RubyGems - ruby-saml - Versions diffs - 0.8.16 → 0.9 - Mend

ruby-saml 0.8.16 → 0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (90) hide show

checksums.yaml +5 -5
data/.gitignore +1 -0
data/.travis.yml +1 -6
data/Gemfile +2 -12
data/README.md +363 -35
data/Rakefile +14 -0
data/changelog.md +22 -9
data/lib/onelogin/ruby-saml/attribute_service.rb +34 -0
data/lib/onelogin/ruby-saml/attributes.rb +26 -64
data/lib/onelogin/ruby-saml/authrequest.rb +47 -89
data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +87 -0
data/lib/onelogin/ruby-saml/logoutrequest.rb +34 -93
data/lib/onelogin/ruby-saml/logoutresponse.rb +25 -24
data/lib/onelogin/ruby-saml/metadata.rb +46 -16
data/lib/onelogin/ruby-saml/response.rb +62 -322
data/lib/onelogin/ruby-saml/saml_message.rb +78 -0
data/lib/onelogin/ruby-saml/settings.rb +54 -121
data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +26 -61
data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +27 -84
data/lib/onelogin/ruby-saml/utils.rb +32 -199
data/lib/onelogin/ruby-saml/version.rb +1 -1
data/lib/ruby-saml.rb +5 -2
data/lib/schemas/{saml20assertion_schema.xsd → saml-schema-assertion-2.0.xsd} +283 -283
data/lib/schemas/saml-schema-authn-context-2.0.xsd +23 -0
data/lib/schemas/saml-schema-authn-context-types-2.0.xsd +821 -0
data/lib/schemas/saml-schema-metadata-2.0.xsd +339 -0
data/lib/schemas/{saml20protocol_schema.xsd → saml-schema-protocol-2.0.xsd} +302 -302
data/lib/schemas/sstc-metadata-attr.xsd +35 -0
data/lib/schemas/sstc-saml-attribute-ext.xsd +25 -0
data/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd +41 -0
data/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd +89 -0
data/lib/schemas/{xenc_schema.xsd → xenc-schema.xsd} +1 -11
data/lib/schemas/xml.xsd +287 -0
data/lib/schemas/{xmldsig_schema.xsd → xmldsig-core-schema.xsd} +0 -9
data/lib/xml_security.rb +83 -235
data/ruby-saml.gemspec +1 -0
data/test/idp_metadata_parser_test.rb +54 -0
data/test/logoutrequest_test.rb +68 -144
data/test/logoutresponse_test.rb +43 -25
data/test/metadata_test.rb +87 -0
data/test/request_test.rb +103 -90
data/test/response_test.rb +181 -471
data/test/responses/idp_descriptor.xml +3 -0
data/test/responses/logoutresponse_fixtures.rb +5 -5
data/test/responses/response_no_cert_and_encrypted_attrs.xml +29 -0
data/test/responses/response_with_multiple_attribute_values.xml +1 -1
data/test/responses/slo_request.xml +4 -0
data/test/settings_test.rb +25 -112
data/test/slo_logoutrequest_test.rb +41 -44
data/test/slo_logoutresponse_test.rb +87 -167
data/test/test_helper.rb +27 -102
data/test/xml_security_test.rb +114 -337
metadata +34 -84
data/lib/onelogin/ruby-saml/setting_error.rb +0 -6
data/test/certificates/certificate.der +0 -0
data/test/certificates/formatted_certificate +0 -14
data/test/certificates/formatted_chained_certificate +0 -42
data/test/certificates/formatted_private_key +0 -12
data/test/certificates/formatted_rsa_private_key +0 -12
data/test/certificates/invalid_certificate1 +0 -1
data/test/certificates/invalid_certificate2 +0 -1
data/test/certificates/invalid_certificate3 +0 -12
data/test/certificates/invalid_chained_certificate1 +0 -1
data/test/certificates/invalid_private_key1 +0 -1
data/test/certificates/invalid_private_key2 +0 -1
data/test/certificates/invalid_private_key3 +0 -10
data/test/certificates/invalid_rsa_private_key1 +0 -1
data/test/certificates/invalid_rsa_private_key2 +0 -1
data/test/certificates/invalid_rsa_private_key3 +0 -10
data/test/certificates/ruby-saml-2.crt +0 -15
data/test/requests/logoutrequest_fixtures.rb +0 -47
data/test/responses/encrypted_new_attack.xml.base64 +0 -1
data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +0 -1
data/test/responses/invalids/invalid_issuer_message.xml.base64 +0 -1
data/test/responses/invalids/multiple_signed.xml.base64 +0 -1
data/test/responses/invalids/no_signature.xml.base64 +0 -1
data/test/responses/invalids/response_with_concealed_signed_assertion.xml +0 -51
data/test/responses/invalids/response_with_doubled_signed_assertion.xml +0 -49
data/test/responses/invalids/signature_wrapping_attack.xml.base64 +0 -1
data/test/responses/response_node_text_attack.xml.base64 +0 -1
data/test/responses/response_with_concealed_signed_assertion.xml +0 -51
data/test/responses/response_with_doubled_signed_assertion.xml +0 -49
data/test/responses/response_with_multiple_attribute_statements.xml +0 -72
data/test/responses/response_with_signed_assertion_3.xml +0 -30
data/test/responses/response_with_signed_message_and_assertion.xml +0 -34
data/test/responses/response_with_undefined_recipient.xml.base64 +0 -1
data/test/responses/response_wrapped.xml.base64 +0 -150
data/test/responses/valid_response.xml.base64 +0 -1
data/test/responses/valid_response_without_x509certificate.xml.base64 +0 -1
data/test/utils_test.rb +0 -231

data/lib/schemas/saml-schema-metadata-2.0.xsd ADDED

