| <?xml version="1.0" encoding="UTF-8"?> |
| <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> |
| |
| <xs:element name="FedizConfig"> |
| <xs:complexType> |
| <xs:sequence minOccurs="1" maxOccurs="unbounded"> |
| <xs:element ref="contextConfig" /> |
| </xs:sequence> |
| </xs:complexType> |
| </xs:element> |
| |
| <xs:element name="contextConfig"> |
| <xs:complexType> |
| <xs:sequence> |
| <xs:element ref="audienceUris" minOccurs="0" /> |
| <xs:element ref="certificateValidation" /> |
| <xs:element ref="certificateStores" /> |
| <xs:element ref="tokenExpirationValidation" minOccurs="0" /> |
| <xs:element ref="addAuthenticatedRole" minOccurs="0" /> |
| <xs:element ref="maximumClockSkew" /> |
| <xs:element ref="tokenReplayCache" /> |
| <xs:element ref="serviceCertificate" /> |
| <xs:element ref="signingKey" /> |
| <xs:element ref="tokenDecryptionKey" /> |
| <xs:element ref="trustedIssuers" /> |
| <xs:element ref="protocol" /> |
| <xs:element ref="claimsProcessor" minOccurs="0" /> |
| <xs:element ref="logoutURL" minOccurs="0" /> |
| <xs:element ref="logoutRedirectTo" minOccurs="0" /> |
| <xs:element ref="logoutRedirectToConstraint" minOccurs="0" /> |
| <xs:element ref="requestStateValidation" minOccurs="0" /> |
| </xs:sequence> |
| <xs:attribute name="name" use="required" type="xs:string" /> |
| |
| </xs:complexType> |
| </xs:element> |
| |
| <xs:element name="trustedIssuers"> |
| <xs:complexType> |
| <xs:sequence minOccurs="1" maxOccurs="unbounded"> |
| <xs:element name="issuer" type="TrustedIssuerType" /> |
| </xs:sequence> |
| </xs:complexType> |
| </xs:element> |
| |
| <xs:complexType name="TrustedIssuerType"> |
| <xs:attribute name="name" type="xs:string" use="optional" /> |
| <xs:attribute name="certificateValidation" type="validationType" use="optional" /> |
| <xs:attribute name="subject" type="xs:string" use="optional" /> |
| </xs:complexType> |
| |
| <xs:element name="certificateStores"> |
| <xs:complexType> |
| <xs:sequence minOccurs="1" maxOccurs="unbounded"> |
| <xs:element name="trustManager" type="TrustManagersType" /> |
| </xs:sequence> |
| </xs:complexType> |
| </xs:element> |
| |
| <xs:element name="audienceUris"> |
| <xs:annotation> |
| <xs:documentation>If a SAML token contains a audience restriction which is not listed |
| within this collection, |
| the token will be refused. |
| </xs:documentation> |
| </xs:annotation> |
| <xs:complexType> |
| <xs:sequence minOccurs="0" maxOccurs="unbounded"> |
| <xs:element ref="audienceItem" /> |
| </xs:sequence> |
| </xs:complexType> |
| </xs:element> |
| |
| <xs:element name="audienceItem" type="xs:anyURI"> |
| <xs:annotation> |
| <xs:documentation>Valid value within the SAML token audience restriction element.</xs:documentation> |
| </xs:annotation> |
| </xs:element> |
| |
| <xs:element name="certificateValidation" type="validationType" /> |
| |
| <xs:simpleType name="validationType"> |
| <xs:restriction base="xs:string"> |
| <xs:enumeration value="PeerTrust" /> |
| <xs:enumeration value="ChainTrust" /> |
| </xs:restriction> |
| </xs:simpleType> |
| |
| <xs:element name="maximumClockSkew" type="xs:integer" default="5" /> |
| |
| <xs:element name="tokenExpirationValidation" type="xs:boolean" default="false" > |
| <xs:annotation> |
| <xs:documentation>Decision whether the token validation (e.g. lifetime) shall be |
| performed on every request |
| (true) or only once at initial authentication (false). |
| </xs:documentation> |
| </xs:annotation> |
| </xs:element> |
| |
| <xs:element name="addAuthenticatedRole" type="xs:boolean" default="false" > |
| <xs:annotation> |
| <xs:documentation>Whether to add the "Authenticated" role to the list of roles associated |
| with the "authenticated" user. This could be useful if you don't care about authorizing |
| the user, only about authentication. A role is required to activate authentication, and it |
| may be problematic to list all relevant roles in web.xml. Note that if the user has no |
| roles, then the "Authenticated" role is added automatically. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:element> |
| |
| <xs:element name="tokenReplayCache" type="xs:string" /> |
| |
| <xs:element name="serviceCertificate" type="KeyManagersType" /> |
| |
| <xs:element name="signingKey" type="KeyManagersType"> |
| <xs:annotation> |
