saml2 1.0.0

data/lib/saml2/namespaces.rb

@@ -0,0 +1,21 @@
+module SAML2
+  module Namespaces
+    DSIG     = "http://www.w3.org/2000/09/xmldsig#".freeze
+    METADATA = "urn:oasis:names:tc:SAML:2.0:metadata".freeze
+    SAML     = "urn:oasis:names:tc:SAML:2.0:assertion".freeze
+    SAMLP    = "urn:oasis:names:tc:SAML:2.0:protocol".freeze
+    XENC     = "http://www.w3.org/2001/04/xmlenc#".freeze
+    XSI      = "http://www.w3.org/2001/XMLSchema-instance".freeze
+    X500     = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500".freeze
+
+    ALL = {
+        'dsig'  => DSIG,
+        'md'    => METADATA,
+        'saml'  => SAML,
+        'samlp' => SAMLP,
+        'x500'  => X500,
+        'xenc'  => XENC,
+        'xsi'   => XSI
+    }.freeze
+  end
+end

data/lib/saml2/organization.rb

@@ -0,0 +1,74 @@
+require 'saml2/namespaces'
+
+module SAML2
+  class Organization
+    def self.from_xml(node)
+      return nil unless node
+
+      new(nodes_to_hash(node.xpath('md:OrganizationName', Namespaces::ALL)),
+        nodes_to_hash(node.xpath('md:OrganizationDisplayName', Namespaces::ALL)),
+        nodes_to_hash(node.xpath('md:OrganizationURL', Namespaces::ALL)))
+    end
+
+    def initialize(name, display_name, url)
+      if !name.is_a?(Hash)
+        name = { nil => name}
+      end
+      if !display_name.is_a?(Hash)
+        display_name = { nil => display_name }
+      end
+      if !url.is_a?(Hash)
+        url = { nil => url }
+      end
+
+      @name, @display_name, @url = name, display_name, url
+    end
+
+    def name(lang = nil)
+      self.class.localized_name(@name, lang)
+    end
+
+    def display_name(lang = nil)
+      self.class.localized_name(@display_name, lang)
+    end
+
+    def url(lang = nil)
+      self.class.localized_name(@url, lang)
+    end
+
+    def build(builder)
+      builder['md'].Organization do |builder|
+        self.class.build(builder, @name, 'OrganizationName')
+        self.class.build(builder, @display_name, 'OrganizationDisplayName')
+        self.class.build(builder, @url, 'OrganizationURL')
+      end
+    end
+
+    private
+
+    def self.build(builder, hash, element)
+      hash.each do |lang, value|
+        builder['md'].__send__(element, value, 'xml:lang' => lang)
+      end
+    end
+
+    def self.nodes_to_hash(nodes)
+      hash = {}
+      nodes.each do |node|
+        hash[node['xml:lang'].to_sym] = node.content && node.content.strip
+      end
+      hash
+    end
+
+    def self.localized_name(hash, lang)
+      case lang
+        when :all
+          hash
+        when nil
+          !hash.empty? && hash.first.last
+        else
+          hash[lang.to_sym]
+      end
+    end
+  end
+end

data/lib/saml2/organization_and_contacts.rb

@@ -0,0 +1,35 @@
+require 'saml2/contact'
+require 'saml2/organization'
+
+module SAML2
+  module OrganizationAndContacts
+    attr_writer :organization, :contacts
+
+    def initialize(node = nil)
+      unless node
+        @organization = nil
+        @contacts = []
+      end
+    end
+
+    def organization
+      unless instance_variable_defined?(:@organization)
+        @organization = Organization.from_xml(@root.at_xpath('md:Organization', Namespaces::ALL))
+      end
+      @organization
+    end
+
+    def contacts
+      @contacts ||= load_object_array(@root, 'md:ContactPerson', Contact)
+    end
+
+    protected
+
+    def build(builder)
+      organization.build(builder) if organization
+      contacts.each do |contact|
+        contact.build(builder)
+      end
+    end
+  end
+end

data/lib/saml2/profiles.rb

@@ -0,0 +1,7 @@
+module SAML2
+  module Profiles
+    # http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
+    WEB_BROWSER_SSO = 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser'.freeze
+    INTEROPERABLE = 'http://saml2int.org/profile'.freeze
+  end
+end

