ruby-saml-federazione-trentina 0.0.1

data/lib/onelogin/ruby-saml/request.rb

@@ -0,0 +1,83 @@
+
+# A few helper functions for assembling a SAMLRequest and 
+# sending it to the IdP
+module Onelogin::Saml
+	include Coding
+	module Request
+		
+	  # a few symbols for SAML class names
+		HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+		HTTP_GET = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+		# get the IdP metadata, and select the appropriate SSO binding
+		# that we can support.  Currently this is HTTP-Redirect and HTTP-POST
+		# but more could be added in the future
+		def binding_select(service)
+			# first check if we're still using the old hard coded method for 
+			# backwards compatability
+			if @settings.idp_metadata == nil && @settings.idp_sso_target_url != nil
+				@URL = @settings.idp_sso_target_url
+				return "GET", content_get
+			end
+			# grab the metadata
+			metadata = Metadata::new
+			meta_doc = metadata.get_idp_metadata(@settings)
+			
+			# first try POST
+			sso_element = REXML::XPath.first(meta_doc,
+				"/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_POST}']")
+			if sso_element 
+				@URL = sso_element.attributes["Location"]
+				#Logging.debug "binding_select: POST to #{@URL}"
+				return "POST", content_post
+			end
+			
+			# next try GET
+			sso_element = REXML::XPath.first(meta_doc,
+				"/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_GET}']")
+			if sso_element 
+				@URL = sso_element.attributes["Location"]
+				Logging.debug "binding_select: GET from #{@URL}"
+				return "GET", content_get
+			end
+			# other types we might want to add in the future:  SOAP, Artifact
+		end
+		
+		# construct the the parameter list on the URL and return
+		def content_get
+			# compress GET requests to try and stay under that 8KB request limit
+			deflated_request  = Zlib::Deflate.deflate(@request, 9)[2..-5]
+			# strict_encode64() isn't available?  sub out the newlines
+			@request_params["SAMLRequest"] = Base64.encode64(deflated_request).gsub(/\n/, "")
+			
+			Logging.debug "SAMLRequest=#{@request_params["SAMLRequest"]}"
+			uri = Addressable::URI.parse(@URL)
+			uri.query_values = @request_params
+			url = uri.to_s
+			#url = @URL + "?SAMLRequest=" + @request_params["SAMLRequest"]
+			Logging.debug "Sending to URL #{url}"
+			return url
+		end
+		# construct an HTML form (POST) and return the content
+		def content_post
+			# POST requests seem to bomb out when they're deflated
+			# and they probably don't need to be compressed anyway
+			@request_params["SAMLRequest"] = Base64.encode64(@request).gsub(/\n/, "")
+			
+			#Logging.debug "SAMLRequest=#{@request_params["SAMLRequest"]}"
+			# kind of a cheesy method of building an HTML, form since we can't rely on Rails too much,
+			# and REXML doesn't work well with quote characters
+			str = "<html><body onLoad=\"document.getElementById('form').submit();\">\n"
+			str += "<form id='form' name='form' method='POST' action=\"#{@URL}\">\n"
+			# we could change this in the future to associate a temp auth session ID
+			str += "<input name='RelayState' value='ruby-saml' type='hidden' />\n"
+			@request_params.each_pair do |key, value|
+				str += "<input name=\"#{key}\" value=\"#{value}\" type='hidden' />\n"
+				#str += "<input name=\"#{key}\" value=\"#{CGI.escape(value)}\" type='hidden' />\n"
+			end
+			str += "</form></body></html>\n"
+			
+			Logging.debug "Created form:\n#{str}"
+			return str
+		end
+	end	
+end