| <xs:documentation>Signing key required to generate a XML signature element within the federation |
| metadata |
| document, as well as for generating a signed signin request. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:element> |
| |
| <xs:element name="tokenDecryptionKey" type="KeyManagersType" /> |
| |
| <xs:element name="protocol" type="protocolType" /> |
| |
| <xs:element name="logoutURL" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation>User defined logout URL to trigger federated logout process. This URL will be |
| available in |
| addition to the 'wa=wsignout1.0' URL parameter. |
| If the URL is overlapping an existing resource URL, the |
| logout handling will be performed instead of |
| accessing the resource. |
| Example: '/logout' |
| </xs:documentation> |
| </xs:annotation> |
| </xs:element> |
| |
| <xs:element name="logoutRedirectTo" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation>URL to landing-page after successful logout. |
| Example: '/index.jsp' |
| </xs:documentation> |
| </xs:annotation> |
| </xs:element> |
| |
| <xs:complexType name="federationProtocolType"> |
| <xs:complexContent> |
| <xs:extension base="protocolType"> |
| <xs:sequence> |
| <xs:element ref="authenticationType" /> |
| <xs:element ref="homeRealm" /> |
| <xs:element ref="freshness" /> |
| <xs:element ref="request" /> |
| <xs:element ref="signInQuery" /> |
| <xs:element ref="signOutQuery" /> |
| </xs:sequence> |
| <xs:attribute name="version" use="required" type="xs:string" /> |
| </xs:extension> |
| </xs:complexContent> |
| </xs:complexType> |
| |
| <xs:complexType name="samlProtocolType"> |
| <xs:complexContent> |
| <xs:extension base="protocolType"> |
| <xs:sequence> |
| <xs:element ref="signRequest" /> |
| <xs:element ref="authnRequestBuilder" /> |
| <xs:element ref="disableDeflateEncoding" /> |
| <xs:element ref="disableClientAddressCheck" /> |
| <xs:element ref="doNotEnforceKnownIssuer" /> |
| <xs:element ref="doNotEnforceEncryptedAssertionsSigned" /> |
| <xs:element ref="issuerLogoutURL" /> |
| </xs:sequence> |
| <xs:attribute name="version" use="required" type="xs:string" /> |
| </xs:extension> |
| </xs:complexContent> |
| </xs:complexType> |
| |
| <xs:element name="roleDelimiter" type="xs:string" /> |
| <xs:element name="roleURI" type="xs:string" /> |
| <xs:element name="realm" type="CallbackType" /> |
| <xs:element name="applicationServiceURL" type="xs:string" /> |
| <xs:element name="metadataURI" type="xs:string" /> |
| |
| <xs:element name="signRequest" type="SignRequestType" /> |
| <xs:element name="authnRequestBuilder" type="xs:string" /> |
| <xs:element name="disableDeflateEncoding" type="xs:boolean" /> |
| <xs:element name="doNotEnforceKnownIssuer" type="xs:boolean" /> |
| <xs:element name="doNotEnforceEncryptedAssertionsSigned" type="xs:boolean" /> |
| <xs:element name="issuerLogoutURL" type="xs:string" /> |
| <xs:element name="disableClientAddressCheck" type="xs:boolean"/> |
| |
| <xs:complexType name="protocolType" abstract="true"> |
| <xs:sequence> |
| <xs:element ref="applicationServiceURL" /> |
| <xs:element ref="roleDelimiter" /> |
| <xs:element ref="roleURI" /> |
| <xs:element ref="claimTypesRequested" /> |
| <xs:element ref="issuer" /> |
| <xs:element ref="realm" /> |
| <xs:element ref="tokenValidators" /> |
| <xs:element ref="metadataURI" /> |
| <xs:element ref="reply" /> |
| </xs:sequence> |
| </xs:complexType> |
| |
| <xs:complexType name="SignRequestType"> |
| <xs:simpleContent> |
| <xs:extension base="xs:boolean"> |
| <xs:attribute name="algorithm" type="signatureDigestAlgorithmType" /> |
| </xs:extension> |
| </xs:simpleContent> |
| </xs:complexType> |
| |
| <xs:simpleType name="signatureDigestAlgorithmType"> |
| <xs:restriction base="xs:string"> |
| <xs:enumeration value="RSA_SHA1" /> |
| <xs:enumeration value="RSA_SHA256" /> |
| </xs:restriction> |
| </xs:simpleType> |
| |
| <xs:complexType name="CallbackType"> |
| <xs:simpleContent> |
| <xs:extension base="xs:string"> |
| <xs:attribute name="type" type="argumentType" /> |
| </xs:extension> |
| </xs:simpleContent> |
| </xs:complexType> |
| |
| <xs:element name="logoutRedirectToConstraint" type="CallbackType"> |
| <xs:annotation> |
| <xs:documentation>A regular expression constraint on the 'wreply' parameter, which is used to obtain the URL to |
