diff options
Diffstat (limited to 'schema/shibboleth.xsd')
-rw-r--r-- | schema/shibboleth.xsd | 296 |
1 files changed, 296 insertions, 0 deletions
diff --git a/schema/shibboleth.xsd b/schema/shibboleth.xsd new file mode 100644 index 00000000..392fed45 --- /dev/null +++ b/schema/shibboleth.xsd @@ -0,0 +1,296 @@ +<?xml version="1.0" encoding="US-ASCII"?> +<schema targetNamespace="urn:mace:shibboleth:1.0" + xmlns="http://www.w3.org/2001/XMLSchema" + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" + xmlns:xml="http://www.w3.org/XML/1998/namespace" + xmlns:shib="urn:mace:shibboleth:1.0" + xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" + elementFormDefault="qualified" + attributeFormDefault="unqualified" + version="1.2"> + + <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/> + <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/> + <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="cs-sstc-schema-assertion-1.1.xsd"/> + + <!-- Status-Related Information --> + + <!-- + The following SAML sub-status codes are defined in this namespace: + + "InvalidHandle" + Used with samlp:Requester, signals AA did not recognize handle as valid + --> + + <!-- + Relaxes SAML AttributeValue type definition. Xerces-C has a bug that prevents + anyAttribute content appearing on anyType. It works in 2.2 but not in later versions. + --> + + <complexType name="AttributeValueType" mixed="true"> + <annotation> + <documentation xml:lang="en"> + By convention, all Shibboleth 1.1 origin attribute values carry this unconstrained xsi:type. + </documentation> + </annotation> + <complexContent> + <extension base="anyType"/> + </complexContent> + </complexType> + + <!-- Attribute Acceptance Policies --> + + <simpleType name="AttributeRuleValueType"> + <restriction base="string"> + <enumeration value="literal"/> + <enumeration value="regexp"/> + <enumeration value="xpath"/> + </restriction> + </simpleType> + + <complexType name="SiteRuleType"> + <sequence> + <element name="Scope" minOccurs="0" maxOccurs="unbounded"> + <complexType> + <simpleContent> + <extension base="string"> + <attribute name="Accept" type="boolean" use="optional" default="true"/> + <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/> + <anyAttribute namespace="##other" processContents="lax"/> + </extension> + </simpleContent> + </complexType> + </element> + <choice minOccurs="0"> + <element name="AnyValue"> + <complexType> + <sequence/> + <anyAttribute namespace="##other" processContents="lax"/> + </complexType> + </element> + <element name="Value" maxOccurs="unbounded"> + <complexType> + <simpleContent> + <extension base="string"> + <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/> + <anyAttribute namespace="##other" processContents="lax"/> + </extension> + </simpleContent> + </complexType> + </element> + </choice> + </sequence> + </complexType> + + <element name="AnySite" type="shib:SiteRuleType"/> + <element name="SiteRule"> + <complexType> + <complexContent> + <extension base="shib:SiteRuleType"> + <attribute name="Name" type="string" use="required"/> + <anyAttribute namespace="##other" processContents="lax"/> + </extension> + </complexContent> + </complexType> + </element> + + <complexType name="AttributeRuleType"> + <sequence> + <element ref="shib:AnySite" minOccurs="0"/> + <element ref="shib:SiteRule" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="Name" type="string" use="required"/> + <attribute name="Namespace" type="string" use="optional"/> + <attribute name="Factory" type="string" use="optional"/> + <attribute name="Alias" type="string" use="optional"/> + <attribute name="Header" type="string" use="optional"/> + <anyAttribute namespace="##other" processContents="lax"/> + </complexType> + + <element name="AttributeRule" type="shib:AttributeRuleType"> + <key name="SiteRuleKey"> + <selector xpath="./shib:SiteRule"/> + <field xpath="@Name"/> + </key> + </element> + + <element name="AttributeAcceptancePolicy"> + <complexType> + <sequence> + <element name="AnyAttribute" minOccurs="0"> + <complexType> + <sequence/> + </complexType> + </element> + <element ref="shib:AttributeRule" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <anyAttribute namespace="##other" processContents="lax"/> + </complexType> + </element> + + + <!-- Shibboleth Metadata --> + + <complexType name="SiteType"> + <annotation> + <documentation xml:lang="en">All sites have a Name attribute, plus optional i18n-ized aliases.</documentation> + </annotation> + <sequence> + <element name="Alias" minOccurs="0" maxOccurs="unbounded"> + <complexType> + <simpleContent> + <extension base="string"> + <attribute ref="xml:lang"/> + </extension> + </simpleContent> + </complexType> + </element> + <element name="Contact" type="shib:ContactType" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="Name" type="string" use="required"/> + <attribute name="ErrorURL" type="anyURI" use="optional"/> + <anyAttribute namespace="##any" processContents="lax"/> + </complexType> + + <simpleType name="ContactTypeType"> + <restriction base="string"> + <enumeration value="technical"/> + <enumeration value="support"/> + <enumeration value="administrative"/> + <enumeration value="billing"/> + <enumeration value="other"/> + </restriction> + </simpleType> + + <complexType name="ContactType"> + <annotation><documentation xml:lang="en">A human contact for a site.