saml_tools 0.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +15 -0
- data/LICENSE +24 -0
- data/README.rdoc +65 -0
- data/Rakefile +28 -0
- data/lib/saml_tool.rb +23 -0
- data/lib/saml_tool/certificate.rb +27 -0
- data/lib/saml_tool/decoder.rb +35 -0
- data/lib/saml_tool/encoder.rb +31 -0
- data/lib/saml_tool/erb_builder.rb +33 -0
- data/lib/saml_tool/reader.rb +40 -0
- data/lib/saml_tool/redirect.rb +45 -0
- data/lib/saml_tool/response_reader.rb +148 -0
- data/lib/saml_tool/rsa_key.rb +13 -0
- data/lib/saml_tool/saml.rb +30 -0
- data/lib/saml_tool/settings.rb +24 -0
- data/lib/saml_tool/validator.rb +40 -0
- data/lib/saml_tool/version.rb +8 -0
- data/lib/saml_tools.rb +1 -0
- data/lib/schema/localised-saml-schema-assertion-2.0.xsd +292 -0
- data/lib/schema/localised-saml-schema-protocol-2.0.xsd +309 -0
- data/lib/schema/localised-xenc-schema.xsd +151 -0
- data/lib/schema/xmldsig-core-schema.xsd +318 -0
- data/test/files/TEST_FILES.rdoc +22 -0
- data/test/files/cacert.pem +21 -0
- data/test/files/open_saml_response.xml +56 -0
- data/test/files/request.saml.erb +28 -0
- data/test/files/response.xml +94 -0
- data/test/files/response_template.xml +63 -0
- data/test/files/usercert.p12 +0 -0
- data/test/files/userkey.pem +18 -0
- data/test/files/valid_saml_request.xml +13 -0
- data/test/test_helper.rb +51 -0
- data/test/units/saml_tool/certificate_test.rb +30 -0
- data/test/units/saml_tool/decoder_test.rb +36 -0
- data/test/units/saml_tool/encoder_test.rb +38 -0
- data/test/units/saml_tool/erb_builder_test.rb +50 -0
- data/test/units/saml_tool/reader_test.rb +104 -0
- data/test/units/saml_tool/redirect_test.rb +70 -0
- data/test/units/saml_tool/response_reader_test.rb +144 -0
- data/test/units/saml_tool/rsa_key_test.rb +21 -0
- data/test/units/saml_tool/saml_test.rb +21 -0
- data/test/units/saml_tool/settings_test.rb +36 -0
- data/test/units/saml_tool/validator_test.rb +16 -0
- metadata +168 -0
@@ -0,0 +1,30 @@
|
|
1
|
+
module SamlTool
|
2
|
+
|
3
|
+
class << self
|
4
|
+
# Parse XML. Convenience method for Nokogiri::XML::Document.parse
|
5
|
+
# but defaults to strict mode
|
6
|
+
def SAML thing, url = nil, encoding = nil, options = SAML::ParseOptions::DEFAULT_SAML, &block
|
7
|
+
SAML::Document.parse(thing, url, encoding, options, &block)
|
8
|
+
end
|
9
|
+
end
|
10
|
+
|
11
|
+
# A wrapper for Nokogiri::XML, that applies defaults that are appropriate for SAML
|
12
|
+
module SAML
|
13
|
+
|
14
|
+
class ParseOptions < Nokogiri::XML::ParseOptions
|
15
|
+
DEFAULT_SAML = STRICT
|
16
|
+
end
|
17
|
+
|
18
|
+
class Document < Nokogiri::XML::Document
|
19
|
+
def self.parse string_or_io, url = nil, encoding = nil, options = ParseOptions::DEFAULT_SAML, &block
|
20
|
+
super
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
# Parse XML. Convenience method for Nokogiri::XML::Document.parse
|
25
|
+
def self.parse thing, url = nil, encoding = nil, options = ParseOptions::DEFAULT_SAML, &block
|
26
|
+
Document.parse(thing, url, encoding, options, &block)
|
27
|
+
end
|
28
|
+
|
29
|
+
end
|
30
|
+
end
|
@@ -0,0 +1,24 @@
|
|
1
|
+
require 'securerandom'
|
2
|
+
require 'time'
|
3
|
+
module SamlTool
|
4
|
+
class Settings < Hashie::Mash
|
5
|
+
|
6
|
+
def uuid
|
7
|
+
fetch :uuid, auto_uuid
|
8
|
+
end
|
9
|
+
|
10
|
+
def issue_instance
|
11
|
+
fetch :issue_instance, auto_issue_instance
|
12
|
+
end
|
13
|
+
|
14
|
+
private
|
15
|
+
def auto_uuid
|
16
|
+
@auto_uuid ||= ('_' + SecureRandom.uuid)
|
17
|
+
end
|
18
|
+
|
19
|
+
def auto_issue_instance
|
20
|
+
@auto_issue_instance ||= Time.now.utc.iso8601
|
21
|
+
end
|
22
|
+
|
23
|
+
end
|
24
|
+
end
|
@@ -0,0 +1,40 @@
|
|
1
|
+
module SamlTool
|
2
|
+
class Validator
|
3
|
+
attr_reader :saml
|
4
|
+
def initialize(saml)
|
5
|
+
@saml = saml
|
6
|
+
end
|
7
|
+
|
8
|
+
def valid?