| navigate to after successful logout. If the constraint is not specified, then the 'wreply' parameter is ignored |
| and instead the URL is taken from the "logoutRedirectTo" configuration option. |
| Example: 'https://localhost:12345/logout.*/'. Alternatively it can be specified in a CallbackHandler |
| </xs:documentation> |
| </xs:annotation> |
| </xs:element> |
| |
| <xs:element name="issuer" type="CallbackType" /> |
| <xs:element name="homeRealm" type="CallbackType" /> |
| <xs:element name="authenticationType" type="CallbackType" /> |
| <xs:element name="request" type="CallbackType" /> |
| <xs:element name="freshness" type="CallbackType" /> |
| <xs:element name="signInQuery" type="CallbackType" /> |
| <xs:element name="signOutQuery" type="CallbackType" /> |
| <xs:element name="reply" type="CallbackType" /> |
| <xs:element name="claimsProcessor" type="CallbackType" /> |
| |
| <xs:simpleType name="argumentType"> |
| <xs:restriction base="xs:string"> |
| <xs:enumeration value="Class" /> |
| <xs:enumeration value="String" /> |
| </xs:restriction> |
| </xs:simpleType> |
| |
| <xs:element name="claimTypesRequested"> |
| <xs:complexType> |
| <xs:sequence minOccurs="1" maxOccurs="unbounded"> |
| <xs:element ref="claimType" /> |
| </xs:sequence> |
| </xs:complexType> |
| </xs:element> |
| |
| <xs:element name="claimType"> |
| <xs:complexType> |
| <xs:attribute name="optional" use="required" type="optionalType" /> |
| <xs:attribute name="type" use="required" type="xs:string" /> |
| </xs:complexType> |
| </xs:element> |
| |
| <xs:element name="tokenValidators"> |
| <xs:complexType> |
| <xs:sequence minOccurs="1" maxOccurs="unbounded"> |
| <xs:element name="validator" type="xs:string" /> |
| </xs:sequence> |
| </xs:complexType> |
| </xs:element> |
| |
| <xs:simpleType name="optionalType"> |
| <xs:restriction base="xs:boolean" /> |
| </xs:simpleType> |
| |
| |
| <xs:complexType name="TrustManagersType"> |
| <xs:annotation> |
| <xs:documentation> |
| This structure contains the specification of JSSE |
| TrustManagers for |
| a single Keystore used for trusted certificates. |
| </xs:documentation> |
| </xs:annotation> |
| <xs:sequence minOccurs="1" maxOccurs="1"> |
| <xs:element name="keyStore" type="KeyStoreType" minOccurs="1"> |
| <xs:annotation> |
| <xs:documentation> |
| This element contains the KeyStore used as a |
| trust |
| store. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:element> |
| </xs:sequence> |
| <xs:attribute name="provider" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute contains the KeyManagers provider |
| name. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| <xs:attribute name="factoryAlgorithm" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute contains the algorithm the KeyManagers Factory |
| will use in creating the KeyManagers from the KeyStore. Most |
| common examples are "PKIX". |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| </xs:complexType> |
| |
| <xs:complexType name="KeyStoreType"> |
| <xs:annotation> |
| <xs:documentation> |
| A KeyStoreType represents the information needed to |
| load a collection |
| of key and certificate material from a desired |
| location. |
| The "url", "file", and "resource" attributes are intended |
| to be |
| mutually exclusive, though this assumption is not encoded in |
| schema. |
| The precedence order observed by the runtime is |
| 1) "file", 2) |
| "resource", and 3) "url". |
| </xs:documentation> |
| </xs:annotation> |
| <xs:attribute name="type" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute specifies the type of the keystore. |
| It is highly correlated to the provider. Most common examples |
| are |
| "jks" "pkcs12". |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| <xs:attribute name="password" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute specifies the integrity password for |
| the keystore. |
| This is not the password that unlock keys within the |
| keystore. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| <xs:attribute name="provider" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute specifies the keystore |
| implementation provider. |
| Most common examples are "SUN". |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| <xs:attribute name="url" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute specifies the URL location of the |
