ciam-es 0.0.1

data/lib/ciam/xml_security_new.rb

@@ -0,0 +1,373 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require 'rubygems'
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require 'nokogiri'
+require "digest/sha1"
+require "digest/sha2"
+require "ciam/ruby-saml/error_handling"
+
+module Ciam
+  module XMLSecurityNew
+
+    class BaseDocument < REXML::Document
+      REXML::Document::entity_expansion_limit = 0
+
+      C14N            = "http://www.w3.org/2001/10/xml-exc-c14n#"
+      DSIG            = "http://www.w3.org/2000/09/xmldsig#"
+      NOKOGIRI_OPTIONS = Nokogiri::XML::ParseOptions::STRICT |
+                         Nokogiri::XML::ParseOptions::NONET
+
+      def canon_algorithm(element)
+        algorithm = element
+        if algorithm.is_a?(REXML::Element)
+          algorithm = element.attribute('Algorithm').value
+        end
+
+        case algorithm
+          when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
+               "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
+            Nokogiri::XML::XML_C14N_1_0
+          when "http://www.w3.org/2006/12/xml-c14n11",
+               "http://www.w3.org/2006/12/xml-c14n11#WithComments"
+            Nokogiri::XML::XML_C14N_1_1
+          else
+            Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+        end
+        Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+      end
+
+      def algorithm(element)
+        algorithm = element
+        if algorithm.is_a?(REXML::Element)
+          algorithm = element.attribute("Algorithm").value
+        end
+
+        algorithm = algorithm && algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
+
+        case algorithm
+        when 256 then OpenSSL::Digest::SHA256
+        when 384 then OpenSSL::Digest::SHA384
+        when 512 then OpenSSL::Digest::SHA512
+        else
+          OpenSSL::Digest::SHA256
+        end
+      end
+
+    end
+
+    class Document < BaseDocument
+      RSA_SHA1        = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+      RSA_SHA256      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+      RSA_SHA384      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+      RSA_SHA512      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
+      SHA1            = "http://www.w3.org/2000/09/xmldsig#sha1"
+      SHA256          = 'http://www.w3.org/2001/04/xmlenc#sha256'
+      SHA384          = "http://www.w3.org/2001/04/xmldsig-more#sha384"
+      SHA512          = 'http://www.w3.org/2001/04/xmlenc#sha512'
+      ENVELOPED_SIG   = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+      INC_PREFIX_LIST = "#default samlp saml2p saml ds xs xsi md"
+
+      attr_accessor :uuid
+
+      def uuid
+        @uuid ||= begin
+          document.root.nil? ? nil : document.root.attributes['ID']
+        end
+      end
+
+      #<Signature>
+        #<SignedInfo>
+          #<CanonicalizationMethod />
+          #<SignatureMethod />
+          #<Reference>
+             #<Transforms>
+             #<DigestMethod>
+             #<DigestValue>
+          #</Reference>
+          #<Reference /> etc.
+        #</SignedInfo>
+        #<SignatureValue />
+        #<KeyInfo />
+        #<Object />
+      #</Signature>
+      def sign_document(private_key, certificate, signature_method = RSA_SHA256, digest_method = SHA256)
+        noko = Nokogiri::XML(self.to_s) do |config|
+          config.options = Ciam::XMLSecurityNew::BaseDocument::NOKOGIRI_OPTIONS
+        end
+
+        signature_element = REXML::Element.new("ds:Signature").add_namespace('ds', DSIG)
+        signed_info_element = signature_element.add_element("ds:SignedInfo")
+        signed_info_element.add_element("ds:CanonicalizationMethod", {"Algorithm" => C14N})
+        signed_info_element.add_element("ds:SignatureMethod", {"Algorithm"=>signature_method})
+
+        # Add Reference
+        reference_element = signed_info_element.add_element("ds:Reference", {"URI" => "##{uuid}"})
+
+        # Add Transforms
+        transforms_element = reference_element.add_element("ds:Transforms")
+        transforms_element.add_element("ds:Transform", {"Algorithm" => ENVELOPED_SIG})
+        c14element = transforms_element.add_element("ds:Transform", {"Algorithm" => C14N})
+        c14element.add_element("ec:InclusiveNamespaces", {"xmlns:ec" => C14N, "PrefixList" => INC_PREFIX_LIST})
+
+        digest_method_element = reference_element.add_element("ds:DigestMethod", {"Algorithm" => digest_method})