|
9
|
+
validate
|
10
|
+
errors.empty?
|
11
|
+
end
|
12
|
+
|
13
|
+
def errors
|
14
|
+
@errors ||= []
|
15
|
+
end
|
16
|
+
|
17
|
+
#
|
18
|
+
def validate
|
19
|
+
# Need to load schema with other schemas in path
|
20
|
+
# see http://ktulu.com.ar/blog/2011/06/26/resolving-validation-errors-using-nokogiri-and-schemas/
|
21
|
+
Dir.chdir(schema_path) do
|
22
|
+
schema = Nokogiri::XML::Schema(File.read('localised-saml-schema-protocol-2.0.xsd'))
|
23
|
+
|
24
|
+
schema.validate(saml_document).each do |error|
|
25
|
+
errors << error.message unless errors.include? error.message
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
|
30
|
+
def schema_path
|
31
|
+
File.expand_path('../schema/', File.dirname(__FILE__))
|
32
|
+
end
|
33
|
+
|
34
|
+
def saml_document
|
35
|
+
@saml_document ||= Nokogiri::XML(saml)
|
36
|
+
end
|
37
|
+
|
38
|
+
|
39
|
+
end
|
40
|
+
end
|
data/lib/saml_tools.rb
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
require_relative 'saml_tool'
|
@@ -0,0 +1,292 @@
|
|
1
|
+
<?xml version="1.0" encoding="US-ASCII"?>
|
2
|
+
<!-- This file has been modified so that import elements point at local uris -->
|
3
|
+
<schema
|
4
|
+
targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
|
5
|
+
xmlns="http://www.w3.org/2001/XMLSchema"
|
6
|
+
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
7
|
+
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
|
8
|
+
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
|
9
|
+
elementFormDefault="unqualified"
|
10
|
+
attributeFormDefault="unqualified"
|
11
|
+
blockDefault="substitution"
|
12
|
+
version="2.0">
|
13
|
+
<!-- original
|
14
|
+
<import namespace="http://www.w3.org/2000/09/xmldsig#"
|
15
|
+
schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
|
16
|
+
<import namespace="http://www.w3.org/2001/04/xmlenc#"
|
17
|
+
schemaLocation="http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd"/>
|
18
|
+
-->
|
19
|
+
|
20
|
+
<import namespace="http://www.w3.org/2000/09/xmldsig#"
|
21
|
+
schemaLocation="xmldsig-core-schema.xsd"/><!-- localised version -->
|
22
|
+
<import namespace="http://www.w3.org/2001/04/xmlenc#"
|
23
|
+
schemaLocation="localised-xenc-schema.xsd"/><!-- localised version -->
|
24
|
+
|
25
|
+
<annotation>
|
26
|
+
<documentation>
|
27
|
+
Document identifier: saml-schema-assertion-2.0
|
28
|
+
Location: http://docs.oasis-open.org/security/saml/v2.0/
|
29
|
+
Revision history:
|
30
|
+
V1.0 (November, 2002):
|
31
|
+
Initial Standard Schema.
|
32
|
+
V1.1 (September, 2003):
|
33
|
+
Updates within the same V1.0 namespace.
|
34
|
+
V2.0 (March, 2005):
|
35
|
+
New assertion schema for SAML V2.0 namespace.
