authorBjörn Mattsson <bjorn@sunet.se>2023-10-19 16:05:58 +0200
committerBjörn Mattsson <bjorn@sunet.se>2023-10-19 16:05:58 +0200
commitaf3487b9c4a9b630d88b55c2bcc4bedf257cab4a (patch)
tree2b6988b2c2cb434e8a14cad14430c0537a2d0c8f /schema/shibboleth-attribute-resolver.xsd
Added files from Wiki + base files for repo
Diffstat (limited to 'schema/shibboleth-attribute-resolver.xsd')
-rw-r--r--schema/shibboleth-attribute-resolver.xsd2274
1 files changed, 2274 insertions, 0 deletions
diff --git a/schema/shibboleth-attribute-resolver.xsd b/schema/shibboleth-attribute-resolver.xsd
new file mode 100644
index 0000000..cca79e7
--- /dev/null
+++ b/schema/shibboleth-attribute-resolver.xsd
@@ -0,0 +1,2274 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema xmlns="http://www.w3.org/2001/XMLSchema" xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
+ xmlns:sec="urn:mace:shibboleth:2.0:security" targetNamespace="urn:mace:shibboleth:2.0:resolver"
+ elementFormDefault="qualified" version="5.0.0">
+
+ <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
+ <import namespace="urn:mace:shibboleth:2.0:security" schemaLocation="http://shibboleth.net/schema/idp/shibboleth-security.xsd"/>
+
+ <annotation>
+ <documentation>Shibboleth V4 Attribute Resolver configuration schema
+ </documentation>
+ </annotation>
+
+ <element name="AttributeResolver" type="resolver:AttributeResolverType">
+ <annotation>
+ <documentation>Root of the attribute resolver configuration file.
+ </documentation>
+ </annotation>
+ </element>
+ <complexType name="AttributeResolverType">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="resolver:AttributeDefinition"/>
+ <element ref="resolver:DataConnector"/>
+ </choice>
+ <attribute name="id" type="resolver:string">
+ <annotation>
+ <documentation>A unique identifier for this Resolver.
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <element name="AttributeDefinition" type="resolver:BaseAttributeDefinitionType">
+ <annotation>
+ <documentation>Defines an attribute definition within this resolver.
+ </documentation>
+ </annotation>
+ </element>
+
+ <complexType name="BaseAttributeDefinitionType">
+ <annotation>
+ <documentation>
+ Attribute definition define the finished attributes to be released by the
+ resolver.
+
+ Definitions derived from this type need to explicitly include (as a choice)
+ the Dependency, DisplayName, DisplayDescription and Encoder sub elements
+
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseResolutionPlugInType">
+ <attribute name="dependencyOnly" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag that indicates whether this attribute definition is
+ only defined because its data is needed elsewhere within the resolver
+ and as such should not be released outside the resolver.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="preRequested" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag that indicates whether this attribute definition and
+ its dependencies are to be resolved in a "first pass", prior to the
+ main resolution. These attributes will be populated into a child
+ context so as to be available to activationConditions.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <element name="AttributeEncoder" type="resolver:BaseAttributeEncoderType">
+ <annotation>
+ <documentation>Defines an encoder for an attribute.</documentation>
+ </annotation>
+ </element>
+
+ <complexType name="BaseAttributeEncoderType">
+ <annotation>
+ <documentation>
+ An attribute encoder is responsible for converting an attribute, and its values,
+ into a protocol specific representation such as a SAML 1 or SAML 2 Attribute.
+ The use of them to produce a SAML NameIdentifier/NameID is DEPRECATED.
+ </documentation>
+ </annotation>
+ <sequence>
+ <element name="ActivationConditionScript" type="resolver:ScriptType" minOccurs="0">
+ <annotation>
+ <documentation>
+ A scripted predicate which controls whether this encoder will run
+ </documentation>
+ </annotation>
+ </element>
+ </sequence>
+ <attribute name="name" type="resolver:string"/>
+ <attribute name="encodeType" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean indicating whether the encoding should include type information. This is
+ encoding-specific (e.g., for XML it likely involves xsi:type).
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="activationConditionRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ A reference to a Predicate which controls whether this encoder will run
+ Mutually exclusive with relyingParties
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="relyingParties" type="resolver:string">
+ <annotation>
+ <documentation>
+ A (space separated) list of entities for which this plugin is to be active
+ Mutually exclusive with activationConditionRef
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <element name="DataConnector" type="resolver:BaseDataConnectorType">
+ <annotation>
+ <documentation>
+ Defines a data connector which is used to pull information from local
+ infrastructure.
+ </documentation>
+ </annotation>
+ </element>
+
+ <complexType name="BaseDataConnectorType">
+ <annotation>
+ <documentation>
+ Data connectors pull information from local infrastructure, such as
+ databases and LDAP directories, and make these raw attributes available
+ to attribute definitions for finishing.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseResolutionPlugInType">
+ <attribute name="noRetryDelay" type="resolver:string">
+ <annotation>
+ <documentation>Time to bypass connector after a failure before trying it again.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="exportAttributes" type="resolver:string">
+ <annotation>
+ <documentation>A list of attribute names to be exported by the resolution process from this data connector.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="BaseResolutionPlugInType" abstract="true">
+ <annotation>
+ <documentation>
+ A base type for all attribute resolver plugins: data and principal
+ connectors and attribute definitions
+ </documentation>
+ </annotation>
+ <attribute name="id" type="resolver:string" use="required">
+ <annotation>
+ <documentation>A unique identifier for this definition.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="activationConditionRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ A reference to a predicate to decide whether this plugin is applicable.
