ruby-saml 0.8.16 → 0.9

data/lib/onelogin/ruby-saml/utils.rb

@@ -1,211 +1,44 @@
-if RUBY_VERSION < '1.9'
-  require 'uuid'
-else
-  require 'securerandom'
-end
-
-require "base64"
-require "zlib"
-
 module OneLogin
   module RubySaml
-
-    # SAML2 Auxiliary class
-    #
     class Utils
-      @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
-
-      BASE64_FORMAT = %r(\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z)
-
-      # Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes
-      # that there all children other than text nodes can be ignored (e.g. comments). If nil is
-      # passed, nil will be returned.
-      def self.element_text(element)
-        element.texts.map(&:value).join if element
-      end
-
-      # Return a properly formatted x509 certificate
-      #
-      # @param cert [String] The original certificate
-      # @return [String] The formatted certificate
-      #
-      def self.format_cert(cert)
-        # don't try to format an encoded certificate or if is empty or nil
-        if cert.respond_to?(:ascii_only?)
-          return cert if cert.nil? || cert.empty? || !cert.ascii_only?
-        else
-          return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)
-        end
-
-        if cert.scan(/BEGIN CERTIFICATE/).length > 1
-            formatted_cert = []
-          cert.scan(/-{5}BEGIN CERTIFICATE-{5}[\n\r]?.*?-{5}END CERTIFICATE-{5}[\n\r]?/m) {|c|
-            formatted_cert << format_cert(c)
-          }
-          formatted_cert.join("\n")
-        else
-          cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
-          cert = cert.gsub(/\r/, "")
-          cert = cert.gsub(/\n/, "")
-          cert = cert.gsub(/\s/, "")
-          cert = cert.scan(/.{1,64}/)
-          cert = cert.join("\n")
-          "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
+      def self.format_cert(cert, heads=true)
+        cert = cert.delete("\n").delete("\r").delete("\x0D")
+        if cert
+          cert = cert.gsub('-----BEGIN CERTIFICATE-----', '')
+          cert = cert.gsub('-----END CERTIFICATE-----', '')
+          cert = cert.gsub(' ', '')
+
+          if heads
+            cert = cert.scan(/.{1,64}/).join("\n")+"\n"
+            cert = "-----BEGIN CERTIFICATE-----\n" + cert + "-----END CERTIFICATE-----\n"
+          end
         end
-      end
-
-      # Return a properly formatted private key
-      #
-      # @param key [String] The original private key
-      # @return [String] The formatted private key
-      #
-      def self.format_private_key(key)
-        # don't try to format an encoded private key or if is empty
-        return key if key.nil? || key.empty? || key.match(/\x0d/)
-
-        # is this an rsa key?
-        rsa_key = key.match("RSA PRIVATE KEY")
-        key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "")
-        key = key.gsub(/\n/, "")
-        key = key.gsub(/\r/, "")
-        key = key.gsub(/\s/, "")
-        key = key.scan(/.{1,64}/)
-        key = key.join("\n")
-        key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY"
-        "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
-      end
-
-      # Build the Query String signature that will be used in the HTTP-Redirect binding
-      # to generate the Signature
-      # @param params [Hash] Parameters to build the Query String
-      # @option params [String] :type 'SAMLRequest' or 'SAMLResponse'
-      # @option params [String] :data Base64 encoded SAMLRequest or SAMLResponse
-      # @option params [String] :relay_state The RelayState parameter
-      # @option params [String] :sig_alg The SigAlg parameter
-      # @return [String] The Query String
-      #
-      def self.build_query(params)
-        type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]}
-          url_string = "#{type}=#{CGI.escape(data)}"
-        url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
-        url_string << "&SigAlg=#{CGI.escape(sig_alg)}"
-      end
-
-      def self.uuid
-        RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
-      end
-
-      # Build the status error message
-      # @param status_code [String] StatusCode value
-      # @param status_message [Strig] StatusMessage value
-      # @return [String] The status error message
-      def self.status_error_msg(error_msg, raw_status_code = nil, status_message = nil)
-        unless raw_status_code.nil?
