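<?xml version="1.0" encoding="UTF-8"?>

<xsd:schema targetNamespace="urn:mace:shibboleth:2.0:idp:profile-handler" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:mace:shibboleth:2.0:idp:profile-handler" xmlns:service="urn:mace:shibboleth:2.0:services"
    elementFormDefault="qualified">

    <!-- The classpath: schemaLocation values below are resolver hints for a classpath-aware entity resolver; they are
        expected to be resolved from the classpath, not fetched over the network. -->
    <xsd:include schemaLocation="classpath:/schema/shibboleth-2.0-profile-handler.xsd" />

    <xsd:import namespace="urn:mace:shibboleth:2.0:services"
        schemaLocation="classpath:/schema/shibboleth-2.0-services.xsd" />

    <xsd:annotation>
        <xsd:documentation>
            This schema specifies the configuration options for Shibboleth IdP profile handlers.
        </xsd:documentation>
    </xsd:annotation>

    <xsd:complexType name="IdPProfileHandlerManager">
        <xsd:annotation>
            <xsd:documentation>Definition for the basic Shibboleth profile handler manager service.</xsd:documentation>
        </xsd:annotation>
        <xsd:complexContent>
            <xsd:extension base="service:ReloadableServiceType" />
        </xsd:complexContent>
    </xsd:complexType>

    <xsd:element name="ProfileHandlerGroup">
        <xsd:annotation>
            <xsd:documentation>
                Root of a profile handler configuration file. Exactly one ErrorHandler is required; profile and
                authentication handlers are optional and may repeat.
            </xsd:documentation>
        </xsd:annotation>
        <xsd:complexType>
            <xsd:sequence>
                <xsd:element name="ErrorHandler" type="ErrorHandlerType" />
                <xsd:element name="ProfileHandler" type="RequestHandlerType" minOccurs="0" maxOccurs="unbounded" />
                <xsd:element name="AuthenticationHandler" type="AuthenticationHandlerType" minOccurs="0"
                    maxOccurs="unbounded" />
            </xsd:sequence>
        </xsd:complexType>
    </xsd:element>

    <xsd:complexType name="Status">
        <xsd:annotation>
            <xsd:documentation>Basic handler that returns a general status of the IdP.</xsd:documentation>
        </xsd:annotation>
        <xsd:complexContent>
            <xsd:extension base="RequestURIMappedProfileHandlerType" />
        </xsd:complexContent>
    </xsd:complexType>

    <xsd:complexType name="SAML2SSO">
        <xsd:annotation>
            <xsd:documentation>Configuration type for SAML 2 SSO profile handlers.</xsd:documentation>
        </xsd:annotation>
        <xsd:complexContent>
            <xsd:extension base="SAML2ProfileHandler">
                <xsd:attribute name="authenticationManagerPath" type="xsd:string" default="/AuthnEngine">
                    <xsd:annotation>
                        <xsd:documentation>
                            The context relative path to the authentication manager used by this profile handler. This
                            should match the URL pattern given in the web.xml.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
                <xsd:attribute name="decodingBinding" type="xsd:anyURI"
                    default="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
                    <xsd:annotation>
                        <xsd:documentation>
                            The URI of the binding used when decoding requests from relying parties.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
                <xsd:attribute name="securityPolicyFactoryId" type="xsd:string"
                    default="shibboleth.SAML2SSOMessageSecurityPolicyFactory">
                    <xsd:annotation>
                        <xsd:documentation>
                            The component ID of the security policy factory to use with the profile handler.

                            This setting should not be changed from its default unless the deployer fully understands
                            the inter-relationship between IdP components.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
                <xsd:attribute name="outboundBindingEnumeration"
                    default="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
                    <xsd:annotation>
                        <xsd:documentation>
                            An ordered list of outbound bindings supported by this profile handler. The order provided
                            establishes the precedence of the bindings: from left to right, the first binding also
                            supported by the relying party will be used.
                        </xsd:documentation>
                    </xsd:annotation>
                    <xsd:simpleType>
                        <xsd:list itemType="xsd:anyURI" />
                    </xsd:simpleType>
                </xsd:attribute>
            </xsd:extension>
        </xsd:complexContent>
    </xsd:complexType>

    <xsd:complexType name="SAML2AttributeQuery">
        <xsd:annotation>
            <xsd:documentation>Configuration type for SAML 2 Attribute Query profile handlers.</xsd:documentation>
        </xsd:annotation>
        <xsd:complexContent>
            <xsd:extension base="SAML2ProfileHandler">
                <xsd:attribute name="securityPolicyFactoryId" type="xsd:string"
                    default="shibboleth.SAML2AttributeQueryMessageSecurityPolicyFactory">
                    <xsd:annotation>
                        <xsd:documentation>
                            The component ID of the security policy factory to use with the profile handler.

                            This setting should not be changed from its default unless the deployer fully understands
                            the inter-relationship between IdP components.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
            </xsd:extension>
        </xsd:complexContent>
    </xsd:complexType>

    <xsd:complexType name="SAML2ProfileHandler" abstract="true">
        <xsd:annotation>
            <xsd:documentation>Base type for SAML 2 profile handlers.</xsd:documentation>
        </xsd:annotation>
        <xsd:complexContent>
            <xsd:extension base="SAMLProfileHandler" />
        </xsd:complexContent>
    </xsd:complexType>

    <xsd:complexType name="ShibbolethSSO">
        <xsd:annotation>
            <xsd:documentation>Configuration type for Shibboleth 1 SSO profile handlers.</xsd:documentation>
        </xsd:annotation>
        <!-- NOTE(review): unlike SAML2SSO and both attribute query types, no securityPolicyFactoryId attribute is
            declared for this SSO type; confirm whether that omission is intentional. -->
        <xsd:complexContent>
            <xsd:extension base="SAML1ProfileHandler">
                <xsd:attribute name="authenticationManagerPath" type="xsd:string" default="/AuthnEngine">
                    <xsd:annotation>
                        <xsd:documentation>
                            The context relative path to the authentication manager used by this profile handler. This
                            should match the URL pattern given in the web.xml.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
                <xsd:attribute name="outboundBindingEnumeration"
                    default="urn:oasis:names:tc:SAML:1.0:profiles:browser-post">
                    <xsd:annotation>
                        <xsd:documentation>
                            An ordered list of outbound bindings supported by this profile handler. The order provided
                            establishes the precedence of the bindings: from left to right, the first binding also
                            supported by the relying party will be used.
                        </xsd:documentation>
                    </xsd:annotation>
                    <xsd:simpleType>
                        <xsd:list itemType="xsd:anyURI" />
                    </xsd:simpleType>
                </xsd:attribute>
            </xsd:extension>
        </xsd:complexContent>
    </xsd:complexType>

    <xsd:complexType name="SAML1AttributeQuery">
        <xsd:annotation>
            <xsd:documentation>Configuration type for SAML 1 Attribute Query profile handlers.</xsd:documentation>
        </xsd:annotation>
        <xsd:complexContent>
            <xsd:extension base="SAML1ProfileHandler">
                <xsd:attribute name="securityPolicyFactoryId" type="xsd:string"
                    default="shibboleth.SAML1AttributeQueryMessageSecurityPolicyFactory">
                    <xsd:annotation>
                        <xsd:documentation>
                            The component ID of the security policy factory to use with the profile handler.

                            This setting should not be changed from its default unless the deployer fully understands
                            the inter-relationship between IdP components.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
            </xsd:extension>
        </xsd:complexContent>
    </xsd:complexType>

    <xsd:complexType name="SAML1ProfileHandler" abstract="true">
        <xsd:annotation>
            <xsd:documentation>Base type for SAML 1 profile handlers.</xsd:documentation>
        </xsd:annotation>
        <xsd:complexContent>
            <xsd:extension base="SAMLProfileHandler" />
        </xsd:complexContent>
    </xsd:complexType>

    <xsd:complexType name="SAMLProfileHandler" abstract="true">
        <xsd:annotation>
            <xsd:documentation>Base type for Shibboleth IdP SAML profile handlers.</xsd:documentation>
        </xsd:annotation>
        <xsd:complexContent>
            <xsd:extension base="IdPProfileHandlerType">
                <xsd:attribute name="messageDecoderFactoryId" type="xsd:string"
                    default="shibboleth.MessageDecoderFactory">
                    <xsd:annotation>
                        <xsd:documentation>
                            The component ID of the message decoder to use with the profile handler.

                            This setting should not be changed from its default unless the deployer fully understands
                            the inter-relationship between IdP components.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
                <xsd:attribute name="messageEncoderFactoryId" type="xsd:string"
                    default="shibboleth.MessageEncoderFactory">
                    <xsd:annotation>
                        <xsd:documentation>
                            The component ID of the message encoder to use with the profile handler.

                            This setting should not be changed from its default unless the deployer fully understands
                            the inter-relationship between IdP components.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
                <xsd:attribute name="idGeneratorId" type="xsd:string" default="shibboleth.IdGenerator">
                    <xsd:annotation>
                        <xsd:documentation>
                            The component ID of a generator used to generate identifiers such as response and
                            assertion IDs.

                            This setting should not be changed from its default unless the deployer fully understands
                            the inter-relationship between IdP components.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
            </xsd:extension>
        </xsd:complexContent>
    </xsd:complexType>

    <xsd:complexType name="IdPProfileHandlerType" abstract="true">
        <xsd:annotation>
            <xsd:documentation>Base type for IdP profile handlers.</xsd:documentation>
        </xsd:annotation>
        <xsd:complexContent>
            <xsd:extension base="ShibbolethProfileHandlerType" />
        </xsd:complexContent>
    </xsd:complexType>

    <xsd:complexType name="RemoteUser">
        <xsd:annotation>
            <xsd:documentation>
                Configuration type for the authentication handler that defers authentication to the servlet
                container or web server protecting its servlet path.
            </xsd:documentation>
        </xsd:annotation>
        <xsd:complexContent>
            <xsd:extension base="AuthenticationHandlerType">
                <xsd:attribute name="protectedServletPath" type="xsd:string" default="/Authn/RemoteUser">
                    <xsd:annotation>
                        <xsd:documentation>
                            The servlet context path to the
                            edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet instance
                            protected by the container or web server. The handler relies on that protection: the
                            path must actually be covered by the container's or web server's authentication
                            constraint.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
            </xsd:extension>
        </xsd:complexContent>
    </xsd:complexType>

    <xsd:complexType name="UsernamePassword">
        <xsd:annotation>
            <xsd:documentation>
                Configuration type for the authentication handler that validates a username and password through
                JAAS.
            </xsd:documentation>
        </xsd:annotation>
        <xsd:complexContent>
            <xsd:extension base="AuthenticationHandlerType">
                <xsd:attribute name="jaasConfigurationLocation" type="xsd:anyURI">
                    <xsd:annotation>
                        <xsd:documentation>
                            Location of the JAAS configuration. If this attribute is used it will usually contain a file
                            URL to a configuration on the local filesystem. However, this attribute need not be used and
                            this information can be set within the VM in any manner supported by the JVM/container
                            implementation. A JAAS configuration commonly carries credentials for the login modules it
                            configures, so the referenced file should be readable only by the IdP process.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
                <xsd:attribute name="protectedServletPath" type="xsd:string" default="/Authn/UserPassword">
                    <xsd:annotation>
                        <xsd:documentation>
                            The servlet context path to the
                            edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordAuthenticationServlet
                            that will authenticate the user.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
            </xsd:extension>
        </xsd:complexContent>
    </xsd:complexType>

    <xsd:complexType name="AuthenticationHandlerType" abstract="true">
        <xsd:annotation>
            <xsd:documentation>Base type for authentication handler types.</xsd:documentation>
        </xsd:annotation>
        <xsd:sequence>
            <xsd:element name="AuthenticationMethod" type="xsd:string" maxOccurs="unbounded">
                <xsd:annotation>
                    <xsd:documentation>
                        The authentication methods supported by this handler; at least one is required. In SAML these
                        methods represent the SAML 2 authentication context class and declaration reference URIs.
                    </xsd:documentation>
                </xsd:annotation>
            </xsd:element>
        </xsd:sequence>
        <xsd:attribute name="authenticationDuration" type="xsd:positiveInteger" default="30">
            <xsd:annotation>
                <xsd:documentation>
                    The length of time, in minutes, that an authentication performed by this handler should be
                    considered active. After that time a user previously authenticated by this handler must
                    re-authenticate in order to assert the authentication method again.
                </xsd:documentation>
            </xsd:annotation>
        </xsd:attribute>
    </xsd:complexType>

</xsd:schema>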