+ Mutually exclusive with [exclude]relyingParties and [exclude]resolutionPhases.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="relyingParties" type="resolver:string">
+ <annotation>
+ <documentation>
+ A (space separated) list of entities for which this plugin is to be active.
+ Mutually exclusive with activationConditionRef.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="excludeRelyingParties" type="resolver:string">
+ <annotation>
+ <documentation>
+ A (space separated) list of entities for which this plugin is to be inactive.
+ Mutually exclusive with activationConditionRef.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="resolutionPhases" type="resolver:string">
+ <annotation>
+ <documentation>
+ A (space separated) list of resolution "phases" for which this plugin is to be active.
+ Mutually exclusive with activationConditionRef.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="excludeResolutionPhases" type="resolver:string">
+ <annotation>
+ <documentation>
+ A (space separated) list of resolution "phases" for which this plugin is to be inactive.
+ Mutually exclusive with activationConditionRef.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="propagateResolutionExceptions" type="resolver:string">
+ <annotation>
+ <documentation>
+ DEPRECATED: Whether to ripple errors produced by the plugin out to the resolver (default is true).
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <element name="InputAttributeDefinition" type="resolver:PluginDependencyType">
+ <annotation>
+ <documentation>
+ Defines a dependency on a specific Attribute Definition.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="InputDataConnector">
+ <annotation>
+ <documentation>
+ Defines a dependency on a specific Data Connector.
+
+ attributeNames is a space separated list of attribute names. Property replacement done
+ before "listification""
+
+ allAttributes means take all attributes. Property replacement done before conversion
+
+ One one of the above are allowed.
+ </documentation>
+ </annotation>
+ <complexType>
+ <complexContent>
+ <extension base="resolver:PluginDependencyType">
+ <attribute name="allAttributes" type="resolver:string"/>
+ <attribute name="attributeNames" type="resolver:string"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ </element>
+ <element name="FailoverDataConnector" type="resolver:PluginDependencyType">
+ <annotation>
+ <documentation>
+ Defines a data connector to use should the parent data connector fail.
+ </documentation>
+ </annotation>
+ </element>
+ <complexType name="PluginDependencyType">
+ <annotation>
+ <documentation>An (abstract) type that represents a reference to another plugin</documentation>
+ </annotation>
+ <attribute name="ref" type="resolver:string" use="required"/>
+ </complexType>
+
+ <complexType name="LocalizedStringType">
+ <simpleContent>
+ <extension base="string">
+ <attribute ref="xml:lang"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+ <complexType name="ValueMapType">
+ <annotation>
+ <documentation>
+ Performs many to one mapping of source values to a return value. SourceValue strings may include regular
+ expressions and the ReturnValue may include back references to capturing groups as supported by
+ java.util.regex.Pattern.
+ </documentation>
+ </annotation>
+ <sequence>
+ <element name="ReturnValue" type="string">
+ <annotation>
+ <documentation>The value to be returned from this value map.</documentation>
+ </annotation>
+ </element>
+ <element name="SourceValue" maxOccurs="unbounded">
+ <annotation>
+ <documentation>A regular expression string to be matched against the incoming value.</documentation>
+ </annotation>
+ <complexType>
+ <simpleContent>
+ <extension base="string">
+ <attribute name="caseSensitive" type="resolver:string">
+ <annotation>
+ <documentation>If true, value matching will be case-sensitive.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="partialMatch" type="resolver:string">
+ <annotation>
+ <documentation>
+ If true, the SourceValue may match only a substring of the incoming value. By
+ default, it must match the entire value.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ </sequence>
+ </complexType>
+
+ <complexType name="ContextDerivedAttribute">
+ <annotation>
+ <documentation>A attribute definition to pull attribute values from anywhere in the PRC tree</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="attributeValuesFunctionRef" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The Function to generate the Attribute Values given a PRC</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Mapped">
+ <annotation>
+ <documentation>
+ The mapped attribute definition performs a many to many mapping from source attributes values provided
+ by the definition's dependencies to values which are returned. Each source value is passed through each
+ defined ValueMap which may result in one or more resulting values. If no ValueMaps match the source
+ value and a DefaultValue is defined, the DefaultValue is used.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ <element name="DefaultValue">
+ <annotation>
+ <documentation>
+ A source value is mapped to the DefaultValue if none of the ValueMaps result in a match.
+ This string may not contain regular expression back references.