@@ -0,0 +1,339 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+    targetNamespace="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns="http://www.w3.org/2001/XMLSchema"
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    blockDefault="substitution"
+    version="2.0">
+    <import namespace="http://www.w3.org/2000/09/xmldsig#"
+        schemaLocation="xmldsig-core-schema.xsd"/>
+    <import namespace="http://www.w3.org/2001/04/xmlenc#"
+        schemaLocation="xenc-schema.xsd"/>
+    <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+        schemaLocation="saml-schema-assertion-2.0.xsd"/>
+    <import namespace="http://www.w3.org/XML/1998/namespace"
+        schemaLocation="xml.xsd"/>
+    <annotation>
+        <documentation>
+            Document identifier: saml-schema-metadata-2.0
+            Location: http://docs.oasis-open.org/security/saml/v2.0/
+            Revision history:
+              V2.0 (March, 2005):
+                Schema for SAML metadata, first published in SAML 2.0.
+        </documentation>
+    </annotation>
+    <simpleType name="entityIDType">
+        <restriction base="anyURI">
+            <maxLength value="1024"/>
+        </restriction>
+    </simpleType>
+    <complexType name="localizedNameType">
+        <simpleContent>
+            <extension base="string">
+                <attribute ref="xml:lang" use="required"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <complexType name="localizedURIType">
+        <simpleContent>
+            <extension base="anyURI">
+                <attribute ref="xml:lang" use="required"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <element name="Extensions" type="md:ExtensionsType"/>
+    <complexType final="#all" name="ExtensionsType">
+        <sequence>
+            <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <complexType name="EndpointType">
+        <sequence>
+            <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="Binding" type="anyURI" use="required"/>
+        <attribute name="Location" type="anyURI" use="required"/>
+        <attribute name="ResponseLocation" type="anyURI" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <complexType name="IndexedEndpointType">
+        <complexContent>
+            <extension base="md:EndpointType">
+                <attribute name="index" type="unsignedShort" use="required"/>
+                <attribute name="isDefault" type="boolean" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="EntitiesDescriptor" type="md:EntitiesDescriptorType"/>
+    <complexType name="EntitiesDescriptorType">
+        <sequence>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="md:Extensions" minOccurs="0"/>
+            <choice minOccurs="1" maxOccurs="unbounded">
+                <element ref="md:EntityDescriptor"/>
+                <element ref="md:EntitiesDescriptor"/>
+            </choice>
+        </sequence>
+        <attribute name="validUntil" type="dateTime" use="optional"/>
+        <attribute name="cacheDuration" type="duration" use="optional"/>
+        <attribute name="ID" type="ID" use="optional"/>
+        <attribute name="Name" type="string" use="optional"/>
+    </complexType>
+    <element name="EntityDescriptor" type="md:EntityDescriptorType"/>
+    <complexType name="EntityDescriptorType">
+        <sequence>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="md:Extensions" minOccurs="0"/>
+            <choice>
+                <choice maxOccurs="unbounded">
+                    <element ref="md:RoleDescriptor"/>
+                    <element ref="md:IDPSSODescriptor"/>
+                    <element ref="md:SPSSODescriptor"/>
+                    <element ref="md:AuthnAuthorityDescriptor"/>
+                    <element ref="md:AttributeAuthorityDescriptor"/>
+                    <element ref="md:PDPDescriptor"/>
+                </choice>
+                <element ref="md:AffiliationDescriptor"/>
+            </choice>
+            <element ref="md:Organization" minOccurs="0"/>
+            <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+            <element ref="md:AdditionalMetadataLocation" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="entityID" type="md:entityIDType" use="required"/>
+        <attribute name="validUntil" type="dateTime" use="optional"/>
+        <attribute name="cacheDuration" type="duration" use="optional"/>
+        <attribute name="ID" type="ID" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <element name="Organization" type="md:OrganizationType"/>
+    <complexType name="OrganizationType">
+        <sequence>
+            <element ref="md:Extensions" minOccurs="0"/>
+            <element ref="md:OrganizationName" maxOccurs="unbounded"/>
+            <element ref="md:OrganizationDisplayName" maxOccurs="unbounded"/>
+            <element ref="md:OrganizationURL" maxOccurs="unbounded"/>
