samlsso 0.1.0

data/lib/samlsso/version.rb

@@ -0,0 +1,3 @@
+module Samlsso
+  VERSION = "0.1.0"
+end

data/lib/schemas/saml-schema-assertion-2.0.xsd

@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema
+    targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns="http://www.w3.org/2001/XMLSchema"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    blockDefault="substitution"
+    version="2.0">
+    <import namespace="http://www.w3.org/2000/09/xmldsig#"
+        schemaLocation="xmldsig-core-schema.xsd"/>
+    <import namespace="http://www.w3.org/2001/04/xmlenc#"
+        schemaLocation="xenc-schema.xsd"/>
+    <annotation>
+        <documentation>
+            Document identifier: saml-schema-assertion-2.0
+            Location: http://docs.oasis-open.org/security/saml/v2.0/
+            Revision history:
+            V1.0 (November, 2002):
+              Initial Standard Schema.
+            V1.1 (September, 2003):
+              Updates within the same V1.0 namespace.
+            V2.0 (March, 2005):
+              New assertion schema for SAML V2.0 namespace.
+        </documentation>
+    </annotation>
+    <attributeGroup name="IDNameQualifiers">
+        <attribute name="NameQualifier" type="string" use="optional"/>
+        <attribute name="SPNameQualifier" type="string" use="optional"/>
+    </attributeGroup>
+    <element name="BaseID" type="saml:BaseIDAbstractType"/>
+    <complexType name="BaseIDAbstractType" abstract="true">
+        <attributeGroup ref="saml:IDNameQualifiers"/>
+    </complexType>
+    <element name="NameID" type="saml:NameIDType"/>
+    <complexType name="NameIDType">
+        <simpleContent>
+            <extension base="string">
+                <attributeGroup ref="saml:IDNameQualifiers"/>
+                <attribute name="Format" type="anyURI" use="optional"/>
+                <attribute name="SPProvidedID" type="string" use="optional"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <complexType name="EncryptedElementType">
+        <sequence>
+            <element ref="xenc:EncryptedData"/>
+            <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="EncryptedID" type="saml:EncryptedElementType"/>
+    <element name="Issuer" type="saml:NameIDType"/>
+    <element name="AssertionIDRef" type="NCName"/>
+    <element name="AssertionURIRef" type="anyURI"/>
+    <element name="Assertion" type="saml:AssertionType"/>
+    <complexType name="AssertionType">
+        <sequence>
+            <element ref="saml:Issuer"/>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="saml:Subject" minOccurs="0"/>
+            <element ref="saml:Conditions" minOccurs="0"/>
+            <element ref="saml:Advice" minOccurs="0"/>
+            <choice minOccurs="0" maxOccurs="unbounded">
+                <element ref="saml:Statement"/>
+                <element ref="saml:AuthnStatement"/>
+                <element ref="saml:AuthzDecisionStatement"/>
+                <element ref="saml:AttributeStatement"/>
+            </choice>
+        </sequence>
+        <attribute name="Version" type="string" use="required"/>
+        <attribute name="ID" type="ID" use="required"/>
+        <attribute name="IssueInstant" type="dateTime" use="required"/>
+    </complexType>
+    <element name="Subject" type="saml:SubjectType"/>
+    <complexType name="SubjectType">
+        <choice>
+            <sequence>
+                <choice>
+                    <element ref="saml:BaseID"/>
+                    <element ref="saml:NameID"/>
+                    <element ref="saml:EncryptedID"/>
+                </choice>
+                <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
+            </sequence>
+            <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
+        </choice>
+    </complexType>
+    <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+    <complexType name="SubjectConfirmationType">
+        <sequence>
+            <choice minOccurs="0">
+                <element ref="saml:BaseID"/>
+                <element ref="saml:NameID"/>
+                <element ref="saml:EncryptedID"/>
+            </choice>
+            <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+        </sequence>
+        <attribute name="Method" type="anyURI" use="required"/>
+    </complexType>
+    <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