+ </documentation>
+ </annotation>
+ <complexType>
+ <simpleContent>
+ <extension base="string">
+ <attribute name="passThru" type="resolver:string">
+ <annotation>
+ <documentation>
+ If true, the source value is passed thru unmodified. If passThru is
+ enabled, DefaultValue may not contain a string value.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <element name="ValueMap" type="resolver:ValueMapType" maxOccurs="unbounded"/>
+ </choice>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Prescoped">
+ <annotation>
+ <documentation>
+ An attribute definition that splits the values of the source attribute into an attribute value
+ with a value and scope.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="scopeDelimiter" type="resolver:string">
+ <annotation>
+ <documentation>Delimiter between the value and scope.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="PrincipalName">
+ <annotation>
+ <documentation>Exposes the principal's name as an attribute definition.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="RegexSplit">
+ <annotation>
+ <documentation>An attribute definition that splits the source attribute's values based on a regular expression.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="regex" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The regular expression used to split a value.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="caseSensitive" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating the case sensitivity of the regular expression.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML1NameIdentifier">
+ <annotation>
+ <documentation>DEPRECATED: An attribute definition that creates attributes whose values are SAML 1 NameIdentifiers.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="nameIdFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 1 NameFormat of the NameID.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="nameIdQualifier" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 1 NameQualifier of the NameID.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML2NameID">
+ <annotation>
+ <documentation>DEPRECATED: An attribute definition that creates attributes whose values are SAML 2 NameIDs.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="nameIdFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameFormat of the NameID.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="nameIdQualifier" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameQualifier of the NameID.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="nameIdSPQualifier" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 SPNameQualifier of the NameID.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Scoped">
+ <annotation>
+ <documentation>A basic attribute definition which supports attribute scoping.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="scope" type="resolver:string">
+ <annotation>
+ <documentation>Value to use for scoping the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="scopeFromDependency" type="resolver:string">
+ <annotation>
+ <documentation>Attribute whose values will be used for scoping the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ScriptedAttribute">
+ <annotation>
+ <documentation>
+ An attribute definition that constructs its attributes by means of a script supported by JSR-223. The
+ script is provided all the edu.internet2.middleware.shibboleth.common.attribute.Attribute object
+ resolved from all the definitions dependencies. The resultant attribute definition must then be bound to
+ a script attribute corresponding to the script variable whose name is the ID of the definition. This
+ variable is injected into the script by the attribute definition.
+
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ <element name="Script" type="resolver:string">
+ <annotation>
+ <documentation>The script to evaluate to construct the attribute.</documentation>
+ </annotation>
+ </element>
+ <element name="ScriptFile" type="resolver:string">
+ <annotation>
+ <documentation>
+ The filesystem path to the script to evaluate to construct the attribute.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="language" type="resolver:string">
+ <annotation>
+ <documentation>
+ The JSR-233 name for the scripting language that will be used. By default "javascript" is
+ supported.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="customObjectRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of a bean defined somewhere else which will be injected into the script as an
+ object called "custom". If not supplied, nothing is injected.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Simple">
+ <annotation>
+ <documentation>A basic attribute definition.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="ignoreNullValues" type="resolver:string">
+ <annotation>
+ <documentation>Do we drop null values (default: FALSE)</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="DateTime">
+ <annotation>
+ <documentation>An attribute definition producing date/time values.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="ignoreConversionErrors" type="resolver:string">
+ <annotation>
+ <documentation>Are conversion errors ignored? (default: FALSE)</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="epochInSeconds" type="resolver:string">
+ <annotation>
+ <documentation>
+ Use seconds as epoch unit instead of millseconds when converting numeric data (default: TRUE)
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="formattingString" type="resolver:string">
+ <annotation>
+ <documentation>A formatting string to use converting string data.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Decrypted">
+ <annotation>
+ <documentation>An attribute definition involving an encrypted (DataSealed) attribute</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="dataSealerRef" type="resolver:string">
+ <annotation>
+ <documentation>Value to use for the decryption key</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SubjectDerivedAttribute">
+ <annotation>
+ <documentation>A attribute definition to pull attribute values from the Principals. A short cut looks at IdPAttributePrincipals</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="attributeValuesFunctionRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Provides a plug in point to allow general extraction of values from Principals.
+ Mutually exclusive with principalAttributeName.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="principalAttributeName" type="resolver:string">
+ <annotation>
+ <documentation>
+ The id of the IdPAttribute contained within a IdPAttributePrincipal to look for.