|
36
|
+
</documentation>
|
37
|
+
</annotation>
|
38
|
+
<attributeGroup name="IDNameQualifiers">
|
39
|
+
<attribute name="NameQualifier" type="string" use="optional"/>
|
40
|
+
<attribute name="SPNameQualifier" type="string" use="optional"/>
|
41
|
+
</attributeGroup>
|
42
|
+
<element name="BaseID" type="saml:BaseIDAbstractType"/>
|
43
|
+
<complexType name="BaseIDAbstractType" abstract="true">
|
44
|
+
<attributeGroup ref="saml:IDNameQualifiers"/>
|
45
|
+
</complexType>
|
46
|
+
<element name="NameID" type="saml:NameIDType"/>
|
47
|
+
<complexType name="NameIDType">
|
48
|
+
<simpleContent>
|
49
|
+
<extension base="string">
|
50
|
+
<attributeGroup ref="saml:IDNameQualifiers"/>
|
51
|
+
<attribute name="Format" type="anyURI" use="optional"/>
|
52
|
+
<attribute name="SPProvidedID" type="string" use="optional"/>
|
53
|
+
</extension>
|
54
|
+
</simpleContent>
|
55
|
+
</complexType>
|
56
|
+
<complexType name="EncryptedElementType">
|
57
|
+
<sequence>
|
58
|
+
<element ref="xenc:EncryptedData"/>
|
59
|
+
<element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
|
60
|
+
</sequence>
|
61
|
+
</complexType>
|
62
|
+
<element name="EncryptedID" type="saml:EncryptedElementType"/>
|
63
|
+
<element name="Issuer" type="saml:NameIDType"/>
|
64
|
+
<element name="AssertionIDRef" type="NCName"/>
|
65
|
+
<element name="AssertionURIRef" type="anyURI"/>
|
66
|
+
<element name="Assertion" type="saml:AssertionType"/>
|
67
|
+
<complexType name="AssertionType">
|
68
|
+
<sequence>
|
69
|
+
<element ref="saml:Issuer"/>
|
70
|
+
<element ref="ds:Signature" minOccurs="0"/>
|
71
|
+
<element ref="saml:Subject" minOccurs="0"/>
|
72
|
+
<element ref="saml:Conditions" minOccurs="0"/>
|
73
|
+
<element ref="saml:Advice" minOccurs="0"/>
|
74
|
+
<choice minOccurs="0" maxOccurs="unbounded">
|
75
|
+
<element ref="saml:Statement"/>
|
76
|
+
<element ref="saml:AuthnStatement"/>
|
77
|
+
<element ref="saml:AuthzDecisionStatement"/>
|
78
|
+
<element ref="saml:AttributeStatement"/>
|
79
|
+
</choice>
|
80
|
+
</sequence>
|
81
|
+
<attribute name="Version" type="string" use="required"/>
|
82
|
+
<attribute name="ID" type="ID" use="required"/>
|
83
|
+
<attribute name="IssueInstant" type="dateTime" use="required"/>
|
84
|
+
</complexType>
|
85
|
+
<element name="Subject" type="saml:SubjectType"/>
|
86
|
+
<complexType name="SubjectType">
|
87
|
+
<choice>
|
88
|
+
<sequence>
|
89
|
+
<choice>
|
90
|
+
<element ref="saml:BaseID"/>
|
91
|
+
<element ref="saml:NameID"/>
|
92
|
+
<element ref="saml:EncryptedID"/>
|
93
|
+
</choice>
|
94
|
+
<element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
|
95
|
+
</sequence>
|
96
|
+
<element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
|
97
|
+
</choice>
|
98
|
+
</complexType>
|
99
|
+
<element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
|
100
|
+
<complexType name="SubjectConfirmationType">
|
101
|
+
<sequence>
|
102
|
+
<choice minOccurs="0">
|
103
|
+
<element ref="saml:BaseID"/>
|
104
|
+
<element ref="saml:NameID"/>
|
105
|
+
<element ref="saml:EncryptedID"/>
|
106
|
+
</choice>
|
107
|
+
<element ref="saml:SubjectConfirmationData" minOccurs="0"/>
|
108
|
+
</sequence>
|
109
|
+
<attribute name="Method" type="anyURI" use="required"/>
|
110
|
+
</complexType>
|
111
|
+
<element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
|
112
|
+
<complexType name="SubjectConfirmationDataType" mixed="true">
|
113
|
+
<complexContent>
|
114
|
+
<restriction base="anyType">
|
115
|
+
<sequence>
|
116
|
+
<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
|
117
|
+
</sequence>
|
118
|
+
<attribute name="NotBefore" type="dateTime" use="optional"/>
|
119
|
+
<attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
|
120
|
+
<attribute name="Recipient" type="anyURI" use="optional"/>
|
121
|
+
<attribute name="InResponseTo" type="NCName" use="optional"/>
|
122
|
+
<attribute name="Address" type="string" use="optional"/>
|
123
|
+
<anyAttribute namespace="##other" processContents="lax"/>
|
124
|
+
</restriction>
|
125
|
+
</complexContent>
|
126
|
+
</complexType>
|
127
|
+
<complexType name="KeyInfoConfirmationDataType" mixed="false">
|
128
|
+
<complexContent>
|
129
|
+
<restriction base="saml:SubjectConfirmationDataType">
|
130
|
+
<sequence>
|
131
|
+
<element ref="ds:KeyInfo" maxOccurs="unbounded"/>
|
132
|
+
</sequence>
|
133
|
+
</restriction>
|
134
|
