summaryrefslogtreecommitdiff
path: root/schema/shibboleth-trust-1.0.xsd
diff options
context:
space:
mode:
Diffstat (limited to 'schema/shibboleth-trust-1.0.xsd')
-rw-r--r--schema/shibboleth-trust-1.0.xsd60
1 files changed, 60 insertions, 0 deletions
diff --git a/schema/shibboleth-trust-1.0.xsd b/schema/shibboleth-trust-1.0.xsd
new file mode 100644
index 00000000..0e603a5b
--- /dev/null
+++ b/schema/shibboleth-trust-1.0.xsd
@@ -0,0 +1,60 @@
+<schema targetNamespace="urn:mace:shibboleth:trust:1.0"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:trust="urn:mace:shibboleth:trust:1.0"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ version="1.0">
+
+ <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
+
+ <annotation>
+ <documentation>
+ Trust metadata binds keys or authority lists to system entities.
+ The metadata consumer is responsible for associating the names of system entities
+ to the application context in an appropriate way.
+ </documentation>
+ </annotation>
+
+ <element name="Trust">
+ <annotation>
+ <documentation>
+ An optionally signed collection of trust binding elements.
+ ds:KeyInfo is by definition a binding of a key to a specific entity,
+ which may be specified in various ways such as KeyName or X509SubjectName.
+ </documentation>
+ </annotation>
+ <complexType>
+ <sequence>
+ <choice maxOccurs="unbounded">
+ <element ref="ds:KeyInfo"/>
+ <element ref="trust:KeyAuthority"/>
+ </choice>
+ <element ref="ds:Signature" minOccurs="0"/>
+ </sequence>
+ <attribute name="lastChanged" type="dateTime" use="optional"/>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ </element>
+
+ <element name="KeyAuthority" type="trust:KeyAuthorityType"/>
+ <complexType name="KeyAuthorityType">
+ <annotation>
+ <documentation>
+ Binds keying authorities to one or more named system entities.
+ Omitting ds:KeyName will apply the authorities to all transactions, unless
+ another specific match applies. This is risky, so use wisely, in conjunction
+ with constraints on acceptable messages using other forms of metadata or policy.
+ </documentation>
+ </annotation>
+ <sequence>
+ <element ref="ds:KeyName" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="ds:KeyInfo"/>
+ </sequence>
+ <attribute name="VerifyDepth" type="unsignedByte" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+
+</schema>