data/lib/onelogin/ruby-saml/response.rb

@@ -0,0 +1,211 @@
+require "xml_security"
+require "time"
+require "nokogiri"
+require 'ruby-debug'
+require "base64"
+require "openssl"
+require "digest/sha1"
+
+# Only supports SAML 2.0
+module Onelogin
+  module Saml
+
+    class Response
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+      DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+
+      attr_accessor :options, :response, :document, :settings
+
+      def initialize(response, options = {})
+        raise ArgumentError.new("Response cannot be nil") if response.nil?
+        self.options  = options
+        self.response = response
+        begin
+          self.document = XMLSecurity::SignedDocument.new(Base64.decode64(response))
+        rescue REXML::ParseException => e
+          if response =~ /</
+            self.document = XMLSecurity::SignedDocument.new(response)
+          else
+            raise e
+          end
+        end
+        
+      end
+
+      def is_valid?
+        validate
+      end
+
+      def validate!
+        validate(false)
+      end
+
+      # The value of the user identifier as designated by the initialization request response
+      def name_id
+        @name_id ||= begin
+          # non va..  node = REXML::XPath.first(document, "/saml2p:Response/saml2:Assertion[@ID='#{document.signed_element_id}']/saml2:Subject/saml2:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+          node = REXML::XPath.first(document, "/saml2p:Response/saml2:Assertion[@ID='#{document.signed_element_id}']/saml2:Subject/saml2:NameID")
+          #node ||=  REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id}']/a:Assertion/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+          node ||=  REXML::XPath.first(document, "/saml2p:Response[@ID='#{document.signed_element_id}']/saml2:Assertion/saml2:Subject/saml2:NameID")
+          node.nil? ? nil : node.text
+        end
+      end
+
+      # A hash of alle the attributes with the response. Assuming there is only one value for each key
+      def attributes
+        @attr_statements ||= begin
+          result = {}
+
+          stmt_element = REXML::XPath.first(document, "/p:Response/a:Assertion/a:AttributeStatement", { "p" => PROTOCOL, "a" => ASSERTION })
+          return {} if stmt_element.nil?
+
+          stmt_element.elements.each do |attr_element|
+            name  = attr_element.attributes["Name"]
+            value = attr_element.elements.first.text
+
+            result[name] = value
+          end
+
+          result.keys.each do |key|
+            result[key.intern] = result[key]
+          end
+
+          result
+        end
+      end
+
+      # When this user session should expire at latest
+      def session_expires_at
+        @expires_at ||= begin
+          node = REXML::XPath.first(document, "/p:Response/a:Assertion/a:AuthnStatement", { "p" => PROTOCOL, "a" => ASSERTION })
+          parse_time(node, "SessionNotOnOrAfter")
+        end
+      end
+      
+      # Checks the status of the response for a "Success" code
+      def success?
+        @status_code ||= begin
+          node = REXML::XPath.first(document, "/p:Response/p:Status/p:StatusCode", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.attributes["Value"] == "urn:oasis:names:tc:SAML:2.0:status:Success"
+        end
+      end
+
+      # Conditions (if any) for the assertion to run
+      def conditions
+        @conditions ||= begin
+          REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id}']/a:Conditions", { "p" => PROTOCOL, "a" => ASSERTION })
+        end
+      end
+
+      def issuer
+        @issuer ||= begin
+          node = REXML::XPath.first(document, "/p:Response/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node ||= REXML::XPath.first(document, "/p:Response/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.text
+        end
+      end
+
+      private
+
+      def validation_error(message)
+        raise ValidationError.new(message)
+      end
+
+      # def validate(soft = true)
+      #   debugger
+      #   val = validate_structure(soft) && validate_response_state(soft) && validate_conditions(soft) && document.validate(get_fingerprint, soft) && success?
+      #   val
+      # end
+
+    def validate(soft = true)
+        # prime the IdP metadata before the document validation. 
+        # The idp_cert needs to be populated before the validate_response_state method
+        
+        if settings 
+          Onelogin::Saml::Metadata.new(settings).get_idp_metadata
+        end
+          return false if validate_structure(soft) == false
+          return false if validate_response_state(soft) == false
+          return false if validate_conditions(soft) == false
+        
+        # Just in case a user needs to toss out the signature validation,
+        # I'm adding in an option for it.  (Sometimes canonicalization is a bitch!)
+        return true if settings.skip_validation == true
+        
+        # document.validte populates the idp_cert
+          return false if document.validate(get_fingerprint, soft) == false
+        
+        # validate response code
+        return false if success? == false  
+
+        return true
+    end
+
+
+      def validate_structure(soft = true)
+        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
+          @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
+          @xml = Nokogiri::XML(self.document.to_s)
+        end
+        if soft
+          @schema.validate(@xml).map{ return false }
+        else
+          @schema.validate(@xml).map{ |error| raise(Exception.new("#{error.message}\n\n#{@xml.to_s}")) }
+        end
+      end
+
+      def validate_response_state(soft = true)
+        if response.empty?
+          return soft ? false : validation_error("Blank response")
+        end
+
+        if settings.nil?
+          return soft ? false : validation_error("No settings on response")
+        end
+
+        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
+        end
+
+        true
+      end
+
+      def get_fingerprint
+        if settings.idp_cert
+          cert_text = Base64.decode64(settings.idp_cert)
+          cert = OpenSSL::X509::Certificate.new(cert_text)
+          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+        else
+          settings.idp_cert_fingerprint
+        end
+        
+      end
+
+      def validate_conditions(soft = true)
+        return true if conditions.nil?
+        return true if options[:skip_conditions]
+
+        if not_before = parse_time(conditions, "NotBefore")
+          if Time.now.utc < not_before
+            return soft ? false : validation_error("Current time is earlier than NotBefore condition")
+          end
+        end
+
+        if not_on_or_after = parse_time(conditions, "NotOnOrAfter")
+          if Time.now.utc >= not_on_or_after
+            return soft ? false : validation_error("Current time is on or after NotOnOrAfter condition")
+          end
+        end
+
+        true
+      end
+
+      def parse_time(node, attribute)
+        if node && node.attributes[attribute]
+          Time.parse(node.attributes[attribute])
+        end
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/settings.rb