+
</complexContent>
|
135
|
+
</complexType>
|
136
|
+
<element name="Conditions" type="saml:ConditionsType"/>
|
137
|
+
<complexType name="ConditionsType">
|
138
|
+
<choice minOccurs="0" maxOccurs="unbounded">
|
139
|
+
<element ref="saml:Condition"/>
|
140
|
+
<element ref="saml:AudienceRestriction"/>
|
141
|
+
<element ref="saml:OneTimeUse"/>
|
142
|
+
<element ref="saml:ProxyRestriction"/>
|
143
|
+
</choice>
|
144
|
+
<attribute name="NotBefore" type="dateTime" use="optional"/>
|
145
|
+
<attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
|
146
|
+
</complexType>
|
147
|
+
<element name="Condition" type="saml:ConditionAbstractType"/>
|
148
|
+
<complexType name="ConditionAbstractType" abstract="true"/>
|
149
|
+
<element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
|
150
|
+
<complexType name="AudienceRestrictionType">
|
151
|
+
<complexContent>
|
152
|
+
<extension base="saml:ConditionAbstractType">
|
153
|
+
<sequence>
|
154
|
+
<element ref="saml:Audience" maxOccurs="unbounded"/>
|
155
|
+
</sequence>
|
156
|
+
</extension>
|
157
|
+
</complexContent>
|
158
|
+
</complexType>
|
159
|
+
<element name="Audience" type="anyURI"/>
|
160
|
+
<element name="OneTimeUse" type="saml:OneTimeUseType" />
|
161
|
+
<complexType name="OneTimeUseType">
|
162
|
+
<complexContent>
|
163
|
+
<extension base="saml:ConditionAbstractType"/>
|
164
|
+
</complexContent>
|
165
|
+
</complexType>
|
166
|
+
<element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
|
167
|
+
<complexType name="ProxyRestrictionType">
|
168
|
+
<complexContent>
|
169
|
+
<extension base="saml:ConditionAbstractType">
|
170
|
+
<sequence>
|
171
|
+
<element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
|
172
|
+
</sequence>
|
173
|
+
<attribute name="Count" type="nonNegativeInteger" use="optional"/>
|
174
|
+
</extension>
|
175
|
+
</complexContent>
|
176
|
+
</complexType>
|
177
|
+
<element name="Advice" type="saml:AdviceType"/>
|
178
|
+
<complexType name="AdviceType">
|
179
|
+
<choice minOccurs="0" maxOccurs="unbounded">
|
180
|
+
<element ref="saml:AssertionIDRef"/>
|
181
|
+
<element ref="saml:AssertionURIRef"/>
|
182
|
+
<element ref="saml:Assertion"/>
|
183
|
+
<element ref="saml:EncryptedAssertion"/>
|
184
|
+
<any namespace="##other" processContents="lax"/>
|
185
|
+
</choice>
|
186
|
+
</complexType>
|
187
|
+
<element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
|
188
|
+
<element name="Statement" type="saml:StatementAbstractType"/>
|
189
|
+
<complexType name="StatementAbstractType" abstract="true"/>
|
190
|
+
<element name="AuthnStatement" type="saml:AuthnStatementType"/>
|
191
|
+
<complexType name="AuthnStatementType">
|
192
|
+
<complexContent>
|
193
|
+
<extension base="saml:StatementAbstractType">
|
194
|
+
<sequence>
|
195
|
+
<element ref="saml:SubjectLocality" minOccurs="0"/>
|
196
|
+
<element ref="saml:AuthnContext"/>
|
197
|
+
</sequence>
|
198
|
+
<attribute name="AuthnInstant" type="dateTime" use="required"/>
|
199
|
+
<attribute name="SessionIndex" type="string" use="optional"/>
|
200
|
+
<attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
|
201
|
+
</extension>
|
202
|
+
</complexContent>
|
203
|
+
</complexType>
|
204
|
+
<element name="SubjectLocality" type="saml:SubjectLocalityType"/>
|
205
|
+
<complexType name="SubjectLocalityType">
|
206
|
+
<attribute name="Address" type="string" use="optional"/>
|
207
|
+
<attribute name="DNSName" type="string" use="optional"/>
|
208
|
+
</complexType>
|
209
|
+
<element name="AuthnContext" type="saml:AuthnContextType"/>
|
210
|
+
<complexType name="AuthnContextType">
|
211
|
+
<sequence>
|
212
|
+
<choice>
|
213
|
+
<sequence>
|
214
|
+
<element ref="saml:AuthnContextClassRef"/>
|
215
|
+
<choice minOccurs="0">
|
216
|
+
<element ref="saml:AuthnContextDecl"/>
|
217
|
+
<element ref="saml:AuthnContextDeclRef"/>
|
218
|
+
</choice>
|
219
|
+
</sequence>
|
220
|
+
<choice>
|
221
|
+
<element ref="saml:AuthnContextDecl"/>
|
222
|
+
<element ref="saml:AuthnContextDeclRef"/>
|
223
|
+
</choice>
|
224
|
+
</choice>
|
225
|
+
<element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
|
226
|
+
</sequence>
|
227
|
+
</complexType>
|
228
|
+
<element name="AuthnContextClassRef" type="anyURI"/>
|
229
|
+
<element name="AuthnContextDeclRef" type="anyURI"/>
|
230
|
+
<element name="AuthnContextDecl" type="anyType"/>
|
231
|
+