+ Mutually exclusive with attributeValueEngineRef.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="forCanonicalization" type="resolver:string">
+ <annotation>
+ <documentation>
+ If true, the source Subject is assumed to be undergoing C14N rather than the
+ usual post-authentication source. Defaults to false.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Template">
+ <annotation>
+ <documentation>
+ An Attribute Definition that constructs its values based on the values of its dependencies using the
+ Velocity Template Language. Dependencies may have multiple values, however multiple dependencies must
+ have the same number of values. In the case of multi-valued dependencies, the template will be evaluated
+ multiples times, iterating over each dependency.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ <element name="Template" type="resolver:string">
+ <annotation>
+ <documentation>
+ Template specified in the Velocity Template Language used to construct attribute values.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="velocityEngine" type="resolver:string">
+ <annotation>
+ <documentation>Name of the velocity engine defined within the application.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ComputedId">
+ <annotation>
+ <documentation>
+ An ID created by digesting the requesting entityID, an attribute value (usually a user identifier), and a salt.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ </choice>
+ <attribute name="generatedAttributeID" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of the attribute produced by this data connector.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="salt" type="resolver:string">
+ <annotation>
+ <documentation>
+ A salt, of at least 16 bytes, used in the computed ID.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="encodedSalt" type="resolver:string">
+ <annotation>
+ <documentation>
+ A base64-encoded salt, of at least 16 bytes, used in the computed ID.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="algorithm" type="resolver:string">
+ <annotation>
+ <documentation>
+ The JCE digest algorithm to use, defaults to SHA-1.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="encoding" type="resolver:string">
+ <annotation>
+ <documentation>
+ An encoding type to apply after the digest, defaults to BASE64 but should
+ be set to BASE32.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="exceptionMapRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Spring bean reference to a map of overrides that alter salt or suppress generation
+ for particular users/services.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="saltLookupStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Spring bean reference to a BiFunction&lt;ProfileRequestContext,PairwiseId&gt;
+ to obtain the salt.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="LDAPDirectory">
+ <annotation>
+ <documentation>
+ A data connector that can pull information from an LDAP, version 3, directory.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element name="FilterTemplate" type="resolver:string">
+ <annotation>
+ <documentation>
+ A template used to construct the LDAP filter used to query the directory.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="ReturnAttributes" type="resolver:string" minOccurs="0">
+ <annotation>
+ <documentation>
+ A space separated list of attributes that should be returned from the query.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="BinaryAttributes" type="resolver:string" minOccurs="0">
+ <annotation>
+ <documentation>
+ A space separated list of attributes whose values should be encoded.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="StartTLSTrustCredential" type="sec:X509Credential">
+ <annotation>
+ <documentation>
+ The X.509 trust information to use when connecting to the directory over LDAPS or startTLS.
+ DEPRECATED in 3.4 Use trustFile=
+ </documentation>
+ </annotation>
+ </element>
+ <element name="StartTLSAuthenticationCredential" type="sec:X509Credential">
+ <annotation>
+ <documentation>
+ The X.509 client authentication information to use when connecting to the directory over LDAPS or startTLS.
+ DEPRECATED in 3.4 Use authCert= and authKey
+ </documentation>
+ </annotation>
+ </element>
+ <element name="ConnectionPool" type="resolver:LdapPoolConfigType"/>
+ <element name="SASLConfig" type="resolver:SaslConfigType"/>
+ <element name="Column" type="resolver:ColumnType"/>
+ <element name="ResultCache" type="resolver:CacheConfigType"/>
+ <element name="ResultCacheBean" type="string"/>
+ </choice>
+ <attribute name="ldapURL" type="resolver:string">
+ <annotation>
+ <documentation>
+ The URL to the LDAP server.
+ If the search scope is set to ONELEVEL only the entries
+ within this node will be searched, if SUBTREE is specified entries within this node and descendant
+ nodes will be searched.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="connectionStrategy" type="resolver:string">
+ <annotation>
+ <documentation>
+ The LDAP connection strategy. Acceptable values are ACTIVE_PASSIVE, ROUND_ROBIN and RANDOM.
+ Default value is ACTIVE_PASSIVE.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="baseDN" type="resolver:string">
+ <annotation>
+ <documentation>
+ The base DN from which attribute search filtering occurs
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="principal" type="resolver:string">
+ <annotation>
+ <documentation>The DN for the principal connecting to the LDAP directory.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="principalCredential" type="string">
+ <annotation>
+ <documentation>
+ The credential for the principal connecting to the LDAP directory.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="searchScope" type="resolver:string">
+ <annotation>
+ <documentation>
+ The LDAP search scope. Acceptable values are OBJECT, ONELEVEL, SUBTREE.
+ Default value is SUBTREE.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="derefAliases" type="resolver:string">
+ <annotation>
+ <documentation>
+ The LDAP alias dereference behavior. Acceptable values are NEVER, SEARCHING, FINDING, ALWAYS.
+ Default value is NEVER.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="followReferrals" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether search referrals and search references should be followed.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="useStartTLS" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether startTLS should be used when connecting to the LDAP.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="startTLSTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for startTLS responses. If this limit is
+ reached a timeout error is raised. Default value is 3 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="searchTimeLimit" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for search results. If this limit is
+ reached a timeout error is raised. Default value is 3 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="connectTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for connections to open. If this limit is
+ reached a timeout error is raised. Default value is 3 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="responseTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for operation responses. If this limit is
+ reached a timeout error is raised. Default value is 3 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="autoReconnect" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether unexpectedly closed connections should automatically attempt to reconnect.
+ Default value is true.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="reconnectTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for a reconnect to occur. If this limit is
+ reached a timeout error is raised. Default value is 10 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="maxResultSize" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum number of results that may be returned from a query.
