ZXID Schemata

Sampo Kellomäki (sampo@iki.fi)

1 Appendix: Schema Grammars

Large parts of ZXID code are generated from schema grammars which are a convenient notation for describing XML schemata. This appendix contains the schema grammars that are currently implemented and distributed in the ZXID package.

1.1 SAML 2.0

1.1.1 saml-schema-assertion-2.0 (sa)

# zxid/sg/saml-schema-assertion-2.0.sg
# $Id: saml-schema-assertion-2.0.sg,v 1.10 2009-11-14 22:44:43 sampo Exp $
#
# N.B. This file is not a direct conversion. Instead it has been manually edited to
# make it simpler and to facilitate code generation.
# 15.10.2006, extended AttributeValue schema to cater for bootstrap, Sampo Kellomaki (sampo@iki.fi)
# 10.2.2007, added other types of assertions as potential Advice content --Sampo
# 3.3.2007,  added XACML support --Sampo
# 24.8.2009, modified sa:Statement to be able to carry xac:Response --Sampo

target(sa, urn:oasis:names:tc:SAML:2.0:assertion)
ns(xs,http://www.w3.org/2001/XMLSchema)
import(ds,http://www.w3.org/2000/09/xmldsig#,http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd)
import(xenc,http://www.w3.org/2001/04/xmlenc#,http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd)
ns(di12, urn:liberty:disco:2003-08)
ns(a,    http://www.w3.org/2005/08/addressing)
ns(sa11, urn:oasis:names:tc:SAML:1.0:assertion)
ns(ff12, urn:liberty:iff:2003-08)
ns(xasa, urn:oasis:xacml:2.0:saml:assertion:schema:os)
ns(xasacd1, urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion:cd-01)
ns(xac,  urn:oasis:names:tc:xacml:2.0:context:schema:os)
ns(xsi,  http://www.w3.org/2001/XMLSchema-instance)
ns(idp,  urn:liberty:idp:2006-12)

&@IDNameQualifiers: 
  @NameQualifier?   -> %xs:string
  @SPNameQualifier? -> %xs:string
  ;

BaseID	 -> %sa:BaseIDAbstractType
%BaseIDAbstractType:
  &@sa:IDNameQualifiers
  ;

NameID	 -> %sa:NameIDType
%NameIDType:	 base(xs:string)
  @Format?	 -> %xs:anyURI
  &@sa:IDNameQualifiers
  @SPProvidedID? -> %xs:string
  ;

%EncryptedElementType:
  xenc:EncryptedData
  xenc:EncryptedKey*
  ;

EncryptedID      -> %sa:EncryptedElementType
Issuer           -> %sa:NameIDType
AssertionIDRef   -> %xs:NCName
AssertionURIRef  -> %xs:anyURI

Assertion        -> %sa:AssertionType
# Top-level SAML 2.0 assertion. ds:Signature is optional at the schema level,
# so whether an unsigned assertion is acceptable is a policy decision the
# consuming code has to make; the grammar alone does not enforce signing.
%AssertionType:
  sa:Issuer
  ds:Signature?                  # optional in schema; consumer decides whether to require and verify it
  sa:Subject?
  sa:Conditions?                 # validity window (NotBefore/NotOnOrAfter) and audience restrictions, when present
  sa:Advice?
  sa:Statement*                  # *** how to express * for choice
  sa:AuthnStatement*
  sa:AuthzDecisionStatement*
  sa:AttributeStatement*
  xasa:XACMLAuthzDecisionStatement*
  xasa:XACMLPolicyStatement*
  xasacd1:XACMLAuthzDecisionStatement*
  xasacd1:XACMLPolicyStatement*
  @ID	         -> %xs:ID
  @IssueInstant  -> %xs:dateTime
  @Version       -> %xs:string
  ;

Subject	 -> %sa:SubjectType
# Subject of an assertion. The identifier alternatives are listed as three
# independent optionals, so this grammar accepts more than a strict choice
# would (e.g. two identifiers at once); a consumer wanting the "only one"
# rule enforced has to check it itself.
%SubjectType:
  sa:BaseID?                     # Only one of the IDs should occur
  sa:NameID?
  sa:EncryptedID?
  sa:SubjectConfirmation*        # SAML spec is more lax than the schema: saml-core-2.0-os.pdf ll.653-657 says  [Zero or More]
  ;

SubjectConfirmation	 -> %sa:SubjectConfirmationType
%SubjectConfirmationType:
  sa:BaseID?                     # Only one of the IDs should occur
  sa:NameID?
  sa:EncryptedID?
  sa:SubjectConfirmationData?
  @Method	 -> %xs:anyURI
  ;

SubjectConfirmationData	 -> %sa:SubjectConfirmationDataType
# Constraints on how a subject confirmation may be used. The attributes below
# are the inputs a consumer checks before accepting a (bearer) confirmation;
# the exact rules are in the SAML 2.0 core and profiles specifications.
# NOTE(review): ds:KeyInfo+ here looks like a simplification relative to the
# OASIS XSD, where KeyInfo belongs to KeyInfoConfirmationDataType -- confirm intended.
%SubjectConfirmationDataType:	 base(anyType)
  ds:KeyInfo+
  @Address?	 -> %xs:string      # network address the presenter is expected to come from
  @InResponseTo? -> %xs:NCName   # ID of the request this confirmation answers; correlated with an outstanding request by the consumer
  @NotBefore?	 -> %xs:dateTime
  @NotOnOrAfter? -> %xs:dateTime  # with NotBefore, bounds the time during which the confirmation is usable
  @Recipient?	 -> %xs:anyURI     # endpoint the assertion was meant for; consumers compare it against their own
  @xsi:type?
  @any
  ;

%KeyInfoConfirmationDataType:	 base(sa:SubjectConfirmationDataType)
  ds:KeyInfo+
  ;

Conditions	 -> %sa:ConditionsType
# Conditions under which the assertion is valid. NotBefore/NotOnOrAfter give
# the validity window and AudienceRestriction names the intended relying
# parties; everything is optional here, so the consumer decides what it requires.
%ConditionsType:
  sa:Condition*                  # *** Stated differently in XSD
  sa:AudienceRestriction*        # intended relying parties, see %AudienceRestrictionType below
  sa:OneTimeUse*
  sa:ProxyRestriction*
  idp:SubjectRestriction*        # Liberty idp namespace extension (see ns(idp,...) above), not from the OASIS schema
  @NotBefore?	 -> %xs:dateTime
  @NotOnOrAfter? -> %xs:dateTime
  ;

Condition	 -> %sa:ConditionAbstractType

AudienceRestriction -> %sa:AudienceRestrictionType
%AudienceRestrictionType:	 base(sa:ConditionAbstractType)
  sa:Audience+
  ;

Audience	 -> %xs:anyURI

OneTimeUse	 -> %sa:OneTimeUseType
%OneTimeUseType: base(sa:ConditionAbstractType) ;

ProxyRestriction -> %sa:ProxyRestrictionType
%ProxyRestrictionType:	 base(sa:ConditionAbstractType)
  sa:Audience*
  @Count?	 -> %xs:nonNegativeInteger
  ;

Advice	 -> %sa:AdviceType
%AdviceType:
  sa:AssertionIDRef*    # *** really a choice, but maxOccurs="unbounded"
  sa:AssertionURIRef*
  sa:Assertion*
  sa:EncryptedAssertion*
  sa11:Assertion*
  ff12:Assertion*
  any*  ns(##other)  processContents(lax)
  ;

EncryptedAssertion -> %sa:EncryptedElementType

#Statement	 -> %sa:StatementAbstractType

Statement	 -> %sa:StatementType

%StatementType:   base(sa:StatementAbstractType)
  xac:Response*
  xac:Request*
  any*  ns(##other)  processContents(lax)
  @xsi:type? -> %xs:string
  ;

AuthnStatement	 -> %sa:AuthnStatementType
%AuthnStatementType:	 base(sa:StatementAbstractType)
  sa:SubjectLocality?
  sa:AuthnContext
  @AuthnInstant	         -> %xs:dateTime
  @SessionIndex?	 -> %xs:string
  @SessionNotOnOrAfter?	 -> %xs:dateTime
  ;

SubjectLocality	 -> %sa:SubjectLocalityType
%SubjectLocalityType:
  @Address?	 -> %xs:string
  @DNSName?	 -> %xs:string
  ;

AuthnContext	 -> %sa:AuthnContextType
%AuthnContextType:
  sa:AuthnContextClassRef?    # N.B. We diverge from canonical XSD
  sa:AuthnContextDecl?
  sa:AuthnContextDeclRef?
  sa:AuthenticatingAuthority*
  ;

AuthnContextClassRef	 -> %xs:anyURI
AuthnContextDeclRef	 -> %xs:anyURI
AuthnContextDecl	 -> %xs:anyType
AuthenticatingAuthority	 -> %xs:anyURI

AuthzDecisionStatement	 -> %sa:AuthzDecisionStatementType
%AuthzDecisionStatementType:	 base(sa:StatementAbstractType)
  sa:Action+
  sa:Evidence?
  @Decision	 -> %sa:DecisionType
  @Resource	 -> %xs:anyURI
  ;

%DecisionType:	 enum( Permit Deny Indeterminate ) ;

Action	 -> %sa:ActionType
%ActionType:	 base(string)
  @Namespace	 -> %xs:anyURI
  ;

Evidence	 -> %sa:EvidenceType
%EvidenceType:
  sa:AssertionIDRef*      # XSD has choice maxOccurs="unbounded"
  sa:AssertionURIRef*
  sa:Assertion*
  sa:EncryptedAssertion*
  ;

AttributeStatement	 -> %sa:AttributeStatementType
%AttributeStatementType: base(sa:StatementAbstractType)
  sa:Attribute*           # XSD has choice maxOccurs="unbounded"
  sa:EncryptedAttribute*
  ;

Attribute	 -> %sa:AttributeType
%AttributeType:
  sa:AttributeValue*
  @FriendlyName? -> %xs:string
  @Name	         -> %xs:string
  @NameFormat?	 -> %xs:anyURI
  @any
  ;

# To cater for discovery bootstraps we add them to schema here
#AttributeValue	   -> %xs:anyType

AttributeValue -> %sa:AttributeValueType
%AttributeValueType:
  di12:ResourceOffering*
  a:EndpointReference*
  sa:Assertion*
  sa:EncryptedAssertion*
  @xsi:type?              # often any attribute extension point is used for this
  ;

EncryptedAttribute -> %sa:EncryptedElementType

TestElem:
  sa:AttributeValue*
  ;

#EOF

1.1.2 saml-schema-protocol-2.0 (sp)

# zxid/sg/saml-schema-protocol-2.0.sg
# $Id: saml-schema-protocol-2.0.sg,v 1.5 2008-02-23 03:59:31 sampo Exp $
#
# N.B. This file is not a direct conversion. Instead it has been manually
# edited to make it simpler and to facilitate code generation.

target(sp,urn:oasis:names:tc:SAML:2.0:protocol)
import(sa,urn:oasis:names:tc:SAML:2.0:assertion,saml-schema-assertion-2.0.xsd)
import(ds,http://www.w3.org/2000/09/xmldsig#,http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd)
ns(xs, http://www.w3.org/2001/XMLSchema)

# Common base of all SAML 2.0 protocol requests. ds:Signature is optional,
# so signing of requests is a deployment/policy choice rather than something
# this grammar enforces.
%RequestAbstractType:
  sa:Issuer?
  ds:Signature?
  sp:Extensions?
  @ID	 -> %xs:ID
  @Version	 -> %xs:string
  @IssueInstant	 -> %xs:dateTime
  @Destination?	 -> %xs:anyURI    # intended receiving endpoint; SAML core has the recipient check it matches where the message actually arrived
  @Consent?	 -> %xs:anyURI
  ;

Extensions	 -> %sp:ExtensionsType
%ExtensionsType:
  any+
  ;

# Common base of all SAML 2.0 protocol responses.
%StatusResponseType:
  sa:Issuer?
  ds:Signature?                  # optional in schema; the consumer decides whether a signature is required
  sp:Extensions?
  sp:Status
  @ID	 -> %xs:ID
  @InResponseTo? -> %xs:NCName   # ID of the request being answered; consumers correlate it with an outstanding request (typically absent only for unsolicited responses)
  @Version	 -> %xs:string
  @IssueInstant	 -> %xs:dateTime
  @Destination?	 -> %xs:anyURI    # intended receiving endpoint; SAML core has the recipient check it matches where the message actually arrived
  @Consent?	 -> %xs:anyURI
  ;

Status	 -> %sp:StatusType
%StatusType:
  sp:StatusCode
  sp:StatusMessage?
  sp:StatusDetail?
  ;

StatusCode	 -> %sp:StatusCodeType
%StatusCodeType:
  sp:StatusCode?
  @Value	 -> %xs:anyURI
  ;

StatusMessage	 -> %xs:string

StatusDetail	 -> %sp:StatusDetailType
%StatusDetailType:
  any*
  ;

AssertionIDRequest	 -> %sp:AssertionIDRequestType
%AssertionIDRequestType: base(sp:RequestAbstractType)
  sa:AssertionIDRef+
  ;

SubjectQuery	 -> %sp:SubjectQueryAbstractType
%SubjectQueryAbstractType: base(sp:RequestAbstractType)
  sa:Subject
  ;

AuthnQuery	 -> %sp:AuthnQueryType
%AuthnQueryType:	 base(sp:SubjectQueryAbstractType)
  sp:RequestedAuthnContext?
  @SessionIndex?	 -> %xs:string
  ;

RequestedAuthnContext	 -> %sp:RequestedAuthnContextType
%RequestedAuthnContextType:
  sa:AuthnContextClassRef*
  sa:AuthnContextDeclRef*
  @Comparison?	 -> %sp:AuthnContextComparisonType
  ;

%AuthnContextComparisonType:	 enum( exact minimum maximum better ) ;

AttributeQuery	 -> %sp:AttributeQueryType
%AttributeQueryType:	 base(sp:SubjectQueryAbstractType)
  sa:Attribute*
  ;

AuthzDecisionQuery	 -> %sp:AuthzDecisionQueryType
%AuthzDecisionQueryType: base(sp:SubjectQueryAbstractType)
  sa:Action+
  sa:Evidence?
  @Resource	 -> %xs:anyURI
  ;

AuthnRequest	 -> %sp:AuthnRequestType
# SP -> IdP authentication request. AssertionConsumerServiceURL is supplied by
# the requester and the base type's ds:Signature is optional, so an IdP would
# normally validate that URL against the SP's registered metadata endpoints
# (md:AssertionConsumerService) rather than use it as-is.
%AuthnRequestType:	 base(sp:RequestAbstractType)
  sa:Subject?
  sp:NameIDPolicy?
  sa:Conditions?
  sp:RequestedAuthnContext?
  sp:Scoping?
  @ForceAuthn?	 -> %xs:boolean
  @IsPassive?	 -> %xs:boolean
  @ProtocolBinding?	 -> %xs:anyURI
  @AssertionConsumerServiceIndex?	 -> %xs:unsignedShort   # selects a registered endpoint by its metadata index instead of by URL
  @AssertionConsumerServiceURL?	 -> %xs:anyURI           # where the response should be delivered; see note above
  @AttributeConsumingServiceIndex?	 -> %xs:unsignedShort
  @ProviderName?	 -> %xs:string
  ;

NameIDPolicy	 -> %sp:NameIDPolicyType
%NameIDPolicyType:
  @Format?	 -> %xs:anyURI
  @SPNameQualifier?	 -> %xs:string
  @AllowCreate?	 -> %xs:boolean
  ;

Scoping	 -> %sp:ScopingType
%ScopingType:
  sp:IDPList?
  sp:RequesterID*
  @ProxyCount?	 -> %xs:nonNegativeInteger
  ;

RequesterID	 -> %xs:anyURI

IDPList	 -> %sp:IDPListType
%IDPListType:
  sp:IDPEntry+
  sp:GetComplete?
  ;

IDPEntry	 -> %sp:IDPEntryType
%IDPEntryType:
  @ProviderID	 -> %xs:anyURI
  @Name?	 -> %xs:string
  @Loc?	 -> %xs:anyURI
  ;

GetComplete	 -> %xs:anyURI

Response	 -> %sp:ResponseType
%ResponseType:	 base(sp:StatusResponseType)
  sa:Assertion?
  sa:EncryptedAssertion?
  ;

ArtifactResolve	 -> %sp:ArtifactResolveType
%ArtifactResolveType:	 base(sp:RequestAbstractType)
  sp:Artifact
  ;

Artifact	 -> %xs:string

ArtifactResponse	 -> %sp:ArtifactResponseType
%ArtifactResponseType:	 base(sp:StatusResponseType)
  sp:Response?
  any?
  ;

ManageNameIDRequest	 -> %sp:ManageNameIDRequestType
%ManageNameIDRequestType:	 base(sp:RequestAbstractType)
  sa:NameID?
  sa:EncryptedID?
  sp:NewID?
  sp:NewEncryptedID?
  sp:Terminate?
  ;

NewID	 -> %xs:string

NewEncryptedID	 -> %sa:EncryptedElementType

Terminate	 -> %sp:TerminateType

ManageNameIDResponse	 -> %sp:StatusResponseType

LogoutRequest	 -> %sp:LogoutRequestType
%LogoutRequestType:	 base(sp:RequestAbstractType)
  sa:BaseID?
  sa:NameID?
  sa:EncryptedID?
  sp:SessionIndex*
  @Reason?	 -> %xs:string
  @NotOnOrAfter?	 -> %xs:dateTime
  ;

SessionIndex	 -> %xs:string

LogoutResponse	 -> %sp:StatusResponseType

NameIDMappingRequest	 -> %sp:NameIDMappingRequestType
%NameIDMappingRequestType:	 base(sp:RequestAbstractType)
  sa:BaseID?
  sa:NameID?
  sa:EncryptedID?
  sp:NameIDPolicy
  ;

NameIDMappingResponse	 -> %sp:NameIDMappingResponseType
%NameIDMappingResponseType:	 base(sp:StatusResponseType)
  sa:NameID?
  sa:EncryptedID?
  ;

#EOF

1.1.3 saml-schema-metadata-2.0 (md)

# zxid/sg/saml-schema-metadata-2.0.sh .sg
# Slightly edited, 27.5.2006, Sampo Kellomaki (sampo@iki.fi)
# 22.11.2009, added shib metadata support --Sampo
# $Id: saml-schema-metadata-2.0.sg,v 1.4 2009-11-24 23:53:40 sampo Exp $

target(md,urn:oasis:names:tc:SAML:2.0:metadata)
import(ds,http://www.w3.org/2000/09/xmldsig#,http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd)
import(xenc,http://www.w3.org/2001/04/xmlenc#,http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd)
import(sa,urn:oasis:names:tc:SAML:2.0:assertion,saml-schema-assertion-2.0.xsd)
ns(idpdisc,urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol)
# import(xml,http://www.w3.org/XML/1998/namespace,http://www.w3.org/2001/xml.xsd)
ns(xs,  http://www.w3.org/2001/XMLSchema)
ns(xml, http://www.w3.org/XML/1998/namespace)
ns(shibmd, urn:mace:shibboleth:metadata:1.0)

%entityIDType:	 base(xs:anyURI) ;

%localizedNameType:	 base(xs:string)
  @xml:lang? -> %xs:string  #@xml:lang vs. @lang   ***
  #@lang? -> %xs:string
  ;

%localizedURIType:	 base(xs:anyURI)
  @xml:lang? -> %xs:string  #@xml:lang vs. @lang   ***
  #@lang? -> %xs:string
  ;

Extensions	 -> %md:ExtensionsType
%ExtensionsType:
  shibmd:Scope*
  shibmd:KeyAuthority*
  idpdisc:DiscoveryResponse*
  any+
  ;

# What about IndexedEndpointType as needed in idpdisc,urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol --Sampo

%EndpointType:
  any*
  @Binding	 -> %xs:anyURI
  @Location	 -> %xs:anyURI
  @ResponseLocation?	 -> %xs:anyURI
  @index?	 -> %xs:unsignedShort
  @isDefault?	 -> %xs:boolean
  @any
  ;

EntitiesDescriptor	 -> %md:EntitiesDescriptorType
# Container for a set of entity descriptors (e.g. a federation metadata feed);
# it may nest further EntitiesDescriptors. ds:Signature is optional in schema,
# and validUntil/cacheDuration bound how long a consumer should keep relying
# on the contained descriptors.
%EntitiesDescriptorType:
  ds:Signature?
  md:Extensions?
  md:EntityDescriptor*         # these were originally choice unbounded
  md:EntitiesDescriptor*
  @validUntil?	 -> %dateTime
  @cacheDuration?	 -> %duration
  @ID?	 -> %xs:ID
  @Name?	 -> %xs:string
  ;

