ruby-saml 0.5.3 → 0.6.0


data/.gitignore CHANGED
@@ -3,3 +3,8 @@
3
3
  coverage
4
4
  rdoc
5
5
  pkg
6
+ Gemfile.lock
7
+ .idea/*
8
+ lib/Lib.iml
9
+ test/Test.iml
10
+ .rvmrc
@@ -0,0 +1,5 @@
1
+ language: ruby
2
+ rvm:
3
+ - 1.8.7
4
+ - 1.9.3
5
+ - ree
data/Gemfile CHANGED
@@ -1,8 +1,12 @@
1
1
  source 'http://rubygems.org'
2
2
 
3
- gem 'rake'
4
- gem 'shoulda', "~>3.0.1"
5
- gem 'mocha', "~>0.10.5"
6
- gem 'ruby-debug', "~>0.10.4"
7
- gem 'uuid', "~>2.3.5"
8
- gem 'xmlcanonicalizer', "~>0.1.1"
3
+ gemspec
4
+
5
+ group :test do
6
+ gem "ruby-debug", "~> 0.10.4", :require => nil, :platforms => :ruby_18
7
+ gem "debugger", "~> 1.1.1", :require => nil, :platforms => :ruby_19
8
+ gem "shoulda"
9
+ gem "rake"
10
+ gem "mocha"
11
+ gem "nokogiri"
12
+ end
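Review bot: `nokogiri` is listed only in the `:test` group here, but `response.rb` in this same change adds `require "nokogiri"` at load time and uses `Nokogiri::XML::Schema` inside `validate_structure`, so it is now a runtime dependency. With the dependency list moved into the gemspec (`gemspec` on line 3 of the new file), make sure the gemspec declares `nokogiri` as a runtime dependency, otherwise consumers of the gem will get a `LoadError` on `require 'onelogin/ruby-saml/response'`. The same check applies to `uuid` and `xmlcanonicalizer`, which were removed from this Gemfile and must now come from the gemspec.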
@@ -1,20 +1,23 @@
1
- = Ruby SAML
1
+ # Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.png)](http://travis-ci.org/onelogin/ruby-saml)
2
2
 
3
3
  The Ruby SAML library is for implementing the client side of a SAML authorization, i.e. it provides a means for managing authorization initialization and confirmation requests from identity providers.
4
4
 
5
5
  SAML authorization is a two step process and you are expected to implement support for both.
6
6
 
7
- == The initialization phase
7
+ ## The initialization phase
8
8
 
9
9
  This is the first request you will get from the identity provider. It will hit your application at a specific URL (that you've announced as being your SAML initialization point). The response to this initialization, is a redirect back to the identity provider, which can look something like this (ignore the saml_settings method call for now):
10
10
 
11
- def initialize
11
+ ```ruby
12
+ def init
12
13
  request = Onelogin::Saml::Authrequest.new
13
14
  redirect_to(request.create(saml_settings))
14
15
  end
16
+ ```
15
17
 
16
18
  Once you've redirected back to the identity provider, it will ensure that the user has been authorized and redirect back to your application for final consumption, this is can look something like this (the authorize_success and authorize_failure methods are specific to your application):
17
19
 
20
+ ```ruby
18
21
  def consume
19
22
  response = Onelogin::Saml::Response.new(params[:SAMLResponse])
20
23
  response.settings = saml_settings
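Review bot: the rename of the example action from `initialize` to `init` (README lines 12 and 56) fixes a real problem in the old text: defining `initialize` on an `ApplicationController` subclass overrides the controller's constructor, so the previous example would have broken the controller rather than served a route. The surrounding prose still describes SAML SSO as "authorization" ("SAML authorization is a two step process"); what the library implements is authentication of the user by the IdP, and the README should say so to avoid readers treating a successful response as an access decision.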
@@ -25,28 +28,32 @@ Once you've redirected back to the identity provider, it will ensure that the us
25
28
  authorize_failure(user)
26
29
  end
27
30
  end
31
+ ```
28
32
 
29
33
  In the above there are a few assumptions in place, one being that the response.name_id is an email address. This is all handled with how you specify the settings that are in play via the saml_settings method. That could be implemented along the lines of this:
30
34
 
31
- def saml_settings
32
- settings = Onelogin::Saml::Settings.new
35
+ ```ruby
36
+ def saml_settings
37
+ settings = Onelogin::Saml::Settings.new
33
38
 
34
- settings.assertion_consumer_service_url = "http://#{request.host}/saml/finalize"
35
- settings.issuer = request.host
36
- settings.idp_sso_target_url = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
37
- settings.idp_cert_fingerprint = OneLoginAppCertFingerPrint
38
- settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
39
- # Optional for most SAML IdPs
40
- settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
41
-
42
- settings
43
- end
39
+ settings.assertion_consumer_service_url = "http://#{request.host}/saml/finalize"
40
+ settings.issuer = request.host
41
+ settings.idp_sso_target_url = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
42
+ settings.idp_cert_fingerprint = OneLoginAppCertFingerPrint
43
+ settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
44
+ # Optional for most SAML IdPs
45
+ settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
46
+
47
+ settings
48
+ end
49
+ ```
44
50
 
45
51
  What's left at this point, is to wrap it all up in a controller and point the initialization and consumption URLs in OneLogin at that. A full controller example could look like this:
46
52
 
47
- # This controller expects you to use the URLs /saml/initialize and /saml/consume in your OneLogin application.
53
+ ```ruby
54
+ # This controller expects you to use the URLs /saml/init and /saml/consume in your OneLogin application.
48
55
  class SamlController < ApplicationController
49
- def initialize
56
+ def init
50
57
  request = Onelogin::Saml::Authrequest.new
51
58
  redirect_to(request.create(saml_settings))
52
59
  end
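Review bot: the `saml_settings` example derives both `assertion_consumer_service_url` and `issuer` from `request.host`, which comes from the client-supplied `Host` header, so the SP identity presented to the IdP changes with whatever host name the requester sends. Documentation examples should use fixed, configured values for these two settings, and the ACS URL should be `https://`, since the `SAMLResponse` is posted to it. The example also names the consume endpoint `/saml/finalize` here while the controller comment on line 54 says `/saml/consume`; pick one.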
@@ -74,10 +81,11 @@ What's left at this point, is to wrap it all up in a controller and point the in
74
81
  settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
75
82
  # Optional for most SAML IdPs
76
83
  settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
77
-
84
+
78
85
  settings
79
86
  end
80
87
  end
88
+ ```
81
89
 
82
90
  If are using saml:AttributeStatement to transfare metadata, like the user name, you can access all the attributes through response.attributes. It
83
91
  contains all the saml:AttributeStatement with its 'Name' as a indifferent key and the one saml:AttributeValue as value.
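Review bot: the retained README text on lines 90 and 91 has several typos worth fixing while this section is touched: "If are using" should read "If you are using", "transfare" should be "transfer", and "a indifferent key" should be "an indifferent key". The sentence would also be clearer as "each `saml:Attribute` with its `Name` as an indifferent-access key and its single `saml:AttributeValue` as the value".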
@@ -87,16 +95,17 @@ contains all the saml:AttributeStatement with its 'Name' as a indifferent key an
87
95
 
88
96
  response.attributes[:username]
89
97
 
90
- == Service Provider Metadata
98
+ ## Service Provider Metadata
91
99
 
92
100
  To form a trusted pair relationship with the IdP, the SP (you) need to provide metadata XML
93
101
  to the IdP for various good reasons. (Caching, certificate lookups, relying party permissions, etc)
94
102
 
95
103
  The class Onelogin::Saml::Metdata takes care of this by reading the Settings and returning XML. All
96
- you have to do is add a controller to return the data, then give this URL to the IdP administrator.
104
+ you have to do is add a controller to return the data, then give this URL to the IdP administrator.
97
105
  The metdata will be polled by the IdP every few minutes, so updating your settings should propagate
98
106
  to the IdP settings.
99
107
 
108
+ ```ruby
100
109
  class SamlController < ApplicationController
101
110
  # ... the rest of your controller definitions ...
102
111
  def metadata
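Review bot: "Metdata" on line 103 and "metdata" on line 105 are misspellings of "Metadata"; the class reference in particular should match the real class name so readers can copy it. The sentence on line 100 should read "the SP (you) needs to provide metadata XML", and "every few minutes" on line 105 is an assumption about IdP behaviour (polling intervals are IdP-specific and many IdPs import metadata once); soften it to "may be re-fetched by the IdP".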
@@ -105,13 +114,9 @@ to the IdP settings.
105
114
  render :xml => meta.generate(settings)
106
115
  end
107
116
  end
117
+ ```
108
118
 
109
-
110
- = Full Example
111
-
112
- Please check https://github.com/onelogin/ruby-saml-example for a very basic sample Rails application using this gem.
113
-
114
- == Note on Patches/Pull Requests
119
+ ## Note on Patches/Pull Requests
115
120
 
116
121
  * Fork the project.
117
122
  * Make your feature addition or bug fix.
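Review bot: this hunk removes the whole "Full Example" section and with it the only pointer to a runnable sample application (https://github.com/onelogin/ruby-saml-example). If the example repository is still maintained, keep the link under a `## Full Example` heading in the new Markdown style; if it is being dropped deliberately, say so in the change description so the removal is not mistaken for an accident.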
@@ -10,8 +10,29 @@ module Onelogin
10
10
  include REXML
11
11
  class Authrequest
12
12
  def create(settings, params = {})
13
+ request_doc = create_authentication_xml_doc(settings)
14
+
15
+ request = ""
16
+ request_doc.write(request)
17
+
18
+ Logging.debug "Created AuthnRequest: #{request}"
19
+
20
+ deflated_request = Zlib::Deflate.deflate(request, 9)[2..-5]
21
+ base64_request = Base64.encode64(deflated_request)
22
+ encoded_request = CGI.escape(base64_request)
23
+ params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
24
+ request_params = "#{params_prefix}SAMLRequest=#{encoded_request}"
25
+
26
+ params.each_pair do |key, value|
27
+ request_params << "&#{key}=#{CGI.escape(value.to_s)}"
28
+ end
29
+
30
+ settings.idp_sso_target_url + request_params
31
+ end
32
+
33
+ def create_authentication_xml_doc(settings)
13
34
  uuid = "_" + UUID.new.generate
14
- time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
35
+ time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%S")
15
36
  # Create AuthnRequest root element using REXML
16
37
  request_doc = REXML::Document.new
17
38
 
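Review bot: line 35 changes the `IssueInstant` format from `"%Y-%m-%dT%H:%M:%SZ"` to `"%Y-%m-%dT%H:%M:%S"`, dropping the `Z` while the value is still computed with `Time.now.utc`. SAML requires time values in UTC form, and a schema-validating IdP may reject a `dateTime` with no zone designator; the new `Logoutrequest` in this same change keeps the `Z`, so the two request types are now inconsistent. Restore the `Z` here. Separately, splitting the body into `create_authentication_xml_doc` is a good move for testability, but `Base64.encode64` inserts a newline every 60 characters, which `CGI.escape` then turns into `%0A` in the query string; strip the newlines (or use `Base64.strict_encode64` where Ruby 1.9 is available) before escaping.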
@@ -50,23 +71,7 @@ module Onelogin
50
71
  }
51
72
  class_ref.text = settings.authn_context
52
73
  end
53
-
54
- request = ""
55
- request_doc.write(request)
56
-
57
- Logging.debug "Created AuthnRequest: #{request}"
58
-
59
- deflated_request = Zlib::Deflate.deflate(request, 9)[2..-5]
60
- base64_request = Base64.encode64(deflated_request)
61
- encoded_request = CGI.escape(base64_request)
62
- params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
63
- request_params = "#{params_prefix}SAMLRequest=#{encoded_request}"
64
-
65
- params.each_pair do |key, value|
66
- request_params << "&#{key}=#{CGI.escape(value.to_s)}"
67
- end
68
-
69
- settings.idp_sso_target_url + request_params
74
+ request_doc
70
75
  end
71
76
 
72
77
  end
@@ -3,6 +3,8 @@ module Onelogin
3
3
  module Saml
4
4
  class Logging
5
5
  def self.debug(message)
6
+ return if !!ENV["ruby-saml/testing"]
7
+
6
8
  if defined? Rails
7
9
  Rails.logger.debug message
8
10
  else
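Review bot: the `!!` on line 6 is redundant inside a condition; `return if ENV["ruby-saml/testing"]` is equivalent and easier to read. The environment variable name with a slash is also unusual for an environment key and will be awkward to set from some shells; a conventional name such as `RUBY_SAML_TESTING` (an assumption, pick whatever fits the project) would be easier to document.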
@@ -11,6 +13,8 @@ module Onelogin
11
13
  end
12
14
 
13
15
  def self.info(message)
16
+ return if !!ENV["ruby-saml/testing"]
17
+
14
18
  if defined? Rails
15
19
  Rails.logger.info message
16
20
  else
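Review bot: lines 16 and 17 duplicate the guard added to `debug` above. Move it into a single private class method (for example `def self.silenced?; ENV["ruby-saml/testing"]; end`) and call that from both `debug` and `info`, so the test-mode check lives in one place when the variable name or condition changes.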
@@ -0,0 +1,80 @@
1
+ require "base64"
2
+ require "uuid"
3
+ require "zlib"
4
+ require "cgi"
5
+
6
+ module Onelogin
7
+ module Saml
8
+ include REXML
9
+ class Logoutrequest
10
+
11
+ attr_reader :uuid # Can be obtained if neccessary
12
+
13
+ def initialize
14
+ @uuid = "_" + UUID.new.generate
15
+ end
16
+
17
+ def create(settings, params={})
18
+ request_doc = create_unauth_xml_doc(settings, params)
19
+ request = ""
20
+ request_doc.write(request)
21
+
22
+ deflated_request = Zlib::Deflate.deflate(request, 9)[2..-5]
23
+ base64_request = Base64.encode64(deflated_request)
24
+ encoded_request = CGI.escape(base64_request)
25
+
26
+ params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
27
+ request_params = "#{params_prefix}SAMLRequest=#{encoded_request}"
28
+
29
+ params.each_pair do |key, value|
30
+ request_params << "&#{key}=#{CGI.escape(value.to_s)}"
31
+ end
32
+
33
+ @logout_url = settings.idp_slo_target_url + request_params
34
+ end
35
+
36
+ def create_unauth_xml_doc(settings, params)
37
+
38
+ time = Time.new().strftime("%Y-%m-%dT%H:%M:%SZ")
39
+
40
+ request_doc = REXML::Document.new
41
+ root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
42
+ root.attributes['ID'] = @uuid
43
+ root.attributes['IssueInstant'] = time
44
+ root.attributes['Version'] = "2.0"
45
+
46
+ if settings.issuer
47
+ issuer = root.add_element "saml:Issuer", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
48
+ issuer.text = settings.issuer
49
+ end
50
+
51
+ if settings.name_identifier_value
52
+ name_id = root.add_element "saml:NameID", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
53
+ name_id.attributes['NameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
54
+ name_id.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
55
+ name_id.text = settings.name_identifier_value
56
+ end
57
+
58
+ if settings.sessionindex
59
+ sessionindex = root.add_element "samlp:SessionIndex", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
60
+ sessionindex.text = settings.sessionindex
61
+ end
62
+
63
+ # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
64
+ # match required for authentication to succeed. If this is not defined,
65
+ # the IdP will choose default rules for authentication. (Shibboleth IdP)
66
+ if settings.authn_context != nil
67
+ requested_context = root.add_element "samlp:RequestedAuthnContext", {
68
+ "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
69
+ "Comparison" => "exact",
70
+ }
71
+ class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
72
+ "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
73
+ }
74
+ class_ref.text = settings.authn_context
75
+ end
76
+ request_doc
77
+ end
78
+ end
79
+ end
80
+ end
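Review bot: line 38 builds `IssueInstant` with `Time.new().strftime("%Y-%m-%dT%H:%M:%SZ")`, which formats the local time and then appends a `Z`, labelling a local timestamp as UTC; it should be `Time.now.utc.strftime(...)` as in `Authrequest`. Lines 63 to 75 are copied from `Authrequest` (including the "BUG fix here" comment), but `samlp:RequestedAuthnContext` is not a permitted child of `samlp:LogoutRequest` in the SAML 2.0 protocol schema (which allows `Issuer`, `Signature`, `Extensions`, an identifier element and `SessionIndex`), so setting `authn_context` in the settings would produce a schema-invalid logout request; drop that block. Smaller points: the file uses `REXML::Document` but does not `require "rexml/document"`, so it only loads if another file has already done so; `params` is passed to `create_unauth_xml_doc` but never used there; "neccessary" on line 11 should be "necessary".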
@@ -1,6 +1,8 @@
1
1
  require "xml_security"
2
2
  require "time"
3
+ require "nokogiri"
3
4
 
5
+ # Only supports SAML 2.0
4
6
  module Onelogin
5
7
  module Saml
6
8
 
@@ -15,15 +17,24 @@ module Onelogin
15
17
  raise ArgumentError.new("Response cannot be nil") if response.nil?
16
18
  self.options = options
17
19
  self.response = response
18
- self.document = XMLSecurity::SignedDocument.new(Base64.decode64(response))
20
+
21
+ begin
22
+ self.document = XMLSecurity::SignedDocument.new(Base64.decode64(response))
23
+ rescue REXML::ParseException => e
24
+ if response =~ /</
25
+ self.document = XMLSecurity::SignedDocument.new(response)
26
+ else
27
+ raise e
28
+ end
29
+ end
19
30
  end
20
31
 
21
32
  def is_valid?
22
- validate(soft = true)
33
+ validate
23
34
  end
24
35
 
25
36
  def validate!
26
- validate(soft = false)
37
+ validate(false)
27
38
  end
28
39
 
29
40
  # The value of the user identifier as designated by the initialization request response
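Review bot: the `begin`/`rescue` on lines 21 to 29 decides whether the input was Base64 by whether parsing the decoded bytes fails, and `Base64.decode64` silently discards characters outside the Base64 alphabet, so a raw XML document is first decoded into garbage, parsed, and only then re-parsed as XML. Inspect the input up front instead (the `response =~ /</` test already exists) and document which binding delivers un-encoded XML, since the HTTP-POST binding always Base64-encodes the `SAMLResponse`. Also consider wrapping the re-raised `REXML::ParseException` in the library's `ValidationError` so callers have a single exception type to handle. The simplification of `is_valid?` and `validate!` on lines 33 and 37 is correct; the old `validate(soft = true)` form assigned a local variable rather than naming an argument.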
@@ -65,6 +76,14 @@ module Onelogin
65
76
  parse_time(node, "SessionNotOnOrAfter")
66
77
  end
67
78
  end
79
+
80
+ # Checks the status of the response for a "Success" code
81
+ def success?
82
+ @status_code ||= begin
83
+ node = REXML::XPath.first(document, "/p:Response/p:Status/p:StatusCode", { "p" => PROTOCOL, "a" => ASSERTION })
84
+ node.attributes["Value"] == "urn:oasis:names:tc:SAML:2.0:status:Success"
85
+ end
86
+ end
68
87
 
69
88
  # Conditions (if any) for the assertion to run
70
89
  def conditions
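Review bot: `success?` on lines 81 to 86 calls `node.attributes["Value"]` without checking for `nil`, so a response with no `Status/StatusCode` raises `NoMethodError` instead of returning `false`; guard with `node && node.attributes["Value"] == ...`. The memoisation `@status_code ||=` also caches a boolean, which means a `false` result is recomputed on every call, and the variable name suggests it holds the status code string; store the code itself (`@status_code ||= node && node.attributes["Value"]`) and compare in the method body.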
@@ -76,6 +95,7 @@ module Onelogin
76
95
  def issuer
77
96
  @issuer ||= begin
78
97
  node = REXML::XPath.first(document, "/p:Response/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
98
+ node ||= REXML::XPath.first(document, "/p:Response/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
79
99
  node.nil? ? nil : node.text
80
100
  end
81
101
  end
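Review bot: the fallback on line 98 makes `issuer` return the assertion's `Issuer` whenever the response-level one is absent, so callers cannot tell which element the value came from. When both are present they can differ; since `issuer` is what an SP typically compares against its configured IdP entity ID, consider exposing both or checking that the two agree before returning a single value, and document which one is preferred.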
@@ -87,9 +107,23 @@ module Onelogin
87
107
  end
88
108
 
89
109
  def validate(soft = true)
110
+ validate_structure(soft) &&
90
111
  validate_response_state(soft) &&
91
112
  validate_conditions(soft) &&
92
- document.validate(get_fingerprint, soft)
113
+ document.validate(get_fingerprint, soft) &&
114
+ success?
115
+ end
116
+
117
+ def validate_structure(soft = true)
118
+ Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
119
+ @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
120
+ @xml = Nokogiri::XML(self.document.to_s)
121
+ end
122
+ if soft
123
+ @schema.validate(@xml).map{ return false }
124
+ else
125
+ @schema.validate(@xml).map{ |error| raise(Exception.new("#{error.message}\n\n#{@xml.to_s}")) }
126
+ end
93
127
  end
94
128
 
95
129
  def validate_response_state(soft = true)
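Review bot: line 125 raises a bare `Exception`, which escapes a plain `rescue => e` in the caller; raise the library's `ValidationError` (already required from `ruby-saml.rb`) so `validate!` behaves consistently with the other checks. The message interpolates the full `@xml.to_s`, putting the entire assertion (NameID, attributes) into whatever logs the exception, so drop the document body from the message. `Dir.chdir` on line 118 changes the working directory of the whole process and is not thread-safe; Nokogiri can resolve the `schemaLocation` imports if the schema document is parsed with its file path as URL (`Nokogiri::XML::Schema.from_document(Nokogiri::XML(File.read(path), path))`), which avoids the `chdir`, and the compiled schema should be built once and cached rather than on every `validate`. `@schema.validate(@xml).map{ return false }` on line 123 works only because `return` inside the block exits the method; `@schema.validate(@xml).empty?` says the same thing directly. Finally, `success?` was appended to the `&&` chain on line 114 but only ever returns a boolean, so in hard mode a non-Success status silently yields `false` rather than raising like the other steps.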
@@ -1,9 +1,18 @@
1
1
  module Onelogin
2
2
  module Saml
3
3
  class Settings
4
+ def initialize(config = {})
5
+ config.each do |k,v|
6
+ acc = "#{k.to_s}=".to_sym
7
+ self.send(acc, v) if self.respond_to? acc
8
+ end
9
+ end
4
10
  attr_accessor :assertion_consumer_service_url, :issuer, :sp_name_qualifier
5
11
  attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :name_identifier_format
6
- attr_accessor :authn_context
12
+ attr_accessor :authn_context
13
+ attr_accessor :idp_slo_target_url
14
+ attr_accessor :name_identifier_value
15
+ attr_accessor :sessionindex
7
16
  end
8
17
  end
9
18
  end
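Review bot: the `respond_to?` guard on line 7 silently ignores any key that does not match an accessor, so a misspelled setting (for example `idp_cert_fingerpint`) is dropped without notice and the SP runs with that value unset; raise an `ArgumentError` for unknown keys, or at least log them. Use `public_send` rather than `send` so only the public writers can be reached, and note that `attr_accessor` declarations on lines 10 to 15 follow `initialize`, so the documentation of accepted keys should list all of them, including the new `idp_slo_target_url`, `name_identifier_value` and `sessionindex`.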
@@ -1,5 +1,5 @@
1
1
  module Onelogin
2
2
  module Saml
3
- VERSION = '0.5.3'
3
+ VERSION = '0.6.0'
4
4
  end
5
5
  end
@@ -1,5 +1,6 @@
1
1
  require 'onelogin/ruby-saml/logging'
2
2
  require 'onelogin/ruby-saml/authrequest'
3
+ require 'onelogin/ruby-saml/logoutrequest'
3
4
  require 'onelogin/ruby-saml/response'
4
5
  require 'onelogin/ruby-saml/settings'
5
6
  require 'onelogin/ruby-saml/validation_error'
@@ -0,0 +1,283 @@
1
+ <?xml version="1.0" encoding="US-ASCII"?>
2
+ <schema
3
+ targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
4
+ xmlns="http://www.w3.org/2001/XMLSchema"
5
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
6
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
7
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
8
+ elementFormDefault="unqualified"
9
+ attributeFormDefault="unqualified"
10
+ blockDefault="substitution"
11
+ version="2.0">
12
+ <import namespace="http://www.w3.org/2000/09/xmldsig#"
13
+ schemaLocation="xmldsig_schema.xsd"/>
14
+ <import namespace="http://www.w3.org/2001/04/xmlenc#"
15
+ schemaLocation="xenc_schema.xsd"/>
16
+ <annotation>
17
+ <documentation>
18
+ Document identifier: saml-schema-assertion-2.0
19
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
20
+ Revision history:
21
+ V1.0 (November, 2002):
22
+ Initial Standard Schema.
23
+ V1.1 (September, 2003):
24
+ Updates within the same V1.0 namespace.
25
+ V2.0 (March, 2005):
26
+ New assertion schema for SAML V2.0 namespace.
27
+ </documentation>
28
+ </annotation>
29
+ <attributeGroup name="IDNameQualifiers">
30
+ <attribute name="NameQualifier" type="string" use="optional"/>
31
+ <attribute name="SPNameQualifier" type="string" use="optional"/>
32
+ </attributeGroup>
33
+ <element name="BaseID" type="saml:BaseIDAbstractType"/>
34
+ <complexType name="BaseIDAbstractType" abstract="true">
35
+ <attributeGroup ref="saml:IDNameQualifiers"/>
36
+ </complexType>
37
+ <element name="NameID" type="saml:NameIDType"/>
38
+ <complexType name="NameIDType">
39
+ <simpleContent>
40
+ <extension base="string">
41
+ <attributeGroup ref="saml:IDNameQualifiers"/>
42
+ <attribute name="Format" type="anyURI" use="optional"/>
43
+ <attribute name="SPProvidedID" type="string" use="optional"/>
44
+ </extension>
45
+ </simpleContent>
46
+ </complexType>
47
+ <complexType name="EncryptedElementType">
48
+ <sequence>
49
+ <element ref="xenc:EncryptedData"/>
50
+ <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
51
+ </sequence>
52
+ </complexType>
53
+ <element name="EncryptedID" type="saml:EncryptedElementType"/>
54
+ <element name="Issuer" type="saml:NameIDType"/>
55
+ <element name="AssertionIDRef" type="NCName"/>
56
+ <element name="AssertionURIRef" type="anyURI"/>
57
+ <element name="Assertion" type="saml:AssertionType"/>
58
+ <complexType name="AssertionType">
59
+ <sequence>
60
+ <element ref="saml:Issuer"/>
61
+ <element ref="ds:Signature" minOccurs="0"/>
62
+ <element ref="saml:Subject" minOccurs="0"/>
63
+ <element ref="saml:Conditions" minOccurs="0"/>
64
+ <element ref="saml:Advice" minOccurs="0"/>
65
+ <choice minOccurs="0" maxOccurs="unbounded">
66
+ <element ref="saml:Statement"/>
67
+ <element ref="saml:AuthnStatement"/>
68
+ <element ref="saml:AuthzDecisionStatement"/>
69
+ <element ref="saml:AttributeStatement"/>
70
+ </choice>
71
+ </sequence>
72
+ <attribute name="Version" type="string" use="required"/>
73
+ <attribute name="ID" type="ID" use="required"/>
74
+ <attribute name="IssueInstant" type="dateTime" use="required"/>
75
+ </complexType>
76
+ <element name="Subject" type="saml:SubjectType"/>
77
+ <complexType name="SubjectType">
78
+ <choice>
79
+ <sequence>
80
+ <choice>
81
+ <element ref="saml:BaseID"/>
82
+ <element ref="saml:NameID"/>
83
+ <element ref="saml:EncryptedID"/>
84
+ </choice>
85
+ <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
86
+ </sequence>
87
+ <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
88
+ </choice>
89
+ </complexType>
90
+ <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
91
+ <complexType name="SubjectConfirmationType">
92
+ <sequence>
93
+ <choice minOccurs="0">
94
+ <element ref="saml:BaseID"/>
95
+ <element ref="saml:NameID"/>
96
+ <element ref="saml:EncryptedID"/>
97
+ </choice>
98
+ <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
99
+ </sequence>
100
+ <attribute name="Method" type="anyURI" use="required"/>
101
+ </complexType>
102
+ <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
103
+ <complexType name="SubjectConfirmationDataType" mixed="true">
104
+ <complexContent>
105
+ <restriction base="anyType">
106
+ <sequence>
107
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
108
+ </sequence>
109
+ <attribute name="NotBefore" type="dateTime" use="optional"/>
110
+ <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
111
+ <attribute name="Recipient" type="anyURI" use="optional"/>
112
+ <attribute name="InResponseTo" type="NCName" use="optional"/>
113
+ <attribute name="Address" type="string" use="optional"/>
114
+ <anyAttribute namespace="##other" processContents="lax"/>
115
+ </restriction>
116
+ </complexContent>
117
+ </complexType>
118
+ <complexType name="KeyInfoConfirmationDataType" mixed="false">
119
+ <complexContent>
120
+ <restriction base="saml:SubjectConfirmationDataType">
121
+ <sequence>
122
+ <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
123
+ </sequence>
124
+ </restriction>
125
+ </complexContent>
126
+ </complexType>
127
+ <element name="Conditions" type="saml:ConditionsType"/>
128
+ <complexType name="ConditionsType">
129
+ <choice minOccurs="0" maxOccurs="unbounded">
130
+ <element ref="saml:Condition"/>
131
+ <element ref="saml:AudienceRestriction"/>
132
+ <element ref="saml:OneTimeUse"/>
133
+ <element ref="saml:ProxyRestriction"/>
134
+ </choice>
135
+ <attribute name="NotBefore" type="dateTime" use="optional"/>
136
+ <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
137
+ </complexType>
138
+ <element name="Condition" type="saml:ConditionAbstractType"/>
139
+ <complexType name="ConditionAbstractType" abstract="true"/>
140
+ <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
141
+ <complexType name="AudienceRestrictionType">
142
+ <complexContent>
143
+ <extension base="saml:ConditionAbstractType">
144
+ <sequence>
145
+ <element ref="saml:Audience" maxOccurs="unbounded"/>
146
+ </sequence>
147
+ </extension>
148
+ </complexContent>
149
+ </complexType>
150
+ <element name="Audience" type="anyURI"/>
151
+ <element name="OneTimeUse" type="saml:OneTimeUseType" />
152
+ <complexType name="OneTimeUseType">
153
+ <complexContent>
154
+ <extension base="saml:ConditionAbstractType"/>
155
+ </complexContent>
156
+ </complexType>
157
+ <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
158
+ <complexType name="ProxyRestrictionType">
159
+ <complexContent>
160
+ <extension base="saml:ConditionAbstractType">
161
+ <sequence>
162
+ <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
163
+ </sequence>
164
+ <attribute name="Count" type="nonNegativeInteger" use="optional"/>
165
+ </extension>
166
+ </complexContent>
167
+ </complexType>
168
+ <element name="Advice" type="saml:AdviceType"/>
169
+ <complexType name="AdviceType">
170
+ <choice minOccurs="0" maxOccurs="unbounded">
171
+ <element ref="saml:AssertionIDRef"/>
172
+ <element ref="saml:AssertionURIRef"/>
173
+ <element ref="saml:Assertion"/>
174
+ <element ref="saml:EncryptedAssertion"/>
175
+ <any namespace="##other" processContents="lax"/>
176
+ </choice>
177
+ </complexType>
178
+ <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
179
+ <element name="Statement" type="saml:StatementAbstractType"/>
180
+ <complexType name="StatementAbstractType" abstract="true"/>
181
+ <element name="AuthnStatement" type="saml:AuthnStatementType"/>
182
+ <complexType name="AuthnStatementType">
183
+ <complexContent>
184
+ <extension base="saml:StatementAbstractType">
185
+ <sequence>
186
+ <element ref="saml:SubjectLocality" minOccurs="0"/>
187
+ <element ref="saml:AuthnContext"/>
188
+ </sequence>
189
+ <attribute name="AuthnInstant" type="dateTime" use="required"/>
190
+ <attribute name="SessionIndex" type="string" use="optional"/>
191
+ <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
192
+ </extension>
193
+ </complexContent>
194
+ </complexType>
195
+ <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
196
+ <complexType name="SubjectLocalityType">
197
+ <attribute name="Address" type="string" use="optional"/>
198
+ <attribute name="DNSName" type="string" use="optional"/>
199
+ </complexType>
200
+ <element name="AuthnContext" type="saml:AuthnContextType"/>
201
+ <complexType name="AuthnContextType">
202
+ <sequence>
203
+ <choice>
204
+ <sequence>
205
+ <element ref="saml:AuthnContextClassRef"/>
206
+ <choice minOccurs="0">
207
+ <element ref="saml:AuthnContextDecl"/>
208
+ <element ref="saml:AuthnContextDeclRef"/>
209
+ </choice>
210
+ </sequence>
211
+ <choice>
212
+ <element ref="saml:AuthnContextDecl"/>
213
+ <element ref="saml:AuthnContextDeclRef"/>
214
+ </choice>
215
+ </choice>
216
+ <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
217
+ </sequence>
218
+ </complexType>
219
+ <element name="AuthnContextClassRef" type="anyURI"/>
220
+ <element name="AuthnContextDeclRef" type="anyURI"/>
221
+ <element name="AuthnContextDecl" type="anyType"/>
222
+ <element name="AuthenticatingAuthority" type="anyURI"/>
223
+ <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
224
+ <complexType name="AuthzDecisionStatementType">
225
+ <complexContent>
226
+ <extension base="saml:StatementAbstractType">
227
+ <sequence>
228
+ <element ref="saml:Action" maxOccurs="unbounded"/>
229
+ <element ref="saml:Evidence" minOccurs="0"/>
230
+ </sequence>
231
+ <attribute name="Resource" type="anyURI" use="required"/>
232
+ <attribute name="Decision" type="saml:DecisionType" use="required"/>
233
+ </extension>
234
+ </complexContent>
235
+ </complexType>
236
+ <simpleType name="DecisionType">
237
+ <restriction base="string">
238
+ <enumeration value="Permit"/>
239
+ <enumeration value="Deny"/>
240
+ <enumeration value="Indeterminate"/>
241
+ </restriction>
242
+ </simpleType>
243
+ <element name="Action" type="saml:ActionType"/>
244
+ <complexType name="ActionType">
245
+ <simpleContent>
246
+ <extension base="string">
247
+ <attribute name="Namespace" type="anyURI" use="required"/>
248
+ </extension>
249
+ </simpleContent>
250
+ </complexType>
251
+ <element name="Evidence" type="saml:EvidenceType"/>
252
+ <complexType name="EvidenceType">
253
+ <choice maxOccurs="unbounded">
254
+ <element ref="saml:AssertionIDRef"/>
255
+ <element ref="saml:AssertionURIRef"/>
256
+ <element ref="saml:Assertion"/>
257
+ <element ref="saml:EncryptedAssertion"/>
258
+ </choice>
259
+ </complexType>
260
+ <element name="AttributeStatement" type="saml:AttributeStatementType"/>
261
+ <complexType name="AttributeStatementType">
262
+ <complexContent>
263
+ <extension base="saml:StatementAbstractType">
264
+ <choice maxOccurs="unbounded">
265
+ <element ref="saml:Attribute"/>
266
+ <element ref="saml:EncryptedAttribute"/>
267
+ </choice>
268
+ </extension>
269
+ </complexContent>
270
+ </complexType>
271
+ <element name="Attribute" type="saml:AttributeType"/>
272
+ <complexType name="AttributeType">
273
+ <sequence>
274
+ <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
275
+ </sequence>
276
+ <attribute name="Name" type="string" use="required"/>
277
+ <attribute name="NameFormat" type="anyURI" use="optional"/>
278
+ <attribute name="FriendlyName" type="string" use="optional"/>
279
+ <anyAttribute namespace="##other" processContents="lax"/>
280
+ </complexType>
281
+ <element name="AttributeValue" type="anyType" nillable="true"/>
282
+ <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
283
+ </schema>
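Review bot: this file is the SAML 2.0 assertion schema (`saml-schema-assertion-2.0`), while `validate_structure` in `response.rb` loads `saml20protocol_schema.xsd`; that protocol schema imports this file, and this file in turn imports `xmldsig_schema.xsd` and `xenc_schema.xsd` via relative `schemaLocation` (lines 12 to 15). All four files therefore have to be present in the `schemas` directory and included in the gemspec's file list, otherwise schema compilation fails at runtime for every response; worth a test that builds the schema from the packaged gem rather than from the checkout.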