Extended schema-validation to also support SAML 1.1 messages, and added some
additional sanity checks. git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@622 44740490-163a-0410-bde0-09ae8108e29a
This commit is contained in:
parent
9d0354d8cb
commit
bfef539a0c
|
@ -41,10 +41,10 @@ $config = array (
|
|||
'showerrors' => true,
|
||||
|
||||
/**
|
||||
* This option allows you to enable validation of SAML 2.0 messages against their
|
||||
* This option allows you to enable validation of SAML messages against their
|
||||
* schemas. A warning will be written to the log if validation fails.
|
||||
*/
|
||||
'debug.validatesaml2messages' => false,
|
||||
'debug.validatesamlmessages' => false,
|
||||
|
||||
/**
|
||||
* This password must be kept secret, and modified from the default value 123.
|
||||
|
|
|
@ -20,7 +20,7 @@ class SimpleSAML_Bindings_SAML20_HTTPPost {
|
|||
|
||||
public function sendResponseUnsigned($response, $idpentityid, $spentityid, $relayState = null, $endpoint = 'AssertionConsumerService') {
|
||||
|
||||
SimpleSAML_Utilities::validateSAML2Message($response);
|
||||
SimpleSAML_Utilities::validateSAMLMessage($response, 'saml20');
|
||||
|
||||
$idpmd = $this->metadata->getMetaData($idpentityid, 'saml20-idp-hosted');
|
||||
$spmd = $this->metadata->getMetaData($spentityid, 'saml20-sp-remote');
|
||||
|
@ -183,7 +183,7 @@ class SimpleSAML_Bindings_SAML20_HTTPPost {
|
|||
}
|
||||
$response = $responsedom->saveXML();
|
||||
|
||||
SimpleSAML_Utilities::validateSAML2Message($response);
|
||||
SimpleSAML_Utilities::validateSAMLMessage($response, 'saml20');
|
||||
|
||||
# openssl genrsa -des3 -out server.key 1024
|
||||
# openssl rsa -in server.key -out server.pem
|
||||
|
@ -231,7 +231,7 @@ class SimpleSAML_Bindings_SAML20_HTTPPost {
|
|||
|
||||
$samlResponseXML = base64_decode( $rawResponse );
|
||||
|
||||
SimpleSAML_Utilities::validateSAML2Message($samlResponseXML);
|
||||
SimpleSAML_Utilities::validateSAMLMessage($samlResponseXML, 'saml20');
|
||||
|
||||
//error_log("Response is: " . $samlResponseXML);
|
||||
|
||||
|
|
|
@ -180,7 +180,7 @@ class SimpleSAML_Bindings_SAML20_HTTPRedirect {
|
|||
|
||||
public function sendMessage($request, $localentityid, $remoteentityid, $relayState = null, $endpoint = 'SingleSignOnService', $direction = 'SAMLRequest', $mode = 'SP') {
|
||||
|
||||
SimpleSAML_Utilities::validateSAML2Message($request);
|
||||
SimpleSAML_Utilities::validateSAMLMessage($request, 'saml20');
|
||||
|
||||
$redirectURL = $this->getRedirectURL($request, $localentityid, $remoteentityid, $relayState, $endpoint, $direction, $mode);
|
||||
|
||||
|
@ -234,7 +234,7 @@ class SimpleSAML_Bindings_SAML20_HTTPRedirect {
|
|||
throw new Exception('Could not gzinflate base64 decoded SAMLRequest: ' . $error['message'] );
|
||||
}
|
||||
|
||||
SimpleSAML_Utilities::validateSAML2Message($samlRequestXML);
|
||||
SimpleSAML_Utilities::validateSAMLMessage($samlRequestXML, 'saml20');
|
||||
|
||||
$samlRequest = new SimpleSAML_XML_SAML20_AuthnRequest($this->configuration, $this->metadata);
|
||||
|
||||
|
@ -272,7 +272,7 @@ class SimpleSAML_Bindings_SAML20_HTTPRedirect {
|
|||
throw new Exception('Could not gzinflate base64 decoded SAMLRequest: ' . $error['message'] );
|
||||
}
|
||||
|
||||
SimpleSAML_Utilities::validateSAML2Message($samlRequestXML);
|
||||
SimpleSAML_Utilities::validateSAMLMessage($samlRequestXML, 'saml20');
|
||||
|
||||
$samlRequest = new SimpleSAML_XML_SAML20_LogoutRequest($this->configuration, $this->metadata);
|
||||
|
||||
|
@ -311,7 +311,7 @@ class SimpleSAML_Bindings_SAML20_HTTPRedirect {
|
|||
throw new Exception('Could not gzinflate base64 decoded SAMLRequest: ' . $error['message'] );
|
||||
}
|
||||
|
||||
SimpleSAML_Utilities::validateSAML2Message($samlRequestXML);
|
||||
SimpleSAML_Utilities::validateSAMLMessage($samlRequestXML, 'saml20');
|
||||
|
||||
|
||||
$samlRequest = new SimpleSAML_XML_SAML20_LogoutResponse($this->configuration, $this->metadata);
|
||||
|
|
|
@ -20,6 +20,8 @@ class SimpleSAML_Bindings_Shib13_HTTPPost {
|
|||
|
||||