<element name="AuthenticatingAuthority" type="anyURI"/>
|
232
|
+
<element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
|
233
|
+
<complexType name="AuthzDecisionStatementType">
|
234
|
+
<complexContent>
|
235
|
+
<extension base="saml:StatementAbstractType">
|
236
|
+
<sequence>
|
237
|
+
<element ref="saml:Action" maxOccurs="unbounded"/>
|
238
|
+
<element ref="saml:Evidence" minOccurs="0"/>
|
239
|
+
</sequence>
|
240
|
+
<attribute name="Resource" type="anyURI" use="required"/>
|
241
|
+
<attribute name="Decision" type="saml:DecisionType" use="required"/>
|
242
|
+
</extension>
|
243
|
+
</complexContent>
|
244
|
+
</complexType>
|
245
|
+
<simpleType name="DecisionType">
|
246
|
+
<restriction base="string">
|
247
|
+
<enumeration value="Permit"/>
|
248
|
+
<enumeration value="Deny"/>
|
249
|
+
<enumeration value="Indeterminate"/>
|
250
|
+
</restriction>
|
251
|
+
</simpleType>
|
252
|
+
<element name="Action" type="saml:ActionType"/>
|
253
|
+
<complexType name="ActionType">
|
254
|
+
<simpleContent>
|
255
|
+
<extension base="string">
|
256
|
+
<attribute name="Namespace" type="anyURI" use="required"/>
|
257
|
+
</extension>
|
258
|
+
</simpleContent>
|
259
|
+
</complexType>
|
260
|
+
<element name="Evidence" type="saml:EvidenceType"/>
|
261
|
+
<complexType name="EvidenceType">
|
262
|
+
<choice maxOccurs="unbounded">
|
263
|
+
<element ref="saml:AssertionIDRef"/>
|
264
|
+
<element ref="saml:AssertionURIRef"/>
|
265
|
+
<element ref="saml:Assertion"/>
|
266
|
+
<element ref="saml:EncryptedAssertion"/>
|
267
|
+
</choice>
|
268
|
+
</complexType>
|
269
|
+
<element name="AttributeStatement" type="saml:AttributeStatementType"/>
|
270
|
+
<complexType name="AttributeStatementType">
|
271
|
+
<complexContent>
|
272
|
+
<extension base="saml:StatementAbstractType">
|
273
|
+
<choice maxOccurs="unbounded">
|
274
|
+
<element ref="saml:Attribute"/>
|
275
|
+
<element ref="saml:EncryptedAttribute"/>
|
276
|
+
</choice>
|
277
|
+
</extension>
|
278
|
+
</complexContent>
|
279
|
+
</complexType>
|
280
|
+
<element name="Attribute" type="saml:AttributeType"/>
|
281
|
+
<complexType name="AttributeType">
|
282
|
+
<sequence>
|
283
|
+
<element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
|
284
|
+
</sequence>
|
285
|
+
<attribute name="Name" type="string" use="required"/>
|
286
|
+
<attribute name="NameFormat" type="anyURI" use="optional"/>
|
287
|
+
<attribute name="FriendlyName" type="string" use="optional"/>
|
288
|
+
<anyAttribute namespace="##other" processContents="lax"/>
|
289
|
+
</complexType>
|
290
|
+
<element name="AttributeValue" type="anyType" nillable="true"/>
|
291
|
+
<element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
|
292
|
+
</schema>
|
@@ -0,0 +1,309 @@
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
2
|
+
<!-- This file has been modified so that import elements point at local uris -->
|
3
|
+
<schema
|
4
|
+
targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol"
|
5
|
+
xmlns="http://www.w3.org/2001/XMLSchema"
|
6
|
+
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
7
|
+
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
8
|
+
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
|
9
|
+
elementFormDefault="unqualified"
|
10
|
+
attributeFormDefault="unqualified"
|
11
|
+
blockDefault="substitution"
|
12
|
+
version="2.0">
|
13
|
+
<!-- original
|
14
|
+
<import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
|
15
|
+
schemaLocation="saml-schema-assertion-2.0.xsd"/>
|
16
|
+
<import namespace="http://www.w3.org/2000/09/xmldsig#"
|
17
|
+
schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
|
18
|
+
-->
|
19
|
+
<import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
|
20
|
+
schemaLocation="localised-saml-schema-assertion-2.0.xsd"/><!-- localised version -->
|
21
|
+
<import namespace="http://www.w3.org/2000/09/xmldsig#"
|
22
|
+
schemaLocation="xmldsig-core-schema.xsd"/><!-- localised version -->
|
23
|
+
<annotation>
|
24
|
+
<documentation>
|
25
|
+
Document identifier: saml-schema-protocol-2.0
|
26
|
+
Location: http://docs.oasis-open.org/security/saml/v2.0/
|
27
|
+
Revision history:
|
28
|
+
V1.0 (November, 2002):
|
29
|
+
Initial Standard Schema.
|
30
|
+
V1.1 (September, 2003):
|
31
|
+
Updates within the same V1.0 namespace.
|
32
|
+
V2.0 (March, 2005):
|
33
|
+
New protocol schema based in a SAML V2.0 namespace.