@@ -0,0 +1,29 @@
+module Onelogin
+  module Saml
+    class Settings
+     
+      attr_accessor :assertion_consumer_service_url, :issuer, :sp_name_qualifier, :sp_cert
+      attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :name_identifier_format, :idp_metadata, :idp_metadata_ttl, :idp_name_qualifier
+      attr_accessor :authn_context, :requester_identificator
+      attr_accessor :assertion_consumer_service_binding, :idp_slo_target_url
+      attr_accessor :name_identifier_value
+      attr_accessor :sessionindex
+      attr_accessor :single_logout_service_url, :single_logout_service_binding, :single_logout_destination, :destination_service_url
+      attr_accessor :skip_validation
+    
+      def initialize(config = {})
+        config.each do |k,v|
+          acc = "#{k.to_s}=".to_sym
+          self.send(acc, v) if self.respond_to? acc
+        end
+
+        # Set some sane default values on a few options
+        self.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        self.single_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        # Default cache TTL for metadata is 1 day
+        self.idp_metadata_ttl = 86400
+      end
+
+    end
+  end
+end

data/lib/onelogin/ruby-saml/validation_error.rb

@@ -0,0 +1,7 @@
+module Onelogin
+  module Saml
+    class ValidationError < Exception
+    end
+  end
+end
+

data/lib/onelogin/ruby-saml/version.rb

@@ -0,0 +1,5 @@
+module Onelogin
+  module Saml
+    VERSION = '0.6.0'
+  end
+end

data/lib/ruby-saml.rb

@@ -0,0 +1,11 @@
+require 'onelogin/ruby-saml/logging'
+require 'onelogin/ruby-saml/coding'
+require 'onelogin/ruby-saml/request'
+require 'onelogin/ruby-saml/authrequest'
+require 'onelogin/ruby-saml/logout_request'
+require 'onelogin/ruby-saml/logout_response'
+require 'onelogin/ruby-saml/response'
+require 'onelogin/ruby-saml/settings'
+require 'onelogin/ruby-saml/validation_error'
+require 'onelogin/ruby-saml/metadata'
+require 'onelogin/ruby-saml/version'