| keystore. |
| This element should be a properly accessible URL, such as |
| "http://..." "file:///...", etc. Only one attribute of |
| "url", |
| "file", or "resource" is allowed. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| <xs:attribute name="file" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute specifies the File location of the |
| keystore. |
| This element should be a properly accessible file from the |
| working directory. Only one attribute of |
| "url", "file", or |
| "resource" is allowed. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| <xs:attribute name="resource" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute specifies the Resource location of |
| the keystore. |
| This element should be a properly accessible on the |
| classpath. |
| Only one attribute of "url", "file", or "resource" is |
| allowed. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| </xs:complexType> |
| |
| <xs:complexType name="CertStoreType"> |
| <xs:annotation> |
| <xs:documentation> |
| A CertStoreType represents a catenated sequence of |
| X.509 certificates, |
| in PEM or DER format. |
| The "url", "file", and |
| "resource" attributes are intended to be |
| mutually exclusive, though |
| this assumption is not encoded in schema. |
| The precedence order |
| observed by the runtime is |
| 1) "file", 2) "resource", and 3) "url". |
| </xs:documentation> |
| </xs:annotation> |
| <xs:attribute name="file" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute specifies the File location of the |
| certificate store. |
| This element should be a properly accessible file |
| from the working directory. Only one attribute of |
| "url", "file", or |
| "resource" is allowed. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| <xs:attribute name="resource" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute specifies the Resource location of |
| the certificate store. |
| This element should be a properly accessible |
| on the classpath. |
| Only one attribute of "url", "file", or "resource" |
| is allowed. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| <xs:attribute name="url" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute specifies the URL location of the |
| certificate store. |
| This element should be a properly accessible URL, |
| such as |
| "http://..." "file:///...", etc. Only one attribute of |
| "url", "file", or "resource" is allowed. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| </xs:complexType> |
| |
| |
| |
| <xs:complexType name="KeyManagersType"> |
| <xs:annotation> |
| <xs:documentation> |
| This structure specifies the JSSE based KeyManagers |
| for a single Keystore. |
| </xs:documentation> |
| </xs:annotation> |
| |
| <xs:sequence> |
| <xs:element name="keyStore" type="KeyStoreType" minOccurs="0"> |
| <xs:annotation> |
| <xs:documentation> |
| This element specified the Keystore for these |
| JSSE KeyManagers. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:element> |
| </xs:sequence> |
| <xs:attribute name="keyPassword" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute contains the password that unlocks |
| the keys within the keystore. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| <xs:attribute name="keyAlias" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute contains the alias of the selected |
| key within the keystore. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| |
| <xs:attribute name="provider" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute contains the KeyManagers provider name. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| <xs:attribute name="factoryAlgorithm" type="xs:string"> |
| <xs:annotation> |
| <xs:documentation> |
| This attribute contains the algorithm the KeyManagers Factory |
| will use in creating the KeyManagers from the KeyStore. Most |
| common examples are "PKIX". |
| </xs:documentation> |
| </xs:annotation> |
| </xs:attribute> |
| </xs:complexType> |
| |
| <xs:element name="requestStateValidation" type="xs:boolean" default="true" > |
| <xs:annotation> |
| <xs:documentation>Decision whether the received state must match the |
| state saved in the context. |
| </xs:documentation> |
| </xs:annotation> |
| </xs:element> |
| |
| </xs:schema> |