+    <complexType name="SubjectConfirmationDataType" mixed="true">
+        <complexContent>
+            <restriction base="anyType">
+                <sequence>
+                    <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+                <attribute name="NotBefore" type="dateTime" use="optional"/>
+                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+                <attribute name="Recipient" type="anyURI" use="optional"/>
+                <attribute name="InResponseTo" type="NCName" use="optional"/>
+                <attribute name="Address" type="string" use="optional"/>
+                <anyAttribute namespace="##other" processContents="lax"/>
+            </restriction>
+        </complexContent>
+    </complexType>
+    <complexType name="KeyInfoConfirmationDataType" mixed="false">
+        <complexContent>
+            <restriction base="saml:SubjectConfirmationDataType">
+                <sequence>
+                    <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+                </sequence>
+            </restriction>
+        </complexContent>
+    </complexType>
+    <element name="Conditions" type="saml:ConditionsType"/>
+    <complexType name="ConditionsType">
+        <choice minOccurs="0" maxOccurs="unbounded">
+            <element ref="saml:Condition"/>
+            <element ref="saml:AudienceRestriction"/>
+            <element ref="saml:OneTimeUse"/>
+            <element ref="saml:ProxyRestriction"/>
+        </choice>
+        <attribute name="NotBefore" type="dateTime" use="optional"/>
+        <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+    </complexType>
+    <element name="Condition" type="saml:ConditionAbstractType"/>
+    <complexType name="ConditionAbstractType" abstract="true"/>
+    <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
+    <complexType name="AudienceRestrictionType">
+        <complexContent>
+            <extension base="saml:ConditionAbstractType">
+                <sequence>
+                    <element ref="saml:Audience" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="Audience" type="anyURI"/>
+    <element name="OneTimeUse" type="saml:OneTimeUseType" />
+    <complexType name="OneTimeUseType">
+        <complexContent>
+            <extension base="saml:ConditionAbstractType"/>
+        </complexContent>
+    </complexType>
+    <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
+    <complexType name="ProxyRestrictionType">
+    <complexContent>
+        <extension base="saml:ConditionAbstractType">
+            <sequence>
+                <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+            </sequence>
+            <attribute name="Count" type="nonNegativeInteger" use="optional"/>
+        </extension>
+	</complexContent>
+    </complexType>
+    <element name="Advice" type="saml:AdviceType"/>
+    <complexType name="AdviceType">
+        <choice minOccurs="0" maxOccurs="unbounded">
+            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:Assertion"/>
+            <element ref="saml:EncryptedAssertion"/>
+            <any namespace="##other" processContents="lax"/>
+        </choice>
+    </complexType>
+    <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
+    <element name="Statement" type="saml:StatementAbstractType"/>
+    <complexType name="StatementAbstractType" abstract="true"/>
+    <element name="AuthnStatement" type="saml:AuthnStatementType"/>
+    <complexType name="AuthnStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <sequence>
+                    <element ref="saml:SubjectLocality" minOccurs="0"/>
+                    <element ref="saml:AuthnContext"/>
+                </sequence>
+                <attribute name="AuthnInstant" type="dateTime" use="required"/>
+                <attribute name="SessionIndex" type="string" use="optional"/>
+                <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+    <complexType name="SubjectLocalityType">
+        <attribute name="Address" type="string" use="optional"/>
+        <attribute name="DNSName" type="string" use="optional"/>
+    </complexType>
+    <element name="AuthnContext" type="saml:AuthnContextType"/>
+    <complexType name="AuthnContextType">
+        <sequence>
+            <choice>
+                <sequence>
+                    <element ref="saml:AuthnContextClassRef"/>