-          if raw_status_code.include? "|"
-            status_codes = raw_status_code.split(' | ')
-            values = status_codes.collect do |status_code|
-              status_code.split(':').last
+        cert
+      end
+
+      def self.format_private_key(key, heads=true)
+        key = key.delete("\n").delete("\r").delete("\x0D")
+        if key
+          if key.index('-----BEGIN PRIVATE KEY-----') != nil
+            key = key.gsub('-----BEGIN PRIVATE KEY-----', '')
+            key = key.gsub('-----END PRIVATE KEY-----', '')
+            key = key.gsub(' ', '')
+            if heads
+              key = key.scan(/.{1,64}/).join("\n")+"\n"
+              key = "-----BEGIN PRIVATE KEY-----\n" + key + "-----END PRIVATE KEY-----\n"
             end
-            printable_code = values.join(" => ")
           else
-            printable_code = raw_status_code.split(':').last
+            key = key.gsub('-----BEGIN RSA PRIVATE KEY-----', '')
+            key = key.gsub('-----END RSA PRIVATE KEY-----', '')
+            key = key.gsub(' ', '')
+            if heads
+              key = key.scan(/.{1,64}/).join("\n")+"\n"
+              key = "-----BEGIN RSA PRIVATE KEY-----\n" + key + "-----END RSA PRIVATE KEY-----\n"
+            end
           end
-          error_msg << ', was ' + printable_code
-        end
-
-        unless status_message.nil?
-          error_msg << ' -> ' + status_message
         end
-
-        error_msg
-      end
-
-      # Base64 decode and try also to inflate a SAML Message
-      # @param saml [String] The deflated and encoded SAML Message
-      # @return [String] The plain SAML Message
-      #
-      def self.decode_raw_saml(saml)
-        return saml unless base64_encoded?(saml)
-
-        decoded = decode(saml)
-        begin
-          inflate(decoded)
-        rescue
-          decoded
-        end
-      end
-
-      # Base 64 decode method
-      # @param string [String] The string message
-      # @return [String] The decoded string
-      #
-      def self.decode(string)
-        Base64.decode64(string)
-      end
-
-      # Base 64 encode method
-      # @param string [String] The string
-      # @return [String] The encoded string
-      #
-      def self.encode(string)
-        if Base64.respond_to?('strict_encode64')
-          Base64.strict_encode64(string)
-        else
-          Base64.encode64(string).gsub(/\n/, "")
-        end
-      end
-
-      # Check if a string is base64 encoded
-      # @param string [String] string to check the encoding of
-      # @return [true, false] whether or not the string is base64 encoded
-      #
-      def self.base64_encoded?(string)
-        !!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)
-      end
-
-      # Inflate method
-      # @param deflated [String] The string
-      # @return [String] The inflated string
-      #
-      def self.inflate(deflated)
-        Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(deflated)
-      end
-
-      # Deflate method
-      # @param inflated [String] The string
-      # @return [String] The deflated string
-      #
-      def self.deflate(inflated)
-        Zlib::Deflate.deflate(inflated, 9)[2..-5]
-      end
-
-      # Given two strings, attempt to match them as URIs using Rails' parse method.  If they can be parsed,
-      # then the fully-qualified domain name and the host should performa a case-insensitive match, per the
-      # RFC for URIs.  If Rails can not parse the string in to URL pieces, return a boolean match of the
-      # two strings.  This maintains the previous functionality.
-      # @return [Boolean]
-      def self.uri_match?(destination_url, settings_url)
-        dest_uri = URI.parse(destination_url)
-        acs_uri = URI.parse(settings_url)
-
-        if dest_uri.scheme.nil? || acs_uri.scheme.nil? || dest_uri.host.nil? || acs_uri.host.nil?
-          raise URI::InvalidURIError
-        else
-          dest_uri.scheme.downcase == acs_uri.scheme.downcase &&
-            dest_uri.host.downcase == acs_uri.host.downcase &&
-            dest_uri.path == acs_uri.path &&
-            dest_uri.query == acs_uri.query
-        end
-      rescue URI::InvalidURIError
-        original_uri_match?(destination_url, settings_url)
-      end
-
-      # If Rails' URI.parse can't match to valid URL, default back to the original matching service.