EntityDescriptor	 -> %md:EntityDescriptorType
%EntityDescriptorType:
  ds:Signature?
  md:Extensions?
  md:RoleDescriptor*                 # following were originally choice unbounded
  md:IDPSSODescriptor*
  md:SPSSODescriptor*
  md:AuthnAuthorityDescriptor*
  md:AttributeAuthorityDescriptor*
  md:PDPDescriptor*
  md:AffiliationDescriptor*
  md:Organization?
  md:ContactPerson*
  md:AdditionalMetadataLocation*
  @entityID	 -> %md:entityIDType
  @validUntil?	 -> %dateTime
  @cacheDuration?	 -> %duration
  @ID?	 -> %xs:ID
  @any
  ;

Organization	 -> %md:OrganizationType
%OrganizationType:
  md:Extensions?
  md:OrganizationName+
  md:OrganizationDisplayName+
  md:OrganizationURL+
  @any
  ;

OrganizationName	 -> %md:localizedNameType
OrganizationDisplayName	 -> %md:localizedNameType
OrganizationURL	 -> %md:localizedURIType

ContactPerson	 -> %md:ContactType
%ContactType:
  md:Extensions?
  md:Company?
  md:GivenName?
  md:SurName?
  md:EmailAddress*
  md:TelephoneNumber*
  @contactType	 -> %md:ContactTypeType
  @any
  ;

Company	 -> %xs:string
GivenName	 -> %xs:string
SurName	 -> %xs:string
EmailAddress	 -> %xs:anyURI
TelephoneNumber	 -> %xs:string

%ContactTypeType:	 enum( technical support administrative billing other ) ;

AdditionalMetadataLocation	 -> %md:AdditionalMetadataLocationType
%AdditionalMetadataLocationType:	 base(xs:anyURI)
  @namespace	 -> %xs:anyURI
  ;

RoleDescriptor	 -> %md:RoleDescriptorType
%RoleDescriptorType:
  ds:Signature?
  md:Extensions?
  md:KeyDescriptor*
  md:Organization?
  md:ContactPerson*
  @ID?	 -> %xs:ID
  @validUntil?	 -> %dateTime
  @cacheDuration?	 -> %duration
  @protocolSupportEnumeration	 -> %xs:anyURI
  @errorURL?	 -> %xs:anyURI
  @any
  ;

KeyDescriptor	 -> %md:KeyDescriptorType
# Key published by a provider for signing and/or encryption.
%KeyDescriptorType:
  ds:KeyInfo
  md:EncryptionMethod*
  @use?	 -> %md:KeyTypes          # per the SAML metadata spec an absent use means the key may serve both purposes
  ;

%KeyTypes:	 enum( encryption signing ) ;
EncryptionMethod	 -> %xenc:EncryptionMethodType
%SSODescriptorType:	 base(md:RoleDescriptorType)
  md:ArtifactResolutionService*
  md:SingleLogoutService*
  md:ManageNameIDService*
  md:NameIDFormat*
  ;

ArtifactResolutionService	 -> %md:EndpointType
SingleLogoutService	 -> %md:EndpointType
ManageNameIDService	 -> %md:EndpointType
NameIDFormat	 -> %xs:anyURI

IDPSSODescriptor	 -> %md:IDPSSODescriptorType
%IDPSSODescriptorType:	 base(md:SSODescriptorType)
  md:SingleSignOnService+
  md:NameIDMappingService*
  md:AssertionIDRequestService*
  md:AttributeProfile*
  sa:Attribute*
  @WantAuthnRequestsSigned?	 -> %xs:boolean
  ;

SingleSignOnService	 -> %md:EndpointType
NameIDMappingService	 -> %md:EndpointType
AssertionIDRequestService	 -> %md:EndpointType
AttributeProfile	 -> %xs:anyURI

SPSSODescriptor	 -> %md:SPSSODescriptorType
%SPSSODescriptorType:	 base(md:SSODescriptorType)
  md:AssertionConsumerService+
  md:AttributeConsumingService*
  @AuthnRequestsSigned?	 -> %xs:boolean
  @WantAssertionsSigned?	 -> %xs:boolean
  ;

AssertionConsumerService	 -> %md:EndpointType

AttributeConsumingService	 -> %md:AttributeConsumingServiceType
%AttributeConsumingServiceType:
  md:ServiceName+
  md:ServiceDescription*
  md:RequestedAttribute+
  @index	 -> %xs:unsignedShort
  @isDefault?	 -> %xs:boolean
  ;

ServiceName	 -> %md:localizedNameType
ServiceDescription	 -> %md:localizedNameType

RequestedAttribute	 -> %md:RequestedAttributeType
%RequestedAttributeType:	 base(sa:AttributeType)
  @isRequired?	 -> %xs:boolean
  ;

AuthnAuthorityDescriptor	 -> %md:AuthnAuthorityDescriptorType
%AuthnAuthorityDescriptorType:	 base(md:RoleDescriptorType)
    md:AuthnQueryService+
    md:AssertionIDRequestService*
    md:NameIDFormat*
  ;

AuthnQueryService	 -> %md:EndpointType

PDPDescriptor	 -> %md:PDPDescriptorType
%PDPDescriptorType:	 base(md:RoleDescriptorType)
  md:AuthzService+
  md:AssertionIDRequestService*
  md:NameIDFormat*
  ;

AuthzService	 -> %md:EndpointType

AttributeAuthorityDescriptor	 -> %md:AttributeAuthorityDescriptorType
%AttributeAuthorityDescriptorType:	 base(md:RoleDescriptorType)
  md:AttributeService+
  md:AssertionIDRequestService*
  md:NameIDFormat*
  md:AttributeProfile*
  sa:Attribute*
  ;

AttributeService	 -> %md:EndpointType

AffiliationDescriptor	 -> %md:AffiliationDescriptorType
%AffiliationDescriptorType:
  ds:Signature?
  md:Extensions?
  md:AffiliateMember+
  md:KeyDescriptor*
  @affiliationOwnerID	 -> %md:entityIDType
  @validUntil?	 -> %dateTime
  @cacheDuration?	 -> %duration
  @ID?	 -> %xs:ID
  @any
  ;

AffiliateMember	 -> %md:entityIDType

#EOF

1.2 SAML 1.1

1.2.1 oasis-sstc-saml-schema-assertion-1.1 (sa11)

# zxid/sg/oasis-sstc-saml-schema-assertion-1.1.sg
# Slightly edited, 5.9.2006, Sampo Kellomaki (sampo@iki.fi)
# 15.10.2006, extended AttributeValue schema to cater for bootstraps --Sampo
# 10.2.2007, added other types of assertions as potential Advice content --Sampo
# 3.3.2007, added XACML support --Sampo
# $Id: oasis-sstc-saml-schema-assertion-1.1.sg,v 1.6 2009-11-14 22:44:43 sampo Exp $

target(sa11, urn:oasis:names:tc:SAML:1.0:assertion)
ns(xs,http://www.w3.org/2001/XMLSchema)
import(ds, http://www.w3.org/2000/09/xmldsig#, http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd)
ns(di12, urn:liberty:disco:2003-08)
ns(a,    http://www.w3.org/2005/08/addressing)
ns(sa,   urn:oasis:names:tc:SAML:2.0:assertion)
ns(ff12, urn:liberty:iff:2003-08)
ns(xasa, urn:oasis:xacml:2.0:saml:assertion:schema:os)
ns(xasacd1, urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion:cd-01)

%DecisionType:   enum( Permit Deny Indeterminate ) ;
AssertionIDReference -> %xs:NCName

Assertion        -> %sa11:AssertionType
%AssertionType:
  sa11:Conditions?
  sa11:Advice?
  sa11:Statement*
  sa11:SubjectStatement*
  sa11:AuthenticationStatement*
  sa11:AuthorizationDecisionStatement*
  sa11:AttributeStatement*
  xasa:XACMLAuthzDecisionStatement*
  xasa:XACMLPolicyStatement*
  xasacd1:XACMLAuthzDecisionStatement*
  xasacd1:XACMLPolicyStatement*
  ds:Signature?
  @MajorVersion  -> %xs:integer
  @MinorVersion  -> %xs:integer
  @AssertionID   -> %xs:ID
  @Issuer        -> %xs:string
  @IssueInstant  -> %xs:dateTime
  ;

Conditions       -> %sa11:ConditionsType
%ConditionsType:
  sa11:AudienceRestrictionCondition*
  sa11:DoNotCacheCondition*
  sa11:Condition*
  @NotBefore?    -> %xs:dateTime
  @NotOnOrAfter? -> %xs:dateTime
  ;
Condition        -> %sa11:ConditionAbstractType

AudienceRestrictionCondition       -> %sa11:AudienceRestrictionConditionType
%AudienceRestrictionConditionType: base(sa11:ConditionAbstractType)
  sa11:Audience+
  ;

Audience -> %xs:anyURI

DoNotCacheCondition       -> %sa11:DoNotCacheConditionType
%DoNotCacheConditionType: base(sa11:ConditionAbstractType) ;

Advice -> %sa11:AdviceType
%AdviceType:
  sa11:AssertionIDReference*
  sa11:Assertion*
  ff12:Assertion*
  sa:Assertion*
  any*  ns(##other)  processContents(lax)
  ;

Statement -> %sa11:StatementAbstractType

SubjectStatement -> %sa11:SubjectStatementAbstractType
%SubjectStatementAbstractType: base(sa11:StatementAbstractType)
  sa11:Subject
  ;

Subject -> %sa11:SubjectType
%SubjectType:
  sa11:NameIdentifier?
  sa11:SubjectConfirmation?
  ;

NameIdentifier -> %sa11:NameIdentifierType
%NameIdentifierType: base(xs:string)
  @NameQualifier? -> %xs:string
  @Format? -> %xs:anyURI
  ;

SubjectConfirmation -> %sa11:SubjectConfirmationType
%SubjectConfirmationType:
  sa11:ConfirmationMethod+
  sa11:SubjectConfirmationData?
  ds:KeyInfo?
  ;

SubjectConfirmationData -> %xs:anyType
ConfirmationMethod -> %xs:anyURI

AuthenticationStatement -> %sa11:AuthenticationStatementType
%AuthenticationStatementType: base(sa11:SubjectStatementAbstractType)
  sa11:SubjectLocality?
  sa11:AuthorityBinding*
  @AuthenticationMethod -> %xs:anyURI
  @AuthenticationInstant -> %xs:dateTime
  ;

SubjectLocality  -> %sa11:SubjectLocalityType
%SubjectLocalityType:
  @IPAddress?    -> %xs:string
  @DNSAddress?   -> %xs:string
  ;

AuthorityBinding -> %sa11:AuthorityBindingType
%AuthorityBindingType:
  @AuthorityKind -> %xs:QName
  @Location      -> %xs:anyURI
  @Binding       -> %xs:anyURI
  ;

AuthorizationDecisionStatement       -> %sa11:AuthorizationDecisionStatementType
%AuthorizationDecisionStatementType: base(sa11:SubjectStatementAbstractType)
  sa11:Action+
  sa11:Evidence?
  @Resource      -> %xs:anyURI
  @Decision      -> %sa11:DecisionType
  ;

Action           -> %sa11:ActionType
%ActionType:     base(string)
  @Namespace?    -> %xs:anyURI
  ;

Evidence         -> %sa11:EvidenceType
%EvidenceType:
  sa11:AssertionIDReference*
  sa11:Assertion*
  ;

AttributeStatement -> %sa11:AttributeStatementType
%AttributeStatementType: base(sa11:SubjectStatementAbstractType)
  sa11:Attribute+
  ;

AttributeDesignator   -> %sa11:AttributeDesignatorType
%AttributeDesignatorType:
  @AttributeName      -> %xs:string
  @AttributeNamespace -> %xs:anyURI
  ;

Attribute -> %sa11:AttributeType
%AttributeType: base(sa11:AttributeDesignatorType)
  sa11:AttributeValue+
  ;

# To cater for discovery bootstraps we add them to schema here --Sampo
#AttributeValue	   -> %xs:anyType

AttributeValue -> %sa11:AttributeValueType
%AttributeValueType:
  di12:ResourceOffering*
  a:EndpointReference*
  ;

#EOF

1.2.2 oasis-sstc-saml-schema-protocol-1.1 (sp11)

# zxid/sg/oasis-sstc-saml-schema-protocol-1.1.sg
# Slightly edited, 5.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: oasis-sstc-saml-schema-protocol-1.1.sg,v 1.2 2009-09-05 02:23:41 sampo Exp $

target(sp11, urn:oasis:names:tc:SAML:1.0:protocol)

import(sa11, urn:oasis:names:tc:SAML:1.0:assertion, oasis-sstc-saml-schema-assertion-1.1.xsd)
import(ds,   http://www.w3.org/2000/09/xmldsig#, http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd)

ns(xs,http://www.w3.org/2001/XMLSchema)

%RequestAbstractType:
  sp11:RespondWith*
  ds:Signature?
  @RequestID	 -> %xs:ID
  @MajorVersion	 -> %xs:integer
  @MinorVersion	 -> %xs:integer
  @IssueInstant	 -> %xs:dateTime
  ;
RespondWith	 -> %xs:QName

Request	 -> %sp11:RequestType
%RequestType:	 base(sp11:RequestAbstractType)
  sp11:Query?
  sp11:SubjectQuery?
  sp11:AuthenticationQuery?
  sp11:AttributeQuery?
  sp11:AuthorizationDecisionQuery?
  sa11:AssertionIDReference+
  sp11:AssertionArtifact+
  ;

AssertionArtifact -> %xs:string

Query	 -> %sp11:QueryAbstractType

SubjectQuery	 -> %sp11:SubjectQueryAbstractType
%SubjectQueryAbstractType: base(sp11:QueryAbstractType)
  sa11:Subject
  ;

AuthenticationQuery	  -> %sp11:AuthenticationQueryType
%AuthenticationQueryType: base(sp11:SubjectQueryAbstractType)
  @AuthenticationMethod?  -> %xs:anyURI
  ;

AttributeQuery	 -> %sp11:AttributeQueryType
%AttributeQueryType:	 base(sp11:SubjectQueryAbstractType)
  sa11:AttributeDesignator*
  @Resource?	 -> %xs:anyURI
  ;

AuthorizationDecisionQuery	 -> %sp11:AuthorizationDecisionQueryType
%AuthorizationDecisionQueryType: base(sp11:SubjectQueryAbstractType)
  sa11:Action+
  sa11:Evidence?
  @Resource	 -> %xs:anyURI
  ;

%ResponseAbstractType:
  ds:Signature?
  @ResponseID	 -> %xs:ID
  @InResponseTo? -> %xs:NCName
  @MajorVersion	 -> %xs:integer
  @MinorVersion	 -> %xs:integer
  @IssueInstant	 -> %xs:dateTime
  @Recipient?	 -> %xs:anyURI
  ;

Response	 -> %sp11:ResponseType
%ResponseType:	 base(sp11:ResponseAbstractType)
  sp11:Status
  sa11:Assertion*
  ;

Status	 -> %sp11:StatusType
%StatusType:
  sp11:StatusCode
  sp11:StatusMessage?
  sp11:StatusDetail?
  ;

StatusCode	 -> %sp11:StatusCodeType
%StatusCodeType:
  sp11:StatusCode?
  @Value	 -> %xs:QName
  ;

StatusMessage	 -> %xs:string

StatusDetail	 -> %sp11:StatusDetailType
%StatusDetailType:
  any*  processContents(lax)
  ;

#EOF

1.3 Liberty ID-FF 1.2

1.3.1 liberty-idff-protocols-schema-1.2 (ff12)

# zxid/sg/liberty-idff-protocols-schema-1.2-errata-v2.0.sg
# Slightly edited, 5.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idff-protocols-schema-1.2-errata-v2.0.sg,v 1.4 2009-09-05 02:23:41 sampo Exp $
#
# N.B. In order to remove dependency on metadata, all instances
# of %m12:entityIDType have been replaced with %xs:anyURI, which
# is what the former expands to in the metadata schema. This makes
# world a simpler and better place.

target(ff12, urn:liberty:iff:2003-08)

import(sa11, urn:oasis:names:tc:SAML:1.0:assertion,oasis-sstc-saml-schema-assertion-1.1.xsd)
import(sp11, urn:oasis:names:tc:SAML:1.0:protocol,oasis-sstc-saml-schema-protocol-1.1.xsd)
import(xenc, http://www.w3.org/2001/04/xmlenc#, http://www.w3.org/TR/xmlenc-core/xenc-schema.xsd)
#import(ac,   urn:liberty:ac:2003-08, liberty-authentication-context-1.2-errata-v1.0.xsd)
import(ac,   urn:liberty:ac:2004-12, liberty-authentication-context-v2.0.xsd)

#include(liberty-idff-utility-v1.0.xsd)   necessary definitions have been inline expanded

Extension        -> %ff12:extensionType
%extensionType:
  any+  ns(##other)  processContents(lax)
  ;

ProviderID	 -> %xs:anyURI
AffiliationID	 -> %xs:anyURI
AuthnRequest	 -> %ff12:AuthnRequestType
%AuthnRequestType:	 base(sp11:RequestAbstractType)
  ff12:Extension*
  ff12:ProviderID
  ff12:AffiliationID?
  ff12:NameIDPolicy?
  ff12:ForceAuthn?	 -> %xs:boolean
  ff12:IsPassive?	 -> %xs:boolean
  ff12:ProtocolProfile?
  ff12:AssertionConsumerServiceID?	 -> %xs:string
  ff12:RequestAuthnContext?
  ff12:RelayState?
  ff12:Scoping?
  @consent?	 -> %xs:string
  ;

%NameIDPolicyType:	 enum( none onetime federated any ) ;
NameIDPolicy	 -> %ff12:NameIDPolicyType

%AuthnContextComparisonType:	 enum( exact minimum maximum better ) ;

%ScopingType:
  ff12:ProxyCount?	 -> %xs:nonNegativeInteger
  ff12:IDPList?
  ;
Scoping	 -> %ff12:ScopingType

RelayState	 -> %xs:string

ProtocolProfile	 -> %xs:anyURI

RequestAuthnContext:
  ff12:AuthnContextClassRef+     -> %xs:anyURI
  ff12:AuthnContextStatementRef+ -> %xs:anyURI
  ff12:AuthnContextComparison?   -> %ff12:AuthnContextComparisonType
  ;

AuthnResponse	 -> %ff12:AuthnResponseType
%AuthnResponseType:	 base(sp11:ResponseType)
  ff12:Extension*
  ff12:ProviderID
  ff12:RelayState?
  @consent?	 -> %xs:string
  ;

Assertion	 -> %ff12:AssertionType
%AssertionType:	 base(sa11:AssertionType)
  @InResponseTo?	 -> %xs:NCName
  ;

%SubjectType:	 base(sa11:SubjectType)
  ff12:IDPProvidedNameIdentifier?
  ;
Subject	 -> %ff12:SubjectType

EncryptableNameIdentifier	 -> %ff12:EncryptableNameIdentifierType
%EncryptableNameIdentifierType:	 base(sa11:NameIdentifierType)
  @IssueInstant?	 -> %xs:dateTime
  @Nonce?	 -> %xs:string
  ;

EncryptedNameIdentifier	 -> %ff12:EncryptedNameIdentifierType
%EncryptedNameIdentifierType:
  xenc:EncryptedData
  xenc:EncryptedKey?
  ;

AuthenticationStatement	 -> %ff12:AuthenticationStatementType
%AuthenticationStatementType:	 base(sa11:AuthenticationStatementType)
  ff12:AuthnContext?:
      ff12:AuthnContextClassRef?	 -> %xs:anyURI
      ac:AuthenticationContextStatement?
      ff12:AuthnContextStatementRef?	 -> %xs:anyURI
      ;
  @ReauthenticateOnOrAfter?	 -> %xs:dateTime
  @SessionIndex	 -> %xs:string
  ;

AuthnRequestEnvelope	 -> %ff12:AuthnRequestEnvelopeType
%AuthnRequestEnvelopeType:	 base(ff12:RequestEnvelopeType)
  ff12:AuthnRequest
  ff12:ProviderID
  ff12:ProviderName?	 -> %xs:string
  ff12:AssertionConsumerServiceURL	 -> %xs:anyURI
  ff12:IDPList?
  ff12:IsPassive?	 -> %xs:boolean
  ;
%RequestEnvelopeType:
  ff12:Extension*
  ;

IDPList	 -> %ff12:IDPListType
%IDPListType:
  ff12:IDPEntries
  ff12:GetComplete?
  ;
IDPEntry:
  ff12:ProviderID
  ff12:ProviderName?	 -> %xs:string
  ff12:Loc	 -> %xs:anyURI
  ;
IDPEntries:
  ff12:IDPEntry+
  ;
GetComplete	 -> %xs:anyURI

AuthnResponseEnvelope	 -> %ff12:AuthnResponseEnvelopeType
%AuthnResponseEnvelopeType:	 base(ff12:ResponseEnvelopeType)
  ff12:AuthnResponse
  ff12:AssertionConsumerServiceURL	 -> %xs:anyURI
  ;
%ResponseEnvelopeType:
  ff12:Extension*
  ;
RegisterNameIdentifierRequest	 -> %ff12:RegisterNameIdentifierRequestType
%RegisterNameIdentifierRequestType:	 base(sp11:RequestAbstractType)
  ff12:Extension*
  ff12:ProviderID
  ff12:IDPProvidedNameIdentifier
  ff12:SPProvidedNameIdentifier?
  ff12:OldProvidedNameIdentifier
  ff12:RelayState?
  ;

