Diffstat (limited to 'schema')
-rw-r--r--schema/saml-schema-assertion-2.0.xsd283
-rw-r--r--schema/saml-schema-metadata-2.0.xsd337
-rw-r--r--schema/saml-schema-protocol-2.0.xsd302
-rw-r--r--schema/shibboleth-2.0-attribute-map.xsd358
-rw-r--r--schema/shibboleth-3.0-native-sp-config.xsd908
-rw-r--r--schema/shibboleth-afp.xsd952
-rw-r--r--schema/shibboleth-attribute-resolver.xsd2274
-rw-r--r--schema/xenc-schema.xsd146
-rw-r--r--schema/xml.xsd287
9 files changed, 5847 insertions, 0 deletions
diff --git a/schema/saml-schema-assertion-2.0.xsd b/schema/saml-schema-assertion-2.0.xsd
new file mode 100644
index 0000000..478ddfa
--- /dev/null
+++ b/schema/saml-schema-assertion-2.0.xsd
@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+ <import namespace="http://www.w3.org/2000/09/xmldsig#"
+ schemaLocation="xmldsig-core-schema.xsd"/>
+ <import namespace="http://www.w3.org/2001/04/xmlenc#"
+ schemaLocation="xenc-schema.xsd"/>
+ <annotation>
+ <documentation>
+ Document identifier: saml-schema-assertion-2.0
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
+ Revision history:
+ V1.0 (November, 2002):
+ Initial Standard Schema.
+ V1.1 (September, 2003):
+ Updates within the same V1.0 namespace.
+ V2.0 (March, 2005):
+ New assertion schema for SAML V2.0 namespace.
+ </documentation>
+ </annotation>
+ <attributeGroup name="IDNameQualifiers">
+ <attribute name="NameQualifier" type="string" use="optional"/>
+ <attribute name="SPNameQualifier" type="string" use="optional"/>
+ </attributeGroup>
+ <element name="BaseID" type="saml:BaseIDAbstractType"/>
+ <complexType name="BaseIDAbstractType" abstract="true">
+ <attributeGroup ref="saml:IDNameQualifiers"/>
+ </complexType>
+ <element name="NameID" type="saml:NameIDType"/>
+ <complexType name="NameIDType">
+ <simpleContent>
+ <extension base="string">
+ <attributeGroup ref="saml:IDNameQualifiers"/>
+ <attribute name="Format" type="anyURI" use="optional"/>
+ <attribute name="SPProvidedID" type="string" use="optional"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ <complexType name="EncryptedElementType">
+ <sequence>
+ <element ref="xenc:EncryptedData"/>
+ <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+ <element name="EncryptedID" type="saml:EncryptedElementType"/>
+ <element name="Issuer" type="saml:NameIDType"/>
+ <element name="AssertionIDRef" type="NCName"/>
+ <element name="AssertionURIRef" type="anyURI"/>
+ <element name="Assertion" type="saml:AssertionType"/>
+ <complexType name="AssertionType">
+ <sequence>
+ <element ref="saml:Issuer"/>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="saml:Subject" minOccurs="0"/>
+ <element ref="saml:Conditions" minOccurs="0"/>
+ <element ref="saml:Advice" minOccurs="0"/>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:Statement"/>
+ <element ref="saml:AuthnStatement"/>
+ <element ref="saml:AuthzDecisionStatement"/>
+ <element ref="saml:AttributeStatement"/>
+ </choice>
+ </sequence>
+ <attribute name="Version" type="string" use="required"/>
+ <attribute name="ID" type="ID" use="required"/>
+ <attribute name="IssueInstant" type="dateTime" use="required"/>
+ </complexType>
+ <element name="Subject" type="saml:SubjectType"/>
+ <complexType name="SubjectType">
+ <choice>
+ <sequence>
+ <choice>
+ <element ref="saml:BaseID"/>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
+ </choice>
+ </complexType>
+ <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+ <complexType name="SubjectConfirmationType">
+ <sequence>
+ <choice minOccurs="0">
+ <element ref="saml:BaseID"/>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+ </sequence>
+ <attribute name="Method" type="anyURI" use="required"/>
+ </complexType>
+ <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
+ <complexType name="SubjectConfirmationDataType" mixed="true">
+ <complexContent>
+ <restriction base="anyType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="NotBefore" type="dateTime" use="optional"/>
+ <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+ <attribute name="Recipient" type="anyURI" use="optional"/>
+ <attribute name="InResponseTo" type="NCName" use="optional"/>
+ <attribute name="Address" type="string" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </restriction>
+ </complexContent>
+ </complexType>
+ <complexType name="KeyInfoConfirmationDataType" mixed="false">
+ <complexContent>
+ <restriction base="saml:SubjectConfirmationDataType">
+ <sequence>
+ <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+ </sequence>
+ </restriction>
+ </complexContent>
+ </complexType>
+ <element name="Conditions" type="saml:ConditionsType"/>
+ <complexType name="ConditionsType">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:Condition"/>
+ <element ref="saml:AudienceRestriction"/>
+ <element ref="saml:OneTimeUse"/>
+ <element ref="saml:ProxyRestriction"/>
+ </choice>
+ <attribute name="NotBefore" type="dateTime" use="optional"/>
+ <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+ </complexType>
+ <element name="Condition" type="saml:ConditionAbstractType"/>
+ <complexType name="ConditionAbstractType" abstract="true"/>
+ <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
+ <complexType name="AudienceRestrictionType">
+ <complexContent>
+ <extension base="saml:ConditionAbstractType">
+ <sequence>
+ <element ref="saml:Audience" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="Audience" type="anyURI"/>
+ <element name="OneTimeUse" type="saml:OneTimeUseType" />
+ <complexType name="OneTimeUseType">
+ <complexContent>
+ <extension base="saml:ConditionAbstractType"/>
+ </complexContent>
+ </complexType>
+ <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
+ <complexType name="ProxyRestrictionType">
+ <complexContent>
+ <extension base="saml:ConditionAbstractType">
+ <sequence>
+ <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Count" type="nonNegativeInteger" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="Advice" type="saml:AdviceType"/>
+ <complexType name="AdviceType">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:AssertionIDRef"/>
+ <element ref="saml:AssertionURIRef"/>
+ <element ref="saml:Assertion"/>
+ <element ref="saml:EncryptedAssertion"/>
+ <any namespace="##other" processContents="lax"/>
+ </choice>
+ </complexType>
+ <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
+ <element name="Statement" type="saml:StatementAbstractType"/>
+ <complexType name="StatementAbstractType" abstract="true"/>
+ <element name="AuthnStatement" type="saml:AuthnStatementType"/>
+ <complexType name="AuthnStatementType">
+ <complexContent>
+ <extension base="saml:StatementAbstractType">
+ <sequence>
+ <element ref="saml:SubjectLocality" minOccurs="0"/>
+ <element ref="saml:AuthnContext"/>
+ </sequence>
+ <attribute name="AuthnInstant" type="dateTime" use="required"/>
+ <attribute name="SessionIndex" type="string" use="optional"/>
+ <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+ <complexType name="SubjectLocalityType">
+ <attribute name="Address" type="string" use="optional"/>
+ <attribute name="DNSName" type="string" use="optional"/>
+ </complexType>
+ <element name="AuthnContext" type="saml:AuthnContextType"/>
+ <complexType name="AuthnContextType">
+ <sequence>
+ <choice>
+ <sequence>
+ <element ref="saml:AuthnContextClassRef"/>
+ <choice minOccurs="0">
+ <element ref="saml:AuthnContextDecl"/>
+ <element ref="saml:AuthnContextDeclRef"/>
+ </choice>
+ </sequence>
+ <choice>
+ <element ref="saml:AuthnContextDecl"/>
+ <element ref="saml:AuthnContextDeclRef"/>
+ </choice>
+ </choice>
+ <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+ <element name="AuthnContextClassRef" type="anyURI"/>
+ <element name="AuthnContextDeclRef" type="anyURI"/>
+ <element name="AuthnContextDecl" type="anyType"/>
+ <element name="AuthenticatingAuthority" type="anyURI"/>
+ <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
+ <complexType name="AuthzDecisionStatementType">
+ <complexContent>
+ <extension base="saml:StatementAbstractType">
+ <sequence>
+ <element ref="saml:Action" maxOccurs="unbounded"/>
+ <element ref="saml:Evidence" minOccurs="0"/>
+ </sequence>
+ <attribute name="Resource" type="anyURI" use="required"/>
+ <attribute name="Decision" type="saml:DecisionType" use="required"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <simpleType name="DecisionType">
+ <restriction base="string">
+ <enumeration value="Permit"/>
+ <enumeration value="Deny"/>
+ <enumeration value="Indeterminate"/>
+ </restriction>
+ </simpleType>
+ <element name="Action" type="saml:ActionType"/>
+ <complexType name="ActionType">
+ <simpleContent>
+ <extension base="string">
+ <attribute name="Namespace" type="anyURI" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ <element name="Evidence" type="saml:EvidenceType"/>
+ <complexType name="EvidenceType">
+ <choice maxOccurs="unbounded">
+ <element ref="saml:AssertionIDRef"/>
+ <element ref="saml:AssertionURIRef"/>
+ <element ref="saml:Assertion"/>
+ <element ref="saml:EncryptedAssertion"/>
+ </choice>
+ </complexType>
+ <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+ <complexType name="AttributeStatementType">
+ <complexContent>
+ <extension base="saml:StatementAbstractType">
+ <choice maxOccurs="unbounded">
+ <element ref="saml:Attribute"/>
+ <element ref="saml:EncryptedAttribute"/>
+ </choice>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="Attribute" type="saml:AttributeType"/>
+ <complexType name="AttributeType">
+ <sequence>
+ <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Name" type="string" use="required"/>
+ <attribute name="NameFormat" type="anyURI" use="optional"/>
+ <attribute name="FriendlyName" type="string" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <element name="AttributeValue" type="anyType" nillable="true"/>
+ <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
+</schema>
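Review bot: The `<import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>` near the top of this file points at a sibling file that is not among the nine files this commit adds (the diffstat lists xenc-schema.xsd and xml.xsd but no xmldsig schema), so unless a copy already exists under schema/ or the loader maps the namespace through a catalog, loading this schema will fail at the ds:Signature references it makes. The metadata schema in this commit carries the identical import and has the same dependency. Worth confirming the file is present, or adding it here, so that validation of signed assertions resolves xmldsig locally rather than depending on whatever the parser's resolver does with an unresolvable schemaLocation.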
diff --git a/schema/saml-schema-metadata-2.0.xsd b/schema/saml-schema-metadata-2.0.xsd
new file mode 100644
index 0000000..b656d4f
--- /dev/null
+++ b/schema/saml-schema-metadata-2.0.xsd
@@ -0,0 +1,337 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+ <import namespace="http://www.w3.org/2000/09/xmldsig#"
+ schemaLocation="xmldsig-core-schema.xsd"/>
+ <import namespace="http://www.w3.org/2001/04/xmlenc#"
+ schemaLocation="xenc-schema.xsd"/>
+ <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+ schemaLocation="saml-schema-assertion-2.0.xsd"/>
+ <import namespace="http://www.w3.org/XML/1998/namespace"
+ schemaLocation="xml.xsd"/>
+ <annotation>
+ <documentation>
+ Document identifier: saml-schema-metadata-2.0
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
+ Revision history:
+ V2.0 (March, 2005):
+ Schema for SAML metadata, first published in SAML 2.0.
+ </documentation>
+ </annotation>
+
+ <simpleType name="entityIDType">
+ <restriction base="anyURI">
+ <maxLength value="1024"/>
+ </restriction>
+ </simpleType>
+ <complexType name="localizedNameType">
+ <simpleContent>
+ <extension base="string">
+ <attribute ref="xml:lang" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ <complexType name="localizedURIType">
+ <simpleContent>
+ <extension base="anyURI">
+ <attribute ref="xml:lang" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+ <element name="Extensions" type="md:ExtensionsType"/>
+ <complexType final="#all" name="ExtensionsType">
+ <sequence>
+ <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+
+ <complexType name="EndpointType">
+ <sequence>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Binding" type="anyURI" use="required"/>
+ <attribute name="Location" type="anyURI" use="required"/>
+ <attribute name="ResponseLocation" type="anyURI" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+
+ <complexType name="IndexedEndpointType">
+ <complexContent>
+ <extension base="md:EndpointType">
+ <attribute name="index" type="unsignedShort" use="required"/>
+ <attribute name="isDefault" type="boolean" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <element name="EntitiesDescriptor" type="md:EntitiesDescriptorType"/>
+ <complexType name="EntitiesDescriptorType">
+ <sequence>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <choice minOccurs="1" maxOccurs="unbounded">
+ <element ref="md:EntityDescriptor"/>
+ <element ref="md:EntitiesDescriptor"/>
+ </choice>
+ </sequence>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <attribute name="ID" type="ID" use="optional"/>
+ <attribute name="Name" type="string" use="optional"/>
+ </complexType>
+
+ <element name="EntityDescriptor" type="md:EntityDescriptorType"/>
+ <complexType name="EntityDescriptorType">
+ <sequence>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <choice>
+ <choice maxOccurs="unbounded">
+ <element ref="md:RoleDescriptor"/>
+ <element ref="md:IDPSSODescriptor"/>
+ <element ref="md:SPSSODescriptor"/>
+ <element ref="md:AuthnAuthorityDescriptor"/>
+ <element ref="md:AttributeAuthorityDescriptor"/>
+ <element ref="md:PDPDescriptor"/>
+ </choice>
+ <element ref="md:AffiliationDescriptor"/>
+ </choice>
+ <element ref="md:Organization" minOccurs="0"/>
+ <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:AdditionalMetadataLocation" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="entityID" type="md:entityIDType" use="required"/>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <attribute name="ID" type="ID" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+
+ <element name="Organization" type="md:OrganizationType"/>
+ <complexType name="OrganizationType">
+ <sequence>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <element ref="md:OrganizationName" maxOccurs="unbounded"/>
+ <element ref="md:OrganizationDisplayName" maxOccurs="unbounded"/>
+ <element ref="md:OrganizationURL" maxOccurs="unbounded"/>
+ </sequence>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <element name="OrganizationName" type="md:localizedNameType"/>
+ <element name="OrganizationDisplayName" type="md:localizedNameType"/>
+ <element name="OrganizationURL" type="md:localizedURIType"/>
+ <element name="ContactPerson" type="md:ContactType"/>
+ <complexType name="ContactType">
+ <sequence>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <element ref="md:Company" minOccurs="0"/>
+ <element ref="md:GivenName" minOccurs="0"/>
+ <element ref="md:SurName" minOccurs="0"/>
+ <element ref="md:EmailAddress" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:TelephoneNumber" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="contactType" type="md:ContactTypeType" use="required"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <element name="Company" type="string"/>
+ <element name="GivenName" type="string"/>
+ <element name="SurName" type="string"/>
+ <element name="EmailAddress" type="anyURI"/>
+ <element name="TelephoneNumber" type="string"/>
+ <simpleType name="ContactTypeType">
+ <restriction base="string">
+ <enumeration value="technical"/>
+ <enumeration value="support"/>
+ <enumeration value="administrative"/>
+ <enumeration value="billing"/>
+ <enumeration value="other"/>
+ </restriction>
+ </simpleType>
+
+ <element name="AdditionalMetadataLocation" type="md:AdditionalMetadataLocationType"/>
+ <complexType name="AdditionalMetadataLocationType">
+ <simpleContent>
+ <extension base="anyURI">
+ <attribute name="namespace" type="anyURI" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+ <element name="RoleDescriptor" type="md:RoleDescriptorType"/>
+ <complexType name="RoleDescriptorType" abstract="true">
+ <sequence>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:Organization" minOccurs="0"/>
+ <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="ID" type="ID" use="optional"/>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <attribute name="protocolSupportEnumeration" type="md:anyURIListType" use="required"/>
+ <attribute name="errorURL" type="anyURI" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <simpleType name="anyURIListType">
+ <list itemType="anyURI"/>
+ </simpleType>
+
+ <element name="KeyDescriptor" type="md:KeyDescriptorType"/>
+ <complexType name="KeyDescriptorType">
+ <sequence>
+ <element ref="ds:KeyInfo"/>
+ <element ref="md:EncryptionMethod" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="use" type="md:KeyTypes" use="optional"/>
+ </complexType>
+ <simpleType name="KeyTypes">
+ <restriction base="string">
+ <enumeration value="encryption"/>
+ <enumeration value="signing"/>
+ </restriction>
+ </simpleType>
+ <element name="EncryptionMethod" type="xenc:EncryptionMethodType"/>
+
+ <complexType name="SSODescriptorType" abstract="true">
+ <complexContent>
+ <extension base="md:RoleDescriptorType">
+ <sequence>
+ <element ref="md:ArtifactResolutionService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:SingleLogoutService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:ManageNameIDService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="ArtifactResolutionService" type="md:IndexedEndpointType"/>
+ <element name="SingleLogoutService" type="md:EndpointType"/>
+ <element name="ManageNameIDService" type="md:EndpointType"/>
+ <element name="NameIDFormat" type="anyURI"/>
+
+ <element name="IDPSSODescriptor" type="md:IDPSSODescriptorType"/>
+ <complexType name="IDPSSODescriptorType">
+ <complexContent>
+ <extension base="md:SSODescriptorType">
+ <sequence>
+ <element ref="md:SingleSignOnService" maxOccurs="unbounded"/>
+ <element ref="md:NameIDMappingService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="WantAuthnRequestsSigned" type="boolean" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="SingleSignOnService" type="md:EndpointType"/>
+ <element name="NameIDMappingService" type="md:EndpointType"/>
+ <element name="AssertionIDRequestService" type="md:EndpointType"/>
+ <element name="AttributeProfile" type="anyURI"/>
+
+ <element name="SPSSODescriptor" type="md:SPSSODescriptorType"/>
+ <complexType name="SPSSODescriptorType">
+ <complexContent>
+ <extension base="md:SSODescriptorType">
+ <sequence>
+ <element ref="md:AssertionConsumerService" maxOccurs="unbounded"/>
+ <element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="AuthnRequestsSigned" type="boolean" use="optional"/>
+ <attribute name="WantAssertionsSigned" type="boolean" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AssertionConsumerService" type="md:IndexedEndpointType"/>
+ <element name="AttributeConsumingService" type="md:AttributeConsumingServiceType"/>
+ <complexType name="AttributeConsumingServiceType">
+ <sequence>
+ <element ref="md:ServiceName" maxOccurs="unbounded"/>
+ <element ref="md:ServiceDescription" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:RequestedAttribute" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="index" type="unsignedShort" use="required"/>
+ <attribute name="isDefault" type="boolean" use="optional"/>
+ </complexType>
+ <element name="ServiceName" type="md:localizedNameType"/>
+ <element name="ServiceDescription" type="md:localizedNameType"/>
+ <element name="RequestedAttribute" type="md:RequestedAttributeType"/>
+ <complexType name="RequestedAttributeType">
+ <complexContent>
+ <extension base="saml:AttributeType">
+ <attribute name="isRequired" type="boolean" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <element name="AuthnAuthorityDescriptor" type="md:AuthnAuthorityDescriptorType"/>
+ <complexType name="AuthnAuthorityDescriptorType">
+ <complexContent>
+ <extension base="md:RoleDescriptorType">
+ <sequence>
+ <element ref="md:AuthnQueryService" maxOccurs="unbounded"/>
+ <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthnQueryService" type="md:EndpointType"/>
+
+ <element name="PDPDescriptor" type="md:PDPDescriptorType"/>
+ <complexType name="PDPDescriptorType">
+ <complexContent>
+ <extension base="md:RoleDescriptorType">
+ <sequence>
+ <element ref="md:AuthzService" maxOccurs="unbounded"/>
+ <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthzService" type="md:EndpointType"/>
+
+ <element name="AttributeAuthorityDescriptor" type="md:AttributeAuthorityDescriptorType"/>
+ <complexType name="AttributeAuthorityDescriptorType">
+ <complexContent>
+ <extension base="md:RoleDescriptorType">
+ <sequence>
+ <element ref="md:AttributeService" maxOccurs="unbounded"/>
+ <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AttributeService" type="md:EndpointType"/>
+
+ <element name="AffiliationDescriptor" type="md:AffiliationDescriptorType"/>
+ <complexType name="AffiliationDescriptorType">
+ <sequence>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <element ref="md:AffiliateMember" maxOccurs="unbounded"/>
+ <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="affiliationOwnerID" type="md:entityIDType" use="required"/>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <attribute name="ID" type="ID" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <element name="AffiliateMember" type="md:entityIDType"/>
+</schema>
diff --git a/schema/saml-schema-protocol-2.0.xsd b/schema/saml-schema-protocol-2.0.xsd
new file mode 100644
index 0000000..eb480e5
--- /dev/null
+++ b/schema/saml-schema-protocol-2.0.xsd
@@ -0,0 +1,302 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+ <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+ schemaLocation="saml-schema-assertion-2.0.xsd"/>
+ <import namespace="http://www.w3.org/2000/09/xmldsig#"
+ schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
+ <annotation>
+ <documentation>
+ Document identifier: saml-schema-protocol-2.0
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
+ Revision history:
+ V1.0 (November, 2002):
+ Initial Standard Schema.
+ V1.1 (September, 2003):
+ Updates within the same V1.0 namespace.
+ V2.0 (March, 2005):
+ New protocol schema based in a SAML V2.0 namespace.
+ </documentation>
+ </annotation>
+ <complexType name="RequestAbstractType" abstract="true">
+ <sequence>
+ <element ref="saml:Issuer" minOccurs="0"/>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="samlp:Extensions" minOccurs="0"/>
+ </sequence>
+ <attribute name="ID" type="ID" use="required"/>
+ <attribute name="Version" type="string" use="required"/>
+ <attribute name="IssueInstant" type="dateTime" use="required"/>
+ <attribute name="Destination" type="anyURI" use="optional"/>
+ <attribute name="Consent" type="anyURI" use="optional"/>
+ </complexType>
+ <element name="Extensions" type="samlp:ExtensionsType"/>
+ <complexType name="ExtensionsType">
+ <sequence>
+ <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+ <complexType name="StatusResponseType">
+ <sequence>
+ <element ref="saml:Issuer" minOccurs="0"/>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="samlp:Extensions" minOccurs="0"/>
+ <element ref="samlp:Status"/>
+ </sequence>
+ <attribute name="ID" type="ID" use="required"/>
+ <attribute name="InResponseTo" type="NCName" use="optional"/>
+ <attribute name="Version" type="string" use="required"/>
+ <attribute name="IssueInstant" type="dateTime" use="required"/>
+ <attribute name="Destination" type="anyURI" use="optional"/>
+ <attribute name="Consent" type="anyURI" use="optional"/>
+ </complexType>
+ <element name="Status" type="samlp:StatusType"/>
+ <complexType name="StatusType">
+ <sequence>
+ <element ref="samlp:StatusCode"/>
+ <element ref="samlp:StatusMessage" minOccurs="0"/>
+ <element ref="samlp:StatusDetail" minOccurs="0"/>
+ </sequence>
+ </complexType>
+ <element name="StatusCode" type="samlp:StatusCodeType"/>
+ <complexType name="StatusCodeType">
+ <sequence>
+ <element ref="samlp:StatusCode" minOccurs="0"/>
+ </sequence>
+ <attribute name="Value" type="anyURI" use="required"/>
+ </complexType>
+ <element name="StatusMessage" type="string"/>
+ <element name="StatusDetail" type="samlp:StatusDetailType"/>
+ <complexType name="StatusDetailType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+ <element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/>
+ <complexType name="AssertionIDRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <element ref="saml:AssertionIDRef" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
+ <complexType name="SubjectQueryAbstractType" abstract="true">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <element ref="saml:Subject"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthnQuery" type="samlp:AuthnQueryType"/>
+ <complexType name="AuthnQueryType">
+ <complexContent>
+ <extension base="samlp:SubjectQueryAbstractType">
+ <sequence>
+ <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
+ </sequence>
+ <attribute name="SessionIndex" type="string" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/>
+ <complexType name="RequestedAuthnContextType">
+ <choice>
+ <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/>
+ <element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/>
+ </choice>
+ <attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/>
+ </complexType>
+ <simpleType name="AuthnContextComparisonType">
+ <restriction base="string">
+ <enumeration value="exact"/>
+ <enumeration value="minimum"/>
+ <enumeration value="maximum"/>
+ <enumeration value="better"/>
+ </restriction>
+ </simpleType>
+ <element name="AttributeQuery" type="samlp:AttributeQueryType"/>
+ <complexType name="AttributeQueryType">
+ <complexContent>
+ <extension base="samlp:SubjectQueryAbstractType">
+ <sequence>
+ <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/>
+ <complexType name="AuthzDecisionQueryType">
+ <complexContent>
+ <extension base="samlp:SubjectQueryAbstractType">
+ <sequence>
+ <element ref="saml:Action" maxOccurs="unbounded"/>
+ <element ref="saml:Evidence" minOccurs="0"/>
+ </sequence>
+ <attribute name="Resource" type="anyURI" use="required"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthnRequest" type="samlp:AuthnRequestType"/>
+ <complexType name="AuthnRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <element ref="saml:Subject" minOccurs="0"/>
+ <element ref="samlp:NameIDPolicy" minOccurs="0"/>
+ <element ref="saml:Conditions" minOccurs="0"/>
+ <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
+ <element ref="samlp:Scoping" minOccurs="0"/>
+ </sequence>
+ <attribute name="ForceAuthn" type="boolean" use="optional"/>
+ <attribute name="IsPassive" type="boolean" use="optional"/>
+ <attribute name="ProtocolBinding" type="anyURI" use="optional"/>
+ <attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/>
+ <attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/>
+ <attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/>
+ <attribute name="ProviderName" type="string" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="NameIDPolicy" type="samlp:NameIDPolicyType"/>
+ <complexType name="NameIDPolicyType">
+ <attribute name="Format" type="anyURI" use="optional"/>
+ <attribute name="SPNameQualifier" type="string" use="optional"/>
+ <attribute name="AllowCreate" type="boolean" use="optional"/>
+ </complexType>
+ <element name="Scoping" type="samlp:ScopingType"/>
+ <complexType name="ScopingType">
+ <sequence>
+ <element ref="samlp:IDPList" minOccurs="0"/>
+ <element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/>
+ </complexType>
+ <element name="RequesterID" type="anyURI"/>
+ <element name="IDPList" type="samlp:IDPListType"/>
+ <complexType name="IDPListType">
+ <sequence>
+ <element ref="samlp:IDPEntry" maxOccurs="unbounded"/>
+ <element ref="samlp:GetComplete" minOccurs="0"/>
+ </sequence>
+ </complexType>
+ <element name="IDPEntry" type="samlp:IDPEntryType"/>
+ <complexType name="IDPEntryType">
+ <attribute name="ProviderID" type="anyURI" use="required"/>
+ <attribute name="Name" type="string" use="optional"/>
+ <attribute name="Loc" type="anyURI" use="optional"/>
+ </complexType>
+ <element name="GetComplete" type="anyURI"/>
+ <element name="Response" type="samlp:ResponseType"/>
+ <complexType name="ResponseType">
+ <complexContent>
+ <extension base="samlp:StatusResponseType">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:Assertion"/>
+ <element ref="saml:EncryptedAssertion"/>
+ </choice>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="ArtifactResolve" type="samlp:ArtifactResolveType"/>
+ <complexType name="ArtifactResolveType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <element ref="samlp:Artifact"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="Artifact" type="string"/>
+ <element name="ArtifactResponse" type="samlp:ArtifactResponseType"/>
+ <complexType name="ArtifactResponseType">
+ <complexContent>
+ <extension base="samlp:StatusResponseType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/>
+ <complexType name="ManageNameIDRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <choice>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <choice>
+ <element ref="samlp:NewID"/>
+ <element ref="samlp:NewEncryptedID"/>
+ <element ref="samlp:Terminate"/>
+ </choice>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="NewID" type="string"/>
+ <element name="NewEncryptedID" type="saml:EncryptedElementType"/>
+ <element name="Terminate" type="samlp:TerminateType"/>
+ <complexType name="TerminateType"/>
+ <element name="ManageNameIDResponse" type="samlp:StatusResponseType"/>
+ <element name="LogoutRequest" type="samlp:LogoutRequestType"/>
+ <complexType name="LogoutRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <choice>
+ <element ref="saml:BaseID"/>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Reason" type="string" use="optional"/>
+ <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="SessionIndex" type="string"/>
+ <element name="LogoutResponse" type="samlp:StatusResponseType"/>
+ <element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/>
+ <complexType name="NameIDMappingRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <choice>
+ <element ref="saml:BaseID"/>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <element ref="samlp:NameIDPolicy"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/>
+ <complexType name="NameIDMappingResponseType">
+ <complexContent>
+ <extension base="samlp:StatusResponseType">
+ <choice>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ </extension>
+ </complexContent>
+ </complexType>
+</schema>
diff --git a/schema/shibboleth-2.0-attribute-map.xsd b/schema/shibboleth-2.0-attribute-map.xsd
new file mode 100644
index 0000000..31ff798
--- /dev/null
+++ b/schema/shibboleth-2.0-attribute-map.xsd
@@ -0,0 +1,358 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema targetNamespace="urn:mace:shibboleth:2.0:attribute-map"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:am="urn:mace:shibboleth:2.0:attribute-map"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ elementFormDefault="qualified"
+ version="2.5">
+
+ <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd" />
+
+ <annotation>
+ <documentation>
+ This schema maps SAML attributes into Shibboleth internal attributes.
+ </documentation>
+ </annotation>
+
+ <simpleType name="string">
+ <restriction base="string">
+ <minLength value="1"/>
+ </restriction>
+ </simpleType>
+
+ <simpleType name="anyURI">
+ <restriction base="anyURI">
+ <minLength value="1"/>
+ </restriction>
+ </simpleType>
+
+ <simpleType name="listOfStrings">
+ <list itemType="am:string"/>
+ </simpleType>
+
+ <complexType name="PluggableType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="type" type="am:string" use="required"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+
+ <element name="GSSAPIContext" type="base64Binary">
+ <annotation>
+ <documentation>A wrapper element for GSS-API contexts.</documentation>
+ </annotation>
+ </element>
+
+ <element name="GSSAPIName" type="base64Binary">
+ <annotation>
+ <documentation>A wrapper element for GSS-API composite names.</documentation>
+ </annotation>
+ </element>
+
+ <element name="Attributes">
+ <annotation>
+ <documentation>The set of SAML or GSS-API attribute mappings.</documentation>
+ </annotation>
+ <complexType>
+ <sequence>
+ <element name="MetadataProvider" type="am:PluggableType" minOccurs="0"/>
+ <element name="TrustEngine" type="am:PluggableType" minOccurs="0"/>
+ <element name="AttributeFilter" type="am:PluggableType" minOccurs="0"/>
+ <choice maxOccurs="unbounded">
+ <element name="Attribute" type="am:AttributeType"/>
+ <element name="GSSAPIAttribute" type="am:GSSAPIAttributeType"/>
+ </choice>
+ <element ref="ds:Signature" minOccurs="0"/>
+ </sequence>
+ <attribute name="metadataAttributeCaching" type="boolean"/>
+ <attribute name="metadataPolicyId" type="am:string"/>
+ </complexType>
+ </element>
+
+ <complexType name="AttributeType">
+ <annotation>
+ <documentation>Rule for mapping a SAML attribute to an internal attribute.</documentation>
+ </annotation>
+ <sequence>
+ <element name="AttributeDecoder" type="am:AttributeDecoderType" minOccurs="0"/>
+ </sequence>
+ <attribute name="id" type="am:string" use="required">
+ <annotation>
+ <documentation>The internal attribute ID to which this SAML attribute maps.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="aliases" type="am:listOfStrings">
+ <annotation>
+ <documentation>DEPRECATED: Aliases for the internal attribute to which this SAML attribute maps.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="name" type="am:string" use="required">
+ <annotation>
+ <documentation>The SAML 1 AttributeName or SAML 2 Name of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="nameFormat" type="am:string">
+ <annotation>
+ <documentation>The SAML 1 Namespace or SAML 2 NameFormat of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="isRequested" type="boolean">
+ <annotation>
+ <documentation>Marks an attribute as requested by the service.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="isRequired" type="boolean">
+ <annotation>
+ <documentation>Marks an attribute as required by the service.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="GSSAPIAttributeType">
+ <annotation>
+ <documentation>Rule for mapping a GSS-API naming attribute to an internal attribute.</documentation>
+ </annotation>
+ <attribute name="id" type="am:string" use="required">
+ <annotation>
+ <documentation>The internal attribute ID to which this SAML attribute maps.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="aliases" type="am:listOfStrings">
+ <annotation>
+ <documentation>Optional aliases for the internal attribute to which this SAML attribute maps.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="name" type="am:string" use="required">
+ <annotation>
+ <documentation>The name of the naming attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authenticated" type="boolean">
+ <annotation>
+ <documentation>If true, only an authenticated GSS-API naming attribute will be mapped.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="binary" type="boolean">
+ <annotation>
+ <documentation>If true, the GSS-API naming attribute will be base64-encoded for internal use.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="scopeDelimiter" type="am:string">
+ <annotation>
+ <documentation>
+ The character(s) used to delimit the scoped information from the scope.
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="AttributeDecoderType" abstract="true">
+ <annotation>
+ <documentation>
+ Decodes a SAML attribute into its Shibboleth-internal representation.
+ </documentation>
+ </annotation>
+ <attribute name="caseSensitive" type="boolean">
+ <annotation>
+ <documentation>
+ Flag controlling case sensitivity when comparisons to the attribute's values are done.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="internal" type="boolean">
+ <annotation>
+ <documentation>
+ Flag controlling whether the resulting attribute should be exported for CGI use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="langAware" type="boolean">
+ <annotation>
+ <documentation>
+ Flag controlling whether the decoder should select only the best matching value by language.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="hashAlg" type="am:string">
+ <annotation>
+ <documentation>
+ Crypto-provider-specific name of hash algorithm to use,
+ turning the decoded result into a simple string.
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="StringAttributeDecoder">
+ <annotation>
+ <documentation>
+ Decoder for attributes with string values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="am:AttributeDecoderType" />
+ </complexContent>
+ </complexType>
+
+ <complexType name="ScopedAttributeDecoder">
+ <annotation>
+ <documentation>
+ Decoder for attributes with scoped values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="am:AttributeDecoderType">
+ <attribute name="scopeDelimiter" type="am:string">
+ <annotation>
+ <documentation>
+ The character(s) used to delimit the scoped information from the scope.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="NameIDAttributeDecoder">
+ <annotation>
+ <documentation>
+ Decoder for attributes with NameID values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="am:AttributeDecoderType">
+ <attribute name="formatter" type="am:string">
+ <annotation>
+ <documentation>
+ The pattern used to generate string versions of the attribute's values.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="defaultQualifiers" type="boolean">
+ <annotation>
+ <documentation>
+ Flag controlling whether to default in values for NameQualifier/SPNameQualifier if not set.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="NameIDFromScopedAttributeDecoder">
+ <annotation>
+ <documentation>
+ Decoder for attributes with scoped values that produces a NameID attribute with
+ the scope dropped and the NameQualifiers defaulted.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="am:ScopedAttributeDecoder">
+ <attribute name="format" type="am:anyURI">
+ <annotation>
+ <documentation>
+ Value to use as the NameID Format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="defaultQualifiers" type="boolean">
+ <annotation>
+ <documentation>
+ Flag controlling whether to default in values for NameQualifier/SPNameQualifier if not set.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="formatter" type="am:string">
+ <annotation>
+ <documentation>
+ The pattern used to generate string versions of the attribute's values.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="KeyInfoAttributeDecoder">
+ <annotation>
+ <documentation>
+ Decoder for attributes with ds:KeyInfo values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="am:AttributeDecoderType">
+ <sequence>
+ <element name="KeyInfoResolver" type="am:PluggableType" minOccurs="0"/>
+ </sequence>
+ <attribute name="hash" type="boolean">
+ <annotation>
+ <documentation>
+ Flag controlling whether to hash keys before base64-encoding them.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="keyInfoHashAlg" type="am:string">
+ <annotation>
+ <documentation>
+ Crypto-provider-specific name of hash algorithm to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="XMLAttributeDecoder">
+ <annotation>
+ <documentation>
+ Decoder for directly serializing XML values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="am:AttributeDecoderType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="DOMAttributeDecoder">
+ <annotation>
+ <documentation>
+ Decoder for extracting information from XML values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="am:AttributeDecoderType">
+ <sequence>
+ <element name="Mapping" minOccurs="0">
+ <annotation>
+ <documentation>Optional transform to turn qualified XML names into string names.</documentation>
+ </annotation>
+ <complexType>
+ <attribute name="from" type="QName" use="required"/>
+ <attribute name="to" type="am:string" use="required"/>
+ </complexType>
+ </element>
+ </sequence>
+ <attribute name="formatter" type="am:string">
+ <annotation>
+ <documentation>
+ The pattern used to generate strings from the XML.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Base64AttributeDecoder">
+ <annotation>
+ <documentation>
+ Decoder for attributes with base64-encoded string values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="am:AttributeDecoderType" />
+ </complexContent>
+ </complexType>
+
+</schema>
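Review bot: The import near the top of this schema resolves `xmldsig-core-schema.xsd` through a relative schemaLocation, but that file does not appear to be among the schemas this commit adds, so a validator that honours schemaLocation will either fail to load this schema or, depending on its resolver, fall back to fetching the W3C copy over the network at validation time; the shibboleth-3.0-native-sp-config.xsd hunk below repeats the same import. Either vendor the dsig core schema alongside these files or map it in an XML catalog so validation of trusted configuration never depends on a remote fetch, and keep external-entity and DTD resolution disabled in whatever parser consumes these files. Separately, the `id` and `aliases` documentation on GSSAPIAttributeType still reads "this SAML attribute", copied from AttributeType; suggest `The internal attribute ID to which this GSS-API naming attribute maps.` and the matching wording for aliases.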
diff --git a/schema/shibboleth-3.0-native-sp-config.xsd b/schema/shibboleth-3.0-native-sp-config.xsd
new file mode 100644
index 0000000..9eb7a4b
--- /dev/null
+++ b/schema/shibboleth-3.0-native-sp-config.xsd
@@ -0,0 +1,908 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema targetNamespace="urn:mace:shibboleth:3.0:native:sp:config"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ elementFormDefault="qualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="3.4">
+
+ <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd" />
+ <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>
+ <import namespace="urn:oasis:names:tc:SAML:2.0:protocol" schemaLocation="saml-schema-protocol-2.0.xsd"/>
+ <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
+
+ <annotation>
+ <documentation>
+ 3.x schema for XML-based configuration of Shibboleth Native SP instances.
+ First appearing in Shibboleth 3.0 release.
+ </documentation>
+ </annotation>
+
+ <simpleType name="string">
+ <restriction base="string">
+ <minLength value="1"/>
+ </restriction>
+ </simpleType>
+
+ <simpleType name="listOfStrings">
+ <list itemType="conf:string"/>
+ </simpleType>
+
+ <simpleType name="anyURI">
+ <restriction base="anyURI">
+ <minLength value="1"/>
+ </restriction>
+ </simpleType>
+
+ <simpleType name="listOfURIs">
+ <list itemType="conf:anyURI"/>
+ </simpleType>
+
+ <simpleType name="bindingBoolean">
+ <restriction base="string">
+ <enumeration value="true"/>
+ <enumeration value="false"/>
+ <enumeration value="front"/>
+ <enumeration value="back"/>
+ <enumeration value="conditional" />
+ </restriction>
+ </simpleType>
+
+ <simpleType name="redirectLimitType">
+ <restriction base="string">
+ <enumeration value="none"/>
+ <enumeration value="exact"/>
+ <enumeration value="host"/>
+ <enumeration value="whitelist"/>
+ <enumeration value="exact+whitelist"/>
+ <enumeration value="host+whitelist"/>
+ <enumeration value="allow"/>
+ <enumeration value="exact+allow"/>
+ <enumeration value="host+allow"/>
+ </restriction>
+ </simpleType>
+
+ <simpleType name="sameSiteType">
+ <restriction base="string">
+ <enumeration value="None"/>
+ <enumeration value="Lax"/>
+ <enumeration value="Strict"/>
+ </restriction>
+ </simpleType>
+
+ <complexType name="PluggableType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="type" type="conf:string" use="required"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+
+ <complexType name="ExtensionsType">
+ <annotation>
+ <documentation>Container for extension libraries and custom configuration</documentation>
+ </annotation>
+ <sequence>
+ <element name="Library" minOccurs="0" maxOccurs="unbounded">
+ <complexType>
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="path" type="conf:anyURI" use="required"/>
+ <attribute name="fatal" type="boolean"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+ </element>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+
+ <complexType name="DataSealerType">
+ <annotation>
+ <documentation>References DataSealer plugins</documentation>
+ </annotation>
+ <complexContent>
+ <restriction base="conf:PluggableType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </restriction>
+ </complexContent>
+ </complexType>
+
+ <complexType name="StorageServiceType">
+ <annotation>
+ <documentation>References StorageService plugins</documentation>
+ </annotation>
+ <complexContent>
+ <restriction base="conf:PluggableType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="id" type="ID" use="required"/>
+ <attribute name="cleanupInterval" type="unsignedInt"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </restriction>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SessionCacheType">
+ <annotation>
+ <documentation>References SessionCache plugins</documentation>
+ </annotation>
+ <complexContent>
+ <restriction base="conf:PluggableType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="StorageService" type="IDREF"/>
+ <attribute name="cacheAllowance" type="unsignedInt"/>
+ <attribute name="maintainReverseIndex" type="boolean"/>
+ <attribute name="reverseIndexMaxSize" type="unsignedInt"/>
+ <attribute name="excludeReverseIndex" type="conf:listOfStrings"/>
+ <attribute name="persistedAttributes" type="conf:listOfStrings"/>
+ <attribute name="unreliableNetworks" type="conf:listOfStrings"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </restriction>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ReplayCacheType">
+ <annotation>
+ <documentation>Ties ReplayCache to a custom StorageService</documentation>
+ </annotation>
+ <sequence/>
+ <attribute name="StorageService" type="IDREF"/>
+ </complexType>
+
+ <complexType name="ArtifactMapType">
+ <annotation>
+ <documentation>Customizes an ArtifactMap</documentation>
+ </annotation>
+ <sequence/>
+ <attribute name="StorageService" type="IDREF"/>
+ <attribute name="context" type="conf:string"/>
+ <attribute name="artifactTTL" type="unsignedInt"/>
+ </complexType>
+
+ <complexType name="OutOfProcessType">
+ <annotation>
+ <documentation>Container for out-of-process (shibd) configuration</documentation>
+ </annotation>
+ <sequence>
+ <element name="Extensions" type="conf:ExtensionsType" minOccurs="0"/>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="logger" type="conf:anyURI"/>
+ <attribute name="tranLogFormat" type="conf:string"/>
+ <attribute name="tranLogFiller" type="conf:string"/>
+ <attribute name="catchAll" type="boolean"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+
+ <complexType name="InProcessType">
+ <annotation>
+ <documentation>
+ Container for configuration of locally integrated or platform-specific
+ features (e.g. web server filters)
+ </documentation>
+ </annotation>
+ <sequence>
+ <element name="Extensions" type="conf:ExtensionsType" minOccurs="0"/>
+ <element name="ISAPI" minOccurs="0">
+ <complexType>
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element name="Site">
+ <complexType>
+ <sequence>
+ <element name="Alias" type="conf:string" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="id" type="unsignedInt" use="required"/>
+ <attribute name="name" type="conf:string" use="required"/>
+ <attribute name="port" type="unsignedInt"/>
+ <attribute name="useHeaders" type="boolean"/>
+ <attribute name="useVariables" type="boolean"/>
+ <attribute name="sslport" type="unsignedInt"/>
+ <attribute name="scheme" type="conf:string"/>
+ </complexType>
+ </element>
+ <element name="Roles">
+ <complexType>
+ <attribute name="authNRole" type="string" use="optional"/>
+ <attribute name="roleAttributes" type="string" use="optional"/>
+ </complexType>
+ </element>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </choice>
+ <attribute name="normalizeRequest" type="boolean"/>
+ <attribute name="safeHeaderNames" type="boolean"/>
+ <attribute name="useHeaders" type="boolean"/>
+ <attribute name="useVariables" type="boolean"/>
+ <attribute name="handlerPrefix" type="conf:string" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ </element>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="logger" type="conf:anyURI"/>
+ <attribute name="unsetHeaderValue" type="conf:string"/>
+ <attribute name="checkSpoofing" type="boolean"/>
+ <attribute name="spoofKey" type="conf:string"/>
+ <attribute name="catchAll" type="boolean"/>
+ <attribute name="extraAuthTypes" type="conf:listOfStrings"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+
+ <element name="AccessControl" type="conf:UniOperatorType">
+ <annotation>
+ <documentation>
+ A simple example access policy language extension that supersedes Apache .htaccess
+ </documentation>
+ </annotation>
+ </element>
+ <complexType name="UniOperatorType">
+ <choice>
+ <element name="AND" type="conf:MultiOperatorType"/>
+ <element name="OR" type="conf:MultiOperatorType"/>
+ <element name="NOT" type="conf:UniOperatorType"/>
+ <element name="Rule" type="conf:RuleType"/>
+ <element name="RuleRegex" type="conf:RuleRegexType"/>
+ </choice>
+ </complexType>
+ <complexType name="MultiOperatorType">
+ <choice minOccurs="2" maxOccurs="unbounded">
+ <element name="AND" type="conf:MultiOperatorType"/>
+ <element name="OR" type="conf:MultiOperatorType"/>
+ <element name="NOT" type="conf:UniOperatorType"/>
+ <element name="Rule" type="conf:RuleType"/>
+ <element name="RuleRegex" type="conf:RuleRegexType"/>
+ </choice>
+ </complexType>
+ <complexType name="RuleType">
+ <simpleContent>
+ <extension base="conf:listOfStrings">
+ <attribute name="require" type="conf:string" use="required"/>
+ <attribute name="list" type="boolean"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ <complexType name="RuleRegexType">
+ <simpleContent>
+ <extension base="conf:string">
+ <attribute name="require" type="conf:string" use="required"/>
+ <attribute name="caseSensitive" type="boolean"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+ <attributeGroup name="ContentSettings">
+ <attribute name="applicationId" type="conf:string"/>
+ <attribute name="authType" type="conf:string"/>
+ <attribute name="requireSession" type="boolean"/>
+ <attribute name="requireSessionWith" type="conf:string"/>
+ <attribute name="requireLogoutWith" type="conf:anyURI"/>
+ <attribute name="exportAssertion" type="boolean"/>
+ <attribute name="exportStdVars" type="boolean"/>
+ <attribute name="exportCookie" type="boolean"/>
+ <attribute name="exportDuplicateValues" type="boolean"/>
+ <attribute name="redirectToSSL" type="unsignedInt"/>
+ <attribute name="entityID" type="conf:anyURI"/>
+ <attribute name="entityIDSelf" type="conf:anyURI"/>
+ <attribute name="discoveryURL" type="conf:anyURI"/>
+ <attribute name="discoveryPolicy" type="conf:string"/>
+ <attribute name="isPassive" type="boolean"/>
+ <attribute name="returnOnError" type="boolean"/>
+ <attribute name="forceAuthn" type="boolean"/>
+ <attribute name="authnContextClassRef" type="conf:listOfURIs"/>
+ <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
+ <attribute name="NameIDFormat" type="conf:anyURI"/>
+ <attribute name="SPNameQualifier" type="conf:string"/>
+ <attribute name="redirectErrors" type="conf:anyURI"/>
+ <attribute name="sessionError" type="conf:anyURI"/>
+ <attribute name="metadataError" type="conf:anyURI"/>
+ <attribute name="accessError" type="conf:anyURI"/>
+ <attribute name="sslError" type="conf:anyURI"/>
+ <attribute name="target" type="conf:anyURI"/>
+ <attribute name="acsIndex" type="unsignedShort"/>
+ <attribute name="attributeIndex" type="conf:string"/>
+ <attribute name="REMOTE_ADDR" type="conf:string"/>
+ <attribute name="encoding" type="conf:string"/>
+ <attribute name="attributeValueDelimiter" type="conf:string"/>
+ <attribute name="unset" type="conf:listOfStrings"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </attributeGroup>
+
+ <element name="RequestMap">
+ <annotation>
+ <documentation>
+ Built-in request mapping syntax, decomposes URLs into Host/Path/Path/...
+ </documentation>
+ </annotation>
+ <complexType>
+ <sequence>
+ <choice minOccurs="0">
+ <element name="htaccess" type="conf:PluggableType"/>
+ <element ref="conf:AccessControl"/>
+ <element name="AccessControlProvider" type="conf:PluggableType"/>
+ </choice>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element name="Host" type="conf:HostType"/>
+ <element name="HostRegex" type="conf:HostRegexType"/>
+ </choice>
+ <element ref="ds:Signature" minOccurs="0"/>
+ </sequence>
+ <attribute name="unicodeAware" type="boolean"/>
+ <attributeGroup ref="conf:ContentSettings"/>
+ </complexType>
+ </element>
+
+ <complexType name="HostType">
+ <sequence>
+ <choice minOccurs="0">
+ <element name="htaccess" type="conf:PluggableType"/>
+ <element ref="conf:AccessControl"/>
+ <element name="AccessControlProvider" type="conf:PluggableType"/>
+ </choice>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element name="Path" type="conf:PathType"/>
+ <element name="PathRegex" type="conf:PathRegexType"/>
+ <element name="Query" type="conf:QueryType"/>
+ </choice>
+ </sequence>
+ <attribute name="scheme">
+ <simpleType>
+ <restriction base="conf:string">
+ <enumeration value="http"/>
+ <enumeration value="https"/>
+ <enumeration value="ftp"/>
+ <enumeration value="ldap"/>
+ <enumeration value="ldaps"/>
+ </restriction>
+ </simpleType>
+ </attribute>
+ <attribute name="name" type="conf:string" use="required"/>
+ <attribute name="port" type="unsignedInt"/>
+ <attributeGroup ref="conf:ContentSettings"/>
+ </complexType>
+
+ <complexType name="HostRegexType">
+ <sequence>
+ <choice minOccurs="0">
+ <element name="htaccess" type="conf:PluggableType"/>
+ <element ref="conf:AccessControl"/>
+ <element name="AccessControlProvider" type="conf:PluggableType"/>
+ </choice>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element name="Path" type="conf:PathType"/>
+ <element name="PathRegex" type="conf:PathRegexType"/>
+ <element name="Query" type="conf:QueryType"/>
+ </choice>
+ </sequence>
+ <attribute name="regex" type="conf:string" use="required"/>
+ <attribute name="caseSensitive" type="boolean"/>
+ <attributeGroup ref="conf:ContentSettings"/>
+ </complexType>
+
+ <complexType name="PathType">
+ <sequence>
+ <choice minOccurs="0">
+ <element name="htaccess" type="conf:PluggableType"/>
+ <element ref="conf:AccessControl"/>
+ <element name="AccessControlProvider" type="conf:PluggableType"/>
+ </choice>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element name="Path" type="conf:PathType"/>
+ <element name="PathRegex" type="conf:PathRegexType"/>
+ <element name="Query" type="conf:QueryType"/>
+ </choice>
+ </sequence>
+ <attribute name="name" type="conf:string" use="required"/>
+ <attributeGroup ref="conf:ContentSettings"/>
+ </complexType>
+
+ <complexType name="PathRegexType">
+ <sequence>
+ <choice minOccurs="0">
+ <element name="htaccess" type="conf:PluggableType"/>
+ <element ref="conf:AccessControl"/>
+ <element name="AccessControlProvider" type="conf:PluggableType"/>
+ </choice>
+ <element name="Query" type="conf:QueryType" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="regex" type="conf:string" use="required"/>
+ <attribute name="caseSensitive" type="boolean"/>
+ <attributeGroup ref="conf:ContentSettings"/>
+ </complexType>
+
+ <complexType name="QueryType">
+ <sequence>
+ <choice minOccurs="0">
+ <element name="htaccess" type="conf:PluggableType"/>
+ <element ref="conf:AccessControl"/>
+ <element name="AccessControlProvider" type="conf:PluggableType"/>
+ </choice>
+ <element name="Query" type="conf:QueryType" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="name" type="conf:string" use="required"/>
+ <attribute name="regex" type="conf:string"/>
+ <attributeGroup ref="conf:ContentSettings"/>
+ </complexType>
+
+ <complexType name="ApplicationDefaultsType">
+ <annotation>
+ <documentation>Container for default settings and application-specific overrides</documentation>
+ </annotation>
+ <sequence>
+ <element name="Sessions" type="conf:SessionsType"/>
+ <element name="Errors" type="conf:ErrorsType" minOccurs="0"/>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element name="RelyingParty" type="conf:RelyingPartyType"/>
+ <element name="Notify" type="conf:NotifyType"/>
+ <element name="MetadataProvider" type="conf:PluggableType"/>
+ <element name="TrustEngine" type="conf:PluggableType"/>
+ <element name="AttributeExtractor" type="conf:PluggableType"/>
+ <element name="AttributeResolver" type="conf:PluggableType"/>
+ <element name="AttributeFilter" type="conf:PluggableType"/>
+ <element name="CredentialResolver" type="conf:PluggableType"/>
+ <element ref="conf:ApplicationOverride"/>
+ <element name="ExternalApplicationOverrides" type="conf:ExternalApplicationOverridesType"/>
+ </choice>
+ </sequence>
+ <attribute name="id" type="conf:string" fixed="default"/>
+ <attribute name="entityID" type="conf:anyURI" use="required"/>
+ <attributeGroup ref="conf:ApplicationGroup"/>
+ <attributeGroup ref="conf:RelyingPartyGroup"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+
+ <element name="ApplicationOverride" type="conf:ApplicationOverrideType"/>
+
+ <complexType name="ApplicationOverrideType">
+ <annotation>
+ <documentation>Container for application-specific overrides</documentation>
+ </annotation>
+ <sequence>
+ <element name="Sessions" type="conf:SessionsType" minOccurs="0"/>
+ <element name="Errors" type="conf:ErrorsType" minOccurs="0"/>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element name="RelyingParty" type="conf:RelyingPartyType"/>
+ <element name="Notify" type="conf:NotifyType"/>
+ <element name="MetadataProvider" type="conf:PluggableType"/>
+ <element name="TrustEngine" type="conf:PluggableType"/>
+ <element name="AttributeExtractor" type="conf:PluggableType"/>
+ <element name="AttributeResolver" type="conf:PluggableType"/>
+ <element name="AttributeFilter" type="conf:PluggableType"/>
+ <element name="CredentialResolver" type="conf:PluggableType"/>
+ </choice>
+ </sequence>
+ <attribute name="id" type="conf:string" use="required"/>
+ <attribute name="entityID" type="conf:anyURI"/>
+ <attributeGroup ref="conf:ApplicationGroup"/>
+ <attributeGroup ref="conf:RelyingPartyGroup"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+
+ <complexType name="ExternalApplicationOverridesType">
+ <annotation>
+ <documentation>Externalized application overrides.</documentation>
+ </annotation>
+ <sequence/>
+ <attribute name="path" type="conf:string" use="required" />
+ </complexType>
+
+ <attributeGroup name="ApplicationGroup">
+ <attribute name="homeURL" type="conf:anyURI"/>
+ <attribute name="policyId" type="conf:string"/>
+ <attribute name="REMOTE_USER" type="conf:listOfStrings"/>
+ <attribute name="unsetHeaders" type="conf:listOfStrings"/>
+ <attribute name="metadataAttributePrefix" type="conf:string"/>
+ <attribute name="attributePrefix" type="conf:string"/>
+ <attribute name="requireAuthenticatedEncryption" type="boolean"/>
+ </attributeGroup>
+
+ <attributeGroup name="RelyingPartyGroup">
+ <attribute name="authType" type="conf:string"/>
+ <attribute name="authUsername" type="conf:string"/>
+ <attribute name="authPassword" type="conf:string"/>
+ <attribute name="signing" type="conf:bindingBoolean"/>
+ <attribute name="signingAlg" type="conf:anyURI"/>
+ <attribute name="digestAlg" type="conf:anyURI"/>
+ <attribute name="encryption" type="conf:bindingBoolean"/>
+ <attribute name="encryptionAlg" type="conf:anyURI"/>
+ <attribute name="keyName" type="conf:string"/>
+ <attribute name="artifactEndpointIndex" type="unsignedShort"/>
+ <attribute name="chunkedEncoding" type="boolean"/>
+ <attribute name="connectTimeout" type="unsignedShort"/>
+ <attribute name="timeout" type="unsignedShort"/>
+ <attribute name="cipherSuites" type="string"/>
+ <attribute name="requireConfidentiality" type="boolean"/>
+ <attribute name="requireTransportAuth" type="boolean"/>
+ <attribute name="requireSignedAssertions" type="boolean"/>
+ <attribute name="sessionHook" type="conf:anyURI"/>
+ <attribute name="artifactByFilesystem" type="boolean"/>
+ <attribute name="authnContextClassRef" type="conf:listOfURIs"/>
+ <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
+ <attribute name="NameIDFormat" type="conf:anyURI"/>
+ <attribute name="SPNameQualifier" type="conf:string"/>
+ <attribute name="attributeIndex" type="conf:string"/>
+ <attribute name="requestDelegation" type="boolean"/>
+ </attributeGroup>
+
+ <complexType name="SessionsType">
+ <annotation>
+ <documentation>Container for specifying protocol handlers and session policy</documentation>
+ </annotation>
+ <sequence>
+ <element name="SSO" minOccurs="0">
+ <complexType>
+ <annotation>
+ <documentation>Implicitly configures SessionInitiator and AssertionConsumerService handlers</documentation>
+ </annotation>
+ <simpleContent>
+ <extension base="conf:listOfStrings">
+ <attribute name="policyId" type="conf:string"/>
+ <attribute name="ignoreNoPassive" type="boolean"/>
+ <attribute name="discoveryProtocol" type="conf:string"/>
+ <attribute name="discoveryURL" type="conf:anyURI"/>
+ <attributeGroup ref="conf:SessionInitiatorGroup"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <element name="Logout" minOccurs="0">
+ <complexType>
+ <annotation>
+ <documentation>Implicitly configures LogoutInitiator and SingleLogoutService handlers</documentation>
+ </annotation>
+ <simpleContent>
+ <extension base="conf:listOfStrings">
+ <attribute name="policyId" type="conf:string"/>
+ <attributeGroup ref="conf:LogoutInitiatorGroup"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <element name="NameIDMgmt" minOccurs="0">
+ <complexType>
+ <annotation>
+ <documentation>Implicitly configures ManageNameIDService handlers</documentation>
+ </annotation>
+ <simpleContent>
+ <extension base="conf:listOfStrings">
+ <attribute name="policyId" type="conf:string"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="conf:SessionInitiator"/>
+ <element ref="conf:LogoutInitiator"/>
+ <element ref="md:AssertionConsumerService"/>
+ <element ref="md:ArtifactResolutionService"/>
+ <element ref="md:SingleLogoutService"/>
+ <element ref="md:ManageNameIDService"/>
+ <element ref="conf:Handler"/>
+ </choice>
+ </sequence>
+ <attribute name="handlerURL" type="conf:anyURI"/>
+ <attribute name="handlerSSL" type="boolean"/>
+ <attribute name="exportLocation" type="conf:string"/>
+ <attribute name="exportACL" type="conf:listOfStrings"/>
+ <attribute name="cookieName" type="conf:string"/>
+ <attribute name="cookieProps" type="conf:string"/>
+ <attribute name="sameSiteSession" type="conf:sameSiteType"/>
+ <attribute name="sameSiteFallback" type="boolean"/>
+ <attribute name="cookieLifetime" type="unsignedInt"/>
+ <attribute name="idpHistory" type="boolean"/>
+ <attribute name="idpHistoryDays" type="unsignedInt"/>
+ <attribute name="idpHistoryProps" type="conf:string"/>
+ <attribute name="lifetime" type="unsignedInt"/>
+ <attribute name="timeout" type="unsignedInt"/>
+ <attribute name="maxTimeSinceAuthn" type="unsignedInt"/>
+ <attribute name="checkAddress" type="boolean"/>
+ <attribute name="consistentAddress" type="boolean"/>
+ <attribute name="postData" type="conf:string"/>
+ <attribute name="postLimit" type="positiveInteger"/>
+ <attribute name="postTemplate" type="conf:string"/>
+ <attribute name="postExpire" type="boolean"/>
+ <attribute name="relayState" type="conf:string"/>
+ <attribute name="relayStateLimit" type="conf:redirectLimitType"/>
+ <attribute name="relayStateWhitelist" type="conf:listOfURIs"/>
+ <attribute name="redirectLimit" type="conf:redirectLimitType"/>
+ <attribute name="redirectWhitelist" type="conf:listOfURIs"/>
+ <attribute name="redirectAllow" type="conf:listOfURIs"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+
+ <attribute name="policyId" type="conf:string">
+ <annotation>
+ <documentation>Used to override Policy from profile endpoints</documentation>
+ </annotation>
+ </attribute>
+
+ <attribute name="ignoreNoPassive" type="boolean">
+ <annotation>
+ <documentation>Used to ignore NoPassive errors in AssertionConsumerService endpoints</documentation>
+ </annotation>
+ </attribute>
+
+ <attribute name="signing" type="conf:bindingBoolean">
+ <annotation>
+ <documentation>Used to override signing property in SingleLogoutService/etc endpoints</documentation>
+ </annotation>
+ </attribute>
+
+ <attribute name="encryption" type="conf:bindingBoolean">
+ <annotation>
+ <documentation>Used to override encryption property in SingleLogoutService/etc endpoints</documentation>
+ </annotation>
+ </attribute>
+
+ <attributeGroup name="SessionInitiatorGroup">
+ <annotation>
+ <documentation>Options common to explicit and implicit SessionInitiators</documentation>
+ </annotation>
+ <attribute name="relayState" type="conf:string"/>
+ <attribute name="entityIDParam" type="conf:string"/>
+ <attribute name="entityID" type="conf:anyURI"/>
+ <attribute name="outgoingBindings" type="conf:listOfURIs"/>
+ <attribute name="preservedOptions" type="conf:listOfStrings"/>
+ <attribute name="template" type="conf:anyURI"/>
+ <attribute name="postArtifact" type="boolean"/>
+ <attribute name="acsByIndex" type="boolean"/>
+ <attribute name="isPassive" type="boolean"/>
+ <attribute name="returnOnError" type="boolean"/>
+ <attribute name="forceAuthn" type="boolean"/>
+ <attribute name="authnContextClassRef" type="conf:anyURI"/>
+ <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
+ <attribute name="NameIDFormat" type="conf:anyURI"/>
+ <attribute name="SPNameQualifier" type="conf:string"/>
+ <attribute name="attributeIndex" type="conf:string"/>
+ <attribute name="requestDelegation" type="boolean"/>
+ <attribute name="target" type="conf:anyURI"/>
+ <attribute name="discoveryPolicy" type="conf:string"/>
+ <attribute name="signing" type="conf:bindingBoolean"/>
+ <attribute name="encryption" type="conf:bindingBoolean"/>
+ <attribute name="externalInput" type="boolean"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </attributeGroup>
+
+ <element name="SessionInitiator">
+ <annotation>
+ <documentation>Used to specify handlers that can issue AuthnRequests or perform discovery</documentation>
+ </annotation>
+ <complexType>
+ <complexContent>
+ <restriction base="conf:PluggableType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Location" type="conf:anyURI"/>
+ <attribute name="id" type="conf:string"/>
+ <attribute name="isDefault" type="boolean"/>
+ <attribute name="URL" type="conf:anyURI"/>
+ <attribute name="acsIndex" type="unsignedShort"/>
+ <attributeGroup ref="conf:SessionInitiatorGroup"/>
+ </restriction>
+ </complexContent>
+ </complexType>
+ </element>
+
+ <attributeGroup name="LogoutInitiatorGroup">
+ <annotation>
+ <documentation>Options common to explicit and implicit LogoutInitiators</documentation>
+ </annotation>
+ <attribute name="relayState" type="conf:string"/>
+ <attribute name="outgoingBindings" type="conf:listOfURIs"/>
+ <attribute name="template" type="conf:anyURI"/>
+ <attribute name="postArtifact" type="boolean"/>
+ <attribute name="signing" type="conf:bindingBoolean"/>
+ <attribute name="encryption" type="conf:bindingBoolean"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </attributeGroup>
+
+ <element name="LogoutInitiator">
+ <annotation>
+ <documentation>Used to specify handlers that can issue LogoutRequests</documentation>
+ </annotation>
+ <complexType>
+ <complexContent>
+ <restriction base="conf:PluggableType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Location" type="conf:anyURI"/>
+ <attributeGroup ref="conf:LogoutInitiatorGroup"/>
+ </restriction>
+ </complexContent>
+ </complexType>
+ </element>
+
+ <element name="Handler">
+ <annotation>
+ <documentation>Used to specify custom handlers</documentation>
+ </annotation>
+ <complexType>
+ <complexContent>
+ <restriction base="conf:PluggableType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Location" type="conf:anyURI" use="required"/>
+ <attribute name="acl" type="conf:listOfStrings"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </restriction>
+ </complexContent>
+ </complexType>
+ </element>
+
+ <complexType name="ErrorsType">
+ <annotation>
+ <documentation>Container for error templates and associated details</documentation>
+ </annotation>
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="redirectErrors" type="conf:anyURI"/>
+ <attribute name="session" type="conf:anyURI"/>
+ <attribute name="metadata" type="conf:anyURI"/>
+ <attribute name="access" type="conf:anyURI"/>
+ <attribute name="ssl" type="conf:anyURI"/>
+ <attribute name="localLogout" type="conf:anyURI"/>
+ <attribute name="globalLogout" type="conf:anyURI"/>
+ <attribute name="partialLogout" type="conf:anyURI"/>
+ <attribute name="externalParameters" type="boolean" />
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+
+ <complexType name="RelyingPartyType">
+ <annotation>
+ <documentation>Container for specifying settings to use with particular peers</documentation>
+ </annotation>
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Name" type="conf:string"/>
+ <attribute name="type" type="conf:string"/>
+ <attributeGroup ref="conf:RelyingPartyGroup"/>
+ <attribute name="entityID" type="conf:anyURI"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+
+ <complexType name="NotifyType">
+ <annotation>
+ <documentation>Used to specify locations to receive application notifications</documentation>
+ </annotation>
+ <sequence/>
+ <attribute name="Channel" use="required">
+ <simpleType>
+ <restriction base="string">
+ <enumeration value="front"/>
+ <enumeration value="back"/>
+ </restriction>
+ </simpleType>
+ </attribute>
+ <attribute name="Location" type="conf:anyURI" use="required"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+
+ <element name="SecurityPolicies">
+ <complexType>
+ <annotation>
+ <documentation>Container for specifying sets of policy rules to apply to incoming messages</documentation>
+ </annotation>
+ <sequence>
+ <element name="Policy" minOccurs="1" maxOccurs="unbounded">
+ <annotation>
+ <documentation>Specifies a set of SecurityPolicyRule plugins</documentation>
+ </annotation>
+ <complexType>
+ <choice>
+ <element name="Rule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
+ <element name="PolicyRule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
+ </choice>
+ <attribute name="id" type="conf:string" use="required"/>
+ <attribute name="validate" type="boolean"/>
+ <anyAttribute namespace="##any" processContents="lax"/>
+ </complexType>
+ </element>
+ <choice minOccurs="0">
+ <element name="AlgorithmWhitelist" type="conf:listOfURIs"/>
+ <element name="AlgorithmBlacklist">
+ <complexType>
+ <simpleContent>
+ <extension base="conf:listOfURIs">
+ <attribute name="includeDefaultBlacklist" type="boolean"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <element name="IncludedAlgorithms" type="conf:listOfURIs"/>
+ <element name="ExcludedAlgorithms">
+ <complexType>
+ <simpleContent>
+ <extension base="conf:listOfURIs">
+ <attribute name="excludeDefaults" type="boolean"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ </choice>
+ </sequence>
+ </complexType>
+ </element>
+
+ <element name="TransportOption">
+ <annotation>
+ <documentation>Implementation-specific option to pass to SOAPTransport provider.</documentation>
+ </annotation>
+ <complexType>
+ <simpleContent>
+ <extension base="anySimpleType">
+ <attribute name="provider" type="conf:string" use="required"/>
+ <attribute name="option" type="conf:string" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+
+ <element name="SPConfig">
+ <complexType>
+ <annotation>
+ <documentation>Root of configuration</documentation>
+ </annotation>
+ <sequence>
+ <element name="Extensions" type="conf:ExtensionsType" minOccurs="0"/>
+ <element name="OutOfProcess" type="conf:OutOfProcessType" minOccurs="0"/>
+ <element name="InProcess" type="conf:InProcessType" minOccurs="0"/>
+ <choice minOccurs="0">
+ <element name="UnixListener">
+ <complexType>
+ <attribute name="address" type="conf:string"/>
+ <attribute name="clientAddress" type="conf:string"/>
+ <attribute name="stackSize" type="unsignedInt"/>
+ </complexType>
+ </element>
+ <element name="TCPListener">
+ <complexType>
+ <attribute name="address" type="conf:string"/>
+ <attribute name="port" type="unsignedInt"/>
+ <attribute name="clientAddress" type="conf:string"/>
+ <attribute name="clientPort" type="unsignedInt"/>
+ <attribute name="acl" type="conf:listOfStrings"/>
+ <attribute name="stackSize" type="unsignedInt"/>
+ <attribute name="retryErrors" type="conf:string"/>
+ </complexType>
+ </element>
+ <element name="Listener" type="conf:PluggableType"/>
+ </choice>
+ <element name="StorageService" type="conf:StorageServiceType" minOccurs="0" maxOccurs="unbounded"/>
+ <element name="DataSealer" type="conf:DataSealerType" minOccurs="0" />
+ <element name="SessionCache" type="conf:SessionCacheType" minOccurs="0"/>
+ <element name="ReplayCache" type="conf:ReplayCacheType" minOccurs="0"/>
+ <element name="ArtifactMap" type="conf:ArtifactMapType" minOccurs="0"/>
+ <element name="RequestMapper" type="conf:PluggableType" minOccurs="0"/>
+ <element name="ApplicationDefaults" type="conf:ApplicationDefaultsType"/>
+ <element name="SecurityPolicyProvider" type="conf:PluggableType"/>
+ <element name="ProtocolProvider" type="conf:PluggableType" minOccurs="0"/>
+ <element ref="conf:TransportOption" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="ds:Signature" minOccurs="0"/>
+ </sequence>
+ <attribute name="logger" type="conf:anyURI"/>
+ <attribute name="clockSkew" type="unsignedInt"/>
+ <attribute name="unsafeChars" type="conf:string"/>
+ <attribute name="allowedSchemes" type="conf:listOfStrings"/>
+ <attribute name="langFromClient" type="boolean"/>
+ <attribute name="langPriority" type="conf:listOfStrings"/>
+ <attribute name="contactPriority" type="conf:listOfStrings"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ </element>
+
+</schema>
diff --git a/schema/shibboleth-afp.xsd b/schema/shibboleth-afp.xsd
new file mode 100644
index 0000000..9af7009
--- /dev/null
+++ b/schema/shibboleth-afp.xsd
@@ -0,0 +1,952 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:afp="urn:mace:shibboleth:2.0:afp"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ targetNamespace="urn:mace:shibboleth:2.0:afp"
+ version="5.0.0"
+ elementFormDefault="qualified">
+
+ <import namespace="http://www.w3.org/2000/09/xmldsig#"
+ schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd" />
+
+ <annotation>
+ <documentation>Schema for the attribute filter policies.</documentation>
+ </annotation>
+
+ <element name="AttributeFilterPolicyGroup" type="afp:AttributeFilterPolicyGroupType">
+ <annotation>
+ <documentation>
+ Root element of the attribute filter policy. Represents a named group of filter policies.
+ </documentation>
+ </annotation>
+ </element>
+ <complexType name="AttributeFilterPolicyGroupType">
+ <complexContent>
+ <extension base="afp:IdentityType">
+ <sequence>
+ <element ref="afp:PolicyRequirementRule" minOccurs="0" maxOccurs="unbounded">
+ <annotation>
+ <documentation>
+ Defines a set of applications requirements that may be reused across multiple filter
+ policies.
+ </documentation>
+ </annotation>
+ </element>
+ <element ref="afp:PermitValueRule" minOccurs="0" maxOccurs="unbounded">
+ <annotation>
+ <documentation>
+ Defines a permit value rule that may be reused across multiple attribute rules.
+ </documentation>
+ </annotation>
+ </element>
+ <element ref="afp:DenyValueRule" minOccurs="0" maxOccurs="unbounded">
+ <annotation>
+ <documentation>
+ Defines a deny value rule that may be reused across multiple attribute rules.
+ </documentation>
+ </annotation>
+ </element>
+ <element ref="afp:AttributeRule" minOccurs="0" maxOccurs="unbounded">
+ <annotation>
+ <documentation>
+ Defines an attribute rule that may be reused across multiple filter policies.
+ </documentation>
+ </annotation>
+ </element>
+ <element ref="afp:AttributeFilterPolicy" minOccurs="0" maxOccurs="unbounded">
+ <annotation>
+ <documentation>
+ A policy that defines the set of attribute value filters that will be applied if its
+ application requirements are met.
+ </documentation>
+ </annotation>
+ </element>
+ <element ref="ds:Signature" minOccurs="0">
+ <annotation>
+ <documentation>
+ Digital signature for the policy. Policies that are fetched from an external source,
+ such as a federation site, should be signed.
+ </documentation>
+ </annotation>
+ </element>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <element name="AttributeFilterPolicy" type="afp:AttributeFilterPolicyType">
+ <annotation>
+ <documentation>
+ A policy that defines a set of attribute value filters rules that should be used if given requirements
+ are met.
+ </documentation>
+ </annotation>
+ </element>
+ <complexType name="AttributeFilterPolicyType">
+ <complexContent>
+ <extension base="afp:IdentityType">
+ <sequence>
+ <element ref="afp:PolicyRequirementRule">
+ <annotation>
+ <documentation>
+ A requirement that if met signals that this filter policy should be used.
+ </documentation>
+ </annotation>
+ </element>
+ <element ref="afp:AttributeRule" minOccurs="0" maxOccurs="unbounded">
+ <annotation>
+ <documentation>
+ A rule that describes how values of an attribute will be filtered.
+ </documentation>
+ </annotation>
+ </element>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <element name="AttributeRule" type="afp:AttributeRuleType">
+ <annotation>
+ <documentation>A rule that describes how values of an attribute will be filtered.</documentation>
+ </annotation>
+ </element>
+ <complexType name="AttributeRuleType">
+ <complexContent>
+ <extension base="afp:IdentityType">
+ <choice>
+ <choice minOccurs="0">
+ <element ref="afp:PermitValueRule"/>
+ <element name="PermitValueRuleReference" type="afp:ReferenceType">
+ <annotation>
+ <documentation>
+ Reference to a PermitValueRule defined within this policy group or another.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <choice minOccurs="0">
+ <element ref="afp:DenyValueRule"/>
+ <element name="DenyValueRuleReference" type="afp:ReferenceType">
+ <annotation>
+ <documentation>
+ Reference to a DenyValueRule defined within this policy group or another.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ </choice>
+ <attribute name="attributeID" type="afp:string" use="required">
+ <annotation>
+ <documentation>The ID of the attribute to which this rule applies.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="permitAny" type="afp:string">
+ <annotation>
+ <documentation>If present, and true injects an implicit permit value rule of type ANY</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <element name="PolicyRequirementRule" type="afp:MatchFunctorType">
+ <annotation>
+ <documentation>A requirement that if met signals that a filter policy should be used.</documentation>
+ </annotation>
+ </element>
+ <element name="PermitValueRule" type="afp:MatchFunctorType">
+ <annotation>
+ <documentation>
+ A filter for attribute values. If the filter evaluates to true the value is permitted to be released.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="DenyValueRule" type="afp:MatchFunctorType">
+ <annotation>
+ <documentation>
+ A filter for attribute values. If the filter evaluates to true the value is denied and may not be released.
+ </documentation>
+ </annotation>
+ </element>
+ <complexType name="MatchFunctorType" abstract="true">
+ <complexContent>
+ <extension base="afp:IdentityType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="IdentityType">
+ <attribute name="id" type="afp:string">
+ <annotation>
+ <documentation>An ID, unique within the policy and component type.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="ReferenceType">
+ <attribute name="ref" type="afp:string">
+ <annotation>
+ <documentation>Used to reference a globally defined policy component.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <!-- Blanket Match Function -->
+ <complexType name="ANY">
+ <annotation>
+ <documentation>A match function that evaluates to true.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:MatchFunctorType"/>
+ </complexContent>
+ </complexType>
+
+ <!-- Directional Match Functions -->
+ <complexType name="Inbound">
+ <annotation>
+ <documentation>A match function that evaluates to true.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:MatchFunctorType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Outbound">
+ <annotation>
+ <documentation>A match function that evaluates to true.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:MatchFunctorType"/>
+ </complexContent>
+ </complexType>
+
+ <!-- Boolean Match Functions -->
+ <complexType name="AND">
+ <annotation>
+ <documentation>
+ A match function that performs a logical AND on the results of all contained matching functions.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <sequence maxOccurs="unbounded">
+ <element name="Rule" type="afp:MatchFunctorType">
+ <annotation>
+ <documentation>
+ The set of match function rules to be ANDed.
+ </documentation>
+ </annotation>
+ </element>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="OR">
+ <annotation>
+ <documentation>
+ A match function that performs a logical OR on the results of all contained matching functions.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <sequence maxOccurs="unbounded">
+ <element name="Rule" type="afp:MatchFunctorType">
+ <annotation>
+ <documentation>
+ The set of match function rules to be ORed.
+ </documentation>
+ </annotation>
+ </element>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="NOT">
+ <annotation>
+ <documentation>
+ A match function that performs a logical NOT on the result of the contained matching function.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <sequence minOccurs="1" maxOccurs="1">
+ <element name="Rule" type="afp:MatchFunctorType">
+ <annotation>
+ <documentation>
+ The set of match function rules to be negated.
+ </documentation>
+ </annotation>
+ </element>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <!-- Predicate Plugin Function -->
+ <complexType name="Predicate">
+ <annotation>
+ <documentation>
+ A match function that matches the attribute request against the
+ specified value.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <attribute name="rulePredicateRef" type="afp:string" use="required">
+ <annotation>
+ <documentation>
+ The reference to an externally defined bean to do the predicate work
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <!-- Literal String Match Functions -->
+ <complexType name="Requester">
+ <annotation>
+ <documentation>
+ A match function that matches the attribute requester against the specified value.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:StringMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ProxiedRequester">
+ <annotation>
+ <documentation>
+ A match function that matches a proxied attribute requester against the specified value.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:StringMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Issuer">
+ <annotation>
+ <documentation>
+ A match function that matches the attribute issuer against the specified value.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:StringMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="PrincipalName">
+ <annotation>
+ <documentation>A match function that matches the principal name against the specified value.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:StringMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Profile">
+ <annotation>
+ <documentation>A match function that matches the active profile identifier against the specified value.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:StringMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Value">
+ <annotation>
+ <documentation>
+ A match function that matches the value of an attribute against the specified value. This match
+ evaluates to true if the attribute contains the specified value.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:TargetedStringMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Scope">
+ <annotation>
+ <documentation>
+ A match function that matches the attribute scope against the specified value.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:TargetedStringMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="TargetedStringMatchType" abstract="true">
+ <complexContent>
+ <extension base="afp:StringMatchType">
+ <attribute name="attributeID" type="afp:string">
+ <annotation>
+ <documentation>
+ The ID of the attribute whose value should be matched. If no attribute ID is specified the
+ ID of the containing attribute rule is assumed.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="StringMatchType" abstract="true">
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <attribute name="value" type="afp:string" use="required">
+ <annotation>
+ <documentation>The string value to match.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="caseSensitive" type="afp:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether the match evaluation should be case sensitive.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <!-- Regular Expression Match Functions -->
+ <complexType name="RequesterRegex">
+ <annotation>
+ <documentation>
+ A match function that matches the attribute requester against the specified regular expression.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:RegexMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ProxiedRequesterRegex">
+ <annotation>
+ <documentation>
+ A match function that matches a proxied attribute requester against the specified regular expression.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:RegexMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="IssuerRegex">
+ <annotation>
+ <documentation>
+ A match function that matches the attribute issuer against the specified regular expression.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:RegexMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="PrincipalNameRegex">
+ <annotation>
+ <documentation>
+ A match function that matches the principal name against the specified regular expression.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:RegexMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ValueRegex">
+ <annotation>
+ <documentation>
+ A match function that matches an attribute value against the specified regular expression. This function
+ evaluates to true if any value matches the given expression.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:TargetedRegexMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ScopeRegex">
+ <annotation>
+ <documentation>
+ A match function that matches the attribute scope against the specified regular expression.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:TargetedRegexMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="TargetedRegexMatchType" abstract="true">
+ <complexContent>
+ <extension base="afp:RegexMatchType">
+ <attribute name="attributeID" type="afp:string">
+ <annotation>
+ <documentation>
+ The ID of the attribute whose value should be matched. If no attribute ID is specified the
+ ID of the containing attribute rule is assumed.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="RegexMatchType" abstract="true">
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <attribute name="regex" type="afp:string" use="required">
+ <annotation>
+ <documentation>The regular expression values are matched against.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="caseSensitive" type="afp:string">
+ <annotation>
+ <documentation>Whether the comparison is case sensitive, default TRUE</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <!-- Misc. Functions -->
+ <complexType name="Script">
+ <annotation>
+ <documentation>
+ A match function that evaluates a script to determine if some criteria is met. The script MUST return a
+ boolean.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <choice>
+ <element name="Script" type="afp:string" minOccurs="0">
+ <annotation>
+ <documentation>The script to evaluate to construct the attribute.</documentation>
+ </annotation>
+ </element>
+ <element name="ScriptFile" type="afp:string" minOccurs="0">
+ <annotation>
+ <documentation>
+ The filesystem path to the script to evaluate to construct the attribute.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="language" type="afp:string">
+ <annotation>
+ <documentation>
+ The JSR-233 name for the scripting language that will be used. By default "javascript" is
+ supported.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="customObjectRef" type="afp:string">
+ <annotation>
+ <documentation>
+ The name of a bean defined somewhere else which will be injected into the script as an
+ object called "custom". If not supplied nothing is injected.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="NumberOfAttributeValues">
+ <annotation>
+ <documentation>
+ A match function that evaluates to true if the given attribute has as a number of values that falls
+ between the minimum and maximum. This method may be used as a sanity check to ensure that an unexpected
+ number of values did not come from the attribute resolver and be released.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <attribute name="attributeID" type="afp:string" use="required">
+ <annotation>
+ <documentation>The ID of the attribute whose value should be matched.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="minimum" type="afp:string">
+ <annotation>
+ <documentation>Minimum number of values an attribute may have.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="maximum" type="afp:string">
+ <annotation>
+ <documentation>Maximum number of values an attribute may have.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <!-- SAML-specific. -->
+
+ <complexType name="EntityAttributeExactMatch">
+ <annotation>
+ <documentation>
+ A match function that checks if the attribute requester's metadata
+ contains an entity attribute with the specified value.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:EntityAttributeExactMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ProxiedRequesterEntityAttributeExactMatch">
+ <annotation>
+ <documentation>
+ A match function that checks if a proxied requester's metadata
+ contains an entity attribute with the specified value.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:EntityAttributeExactMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="IssuerEntityAttributeExactMatch">
+ <annotation>
+ <documentation>
+ A match function that checks if the attribute issuer's metadata
+ contains an entity attribute with the specified value.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:EntityAttributeExactMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="EntityAttributeExactMatchType" abstract="true">
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <attribute name="attributeName" type="afp:string" use="required">
+ <annotation>
+ <documentation>The name of the entity attribute to match.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="attributeValue" type="afp:string" use="required">
+ <annotation>
+ <documentation>The value of the entity attribute to match.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="attributeNameFormat" type="afp:string">
+ <annotation>
+ <documentation>The NameFormat of the entity attribute to match.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="ignoreUnmappedEntityAttributes" type="afp:string">
+ <annotation>
+ <documentation>
+ Boolean attribute, whether to examine only mapped/decoded attributes, default is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="EntityAttributeRegexMatch">
+ <annotation>
+ <documentation>
+ A match function that checks if the attribute requester's metadata contains
+ an entity attribute with a value that matches the given regular expression.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:EntityAttributeRegexMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ProxiedRequesterEntityAttributeRegexMatch">
+ <annotation>
+ <documentation>
+ A match function that checks if a proxied requester's metadata contains
+ an entity attribute with a value that matches the given regular expression.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:EntityAttributeRegexMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="IssuerEntityAttributeRegexMatch">
+ <annotation>
+ <documentation>
+ A match function that checks if the attribute issuer's metadata contains
+ an entity attribute with a value that matches the given regular expression.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:EntityAttributeRegexMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="EntityAttributeRegexMatchType" abstract="true">
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <attribute name="attributeName" type="afp:string" use="required">
+ <annotation>
+ <documentation>The name of the entity attribute to match.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="attributeValueRegex" type="afp:string" use="required">
+ <annotation>
+ <documentation>The regular expression that must match the value of the entity attribute to
+ match.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="attributeNameFormat" type="afp:string">
+ <annotation>
+ <documentation>The name format of the entity attribute to match.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="ignoreUnmappedEntityAttributes" type="afp:string">
+ <annotation>
+ <documentation>
+ Boolean attribute, whether to examine only mapped/decoded attributes, default is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="NameIDFormatExactMatch">
+ <annotation>
+ <documentation>
+ A match function that evaluates to true if the attribute requester supports a specified
+ NameID format.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:NameIDFormatExactMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="IssuerNameIDFormatExactMatch">
+ <annotation>
+ <documentation>
+ A match function that evaluates to true if the attribute issuer supports a specified
+ NameID format.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:NameIDFormatExactMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="NameIDFormatExactMatchType" abstract="true">
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <attribute name="nameIdFormat" type="afp:string" use="required">
+ <annotation>
+ <documentation>The NameID format that needs to be supported by the entity.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="InEntityGroup">
+ <annotation>
+ <documentation>
+ A match function that evaluates to true if the attribute requester is found in metadata and
+ is a member of the given entity group.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:EntityGroupMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ProxiedRequesterInEntityGroup">
+ <annotation>
+ <documentation>
+ A match function that evaluates to true if a proxied requester is found in metadata and
+ is a member of the given entity group.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:EntityGroupMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="IssuerInEntityGroup">
+ <annotation>
+ <documentation>
+ A match function that evaluates to true if the attribute issuer is found in metadata and
+ is a member of the given entity group.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:EntityGroupMatchType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="EntityGroupMatchType" abstract="true">
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <attribute name="groupID" type="afp:string" use="required">
+ <annotation>
+ <documentation>The entity group ID that an entity must be in.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="checkAffiliations" type="afp:string">
+ <annotation>
+ <documentation>
+ Whether to check for membership in metadata-based AffiliationDescriptors.
+
+ Defaults to false.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="RegistrationAuthority">
+ <annotation>
+ <documentation>
+ A match function that matches a requester's MDRPI against a list of potential values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:RegistrationAuthorityMatchType" />
+ </complexContent>
+ </complexType>
+
+ <complexType name="ProxiedRequesterRegistrationAuthority">
+ <annotation>
+ <documentation>
+ A match function that matches a proxied requester's MDRPI against a list of potential values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:RegistrationAuthorityMatchType" />
+ </complexContent>
+ </complexType>
+
+ <complexType name="IssuerRegistrationAuthority">
+ <annotation>
+ <documentation>
+ A match function that matches the attribute issuer's MDRPI content against a list of potential values.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:RegistrationAuthorityMatchType" />
+ </complexContent>
+ </complexType>
+
+ <complexType name="RegistrationAuthorityMatchType" abstract="true">
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <attribute name="registrars" type="afp:anyURIListType" use="required">
+ <annotation>
+ <documentation>The string values to match.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="matchIfMetadataSilent" type="boolean">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a match should occur if the metadata does
+ not contain an MDRPI statement (coded) default is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ScopeMatchesShibMDScope">
+ <annotation>
+ <documentation>
+ A match function that ensures that an attribute value's scope matches a scope given in
+ metadata for the entity or role of the attribute issuer.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:MatchFunctorType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ValueMatchesShibMDScope">
+ <annotation>
+ <documentation>
+ A match function that ensures that an attribute value's scope matches a scope given in
+ metadata for the entity or role of the attribute issuer.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:MatchFunctorType"/>
+ </complexContent>
+ </complexType>
+
+ <complexType name="AttributeInMetadata">
+ <annotation>
+ <documentation>
+ A match function that evaluates to true if an attribute (or specific values) is specified by
+ the requesting entity's AttributeConsumingService SP metadata.
+
+ It supports both explicit checking for a named SAML RequestedAttribute in metadata, or
+ comparison via the transcoding registry to compare the internal attribute form against
+ decoded objects produced from the metadata. This is the old "mapped" functionality
+ in V3 and is now collapsed into one matcher type.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:MatchFunctorType">
+ <attribute name="attributeID" type="afp:string">
+ <annotation>
+ <documentation>
+ The ID of the attribute whose value should be matched. If no attribute ID is specified the
+ ID of the containing attribute rule is assumed.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="onlyIfRequired" type="afp:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether attributes noted as optional should match.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="matchIfMetadataSilent" type="afp:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a match should occur if (after mapping)
+ the metadata does not contain and Attributes.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="attributeName" type="afp:string">
+ <annotation>
+ <documentation>The name of a requested attribute to look for.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="attributeNameFormat" type="afp:string">
+ <annotation>
+ <documentation>The name format of a requested attribute to look for.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <simpleType name="anyURIListType">
+ <list itemType="string"/>
+ </simpleType>
+
+ <simpleType name="string">
+ <restriction base="string">
+ <minLength value="1"/>
+ </restriction>
+ </simpleType>
+</schema>
diff --git a/schema/shibboleth-attribute-resolver.xsd b/schema/shibboleth-attribute-resolver.xsd
new file mode 100644
index 0000000..cca79e7
--- /dev/null
+++ b/schema/shibboleth-attribute-resolver.xsd
@@ -0,0 +1,2274 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema xmlns="http://www.w3.org/2001/XMLSchema" xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
+ xmlns:sec="urn:mace:shibboleth:2.0:security" targetNamespace="urn:mace:shibboleth:2.0:resolver"
+ elementFormDefault="qualified" version="5.0.0">
+
+ <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
+ <import namespace="urn:mace:shibboleth:2.0:security" schemaLocation="http://shibboleth.net/schema/idp/shibboleth-security.xsd"/>
+
+ <annotation>
+ <documentation>Shibboleth V4 Attribute Resolver configuration schema
+ </documentation>
+ </annotation>
+
+ <element name="AttributeResolver" type="resolver:AttributeResolverType">
+ <annotation>
+ <documentation>Root of the attribute resolver configuration file.
+ </documentation>
+ </annotation>
+ </element>
+ <complexType name="AttributeResolverType">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="resolver:AttributeDefinition"/>
+ <element ref="resolver:DataConnector"/>
+ </choice>
+ <attribute name="id" type="resolver:string">
+ <annotation>
+ <documentation>A unique identifier for this Resolver.
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <element name="AttributeDefinition" type="resolver:BaseAttributeDefinitionType">
+ <annotation>
+ <documentation>Defines an attribute definition within this resolver.
+ </documentation>
+ </annotation>
+ </element>
+
+ <complexType name="BaseAttributeDefinitionType">
+ <annotation>
+ <documentation>
+ Attribute definition define the finished attributes to be released by the
+ resolver.
+
+ Definitions derived from this type need to explicitly include (as a choice)
+ the Dependency, DisplayName, DisplayDescription and Encoder sub elements
+
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseResolutionPlugInType">
+ <attribute name="dependencyOnly" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag that indicates whether this attribute definition is
+ only defined because its data is needed elsewhere within the resolver
+ and as such should not be released outside the resolver.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="preRequested" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag that indicates whether this attribute definition and
+ its dependencies are to be resolved in a "first pass", prior to the
+ main resolution. These attributes will be populated into a child
+ context so as to be available to activationConditions.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <element name="AttributeEncoder" type="resolver:BaseAttributeEncoderType">
+ <annotation>
+ <documentation>Defines an encoder for an attribute.</documentation>
+ </annotation>
+ </element>
+
+ <complexType name="BaseAttributeEncoderType">
+ <annotation>
+ <documentation>
+ An attribute encoder is responsible for converting an attribute, and its values,
+ into a protocol specific representation such as a SAML 1 or SAML 2 Attribute.
+ The use of them to produce a SAML NameIdentifier/NameID is DEPRECATED.
+ </documentation>
+ </annotation>
+ <sequence>
+ <element name="ActivationConditionScript" type="resolver:ScriptType" minOccurs="0">
+ <annotation>
+ <documentation>
+ A scripted predicate which controls whether this encoder will run
+ </documentation>
+ </annotation>
+ </element>
+ </sequence>
+ <attribute name="name" type="resolver:string"/>
+ <attribute name="encodeType" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean indicating whether the encoding should include type information. This is
+ encoding-specific (e.g., for XML it likely involves xsi:type).
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="activationConditionRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ A reference to a Predicate which controls whether this encoder will run
+ Mutually exclusive with relyingParties
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="relyingParties" type="resolver:string">
+ <annotation>
+ <documentation>
+ A (space separated) list of entities for which this plugin is to be active
+ Mutually exclusive with activationConditionRef
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <element name="DataConnector" type="resolver:BaseDataConnectorType">
+ <annotation>
+ <documentation>
+ Defines a data connector which is used to pull information from local
+ infrastructure.
+ </documentation>
+ </annotation>
+ </element>
+
+ <complexType name="BaseDataConnectorType">
+ <annotation>
+ <documentation>
+ Data connectors pull information from local infrastructure, such as
+ databases and LDAP directories, and make these raw attributes available
+ to attribute definitions for finishing.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseResolutionPlugInType">
+ <attribute name="noRetryDelay" type="resolver:string">
+ <annotation>
+ <documentation>Time to bypass connector after a failure before trying it again.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="exportAttributes" type="resolver:string">
+ <annotation>
+ <documentation>A list of attribute names to be exported by the resolution process from this data connector.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="BaseResolutionPlugInType" abstract="true">
+ <annotation>
+ <documentation>
+ A base type for all attribute resolver plugins: data and principal
+ connectors and attribute definitions
+ </documentation>
+ </annotation>
+ <attribute name="id" type="resolver:string" use="required">
+ <annotation>
+ <documentation>A unique identifier for this definition.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="activationConditionRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ A reference to a predicate to decide whether this plugin is applicable.
+ Mutually exclusive with [exclude]relyingParties and [exclude]resolutionPhases.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="relyingParties" type="resolver:string">
+ <annotation>
+ <documentation>
+ A (space separated) list of entities for which this plugin is to be active.
+ Mutually exclusive with activationConditionRef.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="excludeRelyingParties" type="resolver:string">
+ <annotation>
+ <documentation>
+ A (space separated) list of entities for which this plugin is to be inactive.
+ Mutually exclusive with activationConditionRef.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="resolutionPhases" type="resolver:string">
+ <annotation>
+ <documentation>
+ A (space separated) list of resolution "phases" for which this plugin is to be active.
+ Mutually exclusive with activationConditionRef.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="excludeResolutionPhases" type="resolver:string">
+ <annotation>
+ <documentation>
+ A (space separated) list of resolution "phases" for which this plugin is to be inactive.
+ Mutually exclusive with activationConditionRef.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="propagateResolutionExceptions" type="resolver:string">
+ <annotation>
+ <documentation>
+ DEPRECATED: Whether to ripple errors produced by the plugin out to the resolver (default is true).
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <element name="InputAttributeDefinition" type="resolver:PluginDependencyType">
+ <annotation>
+ <documentation>
+ Defines a dependency on a specific Attribute Definition.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="InputDataConnector">
+ <annotation>
+ <documentation>
+ Defines a dependency on a specific Data Connector.
+
+ attributeNames is a space separated list of attribute names. Property replacement done
+ before "listification""
+
+ allAttributes means take all attributes. Property replacement done before conversion
+
+ One one of the above are allowed.
+ </documentation>
+ </annotation>
+ <complexType>
+ <complexContent>
+ <extension base="resolver:PluginDependencyType">
+ <attribute name="allAttributes" type="resolver:string"/>
+ <attribute name="attributeNames" type="resolver:string"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ </element>
+ <element name="FailoverDataConnector" type="resolver:PluginDependencyType">
+ <annotation>
+ <documentation>
+ Defines a data connector to use should the parent data connector fail.
+ </documentation>
+ </annotation>
+ </element>
+ <complexType name="PluginDependencyType">
+ <annotation>
+ <documentation>An (abstract) type that represents a reference to another plugin</documentation>
+ </annotation>
+ <attribute name="ref" type="resolver:string" use="required"/>
+ </complexType>
+
+ <complexType name="LocalizedStringType">
+ <simpleContent>
+ <extension base="string">
+ <attribute ref="xml:lang"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+ <complexType name="ValueMapType">
+ <annotation>
+ <documentation>
+ Performs many to one mapping of source values to a return value. SourceValue strings may include regular
+ expressions and the ReturnValue may include back references to capturing groups as supported by
+ java.util.regex.Pattern.
+ </documentation>
+ </annotation>
+ <sequence>
+ <element name="ReturnValue" type="string">
+ <annotation>
+ <documentation>The value to be returned from this value map.</documentation>
+ </annotation>
+ </element>
+ <element name="SourceValue" maxOccurs="unbounded">
+ <annotation>
+ <documentation>A regular expression string to be matched against the incoming value.</documentation>
+ </annotation>
+ <complexType>
+ <simpleContent>
+ <extension base="string">
+ <attribute name="caseSensitive" type="resolver:string">
+ <annotation>
+ <documentation>If true, value matching will be case-sensitive.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="partialMatch" type="resolver:string">
+ <annotation>
+ <documentation>
+ If true, the SourceValue may match only a substring of the incoming value. By
+ default, it must match the entire value.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ </sequence>
+ </complexType>
+
+ <complexType name="ContextDerivedAttribute">
+ <annotation>
+ <documentation>A attribute definition to pull attribute values from anywhere in the PRC tree</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="attributeValuesFunctionRef" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The Function to generate the Attribute Values given a PRC</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Mapped">
+ <annotation>
+ <documentation>
+ The mapped attribute definition performs a many to many mapping from source attributes values provided
+ by the definition's dependencies to values which are returned. Each source value is passed through each
+ defined ValueMap which may result in one or more resulting values. If no ValueMaps match the source
+ value and a DefaultValue is defined, the DefaultValue is used.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ <element name="DefaultValue">
+ <annotation>
+ <documentation>
+ A source value is mapped to the DefaultValue if none of the ValueMaps result in a match.
+ This string may not contain regular expression back references.
+ </documentation>
+ </annotation>
+ <complexType>
+ <simpleContent>
+ <extension base="string">
+ <attribute name="passThru" type="resolver:string">
+ <annotation>
+ <documentation>
+ If true, the source value is passed thru unmodified. If passThru is
+ enabled, DefaultValue may not contain a string value.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <element name="ValueMap" type="resolver:ValueMapType" maxOccurs="unbounded"/>
+ </choice>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Prescoped">
+ <annotation>
+ <documentation>
+ An attribute definition that splits the values of the source attribute into an attribute value
+ with a value and scope.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="scopeDelimiter" type="resolver:string">
+ <annotation>
+ <documentation>Delimiter between the value and scope.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="PrincipalName">
+ <annotation>
+ <documentation>Exposes the principal's name as an attribute definition.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="RegexSplit">
+ <annotation>
+ <documentation>An attribute definition that splits the source attribute's values based on a regular expression.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="regex" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The regular expression used to split a value.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="caseSensitive" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating the case sensitivity of the regular expression.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML1NameIdentifier">
+ <annotation>
+ <documentation>DEPRECATED: An attribute definition that creates attributes whose values are SAML 1 NameIdentifiers.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="nameIdFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 1 NameFormat of the NameID.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="nameIdQualifier" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 1 NameQualifier of the NameID.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML2NameID">
+ <annotation>
+ <documentation>DEPRECATED: An attribute definition that creates attributes whose values are SAML 2 NameIDs.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="nameIdFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameFormat of the NameID.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="nameIdQualifier" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameQualifier of the NameID.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="nameIdSPQualifier" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 SPNameQualifier of the NameID.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Scoped">
+ <annotation>
+ <documentation>A basic attribute definition which supports attribute scoping.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="scope" type="resolver:string">
+ <annotation>
+ <documentation>Value to use for scoping the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="scopeFromDependency" type="resolver:string">
+ <annotation>
+ <documentation>Attribute whose values will be used for scoping the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ScriptedAttribute">
+ <annotation>
+ <documentation>
+ An attribute definition that constructs its attributes by means of a script supported by JSR-223. The
+ script is provided all the edu.internet2.middleware.shibboleth.common.attribute.Attribute object
+ resolved from all the definitions dependencies. The resultant attribute definition must then be bound to
+ a script attribute corresponding to the script variable whose name is the ID of the definition. This
+ variable is injected into the script by the attribute definition.
+
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ <element name="Script" type="resolver:string">
+ <annotation>
+ <documentation>The script to evaluate to construct the attribute.</documentation>
+ </annotation>
+ </element>
+ <element name="ScriptFile" type="resolver:string">
+ <annotation>
+ <documentation>
+ The filesystem path to the script to evaluate to construct the attribute.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="language" type="resolver:string">
+ <annotation>
+ <documentation>
+ The JSR-233 name for the scripting language that will be used. By default "javascript" is
+ supported.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="customObjectRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of a bean defined somewhere else which will be injected into the script as an
+ object called "custom". If not supplied, nothing is injected.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Simple">
+ <annotation>
+ <documentation>A basic attribute definition.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="ignoreNullValues" type="resolver:string">
+ <annotation>
+ <documentation>Do we drop null values (default: FALSE)</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="DateTime">
+ <annotation>
+ <documentation>An attribute definition producing date/time values.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="ignoreConversionErrors" type="resolver:string">
+ <annotation>
+ <documentation>Are conversion errors ignored? (default: FALSE)</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="epochInSeconds" type="resolver:string">
+ <annotation>
+ <documentation>
+ Use seconds as epoch unit instead of millseconds when converting numeric data (default: TRUE)
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="formattingString" type="resolver:string">
+ <annotation>
+ <documentation>A formatting string to use converting string data.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Decrypted">
+ <annotation>
+ <documentation>An attribute definition involving an encrypted (DataSealed) attribute</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="dataSealerRef" type="resolver:string">
+ <annotation>
+ <documentation>Value to use for the decryption key</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SubjectDerivedAttribute">
+ <annotation>
+ <documentation>A attribute definition to pull attribute values from the Principals. A short cut looks at IdPAttributePrincipals</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ </choice>
+ <attribute name="attributeValuesFunctionRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Provides a plug in point to allow general extraction of values from Principals.
+ Mutually exclusive with principalAttributeName.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="principalAttributeName" type="resolver:string">
+ <annotation>
+ <documentation>
+ The id of the IdPAttribute contained within a IdPAttributePrincipal to look for.
+ Mutually exclusive with attributeValueEngineRef.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="forCanonicalization" type="resolver:string">
+ <annotation>
+ <documentation>
+ If true, the source Subject is assumed to be undergoing C14N rather than the
+ usual post-authentication source. Defaults to false.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Template">
+ <annotation>
+ <documentation>
+ An Attribute Definition that constructs its values based on the values of its dependencies using the
+ Velocity Template Language. Dependencies may have multiple values, however multiple dependencies must
+ have the same number of values. In the case of multi-valued dependencies, the template will be evaluated
+ multiples times, iterating over each dependency.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeDefinitionType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element name="DisplayName" type="resolver:LocalizedStringType"/>
+ <element name="DisplayDescription" type="resolver:LocalizedStringType"/>
+ <element ref="resolver:AttributeEncoder"/>
+ <element name="Template" type="resolver:string">
+ <annotation>
+ <documentation>
+ Template specified in the Velocity Template Language used to construct attribute values.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="velocityEngine" type="resolver:string">
+ <annotation>
+ <documentation>Name of the velocity engine defined within the application.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ComputedId">
+ <annotation>
+ <documentation>
+ An ID created by digesting the requesting entityID, an attribute value (usually a user identifier), and a salt.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ </choice>
+ <attribute name="generatedAttributeID" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of the attribute produced by this data connector.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="salt" type="resolver:string">
+ <annotation>
+ <documentation>
+ A salt, of at least 16 bytes, used in the computed ID.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="encodedSalt" type="resolver:string">
+ <annotation>
+ <documentation>
+ A base64-encoded salt, of at least 16 bytes, used in the computed ID.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="algorithm" type="resolver:string">
+ <annotation>
+ <documentation>
+ The JCE digest algorithm to use, defaults to SHA-1.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="encoding" type="resolver:string">
+ <annotation>
+ <documentation>
+ An encoding type to apply after the digest, defaults to BASE64 but should
+ be set to BASE32.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="exceptionMapRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Spring bean reference to a map of overrides that alter salt or suppress generation
+ for particular users/services.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="saltLookupStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Spring bean reference to a BiFunction&lt;ProfileRequestContext,PairwiseId&gt;
+ to obtain the salt.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="LDAPDirectory">
+ <annotation>
+ <documentation>
+ A data connector that can pull information from an LDAP, version 3, directory.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element name="FilterTemplate" type="resolver:string">
+ <annotation>
+ <documentation>
+ A template used to construct the LDAP filter used to query the directory.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="ReturnAttributes" type="resolver:string" minOccurs="0">
+ <annotation>
+ <documentation>
+ A space separated list of attributes that should be returned from the query.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="BinaryAttributes" type="resolver:string" minOccurs="0">
+ <annotation>
+ <documentation>
+ A space separated list of attributes whose values should be encoded.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="StartTLSTrustCredential" type="sec:X509Credential">
+ <annotation>
+ <documentation>
+ The X.509 trust information to use when connecting to the directory over LDAPS or startTLS.
+ DEPRECATED in 3.4 Use trustFile=
+ </documentation>
+ </annotation>
+ </element>
+ <element name="StartTLSAuthenticationCredential" type="sec:X509Credential">
+ <annotation>
+ <documentation>
+ The X.509 client authentication information to use when connecting to the directory over LDAPS or startTLS.
+ DEPRECATED in 3.4 Use authCert= and authKey
+ </documentation>
+ </annotation>
+ </element>
+ <element name="ConnectionPool" type="resolver:LdapPoolConfigType"/>
+ <element name="SASLConfig" type="resolver:SaslConfigType"/>
+ <element name="Column" type="resolver:ColumnType"/>
+ <element name="ResultCache" type="resolver:CacheConfigType"/>
+ <element name="ResultCacheBean" type="string"/>
+ </choice>
+ <attribute name="ldapURL" type="resolver:string">
+ <annotation>
+ <documentation>
+ The URL to the LDAP server.
+ If the search scope is set to ONELEVEL only the entries
+ within this node will be searched, if SUBTREE is specified entries within this node and descendant
+ nodes will be searched.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="connectionStrategy" type="resolver:string">
+ <annotation>
+ <documentation>
+ The LDAP connection strategy. Acceptable values are ACTIVE_PASSIVE, ROUND_ROBIN and RANDOM.
+ Default value is ACTIVE_PASSIVE.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="baseDN" type="resolver:string">
+ <annotation>
+ <documentation>
+ The base DN from which attribute search filtering occurs
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="principal" type="resolver:string">
+ <annotation>
+ <documentation>The DN for the principal connecting to the LDAP directory.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="principalCredential" type="string">
+ <annotation>
+ <documentation>
+ The credential for the principal connecting to the LDAP directory.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="searchScope" type="resolver:string">
+ <annotation>
+ <documentation>
+ The LDAP search scope. Acceptable values are OBJECT, ONELEVEL, SUBTREE.
+ Default value is SUBTREE.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="derefAliases" type="resolver:string">
+ <annotation>
+ <documentation>
+ The LDAP alias dereference behavior. Acceptable values are NEVER, SEARCHING, FINDING, ALWAYS.
+ Default value is NEVER.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="followReferrals" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether search referrals and search references should be followed.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="useStartTLS" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether startTLS should be used when connecting to the LDAP.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="startTLSTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for startTLS responses. If this limit is
+ reached a timeout error is raised. Default value is 3 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="searchTimeLimit" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for search results. If this limit is
+ reached a timeout error is raised. Default value is 3 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="connectTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for connections to open. If this limit is
+ reached a timeout error is raised. Default value is 3 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="responseTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for operation responses. If this limit is
+ reached a timeout error is raised. Default value is 3 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="autoReconnect" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether unexpectedly closed connections should automatically attempt to reconnect.
+ Default value is true.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="reconnectTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum amount of time to wait for a reconnect to occur. If this limit is
+ reached a timeout error is raised. Default value is 10 seconds.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="maxResultSize" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum number of results that may be returned from a query.
+ Default value is 1.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="noResultIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a query returning no results should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="multipleResultsIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a query returning more than one result should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="lowercaseAttributeNames" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to lowercase LDAP attribute names used as IDs for shibboleth attributes
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="templateEngine" type="resolver:string">
+ <annotation>
+ <documentation>Name of the template engine defined within the application.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="executableSearchBuilderRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="mappingStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the MappingStrategy implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="connectionFactoryRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Connection Factory implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="searchOperationRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Search Operation implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validatorRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Validator implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="trustFile" type="resolver:string">
+ <annotation>
+ <documentation>
+ Path to a file with the X.509 trust information to use when connecting to the directory over LDAPS or startTLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="disableHostnameVerification" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to disable hostname/certificate checking during TLS. Defaults to false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authCert" type="resolver:string">
+ <annotation>
+ <documentation>
+ Path to a file with the X.509 trust client authentication certificate to use when connecting to the directory over LDAPS or startTLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authKey" type="resolver:string">
+ <annotation>
+ <documentation>
+ Path to a file with the X.509 trust client authentication key to use when connecting to the directory over LDAPS or startTLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authKeyPassword" type="string">
+ <annotation>
+ <documentation>
+ Password for the supplied authKey
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="failFastInitialize" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to fail if the LDAP server cannot be verified at startup (defaults to false).
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="PairwiseId">
+ <annotation>
+ <documentation>
+ A connector for pairwise ID production that directly leverages a PairwiseIdStore bean.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ </choice>
+ <attribute name="pairwiseIdStoreRef" type="resolver:string" use="required">
+ <annotation>
+ <documentation>
+ Bean name of the PairwiseIdStore to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="generatedAttributeID" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of the attribute produced by this data connector.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="RelationalDatabase">
+ <annotation>
+ <documentation>
+ A data connector definition that uses JDBC version 3 to connect to and pull information from a
+ relational database.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element ref="resolver:ContainerManagedConnection">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database managed by the application
+ container.
+ </documentation>
+ </annotation>
+ </element>
+ <element ref="resolver:SimpleManagedConnection">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database managed by the data connector.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="BeanManagedConnection" type="string">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database configured in a Spring bean.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="QueryTemplate" type="resolver:string" minOccurs="0">
+ <annotation>
+ <documentation>
+ A template that will be used to create the SQL query thats pulls information from the
+ database.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="Column" type="resolver:ColumnType"/>
+ <element name="ResultCache" type="resolver:CacheConfigType"/>
+ <element name="ResultCacheBean" type="resolver:string"/>
+ </choice>
+ <attribute name="queryTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ Timeout for the queries made to the database.
+ Timeout is given in ISO8601 duration form.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="noResultIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a query returning no results should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="multipleResultsIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a query returning more than one result should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="templateEngine" type="resolver:string">
+ <annotation>
+ <documentation>
+ Name of the template engine defined within the application.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="executableSearchBuilderRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="mappingStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the MappingStrategy implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validatorRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Validator implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="failFastInitialize" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to fail if the DataConnector cannot be verified at startup (defaults to false).
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="HTTP">
+ <annotation>
+ <documentation>
+ A data connector definition that issues requests and parses responses using HTTP, typically
+ via a form of web service. REST and scripted handling of responses, typically in JSON,
+ is the primary use case.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element name="URLTemplate">
+ <annotation>
+ <documentation>
+ A template that will be used to create the absolute URL to request.
+ </documentation>
+ </annotation>
+ <complexType>
+ <simpleContent>
+ <extension base="string">
+ <attribute name="customObjectRef" type="resolver:string" />
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <element name="BodyTemplate">
+ <annotation>
+ <documentation>
+ A template that will be used to create a body to POST.
+ </documentation>
+ </annotation>
+ <complexType>
+ <simpleContent>
+ <extension base="string">
+ <attribute name="MIMEType" type="resolver:string" />
+ <attribute name="charset" type="resolver:string" />
+ <attribute name="customObjectRef" type="resolver:string" />
+ </extension>
+ </simpleContent>
+ </complexType>
+ </element>
+ <element name="CacheKeyTemplate" type="resolver:string">
+ <annotation>
+ <documentation>
+ A template that will be used to create a key to the caching of the results.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="ResponseMapping" type="resolver:ScriptType">
+ <annotation>
+ <documentation>Maps the response into attributes by means of scripting.</documentation>
+ </annotation>
+ </element>
+ <element name="ResultCache" type="resolver:CacheConfigType"/>
+ <element name="ResultCacheBean" type="resolver:string"/>
+ </choice>
+ <attribute name="httpClientRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the HttpClient to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="httpClientSecurityParametersRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the HttpClientSecurityParameters to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="serverCertificate" type="resolver:string">
+ <annotation>
+ <documentation>
+ Location of certificate to authenticate HTTP server
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="certificateAuthority" type="resolver:string">
+ <annotation>
+ <documentation>
+ Location of CA to indirectly authenticate HTTP server
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="clientPrivateKey" type="resolver:string">
+ <annotation>
+ <documentation>
+ Location of private key to authenticate with via TLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="clientCertificate" type="resolver:string">
+ <annotation>
+ <documentation>
+ Location of client certificate to authenticate with via TLS
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="templateEngine" type="resolver:string">
+ <annotation>
+ <documentation>
+ Name of the template engine defined within the application.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="maxLength" type="resolver:string">
+ <annotation>
+ <documentation>
+ Maximum size of response body to accept.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="acceptStatuses" >
+ <annotation>
+ <documentation>
+ A space-delimited list of HTTP status codes that should be treated as successful.
+ </documentation>
+ </annotation>
+ <simpleType>
+ <list itemType="string"/>
+ </simpleType>
+ </attribute>
+ <attribute name="acceptTypes" >
+ <annotation>
+ <documentation>
+ A space-delimited list of MIME content types that should be accepted.
+ </documentation>
+ </annotation>
+ <simpleType>
+ <list itemType="string"/>
+ </simpleType>
+ </attribute>
+ <attribute name="headerMapRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing a Map&lt;String,String&gt; of request headers to set.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="executableSearchBuilderRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="mappingStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the MappingStrategy implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validatorRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the Validator implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="failFastInitialize" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to fail if the HTTP server cannot be verified at startup (defaults to false).
+ No verification takes place currently.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="ScriptedDataConnector">
+ <annotation>
+ <documentation>
+ A data connector that constructs attributes by means of a script supported by JSR-223. Populated
+ Attributes are added to the java.util.Collection "connectorResults".
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element name="Script" type="resolver:string">
+ <annotation>
+ <documentation>The script to evaluate to construct the attribute.</documentation>
+ </annotation>
+ </element>
+ <element name="ScriptFile" type="resolver:string">
+ <annotation>
+ <documentation>
+ The filesystem path to the script to evaluate to construct the attribute.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="language" type="resolver:string">
+ <annotation>
+ <documentation>
+ The JSR-233 name for the scripting language that will be used. By default "javascript" is
+ supported.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="customObjectRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of a bean defined somewhere else which will be injected into the script as an
+ object called "custom". If not supplied, nothing is injected.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Static">
+ <annotation>
+ <documentation>
+ A data connector that gets its information from a static list of attributes and values specified within
+ this configuration.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <sequence>
+ <element name="Attribute" minOccurs="0" maxOccurs="unbounded">
+ <annotation>
+ <documentation>
+ Specifies an attribute, and its values, to be exposed by this connector.
+ </documentation>
+ </annotation>
+ <complexType>
+ <sequence>
+ <element name="Value" type="resolver:string" maxOccurs="unbounded">
+ <annotation>
+ <documentation>
+ A value of the attribute. If the value contains characters that would
+ otherwise need to be XML encoded you may wrap the value in a CDATA section.
+ </documentation>
+ </annotation>
+ </element>
+ </sequence>
+ <attribute name="id" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The ID of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+ </element>
+ </sequence>
+ <attribute name="attributeListRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of a bean defined somewhere else which describes a List of IdPAttributes
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="StorageService">
+ <annotation>
+ <documentation>
+ A data connector definition that queries for a record via the IdP's StorageService API.
+ Simple and scripted handling of records, typically in JSON, is the primary use case.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element name="ContextTemplate" type="resolver:string">
+ <annotation>
+ <documentation>
+ A template that will be used to create the context to query.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="KeyTemplate" type="resolver:string">
+ <annotation>
+ <documentation>
+ A template that will be used to create the key to query.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="RecordMapping" type="resolver:ScriptType">
+ <annotation>
+ <documentation>
+ Maps the record into attributes by means of scripting.
+ Mutually exclusive with generatedAttributeID attribute.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="ResultCache" type="resolver:CacheConfigType"/>
+ <element name="ResultCacheBean" type="resolver:string"/>
+ </choice>
+ <attribute name="storageServiceRef" type="resolver:string" use="required">
+ <annotation>
+ <documentation>
+ Reference to Spring bean of the StorageService to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="customObjectRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Injected object into Context/Key template building process.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="generatedAttributeID" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of the attribute produced by this data connector if simple
+ record mapping is used. Mutually exclusive with ResponseMapping element.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="noResultIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether a search returning no record should be considered an error. If
+ an error is raised and a failover dependency is defined for this connector the failover will
+ be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="templateEngine" type="resolver:string">
+ <annotation>
+ <documentation>
+ Name of the template engine defined within the application.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="executableSearchBuilderRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="mappingStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Reference to a Spring bean providing the MappingStrategy implementation to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="StoredId">
+ <annotation>
+ <documentation>
+ A connector that retrieves a pairwise ID from a database.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element ref="resolver:InputAttributeDefinition"/>
+ <element ref="resolver:InputDataConnector"/>
+ <element ref="resolver:FailoverDataConnector"/>
+ <element ref="resolver:SimpleManagedConnection"/>
+ <element ref="resolver:ContainerManagedConnection">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database managed by the application
+ container.
+ </documentation>
+ </annotation>
+ </element>
+ <element name="BeanManagedConnection" type="resolver:string">
+ <annotation>
+ <documentation>
+ A connection, or pool of connections, to the database configured in a Spring bean.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="queryTimeout" type="resolver:string">
+ <annotation>
+ <documentation>
+ Timeout for the queries made to the database.
+ Timeout is given in ISO8601 duration form.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="transactionRetries" type="resolver:string">
+ <annotation>
+ <documentation>
+ Number of retries if insert fails (defaults to 3).
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="tableName" type="resolver:string">
+ <annotation>
+ <documentation>
+ Overrides name of database table to use.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="failFastInitialize" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to fail if the store cannot be verified at startup (defaults to false).
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="retryableErrors">
+ <annotation>
+ <documentation>
+ A space-delimited list of SQLState codes to treat as retryable (indicating
+ a duplicate insert error occurred).
+ </documentation>
+ </annotation>
+ <simpleType>
+ <list itemType="string"/>
+ </simpleType>
+ </attribute>
+ <attribute name="generatedAttributeID" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of the attribute produced by this data connector.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="salt" type="resolver:string">
+ <annotation>
+ <documentation>
+ A salt, of at least 16 bytes, used in the computed ID.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="encodedSalt" type="resolver:string">
+ <annotation>
+ <documentation>
+ A base64-encoded salt, of at least 16 bytes, used in the computed ID.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="algorithm" type="resolver:string">
+ <annotation>
+ <documentation>
+ The JCE digest algorithm to use, defaults to SHA-1.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="encoding" type="resolver:string">
+ <annotation>
+ <documentation>
+ An encoding type to apply after the digest, defaults to BASE64 but should
+ be set to BASE32.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="exceptionMapRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Spring bean reference to a map of overrides that alter salt or suppress generation
+ for particular users/services.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="saltLookupStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Spring bean reference to a BiFunction&lt;ProfileRequestContext,PairwiseId&gt;
+ to obtain the salt.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="Subject">
+ <annotation>
+ <documentation>
+ A data connector that constructs attributes by extracting all IdPAttributePrincipal objects
+ found within the Subject(s) associated with the requests.
+
+ This is a streamlined approach to extracting them one by one with the SubjectDerivedAttribute
+ plugin provided encoding and other attribute metadata can be obtained from the system's
+ generalized transcoding facility.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <sequence>
+ <element ref="resolver:FailoverDataConnector" minOccurs="0" maxOccurs="1"/>
+ </sequence>
+ <attribute name="noResultIsError" type="resolver:string">
+ <annotation>
+ <documentation>
+ A boolean flag indicating whether an absence of any results will cause an error. If an error
+ is raised and a failover dependency is defined for this connector the failover will be invoked.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="forCanonicalization" type="resolver:string">
+ <annotation>
+ <documentation>
+ If true, the source Subject is assumed to be undergoing C14N rather than the
+ usual post-authentication source. Defaults to false.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="EntityAttributes">
+ <annotation>
+ <documentation>
+ A connector for extracting mapped/decoded metadata tags from a peer's metadata.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseDataConnectorType">
+ <attribute name="metadataContextStrategyRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Bean ID of a Function to locate the SAMLMetadataContext to operate on.
+ Default is to locate it under the inbound message context via SAMLPeerEntityContext.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <!-- Support types for DataConnectors -->
+
+ <complexType name="ColumnType">
+ <attribute name="columnName" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The name of the database column.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="attributeID" type="resolver:string">
+ <annotation>
+ <documentation>The name of the attribute that data from this column should be added to.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="SaslConfigType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <element name="SASLProperty" type="resolver:PropertyType">
+ <annotation>
+ <documentation>
+ SASL configuration properties.
+ Common properties include javax.security.sasl.qop, javax.security.sasl.strength, javax.security.sasl.server.authentication.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="mechanism" type="resolver:string">
+ <annotation>
+ <documentation>
+ The SASL mechanism. Common values are EXTERNAL, DIGEST_MD5, CRAM_MD5, GSSAPI
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="authorizationId" type="resolver:string">
+ <annotation>
+ <documentation>SASL authorization ID.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="realm" type="resolver:string">
+ <annotation>
+ <documentation>The SASL realm.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="LdapPoolConfigType">
+ <attribute name="minPoolSize" type="resolver:string">
+ <annotation>
+ <documentation>
+ The minimum number of ldap connections that should always be available in the pool.
+ Note that these connections are provisioned as soon as the pool is initialized.
+ Default value is 0.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="maxPoolSize" type="resolver:string">
+ <annotation>
+ <documentation>
+ The maximum number of ldap connections that should ever be available in the pool.
+ Note that when this threshold is reach the pool will begin blocking until a connection
+ is available.
+ Default value is 3.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="blockWaitTime" type="resolver:string">
+ <annotation>
+ <documentation>
+ Amount of time to block while waiting for a connection from the pool. If no
+ wait time is given, callers will block indefinitely.
+
+ Values are expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validatePeriodically" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether each ldap connection should be checked on a periodic basis.
+ Default value is false.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validateTimerPeriod" type="resolver:string">
+ <annotation>
+ <documentation>
+ Time that the periodic pool validation process should repeat.
+ Ldap objects are pruned when they have been idle beyond the expiration time.
+ The pool is not pruned below the minimum pool size.
+ Default value is 30 minutes.
+
+ Period is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validateDN" type="resolver:string">
+ <annotation>
+ <documentation>
+ Ldap compare DN to use for connection validation.
+ Used in conjunction with validateFilter to perform a compare.
+ Default value is empty.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validateFilter" type="resolver:string">
+ <annotation>
+ <documentation>
+ Ldap compare filter to use for connection validation.
+ Used in conjunction with validateDN to perform a compare.
+ Default value is (objectClass=*).
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="validateOnCheckout" type="resolver:string">
+ <annotation>
+ <documentation>
+ Whether to validate connections when checking them out of the pool.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="prunePeriod" type="resolver:string">
+ <annotation>
+ <documentation>
+ Duration between looking for idle connections to reduce the pool back
+ to its minimum size.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="expirationTime" type="resolver:string">
+ <annotation>
+ <documentation>
+ Time in that an object in the pool should be considered stale and ready for removal.
+ Time is expressed in ISO8601 duration format.
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="CacheConfigType">
+ <attribute name="cacheManagerRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ Name of the CacheManager bean that will manage the result cache. This is not used.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="expireAfterAccess" type="resolver:string">
+ <annotation>
+ <documentation>
+ Length of time a result will be cached after the last access.
+ Incompatible with expireAfterWrite.
+
+ Duration is expressed in ISO8601 duration notation.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="expireAfterWrite" type="resolver:string">
+ <annotation>
+ <documentation>
+ Length of time a result will be cached from the time
+ it is inserted into the cache.
+ Incompatible with expireAfterAccess.
+
+ Duration is expressed in ISO8601 duration notation.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="maximumCachedElements" type="resolver:string">
+ <annotation>
+ <documentation>
+ Maximum number of results that will be held in cache.
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <element name="ContainerManagedConnection" type="resolver:ContainerManagedConnectionType">
+ <annotation>
+ <documentation>
+ Describes a database connection source that is managed by the application container.
+ </documentation>
+ </annotation>
+ </element>
+
+ <complexType name="ContainerManagedConnectionType">
+ <attribute name="resourceName" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The resource name the DataSource is bound to in the JNDI tree.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <complexType name="PropertyType">
+ <attribute name="name" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The name of the property.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="value" type="resolver:string" use="required">
+ <annotation>
+ <documentation>The value of the property,</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <element name="SimpleManagedConnection" type="resolver:SimpleManagedConnectionType">
+ <annotation>
+ <documentation>
+ Describes a simple database connection source that is managed by the attribute resolver data connector.
+ Included to "get people going" only
+ </documentation>
+ </annotation>
+ </element>
+
+ <complexType name="SimpleManagedConnectionType">
+ <attribute name="jdbcDriver" type="resolver:string" use="required">
+ <annotation>
+ <documentation>
+ This is the full qualified class name of the JDBC driver used to connect to the database.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="jdbcURL" type="resolver:string" use="required">
+ <annotation>
+ <documentation>
+ The JDBC URL for the database. These are usually of the form
+ jdbc:databaseProduceName:databaseSpecificInformation. For example, jdbc:hsql:mem:MyDatabase
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="jdbcUserName" type="resolver:string">
+ <annotation>
+ <documentation>The user name to use while connecting to the database.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="jdbcPassword" type="string">
+ <annotation>
+ <documentation>The password to use while connecting to the database.</documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <!-- Encoders that produce SAML 1 or SAML 2 Attributes -->
+ <complexType name="SAML1String">
+ <annotation>
+ <documentation>Defines a SAML 1 string encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="namespace" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 1 Namespace of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML1Base64">
+ <annotation>
+ <documentation>Defines a SAML 1 Base64 encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="namespace" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 1 Namespace of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML1XMLObject">
+ <annotation>
+ <documentation>Defines a SAML 1 Base64 encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="namespace" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 1 Namespace of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML2String">
+ <annotation>
+ <documentation>Defines a SAML 2 string encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="nameFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameFormat of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="friendlyName" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 FriendlyName of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML2DateTime">
+ <annotation>
+ <documentation>Defines a SAML 2 date/time encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="nameFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameFormat of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="friendlyName" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 FriendlyName of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML2Base64">
+ <annotation>
+ <documentation>Defines a SAML 2 Base64 encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="nameFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameFormat of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="friendlyName" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 FriendlyName of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML2XMLObject">
+ <annotation>
+ <documentation>Defines a SAML 2 Base64 encoder for an attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="nameFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameFormat of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="friendlyName" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 FriendlyName of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="BaseScopedAttributeEncoderType">
+ <annotation>
+ <documentation>Defines an encoder for a scoped attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseAttributeEncoderType">
+ <attribute name="scopeType" type="resolver:string">
+ <annotation>
+ <documentation>
+ The type of scoping to use for the encoded attribute. Valid values are "inline" or
+ "attribute".
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="scopeDelimiter" type="resolver:string">
+ <annotation>
+ <documentation>
+ If scopeType is "inline", this is the delimeter used between the attribute value and
+ scope.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="scopeAttribute" type="resolver:string">
+ <annotation>
+ <documentation>
+ If scopeType is "attribute", this is the name of the name of the attribute used to carry the
+ scope value.
+ </documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML1ScopedString">
+ <annotation>
+ <documentation>Defines a SAML 1 string encoder for a scoped attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseScopedAttributeEncoderType">
+ <attribute name="namespace" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 1 Namespace of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <complexType name="SAML2ScopedString">
+ <annotation>
+ <documentation>Defines a SAML 2 string encoder for a scoped attribute.</documentation>
+ </annotation>
+ <complexContent>
+ <extension base="resolver:BaseScopedAttributeEncoderType">
+ <attribute name="nameFormat" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 NameFormat of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ <attribute name="friendlyName" type="resolver:string">
+ <annotation>
+ <documentation>The SAML 2 FriendlyName of the attribute.</documentation>
+ </annotation>
+ </attribute>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <!-- Reusable type for inline scripting. -->
+
+ <complexType name="ScriptType">
+ <annotation>
+ <documentation>
+ A type for elements that allow for scripts to be declared inline or via a resource.
+ </documentation>
+ </annotation>
+ <choice>
+ <element name="Script" type="resolver:string">
+ <annotation>
+ <documentation>The script to evaluate to construct the attribute.</documentation>
+ </annotation>
+ </element>
+ <element name="ScriptFile" type="resolver:string">
+ <annotation>
+ <documentation>
+ Path of a local resource containing the script to evaluate to construct the attribute.
+ </documentation>
+ </annotation>
+ </element>
+ </choice>
+ <attribute name="language" type="resolver:string">
+ <annotation>
+ <documentation>
+ The JSR-233 name for the scripting language that will be used.
+ By default "javascript" is assumed.
+ </documentation>
+ </annotation>
+ </attribute>
+ <attribute name="customObjectRef" type="resolver:string">
+ <annotation>
+ <documentation>
+ The name of a bean defined somewhere else which will be injected into the script as an
+ object called "custom". If not supplied, nothing is injected.
+ </documentation>
+ </annotation>
+ </attribute>
+ </complexType>
+
+ <simpleType name="string">
+ <restriction base="string">
+ <minLength value="1"/>
+ </restriction>
+ </simpleType>
+
+</schema>
diff --git a/schema/xenc-schema.xsd b/schema/xenc-schema.xsd
new file mode 100644
index 0000000..d61229f
--- /dev/null
+++ b/schema/xenc-schema.xsd
@@ -0,0 +1,146 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE schema PUBLIC "-//W3C//DTD XMLSchema 200102//EN"
+ "http://www.w3.org/2001/XMLSchema.dtd"
+ [
+ <!ATTLIST schema
+ xmlns:xenc CDATA #FIXED 'http://www.w3.org/2001/04/xmlenc#'
+ xmlns:ds CDATA #FIXED 'http://www.w3.org/2000/09/xmldsig#'>
+ <!ENTITY xenc 'http://www.w3.org/2001/04/xmlenc#'>
+ <!ENTITY % p ''>
+ <!ENTITY % s ''>
+ ]>
+
+<schema xmlns='http://www.w3.org/2001/XMLSchema' version='1.0'
+ xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
+ xmlns:ds='http://www.w3.org/2000/09/xmldsig#'
+ targetNamespace='http://www.w3.org/2001/04/xmlenc#'
+ elementFormDefault='qualified'>
+
+ <import namespace='http://www.w3.org/2000/09/xmldsig#'
+ schemaLocation='xmldsig-core-schema.xsd'/>
+
+ <complexType name='EncryptedType' abstract='true'>
+ <sequence>
+ <element name='EncryptionMethod' type='xenc:EncryptionMethodType'
+ minOccurs='0'/>
+ <element ref='ds:KeyInfo' minOccurs='0'/>
+ <element ref='xenc:CipherData'/>
+ <element ref='xenc:EncryptionProperties' minOccurs='0'/>
+ </sequence>
+ <attribute name='Id' type='ID' use='optional'/>
+ <attribute name='Type' type='anyURI' use='optional'/>
+ <attribute name='MimeType' type='string' use='optional'/>
+ <attribute name='Encoding' type='anyURI' use='optional'/>
+ </complexType>
+
+ <complexType name='EncryptionMethodType' mixed='true'>
+ <sequence>
+ <element name='KeySize' minOccurs='0' type='xenc:KeySizeType'/>
+ <element name='OAEPparams' minOccurs='0' type='base64Binary'/>
+ <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/>
+ </sequence>
+ <attribute name='Algorithm' type='anyURI' use='required'/>
+ </complexType>
+
+ <simpleType name='KeySizeType'>
+ <restriction base="integer"/>
+ </simpleType>
+
+ <element name='CipherData' type='xenc:CipherDataType'/>
+ <complexType name='CipherDataType'>
+ <choice>
+ <element name='CipherValue' type='base64Binary'/>
+ <element ref='xenc:CipherReference'/>
+ </choice>
+ </complexType>
+
+ <element name='CipherReference' type='xenc:CipherReferenceType'/>
+ <complexType name='CipherReferenceType'>
+ <choice>
+ <element name='Transforms' type='xenc:TransformsType' minOccurs='0'/>
+ </choice>
+ <attribute name='URI' type='anyURI' use='required'/>
+ </complexType>
+
+ <complexType name='TransformsType'>
+ <sequence>
+ <element ref='ds:Transform' maxOccurs='unbounded'/>
+ </sequence>
+ </complexType>
+
+
+ <element name='EncryptedData' type='xenc:EncryptedDataType'/>
+ <complexType name='EncryptedDataType'>
+ <complexContent>
+ <extension base='xenc:EncryptedType'>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <!-- Children of ds:KeyInfo -->
+
+ <element name='EncryptedKey' type='xenc:EncryptedKeyType'/>
+ <complexType name='EncryptedKeyType'>
+ <complexContent>
+ <extension base='xenc:EncryptedType'>
+ <sequence>
+ <element ref='xenc:ReferenceList' minOccurs='0'/>
+ <element name='CarriedKeyName' type='string' minOccurs='0'/>
+ </sequence>
+ <attribute name='Recipient' type='string'
+ use='optional'/>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <element name="AgreementMethod" type="xenc:AgreementMethodType"/>
+ <complexType name="AgreementMethodType" mixed="true">
+ <sequence>
+ <element name="KA-Nonce" minOccurs="0" type="base64Binary"/>
+ <!-- <element ref="ds:DigestMethod" minOccurs="0"/> -->
+ <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
+ <element name="OriginatorKeyInfo" minOccurs="0" type="ds:KeyInfoType"/>
+ <element name="RecipientKeyInfo" minOccurs="0" type="ds:KeyInfoType"/>
+ </sequence>
+ <attribute name="Algorithm" type="anyURI" use="required"/>
+ </complexType>
+
+ <!-- End Children of ds:KeyInfo -->
+
+ <element name='ReferenceList'>
+ <complexType>
+ <choice minOccurs='1' maxOccurs='unbounded'>
+ <element name='DataReference' type='xenc:ReferenceType'/>
+ <element name='KeyReference' type='xenc:ReferenceType'/>
+ </choice>
+ </complexType>
+ </element>
+
+ <complexType name='ReferenceType'>
+ <sequence>
+ <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/>
+ </sequence>
+ <attribute name='URI' type='anyURI' use='required'/>
+ </complexType>
+
+
+ <element name='EncryptionProperties' type='xenc:EncryptionPropertiesType'/>
+ <complexType name='EncryptionPropertiesType'>
+ <sequence>
+ <element ref='xenc:EncryptionProperty' maxOccurs='unbounded'/>
+ </sequence>
+ <attribute name='Id' type='ID' use='optional'/>
+ </complexType>
+
+ <element name='EncryptionProperty' type='xenc:EncryptionPropertyType'/>
+ <complexType name='EncryptionPropertyType' mixed='true'>
+ <choice maxOccurs='unbounded'>
+ <any namespace='##other' processContents='lax'/>
+ </choice>
+ <attribute name='Target' type='anyURI' use='optional'/>
+ <attribute name='Id' type='ID' use='optional'/>
+ <anyAttribute namespace="http://www.w3.org/XML/1998/namespace"/>
+ </complexType>
+
+</schema>
+
diff --git a/schema/xml.xsd b/schema/xml.xsd
new file mode 100644
index 0000000..aea7d0d
--- /dev/null
+++ b/schema/xml.xsd
@@ -0,0 +1,287 @@
+<?xml version='1.0'?>
+<?xml-stylesheet href="../2008/09/xsd.xsl" type="text/xsl"?>
+<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace"
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns ="http://www.w3.org/1999/xhtml"
+ xml:lang="en">
+
+ <xs:annotation>
+ <xs:documentation>
+ <div>
+ <h1>About the XML namespace</h1>
+
+ <div class="bodytext">
+ <p>
+ This schema document describes the XML namespace, in a form
+ suitable for import by other schema documents.
+ </p>
+ <p>
+ See <a href="http://www.w3.org/XML/1998/namespace.html">
+ http://www.w3.org/XML/1998/namespace.html</a> and
+ <a href="http://www.w3.org/TR/REC-xml">
+ http://www.w3.org/TR/REC-xml</a> for information
+ about this namespace.
+ </p>
+ <p>
+ Note that local names in this namespace are intended to be
+ defined only by the World Wide Web Consortium or its subgroups.
+ The names currently defined in this namespace are listed below.
+ They should not be used with conflicting semantics by any Working
+ Group, specification, or document instance.
+ </p>
+ <p>
+ See further below in this document for more information about <a
+ href="#usage">how to refer to this schema document from your own
+ XSD schema documents</a> and about <a href="#nsversioning">the
+ namespace-versioning policy governing this schema document</a>.
+ </p>
+ </div>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+
+ <xs:attribute name="lang">
+ <xs:annotation>
+ <xs:documentation>
+ <div>
+
+ <h3>lang (as an attribute name)</h3>
+ <p>
+ denotes an attribute whose value
+ is a language code for the natural language of the content of
+ any element; its value is inherited. This name is reserved
+ by virtue of its definition in the XML specification.</p>
+
+ </div>
+ <div>
+ <h4>Notes</h4>
+ <p>
+ Attempting to install the relevant ISO 2- and 3-letter
+ codes as the enumerated possible values is probably never
+ going to be a realistic possibility.
+ </p>
+ <p>
+ See BCP 47 at <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt">
+ http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a>
+ and the IANA language subtag registry at
+ <a href="http://www.iana.org/assignments/language-subtag-registry">
+ http://www.iana.org/assignments/language-subtag-registry</a>
+ for further information.
+ </p>
+ <p>
+ The union allows for the 'un-declaration' of xml:lang with
+ the empty string.
+ </p>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+ <xs:simpleType>
+ <xs:union memberTypes="xs:language">
+ <xs:simpleType>
+ <xs:restriction base="xs:string">
+ <xs:enumeration value=""/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:union>
+ </xs:simpleType>
+ </xs:attribute>
+
+ <xs:attribute name="space">
+ <xs:annotation>
+ <xs:documentation>
+ <div>
+
+ <h3>space (as an attribute name)</h3>
+ <p>
+ denotes an attribute whose
+ value is a keyword indicating what whitespace processing
+ discipline is intended for the content of the element; its
+ value is inherited. This name is reserved by virtue of its
+ definition in the XML specification.</p>
+
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+ <xs:simpleType>
+ <xs:restriction base="xs:NCName">
+ <xs:enumeration value="default"/>
+ <xs:enumeration value="preserve"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+
+ <xs:attribute name="base" type="xs:anyURI"> <xs:annotation>
+ <xs:documentation>
+ <div>
+
+ <h3>base (as an attribute name)</h3>
+ <p>
+ denotes an attribute whose value
+ provides a URI to be used as the base for interpreting any
+ relative URIs in the scope of the element on which it
+ appears; its value is inherited. This name is reserved
+ by virtue of its definition in the XML Base specification.</p>
+
+ <p>
+ See <a
+ href="http://www.w3.org/TR/xmlbase/">http://www.w3.org/TR/xmlbase/</a>
+ for information about this attribute.
+ </p>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
+
+ <xs:attribute name="id" type="xs:ID">
+ <xs:annotation>
+ <xs:documentation>
+ <div>
+
+ <h3>id (as an attribute name)</h3>
+ <p>
+ denotes an attribute whose value
+ should be interpreted as if declared to be of type ID.
+ This name is reserved by virtue of its definition in the
+ xml:id specification.</p>
+
+ <p>
+ See <a
+ href="http://www.w3.org/TR/xml-id/">http://www.w3.org/TR/xml-id/</a>
+ for information about this attribute.
+ </p>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
+
+ <xs:attributeGroup name="specialAttrs">
+ <xs:attribute ref="xml:base"/>
+ <xs:attribute ref="xml:lang"/>
+ <xs:attribute ref="xml:space"/>
+ <xs:attribute ref="xml:id"/>
+ </xs:attributeGroup>
+
+ <xs:annotation>
+ <xs:documentation>
+ <div>
+
+ <h3>Father (in any context at all)</h3>
+
+ <div class="bodytext">
+ <p>
+ denotes Jon Bosak, the chair of
+ the original XML Working Group. This name is reserved by
+ the following decision of the W3C XML Plenary and
+ XML Coordination groups:
+ </p>
+ <blockquote>
+ <p>
+ In appreciation for his vision, leadership and
+ dedication the W3C XML Plenary on this 10th day of
+ February, 2000, reserves for Jon Bosak in perpetuity
+ the XML name "xml:Father".
+ </p>
+ </blockquote>
+ </div>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+
+ <xs:annotation>
+ <xs:documentation>
+ <div xml:id="usage" id="usage">
+ <h2><a name="usage">About this schema document</a></h2>
+
+ <div class="bodytext">
+ <p>
+ This schema defines attributes and an attribute group suitable
+ for use by schemas wishing to allow <code>xml:base</code>,
+ <code>xml:lang</code>, <code>xml:space</code> or
+ <code>xml:id</code> attributes on elements they define.
+ </p>
+ <p>
+ To enable this, such a schema must import this schema for
+ the XML namespace, e.g. as follows:
+ </p>
+ <pre>
+ &lt;schema . . .>
+ . . .
+ &lt;import namespace="http://www.w3.org/XML/1998/namespace"
+ schemaLocation="http://www.w3.org/2001/xml.xsd"/>
+ </pre>
+ <p>
+ or
+ </p>
+ <pre>
+ &lt;import namespace="http://www.w3.org/XML/1998/namespace"
+ schemaLocation="http://www.w3.org/2009/01/xml.xsd"/>
+ </pre>
+ <p>
+ Subsequently, qualified reference to any of the attributes or the
+ group defined below will have the desired effect, e.g.
+ </p>
+ <pre>
+ &lt;type . . .>
+ . . .
+ &lt;attributeGroup ref="xml:specialAttrs"/>
+ </pre>
+ <p>
+ will define a type which will schema-validate an instance element
+ with any of those attributes.
+ </p>
+ </div>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+
+ <xs:annotation>
+ <xs:documentation>
+ <div id="nsversioning" xml:id="nsversioning">
+ <h2><a name="nsversioning">Versioning policy for this schema document</a></h2>
+ <div class="bodytext">
+ <p>
+ In keeping with the XML Schema WG's standard versioning
+ policy, this schema document will persist at
+ <a href="http://www.w3.org/2009/01/xml.xsd">
+ http://www.w3.org/2009/01/xml.xsd</a>.
+ </p>
+ <p>
+ At the date of issue it can also be found at
+ <a href="http://www.w3.org/2001/xml.xsd">
+ http://www.w3.org/2001/xml.xsd</a>.
+ </p>
+ <p>
+ The schema document at that URI may however change in the future,
+ in order to remain compatible with the latest version of XML
+ Schema itself, or with the XML namespace itself. In other words,
+ if the XML Schema or XML namespaces change, the version of this
+ document at <a href="http://www.w3.org/2001/xml.xsd">
+ http://www.w3.org/2001/xml.xsd
+ </a>
+ will change accordingly; the version at
+ <a href="http://www.w3.org/2009/01/xml.xsd">
+ http://www.w3.org/2009/01/xml.xsd
+ </a>
+ will not change.
+ </p>
+ <p>
+ Previous dated (and unchanging) versions of this schema
+ document are at:
+ </p>
+ <ul>
+ <li><a href="http://www.w3.org/2009/01/xml.xsd">
+ http://www.w3.org/2009/01/xml.xsd</a></li>
+ <li><a href="http://www.w3.org/2007/08/xml.xsd">
+ http://www.w3.org/2007/08/xml.xsd</a></li>
+ <li><a href="http://www.w3.org/2004/10/xml.xsd">
+ http://www.w3.org/2004/10/xml.xsd</a></li>
+ <li><a href="http://www.w3.org/2001/03/xml.xsd">
+ http://www.w3.org/2001/03/xml.xsd</a></li>
+ </ul>
+ </div>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+
+</xs:schema>
+