-      # @return [Boolean]
-      def self.original_uri_match?(destination_url, settings_url)
-        destination_url == settings_url
       end
 
     end
   end
-end
+end

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.8.16'
+    VERSION = '0.9'
   end
 end

data/lib/ruby-saml.rb

@@ -1,13 +1,16 @@
 require 'onelogin/ruby-saml/logging'
+require 'onelogin/ruby-saml/saml_message'
 require 'onelogin/ruby-saml/authrequest'
 require 'onelogin/ruby-saml/logoutrequest'
 require 'onelogin/ruby-saml/logoutresponse'
+require 'onelogin/ruby-saml/attributes'
 require 'onelogin/ruby-saml/slo_logoutrequest'
 require 'onelogin/ruby-saml/slo_logoutresponse'
 require 'onelogin/ruby-saml/response'
 require 'onelogin/ruby-saml/settings'
-require 'onelogin/ruby-saml/utils'
+require 'onelogin/ruby-saml/attribute_service'
 require 'onelogin/ruby-saml/validation_error'
 require 'onelogin/ruby-saml/metadata'
+require 'onelogin/ruby-saml/idp_metadata_parser'
+require 'onelogin/ruby-saml/utils'
 require 'onelogin/ruby-saml/version'
-require 'onelogin/ruby-saml/attributes'

data/lib/schemas/{saml20assertion_schema.xsd → saml-schema-assertion-2.0.xsd}

@@ -1,283 +1,283 @@
-<?xml version="1.0" encoding="US-ASCII"?>
-<schema
-    targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns="http://www.w3.org/2001/XMLSchema"
-    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-    elementFormDefault="unqualified"
-    attributeFormDefault="unqualified"
-    blockDefault="substitution"
-    version="2.0">
-    <import namespace="http://www.w3.org/2000/09/xmldsig#"
-        schemaLocation="xmldsig_schema.xsd"/>
-    <import namespace="http://www.w3.org/2001/04/xmlenc#"
-        schemaLocation="xenc_schema.xsd"/>
-    <annotation>
-        <documentation>
-            Document identifier: saml-schema-assertion-2.0
-            Location: http://docs.oasis-open.org/security/saml/v2.0/
-            Revision history:
-            V1.0 (November, 2002):
-              Initial Standard Schema.
-            V1.1 (September, 2003):
-              Updates within the same V1.0 namespace.
-            V2.0 (March, 2005):
-              New assertion schema for SAML V2.0 namespace.
-        </documentation>
-    </annotation>
-    <attributeGroup name="IDNameQualifiers">
-        <attribute name="NameQualifier" type="string" use="optional"/>
-        <attribute name="SPNameQualifier" type="string" use="optional"/>
-    </attributeGroup>
-    <element name="BaseID" type="saml:BaseIDAbstractType"/>
-    <complexType name="BaseIDAbstractType" abstract="true">
-        <attributeGroup ref="saml:IDNameQualifiers"/>
-    </complexType>
-    <element name="NameID" type="saml:NameIDType"/>
-    <complexType name="NameIDType">
-        <simpleContent>
-            <extension base="string">
-                <attributeGroup ref="saml:IDNameQualifiers"/>
-                <attribute name="Format" type="anyURI" use="optional"/>
-                <attribute name="SPProvidedID" type="string" use="optional"/>
-            </extension>
-        </simpleContent>
-    </complexType>
-    <complexType name="EncryptedElementType">
-        <sequence>
-            <element ref="xenc:EncryptedData"/>
-            <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
-        </sequence>
-    </complexType>
-    <element name="EncryptedID" type="saml:EncryptedElementType"/>
-    <element name="Issuer" type="saml:NameIDType"/>
-    <element name="AssertionIDRef" type="NCName"/>
-    <element name="AssertionURIRef" type="anyURI"/>
-    <element name="Assertion" type="saml:AssertionType"/>
-    <complexType name="AssertionType">
-        <sequence>
-            <element ref="saml:Issuer"/>
-            <element ref="ds:Signature" minOccurs="0"/>
-            <element ref="saml:Subject" minOccurs="0"/>
-            <element ref="saml:Conditions" minOccurs="0"/>
-            <element ref="saml:Advice" minOccurs="0"/>
-            <choice minOccurs="0" maxOccurs="unbounded">
-                <element ref="saml:Statement"/>
-                <element ref="saml:AuthnStatement"/>
-                <element ref="saml:AuthzDecisionStatement"/>
-                <element ref="saml:AttributeStatement"/>
-            </choice>
-        </sequence>
-        <attribute name="Version" type="string" use="required"/>
-        <attribute name="ID" type="ID" use="required"/>
-        <attribute name="IssueInstant" type="dateTime" use="required"/>
-    </complexType>
-    <element name="Subject" type="saml:SubjectType"/>
-    <complexType name="SubjectType">
-        <choice>
-            <sequence>
-                <choice>
-                    <element ref="saml:BaseID"/>
-                    <element ref="saml:NameID"/>
-                    <element ref="saml:EncryptedID"/>
-                </choice>