+        </sequence>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <element name="OrganizationName" type="md:localizedNameType"/>
+    <element name="OrganizationDisplayName" type="md:localizedNameType"/>
+    <element name="OrganizationURL" type="md:localizedURIType"/>
+    <element name="ContactPerson" type="md:ContactType"/>
+    <complexType name="ContactType">
+        <sequence>
+            <element ref="md:Extensions" minOccurs="0"/>
+            <element ref="md:Company" minOccurs="0"/>
+            <element ref="md:GivenName" minOccurs="0"/>
+            <element ref="md:SurName" minOccurs="0"/>
+            <element ref="md:EmailAddress" minOccurs="0" maxOccurs="unbounded"/>
+            <element ref="md:TelephoneNumber" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="contactType" type="md:ContactTypeType" use="required"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <element name="Company" type="string"/>
+    <element name="GivenName" type="string"/>
+    <element name="SurName" type="string"/>
+    <element name="EmailAddress" type="anyURI"/>
+    <element name="TelephoneNumber" type="string"/>
+    <simpleType name="ContactTypeType">
+        <restriction base="string">
+            <enumeration value="technical"/>
+            <enumeration value="support"/>
+            <enumeration value="administrative"/>
+            <enumeration value="billing"/>
+            <enumeration value="other"/>
+        </restriction>
+    </simpleType>
+    <element name="AdditionalMetadataLocation" type="md:AdditionalMetadataLocationType"/>
+    <complexType name="AdditionalMetadataLocationType">
+        <simpleContent>
+            <extension base="anyURI">
+                <attribute name="namespace" type="anyURI" use="required"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <element name="RoleDescriptor" type="md:RoleDescriptorType"/>
+    <complexType name="RoleDescriptorType" abstract="true">
+        <sequence>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="md:Extensions" minOccurs="0"/>
+            <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+            <element ref="md:Organization" minOccurs="0"/>
+            <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="ID" type="ID" use="optional"/>
+        <attribute name="validUntil" type="dateTime" use="optional"/>
+        <attribute name="cacheDuration" type="duration" use="optional"/>
+        <attribute name="protocolSupportEnumeration" type="md:anyURIListType" use="required"/>
+        <attribute name="errorURL" type="anyURI" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <simpleType name="anyURIListType">
+        <list itemType="anyURI"/>
+    </simpleType>
+    <element name="KeyDescriptor" type="md:KeyDescriptorType"/>
+    <complexType name="KeyDescriptorType">
+        <sequence>
+            <element ref="ds:KeyInfo"/>
+            <element ref="md:EncryptionMethod" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="use" type="md:KeyTypes" use="optional"/>
+    </complexType>
+    <simpleType name="KeyTypes">
+        <restriction base="string">
+            <enumeration value="encryption"/>
+            <enumeration value="signing"/>
+        </restriction>
+    </simpleType>
+    <element name="EncryptionMethod" type="xenc:EncryptionMethodType"/>
+    <complexType name="SSODescriptorType" abstract="true">
+        <complexContent>
+            <extension base="md:RoleDescriptorType">
+                <sequence>
+                    <element ref="md:ArtifactResolutionService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:SingleLogoutService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:ManageNameIDService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="ArtifactResolutionService" type="md:IndexedEndpointType"/>
+    <element name="SingleLogoutService" type="md:EndpointType"/>
+    <element name="ManageNameIDService" type="md:EndpointType"/>
+    <element name="NameIDFormat" type="anyURI"/>
+    <element name="IDPSSODescriptor" type="md:IDPSSODescriptorType"/>
+    <complexType name="IDPSSODescriptorType">
+        <complexContent>
+            <extension base="md:SSODescriptorType">
+                <sequence>
+                    <element ref="md:SingleSignOnService" maxOccurs="unbounded"/>
+                    <element ref="md:NameIDMappingService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+                <attribute name="WantAuthnRequestsSigned" type="boolean" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="SingleSignOnService" type="md:EndpointType"/>
+    <element name="NameIDMappingService" type="md:EndpointType"/>
+    <element name="AssertionIDRequestService" type="md:EndpointType"/>
+    <element name="AttributeProfile" type="anyURI"/>
+    <element name="SPSSODescriptor" type="md:SPSSODescriptorType"/>
+    <complexType name="SPSSODescriptorType">
