RubyGems - ruby-saml - Versions diffs - 0.8.18 → 0.9 - Mend

ruby-saml 0.8.18 → 0.9

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (90) hide show

checksums.yaml +4 -4
data/.gitignore +1 -0
data/.travis.yml +1 -6
data/Gemfile +2 -12
data/README.md +363 -35
data/Rakefile +14 -0
data/changelog.md +22 -9
data/lib/onelogin/ruby-saml/attribute_service.rb +34 -0
data/lib/onelogin/ruby-saml/attributes.rb +26 -64
data/lib/onelogin/ruby-saml/authrequest.rb +47 -93
data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +87 -0
data/lib/onelogin/ruby-saml/logoutrequest.rb +36 -100
data/lib/onelogin/ruby-saml/logoutresponse.rb +25 -35
data/lib/onelogin/ruby-saml/metadata.rb +46 -16
data/lib/onelogin/ruby-saml/response.rb +63 -373
data/lib/onelogin/ruby-saml/saml_message.rb +78 -0
data/lib/onelogin/ruby-saml/settings.rb +54 -122
data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +25 -71
data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +37 -102
data/lib/onelogin/ruby-saml/utils.rb +32 -199
data/lib/onelogin/ruby-saml/version.rb +1 -1
data/lib/ruby-saml.rb +5 -2
data/lib/schemas/{saml20assertion_schema.xsd → saml-schema-assertion-2.0.xsd} +283 -283
data/lib/schemas/saml-schema-authn-context-2.0.xsd +23 -0
data/lib/schemas/saml-schema-authn-context-types-2.0.xsd +821 -0
data/lib/schemas/saml-schema-metadata-2.0.xsd +339 -0
data/lib/schemas/{saml20protocol_schema.xsd → saml-schema-protocol-2.0.xsd} +302 -302
data/lib/schemas/sstc-metadata-attr.xsd +35 -0
data/lib/schemas/sstc-saml-attribute-ext.xsd +25 -0
data/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd +41 -0
data/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd +89 -0
data/lib/schemas/{xenc_schema.xsd → xenc-schema.xsd} +1 -11
data/lib/schemas/xml.xsd +287 -0
data/lib/schemas/{xmldsig_schema.xsd → xmldsig-core-schema.xsd} +0 -9
data/lib/xml_security.rb +83 -235
data/ruby-saml.gemspec +1 -0
data/test/idp_metadata_parser_test.rb +54 -0
data/test/logoutrequest_test.rb +68 -155
data/test/logoutresponse_test.rb +43 -32
data/test/metadata_test.rb +87 -0
data/test/request_test.rb +102 -99
data/test/response_test.rb +181 -495
data/test/responses/idp_descriptor.xml +3 -0
data/test/responses/logoutresponse_fixtures.rb +7 -8
data/test/responses/response_no_cert_and_encrypted_attrs.xml +29 -0
data/test/responses/response_with_multiple_attribute_values.xml +1 -1
data/test/responses/slo_request.xml +4 -0
data/test/settings_test.rb +25 -112
data/test/slo_logoutrequest_test.rb +40 -50
data/test/slo_logoutresponse_test.rb +86 -185
data/test/test_helper.rb +27 -102
data/test/xml_security_test.rb +114 -337
metadata +30 -81
data/lib/onelogin/ruby-saml/setting_error.rb +0 -6
data/test/certificates/certificate.der +0 -0
data/test/certificates/formatted_certificate +0 -14
data/test/certificates/formatted_chained_certificate +0 -42
data/test/certificates/formatted_private_key +0 -12
data/test/certificates/formatted_rsa_private_key +0 -12
data/test/certificates/invalid_certificate1 +0 -1
data/test/certificates/invalid_certificate2 +0 -1
data/test/certificates/invalid_certificate3 +0 -12
data/test/certificates/invalid_chained_certificate1 +0 -1
data/test/certificates/invalid_private_key1 +0 -1
data/test/certificates/invalid_private_key2 +0 -1
data/test/certificates/invalid_private_key3 +0 -10
data/test/certificates/invalid_rsa_private_key1 +0 -1
data/test/certificates/invalid_rsa_private_key2 +0 -1
data/test/certificates/invalid_rsa_private_key3 +0 -10
data/test/certificates/ruby-saml-2.crt +0 -15
data/test/requests/logoutrequest_fixtures.rb +0 -47
data/test/responses/encrypted_new_attack.xml.base64 +0 -1
data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +0 -1
data/test/responses/invalids/invalid_issuer_message.xml.base64 +0 -1
data/test/responses/invalids/multiple_signed.xml.base64 +0 -1
data/test/responses/invalids/no_signature.xml.base64 +0 -1
data/test/responses/invalids/response_with_concealed_signed_assertion.xml +0 -51
data/test/responses/invalids/response_with_doubled_signed_assertion.xml +0 -49
data/test/responses/invalids/signature_wrapping_attack.xml.base64 +0 -1
data/test/responses/response_node_text_attack.xml.base64 +0 -1
data/test/responses/response_with_concealed_signed_assertion.xml +0 -51
data/test/responses/response_with_doubled_signed_assertion.xml +0 -49
data/test/responses/response_with_multiple_attribute_statements.xml +0 -72
data/test/responses/response_with_signed_assertion_3.xml +0 -30
data/test/responses/response_with_signed_message_and_assertion.xml +0 -34
data/test/responses/response_with_undefined_recipient.xml.base64 +0 -1
data/test/responses/response_wrapped.xml.base64 +0 -150