+ Default value is 1.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="noResultIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a query returning no results should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="multipleResultsIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a query returning more than one result should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="lowercaseAttributeNames" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to lowercase LDAP attribute names used as IDs for shibboleth attributes
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="templateEngine" type="resolver:string">
+ <annotation>
+ <documentation>Name of the template engine defined within the application.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="executableSearchBuilderRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="mappingStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the MappingStrategy implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="connectionFactoryRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Connection Factory implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="searchOperationRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Search Operation implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validatorRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Validator implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="trustFile" type="resolver:string">
+ <annotation>
+ <documentation>
+ Path to a file with the X.509 trust information to use when connecting to the directory over LDAPS or startTLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="disableHostnameVerification" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to disable hostname/certificate checking during TLS. Defaults to false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authCert" type="resolver:string">
+ <annotation>
+ <documentation>
+ Path to a file with the X.509 trust client authentication certificate to use when connecting to the directory over LDAPS or startTLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authKey" type="resolver:string">
+ <annotation>
+ <documentation>
+ Path to a file with the X.509 trust client authentication key to use when connecting to the directory over LDAPS or startTLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authKeyPassword" type="string">
+ <annotation>
+ <documentation>
+ Password for the supplied authKey
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="failFastInitialize" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to fail if the LDAP server cannot be verified at startup (defaults to false).
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="PairwiseId">
+ <annotation>
+ <documentation>
+ A connector for pairwise ID production that directly leverages a PairwiseIdStore bean.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ </choice>
+ <attribute name="pairwiseIdStoreRef" type="resolver:string" use="required">
+ <annotation>
+ <documentation>
+ Bean name of the PairwiseIdStore to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="generatedAttributeID" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of the attribute produced by this data connector.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="RelationalDatabase">
+ <annotation>
+ <documentation>
+ A data connector definition that uses JDBC version 3 to connect to and pull information from a
+ relational database.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element ref="resolver:ContainerManagedConnection">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database managed by the application
+ container.
+ </documentation>
+ </annotation>
+ </element>
+ <element ref="resolver:SimpleManagedConnection">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database managed by the data connector.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="BeanManagedConnection" type="string">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database configured in a Spring bean.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="QueryTemplate" type="resolver:string" minOccurs="0">
+ <annotation>
+ <documentation>
+ A template that will be used to create the SQL query thats pulls information from the
+ database.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="Column" type="resolver:ColumnType"/>
+ <element name="ResultCache" type="resolver:CacheConfigType"/>
+ <element name="ResultCacheBean" type="resolver:string"/>
+ </choice>
+ <attribute name="queryTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ Timeout for the queries made to the database.
+ Timeout is given in ISO8601 duration form.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="noResultIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a query returning no results should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="multipleResultsIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a query returning more than one result should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="templateEngine" type="resolver:string">
+ <annotation>
+ <documentation>
+ Name of the template engine defined within the application.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="executableSearchBuilderRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="mappingStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the MappingStrategy implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validatorRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Validator implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="failFastInitialize" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to fail if the DataConnector cannot be verified at startup (defaults to false).
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="HTTP">
+ <annotation>
+ <documentation>
+ A data connector definition that issues requests and parses responses using HTTP, typically
+ via a form of web service. REST and scripted handling of responses, typically in JSON,
+ is the primary use case.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element name="URLTemplate">
+ <annotation>
+ <documentation>
+ A template that will be used to create the absolute URL to request.
+ </documentation>
+ </annotation>
+ <complexType>
+ <simpleContent>
+ <extension base="string">
+ <attribute name="customObjectRef" type="resolver:string" />
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <element name="BodyTemplate">
+ <annotation>
+ <documentation>
+ A template that will be used to create a body to POST.
+ </documentation>
+ </annotation>
+ <complexType>
+ <simpleContent>
+ <extension base="string">
+ <attribute name="MIMEType" type="resolver:string" />
+ <attribute name="charset" type="resolver:string" />
+ <attribute name="customObjectRef" type="resolver:string" />
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <element name="CacheKeyTemplate" type="resolver:string">
+ <annotation>
+ <documentation>
+ A template that will be used to create a key to the caching of the results.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="ResponseMapping" type="resolver:ScriptType">
+ <annotation>
+ <documentation>Maps the response into attributes by means of scripting.</documentation>
+ </annotation>
+ </element>
+ <element name="ResultCache" type="resolver:CacheConfigType"/>
+ <element name="ResultCacheBean" type="resolver:string"/>
+ </choice>
+ <attribute name="httpClientRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the HttpClient to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="httpClientSecurityParametersRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the HttpClientSecurityParameters to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="serverCertificate" type="resolver:string">
+ <annotation>
+ <documentation>
+ Location of certificate to authenticate HTTP server
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="certificateAuthority" type="resolver:string">
+ <annotation>
+ <documentation>
+ Location of CA to indirectly authenticate HTTP server
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="clientPrivateKey" type="resolver:string">
+ <annotation>
+ <documentation>
+ Location of private key to authenticate with via TLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="clientCertificate" type="resolver:string">
+ <annotation>
+ <documentation>
+ Location of client certificate to authenticate with via TLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="templateEngine" type="resolver:string">
+ <annotation>
+ <documentation>
+ Name of the template engine defined within the application.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="maxLength" type="resolver:string">
+ <annotation>
+ <documentation>
+ Maximum size of response body to accept.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="acceptStatuses" >
+ <annotation>
+ <documentation>
+ A space-delimited list of HTTP status codes that should be treated as successful.