public function sendResponseUnsigned($response, $idpentityid, $spentityid, $relayState = null, $endpoint = 'AssertionConsumerService') {
|
||||
|
||||
SimpleSAML_Utilities::validateSAMLMessage($response, 'saml11');
|
||||
|
||||
$idpmd = $this->metadata->getMetaData($idpentityid, 'saml20-idp-hosted');
|
||||
$spmd = $this->metadata->getMetaData($spentityid, 'saml20-sp-remote');
|
||||
|
||||
|
@ -62,6 +64,8 @@ class SimpleSAML_Bindings_Shib13_HTTPPost {
|
|||
*/
|
||||
public function sendResponse($response, $idpmetaindex, $spentityid, $relayState = null, $claimedacs = null) {
|
||||
|
||||
SimpleSAML_Utilities::validateSAMLMessage($response, 'saml11');
|
||||
|
||||
$idpmd = $this->metadata->getMetaData($idpmetaindex, 'shib13-idp-hosted');
|
||||
$spmd = $this->metadata->getMetaData($spentityid, 'shib13-sp-remote');
|
||||
|
||||
|
@ -201,6 +205,8 @@ class SimpleSAML_Bindings_Shib13_HTTPPost {
|
|||
$relaystate = $post["TARGET"];
|
||||
|
||||
$samlResponseXML = base64_decode( $rawResponse );
|
||||
|
||||
SimpleSAML_Utilities::validateSAMLMessage($samlResponseXML, 'saml11');
|
||||
|
||||
$samlResponse = new SimpleSAML_XML_Shib13_AuthnResponse($this->configuration, $this->metadata);
|
||||
|
||||
|
|
|
@ -793,24 +793,44 @@ class SimpleSAML_Utilities {
|
|||
|
||||
|
||||
/**
|
||||
* This function validates a SAML2 message against its schema.
|
||||
* A warning will be printed to the log if validation fails.
|
||||
* This function performs some sanity checks on SAML messages, and optionally validates them
|
||||
* against their schema. A warning will be printed to the log if validation fails.
|
||||
*
|
||||
* @param $message The message which should be validated.
|
||||
* @param $type The type of message - can be either 'saml20' or 'saml11'.
|
||||
*/
|
||||
public static function validateSAML2Message($message) {
|
||||
public static function validateSAMLMessage($message, $type) {
|
||||
assert('is_string($message)');
|
||||
assert($type === 'saml11' || $type === 'saml20');
|
||||
|
||||
$enabled = SimpleSAML_Configuration::getInstance()->getValue('debug.validatesaml2messages', FALSE);
|
||||
if(!is_bool($enabled)) {
|
||||
throw new Exception('Expected "debug.validatesaml2messages" to be set to a boolean value.');
|
||||
/* A SAML message should not contain a doctype-declaration. */
|
||||
if(strpos($message, '<!DOCTYPE') !== FALSE) {
|
||||
throw new Exception('SAML message contained a doctype declaration.');
|
||||
}
|
||||
|
||||
$enabled = SimpleSAML_Configuration::getInstance()->getValue('debug.validatesamlmessages', NULL);
|
||||
if($enabled === NULL) {
|
||||
/* Fall back to old configuration option. */
|
||||
$enabled = SimpleSAML_Configuration::getInstance()->getValue('debug.validatesaml2messages', FALSE);
|
||||
if(!is_bool($enabled)) {
|
||||
throw new Exception('Expected "debug.validatesaml2messages" to be set to a boolean value.');
|
||||
}
|
||||
} elseif(!is_bool($enabled)) {
|
||||
throw new Exception('Expected "debug.validatesamlmessages" to be set to a boolean value.');
|
||||
}
|
||||
|
||||
if(!$enabled) {
|
||||
return;
|
||||
}
|
||||
|
||||
$result = self::validateXML($message, 'saml-schema-protocol-2.0.xsd');
|
||||
if($type === 'saml11') {
|
||||
$result = self::validateXML($message, 'oasis-sstc-saml-schema-protocol-1.1.xsd');
|
||||
} elseif($type === 'saml20') {
|
||||
$result = self::validateXML($message, 'saml-schema-protocol-2.0.xsd');
|
||||
} else {
|
||||
throw new Exception('Invalid message type.');
|
||||
}
|
||||
|
||||
if($result !== '') {
|
||||
SimpleSAML_Logger::warning($result);
|
||||
}
|
||||
|
|
|
@ -0,0 +1,201 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<schema targetNamespace="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified" attributeFormDefault="unqualified" version="1.1">
|
||||
<import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
|
||||
<annotation>
|
||||
<documentation>
|
||||
Document identifier: oasis-sstc-saml-schema-assertion-1.1
|
||||
Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
|
||||
Revision history:
|
||||
V1.0 (November, 2002):
|
||||
Initial standard schema.
