How to restrict the XSD of the SAML 2.0 Authentication Context


I'm trying to restrict the Authentication Context XML Schema Definition (XSD) of the SAML 2.0 specification. The XSD document is available here.

The part I'm trying to restrict is one related to this part of the original XSD:

<xs:complexType name="PasswordType">
  <xs:sequence>
    <xs:element ref="Length" minOccurs="0"/>
    <xs:element ref="Alphabet" minOccurs="0"/>
    <xs:element ref="Generation" minOccurs="0"/>
    <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
</xs:complexType>

<xs:element name="RestrictedPassword" type="RestrictedPasswordType"/>

<xs:complexType name="RestrictedPasswordType">
  <xs:complexContent>
    <xs:restriction base="PasswordType">
      <xs:sequence>
        <xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>
        <xs:element ref="Generation" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

Well, I do not know how to restrict the complex type RestrictedPassword. Below is my XSD, which attempts to restrict the original XSD.

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema version="2.0"
       targetNamespace="urn:m:SAML:2.0:ac:classes:K"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns="urn:m:SAML:2.0:ac:classes:K"           
       finalDefault="extension"
       blockDefault="substitution">

<xs:redefine schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-authn-context-types-2.0.xsd">    

    <xs:complexType name="RestrictedPasswordType">
        <xs:complexContent>
            <xs:restriction base="RestrictedPasswordType">
                <xs:sequence>
                    <xs:element ref="Length" minOccurs="0"/>
                    <xs:element ref="Generation"/>
                    <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
                </xs:sequence>
                <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
            </xs:restriction>
        </xs:complexContent>
    </xs:complexType>

</xs:redefine>    
</xs:schema>

When I try to validate this XSD in this tool, it returns an error which I do not even know how to fix. The error is as follows:

Not valid. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; rcase-Recurse.2: There is not a complete functional mapping between the particles. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; derivation-ok-restriction.5.4.2: Error for type 'RestrictedPasswordType'. The particle of the type is not a valid restriction of the particle of the base.
    
asked by anonymous 17.02.2014 / 22:01

1 answer


All instances of the new type must also be valid for the base type. But in your schema it is possible to define a RestrictedPasswordType that does not have a Length element (minOccurs="0"), which would be illegal for the base type, which has minOccurs="1". Making an element optional is not a restriction.

Removing minOccurs="0" from Generation is legal, because requiring at least one element is a restriction.

In addition, your restriction references the Length element, which is not the same as the Length element defined in the base type. The Length element is LengthType according to the base schema, and the Length element of the base type is RestrictedLengthType, which is a restriction of LengthType.

I believe that if you change the Length declaration of your redefinition to:

<xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>

it should work, unless there are other problems.

EDIT: other issues:

As a new Length element is being declared inside the <xs:complexType> block, it must be declared as qualified, otherwise it will not be part of the targetNamespace and the restriction will fail. To fix this you can:

  • Add an elementFormDefault="qualified" attribute to <xs:schema>, or
  • Add a form="qualified" attribute to the <xs:element>.

More information here:

18.02.2014 / 01:59