IDPProvidedNameIdentifier	 -> %sa11:NameIdentifierType
SPProvidedNameIdentifier	 -> %sa11:NameIdentifierType
OldProvidedNameIdentifier	 -> %sa11:NameIdentifierType

RegisterNameIdentifierResponse	 -> %ff12:StatusResponseType
%StatusResponseType:	 base(sp11:ResponseAbstractType)
  ff12:Extension*
  ff12:ProviderID
  sp11:Status
  ff12:RelayState?
  ;

FederationTerminationNotification	 -> %ff12:FederationTerminationNotificationType
%FederationTerminationNotificationType:	 base(sp11:RequestAbstractType)
  ff12:Extension*
  ff12:ProviderID
  sa11:NameIdentifier
  @consent?	 -> %xs:string
  ;

LogoutRequest         -> %ff12:LogoutRequestType
%LogoutRequestType:   base(sp11:RequestAbstractType)
  ff12:Extension*
  ff12:ProviderID
  sa11:NameIdentifier
  ff12:SessionIndex*  -> %xs:string
  ff12:RelayState?
  @consent?           -> %xs:string
  @NotOnOrAfter?      -> %xs:dateTime
  ;
LogoutResponse	 -> %ff12:StatusResponseType

NameIdentifierMappingRequest	 -> %ff12:NameIdentifierMappingRequestType
%NameIdentifierMappingRequestType:	 base(sp11:RequestAbstractType)
  ff12:Extension*
  ff12:ProviderID
  sa11:NameIdentifier
  ff12:TargetNamespace  -> %xs:anyURI
  @consent?             -> %xs:string
  ;

NameIdentifierMappingResponse	 -> %ff12:NameIdentifierMappingResponseType
%NameIdentifierMappingResponseType:	 base(sp11:ResponseAbstractType)
  ff12:Extension*
  ff12:ProviderID
  sp11:Status
  sa11:NameIdentifier?
  ;

# EOF

1.3.2 liberty-metadata-v2.0 (m20)

# zxid/sg/liberty-metadata-v2.0.sg
# Slightly edited, 5.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-metadata-v2.0.sg,v 1.5 2009-09-05 02:23:41 sampo Exp $
#
# N.B. Older Liberty metadata, liberty-metadata-1.0-errata-v2.0.xsd,
# urn:liberty:metadata:2003-08, is nearly identical to this one except
# for the actual namespace URI. We therefore adopt convention of using
# this new metadata even where strictly speaking the old one should be used.

target(m20, urn:liberty:metadata:2004-12)
import(ds,  http://www.w3.org/2000/09/xmldsig#,   http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd)

import(xs,  http://www.w3.org/2001/XMLSchema, http://www.w3.org/2001/xml.xsd)
#import(xs,  http://www.w3.org/XML/1998/namespace, http://www.w3.org/2001/xml.xsd)
# NOTE(review): the active import above binds xs to the XMLSchema namespace but
# names xml.xsd as its location, which is the schema for the xml: namespace
# (xml:lang, cf. the '***' markers on the @lang attributes below); the
# commented-out variant binds the xml: namespace instead. Confirm which binding
# the generator actually needs before relying on either.
# include(liberty-idwsf-utility-v2.0.xsd)

# Extension point: one or more elements from any namespace other than m20
# (##other), parsed with processContents(lax), i.e. validated only if a
# schema for them happens to be known and otherwise accepted as-is. Whatever
# appears here is therefore not checked by this grammar; consumers must
# treat extension content as untrusted input rather than rely on schema
# validation having seen it.
Extension        -> %m20:extensionType
%extensionType:
  any+  ns(##other)  processContents(lax)
  ;

%entityIDType:	 base(xs:anyURI) ;

%additionalMetadataLocationType:	 base(xs:anyURI)
  @namespace?	 -> %xs:anyURI
  ;

# Localised organisation name. NOTE(review): the underlying schema uses
# xml:lang, which this grammar models as an unprefixed @lang (the author's
# '***' marker flags the approximation; organizationDisplayNameType and
# localizedURIType below do the same). A document that carries a real
# xml:lang attribute will presumably not populate this @lang -- confirm how
# the generated parser treats the xml: namespace before depending on it.
%organizationNameType:	 base(xs:string)
  @lang -> %xs:string  #@xml:lang   ***
  ;

%organizationDisplayNameType:	 base(xs:string)
  @lang -> %xs:string  #@xml:lang   ***
  ;

%organizationType:
  m20:OrganizationName+         -> %m20:organizationNameType
  m20:OrganizationDisplayName+  -> %m20:organizationDisplayNameType
  m20:OrganizationURL+          -> %m20:localizedURIType
  m20:Extension?
  ;

%localizedURIType:	 base(xs:anyURI)
  @lang -> %xs:string  #@xml:lang   ***
  ;

%contactType:
  m20:Company?         -> %xs:string
  m20:GivenName?       -> %xs:string
  m20:SurName?         -> %xs:string
  m20:EmailAddress*    -> %xs:anyURI
  m20:TelephoneNumber* -> %xs:string
  m20:Extension?
  @libertyPrincipalIdentifier?	 -> %m20:entityIDType
  @contactType	 -> %m20:attrContactType
  ;

%attrContactType: enum( technical administrative billing other ) ;

%keyTypes:        enum( encryption signing ) ;

# Common base for SP and IdP descriptors. Security-relevant fields:
#  - ds:Signature? is optional: unsigned metadata parses fine. Whatever
#    trust is placed in the endpoint URLs and KeyDescriptors below must come
#    from verifying that signature against a key trusted out of band, or
#    from the channel the metadata was obtained over -- the grammar provides
#    neither. Presence of a ds:Signature element means nothing until it has
#    been verified.
#  - The *ServiceURL / *ReturnURL elements are where a consumer will send
#    the user (redirect) or post protocol messages. Take them only from
#    metadata whose origin has been established; otherwise they are an open
#    redirect / message-exfiltration vector.
#  - @validUntil and @cacheDuration bound how long this descriptor may be
#    reused; a consumer that caches metadata should honour both.
#  - @id is an xs:ID and is what a signature reference would point at; ID
#    uniqueness across the document is not something this grammar checks.
#  - @protocolSupportEnumeration is a plain string (space-separated URIs in
#    the spec); its parsing is left to the consumer.
%providerDescriptorType:
  m20:KeyDescriptor*
  m20:SoapEndpoint?	 -> %xs:anyURI
  m20:SingleLogoutServiceURL?                           -> %xs:anyURI
  m20:SingleLogoutServiceReturnURL?                     -> %xs:anyURI
  m20:FederationTerminationServiceURL?                  -> %xs:anyURI
  m20:FederationTerminationServiceReturnURL?            -> %xs:anyURI
  m20:FederationTerminationNotificationProtocolProfile* -> %xs:anyURI
  m20:SingleLogoutProtocolProfile*                      -> %xs:anyURI
  m20:RegisterNameIdentifierProtocolProfile*            -> %xs:anyURI
  m20:RegisterNameIdentifierServiceURL?                 -> %xs:anyURI
  m20:RegisterNameIdentifierServiceReturnURL?           -> %xs:anyURI
  m20:NameIdentifierMappingProtocolProfile*             -> %xs:anyURI
  m20:NameIdentifierMappingEncryptionProfile*           -> %xs:anyURI
  m20:Organization?                                     -> %m20:organizationType
  m20:ContactPerson*                                    -> %m20:contactType
  m20:AdditionalMetaLocation*	 -> %m20:additionalMetadataLocationType
  m20:Extension?
  ds:Signature?
  @protocolSupportEnumeration -> %xs:string
  @id?                        -> %xs:ID
  @validUntil?                -> %xs:dateTime
  @cacheDuration?             -> %xs:duration
  ;

# Key material a provider advertises. @use distinguishes encryption keys
# from signing keys; when it is absent the key is unqualified and the
# consumer must decide whether to accept it for both purposes.
# TODO(review): confirm zxid's policy for a KeyDescriptor without @use.
# ds:KeyInfo is optional, so a KeyDescriptor with no key at all is valid
# by schema. EncryptionMethod / KeySize describe the algorithm the peer
# expects; whether the consumer enforces a minimum KeySize is not
# expressed here.
# NOTE(review): '%keyTypes' is referenced without the m20: prefix, unlike
# every other local type in this file (e.g. %m20:entityIDType); confirm
# the generator resolves it, or prefix it for consistency.
KeyDescriptor	 -> %m20:keyDescriptorType
%keyDescriptorType:
  m20:EncryptionMethod?  -> %xs:anyURI
  m20:KeySize?           -> %xs:integer
  ds:KeyInfo?
  m20:Extension?
  @use?	 -> %keyTypes
  ;

# Aggregate of provider descriptors. Note the {2,unbounded} cardinality: a
# document describing a single entity must use EntityDescriptor directly.
# No ds:Signature is defined at this level in this grammar, so each
# contained EntityDescriptor carries (or lacks) its own signature and must
# be trusted individually.
EntitiesDescriptor -> %m20:entitiesDescriptorType
%entitiesDescriptorType:
  m20:EntityDescriptor{2,unbounded}
  ;

# One provider's metadata. @providerID (mandatory) is the entity's
# identity -- the value that ProviderID / issuer fields in protocol
# messages are matched against -- so the binding between @providerID and
# the keys and endpoints inside must be established either by verifying
# the optional ds:Signature against a pre-trusted key or by the way the
# document was obtained; the grammar itself establishes nothing.
# IDPDescriptor* / SPDescriptor* / AffiliationDescriptor* are all
# optional and repeatable, so a consumer should check it found the role
# it expects rather than assume it. @validUntil / @cacheDuration limit
# reuse of a cached copy; @id is the xs:ID a signature reference targets.
EntityDescriptor -> %m20:entityDescriptorType
%entityDescriptorType:
  m20:IDPDescriptor*          -> %m20:IDPDescriptorType
  m20:SPDescriptor*           -> %m20:SPDescriptorType
  m20:AffiliationDescriptor*  -> %m20:affiliationDescriptorType
  m20:ContactPerson?          -> %m20:contactType
  m20:Organization?           -> %m20:organizationType
  m20:Extension?
  ds:Signature?
  @providerID                 -> %m20:entityIDType
  @id?                        -> %xs:ID
  @validUntil?                -> %xs:dateTime
  @cacheDuration?             -> %xs:duration
  ;

# SP-specific additions to providerDescriptorType.
# AssertionConsumerServiceURL+ lists the endpoints an IdP delivers
# assertions to, each keyed by @id with an @isDefault flag (default false).
# Whoever can get an ACS URL into metadata an IdP trusts receives that
# SP's assertions, so these values are only as trustworthy as the
# metadata's provenance (see the signature caveat on the base type).
# AuthnRequestsSigned is mandatory (no '?'): the SP must state whether it
# signs its requests; an IdP reading 'true' here is expected to require
# signatures on that SP's requests rather than merely tolerate them.
%SPDescriptorType:	 base(m20:providerDescriptorType)
    m20:AssertionConsumerServiceURL+:	 base(xs:anyURI)
      @id          -> %xs:ID
      @isDefault?  -> %xs:boolean  default (false)
      ;
    m20:AuthnRequestsSigned	 -> %xs:boolean
  ;

%IDPDescriptorType:	 base(m20:providerDescriptorType)
    m20:SingleSignOnServiceURL        -> %xs:anyURI
    m20:SingleSignOnProtocolProfile+  -> %xs:anyURI
    m20:AuthnServiceURL?              -> %xs:anyURI
  ;

%affiliationDescriptorType:
  m20:AffiliateMember+	 -> %m20:entityIDType
  m20:Extension?
  m20:KeyDescriptor*	 -> %m20:keyDescriptorType
  ds:Signature?
  @affiliationOwnerID	 -> %m20:entityIDType
  @validUntil?	         -> %xs:dateTime
  @cacheDuration?	 -> %xs:duration
  @id?	 -> %xs:ID
  ;

#EOF

1.3.3 liberty-authentication-context-v2.0 (ac)

# zxid/sg/liberty-authentication-context-v2.0.sg
# Slightly edited, 5.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-authentication-context-v2.0.sg,v 1.3 2009-09-05 02:23:41 sampo Exp $
#
# N.B. This file is nearly identical to urn:liberty:ac:2003-08,
# liberty-authentication-context-1.2-errata-v1.0.xsd. Thus we adopt the convention
# of using this collection of authentication contexts.

target(ac, urn:liberty:ac:2004-12)
#include(liberty-utility-v2.0.xsd)   necessary definitions have been inline expanded

Extension        -> %ac:extensionType
%extensionType:
  any+  ns(##other)  processContents(lax)
  ;

AuthenticationContextStatement	 -> %ac:AuthenticationContextStatementType
Identification	 -> %ac:IdentificationType

PhysicalVerification:
  @credentialLevel?:	 enum( primary secondary ) ;
  ;
WrittenConsent:
  ac:Extension*
  ;

TechnicalProtection	 -> %ac:TechnicalProtectionType
SecretKeyProtection	 -> %ac:SecretKeyProtectionType
PrivateKeyProtection	 -> %ac:PrivateKeyProtectionType
KeyActivation	 -> %ac:KeyActivationType
KeySharing	 -> %ac:KeySharingType
KeyStorage	 -> %ac:KeyStorageType
Password	 -> %ac:PasswordType
ActivationPin	 -> %ac:ActivationPinType
Token            -> %ac:TokenType
TimeSyncToken	 -> %ac:TimeSyncTokenType

Smartcard:
  ac:Extension*
  ;

Length           -> %ac:LengthType
ActivationLimit  -> %ac:ActivationLimitType

Generation:
  @mechanism:	 enum( principalchosen automatic ) ;
  ;

AuthenticationMethod	 -> %ac:AuthenticationMethodType
PrincipalAuthenticationMechanism	 -> %ac:PrincipalAuthenticationMechanismType
Authenticator	 -> %ac:AuthenticatorType

PreviousSession:
  ac:Extension*
  ;
ResumeSession:
  ac:Extension*
  ;
ZeroKnowledge:
  ac:Extension*
  ;
SharedSecretChallengeResponse:
  ac:Extension*
  ;
DigSig:
  ac:Extension*
  ;
IPAddress:
  ac:Extension*
  ;
AsymmetricDecryption:
  ac:Extension*
  ;
AsymmetricKeyAgreement:
  ac:Extension*
  ;
SharedSecretDynamicPlaintext:
  ac:Extension*
  ;
AuthenticatorTransportProtocol	 -> %ac:AuthenticatorTransportProtocolType
HTTP:
  ac:Extension*
  ;
IPSec:
  ac:Extension*
  ;
WTLS:
  ac:Extension*
  ;
MobileNetworkNoEncryption:
  ac:Extension*
  ;
MobileNetworkRadioEncryption:
  ac:Extension*
  ;
MobileNetworkEndToEndEncryption:
  ac:Extension*
  ;
SSL:
  ac:Extension*
  ;
OperationalProtection	 -> %ac:OperationalProtectionType
SecurityAudit	 -> %ac:SecurityAuditType
SwitchAudit:
  ac:Extension*
  ;
DeactivationCallCenter:
  ac:Extension*
  ;
GoverningAgreements	 -> %ac:GoverningAgreementsType
GoverningAgreementRef	 -> %ac:GoverningAgreementRefType
AuthenticatingAuthority	 -> %ac:AuthenticatingAuthorityType
%IdentificationType:
  ac:PhysicalVerification?
  ac:WrittenConsent?
  ac:Extension*
  @nym?:	 enum( anonymity verinymity pseudonymity ) ;
  ;
%GoverningAgreementsType:
  ac:GoverningAgreementRef+
  ;
%GoverningAgreementRefType:
  @governingAgreementRef	 -> %xs:anyURI
  ;
%AuthenticatingAuthorityType:
  ac:GoverningAgreements
  @ID	 -> %xs:anyURI
  ;
%AuthenticatorTransportProtocolType:
  ac:HTTP?
  ac:SSL?
  ac:MobileNetworkNoEncryption?
  ac:MobileNetworkRadioEncryption?
  ac:MobileNetworkEndToEndEncryption?
  ac:WTLS?
  ac:IPSec?
  ac:Extension+
  ;
%PrincipalAuthenticationMechanismType:
  ac:Password?
  ac:Token?
  ac:Smartcard?
  ac:ActivationPin?
  ac:Extension+
  ;
%AuthenticationMethodType:
  ac:PrincipalAuthenticationMechanism?
  ac:Authenticator?
  ac:AuthenticatorTransportProtocol?
  ac:Extension*
  ;
%AuthenticationContextStatementType:
  ac:Identification?
  ac:TechnicalProtection?
  ac:OperationalProtection?
  ac:AuthenticationMethod?
  ac:GoverningAgreements?
  ac:AuthenticatingAuthority*
  ac:Extension*
  @ID?	 -> %xs:ID
  ;
%TechnicalProtectionType:
  ac:PrivateKeyProtection?
  ac:SecretKeyProtection?
  ac:Extension*
  ;
%OperationalProtectionType:
  ac:SecurityAudit?
  ac:DeactivationCallCenter?
  ac:Extension*
  ;
%AuthenticatorType:
  ac:PreviousSession?
  ac:ResumeSession?
  ac:DigSig?
  ac:Password?
  ac:ZeroKnowledge?
  ac:SharedSecretChallengeResponse?
  ac:SharedSecretDynamicPlaintext?
  ac:IPAddress?
  ac:AsymmetricDecryption?
  ac:AsymmetricKeyAgreement?
  ac:Extension+
  ;
%KeyActivationType:
  ac:ActivationPin?
  ac:Extension+
  ;
%KeySharingType:
  @sharing	 -> %xs:boolean
  ;
%PrivateKeyProtectionType:
  ac:KeyActivation?
  ac:KeyStorage?
  ac:KeySharing?
  ac:Extension*
  ;
%PasswordType:
  ac:Length?
  ac:Alphabet?
  ac:Generation?
  ac:Extension*
  ;
%ActivationPinType:
  ac:Length?
  ac:Alphabet?
  ac:Generation?
  ac:ActivationLimit?
  ac:Extension*
  ;

Alphabet	 -> %ac:AlphabetType
%AlphabetType:
  @requiredChars  -> %xs:string
  @excludedChars? -> %xs:string
  @case?          -> %xs:string
  ;

%TokenType:
  ac:TimeSyncToken
  ac:Extension*

  ;
%TimeSyncTokenType:
  @DeviceType:	 enum( hardware software ) ;
  @SeedLength	 -> %xs:integer
  @DeviceInHand:	 enum( true false ) ;
  ;

%ActivationLimitType:
  ac:ActivationLimitDuration?
  ac:ActivationLimitUsages?
  ac:ActivationLimitSession?
  ;
ActivationLimitDuration	 -> %ac:ActivationLimitDurationType
ActivationLimitUsages	 -> %ac:ActivationLimitUsagesType
ActivationLimitSession	 -> %ac:ActivationLimitSessionType
%ActivationLimitDurationType:
  @duration	 -> %xs:duration
  ;
%ActivationLimitUsagesType:
  @number	 -> %xs:integer
  ;

%LengthType:
  @min	 -> %xs:integer
  @max?	 -> %xs:integer
  ;
%KeyStorageType:
  @medium:	 enum( memory smartcard token MobileDevice MobileAuthCard ) ;
  ;
%SecretKeyProtectionType:
  ac:KeyActivation?
  ac:KeyStorage?
  ac:Extension+
  ;
%SecurityAuditType:
  ac:SwitchAudit?
  ac:Extension*
  ;

# EOF

1.4 Liberty ID-WSF 1.1

1.4.1 liberty-idwsf-soap-binding-v1.2 (b12)

# zxid/sg/liberty-idwsf-soap-binding-v1.2.sg
# Slightly edited, 14.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-soap-binding-v1.2.sg,v 1.3 2009-09-05 02:23:41 sampo Exp $

target(b12, urn:liberty:sb:2003-08)
import(e, http://schemas.xmlsoap.org/soap/envelope/, http://schemas.xmlsoap.org/soap/envelope/)
include(liberty-idwsf-utility-v1.1.xsd)

# ID-WSF 1.2 SOAP Correlation header. @messageID (mandatory) and
# @timestamp (mandatory) are the only per-message freshness material
# this header carries, and a schema cannot enforce either uniqueness of
# messageIDs or recency of timestamps; if replay detection is built on
# them it has to be a consumer-side check (cache of seen IDs, bounded
# clock skew). TODO(review): confirm whether zxid's b12 handling performs
# such a check or treats these attributes as informational.
# @refToMessageID? ties a response to its request; a consumer that does
# not match it against an outstanding request accepts unsolicited
# responses. Both IDs are plain strings here (the original IDType is
# noted in the trailing comments). e:mustUnderstand / e:actor are the
# SOAP 1.1 header attributes.
%CorrelationType:
  @messageID       -> %xs:string   # %IDType
  @refToMessageID? -> %xs:string   # %IDType
  @timestamp       -> %xs:dateTime
  @id?             -> %xs:ID
  @e:mustUnderstand?
  @e:actor?
  ;
Correlation -> %b12:CorrelationType