data/test/responses/valid_response.xml.base64 +0 -1
data/test/responses/valid_response_without_x509certificate.xml.base64 +0 -1
data/test/utils_test.rb +0 -231

data/lib/schemas/{saml20protocol_schema.xsd → saml-schema-protocol-2.0.xsd} RENAMED Viewed

@@ -1,302 +1,302 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<schema
-    targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol"
-    xmlns="http://www.w3.org/2001/XMLSchema"
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
-    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-    elementFormDefault="unqualified"
-    attributeFormDefault="unqualified"
-    blockDefault="substitution"
-    version="2.0">
-    <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
-        schemaLocation="saml20assertion_schema.xsd"/>
-    <import namespace="http://www.w3.org/2000/09/xmldsig#"
-        schemaLocation="xmldsig_schema.xsd"/>
-    <annotation>
-        <documentation>
-            Document identifier: saml-schema-protocol-2.0
-            Location: http://docs.oasis-open.org/security/saml/v2.0/
-            Revision history:
-            V1.0 (November, 2002):
-              Initial Standard Schema.
-            V1.1 (September, 2003):
-              Updates within the same V1.0 namespace.
-            V2.0 (March, 2005):
-              New protocol schema based in a SAML V2.0 namespace.
-     </documentation>
-    </annotation>
-    <complexType name="RequestAbstractType" abstract="true">
-        <sequence>
-            <element ref="saml:Issuer" minOccurs="0"/>
-            <element ref="ds:Signature" minOccurs="0"/>
-            <element ref="samlp:Extensions" minOccurs="0"/>
-        </sequence>
-        <attribute name="ID" type="ID" use="required"/>
-        <attribute name="Version" type="string" use="required"/>
-        <attribute name="IssueInstant" type="dateTime" use="required"/>
-        <attribute name="Destination" type="anyURI" use="optional"/>
-    	<attribute name="Consent" type="anyURI" use="optional"/>
-    </complexType>
-    <element name="Extensions" type="samlp:ExtensionsType"/>
-    <complexType name="ExtensionsType">
-        <sequence>
-            <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
-        </sequence>
-    </complexType>
-    <complexType name="StatusResponseType">
-    	<sequence>
-            <element ref="saml:Issuer" minOccurs="0"/>
-            <element ref="ds:Signature" minOccurs="0"/>
-            <element ref="samlp:Extensions" minOccurs="0"/>
-            <element ref="samlp:Status"/>
-    	</sequence>
-    	<attribute name="ID" type="ID" use="required"/>
-    	<attribute name="InResponseTo" type="NCName" use="optional"/>
-    	<attribute name="Version" type="string" use="required"/>
-    	<attribute name="IssueInstant" type="dateTime" use="required"/>
-    	<attribute name="Destination" type="anyURI" use="optional"/>
-    	<attribute name="Consent" type="anyURI" use="optional"/>
-    </complexType>
-    <element name="Status" type="samlp:StatusType"/>
-    <complexType name="StatusType">
-        <sequence>
-            <element ref="samlp:StatusCode"/>
-            <element ref="samlp:StatusMessage" minOccurs="0"/>
-            <element ref="samlp:StatusDetail" minOccurs="0"/>
-        </sequence>
-    </complexType>
-    <element name="StatusCode" type="samlp:StatusCodeType"/>
-    <complexType name="StatusCodeType">
-        <sequence>
-            <element ref="samlp:StatusCode" minOccurs="0"/>
-        </sequence>
-        <attribute name="Value" type="anyURI" use="required"/>
-    </complexType>
-    <element name="StatusMessage" type="string"/>
-    <element name="StatusDetail" type="samlp:StatusDetailType"/>
-    <complexType name="StatusDetailType">
-        <sequence>
-            <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-        </sequence>
-    </complexType>
-    <element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/>
-    <complexType name="AssertionIDRequestType">
-    	<complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <element ref="saml:AssertionIDRef" maxOccurs="unbounded"/>
-                </sequence>
-            </extension>
-    	</complexContent>
-    </complexType>
-    <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
-    <complexType name="SubjectQueryAbstractType" abstract="true">
-    	<complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <element ref="saml:Subject"/>
-                </sequence>
-            </extension>
-    	</complexContent>
-    </complexType>
-    <element name="AuthnQuery" type="samlp:AuthnQueryType"/>
-    <complexType name="AuthnQueryType">
