1 <?xml version="1.0" encoding="UTF-8"?>
2 <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="urn:mace:shibboleth:2.0:idp:profile-handler" xmlns:service="urn:mace:shibboleth:2.0:services" targetNamespace="urn:mace:shibboleth:2.0:idp:profile-handler" elementFormDefault="qualified">
3
4     <xsd:include schemaLocation="classpath:/schema/shibboleth-2.0-profile-handler.xsd"/>
5
6     <xsd:import namespace="urn:mace:shibboleth:2.0:services" schemaLocation="classpath:/schema/shibboleth-2.0-services.xsd"/>
7
8     <xsd:annotation>
9         <xsd:documentation>
            This schema specifies the configuration options for Shibboleth IdP profile handlers and for the
            login (authentication) handlers that the SSO profile handlers rely on.
11         </xsd:documentation>
12     </xsd:annotation>
13
14     <xsd:complexType name="IdPProfileHandlerManager">
15         <xsd:annotation>
16             <xsd:documentation>Definition for the basic Shibboleth profile handler manager service.</xsd:documentation>
17         </xsd:annotation>
18         <xsd:complexContent>
19             <xsd:extension base="service:ReloadableServiceType"/>
20         </xsd:complexContent>
21     </xsd:complexType>
22
23     <xsd:element name="ProfileHandlerGroup">
24         <xsd:annotation>
25             <xsd:documentation>Root of a profile handler configuration file.</xsd:documentation>
26         </xsd:annotation>
27         <xsd:complexType>
28             <xsd:sequence>
29                 <xsd:element name="ErrorHandler" type="ErrorHandlerType"/>
30                 <xsd:element name="ProfileHandler" type="RequestHandlerType" minOccurs="0" maxOccurs="unbounded"/>
31                 <xsd:element name="LoginHandler" type="LoginHandlerType" minOccurs="0" maxOccurs="unbounded"/>
32             </xsd:sequence>
33         </xsd:complexType>
34     </xsd:element>
35
36     <xsd:complexType name="Status">
37         <xsd:annotation>
38             <xsd:documentation>Basic handler that returns a general status of the IdP.</xsd:documentation>
39         </xsd:annotation>
40         <xsd:complexContent>
41             <xsd:extension base="RequestURIMappedProfileHandlerType"/>
42         </xsd:complexContent>
43     </xsd:complexType>
44
45     <xsd:complexType name="SAMLMetadata">
46         <xsd:annotation>
47             <xsd:documentation>Basic handler that returns a general status of the IdP.</xsd:documentation>
48         </xsd:annotation>
49         <xsd:complexContent>
50             <xsd:extension base="RequestURIMappedProfileHandlerType">
51                 <xsd:attribute name="metadataFile" type="xsd:string" use="required">
52                     <xsd:annotation>
53                         <xsd:documentation>Location of the static IdP metadata file.</xsd:documentation>
54                     </xsd:annotation>
55                 </xsd:attribute>
56                 <xsd:attribute name="parserPoolRef" type="xsd:string" default="shibboleth.ParserPool">
57                     <xsd:annotation>
58                         <xsd:documentation>Reference to the parser pool used to parse the metadata.</xsd:documentation>
59                     </xsd:annotation>
60                 </xsd:attribute>
61             </xsd:extension>
62         </xsd:complexContent>
63     </xsd:complexType>
64
65     <xsd:complexType name="SAML2SSO">
66         <xsd:annotation>
67             <xsd:documentation>Configuration type for SAML 2 SSO profile handlers.</xsd:documentation>
68         </xsd:annotation>
69         <xsd:complexContent>
70             <xsd:extension base="SAML2ProfileHandler">
71                 <xsd:attribute name="authenticationManagerPath" type="xsd:string">
72                     <xsd:annotation>
73                         <xsd:documentation>
74                             The context relative path to the authentication manager used by this profile handler. This
75                             should match the URL pattern given in the web.xml
76                         </xsd:documentation>
77                     </xsd:annotation>
78                 </xsd:attribute>
79             </xsd:extension>
80         </xsd:complexContent>
81     </xsd:complexType>
82
83     <xsd:complexType name="SAML2SLO">
84         <xsd:annotation>
85             <xsd:documentation>Configuration type for SAML 2 SLO profile handlers.</xsd:documentation>
86         </xsd:annotation>
87         <xsd:complexContent>
88             <xsd:extension base="SAML2ProfileHandler" />
89         </xsd:complexContent>
90     </xsd:complexType>
91
92     <xsd:complexType name="SAML2ECP">
93         <xsd:annotation>
94             <xsd:documentation>Configuration type for ECP SAML 2 SSO profile handlers.</xsd:documentation>