%ProviderType:
  @providerID     -> %xs:anyURI
  @affiliationID? -> %xs:anyURI
  @id?            -> %xs:ID
  @e:mustUnderstand?
  @e:actor?
  ;
Provider -> %b12:ProviderType

%ProcessingContextType:	 base(xs:anyURI)
  @id?	 -> %xs:ID
  @e:mustUnderstand?
  @e:actor?
  ;
ProcessingContext -> %b12:ProcessingContextType

%ConsentType:
  @uri        -> %xs:anyURI
  @timestamp? -> %xs:dateTime
  @id?        -> %xs:ID
  @e:mustUnderstand?
  @e:actor?
  ;
Consent -> %b12:ConsentType

%UsageDirectiveType:
  any+  ns(##other)  processContents(lax)
  @id?	 -> %xs:ID
  @ref	 -> %xs:IDREF
  @e:mustUnderstand?
  @e:actor?
  ;
UsageDirective -> %b12:UsageDirectiveType

#EOF

1.4.2 liberty-idwsf-security-mechanisms-v1.2 (sec12)

# zxid/sg/liberty-idwsf-security-mechanisms-v1.2.sg
# Slightly edited, 14.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-security-mechanisms-v1.2.sg,v 1.3 2009-09-05 02:23:41 sampo Exp $

target(sec12, urn:liberty:sec:2003-08)
import(sa11, urn:oasis:names:tc:SAML:1.0:assertion, oasis-sstc-saml-schema-assertion-1.1.xsd)
import(ff12, urn:liberty:iff:2003-08,liberty-idff-protocols-schema-1.2-errata-v3.0.xsd)
import(di12, urn:liberty:disco:2003-08,liberty-idwsf-disco-svc-v1.2.xsd)
import(ds, http://www.w3.org/2000/09/xmldsig#, http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd)

ValidityRestrictionCondition       -> %sec12:ValidityRestrictionConditionType
%ValidityRestrictionConditionType: base(sa11:ConditionAbstractType)
  sec12:NumberOfUses -> %xs:integer
  ;

ProxySubject -> %sa11:SubjectType

ProxyTransitedStatement -> %sa11:SubjectStatementAbstractType

ProxyInfoConfirmationData -> %sec12:ProxyInfoConfirmationType
%ProxyInfoConfirmationType:
  sa11:AssertionIDReference
  sec12:Issuer	 -> %xs:string
  sec12:IssueInstant	 -> %xs:dateTime
  ds:Signature?
  @id?	 -> %xs:ID
  ;

SessionContext -> %sec12:SessionContextType
%SessionContextType:
  sec12:SessionSubject   -> %ff12:SubjectType
  sec12:ProviderID       -> %xs:anyURI    #  %md:entityIDType
  ff12:RequestAuthnContext?
  @SessionIndex?         -> %xs:string
  @AuthenticationInstant -> %xs:dateTime
  @AssertionIssueInstant -> %xs:dateTime
  ;

SessionContextStatement       -> %sec12:SessionContextStatementType
%SessionContextStatementType: base(sa11:SubjectStatementAbstractType)
    sec12:ProxySubject?
    sec12:SessionContext
  ;

ResourceAccessStatement       -> %sec12:ResourceAccessStatementType
%ResourceAccessStatementType: base(sa11:SubjectStatementAbstractType)
  &di12:ResourceIDGroup
  sec12:ProxySubject
  sec12:SessionContext?
  ;

#EOF

1.4.3 liberty-idwsf-disco-svc-v1.2 (di12)

# zxid/sg/liberty-idwsf-disco-svc-v1.2.sg
# Slightly edited, 14.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-disco-svc-v1.2.sg,v 1.3 2009-09-05 02:23:41 sampo Exp $

target(di12, urn:liberty:disco:2003-08)
import(xenc, http://www.w3.org/2001/04/xmlenc#, http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd)
#include(liberty-idwsf-utility-v1.1.xsd)

ServiceType	 -> %xs:anyURI

%ResourceIDType:	 base(xs:anyURI)
  @id?	 -> %xs:ID
  ;

# Resource identifier encrypted for the target provider. Both children
# are mandatory in this grammar: the xenc:EncryptedData and a separate
# xenc:EncryptedKey. The original author notes that EncryptedData can also
# carry its own key inline, so a decryptor may be presented with key
# material in either place. Which one is used, and whether a sender-
# supplied EncryptedKey is ever trusted to unwrap data, is decided by the
# xenc handling code, not by this grammar -- review that code for
# key-confusion handling rather than relying on schema shape.
%EncryptedResourceIDType:
  xenc:EncryptedData
  xenc:EncryptedKey       # N.B. Encrypted data itself can carry a key, too
  ;

ResourceID -> %di12:ResourceIDType

EncryptedResourceID -> %di12:EncryptedResourceIDType

&ResourceIDGroup: 
  di12:ResourceID?
  di12:EncryptedResourceID?
  ;

%DescriptionType:
  di12:SecurityMechID+	 -> %xs:anyURI
  di12:CredentialRef*	 -> %xs:IDREF
  &di12:WsdlRef*
  &di12:BriefSoapHttpDescription*
  @id?	 -> %xs:ID
  ;

&WsdlRef: 
  di12:WsdlURI        -> %xs:anyURI
  di12:ServiceNameRef -> %xs:QName
  ;

&BriefSoapHttpDescription: 
  di12:Endpoint    -> %xs:anyURI
  di12:SoapAction? -> %xs:anyURI
  ;

%ServiceInstanceType:
  di12:ServiceType
  di12:ProviderID	 -> %xs:anyURI        #%md:entityIDType
  di12:Description+	 -> %di12:DescriptionType
  ;

ResourceOffering	 -> %di12:ResourceOfferingType
%ResourceOfferingType:
  &di12:ResourceIDGroup
  di12:ServiceInstance	 -> %di12:ServiceInstanceType
  di12:Options?
  di12:Abstract?	 -> %xs:string
  @entryID?	 -> %xs:string   #%IDType
  ;

Options	 -> %di12:OptionsType
%OptionsType:
  di12:Option*	 -> %xs:anyURI
  ;

Query	 -> %di12:QueryType
%QueryType:
  &di12:ResourceIDGroup
  di12:RequestedServiceType*:
    di12:ServiceType
    di12:Options?
    ;
  @id?	 -> %xs:ID
  ;

QueryResponse	 -> %di12:QueryResponseType
%QueryResponseType:
  di12:Status
  di12:ResourceOffering*
  di12:Credentials?:
    any*  processContents(lax)
    ;
  @id?	 -> %xs:ID
  ;

%InsertEntryType:
  di12:ResourceOffering
  any*  processContents(lax)
  ;

%RemoveEntryType:
  @entryID	 -> %xs:string #%IDReferenceType
  ;

Modify	 -> %di12:ModifyType
%ModifyType:
  &di12:ResourceIDGroup
  di12:InsertEntry*	 -> %di12:InsertEntryType
  di12:RemoveEntry*	 -> %di12:RemoveEntryType
  @id?	 -> %xs:ID
  ;

%DirectiveType:
  @descriptionIDRefs?	 -> %xs:IDREFS
  ;

AuthenticateRequester	   -> %di12:DirectiveType
AuthorizeRequester	   -> %di12:DirectiveType
AuthenticateSessionContext -> %di12:DirectiveType
EncryptResourceID	   -> %di12:DirectiveType

ModifyResponse	 -> %di12:ModifyResponseType
%ModifyResponseType:
  di12:Status
  di12:Extension?
  @id?	 -> %xs:ID
  @newEntryIDs? -> %xs:string       # : list (IDReferenceType) ;
  ;

# From liberty-idwsf-utility-v1.1.sg

Status   -> %di12:StatusType
%StatusType:
  di12:Status*
  @code     -> %xs:QName
  @ref?     -> %xs:string
  @comment? -> %xs:string
  ;

Extension        -> %di12:extensionType
%extensionType:
  any+  ns(##other)  processContents(lax)
  ;

#EOF

1.4.4 liberty-idwsf-interaction-svc-v1.1 (is12)

# zxid/sg/liberty-idwsf-interaction-svc-v1.1.sg
# Slightly edited, 14.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-interaction-svc-v1.1.sg,v 1.3 2009-09-05 02:23:41 sampo Exp $

target(is12, urn:liberty:is:2003-08)
import(di12, urn:liberty:disco:2003-08, liberty-idwsf-disco-svc-v1.2.xsd)
import(e,    http://schemas.xmlsoap.org/soap/envelope/, http://schemas.xmlsoap.org/soap/envelope/)
import(ds,   http://www.w3.org/2000/09/xmldsig#,http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd)
#include(liberty-idwsf-utility-v1.1.xsd)

# ID-WSF 1.2 UserInteraction SOAP header: the requester states whether and
# how the service may interact with the user. @interact defaults to the
# QName is12:interactIfNeeded (the 2.0 grammar later in this document uses
# a plain string for the same attribute). @redirect defaults to false (0);
# when true the service may presumably answer with a RedirectRequest
# carrying a URL for the requester to send the user to -- see the caveat on
# RedirectRequestType. @maxInteractTime is the requester's bound on how
# long interaction may take. InteractionService? is a disco ResourceOffering
# naming the interaction service to use; trust it only as far as the
# header's sender is authenticated.
UserInteraction -> %is12:UserInteractionHeaderType
%UserInteractionHeaderType:
  is12:InteractionService? -> %di12:ResourceOfferingType
  @id?              -> %xs:ID
  @interact?        -> %xs:QName  default (is12:interactIfNeeded)
  @language?        -> %xs:NMTOKENS
  @redirect?        -> %xs:boolean  default (0)
  @maxInteractTime? -> %xs:integer
  @e:actor?
  @e:mustUnderstand?
  ;

# Carries the URL a service asks the requester to redirect the user's
# browser to. @redirectURL is an unconstrained anyURI: a requester that
# redirects to it as-is, without checking the value against the known
# endpoints of the (authenticated) service that sent it, has an open
# redirect / phishing primitive. Validate the URL before using it, and
# only honour it when the requester actually advertised @redirect=true.
RedirectRequest	 -> %is12:RedirectRequestType
%RedirectRequestType:
  @redirectURL	 -> %xs:anyURI
  ;

ResourceID -> %di12:ResourceIDType

EncryptedResourceID -> %di12:EncryptedResourceIDType

&ResourceIDGroup: 
  is12:ResourceID | is12:EncryptedResourceID
  ;

# Interaction request sent to an interaction service: one or more
# Inquiry elements to put to the user, optionally scoped by
# &is12:ResourceIDGroup? to the resource concerned. @signed? (a token
# value) together with the optional ds:KeyInfo is, going by the names,
# the requester's way of asking that the resulting InteractionStatement
# be signed / be verifiable with the given key. Treat that as a request,
# not a guarantee: the response's InteractionStatementType does carry a
# mandatory ds:Signature, but whether it is verified, and against which
# key, is entirely up to the consumer. @maxInteractTime bounds the
# interaction; @language is a list of preferred language tokens.
InteractionRequest	 -> %is12:InteractionRequestType
%InteractionRequestType:
  &is12:ResourceIDGroup?
  is12:Inquiry+
  ds:KeyInfo?
  @id?              -> %xs:ID
  @language?        -> %xs:NMTOKENS
  @maxInteractTime? -> %xs:integer
  @signed?          -> %xs:token
  ;

Inquiry         -> %is12:InquiryType
%InquiryType:
  is12:Help?
  is12:Select*
  is12:Confirm* -> %is12:InquiryElementType
  is12:Text*
  @id?          -> %xs:ID
  @title?       -> %xs:string
  ;

Help         -> %is12:HelpType
%HelpType:
  @label?    -> %xs:string
  @link?     -> %xs:anyURI
  @moreLink? -> %xs:anyURI
  ;

Hint	 -> %xs:string

Select           -> %is12:SelectType
%SelectType:     base(is12:InquiryElementType)
    is12:Item{2,unbounded}:
      is12:Hint?
      @label?	 -> %xs:string
      @value	 -> %xs:NMTOKEN
      ;
  @multiple?	 -> %xs:boolean  default (false)
  ;

Text         -> %is12:TextType
%TextType:   base(is12:InquiryElementType)
  @minChars? -> %xs:integer
  @maxChars? -> %xs:integer
  @format?   -> %xs:string
  ;

%InquiryElementType:
  is12:Help?
  is12:Hint?
  is12:Label? -> %xs:normalizedString
  is12:Value? -> %xs:normalizedString
  @name       -> %xs:ID
  ;

InteractionResponse          -> %is12:InteractionResponseType
%InteractionResponseType:
  is12:Status
  is12:InteractionStatement* -> %is12:InteractionStatementType
  is12:Parameter*            -> %is12:ParameterType
  ;

# Signed record of the inquiries that were put to the user. ds:Signature
# is mandatory by schema here (contrast the optional '?' signatures in the
# metadata grammars), so an unsigned statement does not parse -- but
# parsing a Signature element is not verifying it. Before an
# InteractionStatement is used as evidence of user consent the consumer
# must validate the signature against a key it trusts and check that the
# signed Inquiry set is the one it asked for.
%InteractionStatementType:
  is12:Inquiry+
  ds:Signature
  ;

%ParameterType:
  @name  -> %xs:ID
  @value -> %xs:string
  ;

# From liberty-idwsf-utility-v1.1.sg

Status   -> %is12:StatusType
%StatusType:
  is12:Status*
  @code     -> %xs:QName
  @ref?     -> %xs:string
  @comment? -> %xs:string
  ;

Extension        -> %is12:extensionType
%extensionType:
  any+  ns(##other)  processContents(lax)
  ;

#EOF

1.5 Liberty ID-WSF 2.0

1.5.1 liberty-idwsf-utility-v2.0 (lu)

# zxid/sg/liberty-idwsf-utility-v2.0.sg
# Slightly edited, 18.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-utility-v2.0.sg,v 1.3 2009-09-05 02:23:41 sampo Exp $

target(lu, urn:liberty:util:2006-08)

%IDType:    base(xs:string) ;
%IDReferenceType: base(xs:string) ;
@itemID     -> %lu:IDType
@itemIDRef  -> %lu:IDReferenceType

%StatusType:
  lu:Status*
  @code     -> %xs:string
  @ref?     -> %lu:IDReferenceType
  @comment? -> %xs:string
  ;
Status      -> %lu:StatusType

%ResponseType:
  lu:Status
  lu:Extension*
  @itemIDRef?  -> %lu:IDReferenceType
  @any
  ;

TestResult       -> %lu:TestResultType
%TestResultType: base(xs:boolean)
  @itemIDRef  -> %lu:IDReferenceType
  ;

%EmptyType:	 base(xs:anyType) ;

Extension -> %lu:extensionType
%extensionType:
  any+  ns(##other)  processContents(lax)
  ;

#EOF

1.5.2 liberty-idwsf-soap-binding (no version, sbf)

# zxid/sg/liberty-idwsf-soap-binding.sg
# Slightly edited, 14.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-soap-binding.sg,v 1.4 2009-09-05 02:23:41 sampo Exp $

target(sbf, urn:liberty:sb)
import(wsu, http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd)
import(e,   http://schemas.xmlsoap.org/soap/envelope/)

%FrameworkType:
  any*  processContents(lax)
  @version  -> %xs:string
  @wsu:Id?
  @e:mustUnderstand?
  @e:actor?
  @any
  ;
Framework   -> %sbf:FrameworkType

#EOF

1.5.3 liberty-idwsf-soap-binding-v2.0 (b)

# zxid/sg/liberty-idwsf-soap-binding-v2.0.sg
# Slightly edited, 5.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-soap-binding-v2.0.sg,v 1.8 2009-11-24 23:53:40 sampo Exp $

target(b,    urn:liberty:sb:2006-08)
import(sp,   urn:oasis:names:tc:SAML:2.0:protocol)
import(wsu,  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd,wss-util-1.0.xsd)
import(a,    http://www.w3.org/2005/08/addressing,ws-addr-1.0.xsd)
import(lu,   urn:liberty:util:2006-08,liberty-idwsf-utility-v2.0.xsd)
import(e,    http://schemas.xmlsoap.org/soap/envelope/)
import(sa11, urn:oasis:names:tc:SAML:1.0:assertion)
import(sa,   urn:oasis:names:tc:SAML:2.0:assertion)
import(ff12, urn:liberty:iff:2003-08)
import(xa,   urn:oasis:names:tc:xacml:2.0:policy:schema:os, http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd)
import(tas3sol, http://tas3.eu/tas3sol/200911/)

&@hdr:
  @wsu:Id?
  @e:mustUnderstand?
  @e:actor?
  @id? -> %xs:anyURI
  ;

Framework	 -> %b:FrameworkType
%FrameworkType:
  any*  processContents(lax)
  @version	 -> %xs:string
  &@b:hdr        # Added by Sampo
  @any
  ;

Sender	 -> %b:SenderType
%SenderType:
  @providerID      -> %xs:anyURI
  @affiliationID?  -> %xs:anyURI
  &@b:hdr        # Added by Sampo
  @any
  ;

# ID-WSF 2.0 TargetIdentity header: the security token identifying the
# principal the request is about. Four token shapes are named (SAML 2.0
# Assertion or EncryptedAssertion, SAML 1.x Assertion, ID-FF 1.2 Assertion)
# and any* processContents(lax) admits anything else without validation.
# The header only transports the token: its issuer, signature, validity
# window and audience must be checked by the receiver, and an
# unrecognised token that arrived through the wildcard should be rejected
# rather than treated as an identity. &@b:hdr supplies the wsu:Id / SOAP
# header attributes (an addition by the ZXID author, not from the spec
# schema); @any admits further unvalidated attributes.
TargetIdentity	 -> %b:TargetIdentityType
%TargetIdentityType:
  sa:Assertion?
  sa:EncryptedAssertion?
  sa11:Assertion?
  ff12:Assertion?
  any*  processContents(lax)
  &@b:hdr        # Added by Sampo
  @any
  ;

CredentialsContext	 -> %b:CredentialsContextType
%CredentialsContextType:
  sp:RequestedAuthnContext?
  b:SecurityMechID*	 -> %xs:anyURI
  &@b:hdr        # Added by Sampo
  @any
  ;

EndpointUpdate	 -> %b:EndpointUpdateType
%EndpointUpdateType:	 base(a:EndpointReferenceType)
  @updateType?	 -> %xs:anyURI
  ;

Timeout	 -> %b:TimeoutType
%TimeoutType:
  @maxProcessingTime	 -> %xs:integer
  &@b:hdr        # Added by Sampo
  @any
  ;

ProcessingContext	 -> %b:ProcessingContextType
%ProcessingContextType:	 base(xs:anyURI)
  &@b:hdr        # Added by Sampo
  @any
  ;

Consent	 -> %b:ConsentType
%ConsentType:
  @uri	 -> %xs:anyURI
  @timestamp?	 -> %xs:dateTime
  &@b:hdr        # Added by Sampo
  @any
  ;

# ID-WSF 2.0 UsageDirective header: XACML obligations (xa:Obligation*), an
# optional TAS3 dictionary and lax foreign content, attached to the message
# part named by @ref (a mandatory IDREF). In XACML terms an obligation is
# something the recipient must carry out as a condition of using the data;
# a receiver that cannot honour the obligations should refuse the data
# rather than silently drop them. The any+ content is accepted lax and is
# therefore not validated by this grammar. &@b:hdr and @any were added by
# the ZXID author beyond the spec schema.
UsageDirective	 -> %b:UsageDirectiveType
%UsageDirectiveType:
  xa:Obligation*
  tas3sol:Dict?
  any+  ns(##other)  processContents(lax)
  @ref	 -> %xs:IDREF
  &@b:hdr        # Added by Sampo
  @any
  ;

#  tas3sol:Obligations?

ApplicationEPR	 -> %a:EndpointReferenceType

UserInteraction	 -> %b:UserInteractionHeaderType
%UserInteractionHeaderType:
  b:InteractionService* -> %a:EndpointReferenceType
  @interact?	 -> %xs:string  default (interactIfNeeded)
  @language?	 -> %xs:NMTOKENS
  @redirect?	 -> %xs:boolean  default (0)
  @maxInteractTime? -> %xs:integer
  &@b:hdr        # Added by Sampo
  @any
  ;

# ID-WSF 2.0 counterpart of the 1.2 RedirectRequest: a URL the service asks
# the requester to send the user's browser to. @redirectURL is an
# unconstrained anyURI, so a requester that redirects to it without
# checking it against the endpoints of the (authenticated) service that
# sent it has an open redirect / phishing primitive. Validate before use,
# and honour it only if the requester set @redirect=true in its
# UserInteraction header. &@b:hdr is a ZXID addition carrying wsu:Id and
# the SOAP header attributes.
RedirectRequest	 -> %b:RedirectRequestType
%RedirectRequestType:
  @redirectURL	 -> %xs:anyURI
  &@b:hdr        # Added by Sampo
  ;