-        <complexContent>
-            <extension base="samlp:SubjectQueryAbstractType">
-                <sequence>
-                    <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
-                </sequence>
-                <attribute name="SessionIndex" type="string" use="optional"/>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/>
-    <complexType name="RequestedAuthnContextType">
-        <choice>
-            <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/>
-            <element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/>
-        </choice>
-        <attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/>
-    </complexType>
-    <simpleType name="AuthnContextComparisonType">
-        <restriction base="string">
-            <enumeration value="exact"/>
-            <enumeration value="minimum"/>
-            <enumeration value="maximum"/>
-            <enumeration value="better"/>
-        </restriction>
-    </simpleType>
-    <element name="AttributeQuery" type="samlp:AttributeQueryType"/>
-    <complexType name="AttributeQueryType">
-        <complexContent>
-            <extension base="samlp:SubjectQueryAbstractType">
-                <sequence>
-                    <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
-                </sequence>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/>
-    <complexType name="AuthzDecisionQueryType">
-        <complexContent>
-            <extension base="samlp:SubjectQueryAbstractType">
-                <sequence>
-                    <element ref="saml:Action" maxOccurs="unbounded"/>
-                    <element ref="saml:Evidence" minOccurs="0"/>
-                </sequence>
-                <attribute name="Resource" type="anyURI" use="required"/>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="AuthnRequest" type="samlp:AuthnRequestType"/>
-    <complexType name="AuthnRequestType">
-        <complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <element ref="saml:Subject" minOccurs="0"/>
-                    <element ref="samlp:NameIDPolicy" minOccurs="0"/>
-                    <element ref="saml:Conditions" minOccurs="0"/>
-                    <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
-                    <element ref="samlp:Scoping" minOccurs="0"/>
-                </sequence>
-                <attribute name="ForceAuthn" type="boolean" use="optional"/>
-                <attribute name="IsPassive" type="boolean" use="optional"/>
-                <attribute name="ProtocolBinding" type="anyURI" use="optional"/>
-                <attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/>
-                <attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/>
-                <attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/>
-                <attribute name="ProviderName" type="string" use="optional"/>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="NameIDPolicy" type="samlp:NameIDPolicyType"/>
-    <complexType name="NameIDPolicyType">
-        <attribute name="Format" type="anyURI" use="optional"/>
-        <attribute name="SPNameQualifier" type="string" use="optional"/>
-        <attribute name="AllowCreate" type="boolean" use="optional"/>
-    </complexType>
-    <element name="Scoping" type="samlp:ScopingType"/>
-    <complexType name="ScopingType">
-        <sequence>
-            <element ref="samlp:IDPList" minOccurs="0"/>
-            <element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/>
-        </sequence>
-        <attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/>
-    </complexType>
-    <element name="RequesterID" type="anyURI"/>
-    <element name="IDPList" type="samlp:IDPListType"/>
-    <complexType name="IDPListType">
-        <sequence>
-            <element ref="samlp:IDPEntry" maxOccurs="unbounded"/>
-            <element ref="samlp:GetComplete" minOccurs="0"/>
-        </sequence>
-    </complexType>
-    <element name="IDPEntry" type="samlp:IDPEntryType"/>
-    <complexType name="IDPEntryType">
-        <attribute name="ProviderID" type="anyURI" use="required"/>
-        <attribute name="Name" type="string" use="optional"/>
-        <attribute name="Loc" type="anyURI" use="optional"/>
-    </complexType>
-    <element name="GetComplete" type="anyURI"/>
-    <element name="Response" type="samlp:ResponseType"/>
-    <complexType name="ResponseType">
-    	<complexContent>
-            <extension base="samlp:StatusResponseType">
-                <choice minOccurs="0" maxOccurs="unbounded">
-                    <element ref="saml:Assertion"/>