+        inclusive_namespaces = INC_PREFIX_LIST.split(" ")
+        canon_doc = noko.canonicalize(canon_algorithm(C14N), inclusive_namespaces)
+        #canon_doc = noko.canonicalize(canon_algorithm(C14N))
+        reference_element.add_element("ds:DigestValue").text = compute_digest(canon_doc, algorithm(digest_method_element))
+
+        # add SignatureValue
+        noko_sig_element = Nokogiri::XML(signature_element.to_s) do |config|
+          config.options = Ciam::XMLSecurityNew::BaseDocument::NOKOGIRI_OPTIONS
+        end
+
+        noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
+        canon_string = noko_signed_info_element.canonicalize(canon_algorithm(C14N), inclusive_namespaces)
+
+        signature = compute_signature(private_key, algorithm(signature_method).new, canon_string)
+        signature_element.add_element("ds:SignatureValue").text = signature.to_s.gsub(/\n/, "").gsub(/\t/, "")
+
+        # add KeyInfo
+        key_info_element       = signature_element.add_element("ds:KeyInfo")
+        x509_element           = key_info_element.add_element("ds:X509Data")
+        x509_cert_element      = x509_element.add_element("ds:X509Certificate")
+        if certificate.is_a?(String)
+          certificate = OpenSSL::X509::Certificate.new(certificate)
+        end
+        x509_cert_element.text = Base64.encode64(certificate.to_der).to_s.gsub(/\n/, "").gsub(/\t/, "")
+
+        # add the signature
+        sp_sso_descriptor = self.root.elements["md:SPSSODescriptor"]
+        unless sp_sso_descriptor.blank?
+          #inserisco firma nei metadata
+          self.root.insert_before sp_sso_descriptor, signature_element
+        else
+          #inserisco firma nella request
+          saml_issuer = self.root.elements["saml:Issuer"]
+          self.root.insert_after saml_issuer, signature_element
+        end
+        
+
+      end
+
+      protected
+
+      def compute_signature(private_key, signature_algorithm, document)
+        Base64.encode64(private_key.sign(signature_algorithm, document)).to_s.gsub(/\n/, "").gsub(/\t/, "")
+      end
+
+      def compute_digest(document, digest_algorithm)
+        digest = digest_algorithm.digest(document)
+        Base64.encode64(digest).strip!
+      end
+
+    end
+
+    class SignedDocument < BaseDocument
+      include Ciam::Saml::ErrorHandling
+
+      attr_accessor :signed_element_id
+
+      def initialize(response, errors = [])
+        super(response)
+        @errors = errors
+      end
+
+      def signed_element_id
+        @signed_element_id ||= extract_signed_element_id
+      end
+
+      def validate_document(idp_cert_fingerprint, soft = true, options = {})
+        # get cert from response
+        cert_element = REXML::XPath.first(
+          self,
+          "//ds:X509Certificate",
+          { "ds"=>DSIG }
+        )
+
+        if cert_element
+          base64_cert = cert_element.text
+          cert_text = Base64.decode64(base64_cert)
+          begin
+            cert = OpenSSL::X509::Certificate.new(cert_text)
+          rescue OpenSSL::X509::CertificateError => e
+            return append_error("Certificate Error", soft)
+          end
+
+          if options[:fingerprint_alg]
+            fingerprint_alg = Ciam::XMLSecurityNew::BaseDocument.new.algorithm(options[:fingerprint_alg]).new
+          else
+            fingerprint_alg = OpenSSL::Digest::SHA256.new
+          end
+          fingerprint = fingerprint_alg.hexdigest(cert.to_der)
+
+          # check cert matches registered idp cert
+          if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+            @errors << "Fingerprint mismatch"
+            return append_error("Fingerprint mismatch", soft)
+          end
+        else
+          if options[:cert]
+            base64_cert = Base64.encode64(options[:cert].to_pem)
+          else
+            if soft
+              return false
+            else
+              return append_error("Certificate element missing in response (ds:X509Certificate) and not cert provided at settings", soft)
+            end
+          end
+        end
+        validate_signature(base64_cert, soft)
+      end
+
+      def validate_signature(base64_cert, soft = true)
+
+        document = Nokogiri::XML(self.to_s) do |config|
+          config.options = Ciam::XMLSecurityNew::BaseDocument::NOKOGIRI_OPTIONS
+        end
+
+        # create a rexml document