+                    <choice minOccurs="0">
+                        <element ref="saml:AuthnContextDecl"/>
+                        <element ref="saml:AuthnContextDeclRef"/>
+                    </choice>
+                </sequence>
+                <choice>
+                    <element ref="saml:AuthnContextDecl"/>
+                    <element ref="saml:AuthnContextDeclRef"/>
+                </choice>
+            </choice>
+            <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="AuthnContextClassRef" type="anyURI"/>
+    <element name="AuthnContextDeclRef" type="anyURI"/>
+    <element name="AuthnContextDecl" type="anyType"/>
+    <element name="AuthenticatingAuthority" type="anyURI"/>
+    <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
+    <complexType name="AuthzDecisionStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <sequence>
+                    <element ref="saml:Action" maxOccurs="unbounded"/>
+                    <element ref="saml:Evidence" minOccurs="0"/>
+                </sequence>
+                <attribute name="Resource" type="anyURI" use="required"/>
+                <attribute name="Decision" type="saml:DecisionType" use="required"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <simpleType name="DecisionType">
+        <restriction base="string">
+            <enumeration value="Permit"/>
+            <enumeration value="Deny"/>
+            <enumeration value="Indeterminate"/>
+        </restriction>
+    </simpleType>
+    <element name="Action" type="saml:ActionType"/>
+    <complexType name="ActionType">
+        <simpleContent>
+            <extension base="string">
+                <attribute name="Namespace" type="anyURI" use="required"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <element name="Evidence" type="saml:EvidenceType"/>
+    <complexType name="EvidenceType">
+        <choice maxOccurs="unbounded">
+            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:Assertion"/>
+            <element ref="saml:EncryptedAssertion"/>
+        </choice>
+    </complexType>
+    <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+    <complexType name="AttributeStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <choice maxOccurs="unbounded">
+                    <element ref="saml:Attribute"/>
+                    <element ref="saml:EncryptedAttribute"/>
+                </choice>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="Attribute" type="saml:AttributeType"/>
+    <complexType name="AttributeType">
+        <sequence>
+            <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="Name" type="string" use="required"/>
+        <attribute name="NameFormat" type="anyURI" use="optional"/>
+        <attribute name="FriendlyName" type="string" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <element name="AttributeValue" type="anyType" nillable="true"/>
+    <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
+</schema>

data/lib/schemas/saml-schema-authn-context-2.0.xsd

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema 
+  targetNamespace="urn:oasis:names:tc:SAML:2.0:ac"
+  xmlns:xs="http://www.w3.org/2001/XMLSchema"
+  xmlns="urn:oasis:names:tc:SAML:2.0:ac"
+  blockDefault="substitution"
+  version="2.0">
+
+  <xs:annotation>
+    <xs:documentation>
+      Document identifier: saml-schema-authn-context-2.0
+      Location: http://docs.oasis-open.org/security/saml/v2.0/
+      Revision history:
+        V2.0 (March, 2005):
+          New core authentication context schema for SAML V2.0. 
+          This is just an include of all types from the schema
+          referred to in the include statement below.
+    </xs:documentation>
+  </xs:annotation>
+
+  <xs:include schemaLocation="saml-schema-authn-context-types-2.0.xsd"/>
+
+</xs:schema>

data/lib/schemas/saml-schema-authn-context-types-2.0.xsd

@@ -0,0 +1,821 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema 
+  xmlns:xs="http://www.w3.org/2001/XMLSchema"
+  elementFormDefault="qualified"
+  version="2.0">
+
+  <xs:annotation>
+    <xs:documentation>
+      Document identifier: saml-schema-authn-context-types-2.0
+      Location: http://docs.oasis-open.org/security/saml/v2.0/
+      Revision history:
+          V2.0 (March, 2005):
+          New core authentication context schema types for SAML V2.0. 