#EOF

1.5.4 liberty-idwsf-security-mechanisms-v2.0 (sec)

# zxid/sg/liberty-idwsf-security-mechanisms-v2.0.sg
# Slightly edited, 5.9.2006, Sampo Kellomaki (sampo@iki.fi)
# 10.2.2007, added sa:Assertion as potential security token type --Sampo
# $Id: liberty-idwsf-security-mechanisms-v2.0.sg,v 1.7 2009-08-25 16:22:45 sampo Exp $

target(sec, urn:liberty:security:2006-08)
ns(sa,     urn:oasis:names:tc:SAML:2.0:assertion)
ns(sp,     urn:oasis:names:tc:SAML:2.0:protocol)
ns(sa11,   urn:oasis:names:tc:SAML:1.0:assertion)
ns(ff12,   urn:liberty:iff:2003-08)

# Client-stated policy for the token it would like issued. sp:NameIDPolicy?
# asks for a particular identifier form; @issueTo? names the intended
# recipient; @validUntil? the requested lifetime; @type? the token format;
# @wantDSEPR? whether a discovery EPR is wanted alongside the token. All of
# this is a request: the issuer decides what it actually issues and should
# clamp @validUntil to its own maximum and @issueTo to parties it knows,
# rather than honour the client's values blindly. TODO(review): confirm the
# issuer-side handling in zxid does that. any* is accepted lax, i.e. not
# validated by this grammar.
TokenPolicy	 -> %sec:TokenPolicyType
%TokenPolicyType:
  sp:NameIDPolicy?
  any*  processContents(lax)
  @validUntil?	 -> %xs:dateTime
  @issueTo?	 -> %xs:anyURI
  @type?	 -> %xs:anyURI
  @wantDSEPR?    -> %xs:boolean
  ;

#   @any*

TransitedProvider	 -> %sec:TransitedProviderType
%TransitedProviderType:	 base(xs:anyURI)
  @timeStamp?	 -> %xs:dateTime
  @confirmationURI?	 -> %xs:anyURI
  ;

TransitedProviderPath	 -> %sec:TransitedProviderPathType
%TransitedProviderPathType:
  sec:TransitedProvider+
  ;

# Generic ID-WSF 2.0 security token container. Same four assertion
# flavours as b:TargetIdentity plus a lax any*, so the grammar cannot tell
# a valid token from arbitrary XML; validating whatever is inside
# (signature, issuer, validity, audience) is the consumer's job. @ref? is
# an anyURI (not an IDREF) and appears to point at a token carried
# elsewhere -- resolve and verify the referent rather than trusting the
# pointer; @usage? labels what the token is for; @id is the xs:ID a
# signature reference can target.
Token     -> %sec:TokenType
%TokenType:
  sa:Assertion?
  sa:EncryptedAssertion?
  sa11:Assertion?
  ff12:Assertion?
  any*  processContents(lax)
  @id?    -> %xs:ID
  @ref?   -> %xs:anyURI
  @usage? -> %xs:anyURI
  ;

#EOF

1.5.5 liberty-idwsf-disco-svc-v2.0 (di)

# zxid/sg/liberty-idwsf-disco-svc-v2.0.sg
# Slightly edited, 18.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-disco-svc-v2.0.sg,v 1.2 2009-09-05 02:23:41 sampo Exp $

target(di,  urn:liberty:disco:2006-08)
import(md,  urn:oasis:names:tc:SAML:2.0:metadata, saml-schema-metadata-2.0.xsd)
import(b,   urn:liberty:sb:2006-08, liberty-idwsf-soap-binding-v2.0.xsd)
import(sbf, urn:liberty:sb, liberty-idwsf-soap-binding.xsd)
import(a,   http://www.w3.org/2005/08/addressing, ws-addr-1.0.xsd)
import(lu,  urn:liberty:util:2006-08, liberty-idwsf-utility-v2.0.xsd)
import(sec, urn:liberty:security:2006-08, liberty-idwsf-security-mechanisms-v2.0.xsd)

Abstract	 -> %xs:string
ProviderID	 -> %xs:anyURI
ServiceType	 -> %xs:anyURI
Framework	 -> %sbf:FrameworkType
@NotOnOrAfter	 -> %xs:dateTime

SecurityContext:
  di:SecurityMechID+
  sec:Token*
  ;
SecurityMechID	 -> %xs:anyURI

Options	 -> %di:OptionsType
Option	 -> %xs:anyURI
%OptionsType:
  di:Option*
  ;

Address	 -> %xs:anyURI
Action	 -> %xs:anyURI

Keys	 -> %di:KeysType
%KeysType:
  md:KeyDescriptor+
  ;

SvcMD	 -> %di:SvcMetadataType
%SvcMetadataType:
  di:Abstract
  di:ProviderID
  di:ServiceContext+
  @svcMDID?	 -> %xs:string
  ;

ServiceContext	 -> %di:ServiceContextType
%ServiceContextType:
  di:ServiceType+
  di:Options*
  di:EndpointContext+
  ;

# Where and how to reach a service instance, as handed out by discovery:
# Address+ (endpoint URLs), sbf:Framework+ (SOAP binding framework
# versions), SecurityMechID+ (the security mechanisms the endpoint
# accepts) and optional Action*. A client will send user data and tokens
# to Address and choose its security mechanism from SecurityMechID, so an
# EndpointContext is only as trustworthy as the discovery response that
# delivered it: accept it only from an authenticated discovery service,
# and when several mechanisms are listed choose deliberately rather than
# taking the first one offered.
EndpointContext	 -> %di:EndpointContextType
%EndpointContextType:
  di:Address+
  sbf:Framework+
  di:SecurityMechID+
  di:Action*
  ;

SvcMDID	 -> %xs:string

Query	 -> %di:QueryType
%QueryType:
  di:RequestedService*	 -> %di:RequestedServiceType
  @any
  ;

%RequestedServiceType:
  di:ServiceType*
  di:ProviderID*
  di:Options*
  di:SecurityMechID*
  di:Framework*
  di:Action*
  any*  ns(##other)  processContents(lax)
  @reqID?	 -> %xs:string
  @resultsType?	 -> %xs:string
  ;

QueryResponse -> %di:QueryResponseType
%QueryResponseType:
  lu:Status
  a:EndpointReference*
  @any
  ;

SvcMDAssociationAdd -> %di:SvcMDAssociationAddType
%SvcMDAssociationAddType:
  di:SvcMDID+
  @any
  ;

SvcMDAssociationAddResponse -> %di:SvcMDAssociationAddResponseType
%SvcMDAssociationAddResponseType:
  lu:Status
  @any
  ;

SvcMDAssociationDelete -> %di:SvcMDAssociationDeleteType
%SvcMDAssociationDeleteType:
  di:SvcMDID+
  @any
  ;

SvcMDAssociationDeleteResponse -> %di:SvcMDAssociationDeleteResponseType
%SvcMDAssociationDeleteResponseType:
  lu:Status
  @any
  ;

SvcMDAssociationQuery -> %di:SvcMDAssociationQueryType
%SvcMDAssociationQueryType:
  di:SvcMDID*
  @any
  ;

SvcMDAssociationQueryResponse -> %di:SvcMDAssociationQueryResponseType
%SvcMDAssociationQueryResponseType:
  lu:Status
  di:SvcMDID*
  @any
  ;

SvcMDRegister -> %di:SvcMDRegisterType
%SvcMDRegisterType:
  di:SvcMD+
  @any
  ;

SvcMDRegisterResponse -> %di:SvcMDRegisterResponseType
%SvcMDRegisterResponseType:
  lu:Status
  di:SvcMDID*
  di:Keys*
  @any
  ;

SvcMDDelete -> %di:SvcMDDeleteType
%SvcMDDeleteType:
  di:SvcMDID+
  @any
  ;

SvcMDDeleteResponse -> %di:SvcMDDeleteResponseType
%SvcMDDeleteResponseType:
  lu:Status
  @any
  ;

SvcMDQuery -> %di:SvcMDQueryType
%SvcMDQueryType:
  di:SvcMDID*
  @any
  ;

SvcMDQueryResponse -> %di:SvcMDQueryResponseType
%SvcMDQueryResponseType:
  lu:Status
  di:SvcMD*
  @any
  ;

SvcMDReplace -> %di:SvcMDReplaceType
%SvcMDReplaceType:
  di:SvcMD+
  @any
  ;

SvcMDReplaceResponse -> %di:SvcMDReplaceResponseType
%SvcMDReplaceResponseType:
  lu:Status
  @any
  ;

#EOF

1.5.6 liberty-idwsf-interaction-svc-v2.0 (is)

# zxid/sg/liberty-idwsf-interaction-svc-v2.0.sg
# Slightly edited, 14.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-interaction-svc-v2.0.sg,v 1.3 2009-09-05 02:23:41 sampo Exp $

target(is, urn:liberty:is:2006-08)
import(lu, urn:liberty:util:2006-08,liberty-idwsf-utility-v2.0.xsd)
import(ds, http://www.w3.org/2000/09/xmldsig#, http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd)

InteractionRequest	 -> %is:InteractionRequestType
%InteractionRequestType:
  is:Inquiry+
  ds:KeyInfo?
  @id?	 -> %xs:ID
  @language?	 -> %xs:NMTOKENS
  @maxInteractTime?	 -> %xs:integer
  @signed?	 -> %xs:token
  ;

Inquiry	 -> %is:InquiryType
%InquiryType:
  is:Help?
  is:Select*
  is:Confirm* -> %is:InquiryElementType
  is:Text*
  @id?        -> %xs:ID
  @title?     -> %xs:string
  ;

Help	 -> %is:HelpType
%HelpType:
  @label?	 -> %xs:string
  @link?	 -> %xs:anyURI
  @moreLink?	 -> %xs:anyURI
  ;

Hint	 -> %xs:string

Select	 -> %is:SelectType
%SelectType:	 base(is:InquiryElementType)
  is:Item{2,unbounded}:
      is:Hint?
      @label?	 -> %xs:string
      @value	 -> %xs:NMTOKEN
      ;
  @multiple?	 -> %xs:boolean  default (false)
  ;

Text	 -> %is:TextType
%TextType:	 base(is:InquiryElementType)
  @minChars?	 -> %xs:integer
  @maxChars?	 -> %xs:integer
  @format?	 -> %xs:string
  ;

%InquiryElementType:
  is:Help?
  is:Hint?
  is:Label?	 -> %xs:normalizedString
  is:Value?	 -> %xs:normalizedString
  @name	 -> %xs:ID
  ;

InteractionResponse	 -> %is:InteractionResponseType
%InteractionResponseType:
  lu:Status
  is:InteractionStatement* -> %is:InteractionStatementType
  is:Parameter* -> %is:ParameterType
  ;

%InteractionStatementType:
  is:Inquiry+
  ds:Signature
  ;

%ParameterType:
  @name	 -> %xs:ID
  @value -> %xs:string
  ;

#EOF

1.5.7 id-dap (dap)

# id-dap.sg  --  Authoritative ID-DAP 1.0 Service Schema
# Author: Sampo Kellomaki (sampo@symlabs.com)
# http://www.w3.org/2001/03/webdata/xsv
# $Id: id-dap.sg,v 1.2 2007-06-19 15:17:04 sampo Exp $
# This schema reflects Liberty ID Directory Access Protocol,
# version 1.0-07 of 11.10.2006

target(dap,     urn:liberty:id-sis-dap:2006-08:dst-2.1)
import(dst,     urn:liberty:dst:2006-08,      liberty-idwsf-dst-v2.1.xsd)
import(subs,    urn:liberty:ssos:2006-08,     liberty-idwsf-subs-v1.0.xsd)
import(lu,      urn:liberty:util:2006-08,     liberty-idwsf-utility-v2.0.xsd)

Create         -> %dap:CreateType
CreateResponse -> %dap:CreateResponseType
Query          -> %dap:QueryType
QueryResponse  -> %dap:QueryResponseType
Modify         -> %dap:ModifyType
ModifyResponse -> %dap:ModifyResponseType
Delete         -> %dap:DeleteType
DeleteResponse -> %dap:DeleteResponseType
Notify         -> %dap:NotifyType
NotifyResponse -> %dap:NotifyResponseType

%SelectType:
    dap:dn?            -> %xs:string
    dap:filter?        -> %xs:string
    @scope?        -> %xs:integer  default(0)
    @sizelimit?    -> %xs:integer  default(0)
    @timelimit?    -> %xs:integer  default(0)
    @attributes?   -> %xs:string
    @typesonly?    -> %xs:boolean  default(false)
    @derefaliases? -> %xs:integer  default(0)
    ;

%TestOpType:      base(dap:SelectType) ;
%SortType:        base(xs:string) ;
%TriggerType:     base(xs:string) ;
%AggregationType: base(xs:string) ;

%AppDataType:
  dap:LDIF?
  dap:Subscription?
  ;

LDIF: base(xs:string)
  &@dst:localizedLeafAttributes
  ;

%CreateType:          base(dst:RequestType)
  dap:Subscription*
  dap:CreateItem+
  dap:ResultQuery*
  ;

CreateItem            -> %dap:CreateItemType
%CreateItemType:
  dap:NewData?
  &@dst:CreateItemAttributeGroup
  ;

NewData               -> %dap:AppDataType

%CreateResponseType:  base(dap:DataResponseType) ;
%DataResponseType:    base(dst:DataResponseBaseType)
  dap:ItemData*
  ;

%QueryType:      base(dst:RequestType)
  dap:TestItem*
  dap:QueryItem*
  dap:Subscription*
  ;

TestItem         -> %dap:TestItemType
%TestItemType:   base(dst:TestItemBaseType)
  dap:TestOp?    -> %dap:TestOpType
  ;

QueryItem        -> %dap:QueryItemType
%QueryItemType:  base(dap:ResultQueryType)
  &@dst:PaginationAttributeGroup
  ;

%QueryResponseType:  base(dst:DataResponseBaseType)
  dst:TestResult*
  dap:Data*
  ;

Data             -> %dap:DataType
%DataType:       base(dap:ItemDataType)
  &@dst:PaginationResponseAttributeGroup
  ;

%ModifyType:          base(dst:RequestType)
  dap:Subscription*
  dap:ModifyItem+
  dap:ResultQuery*
  ;

ModifyItem            -> %dap:ModifyItemType
%ModifyItemType:
  dap:Select?
  dap:NewData?
  &@dst:ModifyItemAttributeGroup
  ;

%ModifyResponseType:  base(dap:DataResponseType) ;

%DeleteType:          base(dst:RequestType)
  dap:DeleteItem+
  ;

DeleteItem            -> %dap:DeleteItemType
%DeleteItemType:      base(dst:DeleteItemBaseType)
  dap:Select?
  ;

%DeleteResponseType:  base(lu:ResponseType) ;

Select                -> %dap:SelectType

ResultQuery           -> %dap:ResultQueryType
%ResultQueryType:     base(dst:ResultQueryBaseType)
  dap:Select?
  dap:Sort?           -> %dap:SortType
  ;

ItemData              -> %dap:ItemDataType
%ItemDataType:        base(dap:AppDataType)
  &@dst:ItemDataAttributeGroup
  ;

Subscription          -> %dap:SubscriptionType
%SubscriptionType:    base(subs:SubscriptionType)
  dap:ResultQuery*
  dap:Aggregation?    -> %dap:AggregationType
  dap:Trigger?        -> %dap:TriggerType
  ;

%NotifyType:          base(dst:RequestType)
  dap:Notification*
  &@subs:NotifyAttributeGroup
  ;

Notification          -> %dap:NotificationType
%NotificationType:    base(subs:NotificationType)
  dap:ItemData*
  ;

%NotifyResponseType:  base(subs:NotifyResponseType) ;

#EOF

1.5.8 liberty-idwsf-subs-v1.0 (subs)

# zxid/sg/liberty-idwsf-subs-v1.0.sg
# Slightly edited, 1.3.2007, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-subs-v1.0.sg,v 1.2 2009-09-05 02:23:41 sampo Exp $

target(subs, urn:liberty:ssos:2006-08)
import(lu, urn:liberty:util:2006-08,liberty-idwsf-utility-v2.0.xsd)

%SubscriptionType:
  subs:RefItem*
  lu:Extension*
  @subscriptionID    -> %lu:IDType
  @notifyToRef       -> %xs:anyURI
  @adminNotifyToRef? -> %xs:anyURI
  @starts?           -> %xs:dateTime
  @expires?          -> %xs:dateTime
  @id?               -> %xs:ID
  @includeData?:     enum( Yes No YesWithCommonAttributes ) ;
  ;

RefItem	 -> %subs:RefItemType
%RefItemType:
  @subscriptionID?   -> %lu:IDType
  @lu:itemIDRef
  ;

&@NotifyAttributeGroup: 
  @timeStamp?        -> %xs:dateTime
  ;

%NotificationType:
  lu:TestResult*
  @id?               -> %xs:ID
  @subscriptionID    -> %lu:IDType
  @expires?          -> %xs:dateTime
  @endReason?        -> %xs:anyURI
  ;

%NotifyResponseType:	 base(lu:ResponseType) ;

#EOF

1.5.9 liberty-idwsf-dst-v2.1 (dst)

# zxid/sg/liberty-idwsf-dst-v2.1.sg
# Slightly edited, 1.3.2007, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-dst-v2.1.sg,v 1.2 2009-09-05 02:23:41 sampo Exp $

target(dst, urn:liberty:dst:2006-08)
import(lu, urn:liberty:util:2006-08, liberty-idwsf-utility-v2.0.xsd)
import(xml, http://www.w3.org/XML/1998/namespace, http://www.w3.org/2001/xml.xsd)

@id	 -> %lu:IDType
@modificationTime	 -> %xs:dateTime
&@commonAttributes: 
  @dst:id?
  @dst:modificationTime?
  ;
@ACC	 -> %xs:anyURI
@ACCTime	 -> %xs:dateTime
@modifier	 -> %xs:string

&@leafAttributes: 
  &@dst:commonAttributes
  @dst:ACC?
  @dst:ACCTime?
  @dst:modifier?
  ;

@script	 -> %xs:anyURI

&@localizedLeafAttributes: 
  &@dst:leafAttributes
  @xml:lang
  @dst:script?
  ;

@refreshOnOrAfter	 -> %xs:dateTime
@destroyOnOrAfter	 -> %xs:dateTime

%DSTLocalizedString:	 base(xs:string)
  &@dst:localizedLeafAttributes
  ;

%DSTString:	 base(xs:string)
  &@dst:leafAttributes
  ;

%DSTInteger:	 base(xs:integer)
  &@dst:leafAttributes
  ;

%DSTURI:	 base(xs:anyURI)
  &@dst:leafAttributes
  ;

%DSTDate:	 base(xs:date)
  &@dst:leafAttributes
  ;

%DSTMonthDay:	 base(xs:gMonthDay)
  &@dst:leafAttributes
  ;

@itemID    -> %lu:IDType
@itemIDRef -> %lu:IDReferenceType

%RequestType:
  lu:Extension*
  @dst:itemID?
  @any
  ;

%ResponseType:
  lu:Status
  lu:Extension*
  @dst:itemIDRef?
  @any
  ;

%DataResponseBaseType:	 base(dst:ResponseType)
  @timeStamp?	 -> %xs:dateTime
  ;

ChangeFormat:	 enum( ChangedElements CurrentElements ) ;
@changeFormat:	 enum( ChangedElements CurrentElements All ) ;
@objectType	 -> %xs:NCName
@predefined	 -> %xs:string

&@selectQualif: 
  @dst:objectType?
  @dst:predefined?
  ;

%ResultQueryBaseType:
  dst:ChangeFormat{0,2}
  &@dst:selectQualif
  @dst:itemIDRef?
  @contingency?	 -> %xs:boolean
  @includeCommonAttributes?	 -> %xs:boolean  default (0)
  @changedSince?	 -> %xs:dateTime
  @dst:itemID?
  ;

&@ItemDataAttributeGroup: 
  @dst:itemIDRef?
  @notSorted?:	 enum( Now Never ) ;
  @dst:changeFormat?
  ;

%TestItemBaseType:
  &@dst:selectQualif
  @id? -> %xs:ID
  @dst:itemID?
  ;

TestResult        -> %dst:TestResultType
%TestResultType:  base(xs:boolean)
  @dst:itemIDRef
  ;

&@PaginationAttributeGroup: 
  @count?	 -> %xs:nonNegativeInteger
  @offset?	 -> %xs:nonNegativeInteger  default (0)
  @setID?	 -> %lu:IDType
  @setReq?:	 enum( Static DeleteSet ) ;
  ;

&@PaginationResponseAttributeGroup: 
  @remaining?	 -> %xs:integer
  @nextOffset?	 -> %xs:nonNegativeInteger  default (0)
  @setID?	 -> %lu:IDType
  ;