data/lib/saml2/response.rb

@@ -0,0 +1,92 @@
+require 'nokogiri-xmlsec'
+require 'securerandom'
+require 'time'
+
+require 'saml2/assertion'
+require 'saml2/authn_statement'
+require 'saml2/base'
+require 'saml2/subject'
+
+module SAML2
+  class Response < Base
+    module Status
+      SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success".freeze
+    end
+
+    attr_reader :id, :issue_instant, :assertions
+    attr_accessor :issuer, :in_response_to, :destination, :status_code
+
+    def self.respond_to(authn_request, issuer, name_id, attributes = nil)
+      response = initiate(nil, issuer, name_id)
+      response.in_response_to = authn_request.id
+      response.destination = authn_request.assertion_consumer_service.location
+      confirmation = response.assertions.first.subject.confirmation
+      confirmation.in_response_to = authn_request.id
+      confirmation.recipient = response.destination
+      if attributes && authn_request.attribute_consuming_service
+        statement = authn_request.attribute_consuming_service.create_statement(attributes)
+        response.assertions.first.statements << statement if statement
+      end
+      response
+    end
+
+    def self.initiate(service_provider, issuer, name_id, attributes = nil)
+      response = new
+      response.issuer = issuer
+      response.destination = service_provider.assertion_consumer_services.default.location if service_provider
+      assertion = Assertion.new
+      assertion.subject = Subject.new
+      assertion.subject.name_id = name_id
+      assertion.subject.confirmation = Subject::Confirmation.new
+      assertion.subject.confirmation.method = Subject::Confirmation::Methods::BEARER
+      assertion.subject.confirmation.not_before = Time.now.utc
+      assertion.subject.confirmation.not_on_or_after = Time.now.utc + 30
+      assertion.subject.confirmation.recipient = response.destination if response.destination
+      assertion.issuer = issuer
+      authn_statement = AuthnStatement.new
+      authn_statement.authn_instant = response.issue_instant
+      authn_statement.authn_context_class_ref = AuthnStatement::Classes::UNSPECIFIED
+      assertion.statements << authn_statement
+      if attributes && service_provider.attribute_consuming_services.default
+        statement = service_provider.attribute_consuming_services.default.create_statement(attributes)
+        assertion.statements << statement if statement
+      end
+      response.assertions << assertion
+      response
+    end
+
+    def initialize
+      @id = "_#{SecureRandom.uuid}"
+      @status_code = Status::SUCCESS
+      @issue_instant = Time.now.utc
+      @assertions = []
+    end
+
+    def sign(*args)
+      assertions.each { |assertion| assertion.sign(*args) }
+    end
+
+    private
+    def build(builder)
+      builder['samlp'].Response(
+        'xmlns:samlp' => Namespaces::SAMLP,
+        ID: id,
+        Version: '2.0',
+        IssueInstant: issue_instant.iso8601,
+        Destination: destination
+      ) do |builder|
+        builder.parent['InResponseTo'] = in_response_to if in_response_to
+
+        issuer.build(builder, element: 'Issuer', include_namespace: true) if issuer
+
+        builder['samlp'].Status do |builder|
+          builder['samlp'].StatusCode(Value: status_code)
+          end
+
+        assertions.each do |assertion|
+          builder.parent << assertion.to_xml
+        end
+      end
+    end
+  end
+end

data/lib/saml2/role.rb

@@ -0,0 +1,53 @@
+require 'set'
+
+require 'saml2/base'
+require 'saml2/organization_and_contacts'
+require 'saml2/key'
+
+module SAML2
+  class Role < Base
+    module Protocols
+      SAML2 = 'urn:oasis:names:tc:SAML:2.0:protocol'.freeze
+    end
+
+    include OrganizationAndContacts
+
+    attr_writer :supported_protocols, :keys
+
+    def initialize(node = nil)
+      super
+      @root = node
+      unless @root
+        @supported_protocols = Set.new
+        @supported_protocols << Protocols::SAML2
+        @keys = []
+      end
+    end
+
+    def supported_protocols
+      @supported_protocols ||= @root['protocolSupportEnumeration'].split
+    end
+
+    def keys
+      @keys ||= load_object_array(@root, 'md:KeyDescriptor', Key)
+    end
+
+    def signing_keys
+      keys.select { |key| key.signing? }
+    end
+
+    def encryption_keys
+      keys.select { |key| key.encryption? }
+    end
+
+    protected
+    # should be called from inside the role element
+    def build(builder)
+      builder.parent['protocolSupportEnumeration'] = supported_protocols.to_a.join(' ')
+      keys.each do |key|
+        key.build(builder)
+      end
+      super
+    end
+  end
+end

