<?xml version="1.0" encoding="US-ASCII"?>
<schema targetNamespace="urn:mace:shibboleth:1.0"
	xmlns="http://www.w3.org/2001/XMLSchema"
	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
	xmlns:xml="http://www.w3.org/XML/1998/namespace"
	xmlns:shib="urn:mace:shibboleth:1.0"
	xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
	elementFormDefault="qualified"
	attributeFormDefault="unqualified"
	version="1.2">

    <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
    <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
    <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="cs-sstc-schema-assertion-1.1.xsd"/>
    
    <!-- Status-Related Information -->
    
    <!--
    The following SAML sub-status codes are defined in this namespace:
    
        "InvalidHandle"
            Used with samlp:Requester, signals AA did not recognize handle as valid
    -->

    <!--
    Relaxes SAML AttributeValue type definition. Xerces-C has a bug that prevents
    anyAttribute content appearing on anyType. It works in 2.2 but not in later versions.
    -->

	<complexType name="AttributeValueType" mixed="true">
		<annotation>
			<documentation xml:lang="en">
			By convention, all Shibboleth 1.1 origin attribute values carry this unconstrained xsi:type.
			</documentation>
		</annotation>
		<complexContent>
			<extension base="anyType"/>
		</complexContent>
	</complexType>
    
    <!-- Attribute Acceptance Policies -->
	
    <simpleType name="AttributeRuleValueType">
        <restriction base="string">
            <enumeration value="literal"/>
            <enumeration value="regexp"/>
            <enumeration value="xpath"/>
        </restriction>
    </simpleType>
    
    <complexType name="SiteRuleType">
    	<sequence>
    		<element name="Scope" minOccurs="0" maxOccurs="unbounded">
    			<complexType>
                    <simpleContent>
                        <extension base="string">
                        	<attribute name="Accept" type="boolean" use="optional" default="true"/>
                            <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
                            <anyAttribute namespace="##other" processContents="lax"/>
                        </extension>
                    </simpleContent>
    			</complexType>
    		</element>
	        <choice minOccurs="0">
	        	<element name="AnyValue">
	        		<complexType>
	        			<sequence/>
	        			<anyAttribute namespace="##other" processContents="lax"/>
	        		</complexType>
	        	</element>
	            <element name="Value" maxOccurs="unbounded">
	                <complexType>
	                    <simpleContent>
	                        <extension base="string">
	                            <attribute name="Type" type="shib:AttributeRuleValueType" use="optional" default="literal"/>
	                            <anyAttribute namespace="##other" processContents="lax"/>
	                        </extension>
	                    </simpleContent>
	                </complexType>
	            </element>
	        </choice>
    	</sequence>
    </complexType>

    <element name="AnySite" type="shib:SiteRuleType"/>
    <element name="SiteRule">
        <complexType>
            <complexContent>
                <extension base="shib:SiteRuleType">
                    <attribute name="Name" type="string" use="required"/>
                    <anyAttribute namespace="##other" processContents="lax"/>
                </extension>
            </complexContent>
        </complexType>
    </element>

    <complexType name="AttributeRuleType">
        <sequence>
            <element ref="shib:AnySite" minOccurs="0"/>
            <element ref="shib:SiteRule" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="Namespace" type="string" use="optional"/>
        <attribute name="Factory" type="string" use="optional"/>
        <attribute name="Alias" type="string" use="optional"/>
		<attribute name="Header" type="string" use="optional"/>
		<anyAttribute namespace="##other" processContents="lax"/>
    </complexType>

    <element name="AttributeRule" type="shib:AttributeRuleType">
        <key name="SiteRuleKey">
            <selector xpath="./shib:SiteRule"/>
            <field xpath="@Name"/>
        </key>
    </element>

    <element name="AttributeAcceptancePolicy">
        <complexType>
            <sequence>
                <element name="AnyAttribute" minOccurs="0">
                    <complexType>
                    	<sequence/>
                    </complexType>
                </element>
                <element ref="shib:AttributeRule" minOccurs="0" maxOccurs="unbounded"/>
            </sequence>
            <anyAttribute namespace="##other" processContents="lax"/>
        </complexType>
    </element>


    <!-- Shibboleth Metadata -->
    
    <complexType name="SiteType">
        <annotation>
        	<documentation xml:lang="en">All sites have a Name attribute, plus optional i18n-ized aliases.</documentation>
        </annotation>
        <sequence>
            <element name="Alias" minOccurs="0" maxOccurs="unbounded">
                <complexType>
                    <simpleContent>
                        <extension base="string">
                            <attribute ref="xml:lang"/>
                        </extension>
                    </simpleContent>
                </complexType>
            </element>
            <element name="Contact" type="shib:ContactType" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="ErrorURL" type="anyURI" use="optional"/>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>