&@CreateItemAttributeGroup: 
  @dst:objectType?
  @id?	 -> %xs:ID
  @dst:itemID?
  ;

&@ModifyItemAttributeGroup: 
  &@dst:selectQualif
  @notChangedSince?	 -> %xs:dateTime
  @overrideAllowed?	 -> %xs:boolean  default (0)
  @id?	 -> %xs:ID
  @dst:itemID?
  ;

%DeleteItemBaseType:
  &@dst:selectQualif
  @notChangedSince?	 -> %xs:dateTime
  @id?	 -> %xs:ID
  @dst:itemID?
  ;
%DeleteResponseType:	 base(dst:ResponseType) ;

#EOF

1.5.10 liberty-idwsf-idmapping-svc-v2.0 (im)

# zxid/sg/liberty-idwsf-idmapping-svc-v2.0.sg
# Slightly edited, 1.3.2007, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-idmapping-svc-v2.0.sg,v 1.2 2009-03-27 18:40:46 sampo Exp $

target(im, urn:liberty:ims:2006-08)
import(sec, urn:liberty:security:2006-08, liberty-idwsf-security-mechanisms-v2.0.xsd)
import(lu, urn:liberty:util:2006-08, liberty-idwsf-utility-v2.0.xsd)

MappingInput -> %im:MappingInputType
%MappingInputType:
  sec:TokenPolicy?
  sec:Token?
  @reqID? -> %lu:IDType
  ;

MappingOutput -> %im:MappingOutputType
%MappingOutputType:
  sec:Token
  @reqRef? -> %lu:IDReferenceType
  ;

IdentityMappingRequest -> %im:IdentityMappingRequestType
%IdentityMappingRequestType:
  im:MappingInput+
  @any
  ;

IdentityMappingResponse -> %im:IdentityMappingResponseType
%IdentityMappingResponseType:
  lu:Status
  im:MappingOutput*
  @any
  ;

#EOF

1.5.11 liberty-idwsf-people-service-v1.0 (ps)

# zxid/sg/liberty-idwsf-people-service-v1.0.sg
# Slightly edited, 1.3.2007, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-people-service-v1.0.sg,v 1.2 2009-09-05 02:23:41 sampo Exp $

target(ps, urn:liberty:ps:2006-08)
import(lu,   urn:liberty:util:2006-08,liberty-idwsf-utility-v2.0.xsd)
import(im,   urn:liberty:ims:2006-08,liberty-idwsf-idmapping-svc-v2.0.xsd)
import(subs, urn:liberty:ssos:2006-08,liberty-idwsf-subs-v1.0.xsd)
import(sec,  urn:liberty:security:2006-08,liberty-idwsf-security-mechanisms-v2.0.xsd)
#import(sp,  urn:oasis:names:tc:SAML:2.0:protocol,saml-schema-protocol-2.0.xsd)

%LocalizedDisplayNameType: base(xs:string)
  @Locale      -> %xs:language
  @IsDefault?  -> %xs:boolean
  ;

%TagType: base(xs:string)
  @Ref    -> %xs:anyURI
  ;

ObjectID -> %ps:ObjectIDType
TargetObjectID -> %ps:ObjectIDType
%ObjectIDType: base(xs:anyURI) ;

Object	 -> %ps:ObjectType
%ObjectType:
  ps:ObjectID?
  ps:DisplayName+     -> %ps:LocalizedDisplayNameType
  ps:Tag?             -> %ps:TagType
  ps:Object*
  ps:ObjectRef*	      -> %ps:ObjectIDType
  @NodeType           -> %xs:anyURI
  @CreatedDateTime?   -> %xs:dateTime
  @ModifiedDateTime?  -> %xs:dateTime
  ;

PStoSPRedirectURL -> %ps:PStoSPRedirectURLType
%PStoSPRedirectURLType:	base(xs:anyURI) ;

SPtoPSRedirectURL -> %ps:SPtoPSRedirectURLType
%SPtoPSRedirectURLType: base(xs:anyURI) ;

QueryString -> %ps:QueryStringType
%QueryStringType: base(xs:string) ;

CreatePSObject: ;

%RequestAbstractType:
  @id        -> %xs:ID
  ;

%ResponseAbstractType:
  lu:Status
  @id        -> %xs:ID
  @TimeStamp -> %xs:dateTime
  ;

AddEntityRequest       -> %ps:AddEntityRequestType
%AddEntityRequestType: base(ps:RequestAbstractType)
  ps:Object
  ps:PStoSPRedirectURL?
  ps:CreatePSObject?
  ps:Subscription?
  sec:TokenPolicy?
  ;

AddEntityResponse       -> %ps:AddEntityResponseType
%AddEntityResponseType: base(ps:ResponseAbstractType)
  ps:Object?
  ps:SPtoPSRedirectURL?
  ps:QueryString?
  ;

AddKnownEntityRequest       -> %ps:AddKnownEntityRequestType
%AddKnownEntityRequestType: base(ps:RequestAbstractType)
  ps:Object
  sec:Token
  ps:CreatePSObject?
  ps:Subscription?
  sec:TokenPolicy?
  ;

AddKnownEntityResponse       -> %ps:AddKnownEntityResponseType
%AddKnownEntityResponseType: base(ps:ResponseAbstractType)
  ps:Object?
  ps:SPtoPSRedirectURL?
  ps:QueryString?
  ;

AddCollectionRequest       -> %ps:AddCollectionRequestType
%AddCollectionRequestType: base(ps:RequestAbstractType)
  ps:Object
  ps:Subscription?
  ;

AddCollectionResponse       -> %ps:AddCollectionResponseType
%AddCollectionResponseType: base(ps:ResponseAbstractType)
  ps:Object?
  ;

AddToCollectionRequest       -> %ps:AddToCollectionRequestType
%AddToCollectionRequestType: base(ps:RequestAbstractType)
  ps:TargetObjectID
  ps:ObjectID+
  ps:Subscription?
  ;

AddToCollectionResponse -> %ps:ResponseAbstractType

RemoveEntityRequest       -> %ps:RemoveEntityRequestType
%RemoveEntityRequestType: base(ps:RequestAbstractType)
  ps:TargetObjectID+
  ;

RemoveEntityResponse -> %ps:ResponseAbstractType

RemoveCollectionRequest -> %ps:RemoveCollectionRequestType
%RemoveCollectionRequestType: base(ps:RequestAbstractType)
  ps:TargetObjectID+
  ;

RemoveCollectionResponse -> %ps:ResponseAbstractType

RemoveFromCollectionRequest       -> %ps:RemoveFromCollectionRequestType
%RemoveFromCollectionRequestType: base(ps:RequestAbstractType)
  ps:TargetObjectID
  ps:ObjectID+
  ps:Subscription?
  ;

RemoveFromCollectionResponse -> %ps:ResponseAbstractType

ListMembersRequest        -> %ps:ListMembersRequestType
%ListMembersRequestType: base(ps:RequestAbstractType)
  ps:TargetObjectID?
  ps:Subscription?
  @Structured?	 -> %xs:anyURI
  @Count?	 -> %xs:nonNegativeInteger
  @Offset?	 -> %xs:nonNegativeInteger  default (0)
  ;

ListMembersResponse       -> %ps:ListMembersResponseType
%ListMembersResponseType: base(ps:ResponseAbstractType)
  ps:Object*
  ;

QueryObjectsRequest -> %ps:QueryObjectsRequestType
%QueryObjectsRequestType: base(ps:RequestAbstractType)
  ps:Filter	 -> %xs:string
  ps:Subscription?
  @Count?	 -> %xs:nonNegativeInteger
  @Offset?	 -> %xs:nonNegativeInteger  default (0)
  ;

QueryObjectsResponse -> %ps:QueryObjectsResponseType
%QueryObjectsResponseType: base(ps:ResponseAbstractType)
  ps:Object*
  ;

GetObjectInfoRequest -> %ps:GetObjectInfoRequestType
%GetObjectInfoRequestType: base(ps:RequestAbstractType)
  ps:TargetObjectID?
  ps:Subscription?
  ;

GetObjectInfoResponse -> %ps:GetObjectInfoResponseType
%GetObjectInfoResponseType: base(ps:ResponseAbstractType)
  ps:Object?
  ;

SetObjectInfoRequest -> %ps:SetObjectInfoRequestType
%SetObjectInfoRequestType: base(ps:RequestAbstractType)
  ps:Object+
  ps:Subscription?
  ;

SetObjectInfoResponse -> %ps:ResponseAbstractType

TestMembershipRequest -> %ps:TestMembershipRequestType
%TestMembershipRequestType: base(ps:RequestAbstractType)
  ps:TargetObjectID?
  sec:Token
  ps:Subscription?
  ;

%ResultType: base(xs:boolean) ;

TestMembershipResponse -> %ps:TestMembershipResponseType
%TestMembershipResponseType: base(ps:ResponseAbstractType)
    ps:Result? -> %ps:ResultType
  ;

ResolveIdentifierRequest -> %ps:ResolveIdentifierRequestType
%ResolveIdentifierRequestType: base(ps:RequestAbstractType)
  ps:ResolveInput+
  ;

ResolveInput -> %ps:ResolveInputType
%ResolveInputType: base(im:MappingInputType)
  ps:TargetObjectID?
  ;

ResolveIdentifierResponse -> %ps:ResolveIdentifierResponseType
%ResolveIdentifierResponseType: base(ps:ResponseAbstractType)
  ps:ResolveOutput+
  ;

ResolveOutput -> %im:MappingOutputType

Subscription -> %subs:SubscriptionType

Notification -> %ps:NotificationType
%NotificationType: base(subs:NotificationType)
  ps:ItemData*
  ;

ItemData -> %ps:ItemDataType
%ItemDataType:
  ps:Object
  ;

Notify	 -> %ps:NotifyType
%NotifyType: base(ps:RequestAbstractType)
  ps:Notification*
  &@subs:NotifyAttributeGroup
  ;
NotifyResponse	 -> %subs:NotifyResponseType

#EOF

1.5.12 liberty-idwsf-authn-svc-v2.0 (as)

# zxid/sg/liberty-idwsf-authn-svc-v2.0.sg
# Slightly edited, 1.3.2007, Sampo Kellomaki (sampo@iki.fi)
# $Id: liberty-idwsf-authn-svc-v2.0.sg,v 1.2 2009-09-05 02:23:41 sampo Exp $

target(as,  urn:liberty:sa:2006-08)
import(a,   http://www.w3.org/2005/08/addressing,ws-addr-1.0.xsd)
import(sp,  urn:oasis:names:tc:SAML:2.0:protocol, saml-schema-protocol-2.0.xsd)
import(lu,  urn:liberty:util:2006-08, liberty-idwsf-utility-v2.0.xsd)

SASLRequest:
  as:Data?
  sp:RequestedAuthnContext?
  as:Extensions?:
    any+  ns(##other)  processContents(lax)
    ;
  @mechanism        -> %xs:string
  @authzID?         -> %xs:string
  @advisoryAuthnID? -> %xs:string
  @any
  ;

SASLResponse:
  lu:Status
  as:PasswordTransforms?
  as:Data?
  a:EndpointReference*
  @serverMechanism? -> %xs:string
  @any
  ;

Data: base(xs:base64Binary) ;

PasswordTransforms:
  as:Transform+:
    as:Parameter*: base(xs:string)
      @name -> %xs:string
      ;
    @name -> %xs:anyURI
    @any
    ;
  ;

#EOF

1.6 SOAP 1.1 Processors

1.6.1 wsf-soap11 (e)

# zxid/sg/wsf-soap11.sg
# $Id: wsf-soap11.sg,v 1.15 2010-01-08 02:10:09 sampo Exp $
# Heavily edited, 27.5.2006, Sampo Kellomaki (sampo@iki.fi)
# 26.2.2007, merged saml20-soap11.sg and di-soap11.sg into a single
#            SOAP processor. --Sampo
# 3.3.2007, added XACML support --Sampo
# 22.11.2009, added TAS3 support --Sampo
#
# Mega SOAP processor for Web Services and SSO Frameworks
#
# The main purpose of this schema is to permit direct, one-pass parsing of
# SAML and WSF content inside a SOAP envelope. To that end, the relevant SOAP
# extension points have been replaced with the actual SAML and WSF elements.
#
# When you add new SOAP messages, you need to add them here, to the Body
# definition below. See also zxid/c/zx-e-data.h, which is generated from this file.

target(e, http://schemas.xmlsoap.org/soap/envelope/)
ns(xs,    http://www.w3.org/2001/XMLSchema)
ns(a,     http://www.w3.org/2005/08/addressing)
ns(sbf,   urn:liberty:sb)
ns(b,     urn:liberty:sb:2006-08)
ns(b12,   urn:liberty:sb:2003-08)
ns(di,    urn:liberty:disco:2006-08)
ns(di12,  urn:liberty:disco:2003-08)
ns(lu,    urn:liberty:util:2006-08)
ns(dap,   urn:liberty:id-sis-dap:2006-08:dst-2.1)
ns(ps,    urn:liberty:ps:2006-08)
ns(im,    urn:liberty:ims:2006-08)
ns(as,    urn:liberty:sa:2006-08)
ns(wsse,  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd)
ns(xasp,  urn:oasis:xacml:2.0:saml:protocol:schema:os)
ns(xaspcd1, urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01)
ns(mm7,   http://www.3gpp.org/ftp/Specs/archive/23_series/23.140/schema/REL-6-MM7-1-4)
ns(cb,    urn:liberty:id-sis-cb:2004-10)
ns(gl,    urn:liberty:id-sis-gl:2005-07)
ns(dp,    urn:liberty:dp:2006-12)
ns(pmm,   urn:liberty:pmm:2006-12)
ns(prov,  urn:liberty:prov:2006-12)
ns(shps,  urn:liberty:shps:2006-12)
ns(idp,   urn:liberty:idp:2006-12)
ns(idhrxml, urn:id-sis-idhrxml:2007-06:dst-2.1)
ns(demomed, urn:x-demo:me:2006-01)
ns(tas3,  http://tas3.eu/tas3/200911/)

Envelope -> %e:Envelope
%Envelope:
  e:Header?
  e:Body
  @id? -> %xs:ID
  any*
  @any?
  ;

Header -> %e:Header
%Header:
  paos:Request?
  paos:Response?
  ecp:Request?
  ecp:Response?
  ecp:RelayState?
  sbf:Framework?
  b:Sender?
  a:MessageID?
  wsse:Security?
  tas3:Status?
  a:RelatesTo?
  a:ReplyTo?
  a:From?
  a:FaultTo?
  a:To?
  a:Action?
  a:ReferenceParameters?
  b:Framework?
  b:TargetIdentity?
  b:CredentialsContext?
  b:EndpointUpdate?
  b:Timeout?
  b:ProcessingContext?
  b:Consent?
  b:UsageDirective?
  b:ApplicationEPR?
  b:UserInteraction?
  b:RedirectRequest?
  b12:Correlation?
  b12:Provider?
  b12:ProcessingContext?
  b12:Consent?
  b12:UsageDirective?
  mm7:TransactionID?
  tas3:Credentials?
  tas3:ESLPolicies?
  @id? -> %xs:ID
  any*
  @any?
  ;

Body -> %e:Body
%Body:
  sp:ArtifactResolve?
  sp:ArtifactResponse?
  sp:ManageNameIDRequest?
  sp:ManageNameIDResponse?
  sp:LogoutRequest?
  sp:LogoutResponse?
  sp:NameIDMappingRequest?
  sp:NameIDMappingResponse?
  sp:AttributeQuery?
  sp:AuthnQuery?
  sp:AuthzDecisionQuery?
  sp:AssertionIDRequest?
  sp:Response?
  sp:AuthnRequest?
  sp11:Request?
  sp11:Response?
  ff12:RegisterNameIdentifierRequest?
  ff12:RegisterNameIdentifierResponse?
  ff12:FederationTerminationNotification?
  ff12:LogoutRequest?
  ff12:LogoutResponse?
  ff12:NameIdentifierMappingRequest?
  ff12:NameIdentifierMappingResponse?
  xasp:XACMLAuthzDecisionQuery?
  xasp:XACMLPolicyQuery?
  xaspcd1:XACMLAuthzDecisionQuery?
  xaspcd1:XACMLPolicyQuery?
  xac:Request?
  xac:Response?
  di:Query?
  di:QueryResponse?
  di12:Query?
  di12:QueryResponse?
  di12:Modify?
  di12:ModifyResponse?
  e:Fault?
  di:SvcMDAssociationAdd?
  di:SvcMDAssociationAddResponse?
  di:SvcMDAssociationDelete?
  di:SvcMDAssociationDeleteResponse?
  di:SvcMDAssociationQuery?
  di:SvcMDAssociationQueryResponse?
  di:SvcMDRegister?
  di:SvcMDRegisterResponse?
  di:SvcMDDelete?
  di:SvcMDDeleteResponse?
  di:SvcMDQuery?
  di:SvcMDQueryResponse?
  di:SvcMDReplace?
  di:SvcMDReplaceResponse?
  dap:Create?
  dap:CreateResponse?
  dap:Query?
  dap:QueryResponse?
  dap:Modify?
  dap:ModifyResponse?
  dap:Delete?
  dap:DeleteResponse?
  dap:Notify?
  dap:NotifyResponse?
  ps:AddEntityRequest?
  ps:AddEntityResponse?
  ps:AddKnownEntityRequest?
  ps:AddKnownEntityResponse?
  ps:AddCollectionRequest?
  ps:AddCollectionResponse?
  ps:AddToCollectionRequest?
  ps:AddToCollectionResponse?
  ps:RemoveEntityRequest?
  ps:RemoveEntityResponse?
  ps:RemoveCollectionRequest?
  ps:RemoveCollectionResponse?
  ps:RemoveFromCollectionRequest?
  ps:RemoveFromCollectionResponse?
  ps:ListMembersRequest?
  ps:ListMembersResponse?
  ps:QueryObjectsRequest?
  ps:QueryObjectsResponse?
  ps:GetObjectInfoRequest?
  ps:GetObjectInfoResponse?
  ps:SetObjectInfoRequest?
  ps:SetObjectInfoResponse?
  ps:TestMembershipRequest?
  ps:TestMembershipResponse?
  ps:ResolveIdentifierRequest?
  ps:ResolveIdentifierResponse?
  ps:Notify?
  ps:NotifyResponse?
  im:IdentityMappingRequest?
  im:IdentityMappingResponse?
  as:SASLRequest?
  as:SASLResponse?
  mm7:SubmitReq?
  mm7:SubmitRsp?
  mm7:DeliverReq?
  mm7:DeliverRsp?
  mm7:CancelReq?
  mm7:CancelRsp?
  mm7:ReplaceReq?
  mm7:ReplaceRsp?
  mm7:extendedCancelReq?
  mm7:extendedCancelRsp?
  mm7:extendedReplaceReq?
  mm7:extendedReplaceRsp?
  mm7:DeliveryReportReq?
  mm7:DeliveryReportRsp?
  mm7:ReadReplyReq?
  mm7:ReadReplyRsp?
  mm7:RSErrorRsp?
  mm7:VASPErrorRsp?
  mm7:QueryStatusReq?
  mm7:QueryStatusRsp?
  cb:Query?
  cb:QueryResponse?
  cb:Create?
  cb:CreateResponse?
  cb:Delete?
  cb:DeleteResponse?
  cb:Modify?
  cb:ModifyResponse?
  cb:Notify?
  cb:NotifyResponse?
  cb:ReportUsage?
  cb:ReportUsageResponse?
  gl:Query?
  gl:QueryResponse?
  gl:Create?
  gl:CreateResponse?
  gl:Delete?
  gl:DeleteResponse?
  gl:Modify?
  gl:ModifyResponse?
  gl:Notify?
  gl:NotifyResponse?
  demomed:StoreObjectRequest?
  demomed:StoreObjectResponse?
  demomed:GetObjectListRequest?
  demomed:GetObjectListResponse?
  demomed:GetObjectRequest?
  demomed:GetObjectResponse?
  demomed:DeleteObjectRequest?
  demomed:DeleteObjectResponse?
  pmm:Provision?
  pmm:ProvisionResponse?
  pmm:PMActivate?
  pmm:PMActivateResponse?
  pmm:PMDeactivate?
  pmm:PMDeactivateResponse?
  pmm:PMDelete?
  pmm:PMDeleteResponse?
  pmm:PMUpdate?
  pmm:PMUpdateResponse?
  pmm:PMGetStatus?
  pmm:PMGetStatusResponse?
  pmm:PMSetStatus?
  pmm:PMSetStatusResponse?
  prov:PMERegister?
  prov:PMERegisterResponse?
  prov:PMEUpload?
  prov:PMEUploadResponse?
  prov:PMEDownload?
  prov:PMEDownloadResponse?
  prov:PMEEnable?
  prov:PMEEnableResponse?
  prov:PMEDisable?
  prov:PMEDisableResponse?
  prov:PMEDelete?
  prov:PMEDeleteResponse?
  prov:PMEGetInfo?
  prov:PMEGetInfoResponse?
  prov:PMGetStatus?
  prov:PMGetStatusResponse?
  prov:PMSetStatus?
  prov:PMSetStatusResponse?
  prov:PMGetDescriptor?
  prov:PMGetDescriptorResponse?
  prov:PMActivate?
  prov:PMActivateResponse?
  prov:PMDeactivate?
  prov:PMDeactivateResponse?
  prov:PMRegisterDescriptor?
  prov:PMRegisterDescriptorResponse?
  prov:PMUpdate?
  prov:PMUpdateResponse?
  prov:PMDelete?
  prov:PMDeleteResponse?
  prov:Poll?
  prov:PollResponse?
  prov:UpdateEPR?
  prov:UpdateEPRResponse?
  idp:GetAssertion?
  idp:GetAssertionResponse?
  idp:GetProviderInfo?
  idp:GetProviderInfoResponse?
  idp:CreatedStatus?
  idp:CreatedStatusResponse?
  shps:Delete?
  shps:DeleteResponse?
  shps:GetStatus?
  shps:GetStatusResponse?
  shps:Query?
  shps:QueryResponse?
  shps:Invoke?
  shps:InvokeResponse?
  shps:QueryRegistered?
  shps:QueryRegisteredResponse?
  shps:Register?
  shps:RegisterResponse?
  shps:SetStatus?
  shps:SetStatusResponse?
  shps:Update?
  shps:UpdateResponse?
  shps:Poll?
  shps:PollResponse?
  shps:ProxyInvoke?
  shps:ProxyInvokeResponse?
  idhrxml:Create?
  idhrxml:CreateResponse?
  idhrxml:Query?
  idhrxml:QueryResponse?
  idhrxml:Modify?
  idhrxml:ModifyResponse?
  idhrxml:Delete?
  idhrxml:DeleteResponse?
  idhrxml:Notify?
  idhrxml:NotifyResponse?
  @id? -> %xs:ID
  ;