-                <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
-            </sequence>
-            <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
-        </choice>
-    </complexType>
-    <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
-    <complexType name="SubjectConfirmationType">
-        <sequence>
-            <choice minOccurs="0">
-                <element ref="saml:BaseID"/>
-                <element ref="saml:NameID"/>
-                <element ref="saml:EncryptedID"/>
-            </choice>
-            <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
-        </sequence>
-        <attribute name="Method" type="anyURI" use="required"/>
-    </complexType>
-    <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
-    <complexType name="SubjectConfirmationDataType" mixed="true">
-        <complexContent>
-            <restriction base="anyType">
-                <sequence>
-                    <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-                </sequence>
-                <attribute name="NotBefore" type="dateTime" use="optional"/>
-                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
-                <attribute name="Recipient" type="anyURI" use="optional"/>
-                <attribute name="InResponseTo" type="NCName" use="optional"/>
-                <attribute name="Address" type="string" use="optional"/>
-                <anyAttribute namespace="##other" processContents="lax"/>
-            </restriction>
-        </complexContent>
-    </complexType>
-    <complexType name="KeyInfoConfirmationDataType" mixed="false">
-        <complexContent>
-            <restriction base="saml:SubjectConfirmationDataType">
-                <sequence>
-                    <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
-                </sequence>
-            </restriction>
-        </complexContent>
-    </complexType>
-    <element name="Conditions" type="saml:ConditionsType"/>
-    <complexType name="ConditionsType">
-        <choice minOccurs="0" maxOccurs="unbounded">
-            <element ref="saml:Condition"/>
-            <element ref="saml:AudienceRestriction"/>
-            <element ref="saml:OneTimeUse"/>
-            <element ref="saml:ProxyRestriction"/>
-        </choice>
-        <attribute name="NotBefore" type="dateTime" use="optional"/>
-        <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
-    </complexType>
-    <element name="Condition" type="saml:ConditionAbstractType"/>
-    <complexType name="ConditionAbstractType" abstract="true"/>
-    <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
-    <complexType name="AudienceRestrictionType">
-        <complexContent>
-            <extension base="saml:ConditionAbstractType">
-                <sequence>
-                    <element ref="saml:Audience" maxOccurs="unbounded"/>
-                </sequence>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="Audience" type="anyURI"/>
-    <element name="OneTimeUse" type="saml:OneTimeUseType" />
-    <complexType name="OneTimeUseType">
-        <complexContent>
-            <extension base="saml:ConditionAbstractType"/>
-        </complexContent>
-    </complexType>
-    <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
-    <complexType name="ProxyRestrictionType">
-    <complexContent>
-        <extension base="saml:ConditionAbstractType">
-            <sequence>
-                <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
-            </sequence>
-            <attribute name="Count" type="nonNegativeInteger" use="optional"/>
-        </extension>
-	</complexContent>
-    </complexType>
-    <element name="Advice" type="saml:AdviceType"/>
-    <complexType name="AdviceType">
-        <choice minOccurs="0" maxOccurs="unbounded">
-            <element ref="saml:AssertionIDRef"/>
-            <element ref="saml:AssertionURIRef"/>
-            <element ref="saml:Assertion"/>
-            <element ref="saml:EncryptedAssertion"/>
-            <any namespace="##other" processContents="lax"/>
-        </choice>
-    </complexType>
-    <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
-    <element name="Statement" type="saml:StatementAbstractType"/>
-    <complexType name="StatementAbstractType" abstract="true"/>
-    <element name="AuthnStatement" type="saml:AuthnStatementType"/>
-    <complexType name="AuthnStatementType">
-        <complexContent>
-            <extension base="saml:StatementAbstractType">
-                <sequence>
-                    <element ref="saml:SubjectLocality" minOccurs="0"/>
-                    <element ref="saml:AuthnContext"/>
-                </sequence>
-                <attribute name="AuthnInstant" type="dateTime" use="required"/>
-                <attribute name="SessionIndex" type="string" use="optional"/>