95         </xsd:annotation>
96         <xsd:complexContent>
97             <xsd:extension base="SAML2ProfileHandler">
98                 <xsd:attribute name="authnContextClassRef" type="xsd:anyURI">
99                     <xsd:annotation>
100                         <xsd:documentation>
101                             A context class reference to insert into the assertions generated by the handler.
102                         </xsd:documentation>
103                     </xsd:annotation>
104                 </xsd:attribute>
105             </xsd:extension>
106         </xsd:complexContent>
107     </xsd:complexType>
108
109     <xsd:complexType name="SAML2AttributeQuery">
110         <xsd:annotation>
111             <xsd:documentation>Configuration type for SAML 2 Attribute Query profile handlers.</xsd:documentation>
112         </xsd:annotation>
113         <xsd:complexContent>
114             <xsd:extension base="SAML2ProfileHandler"/>
115         </xsd:complexContent>
116     </xsd:complexType>
117
118     <xsd:complexType name="SAML2ArtifactResolution">
119         <xsd:annotation>
120             <xsd:documentation>Configuration type for SAML 2 artifact resolution profile handlers.</xsd:documentation>
121         </xsd:annotation>
122         <xsd:complexContent>
123             <xsd:extension base="SAML2ProfileHandler">
124                 <xsd:attribute name="artifactMapRef" type="xsd:string" default="shibboleth.ArtifactMap">
125                     <xsd:annotation>
126                         <xsd:documentation>
127                             Reference to SAMLArtifactMap used by handler to resolve artifact strings into artifact
128                             objects.
129                         </xsd:documentation>
130                     </xsd:annotation>
131                 </xsd:attribute>
132             </xsd:extension>
133         </xsd:complexContent>
134     </xsd:complexType>
135
136     <xsd:complexType name="SAML2ProfileHandler" abstract="true">
137         <xsd:annotation>
138             <xsd:documentation>Base type for SAML 2 profile handlers.</xsd:documentation>
139         </xsd:annotation>
140         <xsd:complexContent>
141             <xsd:extension base="SAMLProfileHandler"/>
142         </xsd:complexContent>
143     </xsd:complexType>
144
145     <xsd:complexType name="ShibbolethSSO">
146         <xsd:annotation>
147             <xsd:documentation>Configuration type for Shibboleth 1 SSO profile handlers.</xsd:documentation>
148         </xsd:annotation>
149         <xsd:complexContent>
150             <xsd:extension base="SAML1ProfileHandler">
151                 <xsd:attribute name="authenticationManagerPath" type="xsd:string">
152                     <xsd:annotation>
153                         <xsd:documentation>
154                             The context relative path to the authentication manager used by this profile handler. This
155                             should match the URL pattern given in the web.xml
156                         </xsd:documentation>
157                     </xsd:annotation>
158                 </xsd:attribute>
159             </xsd:extension>
160         </xsd:complexContent>
161     </xsd:complexType>
162
163     <xsd:complexType name="SAML1AttributeQuery">
164         <xsd:annotation>
165             <xsd:documentation>Configuration type for SAML 1 Attribute Query profile handlers.</xsd:documentation>
166         </xsd:annotation>
167         <xsd:complexContent>
168             <xsd:extension base="SAML1ProfileHandler"/>
169         </xsd:complexContent>
170     </xsd:complexType>
171
172     <xsd:complexType name="SAML1ArtifactResolution">
173         <xsd:annotation>
174             <xsd:documentation>Configuration type for SAML 1 artifact resolution profile handlers.</xsd:documentation>
175         </xsd:annotation>
176         <xsd:complexContent>
177             <xsd:extension base="SAML1ProfileHandler">
178                 <xsd:attribute name="artifactMapRef" type="xsd:string" default="shibboleth.ArtifactMap">
179                     <xsd:annotation>
180                         <xsd:documentation>
181                             Reference to SAMLArtifactMap used by handler to resolve artifact strings into artifact
182                             objects.