+        @working_copy ||= REXML::Document.new(self.to_s).root
+
+        # get signature node
+        sig_element = REXML::XPath.first(
+            @working_copy,
+            "//ds:Signature",
+            {"ds"=>DSIG}
+        )
+
+        # signature method
+        sig_alg_value = REXML::XPath.first(
+          sig_element,
+          "./ds:SignedInfo/ds:SignatureMethod",
+          {"ds"=>DSIG}
+        )
+        signature_algorithm = algorithm(sig_alg_value)
+
+        # get signature
+        base64_signature = REXML::XPath.first(
+          sig_element,
+          "./ds:SignatureValue",
+          {"ds" => DSIG}
+        ).text
+        signature = Base64.decode64(base64_signature)
+
+        # canonicalization method
+        canon_algorithm = canon_algorithm REXML::XPath.first(
+          sig_element,
+          './ds:SignedInfo/ds:CanonicalizationMethod',
+          'ds' => DSIG
+        )
+
+        noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
+        noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
+
+        canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
+        noko_sig_element.remove
+
+        # get inclusive namespaces
+        inclusive_namespaces = extract_inclusive_namespaces
+
+        # check digests
+        ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
+        uri = ref.attributes.get_attribute("URI").value
+
+        hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+        
+        canon_algorithm = canon_algorithm REXML::XPath.first(
+          ref,
+          '//ds:CanonicalizationMethod',
+          { "ds" => DSIG }
+        )
+        canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+
+        digest_algorithm = algorithm(REXML::XPath.first(
+          ref,
+          "//ds:DigestMethod",
+          { "ds" => DSIG }
+        ))
+        hash = digest_algorithm.digest(canon_hashed_element)
+        encoded_digest_value = REXML::XPath.first(
+          ref,
+          "//ds:DigestValue",
+          { "ds" => DSIG }
+        ).text
+        digest_value = Base64.decode64(encoded_digest_value)
+
+        unless digests_match?(hash, digest_value)
+          @errors << "Digest mismatch"
+          return append_error("Digest mismatch", soft)
+        end
+
+        # get certificate object
+        cert_text = Base64.decode64(base64_cert)
+        cert = OpenSSL::X509::Certificate.new(cert_text)
+
+        # verify signature
+        unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
+          return append_error("Key validation error", soft)
+        end
+
+        return true
+      end
+
+      private
+
+      def digests_match?(hash, digest_value)
+        hash == digest_value
+      end
+
+      def extract_signed_element_id
+        reference_element = REXML::XPath.first(
+          self,
+          "//ds:Signature/ds:SignedInfo/ds:Reference",
+          {"ds"=>DSIG}
+        )
+
+        return nil if reference_element.nil?
+
+        sei = reference_element.attribute("URI").value[1..-1]
+        sei.nil? ? reference_element.parent.parent.parent.attribute("ID").value : sei
+      end
+
+      def extract_inclusive_namespaces
+        element = REXML::XPath.first(
+          self,
+          "//ec:InclusiveNamespaces",
+          { "ec" => C14N }
+        )
+        if element
+          prefix_list = element.attributes.get_attribute("PrefixList").value
+          prefix_list.split(" ")
+        else
+          nil
+        end
+      end
+
+    end
+  end
+end

data/lib/schemas/saml20assertion_schema.xsd

@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema
+    targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns="http://www.w3.org/2001/XMLSchema"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    blockDefault="substitution"
+    version="2.0">
+    <import namespace="http://www.w3.org/2000/09/xmldsig#"
+        schemaLocation="xmldsig_schema.xsd"/>
+    <import namespace="http://www.w3.org/2001/04/xmlenc#"
+        schemaLocation="xenc_schema.xsd"/>
+    <annotation>
+        <documentation>
+            Document identifier: saml-schema-assertion-2.0
+            Location: http://docs.oasis-open.org/security/saml/v2.0/
+            Revision history:
+            V1.0 (November, 2002):
+              Initial Standard Schema.
+            V1.1 (September, 2003):
+              Updates within the same V1.0 namespace.
+            V2.0 (March, 2005):
+              New assertion schema for SAML V2.0 namespace.