data/lib/saml2/schemas.rb

@@ -0,0 +1,18 @@
+module SAML2
+  module Schemas
+    def self.metadata
+      @metadata ||= schema('saml-schema-metadata-2.0.xsd')
+    end
+
+    def self.protocol
+      @protocol ||= schema('saml-schema-protocol-2.0.xsd')
+    end
+
+    private
+    def self.schema(filename)
+      Dir.chdir(File.expand_path(File.join(__FILE__, '../../../schemas'))) do
+        Nokogiri::XML::Schema(File.read(filename))
+      end
+    end
+  end
+end

data/lib/saml2/service_provider.rb

@@ -0,0 +1,30 @@
+require 'nokogiri'
+
+require 'saml2/endpoint'
+require 'saml2/sso'
+
+module SAML2
+  class ServiceProvider < SSO
+    class << self
+      alias_method :from_xml, :new
+    end
+
+    def initialize(root)
+      @root = root
+    end
+
+    def assertion_consumer_services
+      @assertion_consumer_services ||= begin
+        nodes = @root.xpath('md:AssertionConsumerService', Namespaces::ALL)
+        Endpoint::Indexed::Array.from_xml(nodes)
+      end
+    end
+
+    def attribute_consuming_services
+      @attribute_consuming_services ||= begin
+        nodes = @root.xpath('md:AttributeConsumingService', Namespaces::ALL)
+        AttributeConsumingService::Array.from_xml(nodes)
+      end
+    end
+  end
+end

data/lib/saml2/sso.rb

@@ -0,0 +1,36 @@
+require 'saml2/role'
+
+module SAML2
+  class SSO < Role
+    attr_reader :single_logout_services, :name_id_formats
+
+    def initialize(node = nil)
+      super
+      unless node
+        @single_logout_services = []
+        @name_id_formats = []
+      end
+    end
+
+    def single_logout_services
+      @single_logout_services ||= load_object_array(@root, 'md:SingleLogoutService', Endpoint)
+    end
+
+    def name_id_formats
+      @name_id_formats ||= load_string_array(@root, 'md:NameIDFormat')
+    end
+
+    protected
+    # should be called from inside the role element
+    def build(builder)
+      super
+
+      single_logout_services.each do |slo|
+        slo.build(builder, 'SingleLogoutService')
+      end
+      name_id_formats.each do |nif|
+        builder['md'].NameIDFormat(nif)
+      end
+    end
+  end
+end

data/lib/saml2/subject.rb

@@ -0,0 +1,49 @@
+require 'saml2/name_id'
+require 'saml2/namespaces'
+
+module SAML2
+  class Subject
+    attr_accessor :name_id, :confirmation
+
+    def self.from_xml(node)
+      return nil unless node
+      subject = new
+      subject.name_id = NameID.from_xml(node.at_xpath('saml:NameID', Namespaces::ALL))
+
+      subject
+    end
+
+    def build(builder)
+      builder['saml'].Subject do |builder|
+        name_id.build(builder) if name_id
+        confirmation.build(builder) if confirmation
+      end
+    end
+
+    class Confirmation
+      module Methods
+        BEARER         = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'.freeze
+        HOLDER_OF_KEY  = 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'.freeze
+        SENDER_VOUCHES = 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches'.freeze
+      end
+
+      attr_accessor :method, :not_before, :not_on_or_after, :recipient, :in_response_to
+
+      def build(builder)
+        builder['saml'].SubjectConfirmation('Method' => method) do |builder|
+          if in_response_to ||
+              recipient ||
+              not_before ||
+              not_on_or_after
+            builder['saml'].SubjectConfirmationData do |builder|
+              builder.parent['NotBefore'] = not_before.iso8601 if not_before
+              builder.parent['NotOnOrAfter'] = not_on_or_after.iso8601 if not_on_or_after
+              builder.parent['Recipient'] = recipient if recipient
+              builder.parent['InResponseTo'] = in_response_to if in_response_to
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/saml2/version.rb