-                <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
-    <complexType name="SubjectLocalityType">
-        <attribute name="Address" type="string" use="optional"/>
-        <attribute name="DNSName" type="string" use="optional"/>
-    </complexType>
-    <element name="AuthnContext" type="saml:AuthnContextType"/>
-    <complexType name="AuthnContextType">
-        <sequence>
-            <choice>
-                <sequence>
-                    <element ref="saml:AuthnContextClassRef"/>
-                    <choice minOccurs="0">
-                        <element ref="saml:AuthnContextDecl"/>
-                        <element ref="saml:AuthnContextDeclRef"/>
-                    </choice>
-                </sequence>
-                <choice>
-                    <element ref="saml:AuthnContextDecl"/>
-                    <element ref="saml:AuthnContextDeclRef"/>
-                </choice>
-            </choice>
-            <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
-        </sequence>
-    </complexType>
-    <element name="AuthnContextClassRef" type="anyURI"/>
-    <element name="AuthnContextDeclRef" type="anyURI"/>
-    <element name="AuthnContextDecl" type="anyType"/>
-    <element name="AuthenticatingAuthority" type="anyURI"/>
-    <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
-    <complexType name="AuthzDecisionStatementType">
-        <complexContent>
-            <extension base="saml:StatementAbstractType">
-                <sequence>
-                    <element ref="saml:Action" maxOccurs="unbounded"/>
-                    <element ref="saml:Evidence" minOccurs="0"/>
-                </sequence>
-                <attribute name="Resource" type="anyURI" use="required"/>
-                <attribute name="Decision" type="saml:DecisionType" use="required"/>
-            </extension>
-        </complexContent>
-    </complexType>
-    <simpleType name="DecisionType">
-        <restriction base="string">
-            <enumeration value="Permit"/>
-            <enumeration value="Deny"/>
-            <enumeration value="Indeterminate"/>
-        </restriction>
-    </simpleType>
-    <element name="Action" type="saml:ActionType"/>
-    <complexType name="ActionType">
-        <simpleContent>
-            <extension base="string">
-                <attribute name="Namespace" type="anyURI" use="required"/>
-            </extension>
-        </simpleContent>
-    </complexType>
-    <element name="Evidence" type="saml:EvidenceType"/>
-    <complexType name="EvidenceType">
-        <choice maxOccurs="unbounded">
-            <element ref="saml:AssertionIDRef"/>
-            <element ref="saml:AssertionURIRef"/>
-            <element ref="saml:Assertion"/>
-            <element ref="saml:EncryptedAssertion"/>
-        </choice>
-    </complexType>
-    <element name="AttributeStatement" type="saml:AttributeStatementType"/>
-    <complexType name="AttributeStatementType">
-        <complexContent>
-            <extension base="saml:StatementAbstractType">
-                <choice maxOccurs="unbounded">
-                    <element ref="saml:Attribute"/>
-                    <element ref="saml:EncryptedAttribute"/>
-                </choice>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="Attribute" type="saml:AttributeType"/>
-    <complexType name="AttributeType">
-        <sequence>
-            <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
-        </sequence>
-        <attribute name="Name" type="string" use="required"/>
-        <attribute name="NameFormat" type="anyURI" use="optional"/>
-        <attribute name="FriendlyName" type="string" use="optional"/>
-        <anyAttribute namespace="##other" processContents="lax"/>
-    </complexType>
-    <element name="AttributeValue" type="anyType" nillable="true"/>
-    <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
-</schema>
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema
+    targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns="http://www.w3.org/2001/XMLSchema"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    blockDefault="substitution"
+    version="2.0">
+    <import namespace="http://www.w3.org/2000/09/xmldsig#"
+        schemaLocation="xmldsig-core-schema.xsd"/>
+    <import namespace="http://www.w3.org/2001/04/xmlenc#"
+        schemaLocation="xenc-schema.xsd"/>
+    <annotation>
+        <documentation>
+            Document identifier: saml-schema-assertion-2.0
+            Location: http://docs.oasis-open.org/security/saml/v2.0/
+            Revision history:
+            V1.0 (November, 2002):
+              Initial Standard Schema.
+            V1.1 (September, 2003):
+              Updates within the same V1.0 namespace.
+            V2.0 (March, 2005):
+              New assertion schema for SAML V2.0 namespace.