+    </xs:documentation>
+  </xs:annotation>
+
+  <xs:element name="AuthenticationContextDeclaration" type="AuthnContextDeclarationBaseType">
+    <xs:annotation>
+      <xs:documentation>
+        A particular assertion on an identity
+        provider's part with respect to the authentication
+        context associated with an authentication assertion.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Identification" type="IdentificationType">
+    <xs:annotation>
+      <xs:documentation>
+        Refers to those characteristics that describe the
+        processes and mechanisms
+        the Authentication Authority uses to initially create
+        an association between a Principal
+        and the identity (or name) by which the Principal will
+        be known
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="PhysicalVerification">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that identification has been
+        performed in a physical
+        face-to-face meeting with the principal and not in an
+        online manner.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:complexType>
+      <xs:attribute name="credentialLevel">
+        <xs:simpleType>
+          <xs:restriction base="xs:NMTOKEN">
+            <xs:enumeration value="primary"/>
+            <xs:enumeration value="secondary"/>
+          </xs:restriction>
+        </xs:simpleType>
+      </xs:attribute>
+    </xs:complexType>
+  </xs:element>
+
+  <xs:element name="WrittenConsent" type="ExtensionOnlyType"/>
+
+  <xs:element name="TechnicalProtection" type="TechnicalProtectionBaseType">
+    <xs:annotation>
+      <xs:documentation>
+        Refers to those characterstics that describe how the
+        'secret' (the knowledge or possession
+        of which allows the Principal to authenticate to the
+        Authentication Authority) is kept secure
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SecretKeyProtection" type="SecretKeyProtectionType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates the types and strengths of
+        facilities
+        of a UA used to protect a shared secret key from
+        unauthorized access and/or use.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="PrivateKeyProtection" type="PrivateKeyProtectionType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates the types and strengths of
+        facilities
+        of a UA used to protect a private key from
+        unauthorized access and/or use.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="KeyActivation" type="KeyActivationType">
+    <xs:annotation>
+      <xs:documentation>The actions that must be performed
+        before the private key can be used. </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="KeySharing" type="KeySharingType">
+    <xs:annotation>
+      <xs:documentation>Whether or not the private key is shared
+        with the certificate authority.</xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="KeyStorage" type="KeyStorageType">
+    <xs:annotation>
+      <xs:documentation>
+        In which medium is the key stored.
+        memory - the key is stored in memory.
+        smartcard - the key is stored in a smartcard.
+        token - the key is stored in a hardware token.
+        MobileDevice - the key is stored in a mobile device.
+        MobileAuthCard - the key is stored in a mobile
+        authentication card.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SubscriberLineNumber" type="ExtensionOnlyType"/>
+  <xs:element name="UserSuffix" type="ExtensionOnlyType"/>
+
+  <xs:element name="Password" type="PasswordType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that a password (or passphrase)
+        has been used to
+        authenticate the Principal to a remote system.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="ActivationPin" type="ActivationPinType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that a Pin (Personal
+        Identification Number) has been used to authenticate the Principal to
+        some local system in order to activate a key.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Token" type="TokenType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that a hardware or software
+        token is used
+        as a method of identifying the Principal.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="TimeSyncToken" type="TimeSyncTokenType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that a time synchronization
+        token is used to identify the Principal. hardware -
+        the time synchonization
+        token has been implemented in hardware. software - the
+        time synchronization
+        token has been implemented in software. SeedLength -
+        the length, in bits, of the
+        random seed used in the time synchronization token.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Smartcard" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that a smartcard is used to
+        identity the Principal.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Length" type="LengthType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates the minimum and/or maximum
+        ASCII length of the password which is enforced (by the UA or the
+        IdP). In other words, this is the minimum and/or maximum number of
+        ASCII characters required to represent a valid password.
+        min - the minimum number of ASCII characters required
+        in a valid password, as enforced by the UA or the IdP.
+        max - the maximum number of ASCII characters required
+        in a valid password, as enforced by the UA or the IdP.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="ActivationLimit" type="ActivationLimitType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates the length of time for which an
+        PIN-based authentication is valid.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Generation">
+    <xs:annotation>
+      <xs:documentation>
+        Indicates whether the password was chosen by the
+        Principal or auto-supplied by the Authentication Authority.
+        principalchosen - the Principal is allowed to choose
+        the value of the password. This is true even if
+        the initial password is chosen at random by the UA or
+        the IdP and the Principal is then free to change
+        the password.