183                         </xsd:documentation>
184                     </xsd:annotation>
185                 </xsd:attribute>
186             </xsd:extension>
187         </xsd:complexContent>
188     </xsd:complexType>
189
190     <xsd:complexType name="SAML1ProfileHandler" abstract="true">
191         <xsd:annotation>
192             <xsd:documentation>Base type for SAML 1 profile handlers.</xsd:documentation>
193         </xsd:annotation>
194         <xsd:complexContent>
195             <xsd:extension base="SAMLProfileHandler"/>
196         </xsd:complexContent>
197     </xsd:complexType>
198
199     <xsd:complexType name="SAMLProfileHandler" abstract="true">
200         <xsd:annotation>
201             <xsd:documentation>Base type for Shibboleth IdP SAML profile handlers.</xsd:documentation>
202         </xsd:annotation>
203         <xsd:complexContent>
204             <xsd:extension base="IdPProfileHandlerType">
205                 <xsd:attribute name="idGeneratorId" type="xsd:string" default="shibboleth.IdGenerator">
206                     <xsd:annotation>
207                         <xsd:documentation>
208                             The component ID of a generator used to generated things like response and assertion IDs.
209
210                             This setting should not be changed from its default unless the deployer fully understands
211                             the inter-relationship between IdP components.
212                         </xsd:documentation>
213                     </xsd:annotation>
214                 </xsd:attribute>
215                 <xsd:attribute name="inboundBinding" type="xsd:anyURI" use="required">
216                     <xsd:annotation>
217                         <xsd:documentation>The SAML message binding used by inbound messages.</xsd:documentation>
218                     </xsd:annotation>
219                 </xsd:attribute>
220                 <xsd:attribute name="outboundBindingEnumeration">
221                     <xsd:annotation>
222                         <xsd:documentation>
223                             An ordered list of outbound bindings supported by this profile handler. The order provided
224                             establishes the precedence given the bindings such that, from the left to right, the first
225                             binding also supported by the relying party will be used.
226                         </xsd:documentation>
227                     </xsd:annotation>
228                     <xsd:simpleType>
229                         <xsd:list itemType="xsd:anyURI"/>
230                     </xsd:simpleType>
231                 </xsd:attribute>
232             </xsd:extension>
233         </xsd:complexContent>
234     </xsd:complexType>
235
236     <xsd:complexType name="IdPProfileHandlerType" abstract="true">
237         <xsd:annotation>
238             <xsd:documentation>Base type for IdP profile handlers.</xsd:documentation>
239         </xsd:annotation>
240         <xsd:complexContent>
241             <xsd:extension base="ShibbolethProfileHandlerType"/>
242         </xsd:complexContent>
243     </xsd:complexType>
244
245     <xsd:complexType name="PreviousSession">
246         <xsd:complexContent>
247             <xsd:extension base="LoginHandlerType">
248                 <xsd:attribute name="servletPath" type="xsd:string">
249                     <xsd:annotation>
250                         <xsd:documentation>
251                             DEPRECATED. Optional servlet path to which the browser may be redirected.
252                         </xsd:documentation>
253                     </xsd:annotation>
254                 </xsd:attribute>
255                 <xsd:attribute name="reportPreviousSessionAuthnMethod" type="xsd:boolean">
256                     <xsd:annotation>
257                         <xsd:documentation>
258                             Whether this login handler should report its authentication method as PreviousSession or the
259                             authentication method requested by the peer.
260                         </xsd:documentation>
261                     </xsd:annotation>
262                 </xsd:attribute>
263                 <xsd:attribute name="supportsPassiveAuthentication" type="xsd:boolean">
264                     <xsd:annotation>
265                         <xsd:documentation>
266                             DEPRECATED. Whether this login handler, when redirecting to a servlet, support passives authentication.
267                         </xsd:documentation>
268                     </xsd:annotation>
269                 </xsd:attribute>
270             </xsd:extension>
271         </xsd:complexContent>
272     </xsd:complexType>
273     
274     <xsd:complexType name="ExternalAuthn">
275         <xsd:complexContent>
276             <xsd:extension base="LoginHandlerType">
277                 <xsd:attribute name="externalAuthnPath" type="xsd:string" use="required">
278                     <xsd:annotation>
279                         <xsd:documentation>
280                             The servlet context path to the
281                             edu.internet2.middleware.shibboleth.idp.authn.provider.ExternalAuthnSystemServlet instance
282                             protected by an external authentication system that is integrated with the web server, Servlet
283                             container, or IdP.