+ </documentation>
+ </annotation>
+ <simpleType>
+ <list itemType="string"/>
+ </simpleType>
+ </attribute>
+ <attribute name="acceptTypes" >
+ <annotation>
+ <documentation>
+ A space-delimited list of MIME content types that should be accepted.
+ </documentation>
+ </annotation>
+ <simpleType>
+ <list itemType="string"/>
+ </simpleType>
+ </attribute>
+ <attribute name="headerMapRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing a Map&lt;String,String&gt; of request headers to set.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="executableSearchBuilderRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="mappingStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the MappingStrategy implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validatorRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Validator implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="failFastInitialize" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to fail if the HTTP server cannot be verified at startup (defaults to false).
+ No verification takes place currently.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ScriptedDataConnector">
+ <annotation>
+ <documentation>
+ A data connector that constructs attributes by means of a script supported by JSR-223. Populated
+ Attributes are added to the java.util.Collection "connectorResults".
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element name="Script" type="resolver:string">
+ <annotation>
+ <documentation>The script to evaluate to construct the attribute.</documentation>
+ </annotation>
+ </element>
+ <element name="ScriptFile" type="resolver:string">
+ <annotation>
+ <documentation>
+ The filesystem path to the script to evaluate to construct the attribute.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="language" type="resolver:string">
+ <annotation>
+ <documentation>
+ The JSR-233 name for the scripting language that will be used. By default "javascript" is
+ supported.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="customObjectRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of a bean defined somewhere else which will be injected into the script as an
+ object called "custom". If not supplied, nothing is injected.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Static">
+ <annotation>
+ <documentation>
+ A data connector that gets its information from a static list of attributes and values specified within
+ this configuration.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <sequence>
+ <element name="Attribute" minOccurs="0" maxOccurs="unbounded">
+ <annotation>
+ <documentation>
+ Specifies an attribute, and its values, to be exposed by this connector.
+ </documentation>
+ </annotation>
+ <complexType>
+ <sequence>
+ <element name="Value" type="resolver:string" maxOccurs="unbounded">
+ <annotation>
+ <documentation>
+ A value of the attribute. If the value contains characters that would
+ otherwise need to be XML encoded you may wrap the value in a CDATA section.
+ </documentation>
+ </annotation>
+ </element>
+ </sequence>
+ <attribute name="id" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The ID of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+ </element>
+ </sequence>
+ <attribute name="attributeListRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of a bean defined somewhere else which describes a List of IdPAttributes
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="StorageService">
+ <annotation>
+ <documentation>
+ A data connector definition that queries for a record via the IdP's StorageService API.
+ Simple and scripted handling of records, typically in JSON, is the primary use case.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element name="ContextTemplate" type="resolver:string">
+ <annotation>
+ <documentation>
+ A template that will be used to create the context to query.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="KeyTemplate" type="resolver:string">
+ <annotation>
+ <documentation>
+ A template that will be used to create the key to query.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="RecordMapping" type="resolver:ScriptType">
+ <annotation>
+ <documentation>
+ Maps the record into attributes by means of scripting.
+ Mutually exclusive with generatedAttributeID attribute.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="ResultCache" type="resolver:CacheConfigType"/>
+ <element name="ResultCacheBean" type="resolver:string"/>
+ </choice>
+ <attribute name="storageServiceRef" type="resolver:string" use="required">
+ <annotation>
+ <documentation>
+ Reference to Spring bean of the StorageService to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="customObjectRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Injected object into Context/Key template building process.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="generatedAttributeID" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of the attribute produced by this data connector if simple
+ record mapping is used. Mutually exclusive with ResponseMapping element.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="noResultIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a search returning no record should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="templateEngine" type="resolver:string">
+ <annotation>
+ <documentation>
+ Name of the template engine defined within the application.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="executableSearchBuilderRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="mappingStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the MappingStrategy implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="StoredId">
+ <annotation>
+ <documentation>
+ A connector that retrieves a pairwise ID from a database.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element ref="resolver:SimpleManagedConnection"/>
+ <element ref="resolver:ContainerManagedConnection">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database managed by the application
+ container.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="BeanManagedConnection" type="resolver:string">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database configured in a Spring bean.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="queryTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ Timeout for the queries made to the database.
+ Timeout is given in ISO8601 duration form.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="transactionRetries" type="resolver:string">
+ <annotation>
+ <documentation>
+ Number of retries if insert fails (defaults to 3).
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="tableName" type="resolver:string">
+ <annotation>
+ <documentation>
+ Overrides name of database table to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="failFastInitialize" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to fail if the store cannot be verified at startup (defaults to false).
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="retryableErrors">
+ <annotation>
+ <documentation>
+ A space-delimited list of SQLState codes to treat as retryable (indicating
+ a duplicate insert error occurred).