+        </documentation>
+    </annotation>
+    <attributeGroup name="IDNameQualifiers">
+        <attribute name="NameQualifier" type="string" use="optional"/>
+        <attribute name="SPNameQualifier" type="string" use="optional"/>
+    </attributeGroup>
+    <element name="BaseID" type="saml:BaseIDAbstractType"/>
+    <complexType name="BaseIDAbstractType" abstract="true">
+        <attributeGroup ref="saml:IDNameQualifiers"/>
+    </complexType>
+    <element name="NameID" type="saml:NameIDType"/>
+    <complexType name="NameIDType">
+        <simpleContent>
+            <extension base="string">
+                <attributeGroup ref="saml:IDNameQualifiers"/>
+                <attribute name="Format" type="anyURI" use="optional"/>
+                <attribute name="SPProvidedID" type="string" use="optional"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <complexType name="EncryptedElementType">
+        <sequence>
+            <element ref="xenc:EncryptedData"/>
+            <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="EncryptedID" type="saml:EncryptedElementType"/>
+    <element name="Issuer" type="saml:NameIDType"/>
+    <element name="AssertionIDRef" type="NCName"/>
+    <element name="AssertionURIRef" type="anyURI"/>
+    <element name="Assertion" type="saml:AssertionType"/>
+    <complexType name="AssertionType">
+        <sequence>
+            <element ref="saml:Issuer"/>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="saml:Subject" minOccurs="0"/>
+            <element ref="saml:Conditions" minOccurs="0"/>
+            <element ref="saml:Advice" minOccurs="0"/>
+            <choice minOccurs="0" maxOccurs="unbounded">
+                <element ref="saml:Statement"/>
+                <element ref="saml:AuthnStatement"/>
+                <element ref="saml:AuthzDecisionStatement"/>
+                <element ref="saml:AttributeStatement"/>
+            </choice>
+        </sequence>
+        <attribute name="Version" type="string" use="required"/>
+        <attribute name="ID" type="ID" use="required"/>
+        <attribute name="IssueInstant" type="dateTime" use="required"/>
+    </complexType>
+    <element name="Subject" type="saml:SubjectType"/>
+    <complexType name="SubjectType">
+        <choice>
+            <sequence>
+                <choice>
+                    <element ref="saml:BaseID"/>
+                    <element ref="saml:NameID"/>
+                    <element ref="saml:EncryptedID"/>
+                </choice>
+                <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
+            </sequence>
+            <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
+        </choice>
+    </complexType>
+    <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+    <complexType name="SubjectConfirmationType">
+        <sequence>
+            <choice minOccurs="0">
+                <element ref="saml:BaseID"/>
+                <element ref="saml:NameID"/>
+                <element ref="saml:EncryptedID"/>
+            </choice>
+            <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+        </sequence>
+        <attribute name="Method" type="anyURI" use="required"/>
+    </complexType>
+    <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
+    <complexType name="SubjectConfirmationDataType" mixed="true">
+        <complexContent>
+            <restriction base="anyType">
+                <sequence>
+                    <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+                <attribute name="NotBefore" type="dateTime" use="optional"/>
+                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+                <attribute name="Recipient" type="anyURI" use="optional"/>
+                <attribute name="InResponseTo" type="NCName" use="optional"/>
+                <attribute name="Address" type="string" use="optional"/>
+                <anyAttribute namespace="##other" processContents="lax"/>
+            </restriction>
+        </complexContent>
+    </complexType>
+    <complexType name="KeyInfoConfirmationDataType" mixed="false">
+        <complexContent>
+            <restriction base="saml:SubjectConfirmationDataType">
+                <sequence>
+                    <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+                </sequence>
+            </restriction>
+        </complexContent>
+    </complexType>
+    <element name="Conditions" type="saml:ConditionsType"/>
+    <complexType name="ConditionsType">
+        <choice minOccurs="0" maxOccurs="unbounded">
+            <element ref="saml:Condition"/>
+            <element ref="saml:AudienceRestriction"/>
+            <element ref="saml:OneTimeUse"/>
+            <element ref="saml:ProxyRestriction"/>
+        </choice>
+        <attribute name="NotBefore" type="dateTime" use="optional"/>
+        <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+    </complexType>
+    <element name="Condition" type="saml:ConditionAbstractType"/>
+    <complexType name="ConditionAbstractType" abstract="true"/>
+    <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
+    <complexType name="AudienceRestrictionType">
+        <complexContent>
+            <extension base="saml:ConditionAbstractType">
+                <sequence>