|
34
|
+
</documentation>
|
35
|
+
</annotation>
|
36
|
+
<complexType name="RequestAbstractType" abstract="true">
|
37
|
+
<sequence>
|
38
|
+
<element ref="saml:Issuer" minOccurs="0"/>
|
39
|
+
<element ref="ds:Signature" minOccurs="0"/>
|
40
|
+
<element ref="samlp:Extensions" minOccurs="0"/>
|
41
|
+
</sequence>
|
42
|
+
<attribute name="ID" type="ID" use="required"/>
|
43
|
+
<attribute name="Version" type="string" use="required"/>
|
44
|
+
<attribute name="IssueInstant" type="dateTime" use="required"/>
|
45
|
+
<attribute name="Destination" type="anyURI" use="optional"/>
|
46
|
+
<attribute name="Consent" type="anyURI" use="optional"/>
|
47
|
+
</complexType>
|
48
|
+
<element name="Extensions" type="samlp:ExtensionsType"/>
|
49
|
+
<complexType name="ExtensionsType">
|
50
|
+
<sequence>
|
51
|
+
<any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
|
52
|
+
</sequence>
|
53
|
+
</complexType>
|
54
|
+
<complexType name="StatusResponseType">
|
55
|
+
<sequence>
|
56
|
+
<element ref="saml:Issuer" minOccurs="0"/>
|
57
|
+
<element ref="ds:Signature" minOccurs="0"/>
|
58
|
+
<element ref="samlp:Extensions" minOccurs="0"/>
|
59
|
+
<element ref="samlp:Status"/>
|
60
|
+
</sequence>
|
61
|
+
<attribute name="ID" type="ID" use="required"/>
|
62
|
+
<attribute name="InResponseTo" type="NCName" use="optional"/>
|
63
|
+
<attribute name="Version" type="string" use="required"/>
|
64
|
+
<attribute name="IssueInstant" type="dateTime" use="required"/>
|
65
|
+
<attribute name="Destination" type="anyURI" use="optional"/>
|
66
|
+
<attribute name="Consent" type="anyURI" use="optional"/>
|
67
|
+
</complexType>
|
68
|
+
<element name="Status" type="samlp:StatusType"/>
|
69
|
+
<complexType name="StatusType">
|
70
|
+
<sequence>
|
71
|
+
<element ref="samlp:StatusCode"/>
|
72
|
+
<element ref="samlp:StatusMessage" minOccurs="0"/>
|
73
|
+
<element ref="samlp:StatusDetail" minOccurs="0"/>
|
74
|
+
</sequence>
|
75
|
+
</complexType>
|
76
|
+
<element name="StatusCode" type="samlp:StatusCodeType"/>
|
77
|
+
<complexType name="StatusCodeType">
|
78
|
+
<sequence>
|
79
|
+
<element ref="samlp:StatusCode" minOccurs="0"/>
|
80
|
+
</sequence>
|
81
|
+
<attribute name="Value" type="anyURI" use="required"/>
|
82
|
+
</complexType>
|
83
|
+
<element name="StatusMessage" type="string"/>
|
84
|
+
<element name="StatusDetail" type="samlp:StatusDetailType"/>
|
85
|
+
<complexType name="StatusDetailType">
|
86
|
+
<sequence>
|
87
|
+
<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
|
88
|
+
</sequence>
|
89
|
+
</complexType>
|
90
|
+
<element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/>
|
91
|
+
<complexType name="AssertionIDRequestType">
|
92
|
+
<complexContent>
|
93
|
+
<extension base="samlp:RequestAbstractType">
|
94
|
+
<sequence>
|
95
|
+
<element ref="saml:AssertionIDRef" maxOccurs="unbounded"/>
|
96
|
+
</sequence>
|
97
|
+
</extension>
|
98
|
+
</complexContent>
|
99
|
+
</complexType>
|
100
|
+
<element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
|
101
|
+
<complexType name="SubjectQueryAbstractType" abstract="true">
|
102
|
+
<complexContent>
|
103
|
+
<extension base="samlp:RequestAbstractType">
|
104
|
+
<sequence>
|
105
|
+
<element ref="saml:Subject"/>
|
106
|
+
</sequence>
|
107
|
+
</extension>
|
108
|
+
</complexContent>
|
109
|
+
</complexType>
|
110
|
+
<element name="AuthnQuery" type="samlp:AuthnQueryType"/>
|
111
|
+
<complexType name="AuthnQueryType">
|
112
|
+
<complexContent>
|
113
|
+
<extension base="samlp:SubjectQueryAbstractType">
|
114
|
+
<sequence>
|
115
|
+
<element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
|
116
|
+
</sequence>
|
117
|
+
<attribute name="SessionIndex" type="string" use="optional"/>
|
118
|
+
</extension>
|
119
|
+
</complexContent>
|
120
|
+
</complexType>
|
121
|
+
<element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/>
|
122
|
+
<complexType name="RequestedAuthnContextType">
|
123
|
+
<choice>
|
124
|
+
<element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/>