+ </documentation>
+ </annotation>
+ <simpleType>
+ <list itemType="string"/>
+ </simpleType>
+ </attribute>
+ <attribute name="generatedAttributeID" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of the attribute produced by this data connector.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="salt" type="resolver:string">
+ <annotation>
+ <documentation>
+ A salt, of at least 16 bytes, used in the computed ID.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="encodedSalt" type="resolver:string">
+ <annotation>
+ <documentation>
+ A base64-encoded salt, of at least 16 bytes, used in the computed ID.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="algorithm" type="resolver:string">
+ <annotation>
+ <documentation>
+ The JCE digest algorithm to use, defaults to SHA-1.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="encoding" type="resolver:string">
+ <annotation>
+ <documentation>
+ An encoding type to apply after the digest, defaults to BASE64 but should
+ be set to BASE32.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="exceptionMapRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Spring bean reference to a map of overrides that alter salt or suppress generation
+ for particular users/services.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="saltLookupStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Spring bean reference to a BiFunction&lt;ProfileRequestContext,PairwiseId&gt;
+ to obtain the salt.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Subject">
+ <annotation>
+ <documentation>
+ A data connector that constructs attributes by extracting all IdPAttributePrincipal objects
+ found within the Subject(s) associated with the requests.
+
+ This is a streamlined approach to extracting them one by one with the SubjectDerivedAttribute
+ plugin provided encoding and other attribute metadata can be obtained from the system's
+ generalized transcoding facility.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <sequence>
+ <element ref="resolver:FailoverDataConnector" minOccurs="0" maxOccurs="1"/>
+ </sequence>
+ <attribute name="noResultIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether an absence of any results will cause an error. If an error
+ is raised and a failover dependency is defined for this connector the failover will be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="forCanonicalization" type="resolver:string">
+ <annotation>
+ <documentation>
+ If true, the source Subject is assumed to be undergoing C14N rather than the
+ usual post-authentication source. Defaults to false.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="EntityAttributes">
+ <annotation>
+ <documentation>
+ A connector for extracting mapped/decoded metadata tags from a peer's metadata.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <attribute name="metadataContextStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Bean ID of a Function to locate the SAMLMetadataContext to operate on.
+ Default is to locate it under the inbound message context via SAMLPeerEntityContext.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <!-- Support types for DataConnectors -->
+
+ <complexType name="ColumnType">
+ <attribute name="columnName" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The name of the database column.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="attributeID" type="resolver:string">
+ <annotation>
+ <documentation>The name of the attribute that data from this column should be added to.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="SaslConfigType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element name="SASLProperty" type="resolver:PropertyType">
+ <annotation>
+ <documentation>
+ SASL configuration properties.
+ Common properties include javax.security.sasl.qop, javax.security.sasl.strength, javax.security.sasl.server.authentication.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="mechanism" type="resolver:string">
+ <annotation>
+ <documentation>
+ The SASL mechanism. Common values are EXTERNAL, DIGEST_MD5, CRAM_MD5, GSSAPI
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authorizationId" type="resolver:string">
+ <annotation>
+ <documentation>SASL authorization ID.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="realm" type="resolver:string">
+ <annotation>
+ <documentation>The SASL realm.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="LdapPoolConfigType">
+ <attribute name="minPoolSize" type="resolver:string">
+ <annotation>
+ <documentation>
+ The minimum number of ldap connections that should always be available in the pool.
+ Note that these connections are provisioned as soon as the pool is initialized.
+ Default value is 0.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="maxPoolSize" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum number of ldap connections that should ever be available in the pool.
+ Note that when this threshold is reach the pool will begin blocking until a connection
+ is available.
+ Default value is 3.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="blockWaitTime" type="resolver:string">
+ <annotation>
+ <documentation>
+ Amount of time to block while waiting for a connection from the pool. If no
+ wait time is given, callers will block indefinitely.
+
+ Values are expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validatePeriodically" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether each ldap connection should be checked on a periodic basis.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validateTimerPeriod" type="resolver:string">
+ <annotation>
+ <documentation>
+ Time that the periodic pool validation process should repeat.
+ Ldap objects are pruned when they have been idle beyond the expiration time.
+ The pool is not pruned below the minimum pool size.
+ Default value is 30 minutes.
+
+ Period is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validateDN" type="resolver:string">
+ <annotation>
+ <documentation>
+ Ldap compare DN to use for connection validation.
+ Used in conjunction with validateFilter to perform a compare.
+ Default value is empty.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validateFilter" type="resolver:string">
+ <annotation>
+ <documentation>
+ Ldap compare filter to use for connection validation.
+ Used in conjunction with validateDN to perform a compare.
+ Default value is (objectClass=*).
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validateOnCheckout" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to validate connections when checking them out of the pool.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="prunePeriod" type="resolver:string">
+ <annotation>
+ <documentation>
+ Duration between looking for idle connections to reduce the pool back
+ to its minimum size.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="expirationTime" type="resolver:string">
+ <annotation>
+ <documentation>
+ Time in that an object in the pool should be considered stale and ready for removal.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="CacheConfigType">
+ <attribute name="cacheManagerRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Name of the CacheManager bean that will manage the result cache. This is not used.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="expireAfterAccess" type="resolver:string">
+ <annotation>
+ <documentation>
+ Length of time a result will be cached after the last access.
+ Incompatible with expireAfterWrite.
+
+ Duration is expressed in ISO8601 duration notation.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="expireAfterWrite" type="resolver:string">
+ <annotation>
+ <documentation>
+ Length of time a result will be cached from the time
+ it is inserted into the cache.