@mustUnderstand -> %xs:boolean
@actor          -> %xs:anyURI
@encodingStyle  -> %xs:anyURI
&@encodingStyle: 
  @e:encodingStyle?
  ;

Fault	 -> %e:Fault
%Fault:
  e:faultcode   -> %xs:QName
  e:faultstring -> %xs:string
  e:faultactor? -> %xs:anyURI
  e:detail?     -> %e:detail
  ;

%detail:
  lu:Status*
  any*
  @any
  ;

#EOF

1.7 XML and Web Services Infrastructure

1.7.1 xmldsig-core (ds)

# xmldsig-core.sg  --  Slightly edited after generation
# $Id: xmldsig-core.sg,v 1.3 2007-09-24 02:34:34 sampo Exp $

target(ds, http://www.w3.org/2000/09/xmldsig#)
ns(xs, http://www.w3.org/2001/XMLSchema)
ns(exca, http://www.w3.org/2001/10/xml-exc-c14n#)
ns(xenc, http://www.w3.org/2001/04/xmlenc#)

%CryptoBinary:	 base(xs:base64Binary) ;

Signature	 -> %ds:SignatureType
%SignatureType:
  ds:SignedInfo
  ds:SignatureValue
  ds:KeyInfo?
  ds:Object*
  @Id?	 -> %xs:ID
  ;

SignatureValue	 -> %ds:SignatureValueType
%SignatureValueType:	 base(xs:base64Binary)
  @Id?	 -> %xs:ID
  ;

SignedInfo	 -> %ds:SignedInfoType
%SignedInfoType:
  ds:CanonicalizationMethod
  ds:SignatureMethod
  ds:Reference+
  @Id?	 -> %xs:ID
  ;

CanonicalizationMethod	 -> %ds:CanonicalizationMethodType
%CanonicalizationMethodType:
  any*
  @Algorithm	 -> %xs:anyURI
  ;

SignatureMethod	 -> %ds:SignatureMethodType
%SignatureMethodType:
  ds:HMACOutputLength?	 -> %ds:HMACOutputLengthType
  any*
  @Algorithm	 -> %xs:anyURI
  ;

Reference	 -> %ds:ReferenceType
%ReferenceType:
  ds:Transforms?
  ds:DigestMethod
  ds:DigestValue
  @Id?	 -> %xs:ID
  @URI?	 -> %xs:anyURI
  @Type?	 -> %xs:anyURI
  ;

Transforms	 -> %ds:TransformsType
%TransformsType:
  ds:Transform+
  ;

Transform	 -> %ds:TransformType
%TransformType:
  ds:XPath*	 -> %xs:string
  exca:InclusiveNamespaces?
  any*
  @Algorithm	 -> %xs:anyURI
  ;

DigestMethod	 -> %ds:DigestMethodType
%DigestMethodType:
  any*
  @Algorithm	 -> %xs:anyURI
  ;

DigestValue	 -> %ds:DigestValueType
%DigestValueType:	 base(xs:base64Binary) ;

KeyInfo	 -> %ds:KeyInfoType
%KeyInfoType:
  ds:KeyName*
  ds:KeyValue*
  ds:RetrievalMethod*
  ds:X509Data*
  ds:PGPData*
  ds:SPKIData*
  ds:MgmtData*
  xenc:EncryptedKey*
  any*
  @Id?	 -> %xs:ID
  ;

KeyName	 -> %xs:string

MgmtData	 -> %xs:string

KeyValue	 -> %ds:KeyValueType
%KeyValueType:
  ds:DSAKeyValue?
  ds:RSAKeyValue?
  any?
  ;

RetrievalMethod	 -> %ds:RetrievalMethodType
%RetrievalMethodType:
  ds:Transforms?
  @URI?	 -> %xs:anyURI
  @Type?	 -> %xs:anyURI
  ;

X509Data	 -> %ds:X509DataType
%X509DataType:
       ds:X509IssuerSerial*	 -> %ds:X509IssuerSerialType
       ds:X509SKI*	 -> %xs:base64Binary
       ds:X509SubjectName*	 -> %xs:string
       ds:X509Certificate*	 -> %xs:base64Binary
       ds:X509CRL*	 -> %xs:base64Binary
       any*
       ;

%X509IssuerSerialType:
  ds:X509IssuerName	 -> %xs:string
  ds:X509SerialNumber	 -> %xs:integer
  ;

PGPData	 -> %ds:PGPDataType
%PGPDataType:
  ds:PGPKeyID?	 -> %xs:base64Binary
  ds:PGPKeyPacket?	 -> %xs:base64Binary
  any*
  ;

SPKIData	 -> %ds:SPKIDataType
%SPKIDataType:
  ds:SPKISexp	 -> %xs:base64Binary
  any?
  ;

Object	 -> %ds:ObjectType
%ObjectType:
  any*  processContents(lax)
  @Id?	 -> %xs:ID
  @MimeType?	 -> %xs:string
  @Encoding?	 -> %xs:anyURI
  ;

Manifest	 -> %ds:ManifestType
%ManifestType:
  ds:Reference+
  @Id?	 -> %xs:ID
  ;

SignatureProperties	 -> %ds:SignaturePropertiesType
%SignaturePropertiesType:
  ds:SignatureProperty+
  @Id?	 -> %xs:ID
  ;

SignatureProperty	 -> %ds:SignaturePropertyType
%SignaturePropertyType:
  any+
  @Target	 -> %xs:anyURI
  @Id?	 -> %xs:ID
  ;

%HMACOutputLengthType:	 base(xs:integer) ;

DSAKeyValue	 -> %ds:DSAKeyValueType
%DSAKeyValueType:
  ds:P?	 -> %ds:CryptoBinary
  ds:Q?	 -> %ds:CryptoBinary
  ds:G?	 -> %ds:CryptoBinary
  ds:Y	 -> %ds:CryptoBinary
  ds:J?	 -> %ds:CryptoBinary
  ds:Seed?	 -> %ds:CryptoBinary
  ds:PgenCounter?	 -> %ds:CryptoBinary
  ;

RSAKeyValue	 -> %ds:RSAKeyValueType
%RSAKeyValueType:
  ds:Modulus	 -> %ds:CryptoBinary
  ds:Exponent	 -> %ds:CryptoBinary
  ;

#EOF

1.7.2 xenc-schema (xenc)

# xenc-schema.sg  --  Slightly edited after generation
# $Id: xenc-schema.sg,v 1.2 2007-09-24 02:34:34 sampo Exp $

target(xenc,http://www.w3.org/2001/04/xmlenc#)
ns(xs,http://www.w3.org/2001/XMLSchema)
import(ds,http://www.w3.org/2000/09/xmldsig#,http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd)

%EncryptedType:
  xenc:EncryptionMethod?	 -> %xenc:EncryptionMethodType
  ds:KeyInfo?
  xenc:CipherData
  xenc:EncryptionProperties?
  @Id?	 -> %xs:ID
  @Type?	 -> %xs:anyURI
  @MimeType?	 -> %xs:string
  @Encoding?	 -> %xs:anyURI
  ;

%EncryptionMethodType:
  xenc:KeySize?	 -> %xenc:KeySizeType
  xenc:OAEPparams?	 -> %xs:base64Binary
  any*
  @Algorithm	 -> %xs:anyURI
  ;

%KeySizeType:	 base(xs:integer) ;

CipherData	 -> %xenc:CipherDataType
%CipherDataType:
     xenc:CipherValue?	 -> %xs:base64Binary
     xenc:CipherReference?
     ;

CipherReference	 -> %xenc:CipherReferenceType
%CipherReferenceType:
  xenc:Transforms?	 -> %xenc:TransformsType
  @URI	 -> %xs:anyURI
  ;

%TransformsType:
  ds:Transform+
  ;

EncryptedData	 -> %xenc:EncryptedDataType
%EncryptedDataType:	 base(xenc:EncryptedType) ;

EncryptedKey	 -> %xenc:EncryptedKeyType
%EncryptedKeyType:	 base(xenc:EncryptedType)
    xenc:ReferenceList?
    xenc:CarriedKeyName?	 -> %xs:string
  @Recipient?	 -> %xs:string
  ;

AgreementMethod	 -> %xenc:AgreementMethodType
%AgreementMethodType:
  xenc:KA-Nonce?	 -> %xs:base64Binary
  any*
  xenc:OriginatorKeyInfo?	 -> %ds:KeyInfoType
  xenc:RecipientKeyInfo?	 -> %ds:KeyInfoType
  @Algorithm	 -> %xs:anyURI
  ;

ReferenceList:
  xenc:DataReference?	 -> %xenc:ReferenceType
  xenc:KeyReference?	 -> %xenc:ReferenceType
  ;

%ReferenceType:
  any*
  @URI	 -> %xs:anyURI
  ;

EncryptionProperties	 -> %xenc:EncryptionPropertiesType
%EncryptionPropertiesType:
  xenc:EncryptionProperty+
  @Id?	 -> %xs:ID
  ;

EncryptionProperty	 -> %xenc:EncryptionPropertyType
%EncryptionPropertyType:
  any*
  @Target?	 -> %xs:anyURI
  @Id?	 -> %xs:ID
  @any?
  ;

#EOF

1.7.3 ws-addr-1.0 (a)

# zxid/sg/ws-addr-1.0.sg
# Slightly edited, 5.9.2006, Sampo Kellomaki (sampo@iki.fi)
# 6.2.2007, Added Discovery specifics to the Metadata --Sampo
# 7.12.2013, added rankKey extension to EPR MD to facilitate sorting di results --Sampo
# $Id: ws-addr-1.0.sg,v 1.9 2007-09-30 05:10:03 sampo Exp $

target(a, http://www.w3.org/2005/08/addressing)
#t arget(a, http://schemas.xmlsoap.org/ws/2004/08/addressing)  # used by WS Federation?
import(di,  urn:liberty:disco:2006-08, liberty-idwsf-disco-svc-v2.0.xsd)
import(e,   http://schemas.xmlsoap.org/soap/envelope/)
import(wsu, http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd,wss-util-1.0.xsd)
import(tas3, http://tas3.eu/tas3/200911/)
ns(sbf,     urn:liberty:sb)
ns(b,       urn:liberty:sb:2006-08)

&@hdrs:
  @wsu:Id?
  @e:mustUnderstand?
  @e:actor?
  @id?	 -> %xs:anyURI
  @ID?	 -> %xs:anyURI
  ;

EndpointReference	 -> %a:EndpointReferenceType
%EndpointReferenceType:
  a:Address	 -> %a:AttributedURIType
  a:ReferenceParameters?
  a:Metadata?
  @notOnOrAfter?  -> %xs:dateTime # Added by Sampo
  &@a:hdrs                # Added by Sampo
  any*  ns(##other)  processContents(lax)
  @any
  ;

ReferenceParameters	 -> %a:ReferenceParametersType
%ReferenceParametersType:
  b:TargetIdentity*
  any*  processContents(lax)
  &@a:hdrs        # Added by Sampo
  @any
  ;

Metadata	 -> %a:MetadataType
%MetadataType:
  sbf:Framework?
  di:Abstract?
  di:ProviderID?
  di:ServiceType?
  di:SecurityContext?
  tas3:Trust?
  any*  processContents(lax)
  @rankKey -> %xs:anyURI  # Added by Sampo
  @any
  ;

MessageID	 -> %a:AttributedURIType

RelatesTo	 -> %a:RelatesToType
%RelatesToType:	 base(xs:anyURI)
  @RelationshipType?	 -> %a:RelationshipTypeOpenEnum  # default (http://www.w3.org/2005/08/addressing/reply)
  &@a:hdrs        # Added by Sampo
  @any
  ;

%RelationshipTypeOpenEnum:  union(a:RelationshipType xs:anyURI)  ;
%RelationshipType:	 enum( http://www.w3.org/2005/08/addressing/reply ) ;

ReplyTo	 -> %a:EndpointReferenceType
From	 -> %a:EndpointReferenceType
FaultTo	 -> %a:EndpointReferenceType
To	 -> %a:AttributedURIType
Action	 -> %a:AttributedURIType

# Simple-content header type: a URI value plus the shared header attributes.
%AttributedURIType:	 base(xs:anyURI)
  &@a:hdrs        # Added by Sampo
  @any
  ;

# Per WS-Addressing, flags a header that originated as an EPR reference parameter.
@IsReferenceParameter	 -> %xs:boolean

# Fault subcodes: the enumerated a:* QNames, or (open union) any other QName.
%FaultCodesOpenEnumType:  union(a:FaultCodesType xs:QName)
  ;

%FaultCodesType:	 enum( a:InvalidAddressingHeader a:InvalidAddress a:InvalidEPR a:InvalidCardinality a:MissingAddressInEPR a:DuplicateMessageID a:ActionMismatch a:MessageAddressingHeaderRequired a:DestinationUnreachable a:ActionNotSupported a:EndpointUnavailable ) ;

# Fault detail elements that accompany the fault subcodes above (RetryAfter,
# ProblemHeaderQName, ProblemHeader, ProblemURI, ProblemAction). Each is the
# corresponding simple value plus the shared header attributes.
RetryAfter	 -> %a:AttributedUnsignedLongType

%AttributedUnsignedLongType:	 base(xs:unsignedLong)
  &@a:hdrs        # Added by Sampo
  @any
  ;

ProblemHeaderQName -> %a:AttributedQNameType

%AttributedQNameType:	 base(xs:QName)
  &@a:hdrs        # Added by Sampo
  @any
  ;

ProblemHeader	 -> %a:AttributedAnyType

# Arbitrary (lax) content: the offending header is echoed back as-is.
%AttributedAnyType:
  any*  processContents(lax)
  &@a:hdrs        # Added by Sampo
  @any
  ;

ProblemURI	 -> %a:AttributedURIType

ProblemAction	 -> %a:ProblemActionType
%ProblemActionType:
  a:Action?
  a:SoapAction? -> %xs:anyURI
  &@a:hdrs        # Added by Sampo
  @any
  ;

#EOF

1.7.4 wss-secext-1.0 (wsse)

# zxid/sg/wss-secext-1.0.sg
# Slightly edited, 5.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: wss-secext-1.0.sg,v 1.6 2009-11-20 20:27:13 sampo Exp $

target(wsse, http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd)
import(wsu,  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd,wss-util-1.0.xsd)
import(xml,  http://www.w3.org/XML/1998/namespace,http://www.w3.org/2001/xml.xsd)
import(ds,   http://www.w3.org/2000/09/xmldsig#,http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd)
import(e,    http://schemas.xmlsoap.org/soap/envelope/)
import(sa11, urn:oasis:names:tc:SAML:1.0:assertion)
import(sa,   urn:oasis:names:tc:SAML:2.0:assertion)
import(ff12, urn:liberty:iff:2003-08)
import(sec,  urn:liberty:security:2006-08)
ns(xs,   http://www.w3.org/2001/XMLSchema)

# SOAP header attributes shared by wsse:Security: wsu:Id so the header can be signed,
# mustUnderstand (set to 1 in the Appendix 2 examples) and actor.
&@header:
  @wsu:Id?
  @e:mustUnderstand?
  @e:actor?
  ;

# Simple-content building blocks. PasswordString's Type identifies the password form
# (the WSS Username Token Profile defines text and digest forms); EncodedString's
# EncodingType identifies how a binary value is encoded (Base64Binary in the examples).
%AttributedString:	 base(xs:string)
  @wsu:Id?
  @any
  ;
%PasswordString:	 base(wsse:AttributedString)
  @Type?	 -> %xs:anyURI
  ;
%EncodedString:	 base(wsse:AttributedString)
  @EncodingType?	 -> %xs:anyURI
  ;

# wsse:UsernameToken. Only Username is enumerated: the Password and Nonce children
# (declared further down) and wsu:Created arrive through the lax any*, so the grammar
# neither requires them nor checks their combination; that is left to the code.
%UsernameTokenType:
  wsse:Username	 -> %wsse:AttributedString
  any*  processContents(lax)
  @wsu:Id?
  @any
  ;

# BinarySecurityToken and KeyIdentifier are encoded strings whose ValueType says what
# the value is (the X509v3 token profile URI and the SAML token profile SAMLID in the
# Appendix 2 examples). tUsage is a list of URIs; wsse:Usage annotates a reference with it.
%BinarySecurityTokenType:	 base(wsse:EncodedString)
  @ValueType?	 -> %xs:anyURI
  ;

%KeyIdentifierType:	 base(wsse:EncodedString)
  @ValueType?	 -> %xs:anyURI
  ;

%tUsage: xs:anyURI* ;
@Usage   -> %wsse:tUsage

# Reference points at a token by URI (a #wsu:Id fragment in the examples); Embedded
# carries the token inline. ValueType on either says what kind of token it is.
%ReferenceType:
  @URI?	 -> %xs:anyURI
  @ValueType?	 -> %xs:anyURI
  @any
  ;

%EmbeddedType:
  any*  processContents(lax)
  @ValueType?	 -> %xs:anyURI
  @any
  ;

# wsse:SecurityTokenReference. Used from ds:KeyInfo to name the signing token, or as
# a signed pointer to a SAML assertion carried elsewhere in the header (in the SAML
# bearer example the KeyIdentifier holds the assertion ID and the STR itself is
# covered by the signature through STR-Transform). Only KeyIdentifier is enumerated;
# wsse:Reference and wsse:Embedded come through the lax any*.
%SecurityTokenReferenceType:
  wsse:KeyIdentifier?
  any*  processContents(lax)
  @wsu:Id?
  @wsse:Usage?
  @any
  ;

# wsse:Security header. Every child is optional, so an empty header and any
# combination of signature and tokens are schema-valid. The checks that actually
# matter (a ds:Signature is present; its References cover the Body, the addressing
# headers, the Timestamp and the token; the token is valid and bound to the signing
# key) are policy decisions for the consuming code, not this grammar. The Appendix 2
# examples show the expected layouts for the X509, binary bearer and SAML bearer
# security mechanisms. sa11 is the SAML 1.x and ff12 the Liberty ID-FF 1.2 assertion.
%SecurityHeaderType:
  ds:Signature?
  sa:Assertion?
  sa:EncryptedAssertion?
  sa11:Assertion?
  ff12:Assertion?
  #sec:Token?  assertion is used directly
  wsse:BinarySecurityToken?       # Useful for X509 and binary bearer sec mechs
  wsse:SecurityTokenReference?    # Useful for SAML bearer sec mech
  wsu:Timestamp?
  &@wsse:header
  any*  processContents(lax)
  @any
  ;

# TransformationParameters is the content of the STR-Transform ds:Transform; in the
# SAML bearer example it carries the CanonicalizationMethod applied to the
# dereferenced token.
%TransformationParametersType:
  any*  processContents(lax)
  @any
  ;

# Top-level elements of the wsse namespace.
UsernameToken	 -> %wsse:UsernameTokenType
BinarySecurityToken	 -> %wsse:BinarySecurityTokenType
Reference	 -> %wsse:ReferenceType
Embedded	 -> %wsse:EmbeddedType
KeyIdentifier	 -> %wsse:KeyIdentifierType
SecurityTokenReference   -> %wsse:SecurityTokenReferenceType
Security	 -> %wsse:SecurityHeaderType
TransformationParameters -> %wsse:TransformationParametersType
Password	 -> %wsse:PasswordString
Nonce            -> %wsse:EncodedString

# SOAP fault subcodes defined by WS-Security for token and signature failures.
%FaultcodeEnum:	 enum( wsse:UnsupportedSecurityToken wsse:UnsupportedAlgorithm wsse:InvalidSecurity wsse:InvalidSecurityToken wsse:FailedAuthentication wsse:FailedCheck wsse:SecurityTokenUnavailable ) ;

# EOF

1.7.5 wss-util-1.0 (wsu)

# zxid/sg/wss-util-1.0.sg
# Slightly edited, 5.9.2006, Sampo Kellomaki (sampo@iki.fi)
# $Id: wss-util-1.0.sg,v 1.2 2007-09-30 05:10:03 sampo Exp $

target(wsu, http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd)
ns(xs,http://www.w3.org/2001/XMLSchema)

# MessageExpired is the only timestamp fault subcode. wsu:Id is the xs:ID attribute
# that ds:Reference URIs point at; commonAtts (wsu:Id, the id/ID variants and any)
# is mixed into the types below.
%tTimestampFault:	 enum( wsu:MessageExpired ) ;

@Id	 -> %xs:ID

&@commonAtts: 
  @wsu:Id?
  @id?	 -> %xs:anyURI
  @ID?	 -> %xs:anyURI
  @any
  ;

# Created/Expires values are typed as xs:string, not xs:dateTime (matching the OASIS
# utility schema), so this grammar does not constrain the timestamp format at all:
# parsing the value, allowing for clock skew and checking freshness are entirely the
# consuming code's job.
%AttributedDateTime:	 base(xs:string)
  &@wsu:commonAtts
  ;

%AttributedURI:	 base(xs:anyURI)
  &@wsu:commonAtts
  ;

# wsu:Timestamp. Both Created and Expires are optional, so a Timestamp with neither,
# or with Created only (as in the Appendix 2 examples), is schema-valid. A WSP that
# relies on the timestamp for replay protection must check presence and values itself.
%TimestampType:
  wsu:Created?
  wsu:Expires?
  any*  ns(##other)  processContents(lax)
  &@wsu:commonAtts
  ;

Timestamp -> %wsu:TimestampType
Expires	  -> %wsu:AttributedDateTime
Created	  -> %wsu:AttributedDateTime

#EOF

2 Appendix: Some Example XML Blobs

These XML blobs are for reference. They have been pretty printed: indentation indicates nesting level and closing tags have been abbreviated as "</>". The actual XML on the wire generally does not contain any whitespace. Note also that the signatures in these examples use rsa-sha1 and sha1 digests, as was common when they were captured; SHA-1 based XML signatures are no longer considered adequate, and new deployments should use SHA-256 based algorithms.

