ruby-saml 0.8.18 → 0.9



Files changed (90) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +1 -0
  3. data/.travis.yml +1 -6
  4. data/Gemfile +2 -12
  5. data/README.md +363 -35
  6. data/Rakefile +14 -0
  7. data/changelog.md +22 -9
  8. data/lib/onelogin/ruby-saml/attribute_service.rb +34 -0
  9. data/lib/onelogin/ruby-saml/attributes.rb +26 -64
  10. data/lib/onelogin/ruby-saml/authrequest.rb +47 -93
  11. data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +87 -0
  12. data/lib/onelogin/ruby-saml/logoutrequest.rb +36 -100
  13. data/lib/onelogin/ruby-saml/logoutresponse.rb +25 -35
  14. data/lib/onelogin/ruby-saml/metadata.rb +46 -16
  15. data/lib/onelogin/ruby-saml/response.rb +63 -373
  16. data/lib/onelogin/ruby-saml/saml_message.rb +78 -0
  17. data/lib/onelogin/ruby-saml/settings.rb +54 -122
  18. data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +25 -71
  19. data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +37 -102
  20. data/lib/onelogin/ruby-saml/utils.rb +32 -199
  21. data/lib/onelogin/ruby-saml/version.rb +1 -1
  22. data/lib/ruby-saml.rb +5 -2
  23. data/lib/schemas/{saml20assertion_schema.xsd → saml-schema-assertion-2.0.xsd} +283 -283
  24. data/lib/schemas/saml-schema-authn-context-2.0.xsd +23 -0
  25. data/lib/schemas/saml-schema-authn-context-types-2.0.xsd +821 -0
  26. data/lib/schemas/saml-schema-metadata-2.0.xsd +339 -0
  27. data/lib/schemas/{saml20protocol_schema.xsd → saml-schema-protocol-2.0.xsd} +302 -302
  28. data/lib/schemas/sstc-metadata-attr.xsd +35 -0
  29. data/lib/schemas/sstc-saml-attribute-ext.xsd +25 -0
  30. data/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd +41 -0
  31. data/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd +89 -0
  32. data/lib/schemas/{xenc_schema.xsd → xenc-schema.xsd} +1 -11
  33. data/lib/schemas/xml.xsd +287 -0
  34. data/lib/schemas/{xmldsig_schema.xsd → xmldsig-core-schema.xsd} +0 -9
  35. data/lib/xml_security.rb +83 -235
  36. data/ruby-saml.gemspec +1 -0
  37. data/test/idp_metadata_parser_test.rb +54 -0
  38. data/test/logoutrequest_test.rb +68 -155
  39. data/test/logoutresponse_test.rb +43 -32
  40. data/test/metadata_test.rb +87 -0
  41. data/test/request_test.rb +102 -99
  42. data/test/response_test.rb +181 -495
  43. data/test/responses/idp_descriptor.xml +3 -0
  44. data/test/responses/logoutresponse_fixtures.rb +7 -8
  45. data/test/responses/response_no_cert_and_encrypted_attrs.xml +29 -0
  46. data/test/responses/response_with_multiple_attribute_values.xml +1 -1
  47. data/test/responses/slo_request.xml +4 -0
  48. data/test/settings_test.rb +25 -112
  49. data/test/slo_logoutrequest_test.rb +40 -50
  50. data/test/slo_logoutresponse_test.rb +86 -185
  51. data/test/test_helper.rb +27 -102
  52. data/test/xml_security_test.rb +114 -337
  53. metadata +30 -81
  54. data/lib/onelogin/ruby-saml/setting_error.rb +0 -6
  55. data/test/certificates/certificate.der +0 -0
  56. data/test/certificates/formatted_certificate +0 -14
  57. data/test/certificates/formatted_chained_certificate +0 -42
  58. data/test/certificates/formatted_private_key +0 -12
  59. data/test/certificates/formatted_rsa_private_key +0 -12
  60. data/test/certificates/invalid_certificate1 +0 -1
  61. data/test/certificates/invalid_certificate2 +0 -1
  62. data/test/certificates/invalid_certificate3 +0 -12
  63. data/test/certificates/invalid_chained_certificate1 +0 -1
  64. data/test/certificates/invalid_private_key1 +0 -1
  65. data/test/certificates/invalid_private_key2 +0 -1
  66. data/test/certificates/invalid_private_key3 +0 -10
  67. data/test/certificates/invalid_rsa_private_key1 +0 -1
  68. data/test/certificates/invalid_rsa_private_key2 +0 -1
  69. data/test/certificates/invalid_rsa_private_key3 +0 -10
  70. data/test/certificates/ruby-saml-2.crt +0 -15
  71. data/test/requests/logoutrequest_fixtures.rb +0 -47
  72. data/test/responses/encrypted_new_attack.xml.base64 +0 -1
  73. data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +0 -1
  74. data/test/responses/invalids/invalid_issuer_message.xml.base64 +0 -1
  75. data/test/responses/invalids/multiple_signed.xml.base64 +0 -1
  76. data/test/responses/invalids/no_signature.xml.base64 +0 -1
  77. data/test/responses/invalids/response_with_concealed_signed_assertion.xml +0 -51
  78. data/test/responses/invalids/response_with_doubled_signed_assertion.xml +0 -49
  79. data/test/responses/invalids/signature_wrapping_attack.xml.base64 +0 -1
  80. data/test/responses/response_node_text_attack.xml.base64 +0 -1
  81. data/test/responses/response_with_concealed_signed_assertion.xml +0 -51
  82. data/test/responses/response_with_doubled_signed_assertion.xml +0 -49
  83. data/test/responses/response_with_multiple_attribute_statements.xml +0 -72
  84. data/test/responses/response_with_signed_assertion_3.xml +0 -30
  85. data/test/responses/response_with_signed_message_and_assertion.xml +0 -34
  86. data/test/responses/response_with_undefined_recipient.xml.base64 +0 -1
  87. data/test/responses/response_wrapped.xml.base64 +0 -150
  88. data/test/responses/valid_response.xml.base64 +0 -1
  89. data/test/responses/valid_response_without_x509certificate.xml.base64 +0 -1
  90. data/test/utils_test.rb +0 -231
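--- /dev/null
+++ b/data/lib/schemas/saml-schema-authn-context-types-2.0.xsd
@@ -0,0 +1,821 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema
+xmlns:xs="http://www.w3.org/2001/XMLSchema"
+elementFormDefault="qualified"
+version="2.0">
+
+<xs:annotation>
+<xs:documentation>
+Document identifier: saml-schema-authn-context-types-2.0
+Location: http://docs.oasis-open.org/security/saml/v2.0/
+Revision history:
+V2.0 (March, 2005):
+New core authentication context schema types for SAML V2.0.
+</xs:documentation>
+</xs:annotation>
+
+<xs:element name="AuthenticationContextDeclaration" type="AuthnContextDeclarationBaseType">
+<xs:annotation>
+<xs:documentation>
+A particular assertion on an identity
+provider's part with respect to the authentication
+context associated with an authentication assertion.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="Identification" type="IdentificationType">
+<xs:annotation>
+<xs:documentation>
+Refers to those characteristics that describe the
+processes and mechanisms
+the Authentication Authority uses to initially create
+an association between a Principal
+and the identity (or name) by which the Principal will
+be known
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="PhysicalVerification">
+<xs:annotation>
+<xs:documentation>
+This element indicates that identification has been
+performed in a physical
+face-to-face meeting with the principal and not in an
+online manner.
+</xs:documentation>
+</xs:annotation>
+<xs:complexType>
+<xs:attribute name="credentialLevel">
+<xs:simpleType>
+<xs:restriction base="xs:NMTOKEN">
+<xs:enumeration value="primary"/>
+<xs:enumeration value="secondary"/>
+</xs:restriction>
+</xs:simpleType>
+</xs:attribute>
+</xs:complexType>
+</xs:element>
+
+<xs:element name="WrittenConsent" type="ExtensionOnlyType"/>
+
+<xs:element name="TechnicalProtection" type="TechnicalProtectionBaseType">
+<xs:annotation>
+<xs:documentation>
+Refers to those characterstics that describe how the
+'secret' (the knowledge or possession
+of which allows the Principal to authenticate to the
+Authentication Authority) is kept secure
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="SecretKeyProtection" type="SecretKeyProtectionType">
+<xs:annotation>
+<xs:documentation>
+This element indicates the types and strengths of
+facilities
+of a UA used to protect a shared secret key from
+unauthorized access and/or use.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="PrivateKeyProtection" type="PrivateKeyProtectionType">
+<xs:annotation>
+<xs:documentation>
+This element indicates the types and strengths of
+facilities
+of a UA used to protect a private key from
+unauthorized access and/or use.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="KeyActivation" type="KeyActivationType">
+<xs:annotation>
+<xs:documentation>The actions that must be performed
+before the private key can be used. </xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="KeySharing" type="KeySharingType">
+<xs:annotation>
+<xs:documentation>Whether or not the private key is shared
+with the certificate authority.</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="KeyStorage" type="KeyStorageType">
+<xs:annotation>
+<xs:documentation>
+In which medium is the key stored.
+memory - the key is stored in memory.
+smartcard - the key is stored in a smartcard.
+token - the key is stored in a hardware token.
+MobileDevice - the key is stored in a mobile device.
+MobileAuthCard - the key is stored in a mobile
+authentication card.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="SubscriberLineNumber" type="ExtensionOnlyType"/>
+<xs:element name="UserSuffix" type="ExtensionOnlyType"/>
+
+<xs:element name="Password" type="PasswordType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that a password (or passphrase)
+has been used to
+authenticate the Principal to a remote system.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="ActivationPin" type="ActivationPinType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that a Pin (Personal
+Identification Number) has been used to authenticate the Principal to
+some local system in order to activate a key.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="Token" type="TokenType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that a hardware or software
+token is used
+as a method of identifying the Principal.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="TimeSyncToken" type="TimeSyncTokenType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that a time synchronization
+token is used to identify the Principal. hardware -
+the time synchonization
+token has been implemented in hardware. software - the
+time synchronization
+token has been implemented in software. SeedLength -
+the length, in bits, of the
+random seed used in the time synchronization token.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="Smartcard" type="ExtensionOnlyType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that a smartcard is used to
+identity the Principal.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="Length" type="LengthType">
+<xs:annotation>
+<xs:documentation>
+This element indicates the minimum and/or maximum
+ASCII length of the password which is enforced (by the UA or the
+IdP). In other words, this is the minimum and/or maximum number of
+ASCII characters required to represent a valid password.
+min - the minimum number of ASCII characters required
+in a valid password, as enforced by the UA or the IdP.
+max - the maximum number of ASCII characters required
+in a valid password, as enforced by the UA or the IdP.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="ActivationLimit" type="ActivationLimitType">
+<xs:annotation>
+<xs:documentation>
+This element indicates the length of time for which an
+PIN-based authentication is valid.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="Generation">
+<xs:annotation>
+<xs:documentation>
+Indicates whether the password was chosen by the
+Principal or auto-supplied by the Authentication Authority.
+principalchosen - the Principal is allowed to choose
+the value of the password. This is true even if
+the initial password is chosen at random by the UA or
+the IdP and the Principal is then free to change
+the password.
+automatic - the password is chosen by the UA or the
+IdP to be cryptographically strong in some sense,
+or to satisfy certain password rules, and that the
+Principal is not free to change it or to choose a new password.
+</xs:documentation>
+</xs:annotation>
+
+<xs:complexType>
+<xs:attribute name="mechanism" use="required">
+<xs:simpleType>
+<xs:restriction base="xs:NMTOKEN">
+<xs:enumeration value="principalchosen"/>
+<xs:enumeration value="automatic"/>
+</xs:restriction>
+</xs:simpleType>
+</xs:attribute>
+</xs:complexType>
+</xs:element>
+
+<xs:element name="AuthnMethod" type="AuthnMethodBaseType">
+<xs:annotation>
+<xs:documentation>
+Refers to those characteristics that define the
+mechanisms by which the Principal authenticates to the Authentication
+Authority.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="PrincipalAuthenticationMechanism" type="PrincipalAuthenticationMechanismType">
+<xs:annotation>
+<xs:documentation>
+The method that a Principal employs to perform
+authentication to local system components.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="Authenticator" type="AuthenticatorBaseType">
+<xs:annotation>
+<xs:documentation>
+The method applied to validate a principal's
+authentication across a network
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="ComplexAuthenticator" type="ComplexAuthenticatorType">
+<xs:annotation>
+<xs:documentation>
+Supports Authenticators with nested combinations of
+additional complexity.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="PreviousSession" type="ExtensionOnlyType">
+<xs:annotation>
+<xs:documentation>
+Indicates that the Principal has been strongly
+authenticated in a previous session during which the IdP has set a
+cookie in the UA. During the present session the Principal has only
+been authenticated by the UA returning the cookie to the IdP.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="ResumeSession" type="ExtensionOnlyType">
+<xs:annotation>
+<xs:documentation>
+Rather like PreviousSession but using stronger
+security. A secret that was established in a previous session with
+the Authentication Authority has been cached by the local system and
+is now re-used (e.g. a Master Secret is used to derive new session
+keys in TLS, SSL, WTLS).
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="ZeroKnowledge" type="ExtensionOnlyType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that the Principal has been
+authenticated by a zero knowledge technique as specified in ISO/IEC
+9798-5.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="SharedSecretChallengeResponse" type="SharedSecretChallengeResponseType"/>
+
+<xs:complexType name="SharedSecretChallengeResponseType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that the Principal has been
+authenticated by a challenge-response protocol utilizing shared secret
+keys and symmetric cryptography.
+</xs:documentation>
+</xs:annotation>
+<xs:sequence>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+<xs:attribute name="method" type="xs:anyURI" use="optional"/>
+</xs:complexType>
+
+<xs:element name="DigSig" type="PublicKeyType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that the Principal has been
+authenticated by a mechanism which involves the Principal computing a
+digital signature over at least challenge data provided by the IdP.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="AsymmetricDecryption" type="PublicKeyType">
+<xs:annotation>
+<xs:documentation>
+The local system has a private key but it is used
+in decryption mode, rather than signature mode. For example, the
+Authentication Authority generates a secret and encrypts it using the
+local system's public key: the local system then proves it has
+decrypted the secret.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="AsymmetricKeyAgreement" type="PublicKeyType">
+<xs:annotation>
+<xs:documentation>
+The local system has a private key and uses it for
+shared secret key agreement with the Authentication Authority (e.g.
+via Diffie Helman).
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:complexType name="PublicKeyType">
+<xs:sequence>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+<xs:attribute name="keyValidation" use="optional"/>
+</xs:complexType>
+
+<xs:element name="IPAddress" type="ExtensionOnlyType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that the Principal has been
+authenticated through connection from a particular IP address.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="SharedSecretDynamicPlaintext" type="ExtensionOnlyType">
+<xs:annotation>
+<xs:documentation>
+The local system and Authentication Authority
+share a secret key. The local system uses this to encrypt a
+randomised string to pass to the Authentication Authority.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="AuthenticatorTransportProtocol" type="AuthenticatorTransportProtocolType">
+<xs:annotation>
+<xs:documentation>
+The protocol across which Authenticator information is
+transferred to an Authentication Authority verifier.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="HTTP" type="ExtensionOnlyType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that the Authenticator has been
+transmitted using bare HTTP utilizing no additional security
+protocols.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="IPSec" type="ExtensionOnlyType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that the Authenticator has been
+transmitted using a transport mechanism protected by an IPSEC session.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="WTLS" type="ExtensionOnlyType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that the Authenticator has been
+transmitted using a transport mechanism protected by a WTLS session.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="MobileNetworkNoEncryption" type="ExtensionOnlyType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that the Authenticator has been
+transmitted solely across a mobile network using no additional
+security mechanism.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="MobileNetworkRadioEncryption" type="ExtensionOnlyType"/>
+<xs:element name="MobileNetworkEndToEndEncryption" type="ExtensionOnlyType"/>
+
+<xs:element name="SSL" type="ExtensionOnlyType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that the Authenticator has been
+transmitted using a transport mechnanism protected by an SSL or TLS
+session.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="PSTN" type="ExtensionOnlyType"/>
+<xs:element name="ISDN" type="ExtensionOnlyType"/>
+<xs:element name="ADSL" type="ExtensionOnlyType"/>
+
+<xs:element name="OperationalProtection" type="OperationalProtectionType">
+<xs:annotation>
+<xs:documentation>
+Refers to those characteristics that describe
+procedural security controls employed by the Authentication Authority.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="SecurityAudit" type="SecurityAuditType"/>
+<xs:element name="SwitchAudit" type="ExtensionOnlyType"/>
+<xs:element name="DeactivationCallCenter" type="ExtensionOnlyType"/>
+
+<xs:element name="GoverningAgreements" type="GoverningAgreementsType">
+<xs:annotation>
+<xs:documentation>
+Provides a mechanism for linking to external (likely
+human readable) documents in which additional business agreements,
+(e.g. liability constraints, obligations, etc) can be placed.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="GoverningAgreementRef" type="GoverningAgreementRefType"/>
+
+<xs:simpleType name="nymType">
+<xs:restriction base="xs:NMTOKEN">
+<xs:enumeration value="anonymity"/>
+<xs:enumeration value="verinymity"/>
+<xs:enumeration value="pseudonymity"/>
+</xs:restriction>
+</xs:simpleType>
+
+<xs:complexType name="AuthnContextDeclarationBaseType">
+<xs:sequence>
+<xs:element ref="Identification" minOccurs="0"/>
+<xs:element ref="TechnicalProtection" minOccurs="0"/>
+<xs:element ref="OperationalProtection" minOccurs="0"/>
+<xs:element ref="AuthnMethod" minOccurs="0"/>
+<xs:element ref="GoverningAgreements" minOccurs="0"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+<xs:attribute name="ID" type="xs:ID" use="optional"/>
+</xs:complexType>
+
+<xs:complexType name="IdentificationType">
+<xs:sequence>
+<xs:element ref="PhysicalVerification" minOccurs="0"/>
+<xs:element ref="WrittenConsent" minOccurs="0"/>
+<xs:element ref="GoverningAgreements" minOccurs="0"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+<xs:attribute name="nym" type="nymType">
+<xs:annotation>
+<xs:documentation>
+This attribute indicates whether or not the
+Identification mechanisms allow the actions of the Principal to be
+linked to an actual end user.
+</xs:documentation>
+</xs:annotation>
+</xs:attribute>
+</xs:complexType>
+
+<xs:complexType name="TechnicalProtectionBaseType">
+<xs:sequence>
+<xs:choice minOccurs="0">
+<xs:element ref="PrivateKeyProtection"/>
+<xs:element ref="SecretKeyProtection"/>
+</xs:choice>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:complexType name="OperationalProtectionType">
+<xs:sequence>
+<xs:element ref="SecurityAudit" minOccurs="0"/>
+<xs:element ref="DeactivationCallCenter" minOccurs="0"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:complexType name="AuthnMethodBaseType">
+<xs:sequence>
+<xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+<xs:element ref="Authenticator" minOccurs="0"/>
+<xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:complexType name="GoverningAgreementsType">
+<xs:sequence>
+<xs:element ref="GoverningAgreementRef" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:complexType name="GoverningAgreementRefType">
+<xs:attribute name="governingAgreementRef" type="xs:anyURI" use="required"/>
+</xs:complexType>
+
+<xs:complexType name="PrincipalAuthenticationMechanismType">
+<xs:sequence>
+<xs:element ref="Password" minOccurs="0"/>
+<xs:element ref="RestrictedPassword" minOccurs="0"/>
+<xs:element ref="Token" minOccurs="0"/>
+<xs:element ref="Smartcard" minOccurs="0"/>
+<xs:element ref="ActivationPin" minOccurs="0"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+<xs:attribute name="preauth" type="xs:integer" use="optional"/>
+</xs:complexType>
+
+<xs:group name="AuthenticatorChoiceGroup">
+<xs:choice>
+<xs:element ref="PreviousSession"/>
+<xs:element ref="ResumeSession"/>
+<xs:element ref="DigSig"/>
+<xs:element ref="Password"/>
+<xs:element ref="RestrictedPassword"/>
+<xs:element ref="ZeroKnowledge"/>
+<xs:element ref="SharedSecretChallengeResponse"/>
+<xs:element ref="SharedSecretDynamicPlaintext"/>
+<xs:element ref="IPAddress"/>
+<xs:element ref="AsymmetricDecryption"/>
+<xs:element ref="AsymmetricKeyAgreement"/>
+<xs:element ref="SubscriberLineNumber"/>
+<xs:element ref="UserSuffix"/>
+<xs:element ref="ComplexAuthenticator"/>
+</xs:choice>
+</xs:group>
+
+<xs:group name="AuthenticatorSequenceGroup">
+<xs:sequence>
+<xs:element ref="PreviousSession" minOccurs="0"/>
+<xs:element ref="ResumeSession" minOccurs="0"/>
+<xs:element ref="DigSig" minOccurs="0"/>
+<xs:element ref="Password" minOccurs="0"/>
+<xs:element ref="RestrictedPassword" minOccurs="0"/>
+<xs:element ref="ZeroKnowledge" minOccurs="0"/>
+<xs:element ref="SharedSecretChallengeResponse" minOccurs="0"/>
+<xs:element ref="SharedSecretDynamicPlaintext" minOccurs="0"/>
+<xs:element ref="IPAddress" minOccurs="0"/>
+<xs:element ref="AsymmetricDecryption" minOccurs="0"/>
+<xs:element ref="AsymmetricKeyAgreement" minOccurs="0"/>
+<xs:element ref="SubscriberLineNumber" minOccurs="0"/>
+<xs:element ref="UserSuffix" minOccurs="0"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:group>
+
+<xs:complexType name="AuthenticatorBaseType">
+<xs:sequence>
+<xs:group ref="AuthenticatorChoiceGroup"/>
+<xs:group ref="AuthenticatorSequenceGroup"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:complexType name="ComplexAuthenticatorType">
+<xs:sequence>
+<xs:group ref="AuthenticatorChoiceGroup"/>
+<xs:group ref="AuthenticatorSequenceGroup"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:complexType name="AuthenticatorTransportProtocolType">
+<xs:sequence>
+<xs:choice minOccurs="0">
+<xs:element ref="HTTP"/>
+<xs:element ref="SSL"/>
+<xs:element ref="MobileNetworkNoEncryption"/>
+<xs:element ref="MobileNetworkRadioEncryption"/>
+<xs:element ref="MobileNetworkEndToEndEncryption"/>
+<xs:element ref="WTLS"/>
+<xs:element ref="IPSec"/>
+<xs:element ref="PSTN"/>
+<xs:element ref="ISDN"/>
+<xs:element ref="ADSL"/>
+</xs:choice>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:complexType name="KeyActivationType">
+<xs:sequence>
+<xs:element ref="ActivationPin" minOccurs="0"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:complexType name="KeySharingType">
+<xs:attribute name="sharing" type="xs:boolean" use="required"/>
+</xs:complexType>
+
+<xs:complexType name="PrivateKeyProtectionType">
+<xs:sequence>
+<xs:element ref="KeyActivation" minOccurs="0"/>
+<xs:element ref="KeyStorage" minOccurs="0"/>
+<xs:element ref="KeySharing" minOccurs="0"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:complexType name="PasswordType">
+<xs:sequence>
+<xs:element ref="Length" minOccurs="0"/>
+<xs:element ref="Alphabet" minOccurs="0"/>
+<xs:element ref="Generation" minOccurs="0"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+<xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
+</xs:complexType>
+
+<xs:element name="RestrictedPassword" type="RestrictedPasswordType"/>
+
+<xs:complexType name="RestrictedPasswordType">
+<xs:complexContent>
+<xs:restriction base="PasswordType">
+<xs:sequence>
+<xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>
+<xs:element ref="Generation" minOccurs="0"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+<xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
+</xs:restriction>
+</xs:complexContent>
+</xs:complexType>
+
+<xs:complexType name="RestrictedLengthType">
+<xs:complexContent>
+<xs:restriction base="LengthType">
+<xs:attribute name="min" use="required">
+<xs:simpleType>
+<xs:restriction base="xs:integer">
+<xs:minInclusive value="3"/>
+</xs:restriction>
+</xs:simpleType>
+</xs:attribute>
+<xs:attribute name="max" type="xs:integer" use="optional"/>
+</xs:restriction>
+</xs:complexContent>
+</xs:complexType>
+
+<xs:complexType name="ActivationPinType">
+<xs:sequence>
+<xs:element ref="Length" minOccurs="0"/>
+<xs:element ref="Alphabet" minOccurs="0"/>
+<xs:element ref="Generation" minOccurs="0"/>
+<xs:element ref="ActivationLimit" minOccurs="0"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:element name="Alphabet" type="AlphabetType"/>
+<xs:complexType name="AlphabetType">
+<xs:attribute name="requiredChars" type="xs:string" use="required"/>
+<xs:attribute name="excludedChars" type="xs:string" use="optional"/>
+<xs:attribute name="case" type="xs:string" use="optional"/>
+</xs:complexType>
+
+<xs:complexType name="TokenType">
+<xs:sequence>
+<xs:element ref="TimeSyncToken"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:simpleType name="DeviceTypeType">
+<xs:restriction base="xs:NMTOKEN">
+<xs:enumeration value="hardware"/>
+<xs:enumeration value="software"/>
+</xs:restriction>
+</xs:simpleType>
+
+<xs:simpleType name="booleanType">
+<xs:restriction base="xs:NMTOKEN">
+<xs:enumeration value="true"/>
+<xs:enumeration value="false"/>
+</xs:restriction>
+</xs:simpleType>
+
+<xs:complexType name="TimeSyncTokenType">
+<xs:attribute name="DeviceType" type="DeviceTypeType" use="required"/>
+<xs:attribute name="SeedLength" type="xs:integer" use="required"/>
+<xs:attribute name="DeviceInHand" type="booleanType" use="required"/>
+</xs:complexType>
+
+<xs:complexType name="ActivationLimitType">
+<xs:choice>
+<xs:element ref="ActivationLimitDuration"/>
+<xs:element ref="ActivationLimitUsages"/>
+<xs:element ref="ActivationLimitSession"/>
+</xs:choice>
+</xs:complexType>
+
+<xs:element name="ActivationLimitDuration" type="ActivationLimitDurationType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that the Key Activation Limit is
+defined as a specific duration of time.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="ActivationLimitUsages" type="ActivationLimitUsagesType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that the Key Activation Limit is
+defined as a number of usages.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:element name="ActivationLimitSession" type="ActivationLimitSessionType">
+<xs:annotation>
+<xs:documentation>
+This element indicates that the Key Activation Limit is
+the session.
+</xs:documentation>
+</xs:annotation>
+</xs:element>
+
+<xs:complexType name="ActivationLimitDurationType">
+<xs:attribute name="duration" type="xs:duration" use="required"/>
+</xs:complexType>
+
+<xs:complexType name="ActivationLimitUsagesType">
+<xs:attribute name="number" type="xs:integer" use="required"/>
+</xs:complexType>
+
+<xs:complexType name="ActivationLimitSessionType"/>
+
+<xs:complexType name="LengthType">
+<xs:attribute name="min" type="xs:integer" use="required"/>
+<xs:attribute name="max" type="xs:integer" use="optional"/>
+</xs:complexType>
+
+<xs:simpleType name="mediumType">
+<xs:restriction base="xs:NMTOKEN">
+<xs:enumeration value="memory"/>
+<xs:enumeration value="smartcard"/>
+<xs:enumeration value="token"/>
+<xs:enumeration value="MobileDevice"/>
+<xs:enumeration value="MobileAuthCard"/>
+</xs:restriction>
+</xs:simpleType>
+
+<xs:complexType name="KeyStorageType">
+<xs:attribute name="medium" type="mediumType" use="required"/>
+</xs:complexType>
+
+<xs:complexType name="SecretKeyProtectionType">
+<xs:sequence>
+<xs:element ref="KeyActivation" minOccurs="0"/>
+<xs:element ref="KeyStorage" minOccurs="0"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:complexType name="SecurityAuditType">
+<xs:sequence>
+<xs:element ref="SwitchAudit" minOccurs="0"/>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:complexType name="ExtensionOnlyType">
+<xs:sequence>
+<xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+
+<xs:element name="Extension" type="ExtensionType"/>
+
+<xs:complexType name="ExtensionType">
+<xs:sequence>
+<xs:any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+
+</xs:schema>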