+        </documentation>
+    </annotation>
+    <attributeGroup name="IDNameQualifiers">
+        <attribute name="NameQualifier" type="string" use="optional"/>
+        <attribute name="SPNameQualifier" type="string" use="optional"/>
+    </attributeGroup>
+    <element name="BaseID" type="saml:BaseIDAbstractType"/>
+    <complexType name="BaseIDAbstractType" abstract="true">
+        <attributeGroup ref="saml:IDNameQualifiers"/>
+    </complexType>
+    <element name="NameID" type="saml:NameIDType"/>
+    <complexType name="NameIDType">
+        <simpleContent>
+            <extension base="string">
+                <attributeGroup ref="saml:IDNameQualifiers"/>
+                <attribute name="Format" type="anyURI" use="optional"/>
+                <attribute name="SPProvidedID" type="string" use="optional"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <complexType name="EncryptedElementType">
+        <sequence>
+            <element ref="xenc:EncryptedData"/>
+            <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="EncryptedID" type="saml:EncryptedElementType"/>
+    <element name="Issuer" type="saml:NameIDType"/>
+    <element name="AssertionIDRef" type="NCName"/>
+    <element name="AssertionURIRef" type="anyURI"/>
+    <element name="Assertion" type="saml:AssertionType"/>
+    <complexType name="AssertionType">
+        <sequence>
+            <element ref="saml:Issuer"/>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="saml:Subject" minOccurs="0"/>
+            <element ref="saml:Conditions" minOccurs="0"/>
+            <element ref="saml:Advice" minOccurs="0"/>
+            <choice minOccurs="0" maxOccurs="unbounded">
+                <element ref="saml:Statement"/>
+                <element ref="saml:AuthnStatement"/>
+                <element ref="saml:AuthzDecisionStatement"/>
+                <element ref="saml:AttributeStatement"/>
+            </choice>
+        </sequence>
+        <attribute name="Version" type="string" use="required"/>
+        <attribute name="ID" type="ID" use="required"/>
+        <attribute name="IssueInstant" type="dateTime" use="required"/>
+    </complexType>
+    <element name="Subject" type="saml:SubjectType"/>
+    <complexType name="SubjectType">
+        <choice>
+            <sequence>
+                <choice>
+                    <element ref="saml:BaseID"/>
+                    <element ref="saml:NameID"/>
+                    <element ref="saml:EncryptedID"/>
+                </choice>
+                <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
+            </sequence>
+            <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
+        </choice>
+    </complexType>
+    <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+    <complexType name="SubjectConfirmationType">
+        <sequence>
+            <choice minOccurs="0">
+                <element ref="saml:BaseID"/>
+                <element ref="saml:NameID"/>
+                <element ref="saml:EncryptedID"/>
+            </choice>
+            <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+        </sequence>
+        <attribute name="Method" type="anyURI" use="required"/>
+    </complexType>
+    <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
+    <complexType name="SubjectConfirmationDataType" mixed="true">
+        <complexContent>
+            <restriction base="anyType">
+                <sequence>
+                    <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+                <attribute name="NotBefore" type="dateTime" use="optional"/>
+                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+                <attribute name="Recipient" type="anyURI" use="optional"/>
+                <attribute name="InResponseTo" type="NCName" use="optional"/>
+                <attribute name="Address" type="string" use="optional"/>
+                <anyAttribute namespace="##other" processContents="lax"/>
+            </restriction>
+        </complexContent>
+    </complexType>
+    <complexType name="KeyInfoConfirmationDataType" mixed="false">
+        <complexContent>
+            <restriction base="saml:SubjectConfirmationDataType">
+                <sequence>
+                    <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+                </sequence>
+            </restriction>
+        </complexContent>
+    </complexType>
+    <element name="Conditions" type="saml:ConditionsType"/>
+    <complexType name="ConditionsType">
+        <choice minOccurs="0" maxOccurs="unbounded">
+            <element ref="saml:Condition"/>
+            <element ref="saml:AudienceRestriction"/>
+            <element ref="saml:OneTimeUse"/>
+            <element ref="saml:ProxyRestriction"/>
+        </choice>
+        <attribute name="NotBefore" type="dateTime" use="optional"/>
+        <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+    </complexType>
+    <element name="Condition" type="saml:ConditionAbstractType"/>
+    <complexType name="ConditionAbstractType" abstract="true"/>
+    <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
+    <complexType name="AudienceRestrictionType">
+        <complexContent>
+            <extension base="saml:ConditionAbstractType">
+                <sequence>