+        <complexContent>
+            <extension base="md:SSODescriptorType">
+                <sequence>
+                    <element ref="md:AssertionConsumerService" maxOccurs="unbounded"/>
+                    <element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:SingleLogoutService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+                <attribute name="AuthnRequestsSigned" type="boolean" use="optional"/>
+                <attribute name="WantAssertionsSigned" type="boolean" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="AssertionConsumerService" type="md:IndexedEndpointType"/>
+    <element name="AttributeConsumingService" type="md:AttributeConsumingServiceType"/>
+    <complexType name="AttributeConsumingServiceType">
+        <sequence>
+            <element ref="md:ServiceName" maxOccurs="unbounded"/>
+            <element ref="md:ServiceDescription" minOccurs="0" maxOccurs="unbounded"/>
+            <element ref="md:RequestedAttribute" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="index" type="unsignedShort" use="required"/>
+        <attribute name="isDefault" type="boolean" use="optional"/>
+    </complexType>
+    <element name="ServiceName" type="md:localizedNameType"/>
+    <element name="ServiceDescription" type="md:localizedNameType"/>
+    <element name="RequestedAttribute" type="md:RequestedAttributeType"/>
+    <complexType name="RequestedAttributeType">
+        <complexContent>
+            <extension base="saml:AttributeType">
+                <attribute name="isRequired" type="boolean" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="AuthnAuthorityDescriptor" type="md:AuthnAuthorityDescriptorType"/>
+    <complexType name="AuthnAuthorityDescriptorType">
+        <complexContent>
+            <extension base="md:RoleDescriptorType">
+                <sequence>
+                    <element ref="md:AuthnQueryService" maxOccurs="unbounded"/>
+                    <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="AuthnQueryService" type="md:EndpointType"/>
+    <element name="PDPDescriptor" type="md:PDPDescriptorType"/>
+    <complexType name="PDPDescriptorType">
+        <complexContent>
+            <extension base="md:RoleDescriptorType">
+                <sequence>
+                    <element ref="md:AuthzService" maxOccurs="unbounded"/>
+                    <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="AuthzService" type="md:EndpointType"/>
+    <element name="AttributeAuthorityDescriptor" type="md:AttributeAuthorityDescriptorType"/>
+    <complexType name="AttributeAuthorityDescriptorType">
+        <complexContent>
+            <extension base="md:RoleDescriptorType">
+                <sequence>
+                    <element ref="md:AttributeService" maxOccurs="unbounded"/>
+                    <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="AttributeService" type="md:EndpointType"/>
+    <element name="AffiliationDescriptor" type="md:AffiliationDescriptorType"/>
+    <complexType name="AffiliationDescriptorType">
+        <sequence>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="md:Extensions" minOccurs="0"/>
+            <element ref="md:AffiliateMember" maxOccurs="unbounded"/>
+            <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="affiliationOwnerID" type="md:entityIDType" use="required"/>
+        <attribute name="validUntil" type="dateTime" use="optional"/>
+        <attribute name="cacheDuration" type="duration" use="optional"/>
+        <attribute name="ID" type="ID" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <element name="AffiliateMember" type="md:entityIDType"/>
+</schema>

data/lib/schemas/{saml20protocol_schema.xsd → saml-schema-protocol-2.0.xsd} RENAMED

@@ -1,302 +1,302 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<schema
-    targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol"
-    xmlns="http://www.w3.org/2001/XMLSchema"
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
-    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-    elementFormDefault="unqualified"
-    attributeFormDefault="unqualified"
-    blockDefault="substitution"
-    version="2.0">
-    <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
-        schemaLocation="saml20assertion_schema.xsd"/>
-    <import namespace="http://www.w3.org/2000/09/xmldsig#"
-        schemaLocation="xmldsig_schema.xsd"/>
-    <annotation>
-        <documentation>
-            Document identifier: saml-schema-protocol-2.0
-            Location: http://docs.oasis-open.org/security/saml/v2.0/
-            Revision history:
-            V1.0 (November, 2002):
-              Initial Standard Schema.
-            V1.1 (September, 2003):
-              Updates within the same V1.0 namespace.
-            V2.0 (March, 2005):
-              New protocol schema based in a SAML V2.0 namespace.