</documentation></annotation> + <sequence/> + <attribute name="Type" type="shib:ContactTypeType" use="required"/> + <attribute name="Name" type="string" use="required"/> + <attribute name="Email" type="string" use="optional"/> + </complexType> + + <complexType name="regexp_string"> + <annotation> + <documentation xml:lang="en">A string element with an optional attribute signaling regexp content.</documentation> + </annotation> + <simpleContent> + <extension base="string"> + <attribute name="regexp" type="boolean" use="optional" default="false"/> + </extension> + </simpleContent> + </complexType> + + <complexType name="AuthorityType"> + <annotation> + <documentation xml:lang="en">Metadata about a SAML authority.</documentation> + </annotation> + <sequence/> + <attribute name="Name" type="string" use="required"/> + <attribute name="Location" type="anyURI" use="required"/> + <anyAttribute namespace="##any" processContents="lax"/> + </complexType> + + <complexType name="OriginSiteType"> + <annotation> + <documentation xml:lang="en"> + Origin sites add at least one handle service (with a name), plus optional domains trusted for attribute scoping. + </documentation> + </annotation> + <complexContent> + <extension base="shib:SiteType"> + <sequence> + <element name="HandleService" type="shib:AuthorityType" maxOccurs="unbounded"/> + <element name="AttributeAuthority" type="shib:AuthorityType" minOccurs="0" maxOccurs="unbounded"/> + <element name="Domain" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + </extension> + </complexContent> + </complexType> + + <complexType name="DestinationSiteType"> + <annotation> + <documentation xml:lang="en"> + Destination sites add at least one attribute requester (with a name). + </documentation> + </annotation> + <complexContent> + <extension base="shib:SiteType"> + <sequence> + <element name="AssertionConsumerServiceURL" maxOccurs="unbounded"> + <complexType> + <sequence/> + <attribute name="Location" type="string" use="required"/> + <attribute name="Id" type="string" use="optional"/> + <anyAttribute namespace="##any" processContents="lax"/> + </complexType> + </element> + <element name="AttributeRequester" maxOccurs="unbounded"> + <complexType> + <sequence/> + <attribute name="Name" type="string" use="required"/> + <anyAttribute namespace="##any" processContents="lax"/> + </complexType> + </element> + </sequence> + </extension> + </complexContent> + </complexType> + + <complexType name="SiteGroupType"> + <annotation> + <documentation xml:lang="en">Used to logically group sites together, optionally signed.</documentation> + </annotation> + <sequence> + <choice maxOccurs="unbounded"> + <element ref="shib:OriginSite"/> + <element ref="shib:DestinationSite"/> + <element ref="shib:SiteGroup"/> + </choice> + <element ref="ds:Signature" minOccurs="0"/> + </sequence> + <attribute name="Name" type="string" use="required"/> + <attribute name="lastChanged" type="dateTime" use="optional"/> + <attribute name="validUntil" type="dateTime" use="optional"/> + <attribute name="cacheDuration" type="duration" use="optional"/> + <anyAttribute namespace="##any" processContents="lax"/> + </complexType> + + <element name="OriginSite" type="shib:OriginSiteType"/> + <element name="DestinationSite" type="shib:DestinationSiteType"/> + <element name="SiteGroup" type="shib:SiteGroupType"/> + + + <!-- Old (pre 1.2) Trust Metadata --> + + <complexType name="KeyAuthorityType"> + <annotation> + <documentation xml:lang="en"> + Binds a set of keying material to one or more named system entities. + </documentation> + </annotation> + <sequence> + <element ref="ds:KeyInfo"/> + <element name="Subject" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <anyAttribute namespace="##any" processContents="lax"/> + </complexType> + <element name="KeyAuthority" type="shib:KeyAuthorityType"/> + + <element name="Trust"> + <annotation> + <documentation xml:lang="en">An optionally signed collection of KeyAuthority data.</documentation> + </annotation> + <complexType> + <sequence> + <element ref="shib:KeyAuthority" maxOccurs="unbounded"/> + <element ref="ds:Signature" minOccurs="0"/> + </sequence> + <attribute name="lastChanged" type="dateTime" use="optional"/> + <attribute name="validUntil" type="dateTime" use="optional"/> + <attribute name="cacheDuration" type="duration" use="optional"/> + <anyAttribute namespace="##any" processContents="lax"/> + </complexType> + </element> + +</schema> |