+                    <element ref="saml:Audience" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="Audience" type="anyURI"/>
+    <element name="OneTimeUse" type="saml:OneTimeUseType" />
+    <complexType name="OneTimeUseType">
+        <complexContent>
+            <extension base="saml:ConditionAbstractType"/>
+        </complexContent>
+    </complexType>
+    <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
+    <complexType name="ProxyRestrictionType">
+    <complexContent>
+        <extension base="saml:ConditionAbstractType">
+            <sequence>
+                <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+            </sequence>
+            <attribute name="Count" type="nonNegativeInteger" use="optional"/>
+        </extension>
+	</complexContent>
+    </complexType>
+    <element name="Advice" type="saml:AdviceType"/>
+    <complexType name="AdviceType">
+        <choice minOccurs="0" maxOccurs="unbounded">
+            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:Assertion"/>
+            <element ref="saml:EncryptedAssertion"/>
+            <any namespace="##other" processContents="lax"/>
+        </choice>
+    </complexType>
+    <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
+    <element name="Statement" type="saml:StatementAbstractType"/>
+    <complexType name="StatementAbstractType" abstract="true"/>
+    <element name="AuthnStatement" type="saml:AuthnStatementType"/>
+    <complexType name="AuthnStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <sequence>
+                    <element ref="saml:SubjectLocality" minOccurs="0"/>
+                    <element ref="saml:AuthnContext"/>
+                </sequence>
+                <attribute name="AuthnInstant" type="dateTime" use="required"/>
+                <attribute name="SessionIndex" type="string" use="optional"/>
+                <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+    <complexType name="SubjectLocalityType">
+        <attribute name="Address" type="string" use="optional"/>
+        <attribute name="DNSName" type="string" use="optional"/>
+    </complexType>
+    <element name="AuthnContext" type="saml:AuthnContextType"/>
+    <complexType name="AuthnContextType">
+        <sequence>
+            <choice>
+                <sequence>
+                    <element ref="saml:AuthnContextClassRef"/>
+                    <choice minOccurs="0">
+                        <element ref="saml:AuthnContextDecl"/>
+                        <element ref="saml:AuthnContextDeclRef"/>
+                    </choice>
+                </sequence>
+                <choice>
+                    <element ref="saml:AuthnContextDecl"/>
+                    <element ref="saml:AuthnContextDeclRef"/>
+                </choice>
+            </choice>
+            <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="AuthnContextClassRef" type="anyURI"/>
+    <element name="AuthnContextDeclRef" type="anyURI"/>
+    <element name="AuthnContextDecl" type="anyType"/>
+    <element name="AuthenticatingAuthority" type="anyURI"/>
+    <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
+    <complexType name="AuthzDecisionStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <sequence>
+                    <element ref="saml:Action" maxOccurs="unbounded"/>
+                    <element ref="saml:Evidence" minOccurs="0"/>
+                </sequence>
+                <attribute name="Resource" type="anyURI" use="required"/>
+                <attribute name="Decision" type="saml:DecisionType" use="required"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <simpleType name="DecisionType">
+        <restriction base="string">
+            <enumeration value="Permit"/>
+            <enumeration value="Deny"/>
+            <enumeration value="Indeterminate"/>
+        </restriction>
+    </simpleType>
+    <element name="Action" type="saml:ActionType"/>
+    <complexType name="ActionType">
+        <simpleContent>
+            <extension base="string">
+                <attribute name="Namespace" type="anyURI" use="required"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <element name="Evidence" type="saml:EvidenceType"/>
+    <complexType name="EvidenceType">
+        <choice maxOccurs="unbounded">
+            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:Assertion"/>
+            <element ref="saml:EncryptedAssertion"/>
+        </choice>
+    </complexType>
+    <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+    <complexType name="AttributeStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <choice maxOccurs="unbounded">
+                    <element ref="saml:Attribute"/>
+                    <element ref="saml:EncryptedAttribute"/>
+                </choice>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="Attribute" type="saml:AttributeType"/>
+    <complexType name="AttributeType">
+        <sequence>
+            <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="Name" type="string" use="required"/>
+        <attribute name="NameFormat" type="anyURI" use="optional"/>
+        <attribute name="FriendlyName" type="string" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <element name="AttributeValue" type="anyType" nillable="true"/>
+    <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
+</schema>