shibboleth-dev - RE: Origin site registry schema

RE: Origin site registry schema

  • From: Scott Cantor <>
  • To: 'RL 'Bob' Morgan' <>
  • Cc: 'Shibboleth Design Team' <>
  • Subject: RE: Origin site registry schema
  • Date: Mon, 10 Jun 2002 13:58:22 -0400
  • Importance: Normal
  • Organization: The Ohio State University

> So I guess I'm behind the technology curve here, but I don't
> know how to get hold of this .xsd file ...

It's in the cvs, which is currently only accessible to shib1 users. For
now, I just attached it. We should have cvs-web up soon. The schema is
currently not all that modular, per your thoughts below, but I was
trying to get it working quickly. I'll play with it some more and
improve it.

> Seems to me the enclosing element would just be "Sites". I
> don't know why we'd want to force having to sign origins as a
> separate element from signing targets.

Currently, there is no defined use for target information in such a
fashion, but I suppose it might eventually be used to communicate site
information to AAs.

> Seems like if several Aliases can be offered it would be
> necessary to distinguish one as the preferred one. I could
> even imagine distinguishing Aliases by type ("official name",
> "mascot name"), but let's not go there yet.

If you want to have a preferred one, we can use the first one (or the
first with a particular xml:lang, etc.)

> I don't think that *.osu.edu should imply osu.edu.

I don't think the implication runs in that direction. The name of the
site itself is specifically spelled out in Name. I presumed that we
would default the site name as an acceptable attribute scope, but not
that we would automatically include all subdomains by default.

In other words, if I'm osu.edu, the registry file wouldn't have to
specify
<Domain>osu.edu</Domain> but would have to specify
<Domain>*.osu.edu</Domain> if I wanted to have all those scopes.

I can take out that code easily and just make all the domains explicit
(and require one)...

> it might be useful to be able to distinguish these for
> administrative purposes. However, since matching rules are
> potentially mysterious, I think we should re-use existing
> rules here if we can, and those that most closely apply, it
> seems to me, are those from the HTTP cookie mechanism in RFC
> 2965. However, I can't tell at first skim how these work.

I was hoping for regular expressions for simplicity of implementation.
That may sound a bit odd, but even supporting complex regexps is easy
because lots of libraries exist, whereas I have less of an idea if
there's a good self-contained cookie-matching library in C. Might be
able to hack it out of libcurl, since it does cookies, I guess. I'm sure
the code is around, just a bit more work to get it.

-- Scott
<?xml version="1.0" encoding="US-ASCII"?>
<schema targetNamespace="urn:mace:shibboleth:1.0" xmlns:shib="urn:mace:shibboleth:1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified">
    <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
    <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
    
    <!-- Used by AA in samlp:StatusDetail to signal user wants real-time attribute release. -->
    <element name="RealTimeReleaseURL" type="anyURI"/>
    
    <!--
    The following SAML sub-status codes are defined in this namespace:
    
        "RealTimeRelease"
            Used with samlp:Responder, signals user wants real-time attribute release
        
        "InvalidHandle"
            Used with samlp:Requester, signals AA did not recognize handle as valid
    -->
    
    <!--
    Identifies a Shibboleth origin site's name, handle service (w/ optional key),
    authorized domains it may assert attributes for besides itself, and any WAYF aliases preferred.
    -->
    <element name="OriginSite">
        <complexType>
            <sequence>
                <element name="HandleService" maxOccurs="unbounded">
                    <complexType>
                        <sequence>
                            <element ref="ds:KeyInfo" minOccurs="0"/>
                        </sequence>
                        <attribute name="Name" type="string" use="required"/>
                    </complexType>
                </element>
                <element name="Domain" type="string" minOccurs="0" maxOccurs="unbounded"/>
                <element name="Alias" minOccurs="0" maxOccurs="unbounded">
                    <complexType>
                        <simpleContent>
                            <extension base="string">
                                <attribute ref="xml:lang"/>
                            </extension>
                        </simpleContent>
                    </complexType>
                </element>
            </sequence>
            <attribute name="Name" type="string" use="required"/>
        </complexType>
    </element>
    
    <!-- The registry of origin sites plus an optional signature. -->
    <element name="OriginSites">
        <complexType>
            <sequence>
                <element ref="shib:OriginSite" maxOccurs="unbounded"/>
                <element ref="ds:Signature" minOccurs="0"/>
            </sequence>
        </complexType>
    </element>
</schema>
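As an added illustration (not code from the Shibboleth project or from the message's author), the following Python parses an OriginSites registry instance that conforms to the schema attached above and applies the rules the message discusses: the site's own Name is an acceptable scope by default, a "*.osu.edu" Domain covers subdomains but does not cover "osu.edu" itself, every other scope must be spelled out, handle service names map to the site they belong to, and the preferred Alias is the first one (or the first with a requested xml:lang). The Domain entries are compiled to anchored regular expressions, the implementation route Scott mentions, with escaping so that "osu.edu.evil.com" or "evilosu.edu" cannot slip past a "*.osu.edu" rule. The sample registry, its site names and its handle service host names are constructed for the example and are not real metadata; the fallback to the first alias when no alias carries the requested language is an assumption.

```python
import re
import xml.etree.ElementTree as ET

SHIB_NS = "urn:mace:shibboleth:1.0"
XML_NS = "http://www.w3.org/XML/1998/namespace"

# Constructed sample registry: hypothetical sites, hosts and aliases.
SAMPLE_REGISTRY = """
<OriginSites xmlns="urn:mace:shibboleth:1.0">
  <OriginSite Name="osu.edu">
    <HandleService Name="hs.osu.edu"/>
    <Domain>*.osu.edu</Domain>
    <Alias xml:lang="en">The Ohio State University</Alias>
    <Alias xml:lang="en">Ohio State</Alias>
  </OriginSite>
  <OriginSite Name="example.edu">
    <HandleService Name="hs.example.edu"/>
    <HandleService Name="hs2.example.edu"/>
    <Domain>partner.org</Domain>
    <Alias xml:lang="fr">Universite d'Exemple</Alias>
    <Alias xml:lang="en">Example University</Alias>
  </OriginSite>
</OriginSites>
"""


def _q(local):
    """Qualify a local name with the Shibboleth namespace."""
    return "{%s}%s" % (SHIB_NS, local)


def domain_pattern(domain):
    """Compile one Domain entry into an anchored, escaped regex.

    '*.osu.edu' matches one or more labels followed by '.osu.edu', so
    'cse.osu.edu' and 'a.b.osu.edu' match but 'osu.edu' itself does not.
    A plain entry matches exactly.  re.escape keeps the dots literal.
    """
    if domain.startswith("*."):
        return re.compile(r"^[^.]+(\.[^.]+)*\." + re.escape(domain[2:]) + r"$",
                          re.IGNORECASE)
    return re.compile(r"^" + re.escape(domain) + r"$", re.IGNORECASE)


class OriginSite:
    def __init__(self, el):
        self.name = el.get("Name")
        self.handle_services = [hs.get("Name") for hs in el.findall(_q("HandleService"))]
        # The site's own name is an acceptable scope by default; anything
        # else (including subdomains) must be listed as a Domain element.
        self.scopes = [domain_pattern(self.name)]
        self.scopes += [domain_pattern(d.text.strip()) for d in el.findall(_q("Domain"))]
        self.aliases = [(a.get("{%s}lang" % XML_NS), a.text)
                        for a in el.findall(_q("Alias"))]

    def accepts_scope(self, scope):
        return any(p.match(scope) for p in self.scopes)

    def preferred_alias(self, lang=None):
        """First alias wins; with a language, the first alias in that language.
        Falling back to the first alias when the language is absent is an
        assumption of this example."""
        for alias_lang, text in self.aliases:
            if lang is None or alias_lang == lang:
                return text
        return self.aliases[0][1] if self.aliases else self.name


class OriginSiteRegistry:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        if root.tag != _q("OriginSites"):
            raise ValueError("not an OriginSites document: %s" % root.tag)
        self.sites = {}
        self.by_handle_service = {}
        for el in root.findall(_q("OriginSite")):
            site = OriginSite(el)
            self.sites[site.name] = site
            for hs in site.handle_services:
                self.by_handle_service[hs] = site

    def check_attribute(self, handle_service, scoped_value):
        """Accept 'user@scope' only if the issuing handle service is registered
        and the site it belongs to is authorised for that scope."""
        site = self.by_handle_service.get(handle_service)
        if site is None:
            return False  # unknown handle service: untrusted issuer
        _, sep, scope = scoped_value.rpartition("@")
        if not sep:
            return False  # value carries no scope at all
        return site.accepts_scope(scope)


if __name__ == "__main__":
    reg = OriginSiteRegistry(SAMPLE_REGISTRY)
    for hs, value in [("hs.osu.edu", "jdoe@cse.osu.edu"),
                      ("hs.osu.edu", "jdoe@example.edu"),
                      ("hs.evil.edu", "jdoe@osu.edu")]:
        print(hs, value, reg.check_attribute(hs, value))
```

The optional ds:Signature the schema allows is not checked here; a target would verify it before trusting the registry at all, since this file decides which handle services and scopes are believed.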