|
||||
V1.1 (September, 2003):
|
||||
* Note that V1.1 of this schema has the same XML namespace as V1.0.
|
||||
Rebased ID content directly on XML Schema types
|
||||
Added DoNotCacheCondition element and DoNotCacheConditionType
|
||||
</documentation>
|
||||
</annotation>
|
||||
<simpleType name="DecisionType">
|
||||
<restriction base="string">
|
||||
<enumeration value="Permit"/>
|
||||
<enumeration value="Deny"/>
|
||||
<enumeration value="Indeterminate"/>
|
||||
</restriction>
|
||||
</simpleType>
|
||||
<element name="AssertionIDReference" type="NCName"/>
|
||||
<element name="Assertion" type="saml:AssertionType"/>
|
||||
<complexType name="AssertionType">
|
||||
<sequence>
|
||||
<element ref="saml:Conditions" minOccurs="0"/>
|
||||
<element ref="saml:Advice" minOccurs="0"/>
|
||||
<choice maxOccurs="unbounded">
|
||||
<element ref="saml:Statement"/>
|
||||
<element ref="saml:SubjectStatement"/>
|
||||
<element ref="saml:AuthenticationStatement"/>
|
||||
<element ref="saml:AuthorizationDecisionStatement"/>
|
||||
<element ref="saml:AttributeStatement"/>
|
||||
</choice>
|
||||
<element ref="ds:Signature" minOccurs="0"/>
|
||||
</sequence>
|
||||
<attribute name="MajorVersion" type="integer" use="required"/>
|
||||
<attribute name="MinorVersion" type="integer" use="required"/>
|
||||
<attribute name="AssertionID" type="ID" use="required"/>
|
||||
<attribute name="Issuer" type="string" use="required"/>
|
||||
<attribute name="IssueInstant" type="dateTime" use="required"/>
|
||||
</complexType>
|
||||
<element name="Conditions" type="saml:ConditionsType"/>
|
||||
<complexType name="ConditionsType">
|
||||
<choice minOccurs="0" maxOccurs="unbounded">
|
||||
<element ref="saml:AudienceRestrictionCondition"/>
|
||||
<element ref="saml:DoNotCacheCondition"/>
|
||||
<element ref="saml:Condition"/>
|
||||
</choice>
|
||||
<attribute name="NotBefore" type="dateTime" use="optional"/>
|
||||
<attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
|
||||
</complexType>
|
||||
<element name="Condition" type="saml:ConditionAbstractType"/>
|
||||
<complexType name="ConditionAbstractType" abstract="true"/>
|
||||
<element name="AudienceRestrictionCondition" type="saml:AudienceRestrictionConditionType"/>
|
||||
<complexType name="AudienceRestrictionConditionType">
|
||||
<complexContent>
|
||||
<extension base="saml:ConditionAbstractType">
|
||||
<sequence>
|
||||
<element ref="saml:Audience" maxOccurs="unbounded"/>
|
||||
</sequence>
|
||||
</extension>
|
||||
</complexContent>
|
||||
</complexType>
|
||||
<element name="Audience" type="anyURI"/>
|
||||
<element name="DoNotCacheCondition" type="saml:DoNotCacheConditionType"/>
|
||||
<complexType name="DoNotCacheConditionType">
|
||||
<complexContent>
|
||||
<extension base="saml:ConditionAbstractType"/>
|
||||
</complexContent>
|
||||
</complexType>
|
||||
<element name="Advice" type="saml:AdviceType"/>
|
||||
<complexType name="AdviceType">
|
||||
<choice minOccurs="0" maxOccurs="unbounded">
|
||||
<element ref="saml:AssertionIDReference"/>
|
||||
<element ref="saml:Assertion"/>
|
||||
<any namespace="##other" processContents="lax"/>
|
||||
</choice>
|
||||
</complexType>
|
||||
<element name="Statement" type="saml:StatementAbstractType"/>
|
||||
<complexType name="StatementAbstractType" abstract="true"/>
|
||||
<element name="SubjectStatement" type="saml:SubjectStatementAbstractType"/>
|
||||
<complexType name="SubjectStatementAbstractType" abstract="true">
|
||||
<complexContent>
|
||||
<extension base="saml:StatementAbstractType">
|
||||