data/lib/schemas/saml20assertion_schema.xsd

@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema
+    targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns="http://www.w3.org/2001/XMLSchema"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    blockDefault="substitution"
+    version="2.0">
+    <import namespace="http://www.w3.org/2000/09/xmldsig#"
+        schemaLocation="xmldsig_schema.xsd"/>
+    <import namespace="http://www.w3.org/2001/04/xmlenc#"
+        schemaLocation="xenc_schema.xsd"/>
+    <annotation>
+        <documentation>
+            Document identifier: saml-schema-assertion-2.0
+            Location: http://docs.oasis-open.org/security/saml/v2.0/
+            Revision history:
+            V1.0 (November, 2002):
+              Initial Standard Schema.
+            V1.1 (September, 2003):
+              Updates within the same V1.0 namespace.
+            V2.0 (March, 2005):
+              New assertion schema for SAML V2.0 namespace.
+        </documentation>
+    </annotation>
+    <attributeGroup name="IDNameQualifiers">
+        <attribute name="NameQualifier" type="string" use="optional"/>
+        <attribute name="SPNameQualifier" type="string" use="optional"/>
+    </attributeGroup>
+    <element name="BaseID" type="saml:BaseIDAbstractType"/>
+    <complexType name="BaseIDAbstractType" abstract="true">
+        <attributeGroup ref="saml:IDNameQualifiers"/>
+    </complexType>
+    <element name="NameID" type="saml:NameIDType"/>
+    <complexType name="NameIDType">
+        <simpleContent>
+            <extension base="string">
+                <attributeGroup ref="saml:IDNameQualifiers"/>
+                <attribute name="Format" type="anyURI" use="optional"/>
+                <attribute name="SPProvidedID" type="string" use="optional"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <complexType name="EncryptedElementType">
+        <sequence>
+            <element ref="xenc:EncryptedData"/>
+            <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="EncryptedID" type="saml:EncryptedElementType"/>
+    <element name="Issuer" type="saml:NameIDType"/>
+    <element name="AssertionIDRef" type="NCName"/>
+    <element name="AssertionURIRef" type="anyURI"/>
+    <element name="Assertion" type="saml:AssertionType"/>
+    <complexType name="AssertionType">
+        <sequence>
+            <element ref="saml:Issuer"/>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="saml:Subject" minOccurs="0"/>
+            <element ref="saml:Conditions" minOccurs="0"/>
+            <element ref="saml:Advice" minOccurs="0"/>
+            <choice minOccurs="0" maxOccurs="unbounded">
+                <element ref="saml:Statement"/>
+                <element ref="saml:AuthnStatement"/>
+                <element ref="saml:AuthzDecisionStatement"/>
+                <element ref="saml:AttributeStatement"/>
+            </choice>
+        </sequence>
+        <attribute name="Version" type="string" use="required"/>
+        <attribute name="ID" type="ID" use="required"/>
+        <attribute name="IssueInstant" type="dateTime" use="required"/>
+    </complexType>
+    <element name="Subject" type="saml:SubjectType"/>
+    <complexType name="SubjectType">
+        <choice>
+            <sequence>
+                <choice>
+                    <element ref="saml:BaseID"/>
+                    <element ref="saml:NameID"/>
+                    <element ref="saml:EncryptedID"/>
+                </choice>
+                <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
+            </sequence>
+            <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
+        </choice>
+    </complexType>
+    <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+    <complexType name="SubjectConfirmationType">
+        <sequence>
+            <choice minOccurs="0">
+                <element ref="saml:BaseID"/>
+                <element ref="saml:NameID"/>
+                <element ref="saml:EncryptedID"/>
+            </choice>
+            <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+        </sequence>
+        <attribute name="Method" type="anyURI" use="required"/>
+    </complexType>
+    <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
+    <complexType name="SubjectConfirmationDataType" mixed="true">
+        <complexContent>
+            <restriction base="anyType">
+                <sequence>
+                    <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+                <attribute name="NotBefore" type="dateTime" use="optional"/>
+                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+                <attribute name="Recipient" type="anyURI" use="optional"/>
+                <attribute name="InResponseTo" type="NCName" use="optional"/>
+                <attribute name="Address" type="string" use="optional"/>
+                <anyAttribute namespace="##other" processContents="lax"/>
+            </restriction>
+        </complexContent>
+    </complexType>
+    <complexType name="KeyInfoConfirmationDataType" mixed="false">
+        <complexContent>
+            <restriction base="saml:SubjectConfirmationDataType">
+                <sequence>
+                    <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+                </sequence>
+            </restriction>
+        </complexContent>
+    </complexType>
+    <element name="Conditions" type="saml:ConditionsType"/>
+    <complexType name="ConditionsType">
+        <choice minOccurs="0" maxOccurs="unbounded">
+            <element ref="saml:Condition"/>
+            <element ref="saml:AudienceRestriction"/>
+            <element ref="saml:OneTimeUse"/>
+            <element ref="saml:ProxyRestriction"/>
+        </choice>
+        <attribute name="NotBefore" type="dateTime" use="optional"/>