|
125
|
+
<element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/>
|
126
|
+
</choice>
|
127
|
+
<attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/>
|
128
|
+
</complexType>
|
129
|
+
<simpleType name="AuthnContextComparisonType">
|
130
|
+
<restriction base="string">
|
131
|
+
<enumeration value="exact"/>
|
132
|
+
<enumeration value="minimum"/>
|
133
|
+
<enumeration value="maximum"/>
|
134
|
+
<enumeration value="better"/>
|
135
|
+
</restriction>
|
136
|
+
</simpleType>
|
137
|
+
<element name="AttributeQuery" type="samlp:AttributeQueryType"/>
|
138
|
+
<complexType name="AttributeQueryType">
|
139
|
+
<complexContent>
|
140
|
+
<extension base="samlp:SubjectQueryAbstractType">
|
141
|
+
<sequence>
|
142
|
+
<element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
|
143
|
+
</sequence>
|
144
|
+
</extension>
|
145
|
+
</complexContent>
|
146
|
+
</complexType>
|
147
|
+
<element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/>
|
148
|
+
<complexType name="AuthzDecisionQueryType">
|
149
|
+
<complexContent>
|
150
|
+
<extension base="samlp:SubjectQueryAbstractType">
|
151
|
+
<sequence>
|
152
|
+
<element ref="saml:Action" maxOccurs="unbounded"/>
|
153
|
+
<element ref="saml:Evidence" minOccurs="0"/>
|
154
|
+
</sequence>
|
155
|
+
<attribute name="Resource" type="anyURI" use="required"/>
|
156
|
+
</extension>
|
157
|
+
</complexContent>
|
158
|
+
</complexType>
|
159
|
+
<element name="AuthnRequest" type="samlp:AuthnRequestType"/>
|
160
|
+
<complexType name="AuthnRequestType">
|
161
|
+
<complexContent>
|
162
|
+
<extension base="samlp:RequestAbstractType">
|
163
|
+
<sequence>
|
164
|
+
<element ref="saml:Subject" minOccurs="0"/>
|
165
|
+
<element ref="samlp:NameIDPolicy" minOccurs="0"/>
|
166
|
+
<element ref="saml:Conditions" minOccurs="0"/>
|
167
|
+
<element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
|
168
|
+
<element ref="samlp:Scoping" minOccurs="0"/>
|
169
|
+
</sequence>
|
170
|
+
<attribute name="ForceAuthn" type="boolean" use="optional"/>
|
171
|
+
<attribute name="IsPassive" type="boolean" use="optional"/>
|
172
|
+
<attribute name="ProtocolBinding" type="anyURI" use="optional"/>
|
173
|
+
<attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/>
|
174
|
+
<attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/>
|
175
|
+
<attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/>
|
176
|
+
<attribute name="ProviderName" type="string" use="optional"/>
|
177
|
+
</extension>
|
178
|
+
</complexContent>
|
179
|
+
</complexType>
|
180
|
+
<element name="NameIDPolicy" type="samlp:NameIDPolicyType"/>
|
181
|
+
<complexType name="NameIDPolicyType">
|
182
|
+
<attribute name="Format" type="anyURI" use="optional"/>
|
183
|
+
<attribute name="SPNameQualifier" type="string" use="optional"/>
|
184
|
+
<attribute name="AllowCreate" type="boolean" use="optional"/>
|
185
|
+
</complexType>
|
186
|
+
<element name="Scoping" type="samlp:ScopingType"/>
|
187
|
+
<complexType name="ScopingType">
|
188
|
+
<sequence>
|
189
|
+
<element ref="samlp:IDPList" minOccurs="0"/>
|
190
|
+
<element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/>
|
191
|
+
</sequence>
|
192
|
+
<attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/>
|
193
|
+
</complexType>
|
194
|
+
<element name="RequesterID" type="anyURI"/>
|
195
|
+
<element name="IDPList" type="samlp:IDPListType"/>
|
196
|
+
<complexType name="IDPListType">
|
197
|
+
<sequence>
|
198
|
+
<element ref="samlp:IDPEntry" maxOccurs="unbounded"/>
|
199
|
+
<element ref="samlp:GetComplete" minOccurs="0"/>
|
200
|
+
</sequence>
|
201
|
+
</complexType>
|
202
|
+
<element name="IDPEntry" type="samlp:IDPEntryType"/>
|
203
|
+
<complexType name="IDPEntryType">
|
204
|
+
<attribute name="ProviderID" type="anyURI" use="required"/>
|
205
|
+
<attribute name="Name" type="string" use="optional"/>
|
206
|
+
<attribute name="Loc" type="anyURI" use="optional"/>
|
207
|
+
</complexType>
|
208
|
+
<element name="GetComplete" type="anyURI"/>