2.1 SAML 2.0 Artifact Response with SAML 2.0 SSO Assertion and Two Bootstraps

This example corresponds to t/sso-w-bootstraps.xml in the distribution.

Both bootstraps illustrate the use of a SAML assertion as a bearer token: whoever holds the assertion can present it to the discovery service until its NotOnOrAfter, so it must be protected in transit (TLS, as the SecurityMechID urn:liberty:security:2005-02:TLS:Bearer indicates).

 <soap:Envelope
    xmlns:lib="urn:liberty:iff:2003-08"
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Body>

    <sp:ArtifactResponse
        xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="REvgoIIlkzTmk-aIX6tKE"
        InResponseTo="RfAsltVf2"
        IssueInstant="2007-02-10T05:38:15Z"
        Version="2.0">
      <sa:Issuer
          xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
        https://a-idp.liberty-iop.org:8881/idp.xml</>
      <sp:Status>
        <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>

      <sp:Response
          xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
          ID="RCCzu13z77SiSXqsFp1u1"
          InResponseTo="NojFIIhxw"
          IssueInstant="2007-02-10T05:37:42Z"
          Version="2.0">
        <sa:Issuer
            xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
          https://a-idp.liberty-iop.org:8881/idp.xml</>
        <sp:Status>
          <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>

        <sa:Assertion
            xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
            ID="ASSE6bgfaV-sapQsAilXOvBu"
            IssueInstant="2007-02-10T05:37:42Z"
            Version="2.0">
          <sa:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
            https://a-idp.liberty-iop.org:8881/idp.xml</>

          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#ASSE6bgfaV-sapQsAilXOvBu">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>r8OvtNmq5LkYwCNg6bsRZAdT4NE=</></></>
            <ds:SignatureValue>GtWVZzHYW54ioHk/C7zjDRThohrpwC4=</></>

          <sa:Subject>
            <sa:NameID
                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                NameQualifier="https://a-idp.liberty-iop.org:8881/idp.xml">PB5fLIA4lRU2bH4HkQsn9</>
            <sa:SubjectConfirmation
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <sa:SubjectConfirmationData
                  NotOnOrAfter="2007-02-10T06:37:41Z"
                  Recipient="https://sp1.zxidsp.org:8443/zxidhlo"/></></>

          <sa:Conditions
              NotBefore="2007-02-10T05:32:42Z"
              NotOnOrAfter="2007-02-10T06:37:42Z">
            <sa:AudienceRestriction>
              <sa:Audience>https://sp1.zxidsp.org:8443/zxidhlo?o=B</></></>

          <sa:Advice>

            <!-- This assertion is the credential for the ID-WSF 1.1 bootstrap (below). -->

            <sa:Assertion
                ID="CREDOTGAkvhNoP1aiTq4bXBg"
                IssueInstant="2007-02-10T05:37:42Z"
                Version="2.0">
              <sa:Issuer
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                https://a-idp.liberty-iop.org:8881/idp.xml</>
              <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                  <ds:Reference URI="#CREDOTGAkvhNoP1aiTq4bXBg">
                    <ds:Transforms>
                      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>dqq/28hw5eEv+ceFyiLImeJ1P8w=</></></>
                <ds:SignatureValue>UKlEgHKQwuoCE=</></>
              <sa:Subject>
                <sa:NameID/>  <!-- *** Bug: the NameID is empty; a credential assertion should identify its subject (compare the inline credential in the ID-WSF 2.0 bootstrap below). -->
                <sa:SubjectConfirmation
                    Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
              <sa:Conditions
                  NotBefore="2007-02-10T05:32:42Z"
                  NotOnOrAfter="2007-02-10T06:37:42Z">
                <sa:AudienceRestriction>
                  <sa:Audience>https://sp1.zxidsp.org:8443/zxidhlo?o=B</></></></></>

          <sa:AuthnStatement
              AuthnInstant="2007-02-10T05:37:42Z"
              SessionIndex="1171085858-4">
            <sa:AuthnContext>
              <sa:AuthnContextClassRef>
                urn:oasis:names:tc:SAML:2.0:ac:classes:Password</></></>

          <sa:AttributeStatement>

            <!-- Regular attribute -->

            <sa:Attribute
                Name="cn"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <sa:AttributeValue>Sue</></>
	    <!-- ID-WSF 1.1 Bootstrap for discover. See also the Advice, above. -->
            <sa:Attribute
                Name="DiscoveryResourceOffering"
                NameFormat="urn:liberty:disco:2003-08">
              <sa:AttributeValue>
                <disco:ResourceOffering
                    xmlns:disco="urn:liberty:disco:2003-08"
                    entryID="2">
                  <disco:ResourceID>
                    https://a-idp.liberty-iop.org/profiles/WSF1.1/RID-DISCO-sue</>
                  <disco:ServiceInstance>
                    <disco:ServiceType>urn:liberty:disco:2003-08</>
                    <disco:ProviderID>
                      https://a-idp.liberty-iop.org:8881/idp.xml</>
                    <disco:Description>
                      <disco:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</>
                      <disco:CredentialRef>CREDOTGAkvhNoP1aiTq4bXBg</>
                      <disco:Endpoint>
                        https://a-idp.liberty-iop.org:8881/DISCO-S</></></>
                  <disco:Abstract>Symlabs Discovery Service Team G</></></></>

            <!-- ID-WSF 2.0 Bootstrap for Discovery. The credential (bearer token) is inline. -->

            <sa:Attribute
                Name="urn:liberty:disco:2006-08:DiscoveryEPR"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <sa:AttributeValue>
                <wsa:EndpointReference
                    xmlns:wsa="http://www.w3.org/2005/08/addressing"
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    notOnOrAfter="2007-02-10T07:37:42Z"
                    wsu:Id="EPRIDcjP8ObO9In47SDjO9b37">
                  <wsa:Address>
                    https://a-idp.liberty-iop.org:8881/DISCO-S</>
                  <wsa:Metadata>
                    <disco:Abstract
                        xmlns:disco="urn:liberty:disco:2006-08">SYMfiam Discovery Service</>
                    <sbf:Framework
                        xmlns:sbf="urn:liberty:sb"
                        version="2.0"/>
                    <disco:ProviderID
                        xmlns:disco="urn:liberty:disco:2006-08">
                      https://a-idp.liberty-iop.org:8881/idp.xml</>
                    <disco:ServiceType
                        xmlns:disco="urn:liberty:disco:2006-08">urn:liberty:disco:2006-08</>
                    <disco:SecurityContext
                        xmlns:disco="urn:liberty:disco:2006-08">
                      <disco:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</>

                      <sec:Token
                          xmlns:sec="urn:liberty:security:2006-08"
                          usage="urn:liberty:security:tokenusage:2006-08:SecurityToken">

                        <sa:Assertion
                            ID="CREDV6ZBMyicmyvDq9pLIoSR"
                            IssueInstant="2007-02-10T05:37:42Z"
                            Version="2.0">
                          <sa:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                            https://a-idp.liberty-iop.org:8881/idp.xml</>
                          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <ds:SignedInfo>
                              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                              <ds:Reference URI="#CREDV6ZBMyicmyvDq9pLIoSR">
                                <ds:Transforms>
                                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                <ds:DigestValue>o2SgbuKIBzl4e0dQoTwiyqXr/8Y=</></></>
                            <ds:SignatureValue>hHdUKaZ//cZ8UYJxvTReNU=</></>
                          <sa:Subject>
                            <sa:NameID
                                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                                NameQualifier="https://a-idp.liberty-iop.org:8881/idp.xml">
                              9my93VkP3tSxEOIb3ckvjLpn0pa6aV3yFXioWX-TzZI=</>
                            <sa:SubjectConfirmation
                                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
                          <sa:Conditions
                              NotBefore="2007-02-10T05:32:42Z"
                              NotOnOrAfter="2007-02-10T06:37:42Z">
                            <sa:AudienceRestriction>
                              <sa:Audience>
                                https://a-idp.liberty-iop.org:8881/idp.xml</></></>
                          <sa:AuthnStatement
                              AuthnInstant="2007-02-10T05:37:42Z">
                            <sa:AuthnContext>
                              <sa:AuthnContextClassRef>
                                urn:oasis:names:tc:SAML:2.0:ac:classes:Password</></></></></></></></></></></></></></></></>

2.2 ID-WSF 2.0 Call with X509v3 Sec Mech

 <e:Envelope
    xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:b="urn:liberty:sb:2005-11"
    xmlns:sec="urn:liberty:security:2005-11"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <e:Header>
    <wsa:MessageID wsu:Id="MID">123</>
    <wsa:To wsu:Id="TO">...</>
    <wsa:Action wsu:Id="ACT">...</>
    <wsse:Security mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS"><wsu:Created>2005-06-17T04:49:17Z</></>
      <wsse:BinarySecurityToken
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="X509Token"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
        MIIB9zCCAWSgAwIBAgIQ...</>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:Reference URI="#MID">...</>
          <ds:Reference URI="#TO">...</>
          <ds:Reference URI="#ACT">...</>
          <ds:Reference URI="#TS">...</>
          <ds:Reference URI="#X509Token">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>Ru4cAfeBAB</></>
          <ds:Reference URI="#BDY">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>YgGfS0pi56p</></></>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509Token"/></></>
        <ds:SignatureValue>HJJWbvqW9E84vJVQkjDElgscSXZ5Ekw==</></></></>
  <e:Body wsu:Id="BDY">
    <xx:Query/></></>

The salient features of the above XML blob are

In the absence of an identity token, the headers alone do not make it possible to identify the target identity. The signature generally conveys the Invoker identity (the WSC that is calling the service), but since one WSC typically serves many principals, knowing which principal the call is made for is impossible. For this reason the X509 security mechanism is seldom used in the ID-WSF 2.0 world (with ID-WSF 1.1 the ResourceID provides an alternative way of identifying the principal, thus making X509 a viable option).

2.3 ID-WSF 2.0 Call with Bearer (Binary) Sec Mech

 <e:Envelope
    xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:b="urn:liberty:sb:2005-11"
    xmlns:sec="urn:liberty:security:2005-11"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <e:Header>
    <wsa:MessageID wsu:Id="MID">...</>
    <wsa:To wsu:Id="TO">...</>
    <wsa:Action wsu:Id="ACT">...</>
    <wsse:Security mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS">
        <wsu:Created>2005-06-17T04:49:17Z</></>
      <wsse:BinarySecurityToken
          ValueType="anyNSPrefix:ServiceSessionContext"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          wsu:Id="BST">
        mQEMAzRniWkAAAEH9RWir0eKDkyFAB7PoFazx3ftp0vWwbbzqXdgcX8fpEqSr1v4
        YqUc7OMiJcBtKBp3+jlD4HPUaurIqHA0vrdmMpM+sF2BnpND118f/mXCv3XbWhiL
        VT4r9ytfpXBluelOV93X8RUz4ecZcDm9e+IEG+pQjnvgrSgac1NrW5K/CJEOUUjh
        oGTrym0Ziutezhrw/gOeLVtkywsMgDr77gWZxRvw01w1ogtUdTceuRBIDANj+KVZ
        vLKlTCaGAUNIjkiDDgti=</>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig #">
        <ds:SignedInfo>
          <ds:Reference URI="#MID">...</>
          <ds:Reference URI="#TO">...</>
          <ds:Reference URI="#ACT">...</>
          <ds:Reference URI="#TS">...</>
          <ds:Reference URI="#BST">...</>
          <ds:Reference URI="#BDY">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>YgGfS0pi56pu</></></>
        ...</></></>
  <e:Body wsu:Id="BDY">
    <xx:Query/></></>

2.4 ID-WSF 2.0 Call with Bearer (SAML) Sec Mech

 <e:Envelope
    xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:sb="urn:liberty:sb:2005-11"
    xmlns:sec="urn:liberty:security:2005-11"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <e:Header>
    <wsa:MessageID wsu:Id="MID">...</>
    <wsa:To wsu:Id="TO">...</>
    <wsa:Action wsu:Id="ACT">...</>
    <wsse:Security mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS">
        <wsu:Created>2005-06-17T04:49:17Z</></>

      <sa:Assertion
          xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
          Version="2.0"
          ID="A7N123"
          IssueInstant="2005-04-01T16:58:33.173Z">
        <sa:Issuer>http://idp.symdemo.com/</>
        <ds:Signature>...</>
        <sa:Subject>
          <sa:EncryptedID>
            <xenc:EncryptedData>U2XTCNvRX7Bl1NK182nmY00TEk==</>
            <xenc:EncryptedKey>...</></>
          <sa:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
        <sa:Conditions
            NotBefore="2005-04-01T16:57:20Z"
            NotOnOrAfter="2005-04-01T21:42:43Z">
          <sa:AudienceRestriction>
            <sa:Audience>http://wsp.zxidsp.org</></></>
        <sa:AuthnStatement
            AuthnInstant="2005-04-01T16:57:30.000Z"
            SessionIndex="6345789">
          <sa:AuthnContext>
            <sa:AuthnContextClassRef>
              urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</></></>
        <sa:AttributeStatement>
          <sa:EncryptedAttribute>
            <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
              mQEMAzRniWkAAAEH9RbzqXdgcX8fpEqSr1v4=</>
            <xenc:EncryptedKey>...</></></></>

      <wsse:SecurityTokenReference
          xmlns:wsse11="..."
          wsu:Id="STR1"
          wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
        <wsse:KeyIdentifier
            ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
          A7N123</></>

      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#MID">...</>
          <ds:Reference URI="#TO">...</>
          <ds:Reference URI="#ACT">...</>
          <ds:Reference URI="#TS">...</>
          <ds:Reference URI="#STR1">
            <ds:Transform Algorithm="...#STR-Transform">
              <wsse:TransformationParameters>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></></></>
          <ds:Reference URI="#BDY"/></>
        ...</></></>
  <e:Body wsu:Id="BDY">
    <xx:Query/></></>

*** Is the reference above to wsse11:TokenType really correct? It appears to be: the WSS SAML Token Profile 1.1 calls for a wsse11:TokenType attribute (wsse11 being the WS-Security 1.1 secext namespace, http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd) on a SecurityTokenReference to a SAML V2.0 assertion, with the #SAMLV2.0 value shown, and the KeyIdentifier ValueType #SAMLID for a reference by assertion ID. The "..." placeholder for the wsse11 namespace should be filled in; verify against the profile text before relying on this.

Note how the <Subject> and the attributes are encrypted such that only the WSP can open them. This protects against the WSC gaining knowledge of the NameID the principal has at the WSP. Encryption only provides confidentiality, however: because the confirmation method is bearer, any party holding the assertion can present it within its validity window, so the WSP must still verify the assertion's signature against a trusted IdP and enforce NotOnOrAfter and the AudienceRestriction.

2.5 XACML 2.0 SAML Profile SOAP Call

 <e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
  <e:Body>
    <xasp:XACMLAuthzDecisionQuery
        xmlns:xasp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
        ID="RX3eHFSEBW6-OnPG5sGV_EevU"
        IssueInstant="2009-09-07T21:28:05Z"
        Version="2.0">
      <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">https://sp1.zxidsp.org:5443/protected/saml?o=B</>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#RX3eHFSEBW6-OnPG5sGV_EevU">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>F2r41OppQA2ZLsosLO6V9VNJ0J8=</></></>
        <ds:SignatureValue>sAvByKH9--(snip)--HV+1oqcdUw=</></>
      <xac:Request xmlns:xac="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        <xac:Subject>
          <xac:Attribute
              AttributeId="permisRole"
              DataType="xs:string"
              Issuer="https://idp.tas3.pt:8443/zxididp?o=B">
            <xac:AttributeValue>guest</></>
          <xac:Attribute
              AttributeId="permisRole"
              DataType="xs:string"
              Issuer="https://idp.tas3.pt:8443/zxididp?o=B">
            <xac:AttributeValue>jesterbester</></>
          <xac:Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="xs:string">
            <xac:AttributeValue>FdGaMOmtJPfvK9dN64lWgKTOp</></></>
        <xac:Resource>
          <xac:Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="xs:string">
            <xac:AttributeValue>/protected/env.cgi</></></>
        <xac:Action>
          <xac:Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="xs:string">
            <xac:AttributeValue>urn:oasis:names:tc:xacml:1.0:action:implied-action</></></>
        <xac:Environment>
          <xac:Attribute
              AttributeId="zxididp"
              DataType="xs:string"
              Issuer="https://idp.tas3.pt:8443/zxididp?o=B">
            <xac:AttributeValue>0.33 1251217347</></>
          <xac:Attribute
              AttributeId="affid"
              DataType="xs:string">
            <xac:AttributeValue>https://idp.tas3.pt:8443/zxididp?o=B</></>
          <xac:Attribute
              AttributeId="authnctxlevel"
              DataType="xs:string">
            <xac:AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</></>
          <xac:Attribute
              AttributeId="sesid"
              DataType="xs:string">
            <xac:AttributeValue>S6QaJzAylXfkw1tFlrZSD9Zwr</></></></></></></>


 <e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
  <e:Body>
    <sp:Response
        xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="R-Dn3MxxJ0xo7jjOeVpC1aezO"
	InResponseTo="RX3eHFSEBW6-OnPG5sGV_EevU"
        IssueInstant="2009-09-07T18:48:03Z"
        Version="2.0">
      <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.tas3.pt:8443/zxididp?o=B</>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#R-Dn3MxxJ0xo7jjOeVpC1aezO">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>jdBsc0wOvJsBJCCc4eyq1bnG1u4=</></></>
        <ds:SignatureValue>AZyw2fK5--(snip)--UTOSSov7kc=</></>
      <sp:Status>
        <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>
      <sa:Assertion
          xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
          ID="A73VuYGSDQ8MI-TUNk8PORrZT"
          IssueInstant="2009-09-07T18:48:03Z"
          Version="2.0">
        <sa:Issuer>https://idp.tas3.pt:8443/zxididp?o=B</>
        <sa:Conditions
            NotBefore="2009-09-07T18:48:03Z"
            NotOnOrAfter="2009-09-07T19:48:03Z"/>
        <xasa:XACMLAuthzDecisionStatement xmlns:xasa="urn:oasis:xacml:2.0:saml:assertion:schema:os">
          <xac:Response xmlns:xac="urn:oasis:names:tc:xacml:2.0:context:schema:os">
            <xac:Result>
              <xac:Decision>Permit</>
              <xac:Status>
                <xac:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></></></></></></></></>