+        <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+    </complexType>
+    <element name="Condition" type="saml:ConditionAbstractType"/>
+    <complexType name="ConditionAbstractType" abstract="true"/>
+    <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
+    <complexType name="AudienceRestrictionType">
+        <complexContent>
+            <extension base="saml:ConditionAbstractType">
+                <sequence>
+                    <element ref="saml:Audience" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="Audience" type="anyURI"/>
+    <element name="OneTimeUse" type="saml:OneTimeUseType" />
+    <complexType name="OneTimeUseType">
+        <complexContent>
+            <extension base="saml:ConditionAbstractType"/>
+        </complexContent>
+    </complexType>
+    <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
+    <complexType name="ProxyRestrictionType">
+    <complexContent>
+        <extension base="saml:ConditionAbstractType">
+            <sequence>
+                <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+            </sequence>
+            <attribute name="Count" type="nonNegativeInteger" use="optional"/>
+        </extension>
+	</complexContent>
+    </complexType>
+    <element name="Advice" type="saml:AdviceType"/>
+    <complexType name="AdviceType">
+        <choice minOccurs="0" maxOccurs="unbounded">
+            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:Assertion"/>
+            <element ref="saml:EncryptedAssertion"/>
+            <any namespace="##other" processContents="lax"/>
+        </choice>
+    </complexType>
+    <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
+    <element name="Statement" type="saml:StatementAbstractType"/>
+    <complexType name="StatementAbstractType" abstract="true"/>
+    <element name="AuthnStatement" type="saml:AuthnStatementType"/>
+    <complexType name="AuthnStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <sequence>
+                    <element ref="saml:SubjectLocality" minOccurs="0"/>
+                    <element ref="saml:AuthnContext"/>
+                </sequence>
+                <attribute name="AuthnInstant" type="dateTime" use="required"/>
+                <attribute name="SessionIndex" type="string" use="optional"/>
+                <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+    <complexType name="SubjectLocalityType">
+        <attribute name="Address" type="string" use="optional"/>
+        <attribute name="DNSName" type="string" use="optional"/>
+    </complexType>
+    <element name="AuthnContext" type="saml:AuthnContextType"/>
+    <complexType name="AuthnContextType">
+        <sequence>
+            <choice>
+                <sequence>
+                    <element ref="saml:AuthnContextClassRef"/>
+                    <choice minOccurs="0">
+                        <element ref="saml:AuthnContextDecl"/>
+                        <element ref="saml:AuthnContextDeclRef"/>
+                    </choice>
+                </sequence>
+                <choice>
+                    <element ref="saml:AuthnContextDecl"/>
+                    <element ref="saml:AuthnContextDeclRef"/>
+                </choice>
+            </choice>
+            <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="AuthnContextClassRef" type="anyURI"/>
+    <element name="AuthnContextDeclRef" type="anyURI"/>
+    <element name="AuthnContextDecl" type="anyType"/>
+    <element name="AuthenticatingAuthority" type="anyURI"/>
+    <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
+    <complexType name="AuthzDecisionStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <sequence>
+                    <element ref="saml:Action" maxOccurs="unbounded"/>
+                    <element ref="saml:Evidence" minOccurs="0"/>
+                </sequence>
+                <attribute name="Resource" type="anyURI" use="required"/>
+                <attribute name="Decision" type="saml:DecisionType" use="required"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <simpleType name="DecisionType">
+        <restriction base="string">
+            <enumeration value="Permit"/>
+            <enumeration value="Deny"/>
+            <enumeration value="Indeterminate"/>
+        </restriction>
+    </simpleType>
+    <element name="Action" type="saml:ActionType"/>
+    <complexType name="ActionType">
+        <simpleContent>
+            <extension base="string">
+                <attribute name="Namespace" type="anyURI" use="required"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <element name="Evidence" type="saml:EvidenceType"/>
+    <complexType name="EvidenceType">
+        <choice maxOccurs="unbounded">
+            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:Assertion"/>
+            <element ref="saml:EncryptedAssertion"/>
+        </choice>
+    </complexType>
+    <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+    <complexType name="AttributeStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <choice maxOccurs="unbounded">
+                    <element ref="saml:Attribute"/>
+                    <element ref="saml:EncryptedAttribute"/>
+                </choice>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="Attribute" type="saml:AttributeType"/>
+    <complexType name="AttributeType">
+        <sequence>
+            <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="Name" type="string" use="required"/>
+        <attribute name="NameFormat" type="anyURI" use="optional"/>
+        <attribute name="FriendlyName" type="string" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <element name="AttributeValue" type="anyType" nillable="true"/>
+    <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
+</schema>