-                    <element ref="saml:EncryptedAssertion"/>
-                </choice>
-            </extension>
-    	</complexContent>
-    </complexType>
-    <element name="ArtifactResolve" type="samlp:ArtifactResolveType"/>
-    <complexType name="ArtifactResolveType">
-    	<complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <element ref="samlp:Artifact"/>
-                </sequence>
-            </extension>
-    	</complexContent>
-    </complexType>
-    <element name="Artifact" type="string"/>
-    <element name="ArtifactResponse" type="samlp:ArtifactResponseType"/>
-    <complexType name="ArtifactResponseType">
-    	<complexContent>
-            <extension base="samlp:StatusResponseType">
-                <sequence>
-                    <any namespace="##any" processContents="lax" minOccurs="0"/>
-                </sequence>
-            </extension>
-    	</complexContent>
-    </complexType>
-    <element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/>
-    <complexType name="ManageNameIDRequestType">
-    	<complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <choice>
-                        <element ref="saml:NameID"/>
-                        <element ref="saml:EncryptedID"/>
-                    </choice>
-                    <choice>
-                        <element ref="samlp:NewID"/>
-                        <element ref="samlp:NewEncryptedID"/>
-                        <element ref="samlp:Terminate"/>
-                    </choice>
-                </sequence>
-            </extension>
-    	</complexContent>
-    </complexType>
-    <element name="NewID" type="string"/>
-    <element name="NewEncryptedID" type="saml:EncryptedElementType"/>
-    <element name="Terminate" type="samlp:TerminateType"/>
-    <complexType name="TerminateType"/>
-    <element name="ManageNameIDResponse" type="samlp:StatusResponseType"/>
-    <element name="LogoutRequest" type="samlp:LogoutRequestType"/>
-    <complexType name="LogoutRequestType">
-        <complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <choice>
-                        <element ref="saml:BaseID"/>
-                        <element ref="saml:NameID"/>
-                        <element ref="saml:EncryptedID"/>
-                    </choice>
-                    <element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/>
-                </sequence>
-                <attribute name="Reason" type="string" use="optional"/>
-                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="SessionIndex" type="string"/>
-    <element name="LogoutResponse" type="samlp:StatusResponseType"/>
-    <element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/>
-    <complexType name="NameIDMappingRequestType">
-        <complexContent>
-            <extension base="samlp:RequestAbstractType">
-                <sequence>
-                    <choice>
-                        <element ref="saml:BaseID"/>
-                        <element ref="saml:NameID"/>
-                        <element ref="saml:EncryptedID"/>
-                    </choice>
-                    <element ref="samlp:NameIDPolicy"/>
-                </sequence>
-            </extension>
-        </complexContent>
-    </complexType>
-    <element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/>
-    <complexType name="NameIDMappingResponseType">
-        <complexContent>
-            <extension base="samlp:StatusResponseType">
-                <choice>
-                    <element ref="saml:NameID"/>
-                    <element ref="saml:EncryptedID"/>
-                </choice>
-            </extension>
-        </complexContent>
-    </complexType>
-</schema>
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+    targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol"
+    xmlns="http://www.w3.org/2001/XMLSchema"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    blockDefault="substitution"
+    version="2.0">
+    <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+        schemaLocation="saml-schema-assertion-2.0.xsd"/>
+    <import namespace="http://www.w3.org/2000/09/xmldsig#"
+        schemaLocation="xmldsig-core-schema.xsd"/>
+    <annotation>
+        <documentation>
+            Document identifier: saml-schema-protocol-2.0
+            Location: http://docs.oasis-open.org/security/saml/v2.0/
+            Revision history:
+            V1.0 (November, 2002):
+              Initial Standard Schema.
+            V1.1 (September, 2003):
+              Updates within the same V1.0 namespace.
+            V2.0 (March, 2005):
+              New protocol schema based in a SAML V2.0 namespace.