-     </documentation>
-    </annotation>
-    <complexType name="RequestAbstractType" abstract="true">
-        <sequence>
-            <element ref="saml:Issuer" minOccurs="0"/>
-            <element ref="ds:Signature" minOccurs="0"/>
-            <element ref="samlp:Extensions" minOccurs="0"/>
-        </sequence>
-        <attribute name="ID" type="ID" use="required"/>
-        <attribute name="Version" type="string" use="required"/>
-        <attribute name="IssueInstant" type="dateTime" use="required"/>
-        <attribute name="Destination" type="anyURI" use="optional"/>
-    	<attribute name="Consent" type="anyURI" use="optional"/>
-    </complexType>
-    <element name="Extensions" type="samlp:ExtensionsType"/>
-    <complexType name="ExtensionsType">
-        <sequence>
-            <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
-        </sequence>
-    </complexType>
-    <complexType name="StatusResponseType">
-    	<sequence>
-            <element ref="saml:Issuer" minOccurs="0"/>
-            <element ref="ds:Signature" minOccurs="0"/>
-            <element ref="samlp:Extensions" minOccurs="0"/>
-            <element ref="samlp:Status"/>
-    	</sequence>
-    	<attribute name="ID" type="ID" use="required"/>
-    	<attribute name="InResponseTo" type="NCName" use="optional"/>
-    	<attribute name="Version" type="string" use="required"/>
-    	<attribute name="IssueInstant" type="dateTime" use="required"/>
-    	<attribute name="Destination" type="anyURI" use="optional"/>
-    	<attribute name="Consent" type="anyURI" use="optional"/>
-    </complexType>
-    <element name="Status" type="samlp:StatusType"/>
-    <complexType name="StatusType">
-        <sequence>
-            <element ref="samlp:StatusCode"/>
-            <element ref="samlp:StatusMessage" minOccurs="0"/>
-            <element ref="samlp:StatusDetail" minOccurs="0"/>
-        </sequence>
-    </complexType>
-    <element name="StatusCode" type="samlp:StatusCodeType"/>
-    <complexType name="StatusCodeType">
-        <sequence>
-            <element ref="samlp:StatusCode" minOccurs="0"/>
-        </sequence>
-        <attribute name="Value" type="anyURI" use="required"/>
-    </complexType>
-    <element name="StatusMessage" type="string"/>
-    <element name="StatusDetail" type="samlp:StatusDetailType"/>
-    <complexType name="StatusDetailType">
-        <sequence>
-            <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-        </sequence>
-    </complexType>
-    <element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/>
-    <complexType name="AssertionIDRequestType">
-    	<complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <element ref="saml:AssertionIDRef" maxOccurs="unbounded"/>
-                </sequence>
-            </extension>
-    	</complexContent>
-    </complexType>
-    <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
-    <complexType name="SubjectQueryAbstractType" abstract="true">
-    	<complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <element ref="saml:Subject"/>
-                </sequence>
-            </extension>
-    	</complexContent>
-    </complexType>
-    <element name="AuthnQuery" type="samlp:AuthnQueryType"/>
-    <complexType name="AuthnQueryType">
-        <complexContent>
-            <extension base="samlp:SubjectQueryAbstractType">
-                <sequence>
-                    <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
-                </sequence>
-                <attribute name="SessionIndex" type="string" use="optional"/>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/>
-    <complexType name="RequestedAuthnContextType">
-        <choice>
-            <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/>
-            <element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/>
-        </choice>
-        <attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/>
-    </complexType>
-    <simpleType name="AuthnContextComparisonType">
-        <restriction base="string">
-            <enumeration value="exact"/>
-            <enumeration value="minimum"/>
-            <enumeration value="maximum"/>
-            <enumeration value="better"/>
-        </restriction>
-    </simpleType>
-    <element name="AttributeQuery" type="samlp:AttributeQueryType"/>
-    <complexType name="AttributeQueryType">
-        <complexContent>
-            <extension base="samlp:SubjectQueryAbstractType">
-                <sequence>
-                    <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
-                </sequence>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/>
-    <complexType name="AuthzDecisionQueryType">
-        <complexContent>
-            <extension base="samlp:SubjectQueryAbstractType">
-                <sequence>
-                    <element ref="saml:Action" maxOccurs="unbounded"/>
-                    <element ref="saml:Evidence" minOccurs="0"/>
-                </sequence>
-                <attribute name="Resource" type="anyURI" use="required"/>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="AuthnRequest" type="samlp:AuthnRequestType"/>
-    <complexType name="AuthnRequestType">
-        <complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <element ref="saml:Subject" minOccurs="0"/>
-                    <element ref="samlp:NameIDPolicy" minOccurs="0"/>
-                    <element ref="saml:Conditions" minOccurs="0"/>
-                    <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
-                    <element ref="samlp:Scoping" minOccurs="0"/>
-                </sequence>
-                <attribute name="ForceAuthn" type="boolean" use="optional"/>
-                <attribute name="IsPassive" type="boolean" use="optional"/>
-                <attribute name="ProtocolBinding" type="anyURI" use="optional"/>
-                <attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/>
-                <attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/>
-                <attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/>
