1 <?xml version="1.0" encoding="UTF-8"?>
2 <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="urn:mace:shibboleth:2.0:idp:profile-handler" xmlns:service="urn:mace:shibboleth:2.0:services" targetNamespace="urn:mace:shibboleth:2.0:idp:profile-handler" elementFormDefault="qualified">
4 <xsd:include schemaLocation="classpath:/schema/shibboleth-2.0-profile-handler.xsd"/>
6 <xsd:import namespace="urn:mace:shibboleth:2.0:services" schemaLocation="classpath:/schema/shibboleth-2.0-services.xsd"/>
10 This schema specifies the configuration options for Shibboleth IdP profile handlers.
14 <xsd:complexType name="IdPProfileHandlerManager">
16 <xsd:documentation>Definition for the basic Shibboleth profile handler manager service.</xsd:documentation>
19 <xsd:extension base="service:ReloadableServiceType"/>
23 <xsd:element name="ProfileHandlerGroup">
25 <xsd:documentation>Root of a profile handler configuration file.</xsd:documentation>
29 <xsd:element name="ErrorHandler" type="ErrorHandlerType"/>
30 <xsd:element name="ProfileHandler" type="RequestHandlerType" minOccurs="0" maxOccurs="unbounded"/>
31 <xsd:element name="LoginHandler" type="LoginHandlerType" minOccurs="0" maxOccurs="unbounded"/>
36 <xsd:complexType name="Status">
38 <xsd:documentation>Basic handler that returns a general status of the IdP.</xsd:documentation>
41 <xsd:extension base="RequestURIMappedProfileHandlerType"/>
45 <xsd:complexType name="SAMLMetadata">
47 <xsd:documentation>Basic handler that returns the static IdP metadata file.</xsd:documentation>
50 <xsd:extension base="RequestURIMappedProfileHandlerType">
51 <xsd:attribute name="metadataFile" type="xsd:string" use="required">
53 <xsd:documentation>Location of the static IdP metadata file.</xsd:documentation>
56 <xsd:attribute name="parserPoolRef" type="xsd:string" default="shibboleth.ParserPool">
58 <xsd:documentation>Reference to the parser pool used to parse the metadata.</xsd:documentation>
65 <xsd:complexType name="SAML2SSO">
67 <xsd:documentation>Configuration type for SAML 2 SSO profile handlers.</xsd:documentation>
70 <xsd:extension base="SAML2ProfileHandler">
71 <xsd:attribute name="authenticationManagerPath" type="xsd:string">
74 The context-relative path to the authentication manager used by this profile handler. This
75 should match the URL pattern given in the web.xml
83 <xsd:complexType name="SAML2SLO">
85 <xsd:documentation>Configuration type for SAML 2 SLO profile handlers.</xsd:documentation>
88 <xsd:extension base="SAML2ProfileHandler" />
92 <xsd:complexType name="SAML2ECP">
94 <xsd:documentation>Configuration type for ECP SAML 2 SSO profile handlers.</xsd:documentation>
97 <xsd:extension base="SAML2ProfileHandler">
98 <xsd:attribute name="authnContextClassRef" type="xsd:anyURI">
101 A context class reference to insert into the assertions generated by the handler.
106 </xsd:complexContent>
109 <xsd:complexType name="SAML2AttributeQuery">
111 <xsd:documentation>Configuration type for SAML 2 Attribute Query profile handlers.</xsd:documentation>
114 <xsd:extension base="SAML2ProfileHandler"/>
115 </xsd:complexContent>
118 <xsd:complexType name="SAML2ArtifactResolution">
120 <xsd:documentation>Configuration type for SAML 2 artifact resolution profile handlers.</xsd:documentation>
123 <xsd:extension base="SAML2ProfileHandler">
124 <xsd:attribute name="artifactMapRef" type="xsd:string" default="shibboleth.ArtifactMap">
127 Reference to the SAMLArtifactMap used by the handler to resolve artifact strings into artifact
133 </xsd:complexContent>
136 <xsd:complexType name="SAML2ProfileHandler" abstract="true">
138 <xsd:documentation>Base type for SAML 2 profile handlers.</xsd:documentation>
141 <xsd:extension base="SAMLProfileHandler"/>
142 </xsd:complexContent>
145 <xsd:complexType name="ShibbolethSSO">
147 <xsd:documentation>Configuration type for Shibboleth 1 SSO profile handlers.</xsd:documentation>
150 <xsd:extension base="SAML1ProfileHandler">
151 <xsd:attribute name="authenticationManagerPath" type="xsd:string">
154 The context-relative path to the authentication manager used by this profile handler. This
155 should match the URL pattern given in the web.xml
160 </xsd:complexContent>
163 <xsd:complexType name="SAML1AttributeQuery">
165 <xsd:documentation>Configuration type for SAML 1 Attribute Query profile handlers.</xsd:documentation>
168 <xsd:extension base="SAML1ProfileHandler"/>
169 </xsd:complexContent>
172 <xsd:complexType name="SAML1ArtifactResolution">
174 <xsd:documentation>Configuration type for SAML 1 artifact resolution profile handlers.</xsd:documentation>
177 <xsd:extension base="SAML1ProfileHandler">
178 <xsd:attribute name="artifactMapRef" type="xsd:string" default="shibboleth.ArtifactMap">
181 Reference to the SAMLArtifactMap used by the handler to resolve artifact strings into artifact
187 </xsd:complexContent>
190 <xsd:complexType name="SAML1ProfileHandler" abstract="true">
192 <xsd:documentation>Base type for SAML 1 profile handlers.</xsd:documentation>
195 <xsd:extension base="SAMLProfileHandler"/>
196 </xsd:complexContent>
199 <xsd:complexType name="SAMLProfileHandler" abstract="true">
201 <xsd:documentation>Base type for Shibboleth IdP SAML profile handlers.</xsd:documentation>
204 <xsd:extension base="IdPProfileHandlerType">
205 <xsd:attribute name="idGeneratorId" type="xsd:string" default="shibboleth.IdGenerator">