+     </documentation>
+    </annotation>
+    <complexType name="RequestAbstractType" abstract="true">
+        <sequence>
+            <element ref="saml:Issuer" minOccurs="0"/>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="samlp:Extensions" minOccurs="0"/>
+        </sequence>
+        <attribute name="ID" type="ID" use="required"/>
+        <attribute name="Version" type="string" use="required"/>
+        <attribute name="IssueInstant" type="dateTime" use="required"/>
+        <attribute name="Destination" type="anyURI" use="optional"/>
+    	<attribute name="Consent" type="anyURI" use="optional"/>
+    </complexType>
+    <element name="Extensions" type="samlp:ExtensionsType"/>
+    <complexType name="ExtensionsType">
+        <sequence>
+            <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <complexType name="StatusResponseType">
+    	<sequence>
+            <element ref="saml:Issuer" minOccurs="0"/>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="samlp:Extensions" minOccurs="0"/>
+            <element ref="samlp:Status"/>
+    	</sequence>
+    	<attribute name="ID" type="ID" use="required"/>
+    	<attribute name="InResponseTo" type="NCName" use="optional"/>
+    	<attribute name="Version" type="string" use="required"/>
+    	<attribute name="IssueInstant" type="dateTime" use="required"/>
+    	<attribute name="Destination" type="anyURI" use="optional"/>
+    	<attribute name="Consent" type="anyURI" use="optional"/>
+    </complexType>
+    <element name="Status" type="samlp:StatusType"/>
+    <complexType name="StatusType">
+        <sequence>
+            <element ref="samlp:StatusCode"/>
+            <element ref="samlp:StatusMessage" minOccurs="0"/>
+            <element ref="samlp:StatusDetail" minOccurs="0"/>
+        </sequence>
+    </complexType>
+    <element name="StatusCode" type="samlp:StatusCodeType"/>
+    <complexType name="StatusCodeType">
+        <sequence>
+            <element ref="samlp:StatusCode" minOccurs="0"/>
+        </sequence>
+        <attribute name="Value" type="anyURI" use="required"/>
+    </complexType>
+    <element name="StatusMessage" type="string"/>
+    <element name="StatusDetail" type="samlp:StatusDetailType"/>
+    <complexType name="StatusDetailType">
+        <sequence>
+            <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/>
+    <complexType name="AssertionIDRequestType">
+    	<complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <element ref="saml:AssertionIDRef" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+    	</complexContent>
+    </complexType>
+    <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
+    <complexType name="SubjectQueryAbstractType" abstract="true">
+    	<complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <element ref="saml:Subject"/>
+                </sequence>
+            </extension>
+    	</complexContent>
+    </complexType>
+    <element name="AuthnQuery" type="samlp:AuthnQueryType"/>
+    <complexType name="AuthnQueryType">
+        <complexContent>
+            <extension base="samlp:SubjectQueryAbstractType">
+                <sequence>
+                    <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
+                </sequence>
+                <attribute name="SessionIndex" type="string" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/>
+    <complexType name="RequestedAuthnContextType">
+        <choice>
+            <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/>
+            <element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/>
+        </choice>
+        <attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/>
+    </complexType>
+    <simpleType name="AuthnContextComparisonType">
+        <restriction base="string">
+            <enumeration value="exact"/>
+            <enumeration value="minimum"/>
+            <enumeration value="maximum"/>
+            <enumeration value="better"/>
+        </restriction>
+    </simpleType>
+    <element name="AttributeQuery" type="samlp:AttributeQueryType"/>
+    <complexType name="AttributeQueryType">
+        <complexContent>
+            <extension base="samlp:SubjectQueryAbstractType">
+                <sequence>
+                    <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/>
+    <complexType name="AuthzDecisionQueryType">
+        <complexContent>
+            <extension base="samlp:SubjectQueryAbstractType">
+                <sequence>
+                    <element ref="saml:Action" maxOccurs="unbounded"/>
+                    <element ref="saml:Evidence" minOccurs="0"/>
+                </sequence>
+                <attribute name="Resource" type="anyURI" use="required"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="AuthnRequest" type="samlp:AuthnRequestType"/>
+    <complexType name="AuthnRequestType">
+        <complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <element ref="saml:Subject" minOccurs="0"/>
+                    <element ref="samlp:NameIDPolicy" minOccurs="0"/>
+                    <element ref="saml:Conditions" minOccurs="0"/>
+                    <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
+                    <element ref="samlp:Scoping" minOccurs="0"/>
+                </sequence>
+                <attribute name="ForceAuthn" type="boolean" use="optional"/>
+                <attribute name="IsPassive" type="boolean" use="optional"/>
+                <attribute name="ProtocolBinding" type="anyURI" use="optional"/>