-                <attribute name="ProviderName" type="string" use="optional"/>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="NameIDPolicy" type="samlp:NameIDPolicyType"/>
-    <complexType name="NameIDPolicyType">
-        <attribute name="Format" type="anyURI" use="optional"/>
-        <attribute name="SPNameQualifier" type="string" use="optional"/>
-        <attribute name="AllowCreate" type="boolean" use="optional"/>
-    </complexType>
-    <element name="Scoping" type="samlp:ScopingType"/>
-    <complexType name="ScopingType">
-        <sequence>
-            <element ref="samlp:IDPList" minOccurs="0"/>
-            <element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/>
-        </sequence>
-        <attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/>
-    </complexType>
-    <element name="RequesterID" type="anyURI"/>
-    <element name="IDPList" type="samlp:IDPListType"/>
-    <complexType name="IDPListType">
-        <sequence>
-            <element ref="samlp:IDPEntry" maxOccurs="unbounded"/>
-            <element ref="samlp:GetComplete" minOccurs="0"/>
-        </sequence>
-    </complexType>
-    <element name="IDPEntry" type="samlp:IDPEntryType"/>
-    <complexType name="IDPEntryType">
-        <attribute name="ProviderID" type="anyURI" use="required"/>
-        <attribute name="Name" type="string" use="optional"/>
-        <attribute name="Loc" type="anyURI" use="optional"/>
-    </complexType>
-    <element name="GetComplete" type="anyURI"/>
-    <element name="Response" type="samlp:ResponseType"/>
-    <complexType name="ResponseType">
-    	<complexContent>
-            <extension base="samlp:StatusResponseType">
-                <choice minOccurs="0" maxOccurs="unbounded">
-                    <element ref="saml:Assertion"/>
-                    <element ref="saml:EncryptedAssertion"/>
-                </choice>
-            </extension>
-    	</complexContent>
-    </complexType>
-    <element name="ArtifactResolve" type="samlp:ArtifactResolveType"/>
-    <complexType name="ArtifactResolveType">
-    	<complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <element ref="samlp:Artifact"/>
-                </sequence>
-            </extension>
-    	</complexContent>
-    </complexType>
-    <element name="Artifact" type="string"/>
-    <element name="ArtifactResponse" type="samlp:ArtifactResponseType"/>
-    <complexType name="ArtifactResponseType">
-    	<complexContent>
-            <extension base="samlp:StatusResponseType">
-                <sequence>
-                    <any namespace="##any" processContents="lax" minOccurs="0"/>
-                </sequence>
-            </extension>
-    	</complexContent>
-    </complexType>
-    <element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/>
-    <complexType name="ManageNameIDRequestType">
-    	<complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <choice>
-                        <element ref="saml:NameID"/>
-                        <element ref="saml:EncryptedID"/>
-                    </choice>
-                    <choice>
-                        <element ref="samlp:NewID"/>
-                        <element ref="samlp:NewEncryptedID"/>
-                        <element ref="samlp:Terminate"/>
-                    </choice>
-                </sequence>
-            </extension>
-    	</complexContent>
-    </complexType>
-    <element name="NewID" type="string"/>
-    <element name="NewEncryptedID" type="saml:EncryptedElementType"/>
-    <element name="Terminate" type="samlp:TerminateType"/>
-    <complexType name="TerminateType"/>
-    <element name="ManageNameIDResponse" type="samlp:StatusResponseType"/>
-    <element name="LogoutRequest" type="samlp:LogoutRequestType"/>
-    <complexType name="LogoutRequestType">
-        <complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <choice>
-                        <element ref="saml:BaseID"/>
-                        <element ref="saml:NameID"/>
-                        <element ref="saml:EncryptedID"/>
-                    </choice>
-                    <element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/>
-                </sequence>
-                <attribute name="Reason" type="string" use="optional"/>
-                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="SessionIndex" type="string"/>
-    <element name="LogoutResponse" type="samlp:StatusResponseType"/>
-    <element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/>
-    <complexType name="NameIDMappingRequestType">
-        <complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <choice>
-                        <element ref="saml:BaseID"/>
-                        <element ref="saml:NameID"/>
-                        <element ref="saml:EncryptedID"/>
-                    </choice>
-                    <element ref="samlp:NameIDPolicy"/>
-                </sequence>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/>
-    <complexType name="NameIDMappingResponseType">
-        <complexContent>
-            <extension base="samlp:StatusResponseType">
-                <choice>
-                    <element ref="saml:NameID"/>
-                    <element ref="saml:EncryptedID"/>
-                </choice>
-            </extension>
-        </complexContent>
-    </complexType>
-</schema>
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+    targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol"
+    xmlns="http://www.w3.org/2001/XMLSchema"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    blockDefault="substitution"
+    version="2.0">
+    <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+        schemaLocation="saml-schema-assertion-2.0.xsd"/>
+    <import namespace="http://www.w3.org/2000/09/xmldsig#"
+        schemaLocation="xmldsig-core-schema.xsd"/>
+    <annotation>
+        <documentation>
+            Document identifier: saml-schema-protocol-2.0
+            Location: http://docs.oasis-open.org/security/saml/v2.0/
+            Revision history:
+            V1.0 (November, 2002):
+              Initial Standard Schema.