+        automatic - the password is chosen by the UA or the
+        IdP to be cryptographically strong in some sense,
+        or to satisfy certain password rules, and that the
+        Principal is not free to change it or to choose a new password.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType>
+      <xs:attribute name="mechanism" use="required">
+        <xs:simpleType>
+          <xs:restriction base="xs:NMTOKEN">
+            <xs:enumeration value="principalchosen"/>
+            <xs:enumeration value="automatic"/>
+          </xs:restriction>
+        </xs:simpleType>
+      </xs:attribute>
+    </xs:complexType>
+  </xs:element>
+
+  <xs:element name="AuthnMethod" type="AuthnMethodBaseType">
+    <xs:annotation>
+      <xs:documentation>
+        Refers to those characteristics that define the
+        mechanisms by which the Principal authenticates to the Authentication
+        Authority.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="PrincipalAuthenticationMechanism" type="PrincipalAuthenticationMechanismType">
+    <xs:annotation>
+      <xs:documentation>
+        The method that a Principal employs to perform
+        authentication to local system components.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Authenticator" type="AuthenticatorBaseType">
+    <xs:annotation>
+      <xs:documentation>
+        The method applied to validate a principal's
+        authentication across a network
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="ComplexAuthenticator" type="ComplexAuthenticatorType">
+    <xs:annotation>
+      <xs:documentation>
+        Supports Authenticators with nested combinations of
+        additional complexity.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="PreviousSession" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        Indicates that the Principal has been strongly
+        authenticated in a previous session during which the IdP has set a
+        cookie in the UA. During the present session the Principal has only
+        been authenticated by the UA returning the cookie to the IdP.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="ResumeSession" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        Rather like PreviousSession but using stronger
+        security. A secret that was established in a previous session with
+        the Authentication Authority has been cached by the local system and
+        is now re-used (e.g. a Master Secret is used to derive new session
+        keys in TLS, SSL, WTLS).
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="ZeroKnowledge" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Principal has been
+        authenticated by a zero knowledge technique as specified in ISO/IEC
+        9798-5.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SharedSecretChallengeResponse" type="SharedSecretChallengeResponseType"/>
+
+  <xs:complexType name="SharedSecretChallengeResponseType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Principal has been
+        authenticated by a challenge-response protocol utilizing shared secret
+        keys and symmetric cryptography.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="method" type="xs:anyURI" use="optional"/>
+  </xs:complexType>
+
+  <xs:element name="DigSig" type="PublicKeyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Principal has been
+        authenticated by a mechanism which involves the Principal computing a
+        digital signature over at least challenge data provided by the IdP.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="AsymmetricDecryption" type="PublicKeyType">
+    <xs:annotation>
+      <xs:documentation>
+        The local system has a private key but it is used
+        in decryption mode, rather than signature mode. For example, the
+        Authentication Authority generates a secret and encrypts it using the
+        local system's public key: the local system then proves it has
+        decrypted the secret.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="AsymmetricKeyAgreement" type="PublicKeyType">
+    <xs:annotation>
+      <xs:documentation>
+        The local system has a private key and uses it for
+        shared secret key agreement with the Authentication Authority (e.g.
+        via Diffie Helman).
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:complexType name="PublicKeyType">
+    <xs:sequence>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="keyValidation" use="optional"/>
+  </xs:complexType>
+
+  <xs:element name="IPAddress" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Principal has been
+        authenticated through connection from a particular IP address.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SharedSecretDynamicPlaintext" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        The local system and Authentication Authority