+ Incompatible with expireAfterAccess.
+
+ Duration is expressed in ISO8601 duration notation.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="maximumCachedElements" type="resolver:string">
+ <annotation>
+ <documentation>
+ Maximum number of results that will be held in cache.
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <element name="ContainerManagedConnection" type="resolver:ContainerManagedConnectionType">
+ <annotation>
+ <documentation>
+ Describes a database connection source that is managed by the application container.
+ </documentation>
+ </annotation>
+ </element>
+
+ <complexType name="ContainerManagedConnectionType">
+ <attribute name="resourceName" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The resource name the DataSource is bound to in the JNDI tree.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="PropertyType">
+ <attribute name="name" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The name of the property.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="value" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The value of the property,</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <element name="SimpleManagedConnection" type="resolver:SimpleManagedConnectionType">
+ <annotation>
+ <documentation>
+ Describes a simple database connection source that is managed by the attribute resolver data connector.
+ Included to "get people going" only
+ </documentation>
+ </annotation>
+ </element>
+
+ <complexType name="SimpleManagedConnectionType">
+ <attribute name="jdbcDriver" type="resolver:string" use="required">
+ <annotation>
+ <documentation>
+ This is the full qualified class name of the JDBC driver used to connect to the database.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="jdbcURL" type="resolver:string" use="required">
+ <annotation>
+ <documentation>
+ The JDBC URL for the database. These are usually of the form
+ jdbc:databaseProduceName:databaseSpecificInformation. For example, jdbc:hsql:mem:MyDatabase
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="jdbcUserName" type="resolver:string">
+ <annotation>
+ <documentation>The user name to use while connecting to the database.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="jdbcPassword" type="string">
+ <annotation>
+ <documentation>The password to use while connecting to the database.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <!-- Encoders that produce SAML 1 or SAML 2 Attributes -->
+ <complexType name="SAML1String">
+ <annotation>
+ <documentation>Defines a SAML 1 string encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="namespace" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 1 Namespace of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML1Base64">
+ <annotation>
+ <documentation>Defines a SAML 1 Base64 encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="namespace" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 1 Namespace of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML1XMLObject">
+ <annotation>
+ <documentation>Defines a SAML 1 Base64 encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="namespace" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 1 Namespace of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML2String">
+ <annotation>
+ <documentation>Defines a SAML 2 string encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="nameFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameFormat of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="friendlyName" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 FriendlyName of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML2DateTime">
+ <annotation>
+ <documentation>Defines a SAML 2 date/time encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="nameFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameFormat of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="friendlyName" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 FriendlyName of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML2Base64">
+ <annotation>
+ <documentation>Defines a SAML 2 Base64 encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="nameFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameFormat of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="friendlyName" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 FriendlyName of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML2XMLObject">
+ <annotation>
+ <documentation>Defines a SAML 2 Base64 encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="nameFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameFormat of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="friendlyName" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 FriendlyName of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="BaseScopedAttributeEncoderType">
+ <annotation>
+ <documentation>Defines an encoder for a scoped attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="scopeType" type="resolver:string">
+ <annotation>
+ <documentation>
+ The type of scoping to use for the encoded attribute. Valid values are "inline" or
+ "attribute".
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="scopeDelimiter" type="resolver:string">
+ <annotation>
+ <documentation>
+ If scopeType is "inline", this is the delimeter used between the attribute value and
+ scope.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="scopeAttribute" type="resolver:string">
+ <annotation>
+ <documentation>
+ If scopeType is "attribute", this is the name of the name of the attribute used to carry the
+ scope value.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML1ScopedString">
+ <annotation>
+ <documentation>Defines a SAML 1 string encoder for a scoped attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseScopedAttributeEncoderType">
+ <attribute name="namespace" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 1 Namespace of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML2ScopedString">
+ <annotation>
+ <documentation>Defines a SAML 2 string encoder for a scoped attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseScopedAttributeEncoderType">
+ <attribute name="nameFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameFormat of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="friendlyName" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 FriendlyName of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <!-- Reusable type for inline scripting. -->
+
+ <complexType name="ScriptType">
+ <annotation>
+ <documentation>
+ A type for elements that allow for scripts to be declared inline or via a resource.
+ </documentation>
+ </annotation>
+ <choice>
+ <element name="Script" type="resolver:string">
+ <annotation>
+ <documentation>The script to evaluate to construct the attribute.</documentation>
+ </annotation>
+ </element>
+ <element name="ScriptFile" type="resolver:string">
+ <annotation>
+ <documentation>
+ Path of a local resource containing the script to evaluate to construct the attribute.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="language" type="resolver:string">
+ <annotation>
+ <documentation>
+ The JSR-233 name for the scripting language that will be used.
+ By default "javascript" is assumed.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="customObjectRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of a bean defined somewhere else which will be injected into the script as an
+ object called "custom". If not supplied, nothing is injected.
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <simpleType name="string">
+ <restriction base="string">
+ <minLength value="1"/>
+ </restriction>
+ </simpleType>
+
+</schema>