+            V1.1 (September, 2003):
+              Updates within the same V1.0 namespace.
+            V2.0 (March, 2005):
+              New protocol schema based in a SAML V2.0 namespace.
+     </documentation>
+    </annotation>
+    <complexType name="RequestAbstractType" abstract="true">
+        <sequence>
+            <element ref="saml:Issuer" minOccurs="0"/>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="samlp:Extensions" minOccurs="0"/>
+        </sequence>
+        <attribute name="ID" type="ID" use="required"/>
+        <attribute name="Version" type="string" use="required"/>
+        <attribute name="IssueInstant" type="dateTime" use="required"/>
+        <attribute name="Destination" type="anyURI" use="optional"/>
+    	<attribute name="Consent" type="anyURI" use="optional"/>
+    </complexType>
+    <element name="Extensions" type="samlp:ExtensionsType"/>
+    <complexType name="ExtensionsType">
+        <sequence>
+            <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <complexType name="StatusResponseType">
+    	<sequence>
+            <element ref="saml:Issuer" minOccurs="0"/>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="samlp:Extensions" minOccurs="0"/>
+            <element ref="samlp:Status"/>
+    	</sequence>
+    	<attribute name="ID" type="ID" use="required"/>
+    	<attribute name="InResponseTo" type="NCName" use="optional"/>
+    	<attribute name="Version" type="string" use="required"/>
+    	<attribute name="IssueInstant" type="dateTime" use="required"/>
+    	<attribute name="Destination" type="anyURI" use="optional"/>
+    	<attribute name="Consent" type="anyURI" use="optional"/>
+    </complexType>
+    <element name="Status" type="samlp:StatusType"/>
+    <complexType name="StatusType">
+        <sequence>
+            <element ref="samlp:StatusCode"/>
+            <element ref="samlp:StatusMessage" minOccurs="0"/>
+            <element ref="samlp:StatusDetail" minOccurs="0"/>
+        </sequence>
+    </complexType>
+    <element name="StatusCode" type="samlp:StatusCodeType"/>
+    <complexType name="StatusCodeType">
+        <sequence>
+            <element ref="samlp:StatusCode" minOccurs="0"/>
+        </sequence>
+        <attribute name="Value" type="anyURI" use="required"/>
+    </complexType>
+    <element name="StatusMessage" type="string"/>
+    <element name="StatusDetail" type="samlp:StatusDetailType"/>
+    <complexType name="StatusDetailType">
+        <sequence>
+            <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/>
+    <complexType name="AssertionIDRequestType">
+    	<complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <element ref="saml:AssertionIDRef" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+    	</complexContent>
+    </complexType>
+    <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
+    <complexType name="SubjectQueryAbstractType" abstract="true">
+    	<complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <element ref="saml:Subject"/>
+                </sequence>
+            </extension>
+    	</complexContent>
+    </complexType>
+    <element name="AuthnQuery" type="samlp:AuthnQueryType"/>
+    <complexType name="AuthnQueryType">
+        <complexContent>
+            <extension base="samlp:SubjectQueryAbstractType">
+                <sequence>
+                    <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
+                </sequence>
+                <attribute name="SessionIndex" type="string" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/>
+    <complexType name="RequestedAuthnContextType">
+        <choice>
+            <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/>
+            <element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/>
+        </choice>
+        <attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/>
+    </complexType>
+    <simpleType name="AuthnContextComparisonType">
+        <restriction base="string">
+            <enumeration value="exact"/>
+            <enumeration value="minimum"/>
+            <enumeration value="maximum"/>
+            <enumeration value="better"/>
+        </restriction>
+    </simpleType>
+    <element name="AttributeQuery" type="samlp:AttributeQueryType"/>
+    <complexType name="AttributeQueryType">
+        <complexContent>
+            <extension base="samlp:SubjectQueryAbstractType">
+                <sequence>
+                    <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/>
+    <complexType name="AuthzDecisionQueryType">
+        <complexContent>
+            <extension base="samlp:SubjectQueryAbstractType">
+                <sequence>
+                    <element ref="saml:Action" maxOccurs="unbounded"/>
+                    <element ref="saml:Evidence" minOccurs="0"/>
+                </sequence>
+                <attribute name="Resource" type="anyURI" use="required"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="AuthnRequest" type="samlp:AuthnRequestType"/>
+    <complexType name="AuthnRequestType">
+        <complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <element ref="saml:Subject" minOccurs="0"/>
+                    <element ref="samlp:NameIDPolicy" minOccurs="0"/>
+                    <element ref="saml:Conditions" minOccurs="0"/>
+                    <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
+                    <element ref="samlp:Scoping" minOccurs="0"/>
+                </sequence>
+                <attribute name="ForceAuthn" type="boolean" use="optional"/>