284                         </xsd:documentation>
285                     </xsd:annotation>
286                 </xsd:attribute>
287                 <xsd:attribute name="supportsForcedAuthentication" type="xsd:boolean">
288                     <xsd:annotation>
289                         <xsd:documentation>
290                             Indicates whether the external authentication supports force re-authentication.
291                         </xsd:documentation>
292                     </xsd:annotation>
293                 </xsd:attribute>
294                 <xsd:attribute name="supportsPassiveAuthentication" type="xsd:boolean">
295                     <xsd:annotation>
296                         <xsd:documentation>
297                             Indicates whether the external authentication supports passive authentication.
298                         </xsd:documentation>
299                     </xsd:annotation>
300                 </xsd:attribute>
301             </xsd:extension>
302         </xsd:complexContent>
303     </xsd:complexType>
304
305     <xsd:complexType name="RemoteUser">
306         <xsd:complexContent>
307             <xsd:extension base="LoginHandlerType">
308                 <xsd:attribute name="protectedServletPath" type="xsd:string">
309                     <xsd:annotation>
310                         <xsd:documentation>
311                             The servlet context path to the
312                             edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet instance
313                             protected by the container or web server.
314                         </xsd:documentation>
315                     </xsd:annotation>
316                 </xsd:attribute>
317             </xsd:extension>
318         </xsd:complexContent>
319     </xsd:complexType>
320
321     <xsd:complexType name="UsernamePassword">
322         <xsd:complexContent>
323             <xsd:extension base="LoginHandlerType">
324                 <xsd:attribute name="jaasConfigurationLocation" type="xsd:anyURI">
325                     <xsd:annotation>
326                         <xsd:documentation>
327                             Location of the JAAS configuration. If this attribute is used it will usually contain a file
328                             URL to a configuration on the local filesystem. However, this attribute need not be used and
329                             this information can be set within the VM in any manner supported by the JVM/container
330                             implementation.
331                         </xsd:documentation>
332                     </xsd:annotation>
333                 </xsd:attribute>
334                 <xsd:attribute name="authenticationServletURL" type="xsd:string">
335                     <xsd:annotation>
336                         <xsd:documentation>
337                             The servlet context path to the
338                             edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordAuthenticationServlet
339                             that will authenticate the user.
340                         </xsd:documentation>
341                     </xsd:annotation>
342                 </xsd:attribute>
343             </xsd:extension>
344         </xsd:complexContent>
345     </xsd:complexType>
346
347     <xsd:complexType name="IPAddress">
348         <xsd:complexContent>
349             <xsd:extension base="LoginHandlerType">
350                 <xsd:sequence>
351                     <xsd:element name="IPEntry" type="xsd:string" maxOccurs="unbounded">
352                         <xsd:annotation>
353                             <xsd:documentation>
354                                 An IP addresses in CIDR notation. For example, a single IP address of 192.168.1.1 would
355                                 have the CIDR notation of 192.168.1.1/32. For the entire 192.168.0.0 class B network,
356                                 the CIDR notation would be 192.168.0.0/16.
357                             </xsd:documentation>
358                         </xsd:annotation>
359                     </xsd:element>
360                 </xsd:sequence>
361                 <xsd:attribute name="username" type="xsd:string">
362                     <xsd:annotation>
363                         <xsd:documentation>
364                             The username that will be presented to the IdP for all IP-address authenticated users.
365                         </xsd:documentation>
366                     </xsd:annotation>
367                 </xsd:attribute>
368                 <xsd:attribute name="defaultDeny" type="xsd:boolean">
369                     <xsd:annotation>
370                         <xsd:documentation>
371                             If defaultDeny is true then only the IP addresses listed will be "authenticated." If
372                             defaultDeny is false, then all IP addresses except those listed will be authenticated.
373                         </xsd:documentation>
374                     </xsd:annotation>
375                 </xsd:attribute>
376             </xsd:extension>
377         </xsd:complexContent>
378     </xsd:complexType>
379
380     <xsd:complexType name="LoginHandlerType" abstract="true">
381         <xsd:annotation>
382             <xsd:documentation>Base type for authentication handler types.</xsd:documentation>
383         </xsd:annotation>
384         <xsd:sequence>
385             <xsd:element name="AuthenticationMethod" type="xsd:string" maxOccurs="unbounded">
386                 <xsd:annotation>
387                     <xsd:documentation>
388                         The authentication methods supported by this handler. In SAML these methods represent the SAML 2
389                         authentication contexts class and declaration reference URIs.
390                     </xsd:documentation>
391                 </xsd:annotation>
392             </xsd:element>
393         </xsd:sequence>
394         <xsd:attribute name="authenticationDuration" type="xsd:string">
395             <xsd:annotation>
396                 <xsd:documentation>
397                     The length of time that an authentication performed by this handler should be
398                     considered active. After which time a user, previously authenticated by this handler, must
399                     re-authenticate in order to assert the authentication method again.
400                     
401                     This duration should be expressed in ISO8601 format.
402                 </xsd:documentation>
403             </xsd:annotation>
404         </xsd:attribute>
405     </xsd:complexType>
406
407 </xsd:schema>