208 The component ID of a generator used to generate things such as response and assertion IDs.
210 This setting should not be changed from its default unless the deployer fully understands
211 the inter-relationship between IdP components.
215 <xsd:attribute name="inboundBinding" type="xsd:anyURI" use="required">
217 <xsd:documentation>The SAML message binding used by inbound messages.</xsd:documentation>
220 <xsd:attribute name="outboundBindingEnumeration">
223 An ordered list of outbound bindings supported by this profile handler. The order given
224 establishes the precedence of the bindings: from left to right, the first
225 binding also supported by the relying party will be used.
229 <xsd:list itemType="xsd:anyURI"/>
233 </xsd:complexContent>
236 <xsd:complexType name="IdPProfileHandlerType" abstract="true">
238 <xsd:documentation>Base type for IdP profile handlers.</xsd:documentation>
241 <xsd:extension base="ShibbolethProfileHandlerType"/>
242 </xsd:complexContent>
245 <xsd:complexType name="PreviousSession">
247 <xsd:extension base="LoginHandlerType">
248 <xsd:attribute name="servletPath" type="xsd:string">
251 DEPRECATED. Optional servlet path to which the browser may be redirected.
255 <xsd:attribute name="reportPreviousSessionAuthnMethod" type="xsd:boolean">
258 Whether this login handler should report its authentication method as PreviousSession or the
259 authentication method requested by the peer.
263 <xsd:attribute name="supportsPassiveAuthentication" type="xsd:boolean">
266 DEPRECATED. Whether this login handler, when redirecting to a servlet, supports passive authentication.
271 </xsd:complexContent>
274 <xsd:complexType name="ExternalAuthn">
276 <xsd:extension base="LoginHandlerType">
277 <xsd:attribute name="externalAuthnPath" type="xsd:string" use="required">
280 The servlet context path to the
281 edu.internet2.middleware.shibboleth.idp.authn.provider.ExternalAuthnSystemServlet instance
282 protected by an external authentication system that is integrated with the web server, Servlet
287 <xsd:attribute name="supportsForcedAuthentication" type="xsd:boolean">
290 Indicates whether the external authentication system supports forced re-authentication.
294 <xsd:attribute name="supportsPassiveAuthentication" type="xsd:boolean">
297 Indicates whether the external authentication system supports passive authentication.
302 </xsd:complexContent>
305 <xsd:complexType name="RemoteUser">
307 <xsd:extension base="LoginHandlerType">
308 <xsd:attribute name="protectedServletPath" type="xsd:string">
311 The servlet context path to the
312 edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet instance
313 protected by the container or web server.
318 </xsd:complexContent>
321 <xsd:complexType name="UsernamePassword">
323 <xsd:extension base="LoginHandlerType">
324 <xsd:attribute name="jaasConfigurationLocation" type="xsd:anyURI">
327 Location of the JAAS configuration. If this attribute is used, it will usually contain a file
328 URL to a configuration on the local filesystem. However, this attribute need not be used and
329 this information can be set within the VM in any manner supported by the JVM/container
334 <xsd:attribute name="authenticationServletURL" type="xsd:string">
337 The servlet context path to the
338 edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordAuthenticationServlet
339 that will authenticate the user.
344 </xsd:complexContent>
347 <xsd:complexType name="IPAddress">
349 <xsd:extension base="LoginHandlerType">
351 <xsd:element name="IPEntry" type="xsd:string" maxOccurs="unbounded">
354 An IP address or address range in CIDR notation. For example, a single IP address of 192.168.1.1 would
355 have the CIDR notation 192.168.1.1/32. For the entire 192.168.0.0 class B network,
356 the CIDR notation would be 192.168.0.0/16.
361 <xsd:attribute name="username" type="xsd:string">
364 The username that will be presented to the IdP for all IP-address authenticated users.
368 <xsd:attribute name="defaultDeny" type="xsd:boolean">
371 If defaultDeny is true then only the IP addresses listed will be "authenticated." If
372 defaultDeny is false, then all IP addresses except those listed will be authenticated.
377 </xsd:complexContent>
380 <xsd:complexType name="LoginHandlerType" abstract="true">
382 <xsd:documentation>Base type for authentication handler types.</xsd:documentation>
385 <xsd:element name="AuthenticationMethod" type="xsd:string" maxOccurs="unbounded">
388 The authentication methods supported by this handler. In SAML these methods represent the SAML 2
389 authentication context class and declaration reference URIs.
394 <xsd:attribute name="authenticationDuration" type="xsd:string">
397 The length of time that an authentication performed by this handler should be
398 considered active. After this time, a user previously authenticated by this handler must
399 re-authenticate in order to assert the authentication method again.
401 This duration should be expressed in ISO8601 format.