	<simpleType name="ContactTypeType">
		<restriction base="string">
            <enumeration value="technical"/>
            <enumeration value="support"/>
            <enumeration value="administrative"/>
            <enumeration value="billing"/>
            <enumeration value="other"/>
        </restriction>
    </simpleType>

	<complexType name="ContactType">
		<annotation><documentation xml:lang="en">A human contact for a site.</documentation></annotation>
		<sequence/>
        <attribute name="Type" type="shib:ContactTypeType" use="required"/>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="Email" type="string" use="optional"/>
	</complexType>

    <complexType name="regexp_string">
        <annotation>
        	<documentation xml:lang="en">A string element with an optional attribute signaling regexp content.</documentation>
        </annotation>
        <simpleContent>
            <extension base="string">
                <attribute name="regexp" type="boolean" use="optional" default="false"/>
            </extension>
        </simpleContent>
    </complexType>    

	<complexType name="AuthorityType">
		<annotation>
			<documentation xml:lang="en">Metadata about a SAML authority.</documentation>
		</annotation>
        <sequence/>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="Location" type="anyURI" use="required"/>
        <anyAttribute namespace="##any" processContents="lax"/>
	</complexType>

    <complexType name="OriginSiteType">
        <annotation>
        	<documentation xml:lang="en">
        	Origin sites add at least one handle service (with a name), plus optional domains trusted for attribute scoping.
        	</documentation>
        </annotation>
        <complexContent>
	        <extension base="shib:SiteType">
	            <sequence>
	                <element name="HandleService" type="shib:AuthorityType" maxOccurs="unbounded"/>
	                <element name="AttributeAuthority" type="shib:AuthorityType" minOccurs="0" maxOccurs="unbounded"/>
	                <element name="Domain" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
	            </sequence>
	        </extension>
        </complexContent>
    </complexType>

    <complexType name="DestinationSiteType">
        <annotation>
        	<documentation xml:lang="en">
        	Destination sites add at least one attribute requester (with a name).
        	</documentation>
        </annotation>
        <complexContent>
	        <extension base="shib:SiteType">
	            <sequence>
	            	<element name="AssertionConsumerServiceURL" maxOccurs="unbounded">
	            		<complexType>
	            			<sequence/>
	            			<attribute name="Location" type="string" use="required"/>
           					<attribute name="Id" type="string" use="optional"/>
        					<anyAttribute namespace="##any" processContents="lax"/>
	            		</complexType>
	            	</element>
	                <element name="AttributeRequester" maxOccurs="unbounded">
	            		<complexType>
	            			<sequence/>
	            			<attribute name="Name" type="string" use="required"/>
        					<anyAttribute namespace="##any" processContents="lax"/>
	            		</complexType>
	                </element>
	            </sequence>
	        </extension>
        </complexContent>
    </complexType>

    <complexType name="SiteGroupType">
        <annotation>
        	<documentation xml:lang="en">Used to logically group sites together, optionally signed.</documentation>
        </annotation>
        <sequence>
            <choice maxOccurs="unbounded">
                <element ref="shib:OriginSite"/>
                <element ref="shib:DestinationSite"/>
                <element ref="shib:SiteGroup"/>
            </choice>
            <element ref="ds:Signature" minOccurs="0"/>
        </sequence>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="lastChanged" type="dateTime" use="optional"/>
        <attribute name="validUntil" type="dateTime" use="optional"/>
        <attribute name="cacheDuration" type="duration" use="optional"/>
        <anyAttribute namespace="##any" processContents="lax"/>
    </complexType>    

    <element name="OriginSite" type="shib:OriginSiteType"/>
    <element name="DestinationSite" type="shib:DestinationSiteType"/>
    <element name="SiteGroup" type="shib:SiteGroupType"/>


	<!-- Old (pre 1.2) Trust Metadata -->

	<complexType name="KeyAuthorityType">
		<annotation>
			<documentation xml:lang="en">
			Binds a set of keying material to one or more named system entities.
			</documentation>
		</annotation>
		<sequence>
			<element ref="ds:KeyInfo"/>
			<element name="Subject" type="shib:regexp_string" minOccurs="0" maxOccurs="unbounded"/>
		</sequence>
		<anyAttribute namespace="##any" processContents="lax"/>
	</complexType>
	<element name="KeyAuthority" type="shib:KeyAuthorityType"/>

	<element name="Trust">
		<annotation>
			<documentation xml:lang="en">An optionally signed collection of KeyAuthority data.</documentation>
		</annotation>
		<complexType>
			<sequence>
				<element ref="shib:KeyAuthority" maxOccurs="unbounded"/>
				<element ref="ds:Signature" minOccurs="0"/>
			</sequence>
	        <attribute name="lastChanged" type="dateTime" use="optional"/>
	        <attribute name="validUntil" type="dateTime" use="optional"/>
	        <attribute name="cacheDuration" type="duration" use="optional"/>
	        <anyAttribute namespace="##any" processContents="lax"/>
		</complexType>
	</element>

</schema>