+                    <element ref="saml:Audience" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="Audience" type="anyURI"/>
+    <element name="OneTimeUse" type="saml:OneTimeUseType" />
+    <complexType name="OneTimeUseType">
+        <complexContent>
+            <extension base="saml:ConditionAbstractType"/>
+        </complexContent>
+    </complexType>
+    <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
+    <complexType name="ProxyRestrictionType">
+    <complexContent>
+        <extension base="saml:ConditionAbstractType">
+            <sequence>
+                <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+            </sequence>
+            <attribute name="Count" type="nonNegativeInteger" use="optional"/>
+        </extension>
+	</complexContent>
+    </complexType>
+    <element name="Advice" type="saml:AdviceType"/>
+    <complexType name="AdviceType">
+        <choice minOccurs="0" maxOccurs="unbounded">
+            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:Assertion"/>
+            <element ref="saml:EncryptedAssertion"/>
+            <any namespace="##other" processContents="lax"/>
+        </choice>
+    </complexType>
+    <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
+    <element name="Statement" type="saml:StatementAbstractType"/>
+    <complexType name="StatementAbstractType" abstract="true"/>
+    <element name="AuthnStatement" type="saml:AuthnStatementType"/>
+    <complexType name="AuthnStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <sequence>
+                    <element ref="saml:SubjectLocality" minOccurs="0"/>
+                    <element ref="saml:AuthnContext"/>
+                </sequence>
+                <attribute name="AuthnInstant" type="dateTime" use="required"/>
+                <attribute name="SessionIndex" type="string" use="optional"/>
+                <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+    <complexType name="SubjectLocalityType">
+        <attribute name="Address" type="string" use="optional"/>
+        <attribute name="DNSName" type="string" use="optional"/>
+    </complexType>
+    <element name="AuthnContext" type="saml:AuthnContextType"/>
+    <complexType name="AuthnContextType">
+        <sequence>
+            <choice>
+                <sequence>
+                    <element ref="saml:AuthnContextClassRef"/>
+                    <choice minOccurs="0">
+                        <element ref="saml:AuthnContextDecl"/>
+                        <element ref="saml:AuthnContextDeclRef"/>
+                    </choice>
+                </sequence>
+                <choice>
+                    <element ref="saml:AuthnContextDecl"/>
+                    <element ref="saml:AuthnContextDeclRef"/>
+                </choice>
+            </choice>
+            <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="AuthnContextClassRef" type="anyURI"/>
+    <element name="AuthnContextDeclRef" type="anyURI"/>
+    <element name="AuthnContextDecl" type="anyType"/>
+    <element name="AuthenticatingAuthority" type="anyURI"/>
+    <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
+    <complexType name="AuthzDecisionStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <sequence>
+                    <element ref="saml:Action" maxOccurs="unbounded"/>
+                    <element ref="saml:Evidence" minOccurs="0"/>
+                </sequence>
+                <attribute name="Resource" type="anyURI" use="required"/>
+                <attribute name="Decision" type="saml:DecisionType" use="required"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <simpleType name="DecisionType">
+        <restriction base="string">
+            <enumeration value="Permit"/>
+            <enumeration value="Deny"/>
+            <enumeration value="Indeterminate"/>
+        </restriction>
+    </simpleType>
+    <element name="Action" type="saml:ActionType"/>
+    <complexType name="ActionType">
+        <simpleContent>
+            <extension base="string">
+                <attribute name="Namespace" type="anyURI" use="required"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <element name="Evidence" type="saml:EvidenceType"/>
+    <complexType name="EvidenceType">
+        <choice maxOccurs="unbounded">
+            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:Assertion"/>
+            <element ref="saml:EncryptedAssertion"/>
+        </choice>
+    </complexType>
+    <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+    <complexType name="AttributeStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <choice maxOccurs="unbounded">
+                    <element ref="saml:Attribute"/>
+                    <element ref="saml:EncryptedAttribute"/>
+                </choice>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="Attribute" type="saml:AttributeType"/>
+    <complexType name="AttributeType">
+        <sequence>
+            <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="Name" type="string" use="required"/>
+        <attribute name="NameFormat" type="anyURI" use="optional"/>
+        <attribute name="FriendlyName" type="string" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <element name="AttributeValue" type="anyType" nillable="true"/>
+    <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
+</schema>