<sequence>
|
||||
<element ref="saml:Subject"/>
|
||||
</sequence>
|
||||
</extension>
|
||||
</complexContent>
|
||||
</complexType>
|
||||
<element name="Subject" type="saml:SubjectType"/>
|
||||
<complexType name="SubjectType">
|
||||
<choice>
|
||||
<sequence>
|
||||
<element ref="saml:NameIdentifier"/>
|
||||
<element ref="saml:SubjectConfirmation" minOccurs="0"/>
|
||||
</sequence>
|
||||
<element ref="saml:SubjectConfirmation"/>
|
||||
</choice>
|
||||
</complexType>
|
||||
<element name="NameIdentifier" type="saml:NameIdentifierType"/>
|
||||
<complexType name="NameIdentifierType">
|
||||
<simpleContent>
|
||||
<extension base="string">
|
||||
<attribute name="NameQualifier" type="string" use="optional"/>
|
||||
<attribute name="Format" type="anyURI" use="optional"/>
|
||||
</extension>
|
||||
</simpleContent>
|
||||
</complexType>
|
||||
<element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
|
||||
<complexType name="SubjectConfirmationType">
|
||||
<sequence>
|
||||
<element ref="saml:ConfirmationMethod" maxOccurs="unbounded"/>
|
||||
<element ref="saml:SubjectConfirmationData" minOccurs="0"/>
|
||||
<element ref="ds:KeyInfo" minOccurs="0"/>
|
||||
</sequence>
|
||||
</complexType>
|
||||
<element name="SubjectConfirmationData" type="anyType"/>
|
||||
<element name="ConfirmationMethod" type="anyURI"/>
|
||||
<element name="AuthenticationStatement" type="saml:AuthenticationStatementType"/>
|
||||
<complexType name="AuthenticationStatementType">
|
||||
<complexContent>
|
||||
<extension base="saml:SubjectStatementAbstractType">
|
||||
<sequence>
|
||||
<element ref="saml:SubjectLocality" minOccurs="0"/>
|
||||
<element ref="saml:AuthorityBinding" minOccurs="0" maxOccurs="unbounded"/>
|
||||
</sequence>
|
||||
<attribute name="AuthenticationMethod" type="anyURI" use="required"/>
|
||||
<attribute name="AuthenticationInstant" type="dateTime" use="required"/>
|
||||
</extension>
|
||||
</complexContent>
|
||||
</complexType>
|
||||
<element name="SubjectLocality" type="saml:SubjectLocalityType"/>
|
||||
<complexType name="SubjectLocalityType">
|
||||
<attribute name="IPAddress" type="string" use="optional"/>
|
||||
<attribute name="DNSAddress" type="string" use="optional"/>
|
||||
</complexType>
|
||||
<element name="AuthorityBinding" type="saml:AuthorityBindingType"/>
|
||||
<complexType name="AuthorityBindingType">
|
||||
<attribute name="AuthorityKind" type="QName" use="required"/>
|
||||
<attribute name="Location" type="anyURI" use="required"/>
|
||||
<attribute name="Binding" type="anyURI" use="required"/>
|
||||
</complexType>
|
||||
<element name="AuthorizationDecisionStatement" type="saml:AuthorizationDecisionStatementType"/>
|
||||
<complexType name="AuthorizationDecisionStatementType">
|
||||
<complexContent>
|
||||
<extension base="saml:SubjectStatementAbstractType">
|
||||
<sequence>
|
||||
<element ref="saml:Action" maxOccurs="unbounded"/>
|
||||
<element ref="saml:Evidence" minOccurs="0"/>
|
||||
</sequence>
|
||||
<attribute name="Resource" type="anyURI" use="required"/>
|
||||
<attribute name="Decision" type="saml:DecisionType" use="required"/>
|
||||
</extension>
|
||||
</complexContent>
|
||||
</complexType>
|
||||
<element name="Action" type="saml:ActionType"/>
|
||||
<complexType name="ActionType">
|
||||
<simpleContent>
|
||||
<extension base="string">
|
||||
<attribute name="Namespace" type="anyURI"/>
|
||||
</extension>
|
||||
</simpleContent>
|
||||
</complexType>
|
||||
<element name="Evidence" type="saml:EvidenceType"/>
|
||||
<complexType name="EvidenceType">