+                <attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/>
+                <attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/>
+                <attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/>
+                <attribute name="ProviderName" type="string" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="NameIDPolicy" type="samlp:NameIDPolicyType"/>
+    <complexType name="NameIDPolicyType">
+        <attribute name="Format" type="anyURI" use="optional"/>
+        <attribute name="SPNameQualifier" type="string" use="optional"/>
+        <attribute name="AllowCreate" type="boolean" use="optional"/>
+    </complexType>
+    <element name="Scoping" type="samlp:ScopingType"/>
+    <complexType name="ScopingType">
+        <sequence>
+            <element ref="samlp:IDPList" minOccurs="0"/>
+            <element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/>
+    </complexType>
+    <element name="RequesterID" type="anyURI"/>
+    <element name="IDPList" type="samlp:IDPListType"/>
+    <complexType name="IDPListType">
+        <sequence>
+            <element ref="samlp:IDPEntry" maxOccurs="unbounded"/>
+            <element ref="samlp:GetComplete" minOccurs="0"/>
+        </sequence>
+    </complexType>
+    <element name="IDPEntry" type="samlp:IDPEntryType"/>
+    <complexType name="IDPEntryType">
+        <attribute name="ProviderID" type="anyURI" use="required"/>
+        <attribute name="Name" type="string" use="optional"/>
+        <attribute name="Loc" type="anyURI" use="optional"/>
+    </complexType>
+    <element name="GetComplete" type="anyURI"/>
+    <element name="Response" type="samlp:ResponseType"/>
+    <complexType name="ResponseType">
+    	<complexContent>
+            <extension base="samlp:StatusResponseType">
+                <choice minOccurs="0" maxOccurs="unbounded">
+                    <element ref="saml:Assertion"/>
+                    <element ref="saml:EncryptedAssertion"/>
+                </choice>
+            </extension>
+    	</complexContent>
+    </complexType>
+    <element name="ArtifactResolve" type="samlp:ArtifactResolveType"/>
+    <complexType name="ArtifactResolveType">
+    	<complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <element ref="samlp:Artifact"/>
+                </sequence>
+            </extension>
+    	</complexContent>
+    </complexType>
+    <element name="Artifact" type="string"/>
+    <element name="ArtifactResponse" type="samlp:ArtifactResponseType"/>
+    <complexType name="ArtifactResponseType">
+    	<complexContent>
+            <extension base="samlp:StatusResponseType">
+                <sequence>
+                    <any namespace="##any" processContents="lax" minOccurs="0"/>
+                </sequence>
+            </extension>
+    	</complexContent>
+    </complexType>
+    <element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/>
+    <complexType name="ManageNameIDRequestType">
+    	<complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <choice>
+                        <element ref="saml:NameID"/>
+                        <element ref="saml:EncryptedID"/>
+                    </choice>
+                    <choice>
+                        <element ref="samlp:NewID"/>
+                        <element ref="samlp:NewEncryptedID"/>
+                        <element ref="samlp:Terminate"/>
+                    </choice>
+                </sequence>
+            </extension>
+    	</complexContent>
+    </complexType>
+    <element name="NewID" type="string"/>
+    <element name="NewEncryptedID" type="saml:EncryptedElementType"/>
+    <element name="Terminate" type="samlp:TerminateType"/>
+    <complexType name="TerminateType"/>
+    <element name="ManageNameIDResponse" type="samlp:StatusResponseType"/>
+    <element name="LogoutRequest" type="samlp:LogoutRequestType"/>
+    <complexType name="LogoutRequestType">
+        <complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <choice>
+                        <element ref="saml:BaseID"/>
+                        <element ref="saml:NameID"/>
+                        <element ref="saml:EncryptedID"/>
+                    </choice>
+                    <element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+                <attribute name="Reason" type="string" use="optional"/>
+                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="SessionIndex" type="string"/>
+    <element name="LogoutResponse" type="samlp:StatusResponseType"/>
+    <element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/>
+    <complexType name="NameIDMappingRequestType">
+        <complexContent>
+            <extension base="samlp:RequestAbstractType">
+                <sequence>
+                    <choice>
+                        <element ref="saml:BaseID"/>
+                        <element ref="saml:NameID"/>
+                        <element ref="saml:EncryptedID"/>
+                    </choice>
+                    <element ref="samlp:NameIDPolicy"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/>
+    <complexType name="NameIDMappingResponseType">
+        <complexContent>
+            <extension base="samlp:StatusResponseType">
+                <choice>
+                    <element ref="saml:NameID"/>
+                    <element ref="saml:EncryptedID"/>
+                </choice>
+            </extension>
+        </complexContent>
+    </complexType>
+</schema>