+        share a secret key. The local system uses this to encrypt a
+        randomised string to pass to the Authentication Authority.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="AuthenticatorTransportProtocol" type="AuthenticatorTransportProtocolType">
+    <xs:annotation>
+      <xs:documentation>
+        The protocol across which Authenticator information is
+        transferred to an Authentication Authority verifier.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="HTTP" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Authenticator has been
+        transmitted using bare HTTP utilizing no additional security
+        protocols.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="IPSec" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Authenticator has been
+        transmitted using a transport mechanism protected by an IPSEC session.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  
+  <xs:element name="WTLS" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Authenticator has been
+        transmitted using a transport mechanism protected by a WTLS session.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="MobileNetworkNoEncryption" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Authenticator has been
+        transmitted solely across a mobile network using no additional
+        security mechanism.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="MobileNetworkRadioEncryption" type="ExtensionOnlyType"/>
+  <xs:element name="MobileNetworkEndToEndEncryption" type="ExtensionOnlyType"/>
+
+  <xs:element name="SSL" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Authenticator has been
+        transmitted using a transport mechnanism protected by an SSL or TLS
+        session.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  
+  <xs:element name="PSTN" type="ExtensionOnlyType"/>
+  <xs:element name="ISDN" type="ExtensionOnlyType"/>
+  <xs:element name="ADSL" type="ExtensionOnlyType"/>
+
+  <xs:element name="OperationalProtection" type="OperationalProtectionType">
+    <xs:annotation>
+      <xs:documentation>
+        Refers to those characteristics that describe
+        procedural security controls employed by the Authentication Authority.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SecurityAudit" type="SecurityAuditType"/>
+  <xs:element name="SwitchAudit" type="ExtensionOnlyType"/>
+  <xs:element name="DeactivationCallCenter" type="ExtensionOnlyType"/>
+
+  <xs:element name="GoverningAgreements" type="GoverningAgreementsType">
+    <xs:annotation>
+      <xs:documentation>
+        Provides a mechanism for linking to external (likely
+        human readable) documents in which additional business agreements,
+        (e.g. liability constraints, obligations, etc) can be placed.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="GoverningAgreementRef" type="GoverningAgreementRefType"/>
+
+  <xs:simpleType name="nymType">
+    <xs:restriction base="xs:NMTOKEN">
+      <xs:enumeration value="anonymity"/>
+      <xs:enumeration value="verinymity"/>
+      <xs:enumeration value="pseudonymity"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:complexType name="AuthnContextDeclarationBaseType">
+    <xs:sequence>
+      <xs:element ref="Identification" minOccurs="0"/>
+      <xs:element ref="TechnicalProtection" minOccurs="0"/>
+      <xs:element ref="OperationalProtection" minOccurs="0"/>
+      <xs:element ref="AuthnMethod" minOccurs="0"/>
+      <xs:element ref="GoverningAgreements" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="ID" type="xs:ID" use="optional"/>
+  </xs:complexType>
+  
+  <xs:complexType name="IdentificationType">
+    <xs:sequence>
+      <xs:element ref="PhysicalVerification" minOccurs="0"/>
+      <xs:element ref="WrittenConsent" minOccurs="0"/>
+      <xs:element ref="GoverningAgreements" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="nym" type="nymType">
+      <xs:annotation>
+        <xs:documentation>
+          This attribute indicates whether or not the
+          Identification mechanisms allow the actions of the Principal to be
+          linked to an actual end user.
+        </xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+  </xs:complexType>
+
+  <xs:complexType name="TechnicalProtectionBaseType">
+    <xs:sequence>
+      <xs:choice minOccurs="0">
+        <xs:element ref="PrivateKeyProtection"/>
+        <xs:element ref="SecretKeyProtection"/>
+      </xs:choice>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="OperationalProtectionType">
+    <xs:sequence>
+      <xs:element ref="SecurityAudit" minOccurs="0"/>
+      <xs:element ref="DeactivationCallCenter" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="AuthnMethodBaseType">