|
||||
<choice maxOccurs="unbounded">
|
||||
<element ref="saml:AssertionIDReference"/>
|
||||
<element ref="saml:Assertion"/>
|
||||
</choice>
|
||||
</complexType>
|
||||
<element name="AttributeStatement" type="saml:AttributeStatementType"/>
|
||||
<complexType name="AttributeStatementType">
|
||||
<complexContent>
|
||||
<extension base="saml:SubjectStatementAbstractType">
|
||||
<sequence>
|
||||
<element ref="saml:Attribute" maxOccurs="unbounded"/>
|
||||
</sequence>
|
||||
</extension>
|
||||
</complexContent>
|
||||
</complexType>
|
||||
<element name="AttributeDesignator" type="saml:AttributeDesignatorType"/>
|
||||
<complexType name="AttributeDesignatorType">
|
||||
<attribute name="AttributeName" type="string" use="required"/>
|
||||
<attribute name="AttributeNamespace" type="anyURI" use="required"/>
|
||||
</complexType>
|
||||
<element name="Attribute" type="saml:AttributeType"/>
|
||||
<complexType name="AttributeType">
|
||||
<complexContent>
|
||||
<extension base="saml:AttributeDesignatorType">
|
||||
<sequence>
|
||||
<element ref="saml:AttributeValue" maxOccurs="unbounded"/>
|
||||
</sequence>
|
||||
</extension>
|
||||
</complexContent>
|
||||
</complexType>
|
||||
<element name="AttributeValue" type="anyType"/>
|
||||
</schema>
|
|
@ -0,0 +1,132 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<schema targetNamespace="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified" attributeFormDefault="unqualified" version="1.1">
|
||||
<import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="oasis-sstc-saml-schema-assertion-1.1.xsd"/>
|
||||
<import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
|
||||
<annotation>
|
||||
<documentation>
|
||||
Document identifier: oasis-sstc-saml-schema-protocol-1.1
|
||||
Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
|
||||
Revision history:
|
||||
V1.0 (November, 2002):
|
||||
Initial standard schema.
|
||||
V1.1 (September, 2003):
|
||||
* Note that V1.1 of this schema has the same XML namespace as V1.0.
|
||||
Rebased ID content directly on XML Schema types
|
||||
</documentation>
|
||||
</annotation>
|
||||
<complexType name="RequestAbstractType" abstract="true">
|
||||
<sequence>
|
||||
<element ref="samlp:RespondWith" minOccurs="0" maxOccurs="unbounded"/>
|
||||
<element ref="ds:Signature" minOccurs="0"/>
|
||||
</sequence>
|
||||
<attribute name="RequestID" type="ID" use="required"/>
|
||||
<attribute name="MajorVersion" type="integer" use="required"/>
|
||||
<attribute name="MinorVersion" type="integer" use="required"/>
|
||||
<attribute name="IssueInstant" type="dateTime" use="required"/>
|
||||
</complexType>
|
||||
<element name="RespondWith" type="QName"/>
|
||||
<element name="Request" type="samlp:RequestType"/>
|
||||
<complexType name="RequestType">
|
||||
<complexContent>
|
||||
<extension base="samlp:RequestAbstractType">
|
||||
<choice>
|
||||
<element ref="samlp:Query"/>
|
||||
<element ref="samlp:SubjectQuery"/>
|
||||
<element ref="samlp:AuthenticationQuery"/>
|
||||
<element ref="samlp:AttributeQuery"/>
|
||||
<element ref="samlp:AuthorizationDecisionQuery"/>
|
||||
<element ref="saml:AssertionIDReference" maxOccurs="unbounded"/>
|
||||
<element ref="samlp:AssertionArtifact" maxOccurs="unbounded"/>
|
||||
</choice>
|
||||
</extension>
|
||||
</complexContent>
|
||||
</complexType>
|
||||
<element name="AssertionArtifact" type="string"/>
|
||||
<element name="Query" type="samlp:QueryAbstractType"/>
|
||||
<complexType name="QueryAbstractType" abstract="true"/>
|
||||