+                <attribute name="IsPassive" type="boolean" use="optional"/>
+                <attribute name="ProtocolBinding" type="anyURI" use="optional"/>
+                <attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/>
+                <attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/>
+                <attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/>
+                <attribute name="ProviderName" type="string" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="NameIDPolicy" type="samlp:NameIDPolicyType"/>
+    <complexType name="NameIDPolicyType">
+        <attribute name="Format" type="anyURI" use="optional"/>
+        <attribute name="SPNameQualifier" type="string" use="optional"/>
+        <attribute name="AllowCreate" type="boolean" use="optional"/>
+    </complexType>
+    <element name="Scoping" type="samlp:ScopingType"/>
+    <complexType name="ScopingType">
+        <sequence>
+            <element ref="samlp:IDPList" minOccurs="0"/>
+            <element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/>
+    </complexType>
+    <element name="RequesterID" type="anyURI"/>
+    <element name="IDPList" type="samlp:IDPListType"/>
+    <complexType name="IDPListType">
+        <sequence>
+            <element ref="samlp:IDPEntry" maxOccurs="unbounded"/>
+            <element ref="samlp:GetComplete" minOccurs="0"/>
+        </sequence>
+    </complexType>
+    <element name="IDPEntry" type="samlp:IDPEntryType"/>
+    <complexType name="IDPEntryType">
+        <attribute name="ProviderID" type="anyURI" use="required"/>
+        <attribute name="Name" type="string" use="optional"/>
+        <attribute name="Loc" type="anyURI" use="optional"/>
+    </complexType>
+    <element name="GetComplete" type="anyURI"/>
+    <element name="Response" type="samlp:ResponseType"/>
+    <complexType name="ResponseType">
+    	<complexContent>
+            <extension base="samlp:StatusResponseType">
+                <choice minOccurs="0" maxOccurs="unbounded">
+                    <element ref="saml:Assertion"/>
+                    <element ref="saml:EncryptedAssertion"/>
+                </choice>
+            </extension>
+    	</complexContent>
+    </complexType>
+    <element name="ArtifactResolve" type="samlp:ArtifactResolveType"/>
+    <complexType name="ArtifactResolveType">
+    	<complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <element ref="samlp:Artifact"/>
+                </sequence>
+            </extension>
+    	</complexContent>
+    </complexType>
+    <element name="Artifact" type="string"/>
+    <element name="ArtifactResponse" type="samlp:ArtifactResponseType"/>
+    <complexType name="ArtifactResponseType">
+    	<complexContent>
+            <extension base="samlp:StatusResponseType">
+                <sequence>
+                    <any namespace="##any" processContents="lax" minOccurs="0"/>
+                </sequence>
+            </extension>
+    	</complexContent>
+    </complexType>
+    <element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/>
+    <complexType name="ManageNameIDRequestType">
+    	<complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <choice>
+                        <element ref="saml:NameID"/>
+                        <element ref="saml:EncryptedID"/>
+                    </choice>
+                    <choice>
+                        <element ref="samlp:NewID"/>
+                        <element ref="samlp:NewEncryptedID"/>
+                        <element ref="samlp:Terminate"/>
+                    </choice>
+                </sequence>
+            </extension>
+    	</complexContent>
+    </complexType>
+    <element name="NewID" type="string"/>
+    <element name="NewEncryptedID" type="saml:EncryptedElementType"/>
+    <element name="Terminate" type="samlp:TerminateType"/>
+    <complexType name="TerminateType"/>
+    <element name="ManageNameIDResponse" type="samlp:StatusResponseType"/>
+    <element name="LogoutRequest" type="samlp:LogoutRequestType"/>
+    <complexType name="LogoutRequestType">
+        <complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <choice>
+                        <element ref="saml:BaseID"/>
+                        <element ref="saml:NameID"/>
+                        <element ref="saml:EncryptedID"/>
+                    </choice>
+                    <element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+                <attribute name="Reason" type="string" use="optional"/>
+                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="SessionIndex" type="string"/>
+    <element name="LogoutResponse" type="samlp:StatusResponseType"/>
+    <element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/>
+    <complexType name="NameIDMappingRequestType">
+        <complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <choice>
+                        <element ref="saml:BaseID"/>
+                        <element ref="saml:NameID"/>
+                        <element ref="saml:EncryptedID"/>
+                    </choice>
+                    <element ref="samlp:NameIDPolicy"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/>
+    <complexType name="NameIDMappingResponseType">
+        <complexContent>
+            <extension base="samlp:StatusResponseType">
+                <choice>
+                    <element ref="saml:NameID"/>
+                    <element ref="saml:EncryptedID"/>
+                </choice>
+            </extension>
+        </complexContent>
+    </complexType>
+</schema>