14400">
+ <MetadataFilter type="Signature" certificate="md-signer2.crt" verifyBackup="false" />
+ </MetadataProvider>
+ -->
+
+ <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+ <AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName" registrationAuthority="registrationAuthority"/>
+
+ <AttributeResolver type="Query" subjectMatch="true"/>
+
+ <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+ <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+ </ApplicationDefaults>
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
diff --git a/schema.xsd b/schema.xsd
new file mode 100644
index 0000000..fc176e6
--- /dev/null
+++ b/schema.xsd
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema targetNamespace="aggregate" xmlns="http://www.w3.org/2001/XMLSchema" version="1.2">
+<import namespace="urn:mace:shibboleth:2.0:afp" schemaLocation="shibboleth-afp.xsd"/>
+<import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>
+<import namespace="urn:mace:shibboleth:3.0:native:sp:config" schemaLocation="shibboleth-3.0-native-sp-config.xsd"/>
+<import namespace="urn:mace:shibboleth:2.0:attribute-map" schemaLocation="shibboleth-2.0-attribute-map.xsd"/>
+<import namespace="urn:mace:shibboleth:2.0:resolver" schemaLocation="shibboleth-attribute-resolver.xsd"/>
+</schema>
diff --git a/schema/saml-schema-assertion-2.0.xsd b/schema/saml-schema-assertion-2.0.xsd
new file mode 100644
index 0000000..478ddfa
--- /dev/null
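Review bot: `REMOTE_USER="eppn persistent-id targeted-id"` names `targeted-id`, but the attribute-map.xml added in this commit defines no Attribute with that id (the eduPersonTargetedID OID `1.3.6.1.4.1.5923.1.1.1.10` is mapped as `persistent-id`), while `subject-id` and `pairwise-id`, which that map does decode, are absent from the list; unless a local map adds `targeted-id`, REMOTE_USER can only ever be filled from eppn or persistent-id. Suggest `REMOTE_USER="eppn subject-id pairwise-id persistent-id"`, or a comment stating that `targeted-id` is kept only for locally extended maps. The same `<Sessions>` line pairs `handlerSSL="true"` with `cookieProps="http"`, which leaves the session cookie without the Secure attribute on an SP whose handlers are TLS-only; if the Apache vhost also answers on port 80 the cookie is sent there in clear, so `cookieProps="https"` is the safer setting. The commented-out XML MetadataProvider still carries `verifyBackup="false"` and no `RequireValidUntil` filter, unlike the active MDQ provider; a note beside it that both must be fixed before re-enabling would stop the weaker settings from returning via copy-paste.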
+++ b/schema/saml-schema-assertion-2.0.xsd
@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+ <import namespace="http://www.w3.org/2000/09/xmldsig#"
+ schemaLocation="xmldsig-core-schema.xsd"/>
+ <import namespace="http://www.w3.org/2001/04/xmlenc#"
+ schemaLocation="xenc-schema.xsd"/>
+ <annotation>
+ <documentation>
+ Document identifier: saml-schema-assertion-2.0
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
+ Revision history:
+ V1.0 (November, 2002):
+ Initial Standard Schema.
+ V1.1 (September, 2003):
+ Updates within the same V1.0 namespace.
+ V2.0 (March, 2005):
+ New assertion schema for SAML V2.0 namespace.
+ </documentation>
+ </annotation>
+ <attributeGroup name="IDNameQualifiers">
+ <attribute name="NameQualifier" type="string" use="optional"/>
+ <attribute name="SPNameQualifier" type="string" use="optional"/>
+ </attributeGroup>
+ <element name="BaseID" type="saml:BaseIDAbstractType"/>
+ <complexType name="BaseIDAbstractType" abstract="true">
+ <attributeGroup ref="saml:IDNameQualifiers"/>
+ </complexType>
+ <element name="NameID" type="saml:NameIDType"/>
+ <complexType name="NameIDType">
+ <simpleContent>
+ <extension base="string">
+ <attributeGroup ref="saml:IDNameQualifiers"/>
+ <attribute name="Format" type="anyURI" use="optional"/>
+ <attribute name="SPProvidedID" type="string" use="optional"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ <complexType name="EncryptedElementType">
+ <sequence>
+ <element ref="xenc:EncryptedData"/>
+ <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+ <element name="EncryptedID" type="saml:EncryptedElementType"/>
+ <element name="Issuer" type="saml:NameIDType"/>
+ <element name="AssertionIDRef" type="NCName"/>
+ <element name="AssertionURIRef" type="anyURI"/>
+ <element name="Assertion" type="saml:AssertionType"/>
+ <complexType name="AssertionType">
+ <sequence>
+ <element ref="saml:Issuer"/>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="saml:Subject" minOccurs="0"/>
+ <element ref="saml:Conditions" minOccurs="0"/>
+ <element ref="saml:Advice" minOccurs="0"/>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:Statement"/>
+ <element ref="saml:AuthnStatement"/>
+ <element ref="saml:AuthzDecisionStatement"/>
+ <element ref="saml:AttributeStatement"/>
+ </choice>
+ </sequence>
+ <attribute name="Version" type="string" use="required"/>
+ <attribute name="ID" type="ID" use="required"/>
+ <attribute name="IssueInstant" type="dateTime" use="required"/>
+ </complexType>
+ <element name="Subject" type="saml:SubjectType"/>
+ <complexType name="SubjectType">
+ <choice>
+ <sequence>
+ <choice>
+ <element ref="saml:BaseID"/>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
+ </choice>
+ </complexType>
+ <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+ <complexType name="SubjectConfirmationType">
+ <sequence>
+ <choice minOccurs="0">
+ <element ref="saml:BaseID"/>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+ </sequence>
+ <attribute name="Method" type="anyURI" use="required"/>
+ </complexType>
+ <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
+ <complexType name="SubjectConfirmationDataType" mixed="true">
+ <complexContent>
+ <restriction base="anyType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="NotBefore" type="dateTime" use="optional"/>
+ <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+ <attribute name="Recipient" type="anyURI" use="optional"/>
+ <attribute name="InResponseTo" type="NCName" use="optional"/>
+ <attribute name="Address" type="string" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </restriction>
+ </complexContent>
+ </complexType>
+ <complexType name="KeyInfoConfirmationDataType" mixed="false">
+ <complexContent>
+ <restriction base="saml:SubjectConfirmationDataType">
+ <sequence>
+ <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+ </sequence>
+ </restriction>
+ </complexContent>
+ </complexType>
+ <element name="Conditions" type="saml:ConditionsType"/>
+ <complexType name="ConditionsType">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:Condition"/>
+ <element ref="saml:AudienceRestriction"/>
+ <element ref="saml:OneTimeUse"/>
+ <element ref="saml:ProxyRestriction"/>
+ </choice>
+ <attribute name="NotBefore" type="dateTime" use="optional"/>
+ <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+ </complexType>
+ <element name="Condition" type="saml:ConditionAbstractType"/>
+ <complexType name="ConditionAbstractType" abstract="true"/>
+ <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
+ <complexType name="AudienceRestrictionType">
+ <complexContent>
+ <extension base="saml:ConditionAbstractType">
+ <sequence>
+ <element ref="saml:Audience" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="Audience" type="anyURI"/>
+ <element name="OneTimeUse" type="saml:OneTimeUseType" />
+ <complexType name="OneTimeUseType">
+ <complexContent>
+ <extension base="saml:ConditionAbstractType"/>
+ </complexContent>
+ </complexType>
+ <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
+ <complexType name="ProxyRestrictionType">
+ <complexContent>
+ <extension base="saml:ConditionAbstractType">
+ <sequence>
+ <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Count" type="nonNegativeInteger" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="Advice" type="saml:AdviceType"/>
+ <complexType name="AdviceType">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:AssertionIDRef"/>
+ <element ref="saml:AssertionURIRef"/>
+ <element ref="saml:Assertion"/>
+ <element ref="saml:EncryptedAssertion"/>
+ <any namespace="##other" processContents="lax"/>
+ </choice>
+ </complexType>
+ <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
+ <element name="Statement" type="saml:StatementAbstractType"/>
+ <complexType name="StatementAbstractType" abstract="true"/>
+ <element name="AuthnStatement" type="saml:AuthnStatementType"/>
+ <complexType name="AuthnStatementType">
+ <complexContent>
+ <extension base="saml:StatementAbstractType">
+ <sequence>
+ <element ref="saml:SubjectLocality" minOccurs="0"/>
+ <element ref="saml:AuthnContext"/>
+ </sequence>
+ <attribute name="AuthnInstant" type="dateTime" use="required"/>
+ <attribute name="SessionIndex" type="string" use="optional"/>
+ <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+ <complexType name="SubjectLocalityType">
+ <attribute name="Address" type="string" use="optional"/>
+ <attribute name="DNSName" type="string" use="optional"/>
+ </complexType>
+ <element name="AuthnContext" type="saml:AuthnContextType"/>
+ <complexType name="AuthnContextType">
+ <sequence>
+ <choice>
+ <sequence>
+ <element ref="saml:AuthnContextClassRef"/>
+ <choice minOccurs="0">
+ <element ref="saml:AuthnContextDecl"/>
+ <element ref="saml:AuthnContextDeclRef"/>
+ </choice>
+ </sequence>
+ <choice>
+ <element ref="saml:AuthnContextDecl"/>
+ <element ref="saml:AuthnContextDeclRef"/>
+ </choice>
+ </choice>
+ <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+ <element name="AuthnContextClassRef" type="anyURI"/>
+ <element name="AuthnContextDeclRef" type="anyURI"/>
+ <element name="AuthnContextDecl" type="anyType"/>
+ <element name="AuthenticatingAuthority" type="anyURI"/>
+ <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
+ <complexType name="AuthzDecisionStatementType">
+ <complexContent>
+ <extension base="saml:StatementAbstractType">
+ <sequence>
+ <element ref="saml:Action" maxOccurs="unbounded"/>
+ <element ref="saml:Evidence" minOccurs="0"/>
+ </sequence>
+ <attribute name="Resource" type="anyURI" use="required"/>
+ <attribute name="Decision" type="saml:DecisionType" use="required"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <simpleType name="DecisionType">
+ <restriction base="string">
+ <enumeration value="Permit"/>
+ <enumeration value="Deny"/>
+ <enumeration value="Indeterminate"/>
+ </restriction>
+ </simpleType>
+ <element name="Action" type="saml:ActionType"/>
+ <complexType name="ActionType">
+ <simpleContent>
+ <extension base="string">
+ <attribute name="Namespace" type="anyURI" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ <element name="Evidence" type="saml:EvidenceType"/>
+ <complexType name="EvidenceType">
+ <choice maxOccurs="unbounded">
+ <element ref="saml:AssertionIDRef"/>
+ <element ref="saml:AssertionURIRef"/>
+ <element ref="saml:Assertion"/>
+ <element ref="saml:EncryptedAssertion"/>
+ </choice>
+ </complexType>
+ <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+ <complexType name="AttributeStatementType">
+ <complexContent>
+ <extension base="saml:StatementAbstractType">
+ <choice maxOccurs="unbounded">
+ <element ref="saml:Attribute"/>
+ <element ref="saml:EncryptedAttribute"/>
+ </choice>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="Attribute" type="saml:AttributeType"/>
+ <complexType name="AttributeType">
+ <sequence>
+ <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Name" type="string" use="required"/>
+ <attribute name="NameFormat" type="anyURI" use="optional"/>
+ <attribute name="FriendlyName" type="string" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <element name="AttributeValue" type="anyType" nillable="true"/>
+ <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
+</schema>
diff --git a/schema/saml-schema-metadata-2.0.xsd b/schema/saml-schema-metadata-2.0.xsd
new file mode 100644
index 0000000..b656d4f
--- /dev/null
+++ b/schema/saml-schema-metadata-2.0.xsd
@@ -0,0 +1,337 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+ <import namespace="http://www.w3.org/2000/09/xmldsig#"
+ schemaLocation="xmldsig-core-schema.xsd"/>
+ <import namespace="http://www.w3.org/2001/04/xmlenc#"
+ schemaLocation="xenc-schema.xsd"/>
+ <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+ schemaLocation="saml-schema-assertion-2.0.xsd"/>
+ <import namespace="http://www.w3.org/XML/1998/namespace"
+ schemaLocation="xml.xsd"/>
+ <annotation>
+ <documentation>
+ Document identifier: saml-schema-metadata-2.0
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
+ Revision history:
+ V2.0 (March, 2005):
+ Schema for SAML metadata, first published in SAML 2.0.
+ </documentation>
+ </annotation>
+
+ <simpleType name="entityIDType">
+ <restriction base="anyURI">
+ <maxLength value="1024"/>
+ </restriction>
+ </simpleType>
+ <complexType name="localizedNameType">
+ <simpleContent>
+ <extension base="string">
+ <attribute ref="xml:lang" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ <complexType name="localizedURIType">
+ <simpleContent>
+ <extension base="anyURI">
+ <attribute ref="xml:lang" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+ <element name="Extensions" type="md:ExtensionsType"/>
+ <complexType final="#all" name="ExtensionsType">
+ <sequence>
+ <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+
+ <complexType name="EndpointType">
+ <sequence>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Binding" type="anyURI" use="required"/>
+ <attribute name="Location" type="anyURI" use="required"/>
+ <attribute name="ResponseLocation" type="anyURI" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+
+ <complexType name="IndexedEndpointType">
+ <complexContent>
+ <extension base="md:EndpointType">
+ <attribute name="index" type="unsignedShort" use="required"/>
+ <attribute name="isDefault" type="boolean" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <element name="EntitiesDescriptor" type="md:EntitiesDescriptorType"/>
+ <complexType name="EntitiesDescriptorType">
+ <sequence>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <choice minOccurs="1" maxOccurs="unbounded">
+ <element ref="md:EntityDescriptor"/>
+ <element ref="md:EntitiesDescriptor"/>
+ </choice>
+ </sequence>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <attribute name="ID" type="ID"
use="optional"/>
+ <attribute name="Name" type="string" use="optional"/>
+ </complexType>
+
+ <element name="EntityDescriptor" type="md:EntityDescriptorType"/>
+ <complexType name="EntityDescriptorType">
+ <sequence>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <choice>
+ <choice maxOccurs="unbounded">
+ <element ref="md:RoleDescriptor"/>
+ <element ref="md:IDPSSODescriptor"/>
+ <element ref="md:SPSSODescriptor"/>
+ <element ref="md:AuthnAuthorityDescriptor"/>
+ <element ref="md:AttributeAuthorityDescriptor"/>
+ <element ref="md:PDPDescriptor"/>
+ </choice>
+ <element ref="md:AffiliationDescriptor"/>
+ </choice>
+ <element ref="md:Organization" minOccurs="0"/>
+ <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:AdditionalMetadataLocation" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="entityID" type="md:entityIDType" use="required"/>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <attribute name="ID" type="ID" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+
+ <element name="Organization" type="md:OrganizationType"/>
+ <complexType name="OrganizationType">
+ <sequence>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <element ref="md:OrganizationName" maxOccurs="unbounded"/>
+ <element ref="md:OrganizationDisplayName" maxOccurs="unbounded"/>
+ <element ref="md:OrganizationURL" maxOccurs="unbounded"/>
+ </sequence>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <element name="OrganizationName" type="md:localizedNameType"/>
+ <element name="OrganizationDisplayName" type="md:localizedNameType"/>
+ <element name="OrganizationURL" type="md:localizedURIType"/>
+ <element name="ContactPerson" type="md:ContactType"/>
+ <complexType name="ContactType">
+ <sequence>
+ <element ref="md:Extensions"
minOccurs="0"/>
+ <element ref="md:Company" minOccurs="0"/>
+ <element ref="md:GivenName" minOccurs="0"/>
+ <element ref="md:SurName" minOccurs="0"/>
+ <element ref="md:EmailAddress" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:TelephoneNumber" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="contactType" type="md:ContactTypeType" use="required"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <element name="Company" type="string"/>
+ <element name="GivenName" type="string"/>
+ <element name="SurName" type="string"/>
+ <element name="EmailAddress" type="anyURI"/>
+ <element name="TelephoneNumber" type="string"/>
+ <simpleType name="ContactTypeType">
+ <restriction base="string">
+ <enumeration value="technical"/>
+ <enumeration value="support"/>
+ <enumeration value="administrative"/>
+ <enumeration value="billing"/>
+ <enumeration value="other"/>
+ </restriction>
+ </simpleType>
+
+ <element name="AdditionalMetadataLocation" type="md:AdditionalMetadataLocationType"/>
+ <complexType name="AdditionalMetadataLocationType">
+ <simpleContent>
+ <extension base="anyURI">
+ <attribute name="namespace" type="anyURI" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+ <element name="RoleDescriptor" type="md:RoleDescriptorType"/>
+ <complexType name="RoleDescriptorType" abstract="true">
+ <sequence>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:Organization" minOccurs="0"/>
+ <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="ID" type="ID" use="optional"/>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <attribute name="protocolSupportEnumeration" type="md:anyURIListType" use="required"/>
+ <attribute name="errorURL"
type="anyURI" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <simpleType name="anyURIListType">
+ <list itemType="anyURI"/>
+ </simpleType>
+
+ <element name="KeyDescriptor" type="md:KeyDescriptorType"/>
+ <complexType name="KeyDescriptorType">
+ <sequence>
+ <element ref="ds:KeyInfo"/>
+ <element ref="md:EncryptionMethod" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="use" type="md:KeyTypes" use="optional"/>
+ </complexType>
+ <simpleType name="KeyTypes">
+ <restriction base="string">
+ <enumeration value="encryption"/>
+ <enumeration value="signing"/>
+ </restriction>
+ </simpleType>
+ <element name="EncryptionMethod" type="xenc:EncryptionMethodType"/>
+
+ <complexType name="SSODescriptorType" abstract="true">
+ <complexContent>
+ <extension base="md:RoleDescriptorType">
+ <sequence>
+ <element ref="md:ArtifactResolutionService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:SingleLogoutService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:ManageNameIDService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="ArtifactResolutionService" type="md:IndexedEndpointType"/>
+ <element name="SingleLogoutService" type="md:EndpointType"/>
+ <element name="ManageNameIDService" type="md:EndpointType"/>
+ <element name="NameIDFormat" type="anyURI"/>
+
+ <element name="IDPSSODescriptor" type="md:IDPSSODescriptorType"/>
+ <complexType name="IDPSSODescriptorType">
+ <complexContent>
+ <extension base="md:SSODescriptorType">
+ <sequence>
+ <element ref="md:SingleSignOnService" maxOccurs="unbounded"/>
+ <element ref="md:NameIDMappingService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+ <element
ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="WantAuthnRequestsSigned" type="boolean" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="SingleSignOnService" type="md:EndpointType"/>
+ <element name="NameIDMappingService" type="md:EndpointType"/>
+ <element name="AssertionIDRequestService" type="md:EndpointType"/>
+ <element name="AttributeProfile" type="anyURI"/>
+
+ <element name="SPSSODescriptor" type="md:SPSSODescriptorType"/>
+ <complexType name="SPSSODescriptorType">
+ <complexContent>
+ <extension base="md:SSODescriptorType">
+ <sequence>
+ <element ref="md:AssertionConsumerService" maxOccurs="unbounded"/>
+ <element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="AuthnRequestsSigned" type="boolean" use="optional"/>
+ <attribute name="WantAssertionsSigned" type="boolean" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AssertionConsumerService" type="md:IndexedEndpointType"/>
+ <element name="AttributeConsumingService" type="md:AttributeConsumingServiceType"/>
+ <complexType name="AttributeConsumingServiceType">
+ <sequence>
+ <element ref="md:ServiceName" maxOccurs="unbounded"/>
+ <element ref="md:ServiceDescription" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:RequestedAttribute" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="index" type="unsignedShort" use="required"/>
+ <attribute name="isDefault" type="boolean" use="optional"/>
+ </complexType>
+ <element name="ServiceName" type="md:localizedNameType"/>
+ <element name="ServiceDescription" type="md:localizedNameType"/>
+ <element name="RequestedAttribute" type="md:RequestedAttributeType"/>
+ <complexType name="RequestedAttributeType">
+ <complexContent>
+ <extension base="saml:AttributeType">
+ <attribute name="isRequired" type="boolean" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+
+
<element name="AuthnAuthorityDescriptor" type="md:AuthnAuthorityDescriptorType"/>
+ <complexType name="AuthnAuthorityDescriptorType">
+ <complexContent>
+ <extension base="md:RoleDescriptorType">
+ <sequence>
+ <element ref="md:AuthnQueryService" maxOccurs="unbounded"/>
+ <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthnQueryService" type="md:EndpointType"/>
+
+ <element name="PDPDescriptor" type="md:PDPDescriptorType"/>
+ <complexType name="PDPDescriptorType">
+ <complexContent>
+ <extension base="md:RoleDescriptorType">
+ <sequence>
+ <element ref="md:AuthzService" maxOccurs="unbounded"/>
+ <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthzService" type="md:EndpointType"/>
+
+ <element name="AttributeAuthorityDescriptor" type="md:AttributeAuthorityDescriptorType"/>
+ <complexType name="AttributeAuthorityDescriptorType">
+ <complexContent>
+ <extension base="md:RoleDescriptorType">
+ <sequence>
+ <element ref="md:AttributeService" maxOccurs="unbounded"/>
+ <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AttributeService" type="md:EndpointType"/>
+
+ <element name="AffiliationDescriptor" type="md:AffiliationDescriptorType"/>
+ <complexType name="AffiliationDescriptorType">
+ <sequence>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="md:Extensions"
minOccurs="0"/>
+ <element ref="md:AffiliateMember" maxOccurs="unbounded"/>
+ <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="affiliationOwnerID" type="md:entityIDType" use="required"/>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <attribute name="ID" type="ID" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <element name="AffiliateMember" type="md:entityIDType"/>
+</schema>
diff --git a/schema/saml-schema-protocol-2.0.xsd b/schema/saml-schema-protocol-2.0.xsd
new file mode 100644
index 0000000..eb480e5
--- /dev/null
+++ b/schema/saml-schema-protocol-2.0.xsd
@@ -0,0 +1,302 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+ <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+ schemaLocation="saml-schema-assertion-2.0.xsd"/>
+ <import namespace="http://www.w3.org/2000/09/xmldsig#"
+ schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
+ <annotation>
+ <documentation>
+ Document identifier: saml-schema-protocol-2.0
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
+ Revision history:
+ V1.0 (November, 2002):
+ Initial Standard Schema.
+ V1.1 (September, 2003):
+ Updates within the same V1.0 namespace.
+ V2.0 (March, 2005):
+ New protocol schema based in a SAML V2.0 namespace.
+ </documentation>
+ </annotation>
+ <complexType name="RequestAbstractType" abstract="true">
+ <sequence>
+ <element ref="saml:Issuer" minOccurs="0"/>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="samlp:Extensions" minOccurs="0"/>
+ </sequence>
+ <attribute name="ID" type="ID" use="required"/>
+ <attribute name="Version" type="string" use="required"/>
+ <attribute name="IssueInstant" type="dateTime" use="required"/>
+ <attribute name="Destination" type="anyURI" use="optional"/>
+ <attribute name="Consent" type="anyURI" use="optional"/>
+ </complexType>
+ <element name="Extensions" type="samlp:ExtensionsType"/>
+ <complexType name="ExtensionsType">
+ <sequence>
+ <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+ <complexType name="StatusResponseType">
+ <sequence>
+ <element ref="saml:Issuer" minOccurs="0"/>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="samlp:Extensions" minOccurs="0"/>
+ <element ref="samlp:Status"/>
+ </sequence>
+ <attribute name="ID" type="ID" use="required"/>
+ <attribute name="InResponseTo" type="NCName" use="optional"/>
+ <attribute name="Version" type="string" use="required"/>
+ <attribute name="IssueInstant" type="dateTime" use="required"/>
+ <attribute name="Destination" type="anyURI" use="optional"/>
+ <attribute name="Consent" type="anyURI" use="optional"/>
+ </complexType>
+ <element name="Status" type="samlp:StatusType"/>
+ <complexType name="StatusType">
+ <sequence>
+ <element ref="samlp:StatusCode"/>
+ <element ref="samlp:StatusMessage" minOccurs="0"/>
+ <element ref="samlp:StatusDetail" minOccurs="0"/>
+ </sequence>
+ </complexType>
+ <element name="StatusCode" type="samlp:StatusCodeType"/>
+ <complexType name="StatusCodeType">
+ <sequence>
+ <element ref="samlp:StatusCode" minOccurs="0"/>
+ </sequence>
+ <attribute name="Value" type="anyURI" use="required"/>
+ </complexType>
+ <element name="StatusMessage" type="string"/>
+ <element name="StatusDetail" type="samlp:StatusDetailType"/>
+ <complexType name="StatusDetailType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+ <element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/>
+ <complexType name="AssertionIDRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <element ref="saml:AssertionIDRef" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
+ <complexType name="SubjectQueryAbstractType" abstract="true">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <element ref="saml:Subject"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthnQuery" type="samlp:AuthnQueryType"/>
+ <complexType name="AuthnQueryType">
+ <complexContent>
+ <extension base="samlp:SubjectQueryAbstractType">
+ <sequence>
+ <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
+ </sequence>
+ <attribute name="SessionIndex" type="string" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/>
+ <complexType name="RequestedAuthnContextType">
+ <choice>
+ <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/>
+ <element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/>
+ </choice>
+ <attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/>
+ </complexType>
+ <simpleType name="AuthnContextComparisonType">
+ <restriction base="string">
+ <enumeration value="exact"/>
+ <enumeration value="minimum"/>
+ <enumeration value="maximum"/>
+ <enumeration value="better"/>
+ </restriction>
+ </simpleType>
+ <element name="AttributeQuery" type="samlp:AttributeQueryType"/>
+ <complexType name="AttributeQueryType">
+ <complexContent>
+ <extension base="samlp:SubjectQueryAbstractType">
+ <sequence>
+ <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/>
+ <complexType name="AuthzDecisionQueryType">
+ <complexContent>
+ <extension base="samlp:SubjectQueryAbstractType">
+ <sequence>
+ <element ref="saml:Action" maxOccurs="unbounded"/>
+ <element ref="saml:Evidence" minOccurs="0"/>
+ </sequence>
+ <attribute name="Resource" type="anyURI" use="required"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthnRequest" type="samlp:AuthnRequestType"/>
+ <complexType name="AuthnRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <element ref="saml:Subject" minOccurs="0"/>
+ <element ref="samlp:NameIDPolicy" minOccurs="0"/>
+ <element ref="saml:Conditions" minOccurs="0"/>
+ <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
+ <element ref="samlp:Scoping" minOccurs="0"/>
+ </sequence>
+ <attribute name="ForceAuthn" type="boolean" use="optional"/>
+ <attribute name="IsPassive" type="boolean" use="optional"/>
+ <attribute name="ProtocolBinding" type="anyURI" use="optional"/>
+ <attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/>
+ <attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/>
+ <attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/>
+ <attribute name="ProviderName" type="string" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="NameIDPolicy" type="samlp:NameIDPolicyType"/>
+ <complexType name="NameIDPolicyType">
+ <attribute name="Format" type="anyURI" use="optional"/>
+ <attribute name="SPNameQualifier" type="string" use="optional"/>
+ <attribute name="AllowCreate" type="boolean" use="optional"/>
+ </complexType>
+ <element name="Scoping" type="samlp:ScopingType"/>
+ <complexType name="ScopingType">
+ <sequence>
+ <element ref="samlp:IDPList" minOccurs="0"/>
+ <element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/>
+ </complexType>
+ <element name="RequesterID" type="anyURI"/>
+ <element name="IDPList" type="samlp:IDPListType"/>
+ <complexType name="IDPListType">
+ <sequence>
+ <element ref="samlp:IDPEntry" maxOccurs="unbounded"/>
+ <element ref="samlp:GetComplete" minOccurs="0"/>
+ </sequence>
+ </complexType>
+ <element name="IDPEntry" type="samlp:IDPEntryType"/>
+ <complexType name="IDPEntryType">
+ <attribute name="ProviderID" type="anyURI" use="required"/>
+ <attribute name="Name" type="string" use="optional"/>
+ <attribute name="Loc" type="anyURI" use="optional"/>
+ </complexType>
+ <element name="GetComplete" type="anyURI"/>
+ <element name="Response" type="samlp:ResponseType"/>
+ <complexType name="ResponseType">
+ <complexContent>
+ <extension base="samlp:StatusResponseType">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:Assertion"/>
+ <element ref="saml:EncryptedAssertion"/>
+ </choice>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="ArtifactResolve" type="samlp:ArtifactResolveType"/>
+ <complexType name="ArtifactResolveType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <element ref="samlp:Artifact"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="Artifact" type="string"/>
+ <element name="ArtifactResponse" type="samlp:ArtifactResponseType"/>
+ <complexType name="ArtifactResponseType">
+ <complexContent>
+ <extension base="samlp:StatusResponseType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/>
+ <complexType name="ManageNameIDRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <choice>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <choice>
+ <element ref="samlp:NewID"/>
+ <element ref="samlp:NewEncryptedID"/>
+ <element ref="samlp:Terminate"/>
+ </choice>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="NewID" type="string"/>
+ <element name="NewEncryptedID" type="saml:EncryptedElementType"/>
+ <element name="Terminate" type="samlp:TerminateType"/>
+ <complexType name="TerminateType"/>
+ <element name="ManageNameIDResponse" type="samlp:StatusResponseType"/>
+ <element name="LogoutRequest" type="samlp:LogoutRequestType"/>
+ <complexType name="LogoutRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <choice>
+ <element ref="saml:BaseID"/>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Reason" type="string" use="optional"/>
+ <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="SessionIndex" type="string"/>
+ <element name="LogoutResponse" type="samlp:StatusResponseType"/>
+ <element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/>
+ <complexType name="NameIDMappingRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <choice>
+ <element ref="saml:BaseID"/>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <element ref="samlp:NameIDPolicy"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/>
+ <complexType name="NameIDMappingResponseType">
+ <complexContent>
+ <extension base="samlp:StatusResponseType">
+ <choice>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ </extension>
+ </complexContent>
+ </complexType>
+</schema>
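Review bot: The ds import near the top of this schema resolves `http://www.w3.org/2000/09/xmldsig#` from a remote schemaLocation (`http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd`), whereas the metadata and attribute-map schemas added in the same commit import that namespace from a local `xmldsig-core-schema.xsd`. Any schema validation run over these files therefore depends on a network fetch from w3.org for this one file, which makes the check non-reproducible and couples a configuration-validation step to an external host; offline runs fail or silently skip the import. No local `xmldsig-core-schema.xsd` is visible in this chunk, so it is worth confirming that the siblings' local reference actually resolves too. I would change the import here to `schemaLocation="xmldsig-core-schema.xsd"` to match the siblings, ship that file alongside the others, and run the validator with remote loading disabled (xmllint's `--nonet`) so a missing local copy fails loudly rather than being fetched at build time.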
diff --git a/schema/shibboleth-2.0-attribute-map.xsd b/schema/shibboleth-2.0-attribute-map.xsd
new file mode 100644
index 0000000..31ff798
--- /dev/null
+++ b/schema/shibboleth-2.0-attribute-map.xsd
@@ -0,0 +1,358 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema targetNamespace="urn:mace:shibboleth:2.0:attribute-map"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:am="urn:mace:shibboleth:2.0:attribute-map"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ elementFormDefault="qualified"
+ version="2.5">
+
+ <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd" />
+
+ <annotation>
+ <documentation>
+ This schema maps SAML attributes into Shibboleth internal attributes.
+ </documentation>
+ </annotation>
+
+ <simpleType name="string">
+ <restriction base="string">
+ <minLength value="1"/>
+ </restriction>
+ </simpleType>
+
+ <simpleType name="anyURI">
+ <restriction base="anyURI">
+ <minLength value="1"/>
+ </restriction>
+ </simpleType>
+
+ <simpleType name="listOfStrings">
+ <list itemType="am:string"/>
+ </simpleType>
+
+ <complexType name="PluggableType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="type" type="am:string" use="required"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+
+ <element name="GSSAPIContext" type="base64Binary">
+ <annotation>
+ <documentation>A wrapper element for GSS-API contexts.</documentation>
+ </annotation>
+ </element>
+
+ <element name="GSSAPIName" type="base64Binary">
+ <annotation>
+ <documentation>A wrapper element for GSS-API composite names.</documentation>
+ </annotation>
+ </element>
+
+ <element name="Attributes">
+ <annotation>
+ <documentation>The set of SAML or GSS-API attribute mappings.</documentation>
+ </annotation>
+ <complexType>
+ <sequence>
+ <element name="MetadataProvider" type="am:PluggableType" minOccurs="0"/>
+ <element name="TrustEngine" type="am:PluggableType" minOccurs="0"/>
+ <element name="AttributeFilter" type="am:PluggableType" minOccurs="0"/>
+ <choice maxOccurs="unbounded">
+ <element name="Attribute" type="am:AttributeType"/>
+
<element name="GSSAPIAttribute" type="am:GSSAPIAttributeType"/>
+ </choice>
+ <element ref="ds:Signature" minOccurs="0"/>
+ </sequence>
+ <attribute name="metadataAttributeCaching" type="boolean"/>
+ <attribute name="metadataPolicyId" type="am:string"/>
+ </complexType>
+ </element>
+
+ <complexType name="AttributeType">
+ <annotation>
+ <documentation>Rule for mapping a SAML attribute to an internal attribute.</documentation>
+ </annotation>
+ <sequence>
+ <element name="AttributeDecoder" type="am:AttributeDecoderType" minOccurs="0"/>
+ </sequence>
+ <attribute name="id" type="am:string" use="required">
+ <annotation>
+ <documentation>The internal attribute ID to which this SAML attribute maps.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="aliases" type="am:listOfStrings">
+ <annotation>
+ <documentation>DEPRECATED: Aliases for the internal attribute to which this SAML attribute maps.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="name" type="am:string" use="required">
+ <annotation>
+ <documentation>The SAML 1 AttributeName or SAML 2 Name of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="nameFormat" type="am:string">
+ <annotation>
+ <documentation>The SAML 1 Namespace or SAML 2 NameFormat of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="isRequested" type="boolean">
+ <annotation>
+ <documentation>Marks an attribute as requested by the service.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="isRequired" type="boolean">
+ <annotation>
+ <documentation>Marks an attribute as required by the service.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="GSSAPIAttributeType">
+ <annotation>
+ <documentation>Rule for mapping a GSS-API naming attribute to an internal attribute.</documentation>
+ </annotation>
+ <attribute name="id" type="am:string" use="required">
+ <annotation>
+ <documentation>The internal
attribute ID to which this SAML attribute maps.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="aliases" type="am:listOfStrings">
+ <annotation>
+ <documentation>Optional aliases for the internal attribute to which this SAML attribute maps.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="name" type="am:string" use="required">
+ <annotation>
+ <documentation>The name of the naming attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authenticated" type="boolean">
+ <annotation>
+ <documentation>If true, only an authenticated GSS-API naming attribute will be mapped.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="binary" type="boolean">
+ <annotation>
+ <documentation>If true, the GSS-API naming attribute will be base64-encoded for internal use.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="scopeDelimiter" type="am:string">
+ <annotation>
+ <documentation>
+ The character(s) used to delimit the scoped information from the scope.
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="AttributeDecoderType" abstract="true">
+ <annotation>
+ <documentation>
+ Decodes a SAML attribute into its Shibboleth-internal representation.
+ </documentation>
+ </annotation>
+ <attribute name="caseSensitive" type="boolean">
+ <annotation>
+ <documentation>
+ Flag controlling case sensitivity when comparisons to the attribute's values are done.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="internal" type="boolean">
+ <annotation>
+ <documentation>
+ Flag controlling whether the resulting attribute should be exported for CGI use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="langAware" type="boolean">
+ <annotation>
+ <documentation>
+ Flag controlling whether the decoder should select only the best matching value by language.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="hashAlg" type="am:string">
+ <annotation>
+ <documentation>
+ Crypto-provider-specific name of hash algorithm to use,
+ turning the decoded result into a simple string.
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="StringAttributeDecoder">
+ <annotation>
+ <documentation>
+ Decoder for attributes with string values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="am:AttributeDecoderType" />
+ </complexContent>
+ </complexType>
+
+ <complexType name="ScopedAttributeDecoder">
+ <annotation>
+ <documentation>
+ Decoder for attributes with scoped values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="am:AttributeDecoderType">
+ <attribute name="scopeDelimiter" type="am:string">
+ <annotation>
+ <documentation>
+ The character(s) used to delimit the scoped information from the scope.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="NameIDAttributeDecoder">
+ <annotation>
+ <documentation>
+ Decoder for attributes with NameID values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="am:AttributeDecoderType">
+ <attribute name="formatter" type="am:string">
+ <annotation>
+ <documentation>
+ The pattern used to generate string versions of the attribute's values.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="defaultQualifiers" type="boolean">
+ <annotation>
+ <documentation>
+ Flag controlling whether to default in values for NameQualifier/SPNameQualifier if not set.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="NameIDFromScopedAttributeDecoder">
+ <annotation>
+ <documentation>
+ Decoder for attributes with scoped values that produces a NameID attribute with
+ the scope dropped and the NameQualifiers defaulted.
+ </documentation> + </annotation> + <complexContent> + <extension base="am:ScopedAttributeDecoder"> + <attribute name="format" type="am:anyURI"> + <annotation> + <documentation> + Value to use as the NameID Format. + </documentation> + </annotation> + </attribute> + <attribute name="defaultQualifiers" type="boolean"> + <annotation> + <documentation> + Flag controlling whether to default in values for NameQualifier/SPNameQualifier if not set. + </documentation> + </annotation> + </attribute> + <attribute name="formatter" type="am:string"> + <annotation> + <documentation> + The pattern used to generate string versions of the attribute's values. + </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="KeyInfoAttributeDecoder"> + <annotation> + <documentation> + Decoder for attributes with ds:KeyInfo values. + </documentation> + </annotation> + <complexContent> + <extension base="am:AttributeDecoderType"> + <sequence> + <element name="KeyInfoResolver" type="am:PluggableType" minOccurs="0"/> + </sequence> + <attribute name="hash" type="boolean"> + <annotation> + <documentation> + Flag controlling whether to hash keys before base64-encoding them. + </documentation> + </annotation> + </attribute> + <attribute name="keyInfoHashAlg" type="am:string"> + <annotation> + <documentation> + Crypto-provider-specific name of hash algorithm to use. + </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="XMLAttributeDecoder"> + <annotation> + <documentation> + Decoder for directly serializing XML values. + </documentation> + </annotation> + <complexContent> + <extension base="am:AttributeDecoderType"/> + </complexContent> + </complexType> + + <complexType name="DOMAttributeDecoder"> + <annotation> + <documentation> + Decoder for extracting information from XML values. 
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="am:AttributeDecoderType">
+ <sequence>
+ <element name="Mapping" minOccurs="0">
+ <annotation>
+ <documentation>Optional transform to turn qualified XML names into string names.</documentation>
+ </annotation>
+ <complexType>
+ <attribute name="from" type="QName" use="required"/>
+ <attribute name="to" type="am:string" use="required"/>
+ </complexType>
+ </element>
+ </sequence>
+ <attribute name="formatter" type="am:string">
+ <annotation>
+ <documentation>
+ The pattern used to generate strings from the XML.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Base64AttributeDecoder">
+ <annotation>
+ <documentation>
+ Decoder for attributes with base64-encoded string values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="am:AttributeDecoderType" />
+ </complexContent>
+ </complexType>
+
+</schema>
diff --git a/schema/shibboleth-3.0-native-sp-config.xsd b/schema/shibboleth-3.0-native-sp-config.xsd
new file mode 100644
index 0000000..9eb7a4b
--- /dev/null
+++ b/schema/shibboleth-3.0-native-sp-config.xsd
@@ -0,0 +1,908 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema targetNamespace="urn:mace:shibboleth:3.0:native:sp:config"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ elementFormDefault="qualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="3.4">
+
+ <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd" />
+ <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>
+ <import namespace="urn:oasis:names:tc:SAML:2.0:protocol" schemaLocation="saml-schema-protocol-2.0.xsd"/>
+ <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
+
+ <annotation>
+ <documentation>
+ 3.x schema for XML-based configuration of Shibboleth Native SP instances.
+ First appearing in Shibboleth 3.0 release.
+ </documentation> + </annotation> + + <simpleType name="string"> + <restriction base="string"> + <minLength value="1"/> + </restriction> + </simpleType> + + <simpleType name="listOfStrings"> + <list itemType="conf:string"/> + </simpleType> + + <simpleType name="anyURI"> + <restriction base="anyURI"> + <minLength value="1"/> + </restriction> + </simpleType> + + <simpleType name="listOfURIs"> + <list itemType="conf:anyURI"/> + </simpleType> + + <simpleType name="bindingBoolean"> + <restriction base="string"> + <enumeration value="true"/> + <enumeration value="false"/> + <enumeration value="front"/> + <enumeration value="back"/> + <enumeration value="conditional" /> + </restriction> + </simpleType> + + <simpleType name="redirectLimitType"> + <restriction base="string"> + <enumeration value="none"/> + <enumeration value="exact"/> + <enumeration value="host"/> + <enumeration value="whitelist"/> + <enumeration value="exact+whitelist"/> + <enumeration value="host+whitelist"/> + <enumeration value="allow"/> + <enumeration value="exact+allow"/> + <enumeration value="host+allow"/> + </restriction> + </simpleType> + + <simpleType name="sameSiteType"> + <restriction base="string"> + <enumeration value="None"/> + <enumeration value="Lax"/> + <enumeration value="Strict"/> + </restriction> + </simpleType> + + <complexType name="PluggableType"> + <sequence> + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="type" type="conf:string" use="required"/> + <anyAttribute namespace="##any" processContents="lax"/> + </complexType> + + <complexType name="ExtensionsType"> + <annotation> + <documentation>Container for extension libraries and custom configuration</documentation> + </annotation> + <sequence> + <element name="Library" minOccurs="0" maxOccurs="unbounded"> + <complexType> + <sequence> + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="path" 
type="conf:anyURI" use="required"/> + <attribute name="fatal" type="boolean"/> + <anyAttribute namespace="##any" processContents="lax"/> + </complexType> + </element> + <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + </complexType> + + <complexType name="DataSealerType"> + <annotation> + <documentation>References DataSealer plugins</documentation> + </annotation> + <complexContent> + <restriction base="conf:PluggableType"> + <sequence> + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <anyAttribute namespace="##any" processContents="lax"/> + </restriction> + </complexContent> + </complexType> + + <complexType name="StorageServiceType"> + <annotation> + <documentation>References StorageService plugins</documentation> + </annotation> + <complexContent> + <restriction base="conf:PluggableType"> + <sequence> + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="id" type="ID" use="required"/> + <attribute name="cleanupInterval" type="unsignedInt"/> + <anyAttribute namespace="##any" processContents="lax"/> + </restriction> + </complexContent> + </complexType> + + <complexType name="SessionCacheType"> + <annotation> + <documentation>References SessionCache plugins</documentation> + </annotation> + <complexContent> + <restriction base="conf:PluggableType"> + <sequence> + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="StorageService" type="IDREF"/> + <attribute name="cacheAllowance" type="unsignedInt"/> + <attribute name="maintainReverseIndex" type="boolean"/> + <attribute name="reverseIndexMaxSize" type="unsignedInt"/> + <attribute name="excludeReverseIndex" type="conf:listOfStrings"/> + <attribute name="persistedAttributes" type="conf:listOfStrings"/> + <attribute name="unreliableNetworks" type="conf:listOfStrings"/> + <anyAttribute 
namespace="##any" processContents="lax"/> + </restriction> + </complexContent> + </complexType> + + <complexType name="ReplayCacheType"> + <annotation> + <documentation>Ties ReplayCache to a custom StorageService</documentation> + </annotation> + <sequence/> + <attribute name="StorageService" type="IDREF"/> + </complexType> + + <complexType name="ArtifactMapType"> + <annotation> + <documentation>Customizes an ArtifactMap</documentation> + </annotation> + <sequence/> + <attribute name="StorageService" type="IDREF"/> + <attribute name="context" type="conf:string"/> + <attribute name="artifactTTL" type="unsignedInt"/> + </complexType> + + <complexType name="OutOfProcessType"> + <annotation> + <documentation>Container for out-of-process (shibd) configuration</documentation> + </annotation> + <sequence> + <element name="Extensions" type="conf:ExtensionsType" minOccurs="0"/> + <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="logger" type="conf:anyURI"/> + <attribute name="tranLogFormat" type="conf:string"/> + <attribute name="tranLogFiller" type="conf:string"/> + <attribute name="catchAll" type="boolean"/> + <anyAttribute namespace="##other" processContents="lax"/> + </complexType> + + <complexType name="InProcessType"> + <annotation> + <documentation> + Container for configuration of locally integrated or platform-specific + features (e.g. 
web server filters) + </documentation> + </annotation> + <sequence> + <element name="Extensions" type="conf:ExtensionsType" minOccurs="0"/> + <element name="ISAPI" minOccurs="0"> + <complexType> + <choice maxOccurs="unbounded" minOccurs="0"> + <element name="Site"> + <complexType> + <sequence> + <element name="Alias" type="conf:string" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="id" type="unsignedInt" use="required"/> + <attribute name="name" type="conf:string" use="required"/> + <attribute name="port" type="unsignedInt"/> + <attribute name="useHeaders" type="boolean"/> + <attribute name="useVariables" type="boolean"/> + <attribute name="sslport" type="unsignedInt"/> + <attribute name="scheme" type="conf:string"/> + </complexType> + </element> + <element name="Roles"> + <complexType> + <attribute name="authNRole" type="string" use="optional"/> + <attribute name="roleAttributes" type="string" use="optional"/> + </complexType> + </element> + <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </choice> + <attribute name="normalizeRequest" type="boolean"/> + <attribute name="safeHeaderNames" type="boolean"/> + <attribute name="useHeaders" type="boolean"/> + <attribute name="useVariables" type="boolean"/> + <attribute name="handlerPrefix" type="conf:string" use="optional"/> + <anyAttribute namespace="##other" processContents="lax"/> + </complexType> + </element> + <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="logger" type="conf:anyURI"/> + <attribute name="unsetHeaderValue" type="conf:string"/> + <attribute name="checkSpoofing" type="boolean"/> + <attribute name="spoofKey" type="conf:string"/> + <attribute name="catchAll" type="boolean"/> + <attribute name="extraAuthTypes" type="conf:listOfStrings"/> + <anyAttribute namespace="##other" processContents="lax"/> + </complexType> + + <element name="AccessControl" type="conf:UniOperatorType"> 
+ <annotation>
+ <documentation>
+ A simple example access policy language extension that supersedes Apache .htaccess
+ </documentation>
+ </annotation>
+ </element>
+ <complexType name="UniOperatorType">
+ <choice>
+ <element name="AND" type="conf:MultiOperatorType"/>
+ <element name="OR" type="conf:MultiOperatorType"/>
+ <element name="NOT" type="conf:UniOperatorType"/>
+ <element name="Rule" type="conf:RuleType"/>
+ <element name="RuleRegex" type="conf:RuleRegexType"/>
+ </choice>
+ </complexType>
+ <complexType name="MultiOperatorType">
+ <choice minOccurs="2" maxOccurs="unbounded">
+ <element name="AND" type="conf:MultiOperatorType"/>
+ <element name="OR" type="conf:MultiOperatorType"/>
+ <element name="NOT" type="conf:UniOperatorType"/>
+ <element name="Rule" type="conf:RuleType"/>
+ <element name="RuleRegex" type="conf:RuleRegexType"/>
+ </choice>
+ </complexType>
+ <complexType name="RuleType">
+ <simpleContent>
+ <extension base="conf:listOfStrings">
+ <attribute name="require" type="conf:string" use="required"/>
+ <attribute name="list" type="boolean"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ <complexType name="RuleRegexType">
+ <simpleContent>
+ <extension base="conf:string">
+ <attribute name="require" type="conf:string" use="required"/>
+ <attribute name="caseSensitive" type="boolean"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+ <attributeGroup name="ContentSettings">
+ <attribute name="applicationId" type="conf:string"/>
+ <attribute name="authType" type="conf:string"/>
+ <attribute name="requireSession" type="boolean"/>
+ <attribute name="requireSessionWith" type="conf:string"/>
+ <attribute name="requireLogoutWith" type="conf:anyURI"/>
+ <attribute name="exportAssertion" type="boolean"/>
+ <attribute name="exportStdVars" type="boolean"/>
+ <attribute name="exportCookie" type="boolean"/>
+ <attribute name="exportDuplicateValues" type="boolean"/>
+ <attribute name="redirectToSSL" type="unsignedInt"/>
+ <attribute 
name="entityID" type="conf:anyURI"/> + <attribute name="entityIDSelf" type="conf:anyURI"/> + <attribute name="discoveryURL" type="conf:anyURI"/> + <attribute name="discoveryPolicy" type="conf:string"/> + <attribute name="isPassive" type="boolean"/> + <attribute name="returnOnError" type="boolean"/> + <attribute name="forceAuthn" type="boolean"/> + <attribute name="authnContextClassRef" type="conf:listOfURIs"/> + <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/> + <attribute name="NameIDFormat" type="conf:anyURI"/> + <attribute name="SPNameQualifier" type="conf:string"/> + <attribute name="redirectErrors" type="conf:anyURI"/> + <attribute name="sessionError" type="conf:anyURI"/> + <attribute name="metadataError" type="conf:anyURI"/> + <attribute name="accessError" type="conf:anyURI"/> + <attribute name="sslError" type="conf:anyURI"/> + <attribute name="target" type="conf:anyURI"/> + <attribute name="acsIndex" type="unsignedShort"/> + <attribute name="attributeIndex" type="conf:string"/> + <attribute name="REMOTE_ADDR" type="conf:string"/> + <attribute name="encoding" type="conf:string"/> + <attribute name="attributeValueDelimiter" type="conf:string"/> + <attribute name="unset" type="conf:listOfStrings"/> + <anyAttribute namespace="##other" processContents="lax"/> + </attributeGroup> + + <element name="RequestMap"> + <annotation> + <documentation> + Built-in request mapping syntax, decomposes URLs into Host/Path/Path/... 
+ </documentation> + </annotation> + <complexType> + <sequence> + <choice minOccurs="0"> + <element name="htaccess" type="conf:PluggableType"/> + <element ref="conf:AccessControl"/> + <element name="AccessControlProvider" type="conf:PluggableType"/> + </choice> + <choice minOccurs="0" maxOccurs="unbounded"> + <element name="Host" type="conf:HostType"/> + <element name="HostRegex" type="conf:HostRegexType"/> + </choice> + <element ref="ds:Signature" minOccurs="0"/> + </sequence> + <attribute name="unicodeAware" type="boolean"/> + <attributeGroup ref="conf:ContentSettings"/> + </complexType> + </element> + + <complexType name="HostType"> + <sequence> + <choice minOccurs="0"> + <element name="htaccess" type="conf:PluggableType"/> + <element ref="conf:AccessControl"/> + <element name="AccessControlProvider" type="conf:PluggableType"/> + </choice> + <choice minOccurs="0" maxOccurs="unbounded"> + <element name="Path" type="conf:PathType"/> + <element name="PathRegex" type="conf:PathRegexType"/> + <element name="Query" type="conf:QueryType"/> + </choice> + </sequence> + <attribute name="scheme"> + <simpleType> + <restriction base="conf:string"> + <enumeration value="http"/> + <enumeration value="https"/> + <enumeration value="ftp"/> + <enumeration value="ldap"/> + <enumeration value="ldaps"/> + </restriction> + </simpleType> + </attribute> + <attribute name="name" type="conf:string" use="required"/> + <attribute name="port" type="unsignedInt"/> + <attributeGroup ref="conf:ContentSettings"/> + </complexType> + + <complexType name="HostRegexType"> + <sequence> + <choice minOccurs="0"> + <element name="htaccess" type="conf:PluggableType"/> + <element ref="conf:AccessControl"/> + <element name="AccessControlProvider" type="conf:PluggableType"/> + </choice> + <choice minOccurs="0" maxOccurs="unbounded"> + <element name="Path" type="conf:PathType"/> + <element name="PathRegex" type="conf:PathRegexType"/> + <element name="Query" type="conf:QueryType"/> + </choice> + </sequence> 
+ <attribute name="regex" type="conf:string" use="required"/> + <attribute name="caseSensitive" type="boolean"/> + <attributeGroup ref="conf:ContentSettings"/> + </complexType> + + <complexType name="PathType"> + <sequence> + <choice minOccurs="0"> + <element name="htaccess" type="conf:PluggableType"/> + <element ref="conf:AccessControl"/> + <element name="AccessControlProvider" type="conf:PluggableType"/> + </choice> + <choice minOccurs="0" maxOccurs="unbounded"> + <element name="Path" type="conf:PathType"/> + <element name="PathRegex" type="conf:PathRegexType"/> + <element name="Query" type="conf:QueryType"/> + </choice> + </sequence> + <attribute name="name" type="conf:string" use="required"/> + <attributeGroup ref="conf:ContentSettings"/> + </complexType> + + <complexType name="PathRegexType"> + <sequence> + <choice minOccurs="0"> + <element name="htaccess" type="conf:PluggableType"/> + <element ref="conf:AccessControl"/> + <element name="AccessControlProvider" type="conf:PluggableType"/> + </choice> + <element name="Query" type="conf:QueryType" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="regex" type="conf:string" use="required"/> + <attribute name="caseSensitive" type="boolean"/> + <attributeGroup ref="conf:ContentSettings"/> + </complexType> + + <complexType name="QueryType"> + <sequence> + <choice minOccurs="0"> + <element name="htaccess" type="conf:PluggableType"/> + <element ref="conf:AccessControl"/> + <element name="AccessControlProvider" type="conf:PluggableType"/> + </choice> + <element name="Query" type="conf:QueryType" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="name" type="conf:string" use="required"/> + <attribute name="regex" type="conf:string"/> + <attributeGroup ref="conf:ContentSettings"/> + </complexType> + + <complexType name="ApplicationDefaultsType"> + <annotation> + <documentation>Container for default settings and application-specific overrides</documentation> + </annotation> + 
<sequence> + <element name="Sessions" type="conf:SessionsType"/> + <element name="Errors" type="conf:ErrorsType" minOccurs="0"/> + <choice minOccurs="0" maxOccurs="unbounded"> + <element name="RelyingParty" type="conf:RelyingPartyType"/> + <element name="Notify" type="conf:NotifyType"/> + <element name="MetadataProvider" type="conf:PluggableType"/> + <element name="TrustEngine" type="conf:PluggableType"/> + <element name="AttributeExtractor" type="conf:PluggableType"/> + <element name="AttributeResolver" type="conf:PluggableType"/> + <element name="AttributeFilter" type="conf:PluggableType"/> + <element name="CredentialResolver" type="conf:PluggableType"/> + <element ref="conf:ApplicationOverride"/> + <element name="ExternalApplicationOverrides" type="conf:ExternalApplicationOverridesType"/> + </choice> + </sequence> + <attribute name="id" type="conf:string" fixed="default"/> + <attribute name="entityID" type="conf:anyURI" use="required"/> + <attributeGroup ref="conf:ApplicationGroup"/> + <attributeGroup ref="conf:RelyingPartyGroup"/> + <anyAttribute namespace="##other" processContents="lax"/> + </complexType> + + <element name="ApplicationOverride" type="conf:ApplicationOverrideType"/> + + <complexType name="ApplicationOverrideType"> + <annotation> + <documentation>Container for application-specific overrides</documentation> + </annotation> + <sequence> + <element name="Sessions" type="conf:SessionsType" minOccurs="0"/> + <element name="Errors" type="conf:ErrorsType" minOccurs="0"/> + <choice minOccurs="0" maxOccurs="unbounded"> + <element name="RelyingParty" type="conf:RelyingPartyType"/> + <element name="Notify" type="conf:NotifyType"/> + <element name="MetadataProvider" type="conf:PluggableType"/> + <element name="TrustEngine" type="conf:PluggableType"/> + <element name="AttributeExtractor" type="conf:PluggableType"/> + <element name="AttributeResolver" type="conf:PluggableType"/> + <element name="AttributeFilter" type="conf:PluggableType"/> + <element 
name="CredentialResolver" type="conf:PluggableType"/> + </choice> + </sequence> + <attribute name="id" type="conf:string" use="required"/> + <attribute name="entityID" type="conf:anyURI"/> + <attributeGroup ref="conf:ApplicationGroup"/> + <attributeGroup ref="conf:RelyingPartyGroup"/> + <anyAttribute namespace="##other" processContents="lax"/> + </complexType> + + <complexType name="ExternalApplicationOverridesType"> + <annotation> + <documentation>Externalized application overrides.</documentation> + </annotation> + <sequence/> + <attribute name="path" type="conf:string" use="required" /> + </complexType> + + <attributeGroup name="ApplicationGroup"> + <attribute name="homeURL" type="conf:anyURI"/> + <attribute name="policyId" type="conf:string"/> + <attribute name="REMOTE_USER" type="conf:listOfStrings"/> + <attribute name="unsetHeaders" type="conf:listOfStrings"/> + <attribute name="metadataAttributePrefix" type="conf:string"/> + <attribute name="attributePrefix" type="conf:string"/> + <attribute name="requireAuthenticatedEncryption" type="boolean"/> + </attributeGroup> + + <attributeGroup name="RelyingPartyGroup"> + <attribute name="authType" type="conf:string"/> + <attribute name="authUsername" type="conf:string"/> + <attribute name="authPassword" type="conf:string"/> + <attribute name="signing" type="conf:bindingBoolean"/> + <attribute name="signingAlg" type="conf:anyURI"/> + <attribute name="digestAlg" type="conf:anyURI"/> + <attribute name="encryption" type="conf:bindingBoolean"/> + <attribute name="encryptionAlg" type="conf:anyURI"/> + <attribute name="keyName" type="conf:string"/> + <attribute name="artifactEndpointIndex" type="unsignedShort"/> + <attribute name="chunkedEncoding" type="boolean"/> + <attribute name="connectTimeout" type="unsignedShort"/> + <attribute name="timeout" type="unsignedShort"/> + <attribute name="cipherSuites" type="string"/> + <attribute name="requireConfidentiality" type="boolean"/> + <attribute name="requireTransportAuth" 
type="boolean"/> + <attribute name="requireSignedAssertions" type="boolean"/> + <attribute name="sessionHook" type="conf:anyURI"/> + <attribute name="artifactByFilesystem" type="boolean"/> + <attribute name="authnContextClassRef" type="conf:listOfURIs"/> + <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/> + <attribute name="NameIDFormat" type="conf:anyURI"/> + <attribute name="SPNameQualifier" type="conf:string"/> + <attribute name="attributeIndex" type="conf:string"/> + <attribute name="requestDelegation" type="boolean"/> + </attributeGroup> + + <complexType name="SessionsType"> + <annotation> + <documentation>Container for specifying protocol handlers and session policy</documentation> + </annotation> + <sequence> + <element name="SSO" minOccurs="0"> + <complexType> + <annotation> + <documentation>Implicitly configures SessionInitiator and AssertionConsumerService handlers</documentation> + </annotation> + <simpleContent> + <extension base="conf:listOfStrings"> + <attribute name="policyId" type="conf:string"/> + <attribute name="ignoreNoPassive" type="boolean"/> + <attribute name="discoveryProtocol" type="conf:string"/> + <attribute name="discoveryURL" type="conf:anyURI"/> + <attributeGroup ref="conf:SessionInitiatorGroup"/> + </extension> + </simpleContent> + </complexType> + </element> + <element name="Logout" minOccurs="0"> + <complexType> + <annotation> + <documentation>Implicitly configures LogoutInitiator and SingleLogoutService handlers</documentation> + </annotation> + <simpleContent> + <extension base="conf:listOfStrings"> + <attribute name="policyId" type="conf:string"/> + <attributeGroup ref="conf:LogoutInitiatorGroup"/> + </extension> + </simpleContent> + </complexType> + </element> + <element name="NameIDMgmt" minOccurs="0"> + <complexType> + <annotation> + <documentation>Implicitly configures ManageNameIDService handlers</documentation> + </annotation> + <simpleContent> + <extension base="conf:listOfStrings"> + 
<attribute name="policyId" type="conf:string"/> + </extension> + </simpleContent> + </complexType> + </element> + <choice minOccurs="0" maxOccurs="unbounded"> + <element ref="conf:SessionInitiator"/> + <element ref="conf:LogoutInitiator"/> + <element ref="md:AssertionConsumerService"/> + <element ref="md:ArtifactResolutionService"/> + <element ref="md:SingleLogoutService"/> + <element ref="md:ManageNameIDService"/> + <element ref="conf:Handler"/> + </choice> + </sequence> + <attribute name="handlerURL" type="conf:anyURI"/> + <attribute name="handlerSSL" type="boolean"/> + <attribute name="exportLocation" type="conf:string"/> + <attribute name="exportACL" type="conf:listOfStrings"/> + <attribute name="cookieName" type="conf:string"/> + <attribute name="cookieProps" type="conf:string"/> + <attribute name="sameSiteSession" type="conf:sameSiteType"/> + <attribute name="sameSiteFallback" type="boolean"/> + <attribute name="cookieLifetime" type="unsignedInt"/> + <attribute name="idpHistory" type="boolean"/> + <attribute name="idpHistoryDays" type="unsignedInt"/> + <attribute name="idpHistoryProps" type="conf:string"/> + <attribute name="lifetime" type="unsignedInt"/> + <attribute name="timeout" type="unsignedInt"/> + <attribute name="maxTimeSinceAuthn" type="unsignedInt"/> + <attribute name="checkAddress" type="boolean"/> + <attribute name="consistentAddress" type="boolean"/> + <attribute name="postData" type="conf:string"/> + <attribute name="postLimit" type="positiveInteger"/> + <attribute name="postTemplate" type="conf:string"/> + <attribute name="postExpire" type="boolean"/> + <attribute name="relayState" type="conf:string"/> + <attribute name="relayStateLimit" type="conf:redirectLimitType"/> + <attribute name="relayStateWhitelist" type="conf:listOfURIs"/> + <attribute name="redirectLimit" type="conf:redirectLimitType"/> + <attribute name="redirectWhitelist" type="conf:listOfURIs"/> + <attribute name="redirectAllow" type="conf:listOfURIs"/> + <anyAttribute 
namespace="##other" processContents="lax"/> + </complexType> + + <attribute name="policyId" type="conf:string"> + <annotation> + <documentation>Used to override Policy from profile endpoints</documentation> + </annotation> + </attribute> + + <attribute name="ignoreNoPassive" type="boolean"> + <annotation> + <documentation>Used to ignore NoPassive errors in AssertionConsumerService endpoints</documentation> + </annotation> + </attribute> + + <attribute name="signing" type="conf:bindingBoolean"> + <annotation> + <documentation>Used to override signing property in SingleLogoutService/etc endpoints</documentation> + </annotation> + </attribute> + + <attribute name="encryption" type="conf:bindingBoolean"> + <annotation> + <documentation>Used to override encryption property in SingleLogoutService/etc endpoints</documentation> + </annotation> + </attribute> + + <attributeGroup name="SessionInitiatorGroup"> + <annotation> + <documentation>Options common to explicit and implicit SessionInitiators</documentation> + </annotation> + <attribute name="relayState" type="conf:string"/> + <attribute name="entityIDParam" type="conf:string"/> + <attribute name="entityID" type="conf:anyURI"/> + <attribute name="outgoingBindings" type="conf:listOfURIs"/> + <attribute name="preservedOptions" type="conf:listOfStrings"/> + <attribute name="template" type="conf:anyURI"/> + <attribute name="postArtifact" type="boolean"/> + <attribute name="acsByIndex" type="boolean"/> + <attribute name="isPassive" type="boolean"/> + <attribute name="returnOnError" type="boolean"/> + <attribute name="forceAuthn" type="boolean"/> + <attribute name="authnContextClassRef" type="conf:anyURI"/> + <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/> + <attribute name="NameIDFormat" type="conf:anyURI"/> + <attribute name="SPNameQualifier" type="conf:string"/> + <attribute name="attributeIndex" type="conf:string"/> + <attribute name="requestDelegation" type="boolean"/> + <attribute 
name="target" type="conf:anyURI"/> + <attribute name="discoveryPolicy" type="conf:string"/> + <attribute name="signing" type="conf:bindingBoolean"/> + <attribute name="encryption" type="conf:bindingBoolean"/> + <attribute name="externalInput" type="boolean"/> + <anyAttribute namespace="##any" processContents="lax"/> + </attributeGroup> + + <element name="SessionInitiator"> + <annotation> + <documentation>Used to specify handlers that can issue AuthnRequests or perform discovery</documentation> + </annotation> + <complexType> + <complexContent> + <restriction base="conf:PluggableType"> + <sequence> + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="Location" type="conf:anyURI"/> + <attribute name="id" type="conf:string"/> + <attribute name="isDefault" type="boolean"/> + <attribute name="URL" type="conf:anyURI"/> + <attribute name="acsIndex" type="unsignedShort"/> + <attributeGroup ref="conf:SessionInitiatorGroup"/> + </restriction> + </complexContent> + </complexType> + </element> + + <attributeGroup name="LogoutInitiatorGroup"> + <annotation> + <documentation>Options common to explicit and implicit LogoutInitiators</documentation> + </annotation> + <attribute name="relayState" type="conf:string"/> + <attribute name="outgoingBindings" type="conf:listOfURIs"/> + <attribute name="template" type="conf:anyURI"/> + <attribute name="postArtifact" type="boolean"/> + <attribute name="signing" type="conf:bindingBoolean"/> + <attribute name="encryption" type="conf:bindingBoolean"/> + <anyAttribute namespace="##any" processContents="lax"/> + </attributeGroup> + + <element name="LogoutInitiator"> + <annotation> + <documentation>Used to specify handlers that can issue LogoutRequests</documentation> + </annotation> + <complexType> + <complexContent> + <restriction base="conf:PluggableType"> + <sequence> + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute 
name="Location" type="conf:anyURI"/>
+ <attributeGroup ref="conf:LogoutInitiatorGroup"/>
+ </restriction>
+ </complexContent>
+ </complexType>
+ </element>
+
+ <element name="Handler">
+ <annotation>
+ <documentation>Used to specify custom handlers</documentation>
+ </annotation>
+ <complexType>
+ <complexContent>
+ <restriction base="conf:PluggableType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Location" type="conf:anyURI" use="required"/>
+ <attribute name="acl" type="conf:listOfStrings"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </restriction>
+ </complexContent>
+ </complexType>
+ </element>
+
+ <complexType name="ErrorsType">
+ <annotation>
+ <documentation>Container for error templates and associated details</documentation>
+ </annotation>
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="redirectErrors" type="conf:anyURI"/>
+ <attribute name="session" type="conf:anyURI"/>
+ <attribute name="metadata" type="conf:anyURI"/>
+ <attribute name="access" type="conf:anyURI"/>
+ <attribute name="ssl" type="conf:anyURI"/>
+ <attribute name="localLogout" type="conf:anyURI"/>
+ <attribute name="globalLogout" type="conf:anyURI"/>
+ <attribute name="partialLogout" type="conf:anyURI"/>
+ <attribute name="externalParameters" type="boolean" />
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+
+ <complexType name="RelyingPartyType">
+ <annotation>
+ <documentation>Container for specifying settings to use with particular peers</documentation>
+ </annotation>
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Name" type="conf:string"/>
+ <attribute name="type" type="conf:string"/>
+ <attributeGroup ref="conf:RelyingPartyGroup"/>
+ <attribute name="entityID" type="conf:anyURI"/>
+ 
<anyAttribute namespace="##any" processContents="lax"/> + </complexType> + + <complexType name="NotifyType"> + <annotation> + <documentation>Used to specify locations to receive application notifications</documentation> + </annotation> + <sequence/> + <attribute name="Channel" use="required"> + <simpleType> + <restriction base="string"> + <enumeration value="front"/> + <enumeration value="back"/> + </restriction> + </simpleType> + </attribute> + <attribute name="Location" type="conf:anyURI" use="required"/> + <anyAttribute namespace="##any" processContents="lax"/> + </complexType> + + <element name="SecurityPolicies"> + <complexType> + <annotation> + <documentation>Container for specifying sets of policy rules to apply to incoming messages</documentation> + </annotation> + <sequence> + <element name="Policy" minOccurs="1" maxOccurs="unbounded"> + <annotation> + <documentation>Specifies a set of SecurityPolicyRule plugins</documentation> + </annotation> + <complexType> + <choice> + <element name="Rule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/> + <element name="PolicyRule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/> + </choice> + <attribute name="id" type="conf:string" use="required"/> + <attribute name="validate" type="boolean"/> + <anyAttribute namespace="##any" processContents="lax"/> + </complexType> + </element> + <choice minOccurs="0"> + <element name="AlgorithmWhitelist" type="conf:listOfURIs"/> + <element name="AlgorithmBlacklist"> + <complexType> + <simpleContent> + <extension base="conf:listOfURIs"> + <attribute name="includeDefaultBlacklist" type="boolean"/> + </extension> + </simpleContent> + </complexType> + </element> + <element name="IncludedAlgorithms" type="conf:listOfURIs"/> + <element name="ExcludedAlgorithms"> + <complexType> + <simpleContent> + <extension base="conf:listOfURIs"> + <attribute name="excludeDefaults" type="boolean"/> + </extension> + </simpleContent> + </complexType> + </element> + </choice> 
+ </sequence> + </complexType> + </element> + + <element name="TransportOption"> + <annotation> + <documentation>Implementation-specific option to pass to SOAPTransport provider.</documentation> + </annotation> + <complexType> + <simpleContent> + <extension base="anySimpleType"> + <attribute name="provider" type="conf:string" use="required"/> + <attribute name="option" type="conf:string" use="required"/> + </extension> + </simpleContent> + </complexType> + </element> + + <element name="SPConfig"> + <complexType> + <annotation> + <documentation>Root of configuration</documentation> + </annotation> + <sequence> + <element name="Extensions" type="conf:ExtensionsType" minOccurs="0"/> + <element name="OutOfProcess" type="conf:OutOfProcessType" minOccurs="0"/> + <element name="InProcess" type="conf:InProcessType" minOccurs="0"/> + <choice minOccurs="0"> + <element name="UnixListener"> + <complexType> + <attribute name="address" type="conf:string"/> + <attribute name="clientAddress" type="conf:string"/> + <attribute name="stackSize" type="unsignedInt"/> + </complexType> + </element> + <element name="TCPListener"> + <complexType> + <attribute name="address" type="conf:string"/> + <attribute name="port" type="unsignedInt"/> + <attribute name="clientAddress" type="conf:string"/> + <attribute name="clientPort" type="unsignedInt"/> + <attribute name="acl" type="conf:listOfStrings"/> + <attribute name="stackSize" type="unsignedInt"/> + <attribute name="retryErrors" type="conf:string"/> + </complexType> + </element> + <element name="Listener" type="conf:PluggableType"/> + </choice> + <element name="StorageService" type="conf:StorageServiceType" minOccurs="0" maxOccurs="unbounded"/> + <element name="DataSealer" type="conf:DataSealerType" minOccurs="0" /> + <element name="SessionCache" type="conf:SessionCacheType" minOccurs="0"/> + <element name="ReplayCache" type="conf:ReplayCacheType" minOccurs="0"/> + <element name="ArtifactMap" type="conf:ArtifactMapType" minOccurs="0"/> + 
<element name="RequestMapper" type="conf:PluggableType" minOccurs="0"/> + <element name="ApplicationDefaults" type="conf:ApplicationDefaultsType"/> + <element name="SecurityPolicyProvider" type="conf:PluggableType"/> + <element name="ProtocolProvider" type="conf:PluggableType" minOccurs="0"/> + <element ref="conf:TransportOption" minOccurs="0" maxOccurs="unbounded"/> + <element ref="ds:Signature" minOccurs="0"/> + </sequence> + <attribute name="logger" type="conf:anyURI"/> + <attribute name="clockSkew" type="unsignedInt"/> + <attribute name="unsafeChars" type="conf:string"/> + <attribute name="allowedSchemes" type="conf:listOfStrings"/> + <attribute name="langFromClient" type="boolean"/> + <attribute name="langPriority" type="conf:listOfStrings"/> + <attribute name="contactPriority" type="conf:listOfStrings"/> + <anyAttribute namespace="##other" processContents="lax"/> + </complexType> + </element> + +</schema> diff --git a/schema/shibboleth-afp.xsd b/schema/shibboleth-afp.xsd new file mode 100644 index 0000000..9af7009 --- /dev/null +++ b/schema/shibboleth-afp.xsd 
@@ -0,0 +1,952 @@ +<?xml version="1.0" encoding="UTF-8"?> +<schema xmlns="http://www.w3.org/2001/XMLSchema" + xmlns:afp="urn:mace:shibboleth:2.0:afp" + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" + targetNamespace="urn:mace:shibboleth:2.0:afp" + version="5.0.0" + elementFormDefault="qualified"> + + <import namespace="http://www.w3.org/2000/09/xmldsig#" + schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd" /> + + <annotation> + <documentation>Schema for the attribute filter policies.</documentation> + </annotation> + + <element name="AttributeFilterPolicyGroup" type="afp:AttributeFilterPolicyGroupType"> + <annotation> + <documentation> + Root element of the attribute filter policy. Represents a named group of filter policies. + </documentation> + </annotation> + </element> + <complexType name="AttributeFilterPolicyGroupType"> + <complexContent> + <extension base="afp:IdentityType"> + <sequence> + <element ref="afp:PolicyRequirementRule" minOccurs="0" maxOccurs="unbounded"> + <annotation> + <documentation> + Defines a set of applications requirements that may be reused across multiple filter + policies. + </documentation> + </annotation> + </element> + <element ref="afp:PermitValueRule" minOccurs="0" maxOccurs="unbounded"> + <annotation> + <documentation> + Defines a permit value rule that may be reused across multiple attribute rules. + </documentation> + </annotation> + </element> + <element ref="afp:DenyValueRule" minOccurs="0" maxOccurs="unbounded"> + <annotation> + <documentation> + Defines a deny value rule that may be reused across multiple attribute rules. + </documentation> + </annotation> + </element> + <element ref="afp:AttributeRule" minOccurs="0" maxOccurs="unbounded"> + <annotation> + <documentation> + Defines an attribute rule that may be reused across multiple filter policies. 
+ </documentation> + </annotation> + </element> + <element ref="afp:AttributeFilterPolicy" minOccurs="0" maxOccurs="unbounded"> + <annotation> + <documentation> + A policy that defines the set of attribute value filters that will be applied if its + application requirements are met. + </documentation> + </annotation> + </element> + <element ref="ds:Signature" minOccurs="0"> + <annotation> + <documentation> + Digital signature for the policy. Policies that are fetched from an external source, + such as a federation site, should be signed. + </documentation> + </annotation> + </element> + </sequence> + </extension> + </complexContent> + </complexType> + + <element name="AttributeFilterPolicy" type="afp:AttributeFilterPolicyType"> + <annotation> + <documentation> + A policy that defines a set of attribute value filters rules that should be used if given requirements + are met. + </documentation> + </annotation> + </element> + <complexType name="AttributeFilterPolicyType"> + <complexContent> + <extension base="afp:IdentityType"> + <sequence> + <element ref="afp:PolicyRequirementRule"> + <annotation> + <documentation> + A requirement that if met signals that this filter policy should be used. + </documentation> + </annotation> + </element> + <element ref="afp:AttributeRule" minOccurs="0" maxOccurs="unbounded"> + <annotation> + <documentation> + A rule that describes how values of an attribute will be filtered. 
+ </documentation> + </annotation> + </element> + </sequence> + </extension> + </complexContent> + </complexType> + + <element name="AttributeRule" type="afp:AttributeRuleType"> + <annotation> + <documentation>A rule that describes how values of an attribute will be filtered.</documentation> + </annotation> + </element> + <complexType name="AttributeRuleType"> + <complexContent> + <extension base="afp:IdentityType"> + <choice> + <choice minOccurs="0"> + <element ref="afp:PermitValueRule"/> + <element name="PermitValueRuleReference" type="afp:ReferenceType"> + <annotation> + <documentation> + Reference to a PermitValueRule defined within this policy group or another. + </documentation> + </annotation> + </element> + </choice> + <choice minOccurs="0"> + <element ref="afp:DenyValueRule"/> + <element name="DenyValueRuleReference" type="afp:ReferenceType"> + <annotation> + <documentation> + Reference to a DenyValueRule defined within this policy group or another. + </documentation> + </annotation> + </element> + </choice> + </choice> + <attribute name="attributeID" type="afp:string" use="required"> + <annotation> + <documentation>The ID of the attribute to which this rule applies.</documentation> + </annotation> + </attribute> + <attribute name="permitAny" type="afp:string"> + <annotation> + <documentation>If present, and true injects an implicit permit value rule of type ANY</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <element name="PolicyRequirementRule" type="afp:MatchFunctorType"> + <annotation> + <documentation>A requirement that if met signals that a filter policy should be used.</documentation> + </annotation> + </element> + <element name="PermitValueRule" type="afp:MatchFunctorType"> + <annotation> + <documentation> + A filter for attribute values. If the filter evaluates to true the value is permitted to be released. 
+ </documentation> + </annotation> + </element> + <element name="DenyValueRule" type="afp:MatchFunctorType"> + <annotation> + <documentation> + A filter for attribute values. If the filter evaluates to true the value is denied and may not be released. + </documentation> + </annotation> + </element> + <complexType name="MatchFunctorType" abstract="true"> + <complexContent> + <extension base="afp:IdentityType"/> + </complexContent> + </complexType> + + <complexType name="IdentityType"> + <attribute name="id" type="afp:string"> + <annotation> + <documentation>An ID, unique within the policy and component type.</documentation> + </annotation> + </attribute> + </complexType> + + <complexType name="ReferenceType"> + <attribute name="ref" type="afp:string"> + <annotation> + <documentation>Used to reference a globally defined policy component.</documentation> + </annotation> + </attribute> + </complexType> + + <!-- Blanket Match Function --> + <complexType name="ANY"> + <annotation> + <documentation>A match function that evaluates to true.</documentation> + </annotation> + <complexContent> + <extension base="afp:MatchFunctorType"/> + </complexContent> + </complexType> + + <!-- Directional Match Functions --> + <complexType name="Inbound"> + <annotation> + <documentation>A match function that evaluates to true.</documentation> + </annotation> + <complexContent> + <extension base="afp:MatchFunctorType"/> + </complexContent> + </complexType> + + <complexType name="Outbound"> + <annotation> + <documentation>A match function that evaluates to true.</documentation> + </annotation> + <complexContent> + <extension base="afp:MatchFunctorType"/> + </complexContent> + </complexType> + + <!-- Boolean Match Functions --> + <complexType name="AND"> + <annotation> + <documentation> + A match function that performs a logical AND on the results of all contained matching functions. 
+ </documentation> + </annotation> + <complexContent> + <extension base="afp:MatchFunctorType"> + <sequence maxOccurs="unbounded"> + <element name="Rule" type="afp:MatchFunctorType"> + <annotation> + <documentation> + The set of match function rules to be ANDed. + </documentation> + </annotation> + </element> + </sequence> + </extension> + </complexContent> + </complexType> + + <complexType name="OR"> + <annotation> + <documentation> + A match function that performs a logical OR on the results of all contained matching functions. + </documentation> + </annotation> + <complexContent> + <extension base="afp:MatchFunctorType"> + <sequence maxOccurs="unbounded"> + <element name="Rule" type="afp:MatchFunctorType"> + <annotation> + <documentation> + The set of match function rules to be ORed. + </documentation> + </annotation> + </element> + </sequence> + </extension> + </complexContent> + </complexType> + + <complexType name="NOT"> + <annotation> + <documentation> + A match function that performs a logical NOT on the result of the contained matching function. + </documentation> + </annotation> + <complexContent> + <extension base="afp:MatchFunctorType"> + <sequence minOccurs="1" maxOccurs="1"> + <element name="Rule" type="afp:MatchFunctorType"> + <annotation> + <documentation> + The set of match function rules to be negated. + </documentation> + </annotation> + </element> + </sequence> + </extension> + </complexContent> + </complexType> + + <!-- Predicate Plugin Function --> + <complexType name="Predicate"> + <annotation> + <documentation> + A match function that matches the attribute request against the + specified value. 
+ </documentation> + </annotation> + <complexContent> + <extension base="afp:MatchFunctorType"> + <attribute name="rulePredicateRef" type="afp:string" use="required"> + <annotation> + <documentation> + The reference to an externally defined bean to do the predicate work + </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <!-- Literal String Match Functions --> + <complexType name="Requester"> + <annotation> + <documentation> + A match function that matches the attribute requester against the specified value. + </documentation> + </annotation> + <complexContent> + <extension base="afp:StringMatchType"/> + </complexContent> + </complexType> + + <complexType name="ProxiedRequester"> + <annotation> + <documentation> + A match function that matches a proxied attribute requester against the specified value. + </documentation> + </annotation> + <complexContent> + <extension base="afp:StringMatchType"/> + </complexContent> + </complexType> + + <complexType name="Issuer"> + <annotation> + <documentation> + A match function that matches the attribute issuer against the specified value. + </documentation> + </annotation> + <complexContent> + <extension base="afp:StringMatchType"/> + </complexContent> + </complexType> + + <complexType name="PrincipalName"> + <annotation> + <documentation>A match function that matches the principal name against the specified value.</documentation> + </annotation> + <complexContent> + <extension base="afp:StringMatchType"/> + </complexContent> + </complexType> + + <complexType name="Profile"> + <annotation> + <documentation>A match function that matches the active profile identifier against the specified value.</documentation> + </annotation> + <complexContent> + <extension base="afp:StringMatchType"/> + </complexContent> + </complexType> + + <complexType name="Value"> + <annotation> + <documentation> + A match function that matches the value of an attribute against the specified value. 
This match + evaluates to true if the attribute contains the specified value. + </documentation> + </annotation> + <complexContent> + <extension base="afp:TargetedStringMatchType"/> + </complexContent> + </complexType> + + <complexType name="Scope"> + <annotation> + <documentation> + A match function that matches the attribute scope against the specified value. + </documentation> + </annotation> + <complexContent> + <extension base="afp:TargetedStringMatchType"/> + </complexContent> + </complexType> + + <complexType name="TargetedStringMatchType" abstract="true"> + <complexContent> + <extension base="afp:StringMatchType"> + <attribute name="attributeID" type="afp:string"> + <annotation> + <documentation> + The ID of the attribute whose value should be matched. If no attribute ID is specified the + ID of the containing attribute rule is assumed. + </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="StringMatchType" abstract="true"> + <complexContent> + <extension base="afp:MatchFunctorType"> + <attribute name="value" type="afp:string" use="required"> + <annotation> + <documentation>The string value to match.</documentation> + </annotation> + </attribute> + <attribute name="caseSensitive" type="afp:string"> + <annotation> + <documentation> + A boolean flag indicating whether the match evaluation should be case sensitive. + </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <!-- Regular Expression Match Functions --> + <complexType name="RequesterRegex"> + <annotation> + <documentation> + A match function that matches the attribute requester against the specified regular expression. 
+ </documentation> + </annotation> + <complexContent> + <extension base="afp:RegexMatchType"/> + </complexContent> + </complexType> + + <complexType name="ProxiedRequesterRegex"> + <annotation> + <documentation> + A match function that matches a proxied attribute requester against the specified regular expression. + </documentation> + </annotation> + <complexContent> + <extension base="afp:RegexMatchType"/> + </complexContent> + </complexType> + + <complexType name="IssuerRegex"> + <annotation> + <documentation> + A match function that matches the attribute issuer against the specified regular expression. + </documentation> + </annotation> + <complexContent> + <extension base="afp:RegexMatchType"/> + </complexContent> + </complexType> + + <complexType name="PrincipalNameRegex"> + <annotation> + <documentation> + A match function that matches the principal name against the specified regular expression. + </documentation> + </annotation> + <complexContent> + <extension base="afp:RegexMatchType"/> + </complexContent> + </complexType> + + <complexType name="ValueRegex"> + <annotation> + <documentation> + A match function that matches an attribute value against the specified regular expression. This function + evaluates to true if any value matches the given expression. + </documentation> + </annotation> + <complexContent> + <extension base="afp:TargetedRegexMatchType"/> + </complexContent> + </complexType> + + <complexType name="ScopeRegex"> + <annotation> + <documentation> + A match function that matches the attribute scope against the specified regular expression. + </documentation> + </annotation> + <complexContent> + <extension base="afp:TargetedRegexMatchType"/> + </complexContent> + </complexType> + + <complexType name="TargetedRegexMatchType" abstract="true"> + <complexContent> + <extension base="afp:RegexMatchType"> + <attribute name="attributeID" type="afp:string"> + <annotation> + <documentation> + The ID of the attribute whose value should be matched. 
If no attribute ID is specified the + ID of the containing attribute rule is assumed. + </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="RegexMatchType" abstract="true"> + <complexContent> + <extension base="afp:MatchFunctorType"> + <attribute name="regex" type="afp:string" use="required"> + <annotation> + <documentation>The regular expression values are matched against.</documentation> + </annotation> + </attribute> + <attribute name="caseSensitive" type="afp:string"> + <annotation> + <documentation>Whether the comparison is case sensitive, default TRUE</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <!-- Misc. Functions --> + <complexType name="Script"> + <annotation> + <documentation> + A match function that evaluates a script to determine if some criteria is met. The script MUST return a + boolean. + </documentation> + </annotation> + <complexContent> + <extension base="afp:MatchFunctorType"> + <choice> + <element name="Script" type="afp:string" minOccurs="0"> + <annotation> + <documentation>The script to evaluate to construct the attribute.</documentation> + </annotation> + </element> + <element name="ScriptFile" type="afp:string" minOccurs="0"> + <annotation> + <documentation> + The filesystem path to the script to evaluate to construct the attribute. + </documentation> + </annotation> + </element> + </choice> + <attribute name="language" type="afp:string"> + <annotation> + <documentation> + The JSR-233 name for the scripting language that will be used. By default "javascript" is + supported. + </documentation> + </annotation> + </attribute> + <attribute name="customObjectRef" type="afp:string"> + <annotation> + <documentation> + The name of a bean defined somewhere else which will be injected into the script as an + object called "custom". If not supplied nothing is injected. 
+ </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="NumberOfAttributeValues"> + <annotation> + <documentation> + A match function that evaluates to true if the given attribute has as a number of values that falls + between the minimum and maximum. This method may be used as a sanity check to ensure that an unexpected + number of values did not come from the attribute resolver and be released. + </documentation> + </annotation> + <complexContent> + <extension base="afp:MatchFunctorType"> + <attribute name="attributeID" type="afp:string" use="required"> + <annotation> + <documentation>The ID of the attribute whose value should be matched.</documentation> + </annotation> + </attribute> + <attribute name="minimum" type="afp:string"> + <annotation> + <documentation>Minimum number of values an attribute may have.</documentation> + </annotation> + </attribute> + <attribute name="maximum" type="afp:string"> + <annotation> + <documentation>Maximum number of values an attribute may have.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <!-- SAML-specific. --> + + <complexType name="EntityAttributeExactMatch"> + <annotation> + <documentation> + A match function that checks if the attribute requester's metadata + contains an entity attribute with the specified value. + </documentation> + </annotation> + <complexContent> + <extension base="afp:EntityAttributeExactMatchType"/> + </complexContent> + </complexType> + + <complexType name="ProxiedRequesterEntityAttributeExactMatch"> + <annotation> + <documentation> + A match function that checks if a proxied requester's metadata + contains an entity attribute with the specified value. 
+ </documentation> + </annotation> + <complexContent> + <extension base="afp:EntityAttributeExactMatchType"/> + </complexContent> + </complexType> + + <complexType name="IssuerEntityAttributeExactMatch"> + <annotation> + <documentation> + A match function that checks if the attribute issuer's metadata + contains an entity attribute with the specified value. + </documentation> + </annotation> + <complexContent> + <extension base="afp:EntityAttributeExactMatchType"/> + </complexContent> + </complexType> + + <complexType name="EntityAttributeExactMatchType" abstract="true"> + <complexContent> + <extension base="afp:MatchFunctorType"> + <attribute name="attributeName" type="afp:string" use="required"> + <annotation> + <documentation>The name of the entity attribute to match.</documentation> + </annotation> + </attribute> + <attribute name="attributeValue" type="afp:string" use="required"> + <annotation> + <documentation>The value of the entity attribute to match.</documentation> + </annotation> + </attribute> + <attribute name="attributeNameFormat" type="afp:string"> + <annotation> + <documentation>The NameFormat of the entity attribute to match.</documentation> + </annotation> + </attribute> + <attribute name="ignoreUnmappedEntityAttributes" type="afp:string"> + <annotation> + <documentation> + Boolean attribute, whether to examine only mapped/decoded attributes, default is false. + </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="EntityAttributeRegexMatch"> + <annotation> + <documentation> + A match function that checks if the attribute requester's metadata contains + an entity attribute with a value that matches the given regular expression. 
+ </documentation> + </annotation> + <complexContent> + <extension base="afp:EntityAttributeRegexMatchType"/> + </complexContent> + </complexType> + + <complexType name="ProxiedRequesterEntityAttributeRegexMatch"> + <annotation> + <documentation> + A match function that checks if a proxied requester's metadata contains + an entity attribute with a value that matches the given regular expression. + </documentation> + </annotation> + <complexContent> + <extension base="afp:EntityAttributeRegexMatchType"/> + </complexContent> + </complexType> + + <complexType name="IssuerEntityAttributeRegexMatch"> + <annotation> + <documentation> + A match function that checks if the attribute issuer's metadata contains + an entity attribute with a value that matches the given regular expression. + </documentation> + </annotation> + <complexContent> + <extension base="afp:EntityAttributeRegexMatchType"/> + </complexContent> + </complexType> + + <complexType name="EntityAttributeRegexMatchType" abstract="true"> + <complexContent> + <extension base="afp:MatchFunctorType"> + <attribute name="attributeName" type="afp:string" use="required"> + <annotation> + <documentation>The name of the entity attribute to match.</documentation> + </annotation> + </attribute> + <attribute name="attributeValueRegex" type="afp:string" use="required"> + <annotation> + <documentation>The regular expression that must match the value of the entity attribute to + match.</documentation> + </annotation> + </attribute> + <attribute name="attributeNameFormat" type="afp:string"> + <annotation> + <documentation>The name format of the entity attribute to match.</documentation> + </annotation> + </attribute> + <attribute name="ignoreUnmappedEntityAttributes" type="afp:string"> + <annotation> + <documentation> + Boolean attribute, whether to examine only mapped/decoded attributes, default is false. 
+ </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="NameIDFormatExactMatch"> + <annotation> + <documentation> + A match function that evaluates to true if the attribute requester supports a specified + NameID format. + </documentation> + </annotation> + <complexContent> + <extension base="afp:NameIDFormatExactMatchType"/> + </complexContent> + </complexType> + + <complexType name="IssuerNameIDFormatExactMatch"> + <annotation> + <documentation> + A match function that evaluates to true if the attribute issuer supports a specified + NameID format. + </documentation> + </annotation> + <complexContent> + <extension base="afp:NameIDFormatExactMatchType"/> + </complexContent> + </complexType> + + <complexType name="NameIDFormatExactMatchType" abstract="true"> + <complexContent> + <extension base="afp:MatchFunctorType"> + <attribute name="nameIdFormat" type="afp:string" use="required"> + <annotation> + <documentation>The NameID format that needs to be supported by the entity.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="InEntityGroup"> + <annotation> + <documentation> + A match function that evaluates to true if the attribute requester is found in metadata and + is a member of the given entity group. + </documentation> + </annotation> + <complexContent> + <extension base="afp:EntityGroupMatchType"/> + </complexContent> + </complexType> + + <complexType name="ProxiedRequesterInEntityGroup"> + <annotation> + <documentation> + A match function that evaluates to true if a proxied requester is found in metadata and + is a member of the given entity group. 
+ </documentation> + </annotation> + <complexContent> + <extension base="afp:EntityGroupMatchType"/> + </complexContent> + </complexType> + + <complexType name="IssuerInEntityGroup"> + <annotation> + <documentation> + A match function that evaluates to true if the attribute issuer is found in metadata and + is a member of the given entity group. + </documentation> + </annotation> + <complexContent> + <extension base="afp:EntityGroupMatchType"/> + </complexContent> + </complexType> + + <complexType name="EntityGroupMatchType" abstract="true"> + <complexContent> + <extension base="afp:MatchFunctorType"> + <attribute name="groupID" type="afp:string" use="required"> + <annotation> + <documentation>The entity group ID that an entity must be in.</documentation> + </annotation> + </attribute> + <attribute name="checkAffiliations" type="afp:string"> + <annotation> + <documentation> + Whether to check for membership in metadata-based AffiliationDescriptors. + + Defaults to false. + </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="RegistrationAuthority"> + <annotation> + <documentation> + A match function that matches a requester's MDRPI against a list of potential values. + </documentation> + </annotation> + <complexContent> + <extension base="afp:RegistrationAuthorityMatchType" /> + </complexContent> + </complexType> + + <complexType name="ProxiedRequesterRegistrationAuthority"> + <annotation> + <documentation> + A match function that matches a proxied requester's MDRPI against a list of potential values. + </documentation> + </annotation> + <complexContent> + <extension base="afp:RegistrationAuthorityMatchType" /> + </complexContent> + </complexType> + + <complexType name="IssuerRegistrationAuthority"> + <annotation> + <documentation> + A match function that matches the attribute issuer's MDRPI content against a list of potential values. 
+ </documentation> + </annotation> + <complexContent> + <extension base="afp:RegistrationAuthorityMatchType" /> + </complexContent> + </complexType> + + <complexType name="RegistrationAuthorityMatchType" abstract="true"> + <complexContent> + <extension base="afp:MatchFunctorType"> + <attribute name="registrars" type="afp:anyURIListType" use="required"> + <annotation> + <documentation>The string values to match.</documentation> + </annotation> + </attribute> + <attribute name="matchIfMetadataSilent" type="boolean"> + <annotation> + <documentation> + A boolean flag indicating whether a match should occur if the metadata does + not contain an MDRPI statement (coded) default is false. + </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="ScopeMatchesShibMDScope"> + <annotation> + <documentation> + A match function that ensures that an attribute value's scope matches a scope given in + metadata for the entity or role of the attribute issuer. + </documentation> + </annotation> + <complexContent> + <extension base="afp:MatchFunctorType"/> + </complexContent> + </complexType> + + <complexType name="ValueMatchesShibMDScope"> + <annotation> + <documentation> + A match function that ensures that an attribute value's scope matches a scope given in + metadata for the entity or role of the attribute issuer. + </documentation> + </annotation> + <complexContent> + <extension base="afp:MatchFunctorType"/> + </complexContent> + </complexType> + + <complexType name="AttributeInMetadata"> + <annotation> + <documentation> + A match function that evaluates to true if an attribute (or specific values) is specified by + the requesting entity's AttributeConsumingService SP metadata. + + It supports both explicit checking for a named SAML RequestedAttribute in metadata, or + comparison via the transcoding registry to compare the internal attribute form against + decoded objects produced from the metadata. 
This is the old "mapped" functionality + in V3 and is now collapsed into one matcher type. + </documentation> + </annotation> + <complexContent> + <extension base="afp:MatchFunctorType"> + <attribute name="attributeID" type="afp:string"> + <annotation> + <documentation> + The ID of the attribute whose value should be matched. If no attribute ID is specified the + ID of the containing attribute rule is assumed. + </documentation> + </annotation> + </attribute> + <attribute name="onlyIfRequired" type="afp:string"> + <annotation> + <documentation> + A boolean flag indicating whether attributes noted as optional should match. + </documentation> + </annotation> + </attribute> + <attribute name="matchIfMetadataSilent" type="afp:string"> + <annotation> + <documentation> + A boolean flag indicating whether a match should occur if (after mapping) + the metadata does not contain and Attributes. + </documentation> + </annotation> + </attribute> + <attribute name="attributeName" type="afp:string"> + <annotation> + <documentation>The name of a requested attribute to look for.</documentation> + </annotation> + </attribute> + <attribute name="attributeNameFormat" type="afp:string"> + <annotation> + <documentation>The name format of a requested attribute to look for.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <simpleType name="anyURIListType"> + <list itemType="string"/> + </simpleType> + + <simpleType name="string"> + <restriction base="string"> + <minLength value="1"/> + </restriction> + </simpleType> +</schema> diff --git a/schema/shibboleth-attribute-resolver.xsd b/schema/shibboleth-attribute-resolver.xsd new file mode 100644 index 0000000..cca79e7 --- /dev/null +++ b/schema/shibboleth-attribute-resolver.xsd 
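Review bot: The `<import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd" />` near the top of this hunk names a plaintext HTTP location for the XML-DSig schema, so unless the validator's search path or an XML catalog already maps it to a local file, every schema check of the attribute-filter files depends on an unauthenticated network fetch that can fail (breaking validation) or be tampered with (loosening what `ds:Signature` content is accepted). Since this repository already carries other W3C and OASIS schemas locally, I would vendor `xmldsig-core-schema.xsd` alongside them and point the import at the local name, `schemaLocation="xmldsig-core-schema.xsd"`, and run the validator with network access disabled (e.g. `xmllint --nonet`) so a missing local copy fails closed rather than silently reaching out. Adding a short comment above the import, `<!-- resolved locally; validation must not fetch schemas over the network -->`, would make the intent explicit to whoever next refreshes this vendored file from upstream.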
@@ -0,0 +1,2274 @@ +<?xml version="1.0" encoding="UTF-8"?> +<schema xmlns="http://www.w3.org/2001/XMLSchema" xmlns:resolver="urn:mace:shibboleth:2.0:resolver" + xmlns:sec="urn:mace:shibboleth:2.0:security" targetNamespace="urn:mace:shibboleth:2.0:resolver" + elementFormDefault="qualified" version="5.0.0"> + + <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/> + <import namespace="urn:mace:shibboleth:2.0:security" schemaLocation="http://shibboleth.net/schema/idp/shibboleth-security.xsd"/> + + <annotation> + <documentation>Shibboleth V4 Attribute Resolver configuration schema + </documentation> + </annotation> + + <element name="AttributeResolver" type="resolver:AttributeResolverType"> + <annotation> + <documentation>Root of the attribute resolver configuration file. + </documentation> + </annotation> + </element> + <complexType name="AttributeResolverType"> + <choice minOccurs="0" maxOccurs="unbounded"> + <element ref="resolver:AttributeDefinition"/> + <element ref="resolver:DataConnector"/> + </choice> + <attribute name="id" type="resolver:string"> + <annotation> + <documentation>A unique identifier for this Resolver. + </documentation> + </annotation> + </attribute> + </complexType> + + <element name="AttributeDefinition" type="resolver:BaseAttributeDefinitionType"> + <annotation> + <documentation>Defines an attribute definition within this resolver. + </documentation> + </annotation> + </element> + + <complexType name="BaseAttributeDefinitionType"> + <annotation> + <documentation> + Attribute definition define the finished attributes to be released by the + resolver. 
+ + Definitions derived from this type need to explicitly include (as a choice) + the Dependency, DisplayName, DisplayDescription and Encoder sub elements + + </documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseResolutionPlugInType"> + <attribute name="dependencyOnly" type="resolver:string"> + <annotation> + <documentation> + A boolean flag that indicates whether this attribute definition is + only defined because its data is needed elsewhere within the resolver + and as such should not be released outside the resolver. + </documentation> + </annotation> + </attribute> + <attribute name="preRequested" type="resolver:string"> + <annotation> + <documentation> + A boolean flag that indicates whether this attribute definition and + its dependencies are to be resolved in a "first pass", prior to the + main resolution. These attributes will be populated into a child + context so as to be available to activationConditions. + </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <element name="AttributeEncoder" type="resolver:BaseAttributeEncoderType"> + <annotation> + <documentation>Defines an encoder for an attribute.</documentation> + </annotation> + </element> + + <complexType name="BaseAttributeEncoderType"> + <annotation> + <documentation> + An attribute encoder is responsible for converting an attribute, and its values, + into a protocol specific representation such as a SAML 1 or SAML 2 Attribute. + The use of them to produce a SAML NameIdentifier/NameID is DEPRECATED. 
+ </documentation> + </annotation> + <sequence> + <element name="ActivationConditionScript" type="resolver:ScriptType" minOccurs="0"> + <annotation> + <documentation> + A scripted predicate which controls whether this encoder will run + </documentation> + </annotation> + </element> + </sequence> + <attribute name="name" type="resolver:string"/> + <attribute name="encodeType" type="resolver:string"> + <annotation> + <documentation> + A boolean indicating whether the encoding should include type information. This is + encoding-specific (e.g., for XML it likely involves xsi:type). + </documentation> + </annotation> + </attribute> + <attribute name="activationConditionRef" type="resolver:string"> + <annotation> + <documentation> + A reference to a Predicate which controls whether this encoder will run + Mutually exclusive with relyingParties + </documentation> + </annotation> + </attribute> + <attribute name="relyingParties" type="resolver:string"> + <annotation> + <documentation> + A (space separated) list of entities for which this plugin is to be active + Mutually exclusive with activationConditionRef + </documentation> + </annotation> + </attribute> + </complexType> + + <element name="DataConnector" type="resolver:BaseDataConnectorType"> + <annotation> + <documentation> + Defines a data connector which is used to pull information from local + infrastructure. + </documentation> + </annotation> + </element> + + <complexType name="BaseDataConnectorType"> + <annotation> + <documentation> + Data connectors pull information from local infrastructure, such as + databases and LDAP directories, and make these raw attributes available + to attribute definitions for finishing. 
+ </documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseResolutionPlugInType"> + <attribute name="noRetryDelay" type="resolver:string"> + <annotation> + <documentation>Time to bypass connector after a failure before trying it again.</documentation> + </annotation> + </attribute> + <attribute name="exportAttributes" type="resolver:string"> + <annotation> + <documentation>A list of attribute names to be exported by the resolution process from this data connector.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="BaseResolutionPlugInType" abstract="true"> + <annotation> + <documentation> + A base type for all attribute resolver plugins: data and principal + connectors and attribute definitions + </documentation> + </annotation> + <attribute name="id" type="resolver:string" use="required"> + <annotation> + <documentation>A unique identifier for this definition.</documentation> + </annotation> + </attribute> + <attribute name="activationConditionRef" type="resolver:string"> + <annotation> + <documentation> + A reference to a predicate to decide whether this plugin is applicable. + Mutually exclusive with [exclude]relyingParties and [exclude]resolutionPhases. + </documentation> + </annotation> + </attribute> + <attribute name="relyingParties" type="resolver:string"> + <annotation> + <documentation> + A (space separated) list of entities for which this plugin is to be active. + Mutually exclusive with activationConditionRef. + </documentation> + </annotation> + </attribute> + <attribute name="excludeRelyingParties" type="resolver:string"> + <annotation> + <documentation> + A (space separated) list of entities for which this plugin is to be inactive. + Mutually exclusive with activationConditionRef. 
+ </documentation> + </annotation> + </attribute> + <attribute name="resolutionPhases" type="resolver:string"> + <annotation> + <documentation> + A (space separated) list of resolution "phases" for which this plugin is to be active. + Mutually exclusive with activationConditionRef. + </documentation> + </annotation> + </attribute> + <attribute name="excludeResolutionPhases" type="resolver:string"> + <annotation> + <documentation> + A (space separated) list of resolution "phases" for which this plugin is to be inactive. + Mutually exclusive with activationConditionRef. + </documentation> + </annotation> + </attribute> + <attribute name="propagateResolutionExceptions" type="resolver:string"> + <annotation> + <documentation> + DEPRECATED: Whether to ripple errors produced by the plugin out to the resolver (default is true). + </documentation> + </annotation> + </attribute> + </complexType> + + <element name="InputAttributeDefinition" type="resolver:PluginDependencyType"> + <annotation> + <documentation> + Defines a dependency on a specific Attribute Definition. + </documentation> + </annotation> + </element> + <element name="InputDataConnector"> + <annotation> + <documentation> + Defines a dependency on a specific Data Connector. + + attributeNames is a space separated list of attribute names. Property replacement done + before "listification"" + + allAttributes means take all attributes. Property replacement done before conversion + + One one of the above are allowed. + </documentation> + </annotation> + <complexType> + <complexContent> + <extension base="resolver:PluginDependencyType"> + <attribute name="allAttributes" type="resolver:string"/> + <attribute name="attributeNames" type="resolver:string"/> + </extension> + </complexContent> + </complexType> + </element> + <element name="FailoverDataConnector" type="resolver:PluginDependencyType"> + <annotation> + <documentation> + Defines a data connector to use should the parent data connector fail. 
+ </documentation> + </annotation> + </element> + <complexType name="PluginDependencyType"> + <annotation> + <documentation>An (abstract) type that represents a reference to another plugin</documentation> + </annotation> + <attribute name="ref" type="resolver:string" use="required"/> + </complexType> + + <complexType name="LocalizedStringType"> + <simpleContent> + <extension base="string"> + <attribute ref="xml:lang"/> + </extension> + </simpleContent> + </complexType> + + <complexType name="ValueMapType"> + <annotation> + <documentation> + Performs many to one mapping of source values to a return value. SourceValue strings may include regular + expressions and the ReturnValue may include back references to capturing groups as supported by + java.util.regex.Pattern. + </documentation> + </annotation> + <sequence> + <element name="ReturnValue" type="string"> + <annotation> + <documentation>The value to be returned from this value map.</documentation> + </annotation> + </element> + <element name="SourceValue" maxOccurs="unbounded"> + <annotation> + <documentation>A regular expression string to be matched against the incoming value.</documentation> + </annotation> + <complexType> + <simpleContent> + <extension base="string"> + <attribute name="caseSensitive" type="resolver:string"> + <annotation> + <documentation>If true, value matching will be case-sensitive.</documentation> + </annotation> + </attribute> + <attribute name="partialMatch" type="resolver:string"> + <annotation> + <documentation> + If true, the SourceValue may match only a substring of the incoming value. By + default, it must match the entire value. 
+ </documentation> + </annotation> + </attribute> + </extension> + </simpleContent> + </complexType> + </element> + </sequence> + </complexType> + + <complexType name="ContextDerivedAttribute"> + <annotation> + <documentation>A attribute definition to pull attribute values from anywhere in the PRC tree</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + </choice> + <attribute name="attributeValuesFunctionRef" type="resolver:string" use="required"> + <annotation> + <documentation>The Function to generate the Attribute Values given a PRC</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="Mapped"> + <annotation> + <documentation> + The mapped attribute definition performs a many to many mapping from source attributes values provided + by the definition's dependencies to values which are returned. Each source value is passed through each + defined ValueMap which may result in one or more resulting values. If no ValueMaps match the source + value and a DefaultValue is defined, the DefaultValue is used. + </documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element ref="resolver:InputAttributeDefinition"/> + <element ref="resolver:InputDataConnector"/> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + <element name="DefaultValue"> + <annotation> + <documentation> + A source value is mapped to the DefaultValue if none of the ValueMaps result in a match. 
+ This string may not contain regular expression back references. + </documentation> + </annotation> + <complexType> + <simpleContent> + <extension base="string"> + <attribute name="passThru" type="resolver:string"> + <annotation> + <documentation> + If true, the source value is passed thru unmodified. If passThru is + enabled, DefaultValue may not contain a string value. + </documentation> + </annotation> + </attribute> + </extension> + </simpleContent> + </complexType> + </element> + <element name="ValueMap" type="resolver:ValueMapType" maxOccurs="unbounded"/> + </choice> + </extension> + </complexContent> + </complexType> + + <complexType name="Prescoped"> + <annotation> + <documentation> + An attribute definition that splits the values of the source attribute into an attribute value + with a value and scope. + </documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element ref="resolver:InputAttributeDefinition"/> + <element ref="resolver:InputDataConnector"/> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + </choice> + <attribute name="scopeDelimiter" type="resolver:string"> + <annotation> + <documentation>Delimiter between the value and scope.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="PrincipalName"> + <annotation> + <documentation>Exposes the principal's name as an attribute definition.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + </choice> + 
</extension> + </complexContent> + </complexType> + + <complexType name="RegexSplit"> + <annotation> + <documentation>An attribute definition that splits the source attribute's values based on a regular expression.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element ref="resolver:InputAttributeDefinition"/> + <element ref="resolver:InputDataConnector"/> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + </choice> + <attribute name="regex" type="resolver:string" use="required"> + <annotation> + <documentation>The regular expression used to split a value.</documentation> + </annotation> + </attribute> + <attribute name="caseSensitive" type="resolver:string"> + <annotation> + <documentation> + A boolean flag indicating the case sensitivity of the regular expression. 
+ </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="SAML1NameIdentifier"> + <annotation> + <documentation>DEPRECATED: An attribute definition that creates attributes whose values are SAML 1 NameIdentifiers.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element ref="resolver:InputAttributeDefinition"/> + <element ref="resolver:InputDataConnector"/> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + </choice> + <attribute name="nameIdFormat" type="resolver:string"> + <annotation> + <documentation>The SAML 1 NameFormat of the NameID.</documentation> + </annotation> + </attribute> + <attribute name="nameIdQualifier" type="resolver:string"> + <annotation> + <documentation>The SAML 1 NameQualifier of the NameID.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="SAML2NameID"> + <annotation> + <documentation>DEPRECATED: An attribute definition that creates attributes whose values are SAML 2 NameIDs.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element ref="resolver:InputAttributeDefinition"/> + <element ref="resolver:InputDataConnector"/> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + </choice> + <attribute name="nameIdFormat" type="resolver:string"> + <annotation> + <documentation>The SAML 2 NameFormat of the NameID.</documentation> + </annotation> + </attribute> + <attribute name="nameIdQualifier" type="resolver:string"> + 
<annotation> + <documentation>The SAML 2 NameQualifier of the NameID.</documentation> + </annotation> + </attribute> + <attribute name="nameIdSPQualifier" type="resolver:string"> + <annotation> + <documentation>The SAML 2 SPNameQualifier of the NameID.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="Scoped"> + <annotation> + <documentation>A basic attribute definition which supports attribute scoping.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element ref="resolver:InputAttributeDefinition"/> + <element ref="resolver:InputDataConnector"/> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + </choice> + <attribute name="scope" type="resolver:string"> + <annotation> + <documentation>Value to use for scoping the attribute.</documentation> + </annotation> + </attribute> + <attribute name="scopeFromDependency" type="resolver:string"> + <annotation> + <documentation>Attribute whose values will be used for scoping the attribute.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="ScriptedAttribute"> + <annotation> + <documentation> + An attribute definition that constructs its attributes by means of a script supported by JSR-223. The + script is provided all the edu.internet2.middleware.shibboleth.common.attribute.Attribute object + resolved from all the definitions dependencies. The resultant attribute definition must then be bound to + a script attribute corresponding to the script variable whose name is the ID of the definition. This + variable is injected into the script by the attribute definition. 
+ + </documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element ref="resolver:InputAttributeDefinition"/> + <element ref="resolver:InputDataConnector"/> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + <element name="Script" type="resolver:string"> + <annotation> + <documentation>The script to evaluate to construct the attribute.</documentation> + </annotation> + </element> + <element name="ScriptFile" type="resolver:string"> + <annotation> + <documentation> + The filesystem path to the script to evaluate to construct the attribute. + </documentation> + </annotation> + </element> + </choice> + <attribute name="language" type="resolver:string"> + <annotation> + <documentation> + The JSR-233 name for the scripting language that will be used. By default "javascript" is + supported. + </documentation> + </annotation> + </attribute> + <attribute name="customObjectRef" type="resolver:string"> + <annotation> + <documentation> + The name of a bean defined somewhere else which will be injected into the script as an + object called "custom". If not supplied, nothing is injected. 
+ </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="Simple"> + <annotation> + <documentation>A basic attribute definition.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element ref="resolver:InputAttributeDefinition"/> + <element ref="resolver:InputDataConnector"/> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + </choice> + <attribute name="ignoreNullValues" type="resolver:string"> + <annotation> + <documentation>Do we drop null values (default: FALSE)</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="DateTime"> + <annotation> + <documentation>An attribute definition producing date/time values.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element ref="resolver:InputAttributeDefinition"/> + <element ref="resolver:InputDataConnector"/> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + </choice> + <attribute name="ignoreConversionErrors" type="resolver:string"> + <annotation> + <documentation>Are conversion errors ignored? 
(default: FALSE)</documentation> + </annotation> + </attribute> + <attribute name="epochInSeconds" type="resolver:string"> + <annotation> + <documentation> + Use seconds as epoch unit instead of millseconds when converting numeric data (default: TRUE) + </documentation> + </annotation> + </attribute> + <attribute name="formattingString" type="resolver:string"> + <annotation> + <documentation>A formatting string to use converting string data.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="Decrypted"> + <annotation> + <documentation>An attribute definition involving an encrypted (DataSealed) attribute</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element ref="resolver:InputAttributeDefinition"/> + <element ref="resolver:InputDataConnector"/> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + </choice> + <attribute name="dataSealerRef" type="resolver:string"> + <annotation> + <documentation>Value to use for the decryption key</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="SubjectDerivedAttribute"> + <annotation> + <documentation>A attribute definition to pull attribute values from the Principals. 
A short cut looks at IdPAttributePrincipals</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + </choice> + <attribute name="attributeValuesFunctionRef" type="resolver:string"> + <annotation> + <documentation> + Provides a plug in point to allow general extraction of values from Principals. + Mutually exclusive with principalAttributeName. + </documentation> + </annotation> + </attribute> + <attribute name="principalAttributeName" type="resolver:string"> + <annotation> + <documentation> + The id of the IdPAttribute contained within a IdPAttributePrincipal to look for. + Mutually exclusive with attributeValueEngineRef. + </documentation> + </annotation> + </attribute> + <attribute name="forCanonicalization" type="resolver:string"> + <annotation> + <documentation> + If true, the source Subject is assumed to be undergoing C14N rather than the + usual post-authentication source. Defaults to false. + </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="Template"> + <annotation> + <documentation> + An Attribute Definition that constructs its values based on the values of its dependencies using the + Velocity Template Language. Dependencies may have multiple values, however multiple dependencies must + have the same number of values. In the case of multi-valued dependencies, the template will be evaluated + multiples times, iterating over each dependency. 
+ </documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeDefinitionType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element ref="resolver:InputAttributeDefinition"/> + <element ref="resolver:InputDataConnector"/> + <element name="DisplayName" type="resolver:LocalizedStringType"/> + <element name="DisplayDescription" type="resolver:LocalizedStringType"/> + <element ref="resolver:AttributeEncoder"/> + <element name="Template" type="resolver:string"> + <annotation> + <documentation> + Template specified in the Velocity Template Language used to construct attribute values. + </documentation> + </annotation> + </element> + </choice> + <attribute name="velocityEngine" type="resolver:string"> + <annotation> + <documentation>Name of the velocity engine defined within the application.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="ComputedId"> + <annotation> + <documentation> + An ID created by digesting the requesting entityID, an attribute value (usually a user identifier), and a salt. + </documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseDataConnectorType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element ref="resolver:InputAttributeDefinition"/> + <element ref="resolver:InputDataConnector"/> + <element ref="resolver:FailoverDataConnector"/> + </choice> + <attribute name="generatedAttributeID" type="resolver:string"> + <annotation> + <documentation> + The name of the attribute produced by this data connector. + </documentation> + </annotation> + </attribute> + <attribute name="salt" type="resolver:string"> + <annotation> + <documentation> + A salt, of at least 16 bytes, used in the computed ID. + </documentation> + </annotation> + </attribute> + <attribute name="encodedSalt" type="resolver:string"> + <annotation> + <documentation> + A base64-encoded salt, of at least 16 bytes, used in the computed ID. 
+ </documentation> + </annotation> + </attribute> + <attribute name="algorithm" type="resolver:string"> + <annotation> + <documentation> + The JCE digest algorithm to use, defaults to SHA-1. + </documentation> + </annotation> + </attribute> + <attribute name="encoding" type="resolver:string"> + <annotation> + <documentation> + An encoding type to apply after the digest, defaults to BASE64 but should + be set to BASE32. + </documentation> + </annotation> + </attribute> + <attribute name="exceptionMapRef" type="resolver:string"> + <annotation> + <documentation> + Spring bean reference to a map of overrides that alter salt or suppress generation + for particular users/services. + </documentation> + </annotation> + </attribute> + <attribute name="saltLookupStrategyRef" type="resolver:string"> + <annotation> + <documentation> + Spring bean reference to a BiFunction<ProfileRequestContext,PairwiseId> + to obtain the salt. + </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="LDAPDirectory"> + <annotation> + <documentation> + A data connector that can pull information from an LDAP, version 3, directory. + </documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseDataConnectorType"> + <choice maxOccurs="unbounded" minOccurs="0"> + <element ref="resolver:InputAttributeDefinition"/> + <element ref="resolver:InputDataConnector"/> + <element ref="resolver:FailoverDataConnector"/> + <element name="FilterTemplate" type="resolver:string"> + <annotation> + <documentation> + A template used to construct the LDAP filter used to query the directory. + </documentation> + </annotation> + </element> + <element name="ReturnAttributes" type="resolver:string" minOccurs="0"> + <annotation> + <documentation> + A space separated list of attributes that should be returned from the query. 
+ </documentation> + </annotation> + </element> + <element name="BinaryAttributes" type="resolver:string" minOccurs="0"> + <annotation> + <documentation> + A space separated list of attributes whose values should be encoded. + </documentation> + </annotation> + </element> + <element name="StartTLSTrustCredential" type="sec:X509Credential"> + <annotation> + <documentation> + The X.509 trust information to use when connecting to the directory over LDAPS or startTLS. + DEPRECATED in 3.4 Use trustFile= + </documentation> + </annotation> + </element> + <element name="StartTLSAuthenticationCredential" type="sec:X509Credential"> + <annotation> + <documentation> + The X.509 client authentication information to use when connecting to the directory over LDAPS or startTLS. + DEPRECATED in 3.4 Use authCert= and authKey + </documentation> + </annotation> + </element> + <element name="ConnectionPool" type="resolver:LdapPoolConfigType"/> + <element name="SASLConfig" type="resolver:SaslConfigType"/> + <element name="Column" type="resolver:ColumnType"/> + <element name="ResultCache" type="resolver:CacheConfigType"/> + <element name="ResultCacheBean" type="string"/> + </choice> + <attribute name="ldapURL" type="resolver:string"> + <annotation> + <documentation> + The URL to the LDAP server. + If the search scope is set to ONELEVEL only the entries + within this node will be searched, if SUBTREE is specified entries within this node and descendant + nodes will be searched. + </documentation> + </annotation> + </attribute> + <attribute name="connectionStrategy" type="resolver:string"> + <annotation> + <documentation> + The LDAP connection strategy. Acceptable values are ACTIVE_PASSIVE, ROUND_ROBIN and RANDOM. + Default value is ACTIVE_PASSIVE. 
+ </documentation> + </annotation> + </attribute> + <attribute name="baseDN" type="resolver:string"> + <annotation> + <documentation> + The base DN from which attribute search filtering occurs + </documentation> + </annotation> + </attribute> + <attribute name="principal" type="resolver:string"> + <annotation> + <documentation>The DN for the principal connecting to the LDAP directory.</documentation> + </annotation> + </attribute> + <attribute name="principalCredential" type="string"> + <annotation> + <documentation> + The credential for the principal connecting to the LDAP directory. + </documentation> + </annotation> + </attribute> + <attribute name="searchScope" type="resolver:string"> + <annotation> + <documentation> + The LDAP search scope. Acceptable values are OBJECT, ONELEVEL, SUBTREE. + Default value is SUBTREE. + </documentation> + </annotation> + </attribute> + <attribute name="derefAliases" type="resolver:string"> + <annotation> + <documentation> + The LDAP alias dereference behavior. Acceptable values are NEVER, SEARCHING, FINDING, ALWAYS. + Default value is NEVER. + </documentation> + </annotation> + </attribute> + <attribute name="followReferrals" type="resolver:string"> + <annotation> + <documentation> + A boolean flag indicating whether search referrals and search references should be followed. + Default value is false. + </documentation> + </annotation> + </attribute> + <attribute name="useStartTLS" type="resolver:string"> + <annotation> + <documentation> + A boolean flag indicating whether startTLS should be used when connecting to the LDAP. + Default value is false. + </documentation> + </annotation> + </attribute> + <attribute name="startTLSTimeout" type="resolver:string"> + <annotation> + <documentation> + The maximum amount of time to wait for startTLS responses. If this limit is + reached a timeout error is raised. Default value is 3 seconds. + Time is expressed in ISO8601 duration format. 
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="searchTimeLimit" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for search results. If this limit is
+ reached a timeout error is raised. Default value is 3 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="connectTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for connections to open. If this limit is
+ reached a timeout error is raised. Default value is 3 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="responseTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for operation responses. If this limit is
+ reached a timeout error is raised. Default value is 3 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="autoReconnect" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether unexpectedly closed connections should automatically attempt to reconnect.
+ Default value is true.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="reconnectTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for a reconnect to occur. If this limit is
+ reached a timeout error is raised. Default value is 10 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="maxResultSize" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum number of results that may be returned from a query.
+ Default value is 1.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="noResultIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a query returning no results should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="multipleResultsIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a query returning more than one result should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="lowercaseAttributeNames" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to lowercase LDAP attribute names used as IDs for shibboleth attributes
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="templateEngine" type="resolver:string">
+ <annotation>
+ <documentation>Name of the template engine defined within the application.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="executableSearchBuilderRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="mappingStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the MappingStrategy implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="connectionFactoryRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Connection Factory implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="searchOperationRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Search Operation implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validatorRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Validator implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="trustFile" type="resolver:string">
+ <annotation>
+ <documentation>
+ Path to a file with the X.509 trust information to use when connecting to the directory over LDAPS or startTLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="disableHostnameVerification" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to disable hostname/certificate checking during TLS. Defaults to false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authCert" type="resolver:string">
+ <annotation>
+ <documentation>
+ Path to a file with the X.509 trust client authentication certificate to use when connecting to the directory over LDAPS or startTLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authKey" type="resolver:string">
+ <annotation>
+ <documentation>
+ Path to a file with the X.509 trust client authentication key to use when connecting to the directory over LDAPS or startTLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authKeyPassword" type="string">
+ <annotation>
+ <documentation>
+ Password for the supplied authKey
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="failFastInitialize" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to fail if the LDAP server cannot be verified at startup (defaults to false).
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="PairwiseId">
+ <annotation>
+ <documentation>
+ A connector for pairwise ID production that directly leverages a PairwiseIdStore bean.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ </choice>
+ <attribute name="pairwiseIdStoreRef" type="resolver:string" use="required">
+ <annotation>
+ <documentation>
+ Bean name of the PairwiseIdStore to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="generatedAttributeID" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of the attribute produced by this data connector.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="RelationalDatabase">
+ <annotation>
+ <documentation>
+ A data connector definition that uses JDBC version 3 to connect to and pull information from a
+ relational database.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element ref="resolver:ContainerManagedConnection">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database managed by the application
+ container.
+ </documentation>
+ </annotation>
+ </element>
+ <element ref="resolver:SimpleManagedConnection">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database managed by the data connector.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="BeanManagedConnection" type="string">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database configured in a Spring bean.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="QueryTemplate" type="resolver:string" minOccurs="0">
+ <annotation>
+ <documentation>
+ A template that will be used to create the SQL query thats pulls information from the
+ database.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="Column" type="resolver:ColumnType"/>
+ <element name="ResultCache" type="resolver:CacheConfigType"/>
+ <element name="ResultCacheBean" type="resolver:string"/>
+ </choice>
+ <attribute name="queryTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ Timeout for the queries made to the database.
+ Timeout is given in ISO8601 duration form.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="noResultIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a query returning no results should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="multipleResultsIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a query returning more than one result should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="templateEngine" type="resolver:string">
+ <annotation>
+ <documentation>
+ Name of the template engine defined within the application.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="executableSearchBuilderRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="mappingStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the MappingStrategy implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validatorRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Validator implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="failFastInitialize" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to fail if the DataConnector cannot be verified at startup (defaults to false).
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="HTTP">
+ <annotation>
+ <documentation>
+ A data connector definition that issues requests and parses responses using HTTP, typically
+ via a form of web service. REST and scripted handling of responses, typically in JSON,
+ is the primary use case.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element name="URLTemplate">
+ <annotation>
+ <documentation>
+ A template that will be used to create the absolute URL to request.
+ </documentation>
+ </annotation>
+ <complexType>
+ <simpleContent>
+ <extension base="string">
+ <attribute name="customObjectRef" type="resolver:string" />
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <element name="BodyTemplate">
+ <annotation>
+ <documentation>
+ A template that will be used to create a body to POST.
+ </documentation>
+ </annotation>
+ <complexType>
+ <simpleContent>
+ <extension base="string">
+ <attribute name="MIMEType" type="resolver:string" />
+ <attribute name="charset" type="resolver:string" />
+ <attribute name="customObjectRef" type="resolver:string" />
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <element name="CacheKeyTemplate" type="resolver:string">
+ <annotation>
+ <documentation>
+ A template that will be used to create a key to the caching of the results.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="ResponseMapping" type="resolver:ScriptType">
+ <annotation>
+ <documentation>Maps the response into attributes by means of scripting.</documentation>
+ </annotation>
+ </element>
+ <element name="ResultCache" type="resolver:CacheConfigType"/>
+ <element name="ResultCacheBean" type="resolver:string"/>
+ </choice>
+ <attribute name="httpClientRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the HttpClient to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="httpClientSecurityParametersRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the HttpClientSecurityParameters to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="serverCertificate" type="resolver:string">
+ <annotation>
+ <documentation>
+ Location of certificate to authenticate HTTP server
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="certificateAuthority" type="resolver:string">
+ <annotation>
+ <documentation>
+ Location of CA to indirectly authenticate HTTP server
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="clientPrivateKey" type="resolver:string">
+ <annotation>
+ <documentation>
+ Location of private key to authenticate with via TLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="clientCertificate" type="resolver:string">
+ <annotation>
+ <documentation>
+ Location of client certificate to authenticate with via TLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="templateEngine" type="resolver:string">
+ <annotation>
+ <documentation>
+ Name of the template engine defined within the application.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="maxLength" type="resolver:string">
+ <annotation>
+ <documentation>
+ Maximum size of response body to accept.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="acceptStatuses" >
+ <annotation>
+ <documentation>
+ A space-delimited list of HTTP status codes that should be treated as successful.
+ </documentation>
+ </annotation>
+ <simpleType>
+ <list itemType="string"/>
+ </simpleType>
+ </attribute>
+ <attribute name="acceptTypes" >
+ <annotation>
+ <documentation>
+ A space-delimited list of MIME content types that should be accepted.
+ </documentation>
+ </annotation>
+ <simpleType>
+ <list itemType="string"/>
+ </simpleType>
+ </attribute>
+ <attribute name="headerMapRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing a Map<String,String> of request headers to set.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="executableSearchBuilderRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="mappingStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the MappingStrategy implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validatorRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Validator implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="failFastInitialize" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to fail if the HTTP server cannot be verified at startup (defaults to false).
+ No verification takes place currently.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ScriptedDataConnector">
+ <annotation>
+ <documentation>
+ A data connector that constructs attributes by means of a script supported by JSR-223. Populated
+ Attributes are added to the java.util.Collection "connectorResults".
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element name="Script" type="resolver:string">
+ <annotation>
+ <documentation>The script to evaluate to construct the attribute.</documentation>
+ </annotation>
+ </element>
+ <element name="ScriptFile" type="resolver:string">
+ <annotation>
+ <documentation>
+ The filesystem path to the script to evaluate to construct the attribute.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="language" type="resolver:string">
+ <annotation>
+ <documentation>
+ The JSR-233 name for the scripting language that will be used. By default "javascript" is
+ supported.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="customObjectRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of a bean defined somewhere else which will be injected into the script as an
+ object called "custom". If not supplied, nothing is injected.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Static">
+ <annotation>
+ <documentation>
+ A data connector that gets its information from a static list of attributes and values specified within
+ this configuration.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <sequence>
+ <element name="Attribute" minOccurs="0" maxOccurs="unbounded">
+ <annotation>
+ <documentation>
+ Specifies an attribute, and its values, to be exposed by this connector.
+ </documentation>
+ </annotation>
+ <complexType>
+ <sequence>
+ <element name="Value" type="resolver:string" maxOccurs="unbounded">
+ <annotation>
+ <documentation>
+ A value of the attribute. If the value contains characters that would
+ otherwise need to be XML encoded you may wrap the value in a CDATA section.
+ </documentation>
+ </annotation>
+ </element>
+ </sequence>
+ <attribute name="id" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The ID of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+ </element>
+ </sequence>
+ <attribute name="attributeListRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of a bean defined somewhere else which describes a List of IdPAttributes
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="StorageService">
+ <annotation>
+ <documentation>
+ A data connector definition that queries for a record via the IdP's StorageService API.
+ Simple and scripted handling of records, typically in JSON, is the primary use case.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element name="ContextTemplate" type="resolver:string">
+ <annotation>
+ <documentation>
+ A template that will be used to create the context to query.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="KeyTemplate" type="resolver:string">
+ <annotation>
+ <documentation>
+ A template that will be used to create the key to query.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="RecordMapping" type="resolver:ScriptType">
+ <annotation>
+ <documentation>
+ Maps the record into attributes by means of scripting.
+ Mutually exclusive with generatedAttributeID attribute.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="ResultCache" type="resolver:CacheConfigType"/>
+ <element name="ResultCacheBean" type="resolver:string"/>
+ </choice>
+ <attribute name="storageServiceRef" type="resolver:string" use="required">
+ <annotation>
+ <documentation>
+ Reference to Spring bean of the StorageService to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="customObjectRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Injected object into Context/Key template building process.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="generatedAttributeID" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of the attribute produced by this data connector if simple
+ record mapping is used. Mutually exclusive with ResponseMapping element.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="noResultIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a search returning no record should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="templateEngine" type="resolver:string">
+ <annotation>
+ <documentation>
+ Name of the template engine defined within the application.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="executableSearchBuilderRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="mappingStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the MappingStrategy implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="StoredId">
+ <annotation>
+ <documentation>
+ A connector that retrieves a pairwise ID from a database.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element ref="resolver:SimpleManagedConnection"/>
+ <element ref="resolver:ContainerManagedConnection">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database managed by the application
+ container.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="BeanManagedConnection" type="resolver:string">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database configured in a Spring bean.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="queryTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ Timeout for the queries made to the database.
+ Timeout is given in ISO8601 duration form.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="transactionRetries" type="resolver:string">
+ <annotation>
+ <documentation>
+ Number of retries if insert fails (defaults to 3).
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="tableName" type="resolver:string">
+ <annotation>
+ <documentation>
+ Overrides name of database table to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="failFastInitialize" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to fail if the store cannot be verified at startup (defaults to false).
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="retryableErrors">
+ <annotation>
+ <documentation>
+ A space-delimited list of SQLState codes to treat as retryable (indicating
+ a duplicate insert error occurred).
+ </documentation>
+ </annotation>
+ <simpleType>
+ <list itemType="string"/>
+ </simpleType>
+ </attribute>
+ <attribute name="generatedAttributeID" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of the attribute produced by this data connector.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="salt" type="resolver:string">
+ <annotation>
+ <documentation>
+ A salt, of at least 16 bytes, used in the computed ID.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="encodedSalt" type="resolver:string">
+ <annotation>
+ <documentation>
+ A base64-encoded salt, of at least 16 bytes, used in the computed ID.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="algorithm" type="resolver:string">
+ <annotation>
+ <documentation>
+ The JCE digest algorithm to use, defaults to SHA-1.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="encoding" type="resolver:string">
+ <annotation>
+ <documentation>
+ An encoding type to apply after the digest, defaults to BASE64 but should
+ be set to BASE32.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="exceptionMapRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Spring bean reference to a map of overrides that alter salt or suppress generation
+ for particular users/services.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="saltLookupStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Spring bean reference to a BiFunction<ProfileRequestContext,PairwiseId>
+ to obtain the salt.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Subject">
+ <annotation>
+ <documentation>
+ A data connector that constructs attributes by extracting all IdPAttributePrincipal objects
+ found within the Subject(s) associated with the requests.
+
+ This is a streamlined approach to extracting them one by one with the SubjectDerivedAttribute
+ plugin provided encoding and other attribute metadata can be obtained from the system's
+ generalized transcoding facility.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <sequence>
+ <element ref="resolver:FailoverDataConnector" minOccurs="0" maxOccurs="1"/>
+ </sequence>
+ <attribute name="noResultIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether an absence of any results will cause an error. If an error
+ is raised and a failover dependency is defined for this connector the failover will be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="forCanonicalization" type="resolver:string">
+ <annotation>
+ <documentation>
+ If true, the source Subject is assumed to be undergoing C14N rather than the
+ usual post-authentication source. Defaults to false.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="EntityAttributes">
+ <annotation>
+ <documentation>
+ A connector for extracting mapped/decoded metadata tags from a peer's metadata.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <attribute name="metadataContextStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Bean ID of a Function to locate the SAMLMetadataContext to operate on.
+ Default is to locate it under the inbound message context via SAMLPeerEntityContext.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <!-- Support types for DataConnectors -->
+
+ <complexType name="ColumnType">
+ <attribute name="columnName" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The name of the database column.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="attributeID" type="resolver:string">
+ <annotation>
+ <documentation>The name of the attribute that data from this column should be added to.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="SaslConfigType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element name="SASLProperty" type="resolver:PropertyType">
+ <annotation>
+ <documentation>
+ SASL configuration properties.
+ Common properties include javax.security.sasl.qop, javax.security.sasl.strength, javax.security.sasl.server.authentication.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="mechanism" type="resolver:string">
+ <annotation>
+ <documentation>
+ The SASL mechanism. Common values are EXTERNAL, DIGEST_MD5, CRAM_MD5, GSSAPI
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authorizationId" type="resolver:string">
+ <annotation>
+ <documentation>SASL authorization ID.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="realm" type="resolver:string">
+ <annotation>
+ <documentation>The SASL realm.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="LdapPoolConfigType">
+ <attribute name="minPoolSize" type="resolver:string">
+ <annotation>
+ <documentation>
+ The minimum number of ldap connections that should always be available in the pool.
+ Note that these connections are provisioned as soon as the pool is initialized.
+ Default value is 0.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="maxPoolSize" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum number of ldap connections that should ever be available in the pool.
+ Note that when this threshold is reach the pool will begin blocking until a connection
+ is available.
+ Default value is 3.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="blockWaitTime" type="resolver:string">
+ <annotation>
+ <documentation>
+ Amount of time to block while waiting for a connection from the pool. If no
+ wait time is given, callers will block indefinitely.
+
+ Values are expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validatePeriodically" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether each ldap connection should be checked on a periodic basis.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validateTimerPeriod" type="resolver:string">
+ <annotation>
+ <documentation>
+ Time that the periodic pool validation process should repeat.
+ Ldap objects are pruned when they have been idle beyond the expiration time.
+ The pool is not pruned below the minimum pool size.
+ Default value is 30 minutes.
+
+ Period is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validateDN" type="resolver:string">
+ <annotation>
+ <documentation>
+ Ldap compare DN to use for connection validation.
+ Used in conjunction with validateFilter to perform a compare.
+ Default value is empty.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validateFilter" type="resolver:string">
+ <annotation>
+ <documentation>
+ Ldap compare filter to use for connection validation.
+ Used in conjunction with validateDN to perform a compare.
+ Default value is (objectClass=*).
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validateOnCheckout" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to validate connections when checking them out of the pool.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="prunePeriod" type="resolver:string">
+ <annotation>
+ <documentation>
+ Duration between looking for idle connections to reduce the pool back
+ to its minimum size.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="expirationTime" type="resolver:string">
+ <annotation>
+ <documentation>
+ Time in that an object in the pool should be considered stale and ready for removal.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="CacheConfigType">
+ <attribute name="cacheManagerRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Name of the CacheManager bean that will manage the result cache. This is not used.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="expireAfterAccess" type="resolver:string">
+ <annotation>
+ <documentation>
+ Length of time a result will be cached after the last access.
+ Incompatible with expireAfterWrite.
+
+ Duration is expressed in ISO8601 duration notation.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="expireAfterWrite" type="resolver:string">
+ <annotation>
+ <documentation>
+ Length of time a result will be cached from the time
+ it is inserted into the cache.
+ Incompatible with expireAfterAccess.
+
+ Duration is expressed in ISO8601 duration notation.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="maximumCachedElements" type="resolver:string">
+ <annotation>
+ <documentation>
+ Maximum number of results that will be held in cache.
+ </documentation> + </annotation> + </attribute> + </complexType> + + <element name="ContainerManagedConnection" type="resolver:ContainerManagedConnectionType"> + <annotation> + <documentation> + Describes a database connection source that is managed by the application container. + </documentation> + </annotation> + </element> + + <complexType name="ContainerManagedConnectionType"> + <attribute name="resourceName" type="resolver:string" use="required"> + <annotation> + <documentation>The resource name the DataSource is bound to in the JNDI tree.</documentation> + </annotation> + </attribute> + </complexType> + + <complexType name="PropertyType"> + <attribute name="name" type="resolver:string" use="required"> + <annotation> + <documentation>The name of the property.</documentation> + </annotation> + </attribute> + <attribute name="value" type="resolver:string" use="required"> + <annotation> + <documentation>The value of the property,</documentation> + </annotation> + </attribute> + </complexType> + + <element name="SimpleManagedConnection" type="resolver:SimpleManagedConnectionType"> + <annotation> + <documentation> + Describes a simple database connection source that is managed by the attribute resolver data connector. + Included to "get people going" only + </documentation> + </annotation> + </element> + + <complexType name="SimpleManagedConnectionType"> + <attribute name="jdbcDriver" type="resolver:string" use="required"> + <annotation> + <documentation> + This is the full qualified class name of the JDBC driver used to connect to the database. + </documentation> + </annotation> + </attribute> + <attribute name="jdbcURL" type="resolver:string" use="required"> + <annotation> + <documentation> + The JDBC URL for the database. These are usually of the form + jdbc:databaseProduceName:databaseSpecificInformation. 
For example, jdbc:hsql:mem:MyDatabase + </documentation> + </annotation> + </attribute> + <attribute name="jdbcUserName" type="resolver:string"> + <annotation> + <documentation>The user name to use while connecting to the database.</documentation> + </annotation> + </attribute> + <attribute name="jdbcPassword" type="string"> + <annotation> + <documentation>The password to use while connecting to the database.</documentation> + </annotation> + </attribute> + </complexType> + + <!-- Encoders that produce SAML 1 or SAML 2 Attributes --> + <complexType name="SAML1String"> + <annotation> + <documentation>Defines a SAML 1 string encoder for an attribute.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeEncoderType"> + <attribute name="namespace" type="resolver:string"> + <annotation> + <documentation>The SAML 1 Namespace of the attribute.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="SAML1Base64"> + <annotation> + <documentation>Defines a SAML 1 Base64 encoder for an attribute.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeEncoderType"> + <attribute name="namespace" type="resolver:string"> + <annotation> + <documentation>The SAML 1 Namespace of the attribute.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="SAML1XMLObject"> + <annotation> + <documentation>Defines a SAML 1 Base64 encoder for an attribute.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeEncoderType"> + <attribute name="namespace" type="resolver:string"> + <annotation> + <documentation>The SAML 1 Namespace of the attribute.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="SAML2String"> + <annotation> + <documentation>Defines a SAML 2 string encoder for an 
attribute.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeEncoderType"> + <attribute name="nameFormat" type="resolver:string"> + <annotation> + <documentation>The SAML 2 NameFormat of the attribute.</documentation> + </annotation> + </attribute> + <attribute name="friendlyName" type="resolver:string"> + <annotation> + <documentation>The SAML 2 FriendlyName of the attribute.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="SAML2DateTime"> + <annotation> + <documentation>Defines a SAML 2 date/time encoder for an attribute.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeEncoderType"> + <attribute name="nameFormat" type="resolver:string"> + <annotation> + <documentation>The SAML 2 NameFormat of the attribute.</documentation> + </annotation> + </attribute> + <attribute name="friendlyName" type="resolver:string"> + <annotation> + <documentation>The SAML 2 FriendlyName of the attribute.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="SAML2Base64"> + <annotation> + <documentation>Defines a SAML 2 Base64 encoder for an attribute.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeEncoderType"> + <attribute name="nameFormat" type="resolver:string"> + <annotation> + <documentation>The SAML 2 NameFormat of the attribute.</documentation> + </annotation> + </attribute> + <attribute name="friendlyName" type="resolver:string"> + <annotation> + <documentation>The SAML 2 FriendlyName of the attribute.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="SAML2XMLObject"> + <annotation> + <documentation>Defines a SAML 2 Base64 encoder for an attribute.</documentation> + </annotation> + <complexContent> + <extension 
base="resolver:BaseAttributeEncoderType"> + <attribute name="nameFormat" type="resolver:string"> + <annotation> + <documentation>The SAML 2 NameFormat of the attribute.</documentation> + </annotation> + </attribute> + <attribute name="friendlyName" type="resolver:string"> + <annotation> + <documentation>The SAML 2 FriendlyName of the attribute.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="BaseScopedAttributeEncoderType"> + <annotation> + <documentation>Defines an encoder for a scoped attribute.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseAttributeEncoderType"> + <attribute name="scopeType" type="resolver:string"> + <annotation> + <documentation> + The type of scoping to use for the encoded attribute. Valid values are "inline" or + "attribute". + </documentation> + </annotation> + </attribute> + <attribute name="scopeDelimiter" type="resolver:string"> + <annotation> + <documentation> + If scopeType is "inline", this is the delimeter used between the attribute value and + scope. + </documentation> + </annotation> + </attribute> + <attribute name="scopeAttribute" type="resolver:string"> + <annotation> + <documentation> + If scopeType is "attribute", this is the name of the name of the attribute used to carry the + scope value. 
+ </documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="SAML1ScopedString"> + <annotation> + <documentation>Defines a SAML 1 string encoder for a scoped attribute.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseScopedAttributeEncoderType"> + <attribute name="namespace" type="resolver:string"> + <annotation> + <documentation>The SAML 1 Namespace of the attribute.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <complexType name="SAML2ScopedString"> + <annotation> + <documentation>Defines a SAML 2 string encoder for a scoped attribute.</documentation> + </annotation> + <complexContent> + <extension base="resolver:BaseScopedAttributeEncoderType"> + <attribute name="nameFormat" type="resolver:string"> + <annotation> + <documentation>The SAML 2 NameFormat of the attribute.</documentation> + </annotation> + </attribute> + <attribute name="friendlyName" type="resolver:string"> + <annotation> + <documentation>The SAML 2 FriendlyName of the attribute.</documentation> + </annotation> + </attribute> + </extension> + </complexContent> + </complexType> + + <!-- Reusable type for inline scripting. --> + + <complexType name="ScriptType"> + <annotation> + <documentation> + A type for elements that allow for scripts to be declared inline or via a resource. + </documentation> + </annotation> + <choice> + <element name="Script" type="resolver:string"> + <annotation> + <documentation>The script to evaluate to construct the attribute.</documentation> + </annotation> + </element> + <element name="ScriptFile" type="resolver:string"> + <annotation> + <documentation> + Path of a local resource containing the script to evaluate to construct the attribute. 
+ </documentation> + </annotation> + </element> + </choice> + <attribute name="language" type="resolver:string"> + <annotation> + <documentation> + The JSR-233 name for the scripting language that will be used. + By default "javascript" is assumed. + </documentation> + </annotation> + </attribute> + <attribute name="customObjectRef" type="resolver:string"> + <annotation> + <documentation> + The name of a bean defined somewhere else which will be injected into the script as an + object called "custom". If not supplied, nothing is injected. + </documentation> + </annotation> + </attribute> + </complexType> + + <simpleType name="string"> + <restriction base="string"> + <minLength value="1"/> + </restriction> + </simpleType> + +</schema> diff --git a/schema/xenc-schema.xsd b/schema/xenc-schema.xsd new file mode 100644 index 0000000..d61229f --- /dev/null +++ b/schema/xenc-schema.xsd 
@@ -0,0 +1,146 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE schema PUBLIC "-//W3C//DTD XMLSchema 200102//EN" + "http://www.w3.org/2001/XMLSchema.dtd" + [ + <!ATTLIST schema + xmlns:xenc CDATA #FIXED 'http://www.w3.org/2001/04/xmlenc#' + xmlns:ds CDATA #FIXED 'http://www.w3.org/2000/09/xmldsig#'> + <!ENTITY xenc 'http://www.w3.org/2001/04/xmlenc#'> + <!ENTITY % p ''> + <!ENTITY % s ''> + ]> + +<schema xmlns='http://www.w3.org/2001/XMLSchema' version='1.0' + xmlns:xenc='http://www.w3.org/2001/04/xmlenc#' + xmlns:ds='http://www.w3.org/2000/09/xmldsig#' + targetNamespace='http://www.w3.org/2001/04/xmlenc#' + elementFormDefault='qualified'> + + <import namespace='http://www.w3.org/2000/09/xmldsig#' + schemaLocation='xmldsig-core-schema.xsd'/> + + <complexType name='EncryptedType' abstract='true'> + <sequence> + <element name='EncryptionMethod' type='xenc:EncryptionMethodType' + minOccurs='0'/> + <element ref='ds:KeyInfo' minOccurs='0'/> + <element ref='xenc:CipherData'/> + <element ref='xenc:EncryptionProperties' minOccurs='0'/> + </sequence> + <attribute name='Id' type='ID' use='optional'/> + <attribute name='Type' type='anyURI' use='optional'/> + <attribute name='MimeType' type='string' use='optional'/> + <attribute name='Encoding' type='anyURI' use='optional'/> + </complexType> + + <complexType name='EncryptionMethodType' mixed='true'> + <sequence> + <element name='KeySize' minOccurs='0' type='xenc:KeySizeType'/> + <element name='OAEPparams' minOccurs='0' type='base64Binary'/> + <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/> + </sequence> + <attribute name='Algorithm' type='anyURI' use='required'/> + </complexType> + + <simpleType name='KeySizeType'> + <restriction base="integer"/> + </simpleType> + + <element name='CipherData' type='xenc:CipherDataType'/> + <complexType name='CipherDataType'> + <choice> + <element name='CipherValue' type='base64Binary'/> + <element ref='xenc:CipherReference'/> + </choice> + </complexType> + + <element 
name='CipherReference' type='xenc:CipherReferenceType'/> + <complexType name='CipherReferenceType'> + <choice> + <element name='Transforms' type='xenc:TransformsType' minOccurs='0'/> + </choice> + <attribute name='URI' type='anyURI' use='required'/> + </complexType> + + <complexType name='TransformsType'> + <sequence> + <element ref='ds:Transform' maxOccurs='unbounded'/> + </sequence> + </complexType> + + + <element name='EncryptedData' type='xenc:EncryptedDataType'/> + <complexType name='EncryptedDataType'> + <complexContent> + <extension base='xenc:EncryptedType'> + </extension> + </complexContent> + </complexType> + + <!-- Children of ds:KeyInfo --> + + <element name='EncryptedKey' type='xenc:EncryptedKeyType'/> + <complexType name='EncryptedKeyType'> + <complexContent> + <extension base='xenc:EncryptedType'> + <sequence> + <element ref='xenc:ReferenceList' minOccurs='0'/> + <element name='CarriedKeyName' type='string' minOccurs='0'/> + </sequence> + <attribute name='Recipient' type='string' + use='optional'/> + </extension> + </complexContent> + </complexType> + + <element name="AgreementMethod" type="xenc:AgreementMethodType"/> + <complexType name="AgreementMethodType" mixed="true"> + <sequence> + <element name="KA-Nonce" minOccurs="0" type="base64Binary"/> + <!-- <element ref="ds:DigestMethod" minOccurs="0"/> --> + <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/> + <element name="OriginatorKeyInfo" minOccurs="0" type="ds:KeyInfoType"/> + <element name="RecipientKeyInfo" minOccurs="0" type="ds:KeyInfoType"/> + </sequence> + <attribute name="Algorithm" type="anyURI" use="required"/> + </complexType> + + <!-- End Children of ds:KeyInfo --> + + <element name='ReferenceList'> + <complexType> + <choice minOccurs='1' maxOccurs='unbounded'> + <element name='DataReference' type='xenc:ReferenceType'/> + <element name='KeyReference' type='xenc:ReferenceType'/> + </choice> + </complexType> + </element> + + <complexType name='ReferenceType'> + <sequence> + 
<any namespace='##other' minOccurs='0' maxOccurs='unbounded'/> + </sequence> + <attribute name='URI' type='anyURI' use='required'/> + </complexType> + + + <element name='EncryptionProperties' type='xenc:EncryptionPropertiesType'/> + <complexType name='EncryptionPropertiesType'> + <sequence> + <element ref='xenc:EncryptionProperty' maxOccurs='unbounded'/> + </sequence> + <attribute name='Id' type='ID' use='optional'/> + </complexType> + + <element name='EncryptionProperty' type='xenc:EncryptionPropertyType'/> + <complexType name='EncryptionPropertyType' mixed='true'> + <choice maxOccurs='unbounded'> + <any namespace='##other' processContents='lax'/> + </choice> + <attribute name='Target' type='anyURI' use='optional'/> + <attribute name='Id' type='ID' use='optional'/> + <anyAttribute namespace="http://www.w3.org/XML/1998/namespace"/> + </complexType> + +</schema> + diff --git a/schema/xml.xsd b/schema/xml.xsd new file mode 100644 index 0000000..aea7d0d --- /dev/null +++ b/schema/xml.xsd 
@@ -0,0 +1,287 @@ +<?xml version='1.0'?> +<?xml-stylesheet href="../2008/09/xsd.xsl" type="text/xsl"?> +<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace" + xmlns:xs="http://www.w3.org/2001/XMLSchema" + xmlns ="http://www.w3.org/1999/xhtml" + xml:lang="en"> + + <xs:annotation> + <xs:documentation> + <div> + <h1>About the XML namespace</h1> + + <div class="bodytext"> + <p> + This schema document describes the XML namespace, in a form + suitable for import by other schema documents. + </p> + <p> + See <a href="http://www.w3.org/XML/1998/namespace.html"> + http://www.w3.org/XML/1998/namespace.html</a> and + <a href="http://www.w3.org/TR/REC-xml"> + http://www.w3.org/TR/REC-xml</a> for information + about this namespace. + </p> + <p> + Note that local names in this namespace are intended to be + defined only by the World Wide Web Consortium or its subgroups. + The names currently defined in this namespace are listed below. + They should not be used with conflicting semantics by any Working + Group, specification, or document instance. + </p> + <p> + See further below in this document for more information about <a + href="#usage">how to refer to this schema document from your own + XSD schema documents</a> and about <a href="#nsversioning">the + namespace-versioning policy governing this schema document</a>. + </p> + </div> + </div> + </xs:documentation> + </xs:annotation> + + <xs:attribute name="lang"> + <xs:annotation> + <xs:documentation> + <div> + + <h3>lang (as an attribute name)</h3> + <p> + denotes an attribute whose value + is a language code for the natural language of the content of + any element; its value is inherited. This name is reserved + by virtue of its definition in the XML specification.</p> + + </div> + <div> + <h4>Notes</h4> + <p> + Attempting to install the relevant ISO 2- and 3-letter + codes as the enumerated possible values is probably never + going to be a realistic possibility. 
+ </p> + <p> + See BCP 47 at <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt"> + http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a> + and the IANA language subtag registry at + <a href="http://www.iana.org/assignments/language-subtag-registry"> + http://www.iana.org/assignments/language-subtag-registry</a> + for further information. + </p> + <p> + The union allows for the 'un-declaration' of xml:lang with + the empty string. + </p> + </div> + </xs:documentation> + </xs:annotation> + <xs:simpleType> + <xs:union memberTypes="xs:language"> + <xs:simpleType> + <xs:restriction base="xs:string"> + <xs:enumeration value=""/> + </xs:restriction> + </xs:simpleType> + </xs:union> + </xs:simpleType> + </xs:attribute> + + <xs:attribute name="space"> + <xs:annotation> + <xs:documentation> + <div> + + <h3>space (as an attribute name)</h3> + <p> + denotes an attribute whose + value is a keyword indicating what whitespace processing + discipline is intended for the content of the element; its + value is inherited. This name is reserved by virtue of its + definition in the XML specification.</p> + + </div> + </xs:documentation> + </xs:annotation> + <xs:simpleType> + <xs:restriction base="xs:NCName"> + <xs:enumeration value="default"/> + <xs:enumeration value="preserve"/> + </xs:restriction> + </xs:simpleType> + </xs:attribute> + + <xs:attribute name="base" type="xs:anyURI"> <xs:annotation> + <xs:documentation> + <div> + + <h3>base (as an attribute name)</h3> + <p> + denotes an attribute whose value + provides a URI to be used as the base for interpreting any + relative URIs in the scope of the element on which it + appears; its value is inherited. This name is reserved + by virtue of its definition in the XML Base specification.</p> + + <p> + See <a + href="http://www.w3.org/TR/xmlbase/">http://www.w3.org/TR/xmlbase/</a> + for information about this attribute. 
+ </p> + </div> + </xs:documentation> + </xs:annotation> + </xs:attribute> + + <xs:attribute name="id" type="xs:ID"> + <xs:annotation> + <xs:documentation> + <div> + + <h3>id (as an attribute name)</h3> + <p> + denotes an attribute whose value + should be interpreted as if declared to be of type ID. + This name is reserved by virtue of its definition in the + xml:id specification.</p> + + <p> + See <a + href="http://www.w3.org/TR/xml-id/">http://www.w3.org/TR/xml-id/</a> + for information about this attribute. + </p> + </div> + </xs:documentation> + </xs:annotation> + </xs:attribute> + + <xs:attributeGroup name="specialAttrs"> + <xs:attribute ref="xml:base"/> + <xs:attribute ref="xml:lang"/> + <xs:attribute ref="xml:space"/> + <xs:attribute ref="xml:id"/> + </xs:attributeGroup> + + <xs:annotation> + <xs:documentation> + <div> + + <h3>Father (in any context at all)</h3> + + <div class="bodytext"> + <p> + denotes Jon Bosak, the chair of + the original XML Working Group. This name is reserved by + the following decision of the W3C XML Plenary and + XML Coordination groups: + </p> + <blockquote> + <p> + In appreciation for his vision, leadership and + dedication the W3C XML Plenary on this 10th day of + February, 2000, reserves for Jon Bosak in perpetuity + the XML name "xml:Father". + </p> + </blockquote> + </div> + </div> + </xs:documentation> + </xs:annotation> + + <xs:annotation> + <xs:documentation> + <div xml:id="usage" id="usage"> + <h2><a name="usage">About this schema document</a></h2> + + <div class="bodytext"> + <p> + This schema defines attributes and an attribute group suitable + for use by schemas wishing to allow <code>xml:base</code>, + <code>xml:lang</code>, <code>xml:space</code> or + <code>xml:id</code> attributes on elements they define. + </p> + <p> + To enable this, such a schema must import this schema for + the XML namespace, e.g. as follows: + </p> + <pre> + <schema . . .> + . . . 
+ <import namespace="http://www.w3.org/XML/1998/namespace" + schemaLocation="http://www.w3.org/2001/xml.xsd"/> + </pre> + <p> + or + </p> + <pre> + <import namespace="http://www.w3.org/XML/1998/namespace" + schemaLocation="http://www.w3.org/2009/01/xml.xsd"/> + </pre> + <p> + Subsequently, qualified reference to any of the attributes or the + group defined below will have the desired effect, e.g. + </p> + <pre> + <type . . .> + . . . + <attributeGroup ref="xml:specialAttrs"/> + </pre> + <p> + will define a type which will schema-validate an instance element + with any of those attributes. + </p> + </div> + </div> + </xs:documentation> + </xs:annotation> + + <xs:annotation> + <xs:documentation> + <div id="nsversioning" xml:id="nsversioning"> + <h2><a name="nsversioning">Versioning policy for this schema document</a></h2> + <div class="bodytext"> + <p> + In keeping with the XML Schema WG's standard versioning + policy, this schema document will persist at + <a href="http://www.w3.org/2009/01/xml.xsd"> + http://www.w3.org/2009/01/xml.xsd</a>. + </p> + <p> + At the date of issue it can also be found at + <a href="http://www.w3.org/2001/xml.xsd"> + http://www.w3.org/2001/xml.xsd</a>. + </p> + <p> + The schema document at that URI may however change in the future, + in order to remain compatible with the latest version of XML + Schema itself, or with the XML namespace itself. In other words, + if the XML Schema or XML namespaces change, the version of this + document at <a href="http://www.w3.org/2001/xml.xsd"> + http://www.w3.org/2001/xml.xsd + </a> + will change accordingly; the version at + <a href="http://www.w3.org/2009/01/xml.xsd"> + http://www.w3.org/2009/01/xml.xsd + </a> + will not change. 
+ </p>
+ <p>
+ Previous dated (and unchanging) versions of this schema
+ document are at:
+ </p>
+ <ul>
+ <li><a href="http://www.w3.org/2009/01/xml.xsd">
+ http://www.w3.org/2009/01/xml.xsd</a></li>
+ <li><a href="http://www.w3.org/2007/08/xml.xsd">
+ http://www.w3.org/2007/08/xml.xsd</a></li>
+ <li><a href="http://www.w3.org/2004/10/xml.xsd">
+ http://www.w3.org/2004/10/xml.xsd</a></li>
+ <li><a href="http://www.w3.org/2001/03/xml.xsd">
+ http://www.w3.org/2001/03/xml.xsd</a></li>
+ </ul>
+ </div>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+
+</xs:schema>
+
diff --git a/scripts/bump-tag b/scripts/bump-tag
new file mode 100755
index 0000000..7cb8507
--- /dev/null
+++ b/scripts/bump-tag
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -e
+
+git pull
+
+tagpfx=${tag:="md"}
+
+last_tag=`git tag -l "${tagpfx}-*"|sort|tail -1`
+
+echo "Verifying last tag $last_tag:"
+(git tag -v $last_tag | grep ^gpg:) || true
+# again to not mask exit status of git with grep
+git tag -v $last_tag > /dev/null 2>&1
+echo ""
+
+echo "Differences between tag $last_tag and what you are about to sign:"
+PAGER=cat git diff $last_tag..master
+
+iter=1
+ok=
+while test -z "$ok"; do
+ this_tag=$(date +${tagpfx}-%Y-%m-%d-v`printf "%02d" $iter`)
+ iter=`expr $iter + 1`
+ case `(echo $this_tag; echo $last_tag) | sort | tail -1` in
+ $last_tag)
+ ;;
+ $this_tag)
+ ok=yes
+ ;;
+ esac
+done
+
+echo ""
+echo "Using new tag $this_tag"
+echo ONLY SIGN IF YOU APPROVE OF VERIFICATION AND DIFF ABOVE
+
+# GITTAGEXTRA is for putting things like "-u 2117364A"
+
+git tag $GITTAGEXTRA -m bump. -s $this_tag
+
+git push
+git push --tags
diff --git a/scripts/do-update.sh b/scripts/do-update.sh
new file mode 100755
index 0000000..078ae15
--- /dev/null
+++ b/scripts/do-update.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+cd /var/cache/entity-configurations_git.swamid.se && make update
diff --git a/scripts/verify-tag b/scripts/verify-tag
new file mode 100755
index 0000000..ddc3ff3
--- /dev/null
+++ b/scripts/verify-tag
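Review bot: The second `git tag -v $last_tag > /dev/null 2>&1` in bump-tag is the line whose failure actually aborts the script under `set -e`, but it discards stderr too, so a bad or missing signature (or an empty `last_tag` when no `${tagpfx}-*` tag exists yet) ends the run with no diagnostic at all; keep gpg's stderr visible and make the guard explicit, `git tag -v "$last_tag" >/dev/null || { echo "signature check of '$last_tag' FAILED" >&2; exit 1; }`. `last_tag` and `this_tag` are used unquoted throughout, and an empty `last_tag` should be rejected right after its assignment rather than reaching `git diff $last_tag..master`. Since `git tag -v` succeeds for a valid signature from any key in the local keyring, the person reading the printed `gpg:` lines is the real control, which is worth stating in a comment above the verification, e.g. `# Passes for any key in the keyring; check the signer shown above before signing.`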
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+export GNUPGHOME=/etc/metadata/gnupg
+mkdir -p $GNUPGHOME
+export GPG=gpg
+
+git config --global gpg.program gpg
+
+tag=$(git tag -l "md-[0-9]*" | sort | tail -1)
+if [ -z "$tag" ]; then
+ echo "no matching tag found"
+ exit 1
+fi
+git checkout $tag && git tag -v $tag
|
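Review bot: The last line of verify-tag checks out the tag before verifying its signature, so when `git tag -v` fails the working tree is already at the unverified tag's content and the non-zero exit is the only thing stopping a consumer from using it; verify first, `git tag -v "$tag" && git checkout "$tag"`, and quote `$tag` and `$GNUPGHOME` on the `mkdir` line as well. `git tag -v` also accepts a signature from any key present in `$GNUPGHOME`, so if only specific signers are acceptable the keyring must contain exactly those keys, or `gpg.minTrustLevel` should be set so untrusted keys are rejected. `git config --global gpg.program gpg` writes to the invoking user's global git config as a side effect of running a verification script; `--local` or an environment variable would keep that contained. `export GPG=gpg` appears unused within this file, though it may be read by something outside the hunk.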