+    <xs:sequence>
+      <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+      <xs:element ref="Authenticator" minOccurs="0"/>
+      <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="GoverningAgreementsType">
+    <xs:sequence>
+      <xs:element ref="GoverningAgreementRef" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="GoverningAgreementRefType">
+    <xs:attribute name="governingAgreementRef" type="xs:anyURI" use="required"/>
+  </xs:complexType>
+
+  <xs:complexType name="PrincipalAuthenticationMechanismType">
+    <xs:sequence>
+      <xs:element ref="Password" minOccurs="0"/>
+      <xs:element ref="RestrictedPassword" minOccurs="0"/>
+      <xs:element ref="Token" minOccurs="0"/>
+      <xs:element ref="Smartcard" minOccurs="0"/>
+      <xs:element ref="ActivationPin" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="preauth" type="xs:integer" use="optional"/>
+  </xs:complexType>
+  
+  <xs:group name="AuthenticatorChoiceGroup">
+    <xs:choice>
+      <xs:element ref="PreviousSession"/>
+      <xs:element ref="ResumeSession"/>
+      <xs:element ref="DigSig"/>
+      <xs:element ref="Password"/>
+      <xs:element ref="RestrictedPassword"/>
+      <xs:element ref="ZeroKnowledge"/>
+      <xs:element ref="SharedSecretChallengeResponse"/>
+      <xs:element ref="SharedSecretDynamicPlaintext"/>
+      <xs:element ref="IPAddress"/>
+      <xs:element ref="AsymmetricDecryption"/>
+      <xs:element ref="AsymmetricKeyAgreement"/>
+      <xs:element ref="SubscriberLineNumber"/>
+      <xs:element ref="UserSuffix"/>
+      <xs:element ref="ComplexAuthenticator"/>
+    </xs:choice>
+  </xs:group>
+  
+  <xs:group name="AuthenticatorSequenceGroup">
+    <xs:sequence>
+      <xs:element ref="PreviousSession" minOccurs="0"/>
+      <xs:element ref="ResumeSession" minOccurs="0"/>
+      <xs:element ref="DigSig" minOccurs="0"/>
+      <xs:element ref="Password" minOccurs="0"/>
+      <xs:element ref="RestrictedPassword" minOccurs="0"/>
+      <xs:element ref="ZeroKnowledge" minOccurs="0"/>
+      <xs:element ref="SharedSecretChallengeResponse" minOccurs="0"/>
+      <xs:element ref="SharedSecretDynamicPlaintext" minOccurs="0"/>
+      <xs:element ref="IPAddress" minOccurs="0"/>
+      <xs:element ref="AsymmetricDecryption" minOccurs="0"/>
+      <xs:element ref="AsymmetricKeyAgreement" minOccurs="0"/>
+      <xs:element ref="SubscriberLineNumber" minOccurs="0"/>
+      <xs:element ref="UserSuffix" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:group>
+
+  <xs:complexType name="AuthenticatorBaseType">
+    <xs:sequence>
+      <xs:group ref="AuthenticatorChoiceGroup"/>
+      <xs:group ref="AuthenticatorSequenceGroup"/>
+    </xs:sequence>
+  </xs:complexType>
+  
+  <xs:complexType name="ComplexAuthenticatorType">
+    <xs:sequence>
+      <xs:group ref="AuthenticatorChoiceGroup"/>
+      <xs:group ref="AuthenticatorSequenceGroup"/>
+    </xs:sequence>
+  </xs:complexType>
+  
+  <xs:complexType name="AuthenticatorTransportProtocolType">
+    <xs:sequence>
+      <xs:choice minOccurs="0">
+        <xs:element ref="HTTP"/>
+        <xs:element ref="SSL"/>
+        <xs:element ref="MobileNetworkNoEncryption"/>
+        <xs:element ref="MobileNetworkRadioEncryption"/>
+        <xs:element ref="MobileNetworkEndToEndEncryption"/>
+        <xs:element ref="WTLS"/>
+        <xs:element ref="IPSec"/>
+        <xs:element ref="PSTN"/>
+        <xs:element ref="ISDN"/>
+        <xs:element ref="ADSL"/>
+      </xs:choice>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="KeyActivationType">
+    <xs:sequence>
+      <xs:element ref="ActivationPin" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="KeySharingType">
+    <xs:attribute name="sharing" type="xs:boolean" use="required"/>
+  </xs:complexType>
+
+  <xs:complexType name="PrivateKeyProtectionType">
+    <xs:sequence>
+      <xs:element ref="KeyActivation" minOccurs="0"/>
+      <xs:element ref="KeyStorage" minOccurs="0"/>
+      <xs:element ref="KeySharing" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="PasswordType">
+    <xs:sequence>
+      <xs:element ref="Length" minOccurs="0"/>
+      <xs:element ref="Alphabet" minOccurs="0"/>
+      <xs:element ref="Generation" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
+  </xs:complexType>
+
+  <xs:element name="RestrictedPassword" type="RestrictedPasswordType"/>
+
+  <xs:complexType name="RestrictedPasswordType">
+    <xs:complexContent>
+      <xs:restriction base="PasswordType">
+        <xs:sequence>
+          <xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>
+          <xs:element ref="Generation" minOccurs="0"/>
+          <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+        </xs:sequence>
+        <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