@@ -0,0 +1,3 @@
+module SAML2
+  VERSION = '1.0.0'
+end

data/schemas/saml-schema-assertion-2.0.xsd

@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema
+    targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns="http://www.w3.org/2001/XMLSchema"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    blockDefault="substitution"
+    version="2.0">
+    <import namespace="http://www.w3.org/2000/09/xmldsig#"
+        schemaLocation="xmldsig-core-schema.xsd"/>
+    <import namespace="http://www.w3.org/2001/04/xmlenc#"
+        schemaLocation="xenc-schema.xsd"/>
+    <annotation>
+        <documentation>
+            Document identifier: saml-schema-assertion-2.0
+            Location: http://docs.oasis-open.org/security/saml/v2.0/
+            Revision history:
+            V1.0 (November, 2002):
+              Initial Standard Schema.
+            V1.1 (September, 2003):
+              Updates within the same V1.0 namespace.
+            V2.0 (March, 2005):
+              New assertion schema for SAML V2.0 namespace.
+        </documentation>
+    </annotation>
+    <attributeGroup name="IDNameQualifiers">
+        <attribute name="NameQualifier" type="string" use="optional"/>
+        <attribute name="SPNameQualifier" type="string" use="optional"/>
+    </attributeGroup>
+    <element name="BaseID" type="saml:BaseIDAbstractType"/>
+    <complexType name="BaseIDAbstractType" abstract="true">
+        <attributeGroup ref="saml:IDNameQualifiers"/>
+    </complexType>
+    <element name="NameID" type="saml:NameIDType"/>
+    <complexType name="NameIDType">
+        <simpleContent>
+            <extension base="string">
+                <attributeGroup ref="saml:IDNameQualifiers"/>
+                <attribute name="Format" type="anyURI" use="optional"/>
+                <attribute name="SPProvidedID" type="string" use="optional"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <complexType name="EncryptedElementType">
+        <sequence>
+            <element ref="xenc:EncryptedData"/>
+            <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="EncryptedID" type="saml:EncryptedElementType"/>
+    <element name="Issuer" type="saml:NameIDType"/>
+    <element name="AssertionIDRef" type="NCName"/>
+    <element name="AssertionURIRef" type="anyURI"/>
+    <element name="Assertion" type="saml:AssertionType"/>
+    <complexType name="AssertionType">
+        <sequence>
+            <element ref="saml:Issuer"/>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="saml:Subject" minOccurs="0"/>
+            <element ref="saml:Conditions" minOccurs="0"/>
+            <element ref="saml:Advice" minOccurs="0"/>
+            <choice minOccurs="0" maxOccurs="unbounded">
+                <element ref="saml:Statement"/>
+                <element ref="saml:AuthnStatement"/>
+                <element ref="saml:AuthzDecisionStatement"/>
+                <element ref="saml:AttributeStatement"/>
+            </choice>
+        </sequence>
+        <attribute name="Version" type="string" use="required"/>
+        <attribute name="ID" type="ID" use="required"/>
+        <attribute name="IssueInstant" type="dateTime" use="required"/>
+    </complexType>
+    <element name="Subject" type="saml:SubjectType"/>
+    <complexType name="SubjectType">
+        <choice>
+            <sequence>
+                <choice>
+                    <element ref="saml:BaseID"/>
+                    <element ref="saml:NameID"/>
+                    <element ref="saml:EncryptedID"/>
+                </choice>
+                <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
+            </sequence>
+            <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
+        </choice>
+    </complexType>
+    <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+    <complexType name="SubjectConfirmationType">
+        <sequence>
+            <choice minOccurs="0">
+                <element ref="saml:BaseID"/>
+                <element ref="saml:NameID"/>
+                <element ref="saml:EncryptedID"/>
+            </choice>
+            <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+        </sequence>
+        <attribute name="Method" type="anyURI" use="required"/>
+    </complexType>
+    <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
+    <complexType name="SubjectConfirmationDataType" mixed="true">
+        <complexContent>
+            <restriction base="anyType">
+                <sequence>
+                    <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+                <attribute name="NotBefore" type="dateTime" use="optional"/>
+                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+                <attribute name="Recipient" type="anyURI" use="optional"/>
+                <attribute name="InResponseTo" type="NCName" use="optional"/>
+                <attribute name="Address" type="string" use="optional"/>
+                <anyAttribute namespace="##other" processContents="lax"/>
+            </restriction>
+        </complexContent>
+    </complexType>
+    <complexType name="KeyInfoConfirmationDataType" mixed="false">
+        <complexContent>
+            <restriction base="saml:SubjectConfirmationDataType">
+                <sequence>
+                    <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+                </sequence>
+            </restriction>
+        </complexContent>
+    </complexType>
+    <element name="Conditions" type="saml:ConditionsType"/>
+    <complexType name="ConditionsType">
+        <choice minOccurs="0" maxOccurs="unbounded">
+            <element ref="saml:Condition"/>
+            <element ref="saml:AudienceRestriction"/>
+            <element ref="saml:OneTimeUse"/>
+            <element ref="saml:ProxyRestriction"/>
+        </choice>