|
209
|
+
<element name="Response" type="samlp:ResponseType"/>
|
210
|
+
<complexType name="ResponseType">
|
211
|
+
<complexContent>
|
212
|
+
<extension base="samlp:StatusResponseType">
|
213
|
+
<choice minOccurs="0" maxOccurs="unbounded">
|
214
|
+
<element ref="saml:Assertion"/>
|
215
|
+
<element ref="saml:EncryptedAssertion"/>
|
216
|
+
</choice>
|
217
|
+
</extension>
|
218
|
+
</complexContent>
|
219
|
+
</complexType>
|
220
|
+
<element name="ArtifactResolve" type="samlp:ArtifactResolveType"/>
|
221
|
+
<complexType name="ArtifactResolveType">
|
222
|
+
<complexContent>
|
223
|
+
<extension base="samlp:RequestAbstractType">
|
224
|
+
<sequence>
|
225
|
+
<element ref="samlp:Artifact"/>
|
226
|
+
</sequence>
|
227
|
+
</extension>
|
228
|
+
</complexContent>
|
229
|
+
</complexType>
|
230
|
+
<element name="Artifact" type="string"/>
|
231
|
+
<element name="ArtifactResponse" type="samlp:ArtifactResponseType"/>
|
232
|
+
<complexType name="ArtifactResponseType">
|
233
|
+
<complexContent>
|
234
|
+
<extension base="samlp:StatusResponseType">
|
235
|
+
<sequence>
|
236
|
+
<any namespace="##any" processContents="lax" minOccurs="0"/>
|
237
|
+
</sequence>
|
238
|
+
</extension>
|
239
|
+
</complexContent>
|
240
|
+
</complexType>
|
241
|
+
<element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/>
|
242
|
+
<complexType name="ManageNameIDRequestType">
|
243
|
+
<complexContent>
|
244
|
+
<extension base="samlp:RequestAbstractType">
|
245
|
+
<sequence>
|
246
|
+
<choice>
|
247
|
+
<element ref="saml:NameID"/>
|
248
|
+
<element ref="saml:EncryptedID"/>
|
249
|
+
</choice>
|
250
|
+
<choice>
|
251
|
+
<element ref="samlp:NewID"/>
|
252
|
+
<element ref="samlp:NewEncryptedID"/>
|
253
|
+
<element ref="samlp:Terminate"/>
|
254
|
+
</choice>
|
255
|
+
</sequence>
|
256
|
+
</extension>
|
257
|
+
</complexContent>
|
258
|
+
</complexType>
|
259
|
+
<element name="NewID" type="string"/>
|
260
|
+
<element name="NewEncryptedID" type="saml:EncryptedElementType"/>
|
261
|
+
<element name="Terminate" type="samlp:TerminateType"/>
|
262
|
+
<complexType name="TerminateType"/>
|
263
|
+
<element name="ManageNameIDResponse" type="samlp:StatusResponseType"/>
|
264
|
+
<element name="LogoutRequest" type="samlp:LogoutRequestType"/>
|
265
|
+
<complexType name="LogoutRequestType">
|
266
|
+
<complexContent>
|
267
|
+
<extension base="samlp:RequestAbstractType">
|
268
|
+
<sequence>
|
269
|
+
<choice>
|
270
|
+
<element ref="saml:BaseID"/>
|
271
|
+
<element ref="saml:NameID"/>
|
272
|
+
<element ref="saml:EncryptedID"/>
|
273
|
+
</choice>
|
274
|
+
<element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/>
|
275
|
+
</sequence>
|
276
|
+
<attribute name="Reason" type="string" use="optional"/>
|
277
|
+
<attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
|
278
|
+
</extension>
|
279
|
+
</complexContent>
|
280
|
+
</complexType>
|
281
|
+
<element name="SessionIndex" type="string"/>
|
282
|
+
<element name="LogoutResponse" type="samlp:StatusResponseType"/>
|
283
|
+
<element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/>
|
284
|
+
<complexType name="NameIDMappingRequestType">
|
285
|
+
<complexContent>
|
286
|
+
<extension base="samlp:RequestAbstractType">
|
287
|
+
<sequence>
|
288
|
+
<choice>
|
289
|
+
<element ref="saml:BaseID"/>
|
290
|
+
<element ref="saml:NameID"/>
|
291
|
+
<element ref="saml:EncryptedID"/>
|
292
|
+
</choice>
|
293
|
+
<element ref="samlp:NameIDPolicy"/>
|
294
|
+
</sequence>
|
295
|
+
</extension>
|
296
|
+
</complexContent>
|
297
|
+
</complexType>
|
298
|
+
<element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/>
|
299
|
+
<complexType name="NameIDMappingResponseType">
|
300
|
+
<complexContent>
|
301
|
+
<extension base="samlp:StatusResponseType">
|
302
|
+
<choice>
|
303
|
+
<element ref="saml:NameID"/>
|
304
|
+
<element ref="saml:EncryptedID"/>
|
305
|
+
</choice>
|
306
|
+
</extension>
|
307
|
+
</complexContent>
|
308
|
+
</complexType>
|
309
|
+
</schema>
|