+      </xs:restriction>
+    </xs:complexContent>
+  </xs:complexType>
+  
+  <xs:complexType name="RestrictedLengthType">
+    <xs:complexContent>
+      <xs:restriction base="LengthType">
+        <xs:attribute name="min" use="required">
+          <xs:simpleType>
+            <xs:restriction base="xs:integer">
+              <xs:minInclusive value="3"/>
+            </xs:restriction>
+          </xs:simpleType>
+        </xs:attribute>
+        <xs:attribute name="max" type="xs:integer" use="optional"/>
+      </xs:restriction>
+    </xs:complexContent>
+  </xs:complexType>
+
+  <xs:complexType name="ActivationPinType">
+    <xs:sequence>
+      <xs:element ref="Length" minOccurs="0"/>
+      <xs:element ref="Alphabet" minOccurs="0"/>
+      <xs:element ref="Generation" minOccurs="0"/>
+      <xs:element ref="ActivationLimit" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+  
+  <xs:element name="Alphabet" type="AlphabetType"/>
+  <xs:complexType name="AlphabetType">
+    <xs:attribute name="requiredChars" type="xs:string" use="required"/>
+    <xs:attribute name="excludedChars" type="xs:string" use="optional"/>
+    <xs:attribute name="case" type="xs:string" use="optional"/>
+  </xs:complexType>
+  
+  <xs:complexType name="TokenType">
+    <xs:sequence>
+      <xs:element ref="TimeSyncToken"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+  
+  <xs:simpleType name="DeviceTypeType">
+    <xs:restriction base="xs:NMTOKEN">
+      <xs:enumeration value="hardware"/>
+      <xs:enumeration value="software"/>
+    </xs:restriction>
+  </xs:simpleType>
+  
+  <xs:simpleType name="booleanType">
+    <xs:restriction base="xs:NMTOKEN">
+      <xs:enumeration value="true"/>
+      <xs:enumeration value="false"/>
+    </xs:restriction>
+  </xs:simpleType>
+  
+  <xs:complexType name="TimeSyncTokenType">
+    <xs:attribute name="DeviceType" type="DeviceTypeType" use="required"/>
+    <xs:attribute name="SeedLength" type="xs:integer" use="required"/>
+    <xs:attribute name="DeviceInHand" type="booleanType" use="required"/>
+  </xs:complexType>
+  
+  <xs:complexType name="ActivationLimitType">
+    <xs:choice>
+      <xs:element ref="ActivationLimitDuration"/>
+      <xs:element ref="ActivationLimitUsages"/>
+      <xs:element ref="ActivationLimitSession"/>
+    </xs:choice>
+  </xs:complexType>
+  
+  <xs:element name="ActivationLimitDuration" type="ActivationLimitDurationType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Key Activation Limit is
+        defined as a specific duration of time.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  
+  <xs:element name="ActivationLimitUsages" type="ActivationLimitUsagesType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Key Activation Limit is
+        defined as a number of usages.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  
+  <xs:element name="ActivationLimitSession" type="ActivationLimitSessionType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Key Activation Limit is
+        the session.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  
+  <xs:complexType name="ActivationLimitDurationType">
+    <xs:attribute name="duration" type="xs:duration" use="required"/>
+  </xs:complexType>
+  
+  <xs:complexType name="ActivationLimitUsagesType">
+    <xs:attribute name="number" type="xs:integer" use="required"/>
+  </xs:complexType>
+  
+  <xs:complexType name="ActivationLimitSessionType"/>
+  
+  <xs:complexType name="LengthType">
+    <xs:attribute name="min" type="xs:integer" use="required"/>
+    <xs:attribute name="max" type="xs:integer" use="optional"/>
+  </xs:complexType>
+
+  <xs:simpleType name="mediumType">
+    <xs:restriction base="xs:NMTOKEN">
+      <xs:enumeration value="memory"/>
+      <xs:enumeration value="smartcard"/>
+      <xs:enumeration value="token"/>
+      <xs:enumeration value="MobileDevice"/>
+      <xs:enumeration value="MobileAuthCard"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:complexType name="KeyStorageType">
+    <xs:attribute name="medium" type="mediumType" use="required"/>
+  </xs:complexType>
+
+  <xs:complexType name="SecretKeyProtectionType">
+    <xs:sequence>
+      <xs:element ref="KeyActivation" minOccurs="0"/>
+      <xs:element ref="KeyStorage" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="SecurityAuditType">
+    <xs:sequence>
+      <xs:element ref="SwitchAudit" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="ExtensionOnlyType">
+    <xs:sequence>
+      <xs:element ref="Extension" minOccurs="0"  maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+  
+  <xs:element name="Extension" type="ExtensionType"/>
+
+  <xs:complexType name="ExtensionType">
+    <xs:sequence>
+      <xs:any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+</xs:schema>