From af3487b9c4a9b630d88b55c2bcc4bedf257cab4a Mon Sep 17 00:00:00 2001 From: Björn Mattsson Date: Thu, 19 Oct 2023 16:05:58 +0200 Subject: Added files from Wiki + base files for repo --- Makefile | 14 + Shibboleth-IdP/v4/attribute-filter.xml | 281 +++ Shibboleth-IdP/v4/attribute-resolver.xml | 618 +++++++ Shibboleth-SP/v3/attribute-map.xml | 146 ++ Shibboleth-SP/v3/swamid-IIS-shibboleth2.xml | 92 + Shibboleth-SP/v3/swamid-apache-shibboleth2.xml | 71 + schema.xsd | 8 + schema/saml-schema-assertion-2.0.xsd | 283 +++ schema/saml-schema-metadata-2.0.xsd | 337 ++++ schema/saml-schema-protocol-2.0.xsd | 302 ++++ schema/shibboleth-2.0-attribute-map.xsd | 358 ++++ schema/shibboleth-3.0-native-sp-config.xsd | 908 ++++++++++ schema/shibboleth-afp.xsd | 952 ++++++++++ schema/shibboleth-attribute-resolver.xsd | 2274 ++++++++++++++++++++++++ schema/xenc-schema.xsd | 146 ++ schema/xml.xsd | 287 +++ scripts/bump-tag | 43 + scripts/do-update.sh | 3 + scripts/verify-tag | 14 + 19 files changed, 7137 insertions(+) create mode 100644 Makefile create mode 100644 Shibboleth-IdP/v4/attribute-filter.xml create mode 100644 Shibboleth-IdP/v4/attribute-resolver.xml create mode 100644 Shibboleth-SP/v3/attribute-map.xml create mode 100644 Shibboleth-SP/v3/swamid-IIS-shibboleth2.xml create mode 100644 Shibboleth-SP/v3/swamid-apache-shibboleth2.xml create mode 100644 schema.xsd create mode 100644 schema/saml-schema-assertion-2.0.xsd create mode 100644 schema/saml-schema-metadata-2.0.xsd create mode 100644 schema/saml-schema-protocol-2.0.xsd create mode 100644 schema/shibboleth-2.0-attribute-map.xsd create mode 100644 schema/shibboleth-3.0-native-sp-config.xsd create mode 100644 schema/shibboleth-afp.xsd create mode 100644 schema/shibboleth-attribute-resolver.xsd create mode 100644 schema/xenc-schema.xsd create mode 100644 schema/xml.xsd create mode 100755 scripts/bump-tag create mode 100755 scripts/do-update.sh create mode 100755 scripts/verify-tag 
diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..9d5b87a --- /dev/null +++ b/Makefile @@ -0,0 +1,14 @@ +MXML=$(shell find . -type f -name "*.xml") + +tag: schematest + ./scripts/bump-tag + +update: update-git + ./scripts/verify-tag && rsync -avz --delete ADFSToolkit/ Shibboleth-IdP/ Shibboleth-SP/ /opt/swamid-entity-configurations/ + +update-git: + git checkout master && git reset --hard && git pull + +schematest: + @fail=false ; for x in $(MXML); do test=`xmllint --xinclude --nowarning --noout --path schema --schema schema.xsd $$x 2>&1`; rc=$$?; echo $$test | sed 's/fails to validate/&/;s/validates/&/'; if [ $$rc -gt 0 ]; then fail=true ; fi; done ; if $$fail ; then exit 1 ; fi + diff --git a/Shibboleth-IdP/v4/attribute-filter.xml b/Shibboleth-IdP/v4/attribute-filter.xml new file mode 100644 index 0000000..94ed74c --- /dev/null +++ b/Shibboleth-IdP/v4/attribute-filter.xml @@ -0,0 +1,281 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/Shibboleth-IdP/v4/attribute-resolver.xml b/Shibboleth-IdP/v4/attribute-resolver.xml new file mode 100644 index 0000000..5171017 --- /dev/null +++ b/Shibboleth-IdP/v4/attribute-resolver.xml 
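Review bot: In the `schematest` recipe, `echo $$test | sed 's/fails to validate/&/;s/validates/&/'` replaces each match with itself, so the `sed` is a no-op, and the unquoted `$$test` word-splits xmllint's multi-line diagnostics onto one line; `printf '%s\n' "$$test"` with the `sed` dropped prints them intact. The `tag`, `update`, `update-git` and `schematest` targets create no files of those names, so they should be declared `.PHONY: tag update update-git schematest`, otherwise a stray file called `tag` or `update` would silently skip the recipe. The `update` recipe also syncs `ADFSToolkit/`, which this commit does not add; if that directory is absent when `make update` runs, rsync will presumably report an error for it, so a comment stating that `ADFSToolkit/` is expected to exist beside `Shibboleth-IdP/` and `Shibboleth-SP/` would help. Finally, `$(MXML)` comes from `$(shell find ...)`, which splits on whitespace, so XML paths containing spaces would be mis-handled by `for x in $(MXML)`; `find . -type f -name '*.xml' -print0 | xargs -0 ...` avoids that if such paths can occur.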
@@ -0,0 +1,618 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ORGANIZATION_NAME + + + ORGANIZATION_ACRONYM + + + ISO_COUNTRY_CODE + + + ISO_COUNTRY_NAME + + + SCHAC_HOME_ORG_DOMAIN_NAME + + + urn:schac:homeOrganizationType:eu:higherEducationInstitution + + + + + + + http://www.swamid.se/policy/assurance/al2 + http://www.swamid.se/policy/assurance/al3 + + + + + http://www.swamid.se/policy/assurance/al1 + https://refeds.org/assurance/IAP/low + + + + + https://refeds.org/assurance + https://refeds.org/assurance/ID/unique + https://refeds.org/assurance/ID/eppn-unique-no-reassign + https://refeds.org/assurance/ATP/ePA-1m + + + + + + + MyGlobalDataSource + + + + + + + + + + + + + + + + + + + + + + + diff --git a/Shibboleth-SP/v3/attribute-map.xml b/Shibboleth-SP/v3/attribute-map.xml new file mode 100644 index 0000000..053e327 --- /dev/null +++ b/Shibboleth-SP/v3/attribute-map.xml @@ -0,0 +1,146 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/Shibboleth-SP/v3/swamid-IIS-shibboleth2.xml b/Shibboleth-SP/v3/swamid-IIS-shibboleth2.xml new file mode 100644 index 0000000..fdc0dc9 --- /dev/null +++ b/Shibboleth-SP/v3/swamid-IIS-shibboleth2.xml @@ -0,0 +1,92 @@ + + + + + + + + + + + + + + + + + + + + SAML2 Local + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/Shibboleth-SP/v3/swamid-apache-shibboleth2.xml b/Shibboleth-SP/v3/swamid-apache-shibboleth2.xml new file mode 100644 index 0000000..55159a6 --- /dev/null +++ b/Shibboleth-SP/v3/swamid-apache-shibboleth2.xml @@ -0,0 +1,71 @@ + + + + + + SAML2 Local + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/schema.xsd b/schema.xsd new file mode 100644 index 0000000..fc176e6 --- /dev/null +++ b/schema.xsd @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/schema/saml-schema-assertion-2.0.xsd b/schema/saml-schema-assertion-2.0.xsd new file mode 100644 index 0000000..478ddfa --- /dev/null +++ b/schema/saml-schema-assertion-2.0.xsd @@ -0,0 +1,283 @@ + + + + + + + Document identifier: saml-schema-assertion-2.0 + Location: http://docs.oasis-open.org/security/saml/v2.0/ + Revision history: + V1.0 (November, 2002): + Initial Standard Schema. + V1.1 (September, 2003): + Updates within the same V1.0 namespace. + V2.0 (March, 2005): + New assertion schema for SAML V2.0 namespace. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/schema/saml-schema-metadata-2.0.xsd b/schema/saml-schema-metadata-2.0.xsd new file mode 100644 index 0000000..b656d4f --- /dev/null +++ b/schema/saml-schema-metadata-2.0.xsd @@ -0,0 +1,337 @@ + + + + + + + + + Document identifier: saml-schema-metadata-2.0 + Location: http://docs.oasis-open.org/security/saml/v2.0/ + Revision history: + V2.0 (March, 2005): + Schema for SAML metadata, first published in SAML 2.0. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/schema/saml-schema-protocol-2.0.xsd b/schema/saml-schema-protocol-2.0.xsd new file mode 100644 index 0000000..eb480e5 --- /dev/null +++ b/schema/saml-schema-protocol-2.0.xsd 
@@ -0,0 +1,302 @@ + + + + + + + Document identifier: saml-schema-protocol-2.0 + Location: http://docs.oasis-open.org/security/saml/v2.0/ + Revision history: + V1.0 (November, 2002): + Initial Standard Schema. + V1.1 (September, 2003): + Updates within the same V1.0 namespace. + V2.0 (March, 2005): + New protocol schema based in a SAML V2.0 namespace. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/schema/shibboleth-2.0-attribute-map.xsd b/schema/shibboleth-2.0-attribute-map.xsd new file mode 100644 index 0000000..31ff798 --- /dev/null +++ b/schema/shibboleth-2.0-attribute-map.xsd 
@@ -0,0 +1,358 @@ + + + + + + + + This schema maps SAML attributes into Shibboleth internal attributes. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + A wrapper element for GSS-API contexts. + + + + + + A wrapper element for GSS-API composite names. + + + + + + The set of SAML or GSS-API attribute mappings. + + + + + + + + + + + + + + + + + + + + Rule for mapping a SAML attribute to an internal attribute. + + + + + + + The internal attribute ID to which this SAML attribute maps. + + + + + DEPRECATED: Aliases for the internal attribute to which this SAML attribute maps. + + + + + The SAML 1 AttributeName or SAML 2 Name of the attribute. + + + + + The SAML 1 Namespace or SAML 2 NameFormat of the attribute. + + + + + Marks an attribute as requested by the service. + + + + + Marks an attribute as required by the service. + + + + + + + Rule for mapping a GSS-API naming attribute to an internal attribute. + + + + The internal attribute ID to which this SAML attribute maps. + + + + + Optional aliases for the internal attribute to which this SAML attribute maps. + + + + + The name of the naming attribute. + + + + + If true, only an authenticated GSS-API naming attribute will be mapped. + + + + + If true, the GSS-API naming attribute will be base64-encoded for internal use. + + + + + + The character(s) used to delimit the scoped information from the scope. + + + + + + + + + Decodes a SAML attribute into its Shibboleth-internal representation. + + + + + + Flag controlling case sensitivity when comparisons to the attribute's values are done. + + + + + + + Flag controlling whether the resulting attribute should be exported for CGI use. + + + + + + + Flag controlling whether the decoder should select only the best matching value by language. + + + + + + + Crypto-provider-specific name of hash algorithm to use, + turning the decoded result into a simple string. + + + + + + + + + Decoder for attributes with string values. 
+ + + + + + + + + + + Decoder for attributes with scoped values. + + + + + + + + The character(s) used to delimit the scoped information from the scope. + + + + + + + + + + + Decoder for attributes with NameID values. + + + + + + + + The pattern used to generate string versions of the attribute's values. + + + + + + + Flag controlling whether to default in values for NameQualifier/SPNameQualifier if not set. + + + + + + + + + + + Decoder for attributes with scoped values that produces a NameID attribute with + the scope dropped and the NameQualifiers defaulted. + + + + + + + + Value to use as the NameID Format. + + + + + + + Flag controlling whether to default in values for NameQualifier/SPNameQualifier if not set. + + + + + + + The pattern used to generate string versions of the attribute's values. + + + + + + + + + + + Decoder for attributes with ds:KeyInfo values. + + + + + + + + + + + Flag controlling whether to hash keys before base64-encoding them. + + + + + + + Crypto-provider-specific name of hash algorithm to use. + + + + + + + + + + + Decoder for directly serializing XML values. + + + + + + + + + + + Decoder for extracting information from XML values. + + + + + + + + Optional transform to turn qualified XML names into string names. + + + + + + + + + + + The pattern used to generate strings from the XML. + + + + + + + + + + + Decoder for attributes with base64-encoded string values. + + + + + + + + diff --git a/schema/shibboleth-3.0-native-sp-config.xsd b/schema/shibboleth-3.0-native-sp-config.xsd new file mode 100644 index 0000000..9eb7a4b --- /dev/null +++ b/schema/shibboleth-3.0-native-sp-config.xsd 
@@ -0,0 +1,908 @@ + + + + + + + + + + + 3.x schema for XML-based configuration of Shibboleth Native SP instances. + First appearing in Shibboleth 3.0 release. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Container for extension libraries and custom configuration + + + + + + + + + + + + + + + + + + + References DataSealer plugins + + + + + + + + + + + + + + References StorageService plugins + + + + + + + + + + + + + + + + References SessionCache plugins + + + + + + + + + + + + + + + + + + + + + Ties ReplayCache to a custom StorageService + + + + + + + + Customizes an ArtifactMap + + + + + + + + + + Container for out-of-process (shibd) configuration + + + + + + + + + + + + + + + + Container for configuration of locally integrated or platform-specific + features (e.g. web server filters) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + A simple example access policy language extension that supersedes Apache .htaccess + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Built-in request mapping syntax, decomposes URLs into Host/Path/Path/... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Container for default settings and application-specific overrides + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Container for application-specific overrides + + + + + + + + + + + + + + + + + + + + + + + + + Externalized application overrides. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Container for specifying protocol handlers and session policy + + + + + + Implicitly configures SessionInitiator and AssertionConsumerService handlers + + + + + + + + + + + + + + + + Implicitly configures LogoutInitiator and SingleLogoutService handlers + + + + + + + + + + + + + Implicitly configures ManageNameIDService handlers + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Used to override Policy from profile endpoints + + + + + + Used to ignore NoPassive errors in AssertionConsumerService endpoints + + + + + + Used to override signing property in SingleLogoutService/etc endpoints + + + + + + Used to override encryption property in SingleLogoutService/etc endpoints + + + + + + Options common to explicit and implicit SessionInitiators + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Used to specify handlers that can issue AuthnRequests or perform discovery + + + + + + + + + + + + + + + + + + + + + Options common to explicit and implicit LogoutInitiators + + + + + + + + + + + + + Used to specify handlers that can issue LogoutRequests + + + + + + + + + + + + + + + + + Used to specify custom handlers + + + + + + + + + + + + + + + + + + Container for error templates and associated details + + + + + + + + + + + + + + + + + + + Container for specifying settings to use with particular peers + + + + + + + + + + + + + + Used to specify locations to receive application notifications + + + + + + + + + + + + + + + + + + Container for specifying sets of policy rules to apply to incoming messages + + + + + Specifies a set of SecurityPolicyRule plugins + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Implementation-specific option to pass to SOAPTransport provider. 
+ + + + + + + + + + + + + + + Root of configuration + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/schema/shibboleth-afp.xsd b/schema/shibboleth-afp.xsd new file mode 100644 index 0000000..9af7009 --- /dev/null +++ b/schema/shibboleth-afp.xsd 
@@ -0,0 +1,952 @@ + + + + + + + Schema for the attribute filter policies. + + + + + + Root element of the attribute filter policy. Represents a named group of filter policies. + + + + + + + + + + + Defines a set of applications requirements that may be reused across multiple filter + policies. + + + + + + + Defines a permit value rule that may be reused across multiple attribute rules. + + + + + + + Defines a deny value rule that may be reused across multiple attribute rules. + + + + + + + Defines an attribute rule that may be reused across multiple filter policies. + + + + + + + A policy that defines the set of attribute value filters that will be applied if its + application requirements are met. + + + + + + + Digital signature for the policy. Policies that are fetched from an external source, + such as a federation site, should be signed. + + + + + + + + + + + + A policy that defines a set of attribute value filters rules that should be used if given requirements + are met. + + + + + + + + + + + A requirement that if met signals that this filter policy should be used. + + + + + + + A rule that describes how values of an attribute will be filtered. + + + + + + + + + + + A rule that describes how values of an attribute will be filtered. + + + + + + + + + + + + Reference to a PermitValueRule defined within this policy group or another. + + + + + + + + + + Reference to a DenyValueRule defined within this policy group or another. + + + + + + + + The ID of the attribute to which this rule applies. + + + + + If present, and true injects an implicit permit value rule of type ANY + + + + + + + + + A requirement that if met signals that a filter policy should be used. + + + + + + A filter for attribute values. If the filter evaluates to true the value is permitted to be released. + + + + + + + A filter for attribute values. If the filter evaluates to true the value is denied and may not be released. 
+ + + + + + + + + + + + + An ID, unique within the policy and component type. + + + + + + + + Used to reference a globally defined policy component. + + + + + + + + A match function that evaluates to true. + + + + + + + + + + A match function that evaluates to true. + + + + + + + + + A match function that evaluates to true. + + + + + + + + + + + A match function that performs a logical AND on the results of all contained matching functions. + + + + + + + + + The set of match function rules to be ANDed. + + + + + + + + + + + + A match function that performs a logical OR on the results of all contained matching functions. + + + + + + + + + The set of match function rules to be ORed. + + + + + + + + + + + + A match function that performs a logical NOT on the result of the contained matching function. + + + + + + + + + The set of match function rules to be negated. + + + + + + + + + + + + + A match function that matches the attribute request against the + specified value. + + + + + + + + The reference to an externally defined bean to do the predicate work + + + + + + + + + + + + A match function that matches the attribute requester against the specified value. + + + + + + + + + + + A match function that matches a proxied attribute requester against the specified value. + + + + + + + + + + + A match function that matches the attribute issuer against the specified value. + + + + + + + + + + A match function that matches the principal name against the specified value. + + + + + + + + + A match function that matches the active profile identifier against the specified value. + + + + + + + + + + A match function that matches the value of an attribute against the specified value. This match + evaluates to true if the attribute contains the specified value. + + + + + + + + + + + A match function that matches the attribute scope against the specified value. + + + + + + + + + + + + + + The ID of the attribute whose value should be matched. 
If no attribute ID is specified the + ID of the containing attribute rule is assumed. + + + + + + + + + + + + + The string value to match. + + + + + + A boolean flag indicating whether the match evaluation should be case sensitive. + + + + + + + + + + + + A match function that matches the attribute requester against the specified regular expression. + + + + + + + + + + + A match function that matches a proxied attribute requester against the specified regular expression. + + + + + + + + + + + A match function that matches the attribute issuer against the specified regular expression. + + + + + + + + + + + A match function that matches the principal name against the specified regular expression. + + + + + + + + + + + A match function that matches an attribute value against the specified regular expression. This function + evaluates to true if any value matches the given expression. + + + + + + + + + + + A match function that matches the attribute scope against the specified regular expression. + + + + + + + + + + + + + + The ID of the attribute whose value should be matched. If no attribute ID is specified the + ID of the containing attribute rule is assumed. + + + + + + + + + + + + + The regular expression values are matched against. + + + + + Whether the comparison is case sensitive, default TRUE + + + + + + + + + + + A match function that evaluates a script to determine if some criteria is met. The script MUST return a + boolean. + + + + + + + + The script to evaluate to construct the attribute. + + + + + + The filesystem path to the script to evaluate to construct the attribute. + + + + + + + + The JSR-233 name for the scripting language that will be used. By default "javascript" is + supported. + + + + + + + The name of a bean defined somewhere else which will be injected into the script as an + object called "custom". If not supplied nothing is injected. 
+ + + + + + + + + + + A match function that evaluates to true if the given attribute has as a number of values that falls + between the minimum and maximum. This method may be used as a sanity check to ensure that an unexpected + number of values did not come from the attribute resolver and be released. + + + + + + + The ID of the attribute whose value should be matched. + + + + + Minimum number of values an attribute may have. + + + + + Maximum number of values an attribute may have. + + + + + + + + + + + + A match function that checks if the attribute requester's metadata + contains an entity attribute with the specified value. + + + + + + + + + + + A match function that checks if a proxied requester's metadata + contains an entity attribute with the specified value. + + + + + + + + + + + A match function that checks if the attribute issuer's metadata + contains an entity attribute with the specified value. + + + + + + + + + + + + + The name of the entity attribute to match. + + + + + The value of the entity attribute to match. + + + + + The NameFormat of the entity attribute to match. + + + + + + Boolean attribute, whether to examine only mapped/decoded attributes, default is false. + + + + + + + + + + + A match function that checks if the attribute requester's metadata contains + an entity attribute with a value that matches the given regular expression. + + + + + + + + + + + A match function that checks if a proxied requester's metadata contains + an entity attribute with a value that matches the given regular expression. + + + + + + + + + + + A match function that checks if the attribute issuer's metadata contains + an entity attribute with a value that matches the given regular expression. + + + + + + + + + + + + + The name of the entity attribute to match. + + + + + The regular expression that must match the value of the entity attribute to + match. + + + + + The name format of the entity attribute to match. 
+ + + + + + Boolean attribute, whether to examine only mapped/decoded attributes, default is false. + + + + + + + + + + + A match function that evaluates to true if the attribute requester supports a specified + NameID format. + + + + + + + + + + + A match function that evaluates to true if the attribute issuer supports a specified + NameID format. + + + + + + + + + + + + + The NameID format that needs to be supported by the entity. + + + + + + + + + + A match function that evaluates to true if the attribute requester is found in metadata and + is a member of the given entity group. + + + + + + + + + + + A match function that evaluates to true if a proxied requester is found in metadata and + is a member of the given entity group. + + + + + + + + + + + A match function that evaluates to true if the attribute issuer is found in metadata and + is a member of the given entity group. + + + + + + + + + + + + + The entity group ID that an entity must be in. + + + + + + Whether to check for membership in metadata-based AffiliationDescriptors. + + Defaults to false. + + + + + + + + + + + A match function that matches a requester's MDRPI against a list of potential values. + + + + + + + + + + + A match function that matches a proxied requester's MDRPI against a list of potential values. + + + + + + + + + + + A match function that matches the attribute issuer's MDRPI content against a list of potential values. + + + + + + + + + + + + + The string values to match. + + + + + + A boolean flag indicating whether a match should occur if the metadata does + not contain an MDRPI statement (coded) default is false. + + + + + + + + + + + A match function that ensures that an attribute value's scope matches a scope given in + metadata for the entity or role of the attribute issuer. + + + + + + + + + + + A match function that ensures that an attribute value's scope matches a scope given in + metadata for the entity or role of the attribute issuer. 
+ + + + + + + + + + + A match function that evaluates to true if an attribute (or specific values) is specified by + the requesting entity's AttributeConsumingService SP metadata. + + It supports both explicit checking for a named SAML RequestedAttribute in metadata, or + comparison via the transcoding registry to compare the internal attribute form against + decoded objects produced from the metadata. This is the old "mapped" functionality + in V3 and is now collapsed into one matcher type. + + + + + + + + The ID of the attribute whose value should be matched. If no attribute ID is specified the + ID of the containing attribute rule is assumed. + + + + + + + A boolean flag indicating whether attributes noted as optional should match. + + + + + + + A boolean flag indicating whether a match should occur if (after mapping) + the metadata does not contain and Attributes. + + + + + + The name of a requested attribute to look for. + + + + + The name format of a requested attribute to look for. + + + + + + + + + + + + + + + + diff --git a/schema/shibboleth-attribute-resolver.xsd b/schema/shibboleth-attribute-resolver.xsd new file mode 100644 index 0000000..cca79e7 --- /dev/null +++ b/schema/shibboleth-attribute-resolver.xsd 
@@ -0,0 +1,2274 @@ + + + + + + + + Shibboleth V4 Attribute Resolver configuration schema + + + + + + Root of the attribute resolver configuration file. + + + + + + + + + + + A unique identifier for this Resolver. + + + + + + + + Defines an attribute definition within this resolver. + + + + + + + + Attribute definition define the finished attributes to be released by the + resolver. + + Definitions derived from this type need to explicitly include (as a choice) + the Dependency, DisplayName, DisplayDescription and Encoder sub elements + + + + + + + + + A boolean flag that indicates whether this attribute definition is + only defined because its data is needed elsewhere within the resolver + and as such should not be released outside the resolver. + + + + + + + A boolean flag that indicates whether this attribute definition and + its dependencies are to be resolved in a "first pass", prior to the + main resolution. These attributes will be populated into a child + context so as to be available to activationConditions. + + + + + + + + + + Defines an encoder for an attribute. + + + + + + + An attribute encoder is responsible for converting an attribute, and its values, + into a protocol specific representation such as a SAML 1 or SAML 2 Attribute. + The use of them to produce a SAML NameIdentifier/NameID is DEPRECATED. + + + + + + + A scripted predicate which controls whether this encoder will run + + + + + + + + + A boolean indicating whether the encoding should include type information. This is + encoding-specific (e.g., for XML it likely involves xsi:type). + + + + + + + A reference to a Predicate which controls whether this encoder will run + Mutually exclusive with relyingParties + + + + + + + A (space separated) list of entities for which this plugin is to be active + Mutually exclusive with activationConditionRef + + + + + + + + + Defines a data connector which is used to pull information from local + infrastructure. 
+ + + + + + + + Data connectors pull information from local infrastructure, such as + databases and LDAP directories, and make these raw attributes available + to attribute definitions for finishing. + + + + + + + Time to bypass connector after a failure before trying it again. + + + + + A list of attribute names to be exported by the resolution process from this data connector. + + + + + + + + + + A base type for all attribute resolver plugins: data and principal + connectors and attribute definitions + + + + + A unique identifier for this definition. + + + + + + A reference to a predicate to decide whether this plugin is applicable. + Mutually exclusive with [exclude]relyingParties and [exclude]resolutionPhases. + + + + + + + A (space separated) list of entities for which this plugin is to be active. + Mutually exclusive with activationConditionRef. + + + + + + + A (space separated) list of entities for which this plugin is to be inactive. + Mutually exclusive with activationConditionRef. + + + + + + + A (space separated) list of resolution "phases" for which this plugin is to be active. + Mutually exclusive with activationConditionRef. + + + + + + + A (space separated) list of resolution "phases" for which this plugin is to be inactive. + Mutually exclusive with activationConditionRef. + + + + + + + DEPRECATED: Whether to ripple errors produced by the plugin out to the resolver (default is true). + + + + + + + + + Defines a dependency on a specific Attribute Definition. + + + + + + + Defines a dependency on a specific Data Connector. + + attributeNames is a space separated list of attribute names. Property replacement done + before "listification"" + + allAttributes means take all attributes. Property replacement done before conversion + + One one of the above are allowed. + + + + + + + + + + + + + + + Defines a data connector to use should the parent data connector fail. 
+ + + + + + An (abstract) type that represents a reference to another plugin + + + + + + + + + + + + + + + + Performs many to one mapping of source values to a return value. SourceValue strings may include regular + expressions and the ReturnValue may include back references to capturing groups as supported by + java.util.regex.Pattern. + + + + + + The value to be returned from this value map. + + + + + A regular expression string to be matched against the incoming value. + + + + + + + If true, value matching will be case-sensitive. + + + + + + If true, the SourceValue may match only a substring of the incoming value. By + default, it must match the entire value. + + + + + + + + + + + + + A attribute definition to pull attribute values from anywhere in the PRC tree + + + + + + + + + + + The Function to generate the Attribute Values given a PRC + + + + + + + + + + The mapped attribute definition performs a many to many mapping from source attributes values provided + by the definition's dependencies to values which are returned. Each source value is passed through each + defined ValueMap which may result in one or more resulting values. If no ValueMaps match the source + value and a DefaultValue is defined, the DefaultValue is used. + + + + + + + + + + + + + + A source value is mapped to the DefaultValue if none of the ValueMaps result in a match. + This string may not contain regular expression back references. + + + + + + + + + If true, the source value is passed thru unmodified. If passThru is + enabled, DefaultValue may not contain a string value. + + + + + + + + + + + + + + + + + An attribute definition that splits the values of the source attribute into an attribute value + with a value and scope. + + + + + + + + + + + + + + Delimiter between the value and scope. + + + + + + + + + Exposes the principal's name as an attribute definition. 
+ + + + + + + + + + + + + + + An attribute definition that splits the source attribute's values based on a regular expression. + + + + + + + + + + + + + The regular expression used to split a value. + + + + + + A boolean flag indicating the case sensitivity of the regular expression. + + + + + + + + + + DEPRECATED: An attribute definition that creates attributes whose values are SAML 1 NameIdentifiers. + + + + + + + + + + + + + The SAML 1 NameFormat of the NameID. + + + + + The SAML 1 NameQualifier of the NameID. + + + + + + + + + DEPRECATED: An attribute definition that creates attributes whose values are SAML 2 NameIDs. + + + + + + + + + + + + + The SAML 2 NameFormat of the NameID. + + + + + The SAML 2 NameQualifier of the NameID. + + + + + The SAML 2 SPNameQualifier of the NameID. + + + + + + + + + A basic attribute definition which supports attribute scoping. + + + + + + + + + + + + + Value to use for scoping the attribute. + + + + + Attribute whose values will be used for scoping the attribute. + + + + + + + + + + An attribute definition that constructs its attributes by means of a script supported by JSR-223. The + script is provided all the edu.internet2.middleware.shibboleth.common.attribute.Attribute object + resolved from all the definitions dependencies. The resultant attribute definition must then be bound to + a script attribute corresponding to the script variable whose name is the ID of the definition. This + variable is injected into the script by the attribute definition. + + + + + + + + + + + + + + The script to evaluate to construct the attribute. + + + + + + The filesystem path to the script to evaluate to construct the attribute. + + + + + + + + The JSR-233 name for the scripting language that will be used. By default "javascript" is + supported. + + + + + + + The name of a bean defined somewhere else which will be injected into the script as an + object called "custom". If not supplied, nothing is injected. 
+ + + + + + + + + + A basic attribute definition. + + + + + + + + + + + + + Do we drop null values (default: FALSE) + + + + + + + + + An attribute definition producing date/time values. + + + + + + + + + + + + + Are conversion errors ignored? (default: FALSE) + + + + + + Use seconds as epoch unit instead of millseconds when converting numeric data (default: TRUE) + + + + + + A formatting string to use converting string data. + + + + + + + + + An attribute definition involving an encrypted (DataSealed) attribute + + + + + + + + + + + + + Value to use for the decryption key + + + + + + + + + A attribute definition to pull attribute values from the Principals. A short cut looks at IdPAttributePrincipals + + + + + + + + + + + + Provides a plug in point to allow general extraction of values from Principals. + Mutually exclusive with principalAttributeName. + + + + + + + The id of the IdPAttribute contained within a IdPAttributePrincipal to look for. + Mutually exclusive with attributeValueEngineRef. + + + + + + + If true, the source Subject is assumed to be undergoing C14N rather than the + usual post-authentication source. Defaults to false. + + + + + + + + + + + An Attribute Definition that constructs its values based on the values of its dependencies using the + Velocity Template Language. Dependencies may have multiple values, however multiple dependencies must + have the same number of values. In the case of multi-valued dependencies, the template will be evaluated + multiples times, iterating over each dependency. + + + + + + + + + + + + + + Template specified in the Velocity Template Language used to construct attribute values. + + + + + + + Name of the velocity engine defined within the application. + + + + + + + + + + An ID created by digesting the requesting entityID, an attribute value (usually a user identifier), and a salt. + + + + + + + + + + + + + The name of the attribute produced by this data connector. 
+ + + + + + + A salt, of at least 16 bytes, used in the computed ID. + + + + + + + A base64-encoded salt, of at least 16 bytes, used in the computed ID. + + + + + + + The JCE digest algorithm to use, defaults to SHA-1. + + + + + + + An encoding type to apply after the digest, defaults to BASE64 but should + be set to BASE32. + + + + + + + Spring bean reference to a map of overrides that alter salt or suppress generation + for particular users/services. + + + + + + + Spring bean reference to a BiFunction<ProfileRequestContext,PairwiseId> + to obtain the salt. + + + + + + + + + + + A data connector that can pull information from an LDAP, version 3, directory. + + + + + + + + + + + + A template used to construct the LDAP filter used to query the directory. + + + + + + + A space separated list of attributes that should be returned from the query. + + + + + + + A space separated list of attributes whose values should be encoded. + + + + + + + The X.509 trust information to use when connecting to the directory over LDAPS or startTLS. + DEPRECATED in 3.4 Use trustFile= + + + + + + + The X.509 client authentication information to use when connecting to the directory over LDAPS or startTLS. + DEPRECATED in 3.4 Use authCert= and authKey + + + + + + + + + + + + + The URL to the LDAP server. + If the search scope is set to ONELEVEL only the entries + within this node will be searched, if SUBTREE is specified entries within this node and descendant + nodes will be searched. + + + + + + + The LDAP connection strategy. Acceptable values are ACTIVE_PASSIVE, ROUND_ROBIN and RANDOM. + Default value is ACTIVE_PASSIVE. + + + + + + + The base DN from which attribute search filtering occurs + + + + + + The DN for the principal connecting to the LDAP directory. + + + + + + The credential for the principal connecting to the LDAP directory. + + + + + + + The LDAP search scope. Acceptable values are OBJECT, ONELEVEL, SUBTREE. + Default value is SUBTREE. 
+ + + + + + + The LDAP alias dereference behavior. Acceptable values are NEVER, SEARCHING, FINDING, ALWAYS. + Default value is NEVER. + + + + + + + A boolean flag indicating whether search referrals and search references should be followed. + Default value is false. + + + + + + + A boolean flag indicating whether startTLS should be used when connecting to the LDAP. + Default value is false. + + + + + + + The maximum amount of time to wait for startTLS responses. If this limit is + reached a timeout error is raised. Default value is 3 seconds. + Time is expressed in ISO8601 duration format. + + + + + + + The maximum amount of time to wait for search results. If this limit is + reached a timeout error is raised. Default value is 3 seconds. + Time is expressed in ISO8601 duration format. + + + + + + + The maximum amount of time to wait for connections to open. If this limit is + reached a timeout error is raised. Default value is 3 seconds. + Time is expressed in ISO8601 duration format. + + + + + + + The maximum amount of time to wait for operation responses. If this limit is + reached a timeout error is raised. Default value is 3 seconds. + Time is expressed in ISO8601 duration format. + + + + + + + A boolean flag indicating whether unexpectedly closed connections should automatically attempt to reconnect. + Default value is true. + + + + + + + The maximum amount of time to wait for a reconnect to occur. If this limit is + reached a timeout error is raised. Default value is 10 seconds. + Time is expressed in ISO8601 duration format. + + + + + + + The maximum number of results that may be returned from a query. + Default value is 1. + + + + + + + A boolean flag indicating whether a query returning no results should be considered an error. If + an error is raised and a failover dependency is defined for this connector the failover will + be invoked. + Default value is false. 
+ + + + + + + A boolean flag indicating whether a query returning more than one result should be considered an error. If + an error is raised and a failover dependency is defined for this connector the failover will + be invoked. + Default value is false. + + + + + + + Whether to lowercase LDAP attribute names used as IDs for shibboleth attributes + + + + + + Name of the template engine defined within the application. + + + + + + Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use. + + + + + + + Reference to a Spring bean providing the MappingStrategy implementation to use. + + + + + + + Reference to a Spring bean providing the Connection Factory implementation to use. + + + + + + + Reference to a Spring bean providing the Search Operation implementation to use. + + + + + + + Reference to a Spring bean providing the Validator implementation to use. + + + + + + + Path to a file with the X.509 trust information to use when connecting to the directory over LDAPS or startTLS + + + + + + + Whether to disable hostname/certificate checking during TLS. Defaults to false. + + + + + + + Path to a file with the X.509 trust client authentication certificate to use when connecting to the directory over LDAPS or startTLS + + + + + + + Path to a file with the X.509 trust client authentication key to use when connecting to the directory over LDAPS or startTLS + + + + + + + Password for the supplied authKey + + + + + + + Whether to fail if the LDAP server cannot be verified at startup (defaults to false). + + + + + + + + + + + A connector for pairwise ID production that directly leverages a PairwiseIdStore bean. + + + + + + + + + + + + + Bean name of the PairwiseIdStore to use. + + + + + + + The name of the attribute produced by this data connector. + + + + + + + + + + + A data connector definition that uses JDBC version 3 to connect to and pull information from a + relational database. 
+ + + + + + + + + + + + A connection, or pool of connections, to the database managed by the application + container. + + + + + + + A connection, or pool of connections, to the database managed by the data connector. + + + + + + + A connection, or pool of connections, to the database configured in a Spring bean. + + + + + + + A template that will be used to create the SQL query thats pulls information from the + database. + + + + + + + + + + + Timeout for the queries made to the database. + Timeout is given in ISO8601 duration form. + + + + + + + A boolean flag indicating whether a query returning no results should be considered an error. If + an error is raised and a failover dependency is defined for this connector the failover will + be invoked. + Default value is false. + + + + + + + A boolean flag indicating whether a query returning more than one result should be considered an error. If + an error is raised and a failover dependency is defined for this connector the failover will + be invoked. + Default value is false. + + + + + + + Name of the template engine defined within the application. + + + + + + + Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use. + + + + + + + Reference to a Spring bean providing the MappingStrategy implementation to use. + + + + + + + Reference to a Spring bean providing the Validator implementation to use. + + + + + + + Whether to fail if the DataConnector cannot be verified at startup (defaults to false). + + + + + + + + + + + A data connector definition that issues requests and parses responses using HTTP, typically + via a form of web service. REST and scripted handling of responses, typically in JSON, + is the primary use case. + + + + + + + + + + + + A template that will be used to create the absolute URL to request. + + + + + + + + + + + + + + A template that will be used to create a body to POST. 
+ + + + + + + + + + + + + + + + A template that will be used to create a key to the caching of the results. + + + + + + Maps the response into attributes by means of scripting. + + + + + + + + + Reference to a Spring bean providing the HttpClient to use. + + + + + + + Reference to a Spring bean providing the HttpClientSecurityParameters to use. + + + + + + + Location of certificate to authenticate HTTP server + + + + + + + Location of CA to indirectly authenticate HTTP server + + + + + + + Location of private key to authenticate with via TLS + + + + + + + Location of client certificate to authenticate with via TLS + + + + + + + Name of the template engine defined within the application. + + + + + + + Maximum size of response body to accept. + + + + + + + A space-delimited list of HTTP status codes that should be treated as successful. + + + + + + + + + + A space-delimited list of MIME content types that should be accepted. + + + + + + + + + + Reference to a Spring bean providing a Map<String,String> of request headers to set. + + + + + + + Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use. + + + + + + + Reference to a Spring bean providing the MappingStrategy implementation to use. + + + + + + + Reference to a Spring bean providing the Validator implementation to use. + + + + + + + Whether to fail if the HTTP server cannot be verified at startup (defaults to false). + No verification takes place currently. + + + + + + + + + + + A data connector that constructs attributes by means of a script supported by JSR-223. Populated + Attributes are added to the java.util.Collection "connectorResults". + + + + + + + + + + + The script to evaluate to construct the attribute. + + + + + + The filesystem path to the script to evaluate to construct the attribute. + + + + + + + + The JSR-233 name for the scripting language that will be used. By default "javascript" is + supported. 
+ + + + + + + The name of a bean defined somewhere else which will be injected into the script as an + object called "custom". If not supplied, nothing is injected. + + + + + + + + + + + A data connector that gets its information from a static list of attributes and values specified within + this configuration. + + + + + + + + + Specifies an attribute, and its values, to be exposed by this connector. + + + + + + + + A value of the attribute. If the value contains characters that would + otherwise need to be XML encoded you may wrap the value in a CDATA section. + + + + + + + The ID of the attribute. + + + + + + + + + The name of a bean defined somewhere else which describes a List of IdPAttributes + + + + + + + + + + + A data connector definition that queries for a record via the IdP's StorageService API. + Simple and scripted handling of records, typically in JSON, is the primary use case. + + + + + + + + + + + + A template that will be used to create the context to query. + + + + + + + A template that will be used to create the key to query. + + + + + + + Maps the record into attributes by means of scripting. + Mutually exclusive with generatedAttributeID attribute. + + + + + + + + + + Reference to Spring bean of the StorageService to use. + + + + + + + Injected object into Context/Key template building process. + + + + + + + The name of the attribute produced by this data connector if simple + record mapping is used. Mutually exclusive with ResponseMapping element. + + + + + + + A boolean flag indicating whether a search returning no record should be considered an error. If + an error is raised and a failover dependency is defined for this connector the failover will + be invoked. + Default value is false. + + + + + + + Name of the template engine defined within the application. + + + + + + + Reference to a Spring bean providing the ExecutableSearchBuilder implementation to use. 
+ + + + + + + Reference to a Spring bean providing the MappingStrategy implementation to use. + + + + + + + + + + + A connector that retrieves a pairwise ID from a database. + + + + + + + + + + + + + A connection, or pool of connections, to the database managed by the application + container. + + + + + + + A connection, or pool of connections, to the database configured in a Spring bean. + + + + + + + + Timeout for the queries made to the database. + Timeout is given in ISO8601 duration form. + + + + + + + Number of retries if insert fails (defaults to 3). + + + + + + + Overrides name of database table to use. + + + + + + + Whether to fail if the store cannot be verified at startup (defaults to false). + + + + + + + A space-delimited list of SQLState codes to treat as retryable (indicating + a duplicate insert error occurred). + + + + + + + + + + The name of the attribute produced by this data connector. + + + + + + + A salt, of at least 16 bytes, used in the computed ID. + + + + + + + A base64-encoded salt, of at least 16 bytes, used in the computed ID. + + + + + + + The JCE digest algorithm to use, defaults to SHA-1. + + + + + + + An encoding type to apply after the digest, defaults to BASE64 but should + be set to BASE32. + + + + + + + Spring bean reference to a map of overrides that alter salt or suppress generation + for particular users/services. + + + + + + + Spring bean reference to a BiFunction<ProfileRequestContext,PairwiseId> + to obtain the salt. + + + + + + + + + + + A data connector that constructs attributes by extracting all IdPAttributePrincipal objects + found within the Subject(s) associated with the requests. + + This is a streamlined approach to extracting them one by one with the SubjectDerivedAttribute + plugin provided encoding and other attribute metadata can be obtained from the system's + generalized transcoding facility. + + + + + + + + + + + A boolean flag indicating whether an absence of any results will cause an error. 
If an error + is raised and a failover dependency is defined for this connector the failover will be invoked. + Default value is false. + + + + + + + If true, the source Subject is assumed to be undergoing C14N rather than the + usual post-authentication source. Defaults to false. + + + + + + + + + + + A connector for extracting mapped/decoded metadata tags from a peer's metadata. + + + + + + + + Bean ID of a Function to locate the SAMLMetadataContext to operate on. + Default is to locate it under the inbound message context via SAMLPeerEntityContext. + + + + + + + + + + + + + The name of the database column. + + + + + The name of the attribute that data from this column should be added to. + + + + + + + + + + SASL configuration properties. + Common properties include javax.security.sasl.qop, javax.security.sasl.strength, javax.security.sasl.server.authentication. + + + + + + + + The SASL mechanism. Common values are EXTERNAL, DIGEST_MD5, CRAM_MD5, GSSAPI + + + + + + SASL authorization ID. + + + + + The SASL realm. + + + + + + + + + The minimum number of ldap connections that should always be available in the pool. + Note that these connections are provisioned as soon as the pool is initialized. + Default value is 0. + + + + + + + The maximum number of ldap connections that should ever be available in the pool. + Note that when this threshold is reach the pool will begin blocking until a connection + is available. + Default value is 3. + + + + + + + Amount of time to block while waiting for a connection from the pool. If no + wait time is given, callers will block indefinitely. + + Values are expressed in ISO8601 duration format. + + + + + + + Whether each ldap connection should be checked on a periodic basis. + Default value is false. + + + + + + + Time that the periodic pool validation process should repeat. + Ldap objects are pruned when they have been idle beyond the expiration time. + The pool is not pruned below the minimum pool size. 
+ Default value is 30 minutes. + + Period is expressed in ISO8601 duration format. + + + + + + + Ldap compare DN to use for connection validation. + Used in conjunction with validateFilter to perform a compare. + Default value is empty. + + + + + + + Ldap compare filter to use for connection validation. + Used in conjunction with validateDN to perform a compare. + Default value is (objectClass=*). + + + + + + + Whether to validate connections when checking them out of the pool. + + + + + + + Duration between looking for idle connections to reduce the pool back + to its minimum size. + + + + + + + Time in that an object in the pool should be considered stale and ready for removal. + Time is expressed in ISO8601 duration format. + + + + + + + + + + Name of the CacheManager bean that will manage the result cache. This is not used. + + + + + + + Length of time a result will be cached after the last access. + Incompatible with expireAfterWrite. + + Duration is expressed in ISO8601 duration notation. + + + + + + + Length of time a result will be cached from the time + it is inserted into the cache. + Incompatible with expireAfterAccess. + + Duration is expressed in ISO8601 duration notation. + + + + + + + Maximum number of results that will be held in cache. + + + + + + + + + Describes a database connection source that is managed by the application container. + + + + + + + + The resource name the DataSource is bound to in the JNDI tree. + + + + + + + + The name of the property. + + + + + The value of the property, + + + + + + + + Describes a simple database connection source that is managed by the attribute resolver data connector. + Included to "get people going" only + + + + + + + + + This is the full qualified class name of the JDBC driver used to connect to the database. + + + + + + + The JDBC URL for the database. These are usually of the form + jdbc:databaseProduceName:databaseSpecificInformation. 
For example, jdbc:hsql:mem:MyDatabase + + + + + + The user name to use while connecting to the database. + + + + + The password to use while connecting to the database. + + + + + + + + Defines a SAML 1 string encoder for an attribute. + + + + + + The SAML 1 Namespace of the attribute. + + + + + + + + + Defines a SAML 1 Base64 encoder for an attribute. + + + + + + The SAML 1 Namespace of the attribute. + + + + + + + + + Defines a SAML 1 Base64 encoder for an attribute. + + + + + + The SAML 1 Namespace of the attribute. + + + + + + + + + Defines a SAML 2 string encoder for an attribute. + + + + + + The SAML 2 NameFormat of the attribute. + + + + + The SAML 2 FriendlyName of the attribute. + + + + + + + + + Defines a SAML 2 date/time encoder for an attribute. + + + + + + The SAML 2 NameFormat of the attribute. + + + + + The SAML 2 FriendlyName of the attribute. + + + + + + + + + Defines a SAML 2 Base64 encoder for an attribute. + + + + + + The SAML 2 NameFormat of the attribute. + + + + + The SAML 2 FriendlyName of the attribute. + + + + + + + + + Defines a SAML 2 Base64 encoder for an attribute. + + + + + + The SAML 2 NameFormat of the attribute. + + + + + The SAML 2 FriendlyName of the attribute. + + + + + + + + + Defines an encoder for a scoped attribute. + + + + + + + The type of scoping to use for the encoded attribute. Valid values are "inline" or + "attribute". + + + + + + + If scopeType is "inline", this is the delimeter used between the attribute value and + scope. + + + + + + + If scopeType is "attribute", this is the name of the name of the attribute used to carry the + scope value. + + + + + + + + + + Defines a SAML 1 string encoder for a scoped attribute. + + + + + + The SAML 1 Namespace of the attribute. + + + + + + + + + Defines a SAML 2 string encoder for a scoped attribute. + + + + + + The SAML 2 NameFormat of the attribute. + + + + + The SAML 2 FriendlyName of the attribute. 
+ + + + + + + + + + + + A type for elements that allow for scripts to be declared inline or via a resource. + + + + + + The script to evaluate to construct the attribute. + + + + + + Path of a local resource containing the script to evaluate to construct the attribute. + + + + + + + + The JSR-233 name for the scripting language that will be used. + By default "javascript" is assumed. + + + + + + + The name of a bean defined somewhere else which will be injected into the script as an + object called "custom". If not supplied, nothing is injected. + + + + + + + + + + + + diff --git a/schema/xenc-schema.xsd b/schema/xenc-schema.xsd new file mode 100644 index 0000000..d61229f --- /dev/null +++ b/schema/xenc-schema.xsd @@ -0,0 +1,146 @@ + + + + + + ]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/schema/xml.xsd b/schema/xml.xsd new file mode 100644 index 0000000..aea7d0d --- /dev/null +++ b/schema/xml.xsd @@ -0,0 +1,287 @@ + + + + + + +
+

About the XML namespace

+ +
+

+ This schema document describes the XML namespace, in a form + suitable for import by other schema documents. +

+

+ See + http://www.w3.org/XML/1998/namespace.html and + + http://www.w3.org/TR/REC-xml for information + about this namespace. +

+

+ Note that local names in this namespace are intended to be + defined only by the World Wide Web Consortium or its subgroups. + The names currently defined in this namespace are listed below. + They should not be used with conflicting semantics by any Working + Group, specification, or document instance. +

+

+ See further below in this document for more information about how to refer to this schema document from your own + XSD schema documents and about the + namespace-versioning policy governing this schema document. +

+
+
+
+
+ + + + +
+ +

lang (as an attribute name)

+

+ denotes an attribute whose value + is a language code for the natural language of the content of + any element; its value is inherited. This name is reserved + by virtue of its definition in the XML specification.

+ +
+
+

Notes

+

+ Attempting to install the relevant ISO 2- and 3-letter + codes as the enumerated possible values is probably never + going to be a realistic possibility. +

+

+ See BCP 47 at + http://www.rfc-editor.org/rfc/bcp/bcp47.txt + and the IANA language subtag registry at + + http://www.iana.org/assignments/language-subtag-registry + for further information. +

+

+ The union allows for the 'un-declaration' of xml:lang with + the empty string. +

+
+
+
+ + + + + + + + + +
+ + + + +
+ +

space (as an attribute name)

+

+ denotes an attribute whose + value is a keyword indicating what whitespace processing + discipline is intended for the content of the element; its + value is inherited. This name is reserved by virtue of its + definition in the XML specification.

+ +
+
+
+ + + + + + +
+ + + +
+ +

base (as an attribute name)

+

+ denotes an attribute whose value + provides a URI to be used as the base for interpreting any + relative URIs in the scope of the element on which it + appears; its value is inherited. This name is reserved + by virtue of its definition in the XML Base specification.

+ +

+ See http://www.w3.org/TR/xmlbase/ + for information about this attribute. +

+
+
+
+
+ + + + +
+ +

id (as an attribute name)

+

+ denotes an attribute whose value + should be interpreted as if declared to be of type ID. + This name is reserved by virtue of its definition in the + xml:id specification.

+ +

+ See http://www.w3.org/TR/xml-id/ + for information about this attribute. +

+
+
+
+
+ + + + + + + + + + +
+ +

Father (in any context at all)

+ +
+

+ denotes Jon Bosak, the chair of + the original XML Working Group. This name is reserved by + the following decision of the W3C XML Plenary and + XML Coordination groups: +

+
+

+ In appreciation for his vision, leadership and + dedication the W3C XML Plenary on this 10th day of + February, 2000, reserves for Jon Bosak in perpetuity + the XML name "xml:Father". +

+
+
+
+
+
+ + + +
+

About this schema document

+ +
+

+ This schema defines attributes and an attribute group suitable + for use by schemas wishing to allow xml:base, + xml:lang, xml:space or + xml:id attributes on elements they define. +

+

+ To enable this, such a schema must import this schema for + the XML namespace, e.g. as follows: +

+
+          <schema . . .>
+           . . .
+           <import namespace="http://www.w3.org/XML/1998/namespace"
+                      schemaLocation="http://www.w3.org/2001/xml.xsd"/>
+     
+

+ or +

+
+           <import namespace="http://www.w3.org/XML/1998/namespace"
+                      schemaLocation="http://www.w3.org/2009/01/xml.xsd"/>
+     
+

+ Subsequently, qualified reference to any of the attributes or the + group defined below will have the desired effect, e.g. +

+
+          <type . . .>
+           . . .
+           <attributeGroup ref="xml:specialAttrs"/>
+     
+

+ will define a type which will schema-validate an instance element + with any of those attributes. +

+
+
+
+
+ + + +
+

Versioning policy for this schema document

+
+

+ In keeping with the XML Schema WG's standard versioning + policy, this schema document will persist at + + http://www.w3.org/2009/01/xml.xsd. +

+

+ At the date of issue it can also be found at + + http://www.w3.org/2001/xml.xsd. +

+

+ The schema document at that URI may however change in the future, + in order to remain compatible with the latest version of XML + Schema itself, or with the XML namespace itself. In other words, + if the XML Schema or XML namespaces change, the version of this + document at + http://www.w3.org/2001/xml.xsd + + will change accordingly; the version at + + http://www.w3.org/2009/01/xml.xsd + + will not change. +

+

+ Previous dated (and unchanging) versions of this schema + document are at: +

+ +
+
+
+
+ +
+
diff --git a/scripts/bump-tag b/scripts/bump-tag
new file mode 100755
index 0000000..7cb8507
--- /dev/null
+++ b/scripts/bump-tag
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -e
+
+git pull
+
+tagpfx=${tag:="md"}
+
+last_tag=`git tag -l "${tagpfx}-*"|sort|tail -1`
+
+echo "Verifying last tag $last_tag:"
+(git tag -v $last_tag | grep ^gpg:) || true
+# again to not mask exit status of git with grep
+git tag -v $last_tag > /dev/null 2>&1
+echo ""
+
+echo "Differences between tag $last_tag and what you are about to sign:"
+PAGER=cat git diff $last_tag..master
+
+iter=1
+ok=
+while test -z "$ok"; do
+ this_tag=$(date +${tagpfx}-%Y-%m-%d-v`printf "%02d" $iter`)
+ iter=`expr $iter + 1`
+ case `(echo $this_tag; echo $last_tag) | sort | tail -1` in
+ $last_tag)
+ ;;
+ $this_tag)
+ ok=yes
+ ;;
+ esac
+done
+
+echo ""
+echo "Using new tag $this_tag"
+echo ONLY SIGN IF YOU APPROVE OF VERIFICATION AND DIFF ABOVE
+
+# GITTAGEXTRA is for putting things like "-u 2117364A"
+
+git tag $GITTAGEXTRA -m bump. -s $this_tag
+
+git push
+git push --tags
diff --git a/scripts/do-update.sh b/scripts/do-update.sh
new file mode 100755
index 0000000..078ae15
--- /dev/null
+++ b/scripts/do-update.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+cd /var/cache/entity-configurations_git.swamid.se && make update
diff --git a/scripts/verify-tag b/scripts/verify-tag
new file mode 100755
index 0000000..ddc3ff3
--- /dev/null
+++ b/scripts/verify-tag
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+export GNUPGHOME=/etc/metadata/gnupg
+mkdir -p $GNUPGHOME
+export GPG=gpg
+
+git config --global gpg.program gpg
+
+tag=$(git tag -l "md-[0-9]*" | sort | tail -1)
+if [ -z "$tag" ]; then
+ echo "no matching tag found"
+ exit 1
+fi
+git checkout $tag && git tag -v $tag
-- cgit v1.2.3
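Review bot: The diff presented for approval is `git diff $last_tag..master`, but `git tag $GITTAGEXTRA -m bump. -s $this_tag` signs whatever HEAD is, so when the script is run from any other branch the signed tag does not cover the content the operator just approved. A guard before the diff, `[ "$(git rev-parse --abbrev-ref HEAD)" = master ] || { echo "not on master" >&2; exit 1; }`, keeps the two in step. The tag lookup `git tag -l "${tagpfx}-*"` also differs from verify-tag's `"md-[0-9]*"`, so the two scripts may disagree on the latest tag as soon as a prefix other than md is used. `$last_tag` and `$this_tag` should be quoted; the unquoted `$GITTAGEXTRA` looks intentional (it carries several words) and its comment should say so, e.g. `# GITTAGEXTRA is deliberately unquoted: it may hold several options such as "-u <keyid>"`.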
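Review bot: The working tree is switched to the tag before its signature is checked (`git checkout $tag && git tag -v $tag`), so a tag that fails verification is still checked out even though the Makefile's rsync step is skipped; reversing the order, `git tag -v "$tag" && git checkout "$tag"`, verifies first and leaves the tree untouched on failure. As far as I know `git tag -v` exits 0 for any good signature from a key present in GNUPGHOME regardless of its trust level unless `gpg.minTrustLevel` is configured, so the keyring in /etc/metadata/gnupg is the real trust anchor here and deserves a comment above the export saying which keys belong in it. `git config --global gpg.program gpg` rewrites the invoking user's global git config on every run; `git -c gpg.program=gpg tag -v "$tag"` would scope it to this invocation. The exported `GPG=gpg` appears unused within the script.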