+        <attribute name="NotBefore" type="dateTime" use="optional"/>
+        <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+    </complexType>
+    <element name="Condition" type="saml:ConditionAbstractType"/>
+    <complexType name="ConditionAbstractType" abstract="true"/>
+    <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
+    <complexType name="AudienceRestrictionType">
+        <complexContent>
+            <extension base="saml:ConditionAbstractType">
+                <sequence>
+                    <element ref="saml:Audience" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="Audience" type="anyURI"/>
+    <element name="OneTimeUse" type="saml:OneTimeUseType" />
+    <complexType name="OneTimeUseType">
+        <complexContent>
+            <extension base="saml:ConditionAbstractType"/>
+        </complexContent>
+    </complexType>
+    <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
+    <complexType name="ProxyRestrictionType">
+    <complexContent>
+        <extension base="saml:ConditionAbstractType">
+            <sequence>
+                <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+            </sequence>
+            <attribute name="Count" type="nonNegativeInteger" use="optional"/>
+        </extension>
+	</complexContent>
+    </complexType>
+    <element name="Advice" type="saml:AdviceType"/>
+    <complexType name="AdviceType">
+        <choice minOccurs="0" maxOccurs="unbounded">
+            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:Assertion"/>
+            <element ref="saml:EncryptedAssertion"/>
+            <any namespace="##other" processContents="lax"/>
+        </choice>
+    </complexType>
+    <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
+    <element name="Statement" type="saml:StatementAbstractType"/>
+    <complexType name="StatementAbstractType" abstract="true"/>
+    <element name="AuthnStatement" type="saml:AuthnStatementType"/>
+    <complexType name="AuthnStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <sequence>
+                    <element ref="saml:SubjectLocality" minOccurs="0"/>
+                    <element ref="saml:AuthnContext"/>
+                </sequence>
+                <attribute name="AuthnInstant" type="dateTime" use="required"/>
+                <attribute name="SessionIndex" type="string" use="optional"/>
+                <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+    <complexType name="SubjectLocalityType">
+        <attribute name="Address" type="string" use="optional"/>
+        <attribute name="DNSName" type="string" use="optional"/>
+    </complexType>
+    <element name="AuthnContext" type="saml:AuthnContextType"/>
+    <complexType name="AuthnContextType">
+        <sequence>
+            <choice>
+                <sequence>
+                    <element ref="saml:AuthnContextClassRef"/>
+                    <choice minOccurs="0">
+                        <element ref="saml:AuthnContextDecl"/>
+                        <element ref="saml:AuthnContextDeclRef"/>
+                    </choice>
+                </sequence>
+                <choice>
+                    <element ref="saml:AuthnContextDecl"/>
+                    <element ref="saml:AuthnContextDeclRef"/>
+                </choice>
+            </choice>
+            <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="AuthnContextClassRef" type="anyURI"/>
+    <element name="AuthnContextDeclRef" type="anyURI"/>
+    <element name="AuthnContextDecl" type="anyType"/>
+    <element name="AuthenticatingAuthority" type="anyURI"/>
+    <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
+    <complexType name="AuthzDecisionStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <sequence>
+                    <element ref="saml:Action" maxOccurs="unbounded"/>
+                    <element ref="saml:Evidence" minOccurs="0"/>
+                </sequence>
+                <attribute name="Resource" type="anyURI" use="required"/>
+                <attribute name="Decision" type="saml:DecisionType" use="required"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <simpleType name="DecisionType">
+        <restriction base="string">
+            <enumeration value="Permit"/>
+            <enumeration value="Deny"/>
+            <enumeration value="Indeterminate"/>
+        </restriction>
+    </simpleType>
+    <element name="Action" type="saml:ActionType"/>
+    <complexType name="ActionType">
+        <simpleContent>
+            <extension base="string">
+                <attribute name="Namespace" type="anyURI" use="required"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <element name="Evidence" type="saml:EvidenceType"/>
+    <complexType name="EvidenceType">
+        <choice maxOccurs="unbounded">
+            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:Assertion"/>
+            <element ref="saml:EncryptedAssertion"/>
+        </choice>
+    </complexType>
+    <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+    <complexType name="AttributeStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <choice maxOccurs="unbounded">
+                    <element ref="saml:Attribute"/>
+                    <element ref="saml:EncryptedAttribute"/>
+                </choice>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="Attribute" type="saml:AttributeType"/>
+    <complexType name="AttributeType">
+        <sequence>
+            <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="Name" type="string" use="required"/>
+        <attribute name="NameFormat" type="anyURI" use="optional"/>
+        <attribute name="FriendlyName" type="string" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <element name="AttributeValue" type="anyType" nillable="true"/>
+    <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
+</schema>