Merge lp:~roadmr/canonical-identity-provider/validate-saml-xml into lp:canonical-identity-provider/release
Proposed by: Daniel Manrique
Status: Merged
Approved by: Daniel Manrique
Approved revision: no longer in the source branch.
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: lp:~roadmr/canonical-identity-provider/validate-saml-xml
Merge into: lp:canonical-identity-provider/release
Diff against target: 2814 lines (+2709/-1), 14 files modified
- config-manager.txt (+1/-1)
- saml-schema-xsd/saml-schema-assertion-2.0.xsd (+283/-0)
- saml-schema-xsd/saml-schema-authn-context-2.0.xsd (+23/-0)
- saml-schema-xsd/saml-schema-authn-context-types-2.0.xsd (+821/-0)
- saml-schema-xsd/saml-schema-metadata-2.0.xsd (+336/-0)
- saml-schema-xsd/saml-schema-protocol-2.0.xsd (+302/-0)
- saml-schema-xsd/sstc-metadata-attr.xsd (+35/-0)
- saml-schema-xsd/sstc-saml-attribute-ext.xsd (+25/-0)
- saml-schema-xsd/sstc-saml-metadata-algsupport-v1.0.xsd (+41/-0)
- saml-schema-xsd/sstc-saml-metadata-ui-v1.0.xsd (+89/-0)
- saml-schema-xsd/xenc-schema.xsd (+136/-0)
- saml-schema-xsd/xml.xsd (+287/-0)
- saml-schema-xsd/xmldsig-core-schema.xsd (+309/-0)
- src/ubuntu_sso_saml/tests/test_processors.py (+21/-0)
To merge this branch: bzr merge lp:~roadmr/canonical-identity-provider/validate-saml-xml
Related bugs:
Reviewer: Ricardo Kirkner (community), Approve
Review via email: mp+333276@code.launchpad.net
Commit message
- Validate SAML responses
- Update django-saml2-idp so it spits out valid SAML
This was spotted by a couple of newly-very-strict SPs which were actually running our assertions against the SAML XSD and rejecting us.
These remotes used the onelogin SAML library https:/
Description of the change
- Validate SAML responses
- Update django-saml2-idp so it spits out valid SAML
This was spotted by a couple of newly-very-strict SPs which were actually running our assertions against the SAML XSD and rejecting us.
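An added example (not code from this branch, from ubuntu_sso_saml or from django-saml2-idp) of what validating a SAML response against the vendored XSDs looks like on the receiving side with lxml: the parser loads no DTDs, expands no entities and never touches the network, the schema's relative xs:import/xs:include references are served only from the local saml-schema-xsd directory, and validation failures are returned as messages an SP would also report. The inline schema is a constructed subset of AssertionType from saml-schema-assertion-2.0.xsd (child order plus required attributes, without the ds:/xenc: imports) so the block runs stand-alone; using saml-schema-protocol-2.0.xsd as the entry point for full responses is an assumption.

```python
"""Offline, hardened XSD validation of SAML XML with lxml (added example)."""
import os

from lxml import etree

# Constructed subset of saml-schema-assertion-2.0.xsd's AssertionType (assumption
# for this example): Issuer, then Subject, then Conditions, plus the three
# required attributes. Real deployments load the vendored files instead.
SUBSET_XSD = b"""<?xml version="1.0"?>
<schema xmlns="http://www.w3.org/2001/XMLSchema"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
        elementFormDefault="unqualified">
  <element name="Issuer" type="string"/>
  <element name="NameID" type="string"/>
  <element name="Subject">
    <complexType><sequence><element ref="saml:NameID"/></sequence></complexType>
  </element>
  <element name="Conditions">
    <complexType>
      <attribute name="NotBefore" type="dateTime" use="optional"/>
      <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
    </complexType>
  </element>
  <element name="Assertion">
    <complexType>
      <sequence>
        <element ref="saml:Issuer"/>
        <element ref="saml:Subject" minOccurs="0"/>
        <element ref="saml:Conditions" minOccurs="0"/>
      </sequence>
      <attribute name="Version" type="string" use="required"/>
      <attribute name="ID" type="ID" use="required"/>
      <attribute name="IssueInstant" type="dateTime" use="required"/>
    </complexType>
  </element>
</schema>
"""


def hardened_parser():
    """Parser for untrusted SAML: no DTD loading, no entity expansion, no network."""
    return etree.XMLParser(resolve_entities=False, load_dtd=False,
                           no_network=True, huge_tree=False)


class LocalOnlyResolver(etree.Resolver):
    """Serve xs:import/xs:include targets only from one local schema directory."""

    def __init__(self, schema_dir):
        super().__init__()
        self.schema_dir = os.path.realpath(schema_dir)

    def resolve(self, url, pubid, context):
        name = os.path.basename(url or "")
        path = os.path.join(self.schema_dir, name)
        if name and os.path.isfile(path):
            return self.resolve_filename(path, context)
        return self.resolve_empty(context)  # fail closed: nothing remote is fetched


def load_vendored_schema(schema_dir, entry="saml-schema-protocol-2.0.xsd"):
    """Compile the vendored schema set; imports resolve only inside schema_dir.

    The entry file name is an assumption; the page lists it among the added XSDs.
    lxml uses the resolvers of the parser that parsed the schema document.
    """
    parser = hardened_parser()
    parser.resolvers.add(LocalOnlyResolver(schema_dir))
    return etree.XMLSchema(etree.parse(os.path.join(schema_dir, entry), parser))


def schema_from_bytes(xsd_bytes):
    """Compile an in-memory XSD (used here for the constructed subset)."""
    return etree.XMLSchema(etree.fromstring(xsd_bytes, hardened_parser()))


def validate_saml(xml_bytes, schema):
    """Return [] when xml_bytes validates, otherwise the validator's messages."""
    try:
        doc = etree.fromstring(xml_bytes, hardened_parser())
    except etree.XMLSyntaxError as exc:
        return ["not well-formed: %s" % exc]
    if schema.validate(doc):
        return []
    return [err.message for err in schema.error_log]


# Constructed sample assertions (not real traffic).
VALID_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_example1" IssueInstant="2017-11-07T14:38:57Z">
  <saml:Issuer>https://login.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2017-11-07T14:38:57Z" NotOnOrAfter="2017-11-07T14:43:57Z"/>
</saml:Assertion>"""

# Same content, but Conditions emitted before Subject: a strict SP rejects this.
MISORDERED_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_example2" IssueInstant="2017-11-07T14:38:57Z">
  <saml:Issuer>https://login.example.test</saml:Issuer>
  <saml:Conditions NotOnOrAfter="2017-11-07T14:43:57Z"/>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Required IssueInstant attribute missing.
MISSING_INSTANT_ASSERTION = b"""<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_example3">
  <saml:Issuer>https://login.example.test</saml:Issuer>
</saml:Assertion>"""

if __name__ == "__main__":
    subset = schema_from_bytes(SUBSET_XSD)
    for label, sample in (("valid", VALID_ASSERTION),
                          ("misordered", MISORDERED_ASSERTION),
                          ("missing IssueInstant", MISSING_INSTANT_ASSERTION)):
        print(label, validate_saml(sample, subset) or "OK")
```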
Otto Co-Pilot (otto-copilot) wrote:
Running landing tests failed
https:/
Otto Co-Pilot (otto-copilot) wrote:
Running landing tests failed
https:/
Preview Diff
1 | === modified file 'config-manager.txt' |
2 | --- config-manager.txt 2017-10-06 15:07:33 +0000 |
3 | +++ config-manager.txt 2017-11-07 14:38:57 +0000 |
4 | @@ -5,7 +5,7 @@ |
5 | branches/django-openid-auth lp:~ubuntuone-pqm-team/django-openid-auth/stable;revno=107 |
6 | branches/django-pgtools lp:django-pgtools;revno=8 |
7 | branches/django-piston lp:~ubuntuone-pqm-team/django-piston/stable;revno=7 |
8 | -branches/django-saml2-idp lp:~ubuntuone-pqm-team/django-saml2-idp/stable;revno=68 |
9 | +branches/django-saml2-idp lp:~ubuntuone-pqm-team/django-saml2-idp/stable;revno=69 |
10 | branches/ols-tests lp:ols-tests;tag=ols-tests-1.0.0 |
11 | branches/ols-tests-django lp:ols-tests-django;revno=19 |
12 | branches/python-openid lp:~ubuntuone-pqm-team/python-openid/stable;revno=1989 |
13 | |
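Review bot: the pin moves django-saml2-idp from revno 68 to 69, but neither the commit message nor the description says what changed in that revision; please name the fix (which element or attribute made the emitted SAML fail XSD validation) so the bump can be checked against the new test in src/ubuntu_sso_saml/tests/test_processors.py, and consider pinning by tag, as the ols-tests line in this hunk does, rather than by bare revision number.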
14 | === added directory 'saml-schema-xsd' |
15 | === added file 'saml-schema-xsd/saml-schema-assertion-2.0.xsd' |
16 | --- saml-schema-xsd/saml-schema-assertion-2.0.xsd 1970-01-01 00:00:00 +0000 |
17 | +++ saml-schema-xsd/saml-schema-assertion-2.0.xsd 2017-11-07 14:38:57 +0000 |
18 | @@ -0,0 +1,283 @@ |
19 | +<?xml version="1.0" encoding="US-ASCII"?> |
20 | +<schema |
21 | + targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion" |
22 | + xmlns="http://www.w3.org/2001/XMLSchema" |
23 | + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" |
24 | + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" |
25 | + xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" |
26 | + elementFormDefault="unqualified" |
27 | + attributeFormDefault="unqualified" |
28 | + blockDefault="substitution" |
29 | + version="2.0"> |
30 | + <import namespace="http://www.w3.org/2000/09/xmldsig#" |
31 | + schemaLocation="xmldsig-core-schema.xsd"/> |
32 | + <import namespace="http://www.w3.org/2001/04/xmlenc#" |
33 | + schemaLocation="xenc-schema.xsd"/> |
34 | + <annotation> |
35 | + <documentation> |
36 | + Document identifier: saml-schema-assertion-2.0 |
37 | + Location: http://docs.oasis-open.org/security/saml/v2.0/ |
38 | + Revision history: |
39 | + V1.0 (November, 2002): |
40 | + Initial Standard Schema. |
41 | + V1.1 (September, 2003): |
42 | + Updates within the same V1.0 namespace. |
43 | + V2.0 (March, 2005): |
44 | + New assertion schema for SAML V2.0 namespace. |
45 | + </documentation> |
46 | + </annotation> |
47 | + <attributeGroup name="IDNameQualifiers"> |
48 | + <attribute name="NameQualifier" type="string" use="optional"/> |
49 | + <attribute name="SPNameQualifier" type="string" use="optional"/> |
50 | + </attributeGroup> |
51 | + <element name="BaseID" type="saml:BaseIDAbstractType"/> |
52 | + <complexType name="BaseIDAbstractType" abstract="true"> |
53 | + <attributeGroup ref="saml:IDNameQualifiers"/> |
54 | + </complexType> |
55 | + <element name="NameID" type="saml:NameIDType"/> |
56 | + <complexType name="NameIDType"> |
57 | + <simpleContent> |
58 | + <extension base="string"> |
59 | + <attributeGroup ref="saml:IDNameQualifiers"/> |
60 | + <attribute name="Format" type="anyURI" use="optional"/> |
61 | + <attribute name="SPProvidedID" type="string" use="optional"/> |
62 | + </extension> |
63 | + </simpleContent> |
64 | + </complexType> |
65 | + <complexType name="EncryptedElementType"> |
66 | + <sequence> |
67 | + <element ref="xenc:EncryptedData"/> |
68 | + <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/> |
69 | + </sequence> |
70 | + </complexType> |
71 | + <element name="EncryptedID" type="saml:EncryptedElementType"/> |
72 | + <element name="Issuer" type="saml:NameIDType"/> |
73 | + <element name="AssertionIDRef" type="NCName"/> |
74 | + <element name="AssertionURIRef" type="anyURI"/> |
75 | + <element name="Assertion" type="saml:AssertionType"/> |
76 | + <complexType name="AssertionType"> |
77 | + <sequence> |
78 | + <element ref="saml:Issuer"/> |
79 | + <element ref="ds:Signature" minOccurs="0"/> |
80 | + <element ref="saml:Subject" minOccurs="0"/> |
81 | + <element ref="saml:Conditions" minOccurs="0"/> |
82 | + <element ref="saml:Advice" minOccurs="0"/> |
83 | + <choice minOccurs="0" maxOccurs="unbounded"> |
84 | + <element ref="saml:Statement"/> |
85 | + <element ref="saml:AuthnStatement"/> |
86 | + <element ref="saml:AuthzDecisionStatement"/> |
87 | + <element ref="saml:AttributeStatement"/> |
88 | + </choice> |
89 | + </sequence> |
90 | + <attribute name="Version" type="string" use="required"/> |
91 | + <attribute name="ID" type="ID" use="required"/> |
92 | + <attribute name="IssueInstant" type="dateTime" use="required"/> |
93 | + </complexType> |
94 | + <element name="Subject" type="saml:SubjectType"/> |
95 | + <complexType name="SubjectType"> |
96 | + <choice> |
97 | + <sequence> |
98 | + <choice> |
99 | + <element ref="saml:BaseID"/> |
100 | + <element ref="saml:NameID"/> |
101 | + <element ref="saml:EncryptedID"/> |
102 | + </choice> |
103 | + <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/> |
104 | + </sequence> |
105 | + <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/> |
106 | + </choice> |
107 | + </complexType> |
108 | + <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/> |
109 | + <complexType name="SubjectConfirmationType"> |
110 | + <sequence> |
111 | + <choice minOccurs="0"> |
112 | + <element ref="saml:BaseID"/> |
113 | + <element ref="saml:NameID"/> |
114 | + <element ref="saml:EncryptedID"/> |
115 | + </choice> |
116 | + <element ref="saml:SubjectConfirmationData" minOccurs="0"/> |
117 | + </sequence> |
118 | + <attribute name="Method" type="anyURI" use="required"/> |
119 | + </complexType> |
120 | + <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/> |
121 | + <complexType name="SubjectConfirmationDataType" mixed="true"> |
122 | + <complexContent> |
123 | + <restriction base="anyType"> |
124 | + <sequence> |
125 | + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> |
126 | + </sequence> |
127 | + <attribute name="NotBefore" type="dateTime" use="optional"/> |
128 | + <attribute name="NotOnOrAfter" type="dateTime" use="optional"/> |
129 | + <attribute name="Recipient" type="anyURI" use="optional"/> |
130 | + <attribute name="InResponseTo" type="NCName" use="optional"/> |
131 | + <attribute name="Address" type="string" use="optional"/> |
132 | + <anyAttribute namespace="##other" processContents="lax"/> |
133 | + </restriction> |
134 | + </complexContent> |
135 | + </complexType> |
136 | + <complexType name="KeyInfoConfirmationDataType" mixed="false"> |
137 | + <complexContent> |
138 | + <restriction base="saml:SubjectConfirmationDataType"> |
139 | + <sequence> |
140 | + <element ref="ds:KeyInfo" maxOccurs="unbounded"/> |
141 | + </sequence> |
142 | + </restriction> |
143 | + </complexContent> |
144 | + </complexType> |
145 | + <element name="Conditions" type="saml:ConditionsType"/> |
146 | + <complexType name="ConditionsType"> |
147 | + <choice minOccurs="0" maxOccurs="unbounded"> |
148 | + <element ref="saml:Condition"/> |
149 | + <element ref="saml:AudienceRestriction"/> |
150 | + <element ref="saml:OneTimeUse"/> |
151 | + <element ref="saml:ProxyRestriction"/> |
152 | + </choice> |
153 | + <attribute name="NotBefore" type="dateTime" use="optional"/> |
154 | + <attribute name="NotOnOrAfter" type="dateTime" use="optional"/> |
155 | + </complexType> |
156 | + <element name="Condition" type="saml:ConditionAbstractType"/> |
157 | + <complexType name="ConditionAbstractType" abstract="true"/> |
158 | + <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/> |
159 | + <complexType name="AudienceRestrictionType"> |
160 | + <complexContent> |
161 | + <extension base="saml:ConditionAbstractType"> |
162 | + <sequence> |
163 | + <element ref="saml:Audience" maxOccurs="unbounded"/> |
164 | + </sequence> |
165 | + </extension> |
166 | + </complexContent> |
167 | + </complexType> |
168 | + <element name="Audience" type="anyURI"/> |
169 | + <element name="OneTimeUse" type="saml:OneTimeUseType" /> |
170 | + <complexType name="OneTimeUseType"> |
171 | + <complexContent> |
172 | + <extension base="saml:ConditionAbstractType"/> |
173 | + </complexContent> |
174 | + </complexType> |
175 | + <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/> |
176 | + <complexType name="ProxyRestrictionType"> |
177 | + <complexContent> |
178 | + <extension base="saml:ConditionAbstractType"> |
179 | + <sequence> |
180 | + <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/> |
181 | + </sequence> |
182 | + <attribute name="Count" type="nonNegativeInteger" use="optional"/> |
183 | + </extension> |
184 | + </complexContent> |
185 | + </complexType> |
186 | + <element name="Advice" type="saml:AdviceType"/> |
187 | + <complexType name="AdviceType"> |
188 | + <choice minOccurs="0" maxOccurs="unbounded"> |
189 | + <element ref="saml:AssertionIDRef"/> |
190 | + <element ref="saml:AssertionURIRef"/> |
191 | + <element ref="saml:Assertion"/> |
192 | + <element ref="saml:EncryptedAssertion"/> |
193 | + <any namespace="##other" processContents="lax"/> |
194 | + </choice> |
195 | + </complexType> |
196 | + <element name="EncryptedAssertion" type="saml:EncryptedElementType"/> |
197 | + <element name="Statement" type="saml:StatementAbstractType"/> |
198 | + <complexType name="StatementAbstractType" abstract="true"/> |
199 | + <element name="AuthnStatement" type="saml:AuthnStatementType"/> |
200 | + <complexType name="AuthnStatementType"> |
201 | + <complexContent> |
202 | + <extension base="saml:StatementAbstractType"> |
203 | + <sequence> |
204 | + <element ref="saml:SubjectLocality" minOccurs="0"/> |
205 | + <element ref="saml:AuthnContext"/> |
206 | + </sequence> |
207 | + <attribute name="AuthnInstant" type="dateTime" use="required"/> |
208 | + <attribute name="SessionIndex" type="string" use="optional"/> |
209 | + <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/> |
210 | + </extension> |
211 | + </complexContent> |
212 | + </complexType> |
213 | + <element name="SubjectLocality" type="saml:SubjectLocalityType"/> |
214 | + <complexType name="SubjectLocalityType"> |
215 | + <attribute name="Address" type="string" use="optional"/> |
216 | + <attribute name="DNSName" type="string" use="optional"/> |
217 | + </complexType> |
218 | + <element name="AuthnContext" type="saml:AuthnContextType"/> |
219 | + <complexType name="AuthnContextType"> |
220 | + <sequence> |
221 | + <choice> |
222 | + <sequence> |
223 | + <element ref="saml:AuthnContextClassRef"/> |
224 | + <choice minOccurs="0"> |
225 | + <element ref="saml:AuthnContextDecl"/> |
226 | + <element ref="saml:AuthnContextDeclRef"/> |
227 | + </choice> |
228 | + </sequence> |
229 | + <choice> |
230 | + <element ref="saml:AuthnContextDecl"/> |
231 | + <element ref="saml:AuthnContextDeclRef"/> |
232 | + </choice> |
233 | + </choice> |
234 | + <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/> |
235 | + </sequence> |
236 | + </complexType> |
237 | + <element name="AuthnContextClassRef" type="anyURI"/> |
238 | + <element name="AuthnContextDeclRef" type="anyURI"/> |
239 | + <element name="AuthnContextDecl" type="anyType"/> |
240 | + <element name="AuthenticatingAuthority" type="anyURI"/> |
241 | + <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/> |
242 | + <complexType name="AuthzDecisionStatementType"> |
243 | + <complexContent> |
244 | + <extension base="saml:StatementAbstractType"> |
245 | + <sequence> |
246 | + <element ref="saml:Action" maxOccurs="unbounded"/> |
247 | + <element ref="saml:Evidence" minOccurs="0"/> |
248 | + </sequence> |
249 | + <attribute name="Resource" type="anyURI" use="required"/> |
250 | + <attribute name="Decision" type="saml:DecisionType" use="required"/> |
251 | + </extension> |
252 | + </complexContent> |
253 | + </complexType> |
254 | + <simpleType name="DecisionType"> |
255 | + <restriction base="string"> |
256 | + <enumeration value="Permit"/> |
257 | + <enumeration value="Deny"/> |
258 | + <enumeration value="Indeterminate"/> |
259 | + </restriction> |
260 | + </simpleType> |
261 | + <element name="Action" type="saml:ActionType"/> |
262 | + <complexType name="ActionType"> |
263 | + <simpleContent> |
264 | + <extension base="string"> |
265 | + <attribute name="Namespace" type="anyURI" use="required"/> |
266 | + </extension> |
267 | + </simpleContent> |
268 | + </complexType> |
269 | + <element name="Evidence" type="saml:EvidenceType"/> |
270 | + <complexType name="EvidenceType"> |
271 | + <choice maxOccurs="unbounded"> |
272 | + <element ref="saml:AssertionIDRef"/> |
273 | + <element ref="saml:AssertionURIRef"/> |
274 | + <element ref="saml:Assertion"/> |
275 | + <element ref="saml:EncryptedAssertion"/> |
276 | + </choice> |
277 | + </complexType> |
278 | + <element name="AttributeStatement" type="saml:AttributeStatementType"/> |
279 | + <complexType name="AttributeStatementType"> |
280 | + <complexContent> |
281 | + <extension base="saml:StatementAbstractType"> |
282 | + <choice maxOccurs="unbounded"> |
283 | + <element ref="saml:Attribute"/> |
284 | + <element ref="saml:EncryptedAttribute"/> |
285 | + </choice> |
286 | + </extension> |
287 | + </complexContent> |
288 | + </complexType> |
289 | + <element name="Attribute" type="saml:AttributeType"/> |
290 | + <complexType name="AttributeType"> |
291 | + <sequence> |
292 | + <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/> |
293 | + </sequence> |
294 | + <attribute name="Name" type="string" use="required"/> |
295 | + <attribute name="NameFormat" type="anyURI" use="optional"/> |
296 | + <attribute name="FriendlyName" type="string" use="optional"/> |
297 | + <anyAttribute namespace="##other" processContents="lax"/> |
298 | + </complexType> |
299 | + <element name="AttributeValue" type="anyType" nillable="true"/> |
300 | + <element name="EncryptedAttribute" type="saml:EncryptedElementType"/> |
301 | +</schema> |
302 | |
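Review bot: this schema imports xmldsig-core-schema.xsd and xenc-schema.xsd through relative schemaLocation values (hunk lines 30-33), so whatever compiles it must resolve those against the saml-schema-xsd directory and must not fall back to fetching from the network; please confirm the validator is built with a local-only resolver and network access disabled. The documentation block only gives http://docs.oasis-open.org/security/saml/v2.0/ as the location, so please record in the description exactly where each vendored file was downloaded from, letting a later reviewer confirm they are unmodified copies.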
303 | === added file 'saml-schema-xsd/saml-schema-authn-context-2.0.xsd' |
304 | --- saml-schema-xsd/saml-schema-authn-context-2.0.xsd 1970-01-01 00:00:00 +0000 |
305 | +++ saml-schema-xsd/saml-schema-authn-context-2.0.xsd 2017-11-07 14:38:57 +0000 |
306 | @@ -0,0 +1,23 @@ |
307 | +<?xml version="1.0" encoding="UTF-8"?> |
308 | +<xs:schema |
309 | + targetNamespace="urn:oasis:names:tc:SAML:2.0:ac" |
310 | + xmlns:xs="http://www.w3.org/2001/XMLSchema" |
311 | + xmlns="urn:oasis:names:tc:SAML:2.0:ac" |
312 | + blockDefault="substitution" |
313 | + version="2.0"> |
314 | + |
315 | + <xs:annotation> |
316 | + <xs:documentation> |
317 | + Document identifier: saml-schema-authn-context-2.0 |
318 | + Location: http://docs.oasis-open.org/security/saml/v2.0/ |
319 | + Revision history: |
320 | + V2.0 (March, 2005): |
321 | + New core authentication context schema for SAML V2.0. |
322 | + This is just an include of all types from the schema |
323 | + referred to in the include statement below. |
324 | + </xs:documentation> |
325 | + </xs:annotation> |
326 | + |
327 | + <xs:include schemaLocation="saml-schema-authn-context-types-2.0.xsd"/> |
328 | + |
329 | +</xs:schema> |
330 | \ No newline at end of file |
331 | |
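Review bot: the file ends without a trailing newline (see the "\ No newline at end of file" marker); please add one so later diffs of this file stay clean. Since this schema is only an xs:include of saml-schema-authn-context-types-2.0.xsd, the same local-only resolution required for the imports in the assertion schema applies here too.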
332 | === added file 'saml-schema-xsd/saml-schema-authn-context-types-2.0.xsd' |
333 | --- saml-schema-xsd/saml-schema-authn-context-types-2.0.xsd 1970-01-01 00:00:00 +0000 |
334 | +++ saml-schema-xsd/saml-schema-authn-context-types-2.0.xsd 2017-11-07 14:38:57 +0000 |
335 | @@ -0,0 +1,821 @@ |
336 | +<?xml version="1.0" encoding="UTF-8"?> |
337 | +<xs:schema |
338 | + xmlns:xs="http://www.w3.org/2001/XMLSchema" |
339 | + elementFormDefault="qualified" |
340 | + version="2.0"> |
341 | + |
342 | + <xs:annotation> |
343 | + <xs:documentation> |
344 | + Document identifier: saml-schema-authn-context-types-2.0 |
345 | + Location: http://docs.oasis-open.org/security/saml/v2.0/ |
346 | + Revision history: |
347 | + V2.0 (March, 2005): |
348 | + New core authentication context schema types for SAML V2.0. |
349 | + </xs:documentation> |
350 | + </xs:annotation> |
351 | + |
352 | + <xs:element name="AuthenticationContextDeclaration" type="AuthnContextDeclarationBaseType"> |
353 | + <xs:annotation> |
354 | + <xs:documentation> |
355 | + A particular assertion on an identity |
356 | + provider's part with respect to the authentication |
357 | + context associated with an authentication assertion. |
358 | + </xs:documentation> |
359 | + </xs:annotation> |
360 | + </xs:element> |
361 | + |
362 | + <xs:element name="Identification" type="IdentificationType"> |
363 | + <xs:annotation> |
364 | + <xs:documentation> |
365 | + Refers to those characteristics that describe the |
366 | + processes and mechanisms |
367 | + the Authentication Authority uses to initially create |
368 | + an association between a Principal |
369 | + and the identity (or name) by which the Principal will |
370 | + be known |
371 | + </xs:documentation> |
372 | + </xs:annotation> |
373 | + </xs:element> |
374 | + |
375 | + <xs:element name="PhysicalVerification"> |
376 | + <xs:annotation> |
377 | + <xs:documentation> |
378 | + This element indicates that identification has been |
379 | + performed in a physical |
380 | + face-to-face meeting with the principal and not in an |
381 | + online manner. |
382 | + </xs:documentation> |
383 | + </xs:annotation> |
384 | + <xs:complexType> |
385 | + <xs:attribute name="credentialLevel"> |
386 | + <xs:simpleType> |
387 | + <xs:restriction base="xs:NMTOKEN"> |
388 | + <xs:enumeration value="primary"/> |
389 | + <xs:enumeration value="secondary"/> |
390 | + </xs:restriction> |
391 | + </xs:simpleType> |
392 | + </xs:attribute> |
393 | + </xs:complexType> |
394 | + </xs:element> |
395 | + |
396 | + <xs:element name="WrittenConsent" type="ExtensionOnlyType"/> |
397 | + |
398 | + <xs:element name="TechnicalProtection" type="TechnicalProtectionBaseType"> |
399 | + <xs:annotation> |
400 | + <xs:documentation> |
401 | + Refers to those characterstics that describe how the |
402 | + 'secret' (the knowledge or possession |
403 | + of which allows the Principal to authenticate to the |
404 | + Authentication Authority) is kept secure |
405 | + </xs:documentation> |
406 | + </xs:annotation> |
407 | + </xs:element> |
408 | + |
409 | + <xs:element name="SecretKeyProtection" type="SecretKeyProtectionType"> |
410 | + <xs:annotation> |
411 | + <xs:documentation> |
412 | + This element indicates the types and strengths of |
413 | + facilities |
414 | + of a UA used to protect a shared secret key from |
415 | + unauthorized access and/or use. |
416 | + </xs:documentation> |
417 | + </xs:annotation> |
418 | + </xs:element> |
419 | + |
420 | + <xs:element name="PrivateKeyProtection" type="PrivateKeyProtectionType"> |
421 | + <xs:annotation> |
422 | + <xs:documentation> |
423 | + This element indicates the types and strengths of |
424 | + facilities |
425 | + of a UA used to protect a private key from |
426 | + unauthorized access and/or use. |
427 | + </xs:documentation> |
428 | + </xs:annotation> |
429 | + </xs:element> |
430 | + |
431 | + <xs:element name="KeyActivation" type="KeyActivationType"> |
432 | + <xs:annotation> |
433 | + <xs:documentation>The actions that must be performed |
434 | + before the private key can be used. </xs:documentation> |
435 | + </xs:annotation> |
436 | + </xs:element> |
437 | + |
438 | + <xs:element name="KeySharing" type="KeySharingType"> |
439 | + <xs:annotation> |
440 | + <xs:documentation>Whether or not the private key is shared |
441 | + with the certificate authority.</xs:documentation> |
442 | + </xs:annotation> |
443 | + </xs:element> |
444 | + |
445 | + <xs:element name="KeyStorage" type="KeyStorageType"> |
446 | + <xs:annotation> |
447 | + <xs:documentation> |
448 | + In which medium is the key stored. |
449 | + memory - the key is stored in memory. |
450 | + smartcard - the key is stored in a smartcard. |
451 | + token - the key is stored in a hardware token. |
452 | + MobileDevice - the key is stored in a mobile device. |
453 | + MobileAuthCard - the key is stored in a mobile |
454 | + authentication card. |
455 | + </xs:documentation> |
456 | + </xs:annotation> |
457 | + </xs:element> |
458 | + |
459 | + <xs:element name="SubscriberLineNumber" type="ExtensionOnlyType"/> |
460 | + <xs:element name="UserSuffix" type="ExtensionOnlyType"/> |
461 | + |
462 | + <xs:element name="Password" type="PasswordType"> |
463 | + <xs:annotation> |
464 | + <xs:documentation> |
465 | + This element indicates that a password (or passphrase) |
466 | + has been used to |
467 | + authenticate the Principal to a remote system. |
468 | + </xs:documentation> |
469 | + </xs:annotation> |
470 | + </xs:element> |
471 | + |
472 | + <xs:element name="ActivationPin" type="ActivationPinType"> |
473 | + <xs:annotation> |
474 | + <xs:documentation> |
475 | + This element indicates that a Pin (Personal |
476 | + Identification Number) has been used to authenticate the Principal to |
477 | + some local system in order to activate a key. |
478 | + </xs:documentation> |
479 | + </xs:annotation> |
480 | + </xs:element> |
481 | + |
482 | + <xs:element name="Token" type="TokenType"> |
483 | + <xs:annotation> |
484 | + <xs:documentation> |
485 | + This element indicates that a hardware or software |
486 | + token is used |
487 | + as a method of identifying the Principal. |
488 | + </xs:documentation> |
489 | + </xs:annotation> |
490 | + </xs:element> |
491 | + |
492 | + <xs:element name="TimeSyncToken" type="TimeSyncTokenType"> |
493 | + <xs:annotation> |
494 | + <xs:documentation> |
495 | + This element indicates that a time synchronization |
496 | + token is used to identify the Principal. hardware - |
497 | + the time synchonization |
498 | + token has been implemented in hardware. software - the |
499 | + time synchronization |
500 | + token has been implemented in software. SeedLength - |
501 | + the length, in bits, of the |
502 | + random seed used in the time synchronization token. |
503 | + </xs:documentation> |
504 | + </xs:annotation> |
505 | + </xs:element> |
506 | + |
507 | + <xs:element name="Smartcard" type="ExtensionOnlyType"> |
508 | + <xs:annotation> |
509 | + <xs:documentation> |
510 | + This element indicates that a smartcard is used to |
511 | + identity the Principal. |
512 | + </xs:documentation> |
513 | + </xs:annotation> |
514 | + </xs:element> |
515 | + |
516 | + <xs:element name="Length" type="LengthType"> |
517 | + <xs:annotation> |
518 | + <xs:documentation> |
519 | + This element indicates the minimum and/or maximum |
520 | + ASCII length of the password which is enforced (by the UA or the |
521 | + IdP). In other words, this is the minimum and/or maximum number of |
522 | + ASCII characters required to represent a valid password. |
523 | + min - the minimum number of ASCII characters required |
524 | + in a valid password, as enforced by the UA or the IdP. |
525 | + max - the maximum number of ASCII characters required |
526 | + in a valid password, as enforced by the UA or the IdP. |
527 | + </xs:documentation> |
528 | + </xs:annotation> |
529 | + </xs:element> |
530 | + |
531 | + <xs:element name="ActivationLimit" type="ActivationLimitType"> |
532 | + <xs:annotation> |
533 | + <xs:documentation> |
534 | + This element indicates the length of time for which an |
535 | + PIN-based authentication is valid. |
536 | + </xs:documentation> |
537 | + </xs:annotation> |
538 | + </xs:element> |
539 | + |
540 | + <xs:element name="Generation"> |
541 | + <xs:annotation> |
542 | + <xs:documentation> |
543 | + Indicates whether the password was chosen by the |
544 | + Principal or auto-supplied by the Authentication Authority. |
545 | + principalchosen - the Principal is allowed to choose |
546 | + the value of the password. This is true even if |
547 | + the initial password is chosen at random by the UA or |
548 | + the IdP and the Principal is then free to change |
549 | + the password. |
550 | + automatic - the password is chosen by the UA or the |
551 | + IdP to be cryptographically strong in some sense, |
552 | + or to satisfy certain password rules, and that the |
553 | + Principal is not free to change it or to choose a new password. |
554 | + </xs:documentation> |
555 | + </xs:annotation> |
556 | + |
557 | + <xs:complexType> |
558 | + <xs:attribute name="mechanism" use="required"> |
559 | + <xs:simpleType> |
560 | + <xs:restriction base="xs:NMTOKEN"> |
561 | + <xs:enumeration value="principalchosen"/> |
562 | + <xs:enumeration value="automatic"/> |
563 | + </xs:restriction> |
564 | + </xs:simpleType> |
565 | + </xs:attribute> |
566 | + </xs:complexType> |
567 | + </xs:element> |
568 | + |
569 | + <xs:element name="AuthnMethod" type="AuthnMethodBaseType"> |
570 | + <xs:annotation> |
571 | + <xs:documentation> |
572 | + Refers to those characteristics that define the |
573 | + mechanisms by which the Principal authenticates to the Authentication |
574 | + Authority. |
575 | + </xs:documentation> |
576 | + </xs:annotation> |
577 | + </xs:element> |
578 | + |
579 | + <xs:element name="PrincipalAuthenticationMechanism" type="PrincipalAuthenticationMechanismType"> |
580 | + <xs:annotation> |
581 | + <xs:documentation> |
582 | + The method that a Principal employs to perform |
583 | + authentication to local system components. |
584 | + </xs:documentation> |
585 | + </xs:annotation> |
586 | + </xs:element> |
587 | + |
588 | + <xs:element name="Authenticator" type="AuthenticatorBaseType"> |
589 | + <xs:annotation> |
590 | + <xs:documentation> |
591 | + The method applied to validate a principal's |
592 | + authentication across a network |
593 | + </xs:documentation> |
594 | + </xs:annotation> |
595 | + </xs:element> |
596 | + |
597 | + <xs:element name="ComplexAuthenticator" type="ComplexAuthenticatorType"> |
598 | + <xs:annotation> |
599 | + <xs:documentation> |
600 | + Supports Authenticators with nested combinations of |
601 | + additional complexity. |
602 | + </xs:documentation> |
603 | + </xs:annotation> |
604 | + </xs:element> |
605 | + |
606 | + <xs:element name="PreviousSession" type="ExtensionOnlyType"> |
607 | + <xs:annotation> |
608 | + <xs:documentation> |
609 | + Indicates that the Principal has been strongly |
610 | + authenticated in a previous session during which the IdP has set a |
611 | + cookie in the UA. During the present session the Principal has only |
612 | + been authenticated by the UA returning the cookie to the IdP. |
613 | + </xs:documentation> |
614 | + </xs:annotation> |
615 | + </xs:element> |
616 | + |
617 | + <xs:element name="ResumeSession" type="ExtensionOnlyType"> |
618 | + <xs:annotation> |
619 | + <xs:documentation> |
620 | + Rather like PreviousSession but using stronger |
621 | + security. A secret that was established in a previous session with |
622 | + the Authentication Authority has been cached by the local system and |
623 | + is now re-used (e.g. a Master Secret is used to derive new session |
624 | + keys in TLS, SSL, WTLS). |
625 | + </xs:documentation> |
626 | + </xs:annotation> |
627 | + </xs:element> |
628 | + |
629 | + <xs:element name="ZeroKnowledge" type="ExtensionOnlyType"> |
630 | + <xs:annotation> |
631 | + <xs:documentation> |
632 | + This element indicates that the Principal has been |
633 | + authenticated by a zero knowledge technique as specified in ISO/IEC |
634 | + 9798-5. |
635 | + </xs:documentation> |
636 | + </xs:annotation> |
637 | + </xs:element> |
638 | + |
639 | + <xs:element name="SharedSecretChallengeResponse" type="SharedSecretChallengeResponseType"/> |
640 | + |
641 | + <xs:complexType name="SharedSecretChallengeResponseType"> |
642 | + <xs:annotation> |
643 | + <xs:documentation> |
644 | + This element indicates that the Principal has been |
645 | + authenticated by a challenge-response protocol utilizing shared secret |
646 | + keys and symmetric cryptography. |
647 | + </xs:documentation> |
648 | + </xs:annotation> |
649 | + <xs:sequence> |
650 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
651 | + </xs:sequence> |
652 | + <xs:attribute name="method" type="xs:anyURI" use="optional"/> |
653 | + </xs:complexType> |
654 | + |
655 | + <xs:element name="DigSig" type="PublicKeyType"> |
656 | + <xs:annotation> |
657 | + <xs:documentation> |
658 | + This element indicates that the Principal has been |
659 | + authenticated by a mechanism which involves the Principal computing a |
660 | + digital signature over at least challenge data provided by the IdP. |
661 | + </xs:documentation> |
662 | + </xs:annotation> |
663 | + </xs:element> |
664 | + |
665 | + <xs:element name="AsymmetricDecryption" type="PublicKeyType"> |
666 | + <xs:annotation> |
667 | + <xs:documentation> |
668 | + The local system has a private key but it is used |
669 | + in decryption mode, rather than signature mode. For example, the |
670 | + Authentication Authority generates a secret and encrypts it using the |
671 | + local system's public key: the local system then proves it has |
672 | + decrypted the secret. |
673 | + </xs:documentation> |
674 | + </xs:annotation> |
675 | + </xs:element> |
676 | + |
677 | + <xs:element name="AsymmetricKeyAgreement" type="PublicKeyType"> |
678 | + <xs:annotation> |
679 | + <xs:documentation> |
680 | + The local system has a private key and uses it for |
681 | + shared secret key agreement with the Authentication Authority (e.g. |
682 | + via Diffie Helman). |
683 | + </xs:documentation> |
684 | + </xs:annotation> |
685 | + </xs:element> |
686 | + |
687 | + <xs:complexType name="PublicKeyType"> |
688 | + <xs:sequence> |
689 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
690 | + </xs:sequence> |
691 | + <xs:attribute name="keyValidation" use="optional"/> |
692 | + </xs:complexType> |
693 | + |
694 | + <xs:element name="IPAddress" type="ExtensionOnlyType"> |
695 | + <xs:annotation> |
696 | + <xs:documentation> |
697 | + This element indicates that the Principal has been |
698 | + authenticated through connection from a particular IP address. |
699 | + </xs:documentation> |
700 | + </xs:annotation> |
701 | + </xs:element> |
702 | + |
703 | + <xs:element name="SharedSecretDynamicPlaintext" type="ExtensionOnlyType"> |
704 | + <xs:annotation> |
705 | + <xs:documentation> |
706 | + The local system and Authentication Authority |
707 | + share a secret key. The local system uses this to encrypt a |
708 | + randomised string to pass to the Authentication Authority. |
709 | + </xs:documentation> |
710 | + </xs:annotation> |
711 | + </xs:element> |
712 | + |
713 | + <xs:element name="AuthenticatorTransportProtocol" type="AuthenticatorTransportProtocolType"> |
714 | + <xs:annotation> |
715 | + <xs:documentation> |
716 | + The protocol across which Authenticator information is |
717 | + transferred to an Authentication Authority verifier. |
718 | + </xs:documentation> |
719 | + </xs:annotation> |
720 | + </xs:element> |
721 | + |
722 | + <xs:element name="HTTP" type="ExtensionOnlyType"> |
723 | + <xs:annotation> |
724 | + <xs:documentation> |
725 | + This element indicates that the Authenticator has been |
726 | + transmitted using bare HTTP utilizing no additional security |
727 | + protocols. |
728 | + </xs:documentation> |
729 | + </xs:annotation> |
730 | + </xs:element> |
731 | + |
732 | + <xs:element name="IPSec" type="ExtensionOnlyType"> |
733 | + <xs:annotation> |
734 | + <xs:documentation> |
735 | + This element indicates that the Authenticator has been |
736 | + transmitted using a transport mechanism protected by an IPSEC session. |
737 | + </xs:documentation> |
738 | + </xs:annotation> |
739 | + </xs:element> |
740 | + |
741 | + <xs:element name="WTLS" type="ExtensionOnlyType"> |
742 | + <xs:annotation> |
743 | + <xs:documentation> |
744 | + This element indicates that the Authenticator has been |
745 | + transmitted using a transport mechanism protected by a WTLS session. |
746 | + </xs:documentation> |
747 | + </xs:annotation> |
748 | + </xs:element> |
749 | + |
750 | + <xs:element name="MobileNetworkNoEncryption" type="ExtensionOnlyType"> |
751 | + <xs:annotation> |
752 | + <xs:documentation> |
753 | + This element indicates that the Authenticator has been |
754 | + transmitted solely across a mobile network using no additional |
755 | + security mechanism. |
756 | + </xs:documentation> |
757 | + </xs:annotation> |
758 | + </xs:element> |
759 | + |
760 | + <xs:element name="MobileNetworkRadioEncryption" type="ExtensionOnlyType"/> |
761 | + <xs:element name="MobileNetworkEndToEndEncryption" type="ExtensionOnlyType"/> |
762 | + |
763 | + <xs:element name="SSL" type="ExtensionOnlyType"> |
764 | + <xs:annotation> |
765 | + <xs:documentation> |
766 | + This element indicates that the Authenticator has been |
767 | + transmitted using a transport mechnanism protected by an SSL or TLS |
768 | + session. |
769 | + </xs:documentation> |
770 | + </xs:annotation> |
771 | + </xs:element> |
772 | + |
773 | + <xs:element name="PSTN" type="ExtensionOnlyType"/> |
774 | + <xs:element name="ISDN" type="ExtensionOnlyType"/> |
775 | + <xs:element name="ADSL" type="ExtensionOnlyType"/> |
776 | + |
777 | + <xs:element name="OperationalProtection" type="OperationalProtectionType"> |
778 | + <xs:annotation> |
779 | + <xs:documentation> |
780 | + Refers to those characteristics that describe |
781 | + procedural security controls employed by the Authentication Authority. |
782 | + </xs:documentation> |
783 | + </xs:annotation> |
784 | + </xs:element> |
785 | + |
786 | + <xs:element name="SecurityAudit" type="SecurityAuditType"/> |
787 | + <xs:element name="SwitchAudit" type="ExtensionOnlyType"/> |
788 | + <xs:element name="DeactivationCallCenter" type="ExtensionOnlyType"/> |
789 | + |
790 | + <xs:element name="GoverningAgreements" type="GoverningAgreementsType"> |
791 | + <xs:annotation> |
792 | + <xs:documentation> |
793 | + Provides a mechanism for linking to external (likely |
794 | + human readable) documents in which additional business agreements, |
795 | + (e.g. liability constraints, obligations, etc) can be placed. |
796 | + </xs:documentation> |
797 | + </xs:annotation> |
798 | + </xs:element> |
799 | + |
800 | + <xs:element name="GoverningAgreementRef" type="GoverningAgreementRefType"/> |
801 | + |
802 | + <xs:simpleType name="nymType"> |
803 | + <xs:restriction base="xs:NMTOKEN"> |
804 | + <xs:enumeration value="anonymity"/> |
805 | + <xs:enumeration value="verinymity"/> |
806 | + <xs:enumeration value="pseudonymity"/> |
807 | + </xs:restriction> |
808 | + </xs:simpleType> |
809 | + |
810 | + <xs:complexType name="AuthnContextDeclarationBaseType"> |
811 | + <xs:sequence> |
812 | + <xs:element ref="Identification" minOccurs="0"/> |
813 | + <xs:element ref="TechnicalProtection" minOccurs="0"/> |
814 | + <xs:element ref="OperationalProtection" minOccurs="0"/> |
815 | + <xs:element ref="AuthnMethod" minOccurs="0"/> |
816 | + <xs:element ref="GoverningAgreements" minOccurs="0"/> |
817 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
818 | + </xs:sequence> |
819 | + <xs:attribute name="ID" type="xs:ID" use="optional"/> |
820 | + </xs:complexType> |
821 | + |
822 | + <xs:complexType name="IdentificationType"> |
823 | + <xs:sequence> |
824 | + <xs:element ref="PhysicalVerification" minOccurs="0"/> |
825 | + <xs:element ref="WrittenConsent" minOccurs="0"/> |
826 | + <xs:element ref="GoverningAgreements" minOccurs="0"/> |
827 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
828 | + </xs:sequence> |
829 | + <xs:attribute name="nym" type="nymType"> |
830 | + <xs:annotation> |
831 | + <xs:documentation> |
832 | + This attribute indicates whether or not the |
833 | + Identification mechanisms allow the actions of the Principal to be |
834 | + linked to an actual end user. |
835 | + </xs:documentation> |
836 | + </xs:annotation> |
837 | + </xs:attribute> |
838 | + </xs:complexType> |
839 | + |
840 | + <xs:complexType name="TechnicalProtectionBaseType"> |
841 | + <xs:sequence> |
842 | + <xs:choice minOccurs="0"> |
843 | + <xs:element ref="PrivateKeyProtection"/> |
844 | + <xs:element ref="SecretKeyProtection"/> |
845 | + </xs:choice> |
846 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
847 | + </xs:sequence> |
848 | + </xs:complexType> |
849 | + |
850 | + <xs:complexType name="OperationalProtectionType"> |
851 | + <xs:sequence> |
852 | + <xs:element ref="SecurityAudit" minOccurs="0"/> |
853 | + <xs:element ref="DeactivationCallCenter" minOccurs="0"/> |
854 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
855 | + </xs:sequence> |
856 | + </xs:complexType> |
857 | + |
858 | + <xs:complexType name="AuthnMethodBaseType"> |
859 | + <xs:sequence> |
860 | + <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/> |
861 | + <xs:element ref="Authenticator" minOccurs="0"/> |
862 | + <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/> |
863 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
864 | + </xs:sequence> |
865 | + </xs:complexType> |
866 | + |
867 | + <xs:complexType name="GoverningAgreementsType"> |
868 | + <xs:sequence> |
869 | + <xs:element ref="GoverningAgreementRef" maxOccurs="unbounded"/> |
870 | + </xs:sequence> |
871 | + </xs:complexType> |
872 | + |
873 | + <xs:complexType name="GoverningAgreementRefType"> |
874 | + <xs:attribute name="governingAgreementRef" type="xs:anyURI" use="required"/> |
875 | + </xs:complexType> |
876 | + |
877 | + <xs:complexType name="PrincipalAuthenticationMechanismType"> |
878 | + <xs:sequence> |
879 | + <xs:element ref="Password" minOccurs="0"/> |
880 | + <xs:element ref="RestrictedPassword" minOccurs="0"/> |
881 | + <xs:element ref="Token" minOccurs="0"/> |
882 | + <xs:element ref="Smartcard" minOccurs="0"/> |
883 | + <xs:element ref="ActivationPin" minOccurs="0"/> |
884 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
885 | + </xs:sequence> |
886 | + <xs:attribute name="preauth" type="xs:integer" use="optional"/> |
887 | + </xs:complexType> |
888 | + |
889 | + <xs:group name="AuthenticatorChoiceGroup"> |
890 | + <xs:choice> |
891 | + <xs:element ref="PreviousSession"/> |
892 | + <xs:element ref="ResumeSession"/> |
893 | + <xs:element ref="DigSig"/> |
894 | + <xs:element ref="Password"/> |
895 | + <xs:element ref="RestrictedPassword"/> |
896 | + <xs:element ref="ZeroKnowledge"/> |
897 | + <xs:element ref="SharedSecretChallengeResponse"/> |
898 | + <xs:element ref="SharedSecretDynamicPlaintext"/> |
899 | + <xs:element ref="IPAddress"/> |
900 | + <xs:element ref="AsymmetricDecryption"/> |
901 | + <xs:element ref="AsymmetricKeyAgreement"/> |
902 | + <xs:element ref="SubscriberLineNumber"/> |
903 | + <xs:element ref="UserSuffix"/> |
904 | + <xs:element ref="ComplexAuthenticator"/> |
905 | + </xs:choice> |
906 | + </xs:group> |
907 | + |
908 | + <xs:group name="AuthenticatorSequenceGroup"> |
909 | + <xs:sequence> |
910 | + <xs:element ref="PreviousSession" minOccurs="0"/> |
911 | + <xs:element ref="ResumeSession" minOccurs="0"/> |
912 | + <xs:element ref="DigSig" minOccurs="0"/> |
913 | + <xs:element ref="Password" minOccurs="0"/> |
914 | + <xs:element ref="RestrictedPassword" minOccurs="0"/> |
915 | + <xs:element ref="ZeroKnowledge" minOccurs="0"/> |
916 | + <xs:element ref="SharedSecretChallengeResponse" minOccurs="0"/> |
917 | + <xs:element ref="SharedSecretDynamicPlaintext" minOccurs="0"/> |
918 | + <xs:element ref="IPAddress" minOccurs="0"/> |
919 | + <xs:element ref="AsymmetricDecryption" minOccurs="0"/> |
920 | + <xs:element ref="AsymmetricKeyAgreement" minOccurs="0"/> |
921 | + <xs:element ref="SubscriberLineNumber" minOccurs="0"/> |
922 | + <xs:element ref="UserSuffix" minOccurs="0"/> |
923 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
924 | + </xs:sequence> |
925 | + </xs:group> |
926 | + |
927 | + <xs:complexType name="AuthenticatorBaseType"> |
928 | + <xs:sequence> |
929 | + <xs:group ref="AuthenticatorChoiceGroup"/> |
930 | + <xs:group ref="AuthenticatorSequenceGroup"/> |
931 | + </xs:sequence> |
932 | + </xs:complexType> |
933 | + |
934 | + <xs:complexType name="ComplexAuthenticatorType"> |
935 | + <xs:sequence> |
936 | + <xs:group ref="AuthenticatorChoiceGroup"/> |
937 | + <xs:group ref="AuthenticatorSequenceGroup"/> |
938 | + </xs:sequence> |
939 | + </xs:complexType> |
940 | + |
941 | + <xs:complexType name="AuthenticatorTransportProtocolType"> |
942 | + <xs:sequence> |
943 | + <xs:choice minOccurs="0"> |
944 | + <xs:element ref="HTTP"/> |
945 | + <xs:element ref="SSL"/> |
946 | + <xs:element ref="MobileNetworkNoEncryption"/> |
947 | + <xs:element ref="MobileNetworkRadioEncryption"/> |
948 | + <xs:element ref="MobileNetworkEndToEndEncryption"/> |
949 | + <xs:element ref="WTLS"/> |
950 | + <xs:element ref="IPSec"/> |
951 | + <xs:element ref="PSTN"/> |
952 | + <xs:element ref="ISDN"/> |
953 | + <xs:element ref="ADSL"/> |
954 | + </xs:choice> |
955 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
956 | + </xs:sequence> |
957 | + </xs:complexType> |
958 | + |
959 | + <xs:complexType name="KeyActivationType"> |
960 | + <xs:sequence> |
961 | + <xs:element ref="ActivationPin" minOccurs="0"/> |
962 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
963 | + </xs:sequence> |
964 | + </xs:complexType> |
965 | + |
966 | + <xs:complexType name="KeySharingType"> |
967 | + <xs:attribute name="sharing" type="xs:boolean" use="required"/> |
968 | + </xs:complexType> |
969 | + |
970 | + <xs:complexType name="PrivateKeyProtectionType"> |
971 | + <xs:sequence> |
972 | + <xs:element ref="KeyActivation" minOccurs="0"/> |
973 | + <xs:element ref="KeyStorage" minOccurs="0"/> |
974 | + <xs:element ref="KeySharing" minOccurs="0"/> |
975 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
976 | + </xs:sequence> |
977 | + </xs:complexType> |
978 | + |
979 | + <xs:complexType name="PasswordType"> |
980 | + <xs:sequence> |
981 | + <xs:element ref="Length" minOccurs="0"/> |
982 | + <xs:element ref="Alphabet" minOccurs="0"/> |
983 | + <xs:element ref="Generation" minOccurs="0"/> |
984 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
985 | + </xs:sequence> |
986 | + <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/> |
987 | + </xs:complexType> |
988 | + |
989 | + <xs:element name="RestrictedPassword" type="RestrictedPasswordType"/> |
990 | + |
991 | + <xs:complexType name="RestrictedPasswordType"> |
992 | + <xs:complexContent> |
993 | + <xs:restriction base="PasswordType"> |
994 | + <xs:sequence> |
995 | + <xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/> |
996 | + <xs:element ref="Generation" minOccurs="0"/> |
997 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
998 | + </xs:sequence> |
999 | + <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/> |
1000 | + </xs:restriction> |
1001 | + </xs:complexContent> |
1002 | + </xs:complexType> |
1003 | + |
1004 | + <xs:complexType name="RestrictedLengthType"> |
1005 | + <xs:complexContent> |
1006 | + <xs:restriction base="LengthType"> |
1007 | + <xs:attribute name="min" use="required"> |
1008 | + <xs:simpleType> |
1009 | + <xs:restriction base="xs:integer"> |
1010 | + <xs:minInclusive value="3"/> |
1011 | + </xs:restriction> |
1012 | + </xs:simpleType> |
1013 | + </xs:attribute> |
1014 | + <xs:attribute name="max" type="xs:integer" use="optional"/> |
1015 | + </xs:restriction> |
1016 | + </xs:complexContent> |
1017 | + </xs:complexType> |
1018 | + |
1019 | + <xs:complexType name="ActivationPinType"> |
1020 | + <xs:sequence> |
1021 | + <xs:element ref="Length" minOccurs="0"/> |
1022 | + <xs:element ref="Alphabet" minOccurs="0"/> |
1023 | + <xs:element ref="Generation" minOccurs="0"/> |
1024 | + <xs:element ref="ActivationLimit" minOccurs="0"/> |
1025 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
1026 | + </xs:sequence> |
1027 | + </xs:complexType> |
1028 | + |
1029 | + <xs:element name="Alphabet" type="AlphabetType"/> |
1030 | + <xs:complexType name="AlphabetType"> |
1031 | + <xs:attribute name="requiredChars" type="xs:string" use="required"/> |
1032 | + <xs:attribute name="excludedChars" type="xs:string" use="optional"/> |
1033 | + <xs:attribute name="case" type="xs:string" use="optional"/> |
1034 | + </xs:complexType> |
1035 | + |
1036 | + <xs:complexType name="TokenType"> |
1037 | + <xs:sequence> |
1038 | + <xs:element ref="TimeSyncToken"/> |
1039 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
1040 | + </xs:sequence> |
1041 | + </xs:complexType> |
1042 | + |
1043 | + <xs:simpleType name="DeviceTypeType"> |
1044 | + <xs:restriction base="xs:NMTOKEN"> |
1045 | + <xs:enumeration value="hardware"/> |
1046 | + <xs:enumeration value="software"/> |
1047 | + </xs:restriction> |
1048 | + </xs:simpleType> |
1049 | + |
1050 | + <xs:simpleType name="booleanType"> |
1051 | + <xs:restriction base="xs:NMTOKEN"> |
1052 | + <xs:enumeration value="true"/> |
1053 | + <xs:enumeration value="false"/> |
1054 | + </xs:restriction> |
1055 | + </xs:simpleType> |
1056 | + |
1057 | + <xs:complexType name="TimeSyncTokenType"> |
1058 | + <xs:attribute name="DeviceType" type="DeviceTypeType" use="required"/> |
1059 | + <xs:attribute name="SeedLength" type="xs:integer" use="required"/> |
1060 | + <xs:attribute name="DeviceInHand" type="booleanType" use="required"/> |
1061 | + </xs:complexType> |
1062 | + |
1063 | + <xs:complexType name="ActivationLimitType"> |
1064 | + <xs:choice> |
1065 | + <xs:element ref="ActivationLimitDuration"/> |
1066 | + <xs:element ref="ActivationLimitUsages"/> |
1067 | + <xs:element ref="ActivationLimitSession"/> |
1068 | + </xs:choice> |
1069 | + </xs:complexType> |
1070 | + |
1071 | + <xs:element name="ActivationLimitDuration" type="ActivationLimitDurationType"> |
1072 | + <xs:annotation> |
1073 | + <xs:documentation> |
1074 | + This element indicates that the Key Activation Limit is |
1075 | + defined as a specific duration of time. |
1076 | + </xs:documentation> |
1077 | + </xs:annotation> |
1078 | + </xs:element> |
1079 | + |
1080 | + <xs:element name="ActivationLimitUsages" type="ActivationLimitUsagesType"> |
1081 | + <xs:annotation> |
1082 | + <xs:documentation> |
1083 | + This element indicates that the Key Activation Limit is |
1084 | + defined as a number of usages. |
1085 | + </xs:documentation> |
1086 | + </xs:annotation> |
1087 | + </xs:element> |
1088 | + |
1089 | + <xs:element name="ActivationLimitSession" type="ActivationLimitSessionType"> |
1090 | + <xs:annotation> |
1091 | + <xs:documentation> |
1092 | + This element indicates that the Key Activation Limit is |
1093 | + the session. |
1094 | + </xs:documentation> |
1095 | + </xs:annotation> |
1096 | + </xs:element> |
1097 | + |
1098 | + <xs:complexType name="ActivationLimitDurationType"> |
1099 | + <xs:attribute name="duration" type="xs:duration" use="required"/> |
1100 | + </xs:complexType> |
1101 | + |
1102 | + <xs:complexType name="ActivationLimitUsagesType"> |
1103 | + <xs:attribute name="number" type="xs:integer" use="required"/> |
1104 | + </xs:complexType> |
1105 | + |
1106 | + <xs:complexType name="ActivationLimitSessionType"/> |
1107 | + |
1108 | + <xs:complexType name="LengthType"> |
1109 | + <xs:attribute name="min" type="xs:integer" use="required"/> |
1110 | + <xs:attribute name="max" type="xs:integer" use="optional"/> |
1111 | + </xs:complexType> |
1112 | + |
1113 | + <xs:simpleType name="mediumType"> |
1114 | + <xs:restriction base="xs:NMTOKEN"> |
1115 | + <xs:enumeration value="memory"/> |
1116 | + <xs:enumeration value="smartcard"/> |
1117 | + <xs:enumeration value="token"/> |
1118 | + <xs:enumeration value="MobileDevice"/> |
1119 | + <xs:enumeration value="MobileAuthCard"/> |
1120 | + </xs:restriction> |
1121 | + </xs:simpleType> |
1122 | + |
1123 | + <xs:complexType name="KeyStorageType"> |
1124 | + <xs:attribute name="medium" type="mediumType" use="required"/> |
1125 | + </xs:complexType> |
1126 | + |
1127 | + <xs:complexType name="SecretKeyProtectionType"> |
1128 | + <xs:sequence> |
1129 | + <xs:element ref="KeyActivation" minOccurs="0"/> |
1130 | + <xs:element ref="KeyStorage" minOccurs="0"/> |
1131 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
1132 | + </xs:sequence> |
1133 | + </xs:complexType> |
1134 | + |
1135 | + <xs:complexType name="SecurityAuditType"> |
1136 | + <xs:sequence> |
1137 | + <xs:element ref="SwitchAudit" minOccurs="0"/> |
1138 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
1139 | + </xs:sequence> |
1140 | + </xs:complexType> |
1141 | + |
1142 | + <xs:complexType name="ExtensionOnlyType"> |
1143 | + <xs:sequence> |
1144 | + <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> |
1145 | + </xs:sequence> |
1146 | + </xs:complexType> |
1147 | + |
1148 | + <xs:element name="Extension" type="ExtensionType"/> |
1149 | + |
1150 | + <xs:complexType name="ExtensionType"> |
1151 | + <xs:sequence> |
1152 | + <xs:any namespace="##other" processContents="lax" maxOccurs="unbounded"/> |
1153 | + </xs:sequence> |
1154 | + </xs:complexType> |
1155 | + |
1156 | +</xs:schema> |
1157 | |
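Review bot: nothing in this hunk records which published OASIS copy of the authn-context-types schema these definitions were taken from, so a reviewer cannot tell a verbatim vendored file from one with local edits without diffing it against upstream; since the IdP will now trust these files as the validation oracle, suggest adding a short provenance note (upstream URL and a checksum of each .xsd) next to the schemas and diffing this file against the published copy before merge. One caveat worth stating near the new test: the `Extension` wildcard in `ExtensionType` is declared `<xs:any namespace="##other" processContents="lax" maxOccurs="unbounded"/>`, so elements from namespaces the validator has not loaded pass without being checked; a successful validation against this schema does not constrain extension content.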
1158 | === added file 'saml-schema-xsd/saml-schema-metadata-2.0.xsd' |
1159 | --- saml-schema-xsd/saml-schema-metadata-2.0.xsd 1970-01-01 00:00:00 +0000 |
1160 | +++ saml-schema-xsd/saml-schema-metadata-2.0.xsd 2017-11-07 14:38:57 +0000 |
1161 | @@ -0,0 +1,336 @@ |
1162 | +<?xml version="1.0" encoding="UTF-8"?> |
1163 | +<schema |
1164 | + targetNamespace="urn:oasis:names:tc:SAML:2.0:metadata" |
1165 | + xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" |
1166 | + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" |
1167 | + xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" |
1168 | + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" |
1169 | + xmlns="http://www.w3.org/2001/XMLSchema" |
1170 | + elementFormDefault="unqualified" |
1171 | + attributeFormDefault="unqualified" |
1172 | + blockDefault="substitution" |
1173 | + version="2.0"> |
1174 | + <import namespace="http://www.w3.org/2000/09/xmldsig#" |
1175 | + schemaLocation="xmldsig-core-schema.xsd"/> |
1176 | + <import namespace="http://www.w3.org/2001/04/xmlenc#" |
1177 | + schemaLocation="xenc-schema.xsd"/> |
1178 | + <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" |
1179 | + schemaLocation="saml-schema-assertion-2.0.xsd"/> |
1180 | + <import namespace="http://www.w3.org/XML/1998/namespace" |
1181 | + schemaLocation="xml.xsd"/> |
1182 | + <annotation> |
1183 | + <documentation> |
1184 | + Document identifier: saml-schema-metadata-2.0 |
1185 | + Location: http://docs.oasis-open.org/security/saml/v2.0/ |
1186 | + Revision history: |
1187 | + V2.0 (March, 2005): |
1188 | + Schema for SAML metadata, first published in SAML 2.0. |
1189 | + </documentation> |
1190 | + </annotation> |
1191 | + |
1192 | + <simpleType name="entityIDType"> |
1193 | + <restriction base="anyURI"> |
1194 | + <maxLength value="1024"/> |
1195 | + </restriction> |
1196 | + </simpleType> |
1197 | + <complexType name="localizedNameType"> |
1198 | + <simpleContent> |
1199 | + <extension base="string"> |
1200 | + <attribute ref="xml:lang" use="required"/> |
1201 | + </extension> |
1202 | + </simpleContent> |
1203 | + </complexType> |
1204 | + <complexType name="localizedURIType"> |
1205 | + <simpleContent> |
1206 | + <extension base="anyURI"> |
1207 | + <attribute ref="xml:lang" use="required"/> |
1208 | + </extension> |
1209 | + </simpleContent> |
1210 | + </complexType> |
1211 | + |
1212 | + <element name="Extensions" type="md:ExtensionsType"/> |
1213 | + <complexType final="#all" name="ExtensionsType"> |
1214 | + <sequence> |
1215 | + <any namespace="##other" processContents="lax" maxOccurs="unbounded"/> |
1216 | + </sequence> |
1217 | + </complexType> |
1218 | + |
1219 | + <complexType name="EndpointType"> |
1220 | + <sequence> |
1221 | + <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> |
1222 | + </sequence> |
1223 | + <attribute name="Binding" type="anyURI" use="required"/> |
1224 | + <attribute name="Location" type="anyURI" use="required"/> |
1225 | + <attribute name="ResponseLocation" type="anyURI" use="optional"/> |
1226 | + <anyAttribute namespace="##other" processContents="lax"/> |
1227 | + </complexType> |
1228 | + |
1229 | + <complexType name="IndexedEndpointType"> |
1230 | + <complexContent> |
1231 | + <extension base="md:EndpointType"> |
1232 | + <attribute name="index" type="unsignedShort" use="required"/> |
1233 | + <attribute name="isDefault" type="boolean" use="optional"/> |
1234 | + </extension> |
1235 | + </complexContent> |
1236 | + </complexType> |
1237 | + |
1238 | + <element name="EntitiesDescriptor" type="md:EntitiesDescriptorType"/> |
1239 | + <complexType name="EntitiesDescriptorType"> |
1240 | + <sequence> |
1241 | + <element ref="ds:Signature" minOccurs="0"/> |
1242 | + <element ref="md:Extensions" minOccurs="0"/> |
1243 | + <choice minOccurs="1" maxOccurs="unbounded"> |
1244 | + <element ref="md:EntityDescriptor"/> |
1245 | + <element ref="md:EntitiesDescriptor"/> |
1246 | + </choice> |
1247 | + </sequence> |
1248 | + <attribute name="validUntil" type="dateTime" use="optional"/> |
1249 | + <attribute name="cacheDuration" type="duration" use="optional"/> |
1250 | + <attribute name="ID" type="ID" use="optional"/> |
1251 | + <attribute name="Name" type="string" use="optional"/> |
1252 | + </complexType> |
1253 | + |
1254 | + <element name="EntityDescriptor" type="md:EntityDescriptorType"/> |
1255 | + <complexType name="EntityDescriptorType"> |
1256 | + <sequence> |
1257 | + <element ref="ds:Signature" minOccurs="0"/> |
1258 | + <element ref="md:Extensions" minOccurs="0"/> |
1259 | + <choice> |
1260 | + <choice maxOccurs="unbounded"> |
1261 | + <element ref="md:RoleDescriptor"/> |
1262 | + <element ref="md:IDPSSODescriptor"/> |
1263 | + <element ref="md:SPSSODescriptor"/> |
1264 | + <element ref="md:AuthnAuthorityDescriptor"/> |
1265 | + <element ref="md:AttributeAuthorityDescriptor"/> |
1266 | + <element ref="md:PDPDescriptor"/> |
1267 | + </choice> |
1268 | + <element ref="md:AffiliationDescriptor"/> |
1269 | + </choice> |
1270 | + <element ref="md:Organization" minOccurs="0"/> |
1271 | + <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/> |
1272 | + <element ref="md:AdditionalMetadataLocation" minOccurs="0" maxOccurs="unbounded"/> |
1273 | + </sequence> |
1274 | + <attribute name="entityID" type="md:entityIDType" use="required"/> |
1275 | + <attribute name="validUntil" type="dateTime" use="optional"/> |
1276 | + <attribute name="cacheDuration" type="duration" use="optional"/> |
1277 | + <attribute name="ID" type="ID" use="optional"/> |
1278 | + <anyAttribute namespace="##other" processContents="lax"/> |
1279 | + </complexType> |
1280 | + |
1281 | + <element name="Organization" type="md:OrganizationType"/> |
1282 | + <complexType name="OrganizationType"> |
1283 | + <sequence> |
1284 | + <element ref="md:Extensions" minOccurs="0"/> |
1285 | + <element ref="md:OrganizationName" maxOccurs="unbounded"/> |
1286 | + <element ref="md:OrganizationDisplayName" maxOccurs="unbounded"/> |
1287 | + <element ref="md:OrganizationURL" maxOccurs="unbounded"/> |
1288 | + </sequence> |
1289 | + <anyAttribute namespace="##other" processContents="lax"/> |
1290 | + </complexType> |
1291 | + <element name="OrganizationName" type="md:localizedNameType"/> |
1292 | + <element name="OrganizationDisplayName" type="md:localizedNameType"/> |
1293 | + <element name="OrganizationURL" type="md:localizedURIType"/> |
1294 | + <element name="ContactPerson" type="md:ContactType"/> |
1295 | + <complexType name="ContactType"> |
1296 | + <sequence> |
1297 | + <element ref="md:Extensions" minOccurs="0"/> |
1298 | + <element ref="md:Company" minOccurs="0"/> |
1299 | + <element ref="md:GivenName" minOccurs="0"/> |
1300 | + <element ref="md:SurName" minOccurs="0"/> |
1301 | + <element ref="md:EmailAddress" minOccurs="0" maxOccurs="unbounded"/> |
1302 | + <element ref="md:TelephoneNumber" minOccurs="0" maxOccurs="unbounded"/> |
1303 | + </sequence> |
1304 | + <attribute name="contactType" type="md:ContactTypeType" use="required"/> |
1305 | + <anyAttribute namespace="##other" processContents="lax"/> |
1306 | + </complexType> |
1307 | + <element name="Company" type="string"/> |
1308 | + <element name="GivenName" type="string"/> |
1309 | + <element name="SurName" type="string"/> |
1310 | + <element name="EmailAddress" type="anyURI"/> |
1311 | + <element name="TelephoneNumber" type="string"/> |
1312 | + <simpleType name="ContactTypeType"> |
1313 | + <restriction base="string"> |
1314 | + <enumeration value="technical"/> |
1315 | + <enumeration value="support"/> |
1316 | + <enumeration value="administrative"/> |
1317 | + <enumeration value="billing"/> |
1318 | + <enumeration value="other"/> |
1319 | + </restriction> |
1320 | + </simpleType> |
1321 | + |
1322 | + <element name="AdditionalMetadataLocation" type="md:AdditionalMetadataLocationType"/> |
1323 | + <complexType name="AdditionalMetadataLocationType"> |
1324 | + <simpleContent> |
1325 | + <extension base="anyURI"> |
1326 | + <attribute name="namespace" type="anyURI" use="required"/> |
1327 | + </extension> |
1328 | + </simpleContent> |
1329 | + </complexType> |
1330 | + |
1331 | + <element name="RoleDescriptor" type="md:RoleDescriptorType"/> |
1332 | + <complexType name="RoleDescriptorType" abstract="true"> |
1333 | + <sequence> |
1334 | + <element ref="ds:Signature" minOccurs="0"/> |
1335 | + <element ref="md:Extensions" minOccurs="0"/> |
1336 | + <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/> |
1337 | + <element ref="md:Organization" minOccurs="0"/> |
1338 | + <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/> |
1339 | + </sequence> |
1340 | + <attribute name="ID" type="ID" use="optional"/> |
1341 | + <attribute name="validUntil" type="dateTime" use="optional"/> |
1342 | + <attribute name="cacheDuration" type="duration" use="optional"/> |
1343 | + <attribute name="protocolSupportEnumeration" type="md:anyURIListType" use="required"/> |
1344 | + <attribute name="errorURL" type="anyURI" use="optional"/> |
1345 | + <anyAttribute namespace="##other" processContents="lax"/> |
1346 | + </complexType> |
1347 | + <simpleType name="anyURIListType"> |
1348 | + <list itemType="anyURI"/> |
1349 | + </simpleType> |
1350 | + |
1351 | + <element name="KeyDescriptor" type="md:KeyDescriptorType"/> |
1352 | + <complexType name="KeyDescriptorType"> |
1353 | + <sequence> |
1354 | + <element ref="ds:KeyInfo"/> |
1355 | + <element ref="md:EncryptionMethod" minOccurs="0" maxOccurs="unbounded"/> |
1356 | + </sequence> |
1357 | + <attribute name="use" type="md:KeyTypes" use="optional"/> |
1358 | + </complexType> |
1359 | + <simpleType name="KeyTypes"> |
1360 | + <restriction base="string"> |
1361 | + <enumeration value="encryption"/> |
1362 | + <enumeration value="signing"/> |
1363 | + </restriction> |
1364 | + </simpleType> |
1365 | + <element name="EncryptionMethod" type="xenc:EncryptionMethodType"/> |
1366 | + |
1367 | + <complexType name="SSODescriptorType" abstract="true"> |
1368 | + <complexContent> |
1369 | + <extension base="md:RoleDescriptorType"> |
1370 | + <sequence> |
1371 | + <element ref="md:ArtifactResolutionService" minOccurs="0" maxOccurs="unbounded"/> |
1372 | + <element ref="md:SingleLogoutService" minOccurs="0" maxOccurs="unbounded"/> |
1373 | + <element ref="md:ManageNameIDService" minOccurs="0" maxOccurs="unbounded"/> |
1374 | + <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/> |
1375 | + </sequence> |
1376 | + </extension> |
1377 | + </complexContent> |
1378 | + </complexType> |
1379 | + <element name="ArtifactResolutionService" type="md:IndexedEndpointType"/> |
1380 | + <element name="SingleLogoutService" type="md:EndpointType"/> |
1381 | + <element name="ManageNameIDService" type="md:EndpointType"/> |
1382 | + <element name="NameIDFormat" type="anyURI"/> |
1383 | + |
1384 | + <element name="IDPSSODescriptor" type="md:IDPSSODescriptorType"/> |
1385 | + <complexType name="IDPSSODescriptorType"> |
1386 | + <complexContent> |
1387 | + <extension base="md:SSODescriptorType"> |
1388 | + <sequence> |
1389 | + <element ref="md:SingleSignOnService" maxOccurs="unbounded"/> |
1390 | + <element ref="md:NameIDMappingService" minOccurs="0" maxOccurs="unbounded"/> |
1391 | + <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/> |
1392 | + <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/> |
1393 | + <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/> |
1394 | + </sequence> |
1395 | + <attribute name="WantAuthnRequestsSigned" type="boolean" use="optional"/> |
1396 | + </extension> |
1397 | + </complexContent> |
1398 | + </complexType> |
1399 | + <element name="SingleSignOnService" type="md:EndpointType"/> |
1400 | + <element name="NameIDMappingService" type="md:EndpointType"/> |
1401 | + <element name="AssertionIDRequestService" type="md:EndpointType"/> |
1402 | + <element name="AttributeProfile" type="anyURI"/> |
1403 | + |
1404 | + <element name="SPSSODescriptor" type="md:SPSSODescriptorType"/> |
1405 | + <complexType name="SPSSODescriptorType"> |
1406 | + <complexContent> |
1407 | + <extension base="md:SSODescriptorType"> |
1408 | + <sequence> |
1409 | + <element ref="md:AssertionConsumerService" maxOccurs="unbounded"/> |
1410 | + <element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/> |
1411 | + </sequence> |
1412 | + <attribute name="AuthnRequestsSigned" type="boolean" use="optional"/> |
1413 | + <attribute name="WantAssertionsSigned" type="boolean" use="optional"/> |
1414 | + </extension> |
1415 | + </complexContent> |
1416 | + </complexType> |
1417 | + <element name="AssertionConsumerService" type="md:IndexedEndpointType"/> |
1418 | + <element name="AttributeConsumingService" type="md:AttributeConsumingServiceType"/> |
1419 | + <complexType name="AttributeConsumingServiceType"> |
1420 | + <sequence> |
1421 | + <element ref="md:ServiceName" maxOccurs="unbounded"/> |
1422 | + <element ref="md:ServiceDescription" minOccurs="0" maxOccurs="unbounded"/> |
1423 | + <element ref="md:RequestedAttribute" maxOccurs="unbounded"/> |
1424 | + </sequence> |
1425 | + <attribute name="index" type="unsignedShort" use="required"/> |
1426 | + <attribute name="isDefault" type="boolean" use="optional"/> |
1427 | + </complexType> |
1428 | + <element name="ServiceName" type="md:localizedNameType"/> |
1429 | + <element name="ServiceDescription" type="md:localizedNameType"/> |
1430 | + <element name="RequestedAttribute" type="md:RequestedAttributeType"/> |
1431 | + <complexType name="RequestedAttributeType"> |
1432 | + <complexContent> |
1433 | + <extension base="saml:AttributeType"> |
1434 | + <attribute name="isRequired" type="boolean" use="optional"/> |
1435 | + </extension> |
1436 | + </complexContent> |
1437 | + </complexType> |
1438 | + |
1439 | + <element name="AuthnAuthorityDescriptor" type="md:AuthnAuthorityDescriptorType"/> |
1440 | + <complexType name="AuthnAuthorityDescriptorType"> |
1441 | + <complexContent> |
1442 | + <extension base="md:RoleDescriptorType"> |
1443 | + <sequence> |
1444 | + <element ref="md:AuthnQueryService" maxOccurs="unbounded"/> |
1445 | + <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/> |
1446 | + <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/> |
1447 | + </sequence> |
1448 | + </extension> |
1449 | + </complexContent> |
1450 | + </complexType> |
1451 | + <element name="AuthnQueryService" type="md:EndpointType"/> |
1452 | + |
1453 | + <element name="PDPDescriptor" type="md:PDPDescriptorType"/> |
1454 | + <complexType name="PDPDescriptorType"> |
1455 | + <complexContent> |
1456 | + <extension base="md:RoleDescriptorType"> |
1457 | + <sequence> |
1458 | + <element ref="md:AuthzService" maxOccurs="unbounded"/> |
1459 | + <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/> |
1460 | + <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/> |
1461 | + </sequence> |
1462 | + </extension> |
1463 | + </complexContent> |
1464 | + </complexType> |
1465 | + <element name="AuthzService" type="md:EndpointType"/> |
1466 | + |
1467 | + <element name="AttributeAuthorityDescriptor" type="md:AttributeAuthorityDescriptorType"/> |
1468 | + <complexType name="AttributeAuthorityDescriptorType"> |
1469 | + <complexContent> |
1470 | + <extension base="md:RoleDescriptorType"> |
1471 | + <sequence> |
1472 | + <element ref="md:AttributeService" maxOccurs="unbounded"/> |
1473 | + <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/> |
1474 | + <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/> |
1475 | + <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/> |
1476 | + <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/> |
1477 | + </sequence> |
1478 | + </extension> |
1479 | + </complexContent> |
1480 | + </complexType> |
1481 | + <element name="AttributeService" type="md:EndpointType"/> |
1482 | + |
1483 | + <element name="AffiliationDescriptor" type="md:AffiliationDescriptorType"/> |
1484 | + <complexType name="AffiliationDescriptorType"> |
1485 | + <sequence> |
1486 | + <element ref="ds:Signature" minOccurs="0"/> |
1487 | + <element ref="md:Extensions" minOccurs="0"/> |
1488 | + <element ref="md:AffiliateMember" maxOccurs="unbounded"/> |
1489 | + </sequence> |
1490 | + <attribute name="affiliationOwnerID" type="md:entityIDType" use="required"/> |
1491 | + <attribute name="validUntil" type="dateTime" use="optional"/> |
1492 | + <attribute name="cacheDuration" type="duration" use="optional"/> |
1493 | + <attribute name="ID" type="ID" use="optional"/> |
1494 | + <anyAttribute namespace="##other" processContents="lax"/> |
1495 | + </complexType> |
1496 | + <element name="AffiliateMember" type="md:entityIDType"/> |
1497 | +</schema> |
1498 | |
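Review bot: consider recording the upstream source for this vendored copy of the metadata schema (the OASIS URL it was fetched from and a checksum of the file as fetched), either in a README in saml-schema-xsd/ or in the commit message; without that, the next person updating the schemas has to compare the whole file by eye against the OASIS original instead of diffing two known revisions. Content-wise the tail of the schema matches the standard structure (IDPSSODescriptorType, SPSSODescriptorType, AffiliationDescriptorType with optional ds:Signature), so nothing to change in the hunk itself.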
1499 | === added file 'saml-schema-xsd/saml-schema-protocol-2.0.xsd' |
1500 | --- saml-schema-xsd/saml-schema-protocol-2.0.xsd 1970-01-01 00:00:00 +0000 |
1501 | +++ saml-schema-xsd/saml-schema-protocol-2.0.xsd 2017-11-07 14:38:57 +0000 |
1502 | @@ -0,0 +1,302 @@ |
1503 | +<?xml version="1.0" encoding="UTF-8"?> |
1504 | +<schema |
1505 | + targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol" |
1506 | + xmlns="http://www.w3.org/2001/XMLSchema" |
1507 | + xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" |
1508 | + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" |
1509 | + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" |
1510 | + elementFormDefault="unqualified" |
1511 | + attributeFormDefault="unqualified" |
1512 | + blockDefault="substitution" |
1513 | + version="2.0"> |
1514 | + <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" |
1515 | + schemaLocation="saml-schema-assertion-2.0.xsd"/> |
1516 | + <import namespace="http://www.w3.org/2000/09/xmldsig#" |
1517 | + schemaLocation="xmldsig-core-schema.xsd"/> |
1518 | + <annotation> |
1519 | + <documentation> |
1520 | + Document identifier: saml-schema-protocol-2.0 |
1521 | + Location: http://docs.oasis-open.org/security/saml/v2.0/ |
1522 | + Revision history: |
1523 | + V1.0 (November, 2002): |
1524 | + Initial Standard Schema. |
1525 | + V1.1 (September, 2003): |
1526 | + Updates within the same V1.0 namespace. |
1527 | + V2.0 (March, 2005): |
1528 | + New protocol schema based in a SAML V2.0 namespace. |
1529 | + </documentation> |
1530 | + </annotation> |
1531 | + <complexType name="RequestAbstractType" abstract="true"> |
1532 | + <sequence> |
1533 | + <element ref="saml:Issuer" minOccurs="0"/> |
1534 | + <element ref="ds:Signature" minOccurs="0"/> |
1535 | + <element ref="samlp:Extensions" minOccurs="0"/> |
1536 | + </sequence> |
1537 | + <attribute name="ID" type="ID" use="required"/> |
1538 | + <attribute name="Version" type="string" use="required"/> |
1539 | + <attribute name="IssueInstant" type="dateTime" use="required"/> |
1540 | + <attribute name="Destination" type="anyURI" use="optional"/> |
1541 | + <attribute name="Consent" type="anyURI" use="optional"/> |
1542 | + </complexType> |
1543 | + <element name="Extensions" type="samlp:ExtensionsType"/> |
1544 | + <complexType name="ExtensionsType"> |
1545 | + <sequence> |
1546 | + <any namespace="##other" processContents="lax" maxOccurs="unbounded"/> |
1547 | + </sequence> |
1548 | + </complexType> |
1549 | + <complexType name="StatusResponseType"> |
1550 | + <sequence> |
1551 | + <element ref="saml:Issuer" minOccurs="0"/> |
1552 | + <element ref="ds:Signature" minOccurs="0"/> |
1553 | + <element ref="samlp:Extensions" minOccurs="0"/> |
1554 | + <element ref="samlp:Status"/> |
1555 | + </sequence> |
1556 | + <attribute name="ID" type="ID" use="required"/> |
1557 | + <attribute name="InResponseTo" type="NCName" use="optional"/> |
1558 | + <attribute name="Version" type="string" use="required"/> |
1559 | + <attribute name="IssueInstant" type="dateTime" use="required"/> |
1560 | + <attribute name="Destination" type="anyURI" use="optional"/> |
1561 | + <attribute name="Consent" type="anyURI" use="optional"/> |
1562 | + </complexType> |
1563 | + <element name="Status" type="samlp:StatusType"/> |
1564 | + <complexType name="StatusType"> |
1565 | + <sequence> |
1566 | + <element ref="samlp:StatusCode"/> |
1567 | + <element ref="samlp:StatusMessage" minOccurs="0"/> |
1568 | + <element ref="samlp:StatusDetail" minOccurs="0"/> |
1569 | + </sequence> |
1570 | + </complexType> |
1571 | + <element name="StatusCode" type="samlp:StatusCodeType"/> |
1572 | + <complexType name="StatusCodeType"> |
1573 | + <sequence> |
1574 | + <element ref="samlp:StatusCode" minOccurs="0"/> |
1575 | + </sequence> |
1576 | + <attribute name="Value" type="anyURI" use="required"/> |
1577 | + </complexType> |
1578 | + <element name="StatusMessage" type="string"/> |
1579 | + <element name="StatusDetail" type="samlp:StatusDetailType"/> |
1580 | + <complexType name="StatusDetailType"> |
1581 | + <sequence> |
1582 | + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> |
1583 | + </sequence> |
1584 | + </complexType> |
1585 | + <element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/> |
1586 | + <complexType name="AssertionIDRequestType"> |
1587 | + <complexContent> |
1588 | + <extension base="samlp:RequestAbstractType"> |
1589 | + <sequence> |
1590 | + <element ref="saml:AssertionIDRef" maxOccurs="unbounded"/> |
1591 | + </sequence> |
1592 | + </extension> |
1593 | + </complexContent> |
1594 | + </complexType> |
1595 | + <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/> |
1596 | + <complexType name="SubjectQueryAbstractType" abstract="true"> |
1597 | + <complexContent> |
1598 | + <extension base="samlp:RequestAbstractType"> |
1599 | + <sequence> |
1600 | + <element ref="saml:Subject"/> |
1601 | + </sequence> |
1602 | + </extension> |
1603 | + </complexContent> |
1604 | + </complexType> |
1605 | + <element name="AuthnQuery" type="samlp:AuthnQueryType"/> |
1606 | + <complexType name="AuthnQueryType"> |
1607 | + <complexContent> |
1608 | + <extension base="samlp:SubjectQueryAbstractType"> |
1609 | + <sequence> |
1610 | + <element ref="samlp:RequestedAuthnContext" minOccurs="0"/> |
1611 | + </sequence> |
1612 | + <attribute name="SessionIndex" type="string" use="optional"/> |
1613 | + </extension> |
1614 | + </complexContent> |
1615 | + </complexType> |
1616 | + <element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/> |
1617 | + <complexType name="RequestedAuthnContextType"> |
1618 | + <choice> |
1619 | + <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/> |
1620 | + <element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/> |
1621 | + </choice> |
1622 | + <attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/> |
1623 | + </complexType> |
1624 | + <simpleType name="AuthnContextComparisonType"> |
1625 | + <restriction base="string"> |
1626 | + <enumeration value="exact"/> |
1627 | + <enumeration value="minimum"/> |
1628 | + <enumeration value="maximum"/> |
1629 | + <enumeration value="better"/> |
1630 | + </restriction> |
1631 | + </simpleType> |
1632 | + <element name="AttributeQuery" type="samlp:AttributeQueryType"/> |
1633 | + <complexType name="AttributeQueryType"> |
1634 | + <complexContent> |
1635 | + <extension base="samlp:SubjectQueryAbstractType"> |
1636 | + <sequence> |
1637 | + <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/> |
1638 | + </sequence> |
1639 | + </extension> |
1640 | + </complexContent> |
1641 | + </complexType> |
1642 | + <element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/> |
1643 | + <complexType name="AuthzDecisionQueryType"> |
1644 | + <complexContent> |
1645 | + <extension base="samlp:SubjectQueryAbstractType"> |
1646 | + <sequence> |
1647 | + <element ref="saml:Action" maxOccurs="unbounded"/> |
1648 | + <element ref="saml:Evidence" minOccurs="0"/> |
1649 | + </sequence> |
1650 | + <attribute name="Resource" type="anyURI" use="required"/> |
1651 | + </extension> |
1652 | + </complexContent> |
1653 | + </complexType> |
1654 | + <element name="AuthnRequest" type="samlp:AuthnRequestType"/> |
1655 | + <complexType name="AuthnRequestType"> |
1656 | + <complexContent> |
1657 | + <extension base="samlp:RequestAbstractType"> |
1658 | + <sequence> |
1659 | + <element ref="saml:Subject" minOccurs="0"/> |
1660 | + <element ref="samlp:NameIDPolicy" minOccurs="0"/> |
1661 | + <element ref="saml:Conditions" minOccurs="0"/> |
1662 | + <element ref="samlp:RequestedAuthnContext" minOccurs="0"/> |
1663 | + <element ref="samlp:Scoping" minOccurs="0"/> |
1664 | + </sequence> |
1665 | + <attribute name="ForceAuthn" type="boolean" use="optional"/> |
1666 | + <attribute name="IsPassive" type="boolean" use="optional"/> |
1667 | + <attribute name="ProtocolBinding" type="anyURI" use="optional"/> |
1668 | + <attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/> |
1669 | + <attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/> |
1670 | + <attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/> |
1671 | + <attribute name="ProviderName" type="string" use="optional"/> |
1672 | + </extension> |
1673 | + </complexContent> |
1674 | + </complexType> |
1675 | + <element name="NameIDPolicy" type="samlp:NameIDPolicyType"/> |
1676 | + <complexType name="NameIDPolicyType"> |
1677 | + <attribute name="Format" type="anyURI" use="optional"/> |
1678 | + <attribute name="SPNameQualifier" type="string" use="optional"/> |
1679 | + <attribute name="AllowCreate" type="boolean" use="optional"/> |
1680 | + </complexType> |
1681 | + <element name="Scoping" type="samlp:ScopingType"/> |
1682 | + <complexType name="ScopingType"> |
1683 | + <sequence> |
1684 | + <element ref="samlp:IDPList" minOccurs="0"/> |
1685 | + <element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/> |
1686 | + </sequence> |
1687 | + <attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/> |
1688 | + </complexType> |
1689 | + <element name="RequesterID" type="anyURI"/> |
1690 | + <element name="IDPList" type="samlp:IDPListType"/> |
1691 | + <complexType name="IDPListType"> |
1692 | + <sequence> |
1693 | + <element ref="samlp:IDPEntry" maxOccurs="unbounded"/> |
1694 | + <element ref="samlp:GetComplete" minOccurs="0"/> |
1695 | + </sequence> |
1696 | + </complexType> |
1697 | + <element name="IDPEntry" type="samlp:IDPEntryType"/> |
1698 | + <complexType name="IDPEntryType"> |
1699 | + <attribute name="ProviderID" type="anyURI" use="required"/> |
1700 | + <attribute name="Name" type="string" use="optional"/> |
1701 | + <attribute name="Loc" type="anyURI" use="optional"/> |
1702 | + </complexType> |
1703 | + <element name="GetComplete" type="anyURI"/> |
1704 | + <element name="Response" type="samlp:ResponseType"/> |
1705 | + <complexType name="ResponseType"> |
1706 | + <complexContent> |
1707 | + <extension base="samlp:StatusResponseType"> |
1708 | + <choice minOccurs="0" maxOccurs="unbounded"> |
1709 | + <element ref="saml:Assertion"/> |
1710 | + <element ref="saml:EncryptedAssertion"/> |
1711 | + </choice> |
1712 | + </extension> |
1713 | + </complexContent> |
1714 | + </complexType> |
1715 | + <element name="ArtifactResolve" type="samlp:ArtifactResolveType"/> |
1716 | + <complexType name="ArtifactResolveType"> |
1717 | + <complexContent> |
1718 | + <extension base="samlp:RequestAbstractType"> |
1719 | + <sequence> |
1720 | + <element ref="samlp:Artifact"/> |
1721 | + </sequence> |
1722 | + </extension> |
1723 | + </complexContent> |
1724 | + </complexType> |
1725 | + <element name="Artifact" type="string"/> |
1726 | + <element name="ArtifactResponse" type="samlp:ArtifactResponseType"/> |
1727 | + <complexType name="ArtifactResponseType"> |
1728 | + <complexContent> |
1729 | + <extension base="samlp:StatusResponseType"> |
1730 | + <sequence> |
1731 | + <any namespace="##any" processContents="lax" minOccurs="0"/> |
1732 | + </sequence> |
1733 | + </extension> |
1734 | + </complexContent> |
1735 | + </complexType> |
1736 | + <element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/> |
1737 | + <complexType name="ManageNameIDRequestType"> |
1738 | + <complexContent> |
1739 | + <extension base="samlp:RequestAbstractType"> |
1740 | + <sequence> |
1741 | + <choice> |
1742 | + <element ref="saml:NameID"/> |
1743 | + <element ref="saml:EncryptedID"/> |
1744 | + </choice> |
1745 | + <choice> |
1746 | + <element ref="samlp:NewID"/> |
1747 | + <element ref="samlp:NewEncryptedID"/> |
1748 | + <element ref="samlp:Terminate"/> |
1749 | + </choice> |
1750 | + </sequence> |
1751 | + </extension> |
1752 | + </complexContent> |
1753 | + </complexType> |
1754 | + <element name="NewID" type="string"/> |
1755 | + <element name="NewEncryptedID" type="saml:EncryptedElementType"/> |
1756 | + <element name="Terminate" type="samlp:TerminateType"/> |
1757 | + <complexType name="TerminateType"/> |
1758 | + <element name="ManageNameIDResponse" type="samlp:StatusResponseType"/> |
1759 | + <element name="LogoutRequest" type="samlp:LogoutRequestType"/> |
1760 | + <complexType name="LogoutRequestType"> |
1761 | + <complexContent> |
1762 | + <extension base="samlp:RequestAbstractType"> |
1763 | + <sequence> |
1764 | + <choice> |
1765 | + <element ref="saml:BaseID"/> |
1766 | + <element ref="saml:NameID"/> |
1767 | + <element ref="saml:EncryptedID"/> |
1768 | + </choice> |
1769 | + <element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/> |
1770 | + </sequence> |
1771 | + <attribute name="Reason" type="string" use="optional"/> |
1772 | + <attribute name="NotOnOrAfter" type="dateTime" use="optional"/> |
1773 | + </extension> |
1774 | + </complexContent> |
1775 | + </complexType> |
1776 | + <element name="SessionIndex" type="string"/> |
1777 | + <element name="LogoutResponse" type="samlp:StatusResponseType"/> |
1778 | + <element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/> |
1779 | + <complexType name="NameIDMappingRequestType"> |
1780 | + <complexContent> |
1781 | + <extension base="samlp:RequestAbstractType"> |
1782 | + <sequence> |
1783 | + <choice> |
1784 | + <element ref="saml:BaseID"/> |
1785 | + <element ref="saml:NameID"/> |
1786 | + <element ref="saml:EncryptedID"/> |
1787 | + </choice> |
1788 | + <element ref="samlp:NameIDPolicy"/> |
1789 | + </sequence> |
1790 | + </extension> |
1791 | + </complexContent> |
1792 | + </complexType> |
1793 | + <element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/> |
1794 | + <complexType name="NameIDMappingResponseType"> |
1795 | + <complexContent> |
1796 | + <extension base="samlp:StatusResponseType"> |
1797 | + <choice> |
1798 | + <element ref="saml:NameID"/> |
1799 | + <element ref="saml:EncryptedID"/> |
1800 | + </choice> |
1801 | + </extension> |
1802 | + </complexContent> |
1803 | + </complexType> |
1804 | +</schema> |
1805 | |
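Review bot: schema validity must not be read as trust in what this branch validates: in this hunk `ds:Signature` is `minOccurs="0"` in both `RequestAbstractType` and `StatusResponseType`, `ResponseType` accepts zero or more `saml:Assertion`/`saml:EncryptedAssertion`, and `StatusDetailType` and `ArtifactResponseType` take `<any namespace="##any" processContents="lax" .../>`, so an unsigned, assertion-less response carrying arbitrary extra content is still schema-valid. The XSD check is a structural gate on what the IdP emits; signature presence and assertion content still need their own assertions in the processor tests. A one-line comment in the test saying exactly that would stop anyone later treating "validates against the XSD" as a security property.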
1806 | === added file 'saml-schema-xsd/sstc-metadata-attr.xsd' |
1807 | --- saml-schema-xsd/sstc-metadata-attr.xsd 1970-01-01 00:00:00 +0000 |
1808 | +++ saml-schema-xsd/sstc-metadata-attr.xsd 2017-11-07 14:38:57 +0000 |
1809 | @@ -0,0 +1,35 @@ |
1810 | +<?xml version="1.0" encoding="UTF-8"?> |
1811 | +<schema |
1812 | + targetNamespace="urn:oasis:names:tc:SAML:metadata:attribute" |
1813 | + xmlns="http://www.w3.org/2001/XMLSchema" |
1814 | + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" |
1815 | + xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" |
1816 | + elementFormDefault="unqualified" |
1817 | + attributeFormDefault="unqualified" |
1818 | + blockDefault="substitution" |
1819 | + version="2.0"> |
1820 | + |
1821 | + <annotation> |
1822 | + <documentation> |
1823 | + Document title: SAML V2.0 Metadata Extention for Entity Attributes Schema |
1824 | + Document identifier: sstc-metadata-attr.xsd |
1825 | + Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security |
1826 | + Revision history: |
1827 | + V1.0 (November 2008): |
1828 | + Initial version. |
1829 | + </documentation> |
1830 | + </annotation> |
1831 | + |
1832 | + <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" |
1833 | + schemaLocation="saml-schema-assertion-2.0.xsd"/> |
1834 | + |
1835 | + <element name="EntityAttributes" type="mdattr:EntityAttributesType"/> |
1836 | + <complexType name="EntityAttributesType"> |
1837 | + <choice maxOccurs="unbounded"> |
1838 | + <element ref="saml:Attribute"/> |
1839 | + <element ref="saml:Assertion"/> |
1840 | + </choice> |
1841 | + </complexType> |
1842 | + |
1843 | +</schema> |
1844 | + |
1845 | |
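Review bot: the `<import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>` here, like the ds/saml imports in the other added files, is a relative path, so the validator has to build the schema from the file's on-disk location (for lxml, `etree.XMLSchema(file=path)`) rather than from a string, or the import cannot be resolved and schema compilation fails. A small test that compiles the whole vendored schema set would catch a missing or renamed file at once rather than only when a response happens to exercise that namespace.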
1846 | === added file 'saml-schema-xsd/sstc-saml-attribute-ext.xsd' |
1847 | --- saml-schema-xsd/sstc-saml-attribute-ext.xsd 1970-01-01 00:00:00 +0000 |
1848 | +++ saml-schema-xsd/sstc-saml-attribute-ext.xsd 2017-11-07 14:38:57 +0000 |
1849 | @@ -0,0 +1,25 @@ |
1850 | +<?xml version="1.0" encoding="UTF-8"?> |
1851 | +<schema |
1852 | + targetNamespace="urn:oasis:names:tc:SAML:attribute:ext" |
1853 | + xmlns="http://www.w3.org/2001/XMLSchema" |
1854 | + elementFormDefault="unqualified" |
1855 | + attributeFormDefault="unqualified" |
1856 | + blockDefault="substitution" |
1857 | + version="2.0"> |
1858 | + |
1859 | + <annotation> |
1860 | + <documentation> |
1861 | + Document title: SAML V2.0 Attribute Extension Schema |
1862 | + Document identifier: sstc-saml-attribute-ext.xsd |
1863 | + Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security |
1864 | + Revision history: |
1865 | + V1.0 (October 2008): |
1866 | + Initial version. |
1867 | + </documentation> |
1868 | + </annotation> |
1869 | + |
1870 | + <attribute name="OriginalIssuer" type="anyURI"/> |
1871 | + <attribute name="LastModified" type="dateTime"/> |
1872 | + |
1873 | +</schema> |
1874 | + |
1875 | |
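Review bot: this file, and also sstc-metadata-attr.xsd, the algsupport, ui and xenc files, ends with an extra empty `+` line. If the intent is a byte-identical copy of the OASIS original, confirm that blank line is upstream; otherwise strip it so a future diff against upstream stays clean. Nothing functional is affected: the schema only declares the two global attributes `OriginalIssuer` and `LastModified`.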
1876 | === added file 'saml-schema-xsd/sstc-saml-metadata-algsupport-v1.0.xsd' |
1877 | --- saml-schema-xsd/sstc-saml-metadata-algsupport-v1.0.xsd 1970-01-01 00:00:00 +0000 |
1878 | +++ saml-schema-xsd/sstc-saml-metadata-algsupport-v1.0.xsd 2017-11-07 14:38:57 +0000 |
1879 | @@ -0,0 +1,41 @@ |
1880 | +<?xml version="1.0" encoding="UTF-8"?> |
1881 | +<schema |
1882 | + targetNamespace="urn:oasis:names:tc:SAML:metadata:algsupport" |
1883 | + xmlns="http://www.w3.org/2001/XMLSchema" |
1884 | + xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" |
1885 | + elementFormDefault="unqualified" |
1886 | + attributeFormDefault="unqualified" |
1887 | + blockDefault="substitution" |
1888 | + version="1.0"> |
1889 | + |
1890 | + <annotation> |
1891 | + <documentation> |
1892 | + Document title: Metadata Extension Schema for SAML V2.0 Metadata Profile for Algorithm Support Version 1.0 |
1893 | + Document identifier: sstc-saml-metadata-algsupport.xsd |
1894 | + Location: http://docs.oasis-open.org/security/saml/Post2.0/ |
1895 | + Revision history: |
1896 | + V1.0 (June 2010): |
1897 | + Initial version. |
1898 | + </documentation> |
1899 | + </annotation> |
1900 | + |
1901 | + <element name="DigestMethod" type="alg:DigestMethodType"/> |
1902 | + <complexType name="DigestMethodType"> |
1903 | + <sequence> |
1904 | + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> |
1905 | + </sequence> |
1906 | + <attribute name="Algorithm" type="anyURI" use="required"/> |
1907 | + </complexType> |
1908 | + |
1909 | + <element name="SigningMethod" type="alg:SigningMethodType"/> |
1910 | + <complexType name="SigningMethodType"> |
1911 | + <sequence> |
1912 | + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> |
1913 | + </sequence> |
1914 | + <attribute name="Algorithm" type="anyURI" use="required"/> |
1915 | + <attribute name="MinKeySize" type="positiveInteger"/> |
1916 | + <attribute name="MaxKeySize" type="positiveInteger"/> |
1917 | + </complexType> |
1918 | + |
1919 | +</schema> |
1920 | + |
1921 | |
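Review bot: `DigestMethodType` and `SigningMethodType` here describe what an entity advertises in metadata (`Algorithm` as `anyURI`, `MinKeySize`/`MaxKeySize` as plain `positiveInteger` attributes); nothing in them is enforced when a `samlp:Response` is validated, and they only matter if the IdP publishes entity metadata with algsupport extensions. It would help to state, in the test or a comment next to the schema directory, which of the vendored schemas the response validator actually loads and which are present only so imports resolve.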
1922 | === added file 'saml-schema-xsd/sstc-saml-metadata-ui-v1.0.xsd' |
1923 | --- saml-schema-xsd/sstc-saml-metadata-ui-v1.0.xsd 1970-01-01 00:00:00 +0000 |
1924 | +++ saml-schema-xsd/sstc-saml-metadata-ui-v1.0.xsd 2017-11-07 14:38:57 +0000 |
1925 | @@ -0,0 +1,89 @@ |
1926 | +<?xml version="1.0" encoding="UTF-8"?> |
1927 | +<schema |
1928 | + targetNamespace="urn:oasis:names:tc:SAML:metadata:ui" |
1929 | + xmlns="http://www.w3.org/2001/XMLSchema" |
1930 | + xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" |
1931 | + xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" |
1932 | + elementFormDefault="unqualified" |
1933 | + attributeFormDefault="unqualified" |
1934 | + blockDefault="substitution" |
1935 | + version="1.0"> |
1936 | + |
1937 | + <annotation> |
1938 | + <documentation> |
1939 | + Document title: Metadata Extension Schema for SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0 |
1940 | + Document identifier: sstc-saml-metadata-ui-v1.0.xsd |
1941 | + Location: http://docs.oasis-open.org/security/saml/Post2.0/ |
1942 | + Revision history: |
1943 | + 16 November 2010: |
1944 | + Added Keywords element/type. |
1945 | + 01 November 2010 |
1946 | + Changed filename. |
1947 | + September 2010: |
1948 | + Initial version. |
1949 | + </documentation> |
1950 | + </annotation> |
1951 | + |
1952 | + <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" |
1953 | + schemaLocation="saml-schema-metadata-2.0.xsd"/> |
1954 | + <import namespace="http://www.w3.org/XML/1998/namespace" |
1955 | + schemaLocation="xml.xsd"/> |
1956 | + |
1957 | + <element name="UIInfo" type="mdui:UIInfoType" /> |
1958 | + <complexType name="UIInfoType"> |
1959 | + <choice minOccurs="0" maxOccurs="unbounded"> |
1960 | + <element ref="mdui:DisplayName"/> |
1961 | + <element ref="mdui:Description"/> |
1962 | + <element ref="mdui:Keywords"/> |
1963 | + <element ref="mdui:Logo"/> |
1964 | + <element ref="mdui:InformationURL"/> |
1965 | + <element ref="mdui:PrivacyStatementURL"/> |
1966 | + <any namespace="##other" processContents="lax"/> |
1967 | + </choice> |
1968 | + </complexType> |
1969 | + |
1970 | + <element name="DisplayName" type="md:localizedNameType"/> |
1971 | + <element name="Description" type="md:localizedNameType"/> |
1972 | + <element name="InformationURL" type="md:localizedURIType"/> |
1973 | + <element name="PrivacyStatementURL" type="md:localizedURIType"/> |
1974 | + |
1975 | + <element name="Keywords" type="mdui:KeywordsType"/> |
1976 | + <complexType name="KeywordsType"> |
1977 | + <simpleContent> |
1978 | + <extension base="mdui:listOfStrings"> |
1979 | + <attribute ref="xml:lang" use="required"/> |
1980 | + </extension> |
1981 | + </simpleContent> |
1982 | + </complexType> |
1983 | + |
1984 | + <simpleType name="listOfStrings"> |
1985 | + <list itemType="string"/> |
1986 | + </simpleType> |
1987 | + |
1988 | + <element name="Logo" type="mdui:LogoType"/> |
1989 | + <complexType name="LogoType"> |
1990 | + <simpleContent> |
1991 | + <extension base="anyURI"> |
1992 | + <attribute name="height" type="positiveInteger" use="required"/> |
1993 | + <attribute name="width" type="positiveInteger" use="required"/> |
1994 | + <attribute ref="xml:lang"/> |
1995 | + </extension> |
1996 | + </simpleContent> |
1997 | + </complexType> |
1998 | + |
1999 | + <element name="DiscoHints" type="mdui:DiscoHintsType"/> |
2000 | + <complexType name="DiscoHintsType"> |
2001 | + <choice minOccurs="0" maxOccurs="unbounded"> |
2002 | + <element ref="mdui:IPHint"/> |
2003 | + <element ref="mdui:DomainHint"/> |
2004 | + <element ref="mdui:GeolocationHint"/> |
2005 | + <any namespace="##other" processContents="lax"/> |
2006 | + </choice> |
2007 | + </complexType> |
2008 | + |
2009 | + <element name="IPHint" type="string"/> |
2010 | + <element name="DomainHint" type="string"/> |
2011 | + <element name="GeolocationHint" type="anyURI"/> |
2012 | + |
2013 | +</schema> |
2014 | + |
2015 | |
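Review bot: the `<import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>` here is needed because `KeywordsType` requires `xml:lang`, so the bundled xml.xsd has to stay next to this file. As with the algsupport extension, UI and discovery hints are metadata-only and do not appear in a `samlp:Response`; note `UIInfoType` and `DiscoHintsType` both admit `<any namespace="##other" processContents="lax"/>`, so foreign-namespace content passes validation there by design.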
2016 | === added file 'saml-schema-xsd/xenc-schema.xsd' |
2017 | --- saml-schema-xsd/xenc-schema.xsd 1970-01-01 00:00:00 +0000 |
2018 | +++ saml-schema-xsd/xenc-schema.xsd 2017-11-07 14:38:57 +0000 |
2019 | @@ -0,0 +1,136 @@ |
2020 | +<?xml version="1.0" encoding="utf-8"?> |
2021 | + |
2022 | +<schema xmlns='http://www.w3.org/2001/XMLSchema' version='1.0' |
2023 | + xmlns:xenc='http://www.w3.org/2001/04/xmlenc#' |
2024 | + xmlns:ds='http://www.w3.org/2000/09/xmldsig#' |
2025 | + targetNamespace='http://www.w3.org/2001/04/xmlenc#' |
2026 | + elementFormDefault='qualified'> |
2027 | + |
2028 | + <import namespace='http://www.w3.org/2000/09/xmldsig#' |
2029 | + schemaLocation='xmldsig-core-schema.xsd'/> |
2030 | + |
2031 | + <complexType name='EncryptedType' abstract='true'> |
2032 | + <sequence> |
2033 | + <element name='EncryptionMethod' type='xenc:EncryptionMethodType' |
2034 | + minOccurs='0'/> |
2035 | + <element ref='ds:KeyInfo' minOccurs='0'/> |
2036 | + <element ref='xenc:CipherData'/> |
2037 | + <element ref='xenc:EncryptionProperties' minOccurs='0'/> |
2038 | + </sequence> |
2039 | + <attribute name='Id' type='ID' use='optional'/> |
2040 | + <attribute name='Type' type='anyURI' use='optional'/> |
2041 | + <attribute name='MimeType' type='string' use='optional'/> |
2042 | + <attribute name='Encoding' type='anyURI' use='optional'/> |
2043 | + </complexType> |
2044 | + |
2045 | + <complexType name='EncryptionMethodType' mixed='true'> |
2046 | + <sequence> |
2047 | + <element name='KeySize' minOccurs='0' type='xenc:KeySizeType'/> |
2048 | + <element name='OAEPparams' minOccurs='0' type='base64Binary'/> |
2049 | + <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/> |
2050 | + </sequence> |
2051 | + <attribute name='Algorithm' type='anyURI' use='required'/> |
2052 | + </complexType> |
2053 | + |
2054 | + <simpleType name='KeySizeType'> |
2055 | + <restriction base="integer"/> |
2056 | + </simpleType> |
2057 | + |
2058 | + <element name='CipherData' type='xenc:CipherDataType'/> |
2059 | + <complexType name='CipherDataType'> |
2060 | + <choice> |
2061 | + <element name='CipherValue' type='base64Binary'/> |
2062 | + <element ref='xenc:CipherReference'/> |
2063 | + </choice> |
2064 | + </complexType> |
2065 | + |
2066 | + <element name='CipherReference' type='xenc:CipherReferenceType'/> |
2067 | + <complexType name='CipherReferenceType'> |
2068 | + <choice> |
2069 | + <element name='Transforms' type='xenc:TransformsType' minOccurs='0'/> |
2070 | + </choice> |
2071 | + <attribute name='URI' type='anyURI' use='required'/> |
2072 | + </complexType> |
2073 | + |
2074 | + <complexType name='TransformsType'> |
2075 | + <sequence> |
2076 | + <element ref='ds:Transform' maxOccurs='unbounded'/> |
2077 | + </sequence> |
2078 | + </complexType> |
2079 | + |
2080 | + |
2081 | + <element name='EncryptedData' type='xenc:EncryptedDataType'/> |
2082 | + <complexType name='EncryptedDataType'> |
2083 | + <complexContent> |
2084 | + <extension base='xenc:EncryptedType'> |
2085 | + </extension> |
2086 | + </complexContent> |
2087 | + </complexType> |
2088 | + |
2089 | + <!-- Children of ds:KeyInfo --> |
2090 | + |
2091 | + <element name='EncryptedKey' type='xenc:EncryptedKeyType'/> |
2092 | + <complexType name='EncryptedKeyType'> |
2093 | + <complexContent> |
2094 | + <extension base='xenc:EncryptedType'> |
2095 | + <sequence> |
2096 | + <element ref='xenc:ReferenceList' minOccurs='0'/> |
2097 | + <element name='CarriedKeyName' type='string' minOccurs='0'/> |
2098 | + </sequence> |
2099 | + <attribute name='Recipient' type='string' |
2100 | + use='optional'/> |
2101 | + </extension> |
2102 | + </complexContent> |
2103 | + </complexType> |
2104 | + |
2105 | + <element name="AgreementMethod" type="xenc:AgreementMethodType"/> |
2106 | + <complexType name="AgreementMethodType" mixed="true"> |
2107 | + <sequence> |
2108 | + <element name="KA-Nonce" minOccurs="0" type="base64Binary"/> |
2109 | + <!-- <element ref="ds:DigestMethod" minOccurs="0"/> --> |
2110 | + <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/> |
2111 | + <element name="OriginatorKeyInfo" minOccurs="0" type="ds:KeyInfoType"/> |
2112 | + <element name="RecipientKeyInfo" minOccurs="0" type="ds:KeyInfoType"/> |
2113 | + </sequence> |
2114 | + <attribute name="Algorithm" type="anyURI" use="required"/> |
2115 | + </complexType> |
2116 | + |
2117 | + <!-- End Children of ds:KeyInfo --> |
2118 | + |
2119 | + <element name='ReferenceList'> |
2120 | + <complexType> |
2121 | + <choice minOccurs='1' maxOccurs='unbounded'> |
2122 | + <element name='DataReference' type='xenc:ReferenceType'/> |
2123 | + <element name='KeyReference' type='xenc:ReferenceType'/> |
2124 | + </choice> |
2125 | + </complexType> |
2126 | + </element> |
2127 | + |
2128 | + <complexType name='ReferenceType'> |
2129 | + <sequence> |
2130 | + <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/> |
2131 | + </sequence> |
2132 | + <attribute name='URI' type='anyURI' use='required'/> |
2133 | + </complexType> |
2134 | + |
2135 | + |
2136 | + <element name='EncryptionProperties' type='xenc:EncryptionPropertiesType'/> |
2137 | + <complexType name='EncryptionPropertiesType'> |
2138 | + <sequence> |
2139 | + <element ref='xenc:EncryptionProperty' maxOccurs='unbounded'/> |
2140 | + </sequence> |
2141 | + <attribute name='Id' type='ID' use='optional'/> |
2142 | + </complexType> |
2143 | + |
2144 | + <element name='EncryptionProperty' type='xenc:EncryptionPropertyType'/> |
2145 | + <complexType name='EncryptionPropertyType' mixed='true'> |
2146 | + <choice maxOccurs='unbounded'> |
2147 | + <any namespace='##other' processContents='lax'/> |
2148 | + </choice> |
2149 | + <attribute name='Target' type='anyURI' use='optional'/> |
2150 | + <attribute name='Id' type='ID' use='optional'/> |
2151 | + <anyAttribute namespace="http://www.w3.org/XML/1998/namespace"/> |
2152 | + </complexType> |
2153 | + |
2154 | +</schema> |
2155 | + |
2156 | |
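Review bot: this vendored xenc schema reaches into the xmldsig namespace (`ds:Transform` in TransformsType, `ds:KeyInfoType` in AgreementMethodType), so it can only be compiled by lxml if the import of `http://www.w3.org/2000/09/xmldsig#` resolves at load time. Please confirm that the import in this file, and the ones in saml-schema-protocol-2.0.xsd that pull in both xenc and xmldsig, use a relative `schemaLocation` pointing at the sibling files in saml-schema-xsd/ rather than the w3.org URLs; otherwise the test suite depends on network access to W3C, and validation silently becomes a remote fetch.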
2157 | === added file 'saml-schema-xsd/xml.xsd' |
2158 | --- saml-schema-xsd/xml.xsd 1970-01-01 00:00:00 +0000 |
2159 | +++ saml-schema-xsd/xml.xsd 2017-11-07 14:38:57 +0000 |
2160 | @@ -0,0 +1,287 @@ |
2161 | +<?xml version='1.0'?> |
2162 | +<?xml-stylesheet href="../2008/09/xsd.xsl" type="text/xsl"?> |
2163 | +<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace" |
2164 | + xmlns:xs="http://www.w3.org/2001/XMLSchema" |
2165 | + xmlns ="http://www.w3.org/1999/xhtml" |
2166 | + xml:lang="en"> |
2167 | + |
2168 | + <xs:annotation> |
2169 | + <xs:documentation> |
2170 | + <div> |
2171 | + <h1>About the XML namespace</h1> |
2172 | + |
2173 | + <div class="bodytext"> |
2174 | + <p> |
2175 | + This schema document describes the XML namespace, in a form |
2176 | + suitable for import by other schema documents. |
2177 | + </p> |
2178 | + <p> |
2179 | + See <a href="http://www.w3.org/XML/1998/namespace.html"> |
2180 | + http://www.w3.org/XML/1998/namespace.html</a> and |
2181 | + <a href="http://www.w3.org/TR/REC-xml"> |
2182 | + http://www.w3.org/TR/REC-xml</a> for information |
2183 | + about this namespace. |
2184 | + </p> |
2185 | + <p> |
2186 | + Note that local names in this namespace are intended to be |
2187 | + defined only by the World Wide Web Consortium or its subgroups. |
2188 | + The names currently defined in this namespace are listed below. |
2189 | + They should not be used with conflicting semantics by any Working |
2190 | + Group, specification, or document instance. |
2191 | + </p> |
2192 | + <p> |
2193 | + See further below in this document for more information about <a |
2194 | + href="#usage">how to refer to this schema document from your own |
2195 | + XSD schema documents</a> and about <a href="#nsversioning">the |
2196 | + namespace-versioning policy governing this schema document</a>. |
2197 | + </p> |
2198 | + </div> |
2199 | + </div> |
2200 | + </xs:documentation> |
2201 | + </xs:annotation> |
2202 | + |
2203 | + <xs:attribute name="lang"> |
2204 | + <xs:annotation> |
2205 | + <xs:documentation> |
2206 | + <div> |
2207 | + |
2208 | + <h3>lang (as an attribute name)</h3> |
2209 | + <p> |
2210 | + denotes an attribute whose value |
2211 | + is a language code for the natural language of the content of |
2212 | + any element; its value is inherited. This name is reserved |
2213 | + by virtue of its definition in the XML specification.</p> |
2214 | + |
2215 | + </div> |
2216 | + <div> |
2217 | + <h4>Notes</h4> |
2218 | + <p> |
2219 | + Attempting to install the relevant ISO 2- and 3-letter |
2220 | + codes as the enumerated possible values is probably never |
2221 | + going to be a realistic possibility. |
2222 | + </p> |
2223 | + <p> |
2224 | + See BCP 47 at <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt"> |
2225 | + http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a> |
2226 | + and the IANA language subtag registry at |
2227 | + <a href="http://www.iana.org/assignments/language-subtag-registry"> |
2228 | + http://www.iana.org/assignments/language-subtag-registry</a> |
2229 | + for further information. |
2230 | + </p> |
2231 | + <p> |
2232 | + The union allows for the 'un-declaration' of xml:lang with |
2233 | + the empty string. |
2234 | + </p> |
2235 | + </div> |
2236 | + </xs:documentation> |
2237 | + </xs:annotation> |
2238 | + <xs:simpleType> |
2239 | + <xs:union memberTypes="xs:language"> |
2240 | + <xs:simpleType> |
2241 | + <xs:restriction base="xs:string"> |
2242 | + <xs:enumeration value=""/> |
2243 | + </xs:restriction> |
2244 | + </xs:simpleType> |
2245 | + </xs:union> |
2246 | + </xs:simpleType> |
2247 | + </xs:attribute> |
2248 | + |
2249 | + <xs:attribute name="space"> |
2250 | + <xs:annotation> |
2251 | + <xs:documentation> |
2252 | + <div> |
2253 | + |
2254 | + <h3>space (as an attribute name)</h3> |
2255 | + <p> |
2256 | + denotes an attribute whose |
2257 | + value is a keyword indicating what whitespace processing |
2258 | + discipline is intended for the content of the element; its |
2259 | + value is inherited. This name is reserved by virtue of its |
2260 | + definition in the XML specification.</p> |
2261 | + |
2262 | + </div> |
2263 | + </xs:documentation> |
2264 | + </xs:annotation> |
2265 | + <xs:simpleType> |
2266 | + <xs:restriction base="xs:NCName"> |
2267 | + <xs:enumeration value="default"/> |
2268 | + <xs:enumeration value="preserve"/> |
2269 | + </xs:restriction> |
2270 | + </xs:simpleType> |
2271 | + </xs:attribute> |
2272 | + |
2273 | + <xs:attribute name="base" type="xs:anyURI"> <xs:annotation> |
2274 | + <xs:documentation> |
2275 | + <div> |
2276 | + |
2277 | + <h3>base (as an attribute name)</h3> |
2278 | + <p> |
2279 | + denotes an attribute whose value |
2280 | + provides a URI to be used as the base for interpreting any |
2281 | + relative URIs in the scope of the element on which it |
2282 | + appears; its value is inherited. This name is reserved |
2283 | + by virtue of its definition in the XML Base specification.</p> |
2284 | + |
2285 | + <p> |
2286 | + See <a |
2287 | + href="http://www.w3.org/TR/xmlbase/">http://www.w3.org/TR/xmlbase/</a> |
2288 | + for information about this attribute. |
2289 | + </p> |
2290 | + </div> |
2291 | + </xs:documentation> |
2292 | + </xs:annotation> |
2293 | + </xs:attribute> |
2294 | + |
2295 | + <xs:attribute name="id" type="xs:ID"> |
2296 | + <xs:annotation> |
2297 | + <xs:documentation> |
2298 | + <div> |
2299 | + |
2300 | + <h3>id (as an attribute name)</h3> |
2301 | + <p> |
2302 | + denotes an attribute whose value |
2303 | + should be interpreted as if declared to be of type ID. |
2304 | + This name is reserved by virtue of its definition in the |
2305 | + xml:id specification.</p> |
2306 | + |
2307 | + <p> |
2308 | + See <a |
2309 | + href="http://www.w3.org/TR/xml-id/">http://www.w3.org/TR/xml-id/</a> |
2310 | + for information about this attribute. |
2311 | + </p> |
2312 | + </div> |
2313 | + </xs:documentation> |
2314 | + </xs:annotation> |
2315 | + </xs:attribute> |
2316 | + |
2317 | + <xs:attributeGroup name="specialAttrs"> |
2318 | + <xs:attribute ref="xml:base"/> |
2319 | + <xs:attribute ref="xml:lang"/> |
2320 | + <xs:attribute ref="xml:space"/> |
2321 | + <xs:attribute ref="xml:id"/> |
2322 | + </xs:attributeGroup> |
2323 | + |
2324 | + <xs:annotation> |
2325 | + <xs:documentation> |
2326 | + <div> |
2327 | + |
2328 | + <h3>Father (in any context at all)</h3> |
2329 | + |
2330 | + <div class="bodytext"> |
2331 | + <p> |
2332 | + denotes Jon Bosak, the chair of |
2333 | + the original XML Working Group. This name is reserved by |
2334 | + the following decision of the W3C XML Plenary and |
2335 | + XML Coordination groups: |
2336 | + </p> |
2337 | + <blockquote> |
2338 | + <p> |
2339 | + In appreciation for his vision, leadership and |
2340 | + dedication the W3C XML Plenary on this 10th day of |
2341 | + February, 2000, reserves for Jon Bosak in perpetuity |
2342 | + the XML name "xml:Father". |
2343 | + </p> |
2344 | + </blockquote> |
2345 | + </div> |
2346 | + </div> |
2347 | + </xs:documentation> |
2348 | + </xs:annotation> |
2349 | + |
2350 | + <xs:annotation> |
2351 | + <xs:documentation> |
2352 | + <div xml:id="usage" id="usage"> |
2353 | + <h2><a name="usage">About this schema document</a></h2> |
2354 | + |
2355 | + <div class="bodytext"> |
2356 | + <p> |
2357 | + This schema defines attributes and an attribute group suitable |
2358 | + for use by schemas wishing to allow <code>xml:base</code>, |
2359 | + <code>xml:lang</code>, <code>xml:space</code> or |
2360 | + <code>xml:id</code> attributes on elements they define. |
2361 | + </p> |
2362 | + <p> |
2363 | + To enable this, such a schema must import this schema for |
2364 | + the XML namespace, e.g. as follows: |
2365 | + </p> |
2366 | + <pre> |
2367 | + <schema . . .> |
2368 | + . . . |
2369 | + <import namespace="http://www.w3.org/XML/1998/namespace" |
2370 | + schemaLocation="http://www.w3.org/2001/xml.xsd"/> |
2371 | + </pre> |
2372 | + <p> |
2373 | + or |
2374 | + </p> |
2375 | + <pre> |
2376 | + <import namespace="http://www.w3.org/XML/1998/namespace" |
2377 | + schemaLocation="http://www.w3.org/2009/01/xml.xsd"/> |
2378 | + </pre> |
2379 | + <p> |
2380 | + Subsequently, qualified reference to any of the attributes or the |
2381 | + group defined below will have the desired effect, e.g. |
2382 | + </p> |
2383 | + <pre> |
2384 | + <type . . .> |
2385 | + . . . |
2386 | + <attributeGroup ref="xml:specialAttrs"/> |
2387 | + </pre> |
2388 | + <p> |
2389 | + will define a type which will schema-validate an instance element |
2390 | + with any of those attributes. |
2391 | + </p> |
2392 | + </div> |
2393 | + </div> |
2394 | + </xs:documentation> |
2395 | + </xs:annotation> |
2396 | + |
2397 | + <xs:annotation> |
2398 | + <xs:documentation> |
2399 | + <div id="nsversioning" xml:id="nsversioning"> |
2400 | + <h2><a name="nsversioning">Versioning policy for this schema document</a></h2> |
2401 | + <div class="bodytext"> |
2402 | + <p> |
2403 | + In keeping with the XML Schema WG's standard versioning |
2404 | + policy, this schema document will persist at |
2405 | + <a href="http://www.w3.org/2009/01/xml.xsd"> |
2406 | + http://www.w3.org/2009/01/xml.xsd</a>. |
2407 | + </p> |
2408 | + <p> |
2409 | + At the date of issue it can also be found at |
2410 | + <a href="http://www.w3.org/2001/xml.xsd"> |
2411 | + http://www.w3.org/2001/xml.xsd</a>. |
2412 | + </p> |
2413 | + <p> |
2414 | + The schema document at that URI may however change in the future, |
2415 | + in order to remain compatible with the latest version of XML |
2416 | + Schema itself, or with the XML namespace itself. In other words, |
2417 | + if the XML Schema or XML namespaces change, the version of this |
2418 | + document at <a href="http://www.w3.org/2001/xml.xsd"> |
2419 | + http://www.w3.org/2001/xml.xsd |
2420 | + </a> |
2421 | + will change accordingly; the version at |
2422 | + <a href="http://www.w3.org/2009/01/xml.xsd"> |
2423 | + http://www.w3.org/2009/01/xml.xsd |
2424 | + </a> |
2425 | + will not change. |
2426 | + </p> |
2427 | + <p> |
2428 | + Previous dated (and unchanging) versions of this schema |
2429 | + document are at: |
2430 | + </p> |
2431 | + <ul> |
2432 | + <li><a href="http://www.w3.org/2009/01/xml.xsd"> |
2433 | + http://www.w3.org/2009/01/xml.xsd</a></li> |
2434 | + <li><a href="http://www.w3.org/2007/08/xml.xsd"> |
2435 | + http://www.w3.org/2007/08/xml.xsd</a></li> |
2436 | + <li><a href="http://www.w3.org/2004/10/xml.xsd"> |
2437 | + http://www.w3.org/2004/10/xml.xsd</a></li> |
2438 | + <li><a href="http://www.w3.org/2001/03/xml.xsd"> |
2439 | + http://www.w3.org/2001/03/xml.xsd</a></li> |
2440 | + </ul> |
2441 | + </div> |
2442 | + </div> |
2443 | + </xs:documentation> |
2444 | + </xs:annotation> |
2445 | + |
2446 | +</xs:schema> |
2447 | + |
2448 | |
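Review bot: the `<?xml-stylesheet href="../2008/09/xsd.xsl" type="text/xsl"?>` instruction at the top of the vendored xml.xsd points at a path relative to the W3C site that does not exist in this tree. Schema processing ignores it, so it is harmless, but either drop it or add a short README beside the XSDs recording that this copy is the W3C 2009/01 revision (the file's own versioning section says that URL is the unchanging one); that makes a future refresh of the vendored schemas reviewable against a known upstream.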
2449 | === added file 'saml-schema-xsd/xmldsig-core-schema.xsd' |
2450 | --- saml-schema-xsd/xmldsig-core-schema.xsd 1970-01-01 00:00:00 +0000 |
2451 | +++ saml-schema-xsd/xmldsig-core-schema.xsd 2017-11-07 14:38:57 +0000 |
2452 | @@ -0,0 +1,309 @@ |
2453 | +<?xml version="1.0" encoding="utf-8"?> |
2454 | + |
2455 | +<!-- Schema for XML Signatures |
2456 | + http://www.w3.org/2000/09/xmldsig# |
2457 | + $Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle $ |
2458 | + |
2459 | + Copyright 2001 The Internet Society and W3C (Massachusetts Institute |
2460 | + of Technology, Institut National de Recherche en Informatique et en |
2461 | + Automatique, Keio University). All Rights Reserved. |
2462 | + http://www.w3.org/Consortium/Legal/ |
2463 | + |
2464 | + This document is governed by the W3C Software License [1] as described |
2465 | + in the FAQ [2]. |
2466 | + |
2467 | + [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720 |
2468 | + [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD |
2469 | +--> |
2470 | + |
2471 | + |
2472 | +<schema xmlns="http://www.w3.org/2001/XMLSchema" |
2473 | + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" |
2474 | + targetNamespace="http://www.w3.org/2000/09/xmldsig#" |
2475 | + version="0.1" elementFormDefault="qualified"> |
2476 | + |
2477 | +<!-- Basic Types Defined for Signatures --> |
2478 | + |
2479 | +<simpleType name="CryptoBinary"> |
2480 | + <restriction base="base64Binary"> |
2481 | + </restriction> |
2482 | +</simpleType> |
2483 | + |
2484 | +<!-- Start Signature --> |
2485 | + |
2486 | +<element name="Signature" type="ds:SignatureType"/> |
2487 | +<complexType name="SignatureType"> |
2488 | + <sequence> |
2489 | + <element ref="ds:SignedInfo"/> |
2490 | + <element ref="ds:SignatureValue"/> |
2491 | + <element ref="ds:KeyInfo" minOccurs="0"/> |
2492 | + <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/> |
2493 | + </sequence> |
2494 | + <attribute name="Id" type="ID" use="optional"/> |
2495 | +</complexType> |
2496 | + |
2497 | + <element name="SignatureValue" type="ds:SignatureValueType"/> |
2498 | + <complexType name="SignatureValueType"> |
2499 | + <simpleContent> |
2500 | + <extension base="base64Binary"> |
2501 | + <attribute name="Id" type="ID" use="optional"/> |
2502 | + </extension> |
2503 | + </simpleContent> |
2504 | + </complexType> |
2505 | + |
2506 | +<!-- Start SignedInfo --> |
2507 | + |
2508 | +<element name="SignedInfo" type="ds:SignedInfoType"/> |
2509 | +<complexType name="SignedInfoType"> |
2510 | + <sequence> |
2511 | + <element ref="ds:CanonicalizationMethod"/> |
2512 | + <element ref="ds:SignatureMethod"/> |
2513 | + <element ref="ds:Reference" maxOccurs="unbounded"/> |
2514 | + </sequence> |
2515 | + <attribute name="Id" type="ID" use="optional"/> |
2516 | +</complexType> |
2517 | + |
2518 | + <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/> |
2519 | + <complexType name="CanonicalizationMethodType" mixed="true"> |
2520 | + <sequence> |
2521 | + <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/> |
2522 | + <!-- (0,unbounded) elements from (1,1) namespace --> |
2523 | + </sequence> |
2524 | + <attribute name="Algorithm" type="anyURI" use="required"/> |
2525 | + </complexType> |
2526 | + |
2527 | + <element name="SignatureMethod" type="ds:SignatureMethodType"/> |
2528 | + <complexType name="SignatureMethodType" mixed="true"> |
2529 | + <sequence> |
2530 | + <element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/> |
2531 | + <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/> |
2532 | + <!-- (0,unbounded) elements from (1,1) external namespace --> |
2533 | + </sequence> |
2534 | + <attribute name="Algorithm" type="anyURI" use="required"/> |
2535 | + </complexType> |
2536 | + |
2537 | +<!-- Start Reference --> |
2538 | + |
2539 | +<element name="Reference" type="ds:ReferenceType"/> |
2540 | +<complexType name="ReferenceType"> |
2541 | + <sequence> |
2542 | + <element ref="ds:Transforms" minOccurs="0"/> |
2543 | + <element ref="ds:DigestMethod"/> |
2544 | + <element ref="ds:DigestValue"/> |
2545 | + </sequence> |
2546 | + <attribute name="Id" type="ID" use="optional"/> |
2547 | + <attribute name="URI" type="anyURI" use="optional"/> |
2548 | + <attribute name="Type" type="anyURI" use="optional"/> |
2549 | +</complexType> |
2550 | + |
2551 | + <element name="Transforms" type="ds:TransformsType"/> |
2552 | + <complexType name="TransformsType"> |
2553 | + <sequence> |
2554 | + <element ref="ds:Transform" maxOccurs="unbounded"/> |
2555 | + </sequence> |
2556 | + </complexType> |
2557 | + |
2558 | + <element name="Transform" type="ds:TransformType"/> |
2559 | + <complexType name="TransformType" mixed="true"> |
2560 | + <choice minOccurs="0" maxOccurs="unbounded"> |
2561 | + <any namespace="##other" processContents="lax"/> |
2562 | + <!-- (1,1) elements from (0,unbounded) namespaces --> |
2563 | + <element name="XPath" type="string"/> |
2564 | + </choice> |
2565 | + <attribute name="Algorithm" type="anyURI" use="required"/> |
2566 | + </complexType> |
2567 | + |
2568 | +<!-- End Reference --> |
2569 | + |
2570 | +<element name="DigestMethod" type="ds:DigestMethodType"/> |
2571 | +<complexType name="DigestMethodType" mixed="true"> |
2572 | + <sequence> |
2573 | + <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> |
2574 | + </sequence> |
2575 | + <attribute name="Algorithm" type="anyURI" use="required"/> |
2576 | +</complexType> |
2577 | + |
2578 | +<element name="DigestValue" type="ds:DigestValueType"/> |
2579 | +<simpleType name="DigestValueType"> |
2580 | + <restriction base="base64Binary"/> |
2581 | +</simpleType> |
2582 | + |
2583 | +<!-- End SignedInfo --> |
2584 | + |
2585 | +<!-- Start KeyInfo --> |
2586 | + |
2587 | +<element name="KeyInfo" type="ds:KeyInfoType"/> |
2588 | +<complexType name="KeyInfoType" mixed="true"> |
2589 | + <choice maxOccurs="unbounded"> |
2590 | + <element ref="ds:KeyName"/> |
2591 | + <element ref="ds:KeyValue"/> |
2592 | + <element ref="ds:RetrievalMethod"/> |
2593 | + <element ref="ds:X509Data"/> |
2594 | + <element ref="ds:PGPData"/> |
2595 | + <element ref="ds:SPKIData"/> |
2596 | + <element ref="ds:MgmtData"/> |
2597 | + <any processContents="lax" namespace="##other"/> |
2598 | + <!-- (1,1) elements from (0,unbounded) namespaces --> |
2599 | + </choice> |
2600 | + <attribute name="Id" type="ID" use="optional"/> |
2601 | +</complexType> |
2602 | + |
2603 | + <element name="KeyName" type="string"/> |
2604 | + <element name="MgmtData" type="string"/> |
2605 | + |
2606 | + <element name="KeyValue" type="ds:KeyValueType"/> |
2607 | + <complexType name="KeyValueType" mixed="true"> |
2608 | + <choice> |
2609 | + <element ref="ds:DSAKeyValue"/> |
2610 | + <element ref="ds:RSAKeyValue"/> |
2611 | + <any namespace="##other" processContents="lax"/> |
2612 | + </choice> |
2613 | + </complexType> |
2614 | + |
2615 | + <element name="RetrievalMethod" type="ds:RetrievalMethodType"/> |
2616 | + <complexType name="RetrievalMethodType"> |
2617 | + <sequence> |
2618 | + <element ref="ds:Transforms" minOccurs="0"/> |
2619 | + </sequence> |
2620 | + <attribute name="URI" type="anyURI"/> |
2621 | + <attribute name="Type" type="anyURI" use="optional"/> |
2622 | + </complexType> |
2623 | + |
2624 | +<!-- Start X509Data --> |
2625 | + |
2626 | +<element name="X509Data" type="ds:X509DataType"/> |
2627 | +<complexType name="X509DataType"> |
2628 | + <sequence maxOccurs="unbounded"> |
2629 | + <choice> |
2630 | + <element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/> |
2631 | + <element name="X509SKI" type="base64Binary"/> |
2632 | + <element name="X509SubjectName" type="string"/> |
2633 | + <element name="X509Certificate" type="base64Binary"/> |
2634 | + <element name="X509CRL" type="base64Binary"/> |
2635 | + <any namespace="##other" processContents="lax"/> |
2636 | + </choice> |
2637 | + </sequence> |
2638 | +</complexType> |
2639 | + |
2640 | +<complexType name="X509IssuerSerialType"> |
2641 | + <sequence> |
2642 | + <element name="X509IssuerName" type="string"/> |
2643 | + <element name="X509SerialNumber" type="string"/> |
2644 | + </sequence> |
2645 | +</complexType> |
2646 | + |
2647 | +<!-- End X509Data --> |
2648 | + |
2649 | +<!-- Begin PGPData --> |
2650 | + |
2651 | +<element name="PGPData" type="ds:PGPDataType"/> |
2652 | +<complexType name="PGPDataType"> |
2653 | + <choice> |
2654 | + <sequence> |
2655 | + <element name="PGPKeyID" type="base64Binary"/> |
2656 | + <element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/> |
2657 | + <any namespace="##other" processContents="lax" minOccurs="0" |
2658 | + maxOccurs="unbounded"/> |
2659 | + </sequence> |
2660 | + <sequence> |
2661 | + <element name="PGPKeyPacket" type="base64Binary"/> |
2662 | + <any namespace="##other" processContents="lax" minOccurs="0" |
2663 | + maxOccurs="unbounded"/> |
2664 | + </sequence> |
2665 | + </choice> |
2666 | +</complexType> |
2667 | + |
2668 | +<!-- End PGPData --> |
2669 | + |
2670 | +<!-- Begin SPKIData --> |
2671 | + |
2672 | +<element name="SPKIData" type="ds:SPKIDataType"/> |
2673 | +<complexType name="SPKIDataType"> |
2674 | + <sequence maxOccurs="unbounded"> |
2675 | + <element name="SPKISexp" type="base64Binary"/> |
2676 | + <any namespace="##other" processContents="lax" minOccurs="0"/> |
2677 | + </sequence> |
2678 | +</complexType> |
2679 | + |
2680 | +<!-- End SPKIData --> |
2681 | + |
2682 | +<!-- End KeyInfo --> |
2683 | + |
2684 | +<!-- Start Object (Manifest, SignatureProperty) --> |
2685 | + |
2686 | +<element name="Object" type="ds:ObjectType"/> |
2687 | +<complexType name="ObjectType" mixed="true"> |
2688 | + <sequence minOccurs="0" maxOccurs="unbounded"> |
2689 | + <any namespace="##any" processContents="lax"/> |
2690 | + </sequence> |
2691 | + <attribute name="Id" type="ID" use="optional"/> |
2692 | + <attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet --> |
2693 | + <attribute name="Encoding" type="anyURI" use="optional"/> |
2694 | +</complexType> |
2695 | + |
2696 | +<element name="Manifest" type="ds:ManifestType"/> |
2697 | +<complexType name="ManifestType"> |
2698 | + <sequence> |
2699 | + <element ref="ds:Reference" maxOccurs="unbounded"/> |
2700 | + </sequence> |
2701 | + <attribute name="Id" type="ID" use="optional"/> |
2702 | +</complexType> |
2703 | + |
2704 | +<element name="SignatureProperties" type="ds:SignaturePropertiesType"/> |
2705 | +<complexType name="SignaturePropertiesType"> |
2706 | + <sequence> |
2707 | + <element ref="ds:SignatureProperty" maxOccurs="unbounded"/> |
2708 | + </sequence> |
2709 | + <attribute name="Id" type="ID" use="optional"/> |
2710 | +</complexType> |
2711 | + |
2712 | + <element name="SignatureProperty" type="ds:SignaturePropertyType"/> |
2713 | + <complexType name="SignaturePropertyType" mixed="true"> |
2714 | + <choice maxOccurs="unbounded"> |
2715 | + <any namespace="##other" processContents="lax"/> |
2716 | + <!-- (1,1) elements from (1,unbounded) namespaces --> |
2717 | + </choice> |
2718 | + <attribute name="Target" type="anyURI" use="required"/> |
2719 | + <attribute name="Id" type="ID" use="optional"/> |
2720 | + </complexType> |
2721 | + |
2722 | +<!-- End Object (Manifest, SignatureProperty) --> |
2723 | + |
2724 | +<!-- Start Algorithm Parameters --> |
2725 | + |
2726 | +<simpleType name="HMACOutputLengthType"> |
2727 | + <restriction base="integer"/> |
2728 | +</simpleType> |
2729 | + |
2730 | +<!-- Start KeyValue Element-types --> |
2731 | + |
2732 | +<element name="DSAKeyValue" type="ds:DSAKeyValueType"/> |
2733 | +<complexType name="DSAKeyValueType"> |
2734 | + <sequence> |
2735 | + <sequence minOccurs="0"> |
2736 | + <element name="P" type="ds:CryptoBinary"/> |
2737 | + <element name="Q" type="ds:CryptoBinary"/> |
2738 | + </sequence> |
2739 | + <element name="G" type="ds:CryptoBinary" minOccurs="0"/> |
2740 | + <element name="Y" type="ds:CryptoBinary"/> |
2741 | + <element name="J" type="ds:CryptoBinary" minOccurs="0"/> |
2742 | + <sequence minOccurs="0"> |
2743 | + <element name="Seed" type="ds:CryptoBinary"/> |
2744 | + <element name="PgenCounter" type="ds:CryptoBinary"/> |
2745 | + </sequence> |
2746 | + </sequence> |
2747 | +</complexType> |
2748 | + |
2749 | +<element name="RSAKeyValue" type="ds:RSAKeyValueType"/> |
2750 | +<complexType name="RSAKeyValueType"> |
2751 | + <sequence> |
2752 | + <element name="Modulus" type="ds:CryptoBinary"/> |
2753 | + <element name="Exponent" type="ds:CryptoBinary"/> |
2754 | + </sequence> |
2755 | +</complexType> |
2756 | + |
2757 | +<!-- End KeyValue Element-types --> |
2758 | + |
2759 | +<!-- End Signature --> |
2760 | + |
2761 | +</schema> |
2762 | |
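Review bot: this copy of xmldsig-core-schema.xsd starts directly with the `<?xml ... ?>` declaration and the license comment, with no DOCTYPE or entity declarations, which is the right shape for a schema that lxml compiles during a test run: nothing in it can trigger an external entity lookup. Two things worth a line in the commit message or a README: the header still carries the CVS `$Revision: 1.1 $ ... 2002/02/08` keywords, so the vintage of the vendored file is identifiable, and the `targetNamespace="http://www.w3.org/2000/09/xmldsig#"` must match the namespace the IdP's signing code emits on `ds:Signature`, or every signed response will fail `assertValid` on the wrong namespace rather than on a real structural problem.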
2763 | === modified file 'src/ubuntu_sso_saml/tests/test_processors.py' |
2764 | --- src/ubuntu_sso_saml/tests/test_processors.py 2017-10-26 16:39:50 +0000 |
2765 | +++ src/ubuntu_sso_saml/tests/test_processors.py 2017-11-07 14:38:57 +0000 |
2766 | @@ -7,6 +7,8 @@ |
2767 | import json |
2768 | import time |
2769 | import urllib |
2770 | +from lxml import etree |
2771 | +from StringIO import StringIO |
2772 | from xml.dom import minidom |
2773 | |
2774 | from django.core.urlresolvers import reverse |
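Review bot: `from StringIO import StringIO` pins this test module to Python 2. The new validate_saml helper only uses it to wrap a string for `etree.parse`, and `etree.fromstring(samlresponse)` does the same job with no file object at all (`io.BytesIO` is the portable choice if a stream is still wanted). Separately, the third-party `lxml` import is slotted between the stdlib `urllib` and `xml.dom` imports; it belongs in its own group after the stdlib block.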
2775 | @@ -48,6 +50,23 @@ |
2776 | return samlresponse |
2777 | |
2778 | |
2779 | +def load_saml_schema(): |
2780 | + """Loads an XSD and returns an XMLSchema for it.""" |
2781 | + if not hasattr(load_saml_schema, "parser"): |
2782 | + with open("saml-schema-xsd/saml-schema-protocol-2.0.xsd") as schema_f: |
2783 | + schema_doc = etree.parse(schema_f) |
2784 | + load_saml_schema.parser = etree.XMLSchema(schema_doc) |
2785 | + return load_saml_schema.parser |
2786 | + |
2787 | + |
2788 | +def validate_saml(samlresponse): |
2789 | + """Validates the given string is a valid SAML XML response.""" |
2790 | + response_f = StringIO(samlresponse) |
2791 | + response_doc = etree.parse(response_f) |
2792 | + saml_schema = load_saml_schema() |
2793 | + saml_schema.assertValid(response_doc) |
2794 | + |
2795 | + |
2796 | class BaseProcessorTestCase(AuthenticatedTestCase): |
2797 | """ |
2798 | Base class with low-level methods to set up saml dance prereqs. |
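Review bot: the schema path in load_saml_schema, `"saml-schema-xsd/saml-schema-protocol-2.0.xsd"`, is relative to the current working directory, so these tests only pass when the runner is started from the repository root; build the path from `os.path.dirname(__file__)` or a settings value so it is stable. Minor naming point: the cached attribute is called `parser` but holds an `etree.XMLSchema`, and the docstring says "Loads an XSD" without mentioning the caching; `schema` plus a one-line note on memoisation would be clearer. In validate_saml, `assertValid` raises `etree.DocumentInvalid` with the schema error log attached, which is the behaviour you want in a test, but the docstring should say it raises rather than "validates". If this helper is ever lifted out of the tests to check documents the IdP did not generate, parse with `etree.XMLParser(resolve_entities=False)` rather than the default parser.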
2799 | @@ -139,6 +158,7 @@ |
2800 | data = self.get_request_data() |
2801 | response = self.client.get('/+saml', data=data, follow=True) |
2802 | samlresponse = get_saml_response(response) |
2803 | + validate_saml(samlresponse) |
2804 | return samlresponse |
2805 | |
2806 | |
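Review bot: the `validate_saml(samlresponse)` call is inserted right after `get_saml_response(response)` here and again, identically, in the hunk at `@@ -287,6 +307,7 @@`. Moving the validation into get_saml_response itself (or into one base-class method both of these call) would guarantee that every test path which fetches a response is schema-checked, instead of only the two call sites patched here; any future helper that obtains a response some other way would otherwise skip validation without anyone noticing.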
2807 | @@ -287,6 +307,7 @@ |
2808 | data = self.get_request_data() |
2809 | response = self.client.get('/+saml', data=data, follow=True) |
2810 | samlresponse = get_saml_response(response) |
2811 | + validate_saml(samlresponse) |
2812 | return samlresponse |
2813 | |
2814 | def test_canonical_email_is_preferred(self): |
LGTM