<element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
|
||||
<complexType name="SubjectQueryAbstractType" abstract="true">
|
||||
<complexContent>
|
||||
<extension base="samlp:QueryAbstractType">
|
||||
<sequence>
|
||||
<element ref="saml:Subject"/>
|
||||
</sequence>
|
||||
</extension>
|
||||
</complexContent>
|
||||
</complexType>
|
||||
<element name="AuthenticationQuery" type="samlp:AuthenticationQueryType"/>
|
||||
<complexType name="AuthenticationQueryType">
|
||||
<complexContent>
|
||||
<extension base="samlp:SubjectQueryAbstractType">
|
||||
<attribute name="AuthenticationMethod" type="anyURI"/>
|
||||
</extension>
|
||||
</complexContent>
|
||||
</complexType>
|
||||
<element name="AttributeQuery" type="samlp:AttributeQueryType"/>
|
||||
<complexType name="AttributeQueryType">
|
||||
<complexContent>
|
||||
<extension base="samlp:SubjectQueryAbstractType">
|
||||
<sequence>
|
||||
<element ref="saml:AttributeDesignator" minOccurs="0" maxOccurs="unbounded"/>
|
||||
</sequence>
|
||||
<attribute name="Resource" type="anyURI" use="optional"/>
|
||||
</extension>
|
||||
</complexContent>
|
||||
</complexType>
|
||||
<element name="AuthorizationDecisionQuery" type="samlp:AuthorizationDecisionQueryType"/>
|
||||
<complexType name="AuthorizationDecisionQueryType">
|
||||
<complexContent>
|
||||
<extension base="samlp:SubjectQueryAbstractType">
|
||||
<sequence>
|
||||
<element ref="saml:Action" maxOccurs="unbounded"/>
|
||||
<element ref="saml:Evidence" minOccurs="0"/>
|
||||
</sequence>
|
||||
<attribute name="Resource" type="anyURI" use="required"/>
|
||||
</extension>
|
||||
</complexContent>
|
||||
</complexType>
|
||||
<complexType name="ResponseAbstractType" abstract="true">
|
||||
<sequence>
|
||||
<element ref="ds:Signature" minOccurs="0"/>
|
||||
</sequence>
|
||||
<attribute name="ResponseID" type="ID" use="required"/>
|
||||
<attribute name="InResponseTo" type="NCName" use="optional"/>
|
||||
<attribute name="MajorVersion" type="integer" use="required"/>
|
||||
<attribute name="MinorVersion" type="integer" use="required"/>
|
||||
<attribute name="IssueInstant" type="dateTime" use="required"/>
|
||||
<attribute name="Recipient" type="anyURI" use="optional"/>
|
||||
</complexType>
|
||||
<element name="Response" type="samlp:ResponseType"/>
|
||||
<complexType name="ResponseType">
|
||||
<complexContent>
|
||||
<extension base="samlp:ResponseAbstractType">
|
||||
<sequence>
|
||||
<element ref="samlp:Status"/>
|
||||
<element ref="saml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
|
||||
</sequence>
|
||||
</extension>
|
||||
</complexContent>
|
||||
</complexType>
|
||||
<element name="Status" type="samlp:StatusType"/>
|
||||
<complexType name="StatusType">
|
||||
<sequence>
|
||||
<element ref="samlp:StatusCode"/>
|
||||
<element ref="samlp:StatusMessage" minOccurs="0"/>
|
||||
<element ref="samlp:StatusDetail" minOccurs="0"/>
|
||||
</sequence>
|
||||
</complexType>
|
||||
<element name="StatusCode" type="samlp:StatusCodeType"/>
|
||||
<complexType name="StatusCodeType">
|
||||
<sequence>
|
||||
<element ref="samlp:StatusCode" minOccurs="0"/>
|
||||
</sequence>
|
||||
<attribute name="Value" type="QName" use="required"/>
|
||||
</complexType>
|
||||
<element name="StatusMessage" type="string"/>
|
||||
<element name="StatusDetail" type="samlp:StatusDetailType"/>
|
||||
<complexType name="StatusDetailType">
|
||||
<sequence>
|
||||
<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
|
||||
</sequence>
|
||||
</complexType>
|
||||
</schema>
|
Reference in New Issue