How to restrict SAML 2.0’s Authentication Context XSD


I’m trying to restrict the Authentication Context XML Schema Definition of the SAML 2.0 specification. The XSD document is available here.

The part I’m trying to narrow down is related to this part of the original XSD:

<xs:complexType name="PasswordType">
  <xs:sequence>
    <xs:element ref="Length" minOccurs="0"/>
    <xs:element ref="Alphabet" minOccurs="0"/>
    <xs:element ref="Generation" minOccurs="0"/>
    <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
</xs:complexType>

<xs:element name="RestrictedPassword" type="RestrictedPasswordType"/>

<xs:complexType name="RestrictedPasswordType">
  <xs:complexContent>
    <xs:restriction base="PasswordType">
      <xs:sequence>
        <xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>
        <xs:element ref="Generation" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

Well, I don’t know how to narrow down the complex type RestrictedPassword. Below is my XSD, which tries to restrict the original XSD.

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema version="2.0"
       targetNamespace="urn:m:SAML:2.0:ac:classes:K"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns="urn:m:SAML:2.0:ac:classes:K"           
       finalDefault="extension"
       blockDefault="substitution">

<xs:redefine schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-authn-context-types-2.0.xsd">    

    <xs:complexType name="RestrictedPasswordType">
        <xs:complexContent>
            <xs:restriction base="RestrictedPasswordType">
                <xs:sequence>
                    <xs:element ref="Length" minOccurs="0"/>
                    <xs:element ref="Generation"/>
                    <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
                </xs:sequence>
                <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
            </xs:restriction>
        </xs:complexContent>
    </xs:complexType>

</xs:redefine>    
</xs:schema>

When I try to validate this XSD in that tool, it returns an error that I do not understand and do not know how to fix. The error is as follows:

Not valid. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; rcase-Recurse.2: There is not a complete functional mapping between the particles. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; derivation-ok-restriction.5.4.2: Error for type 'RestrictedPasswordType'. The particle of the type is not a valid restriction of the particle of the base.
  • Could you give more details about the error you mentioned?

  • Hello Lucas. Here is the error I mentioned: Not valid. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; rcase-Recurse.2: There is not a complete functional mapping between the particles. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; derivation-ok-restriction.5.4.2: Error for type 'RestrictedPasswordType'. The particle of the type is not a valid restriction of the particle of the base.

1 answer

All instances of the new type must also be valid for the base type. But in your schema it is possible to define a RestrictedPasswordType which does not have a Length element (minOccurs="0"), which would be illegal for the base type, where it has minOccurs="1". Making an element optional is not a restriction.

Removing minOccurs="0" from Generation is legal, because requiring at least one element is a restriction.

In addition, your restriction references the element Length, which is not the same Length as the one defined in the base type. The global element Length is of type LengthType according to the base schema, while the Length in the base type is a RestrictedLengthType, which is a restriction of LengthType.

I believe that if you change the <xs:element> declaration in your redefinition to:

<xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>

it should work, unless there are other problems.

EDIT: the other problems:

Since a new element Length is being declared inside the <complexType> block, it needs to be declared as "qualified"; otherwise it will not be part of the targetNamespace and the restriction will fail. To fix this you can:

  • Add a form="qualified" attribute to the <xs:element name="Length" ... />, or
  • Add an elementFormDefault="qualified" attribute to the element.

More information here:

  • Hi, I agree with you. I changed the XSD as suggested, and now I get the following error (which is the same error as before): Not valid. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; rcase-Recurse.2: There is not a complete functional mapping between the particles. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; derivation-ok-restriction.5.4.2: Error for type 'RestrictedPasswordType'. The particle of the type is not a valid restriction of the particle of the base.

  • I see the original document you linked does not declare a targetNamespace, but in the derived schema one is declared. A derived schema cannot have a targetNamespace different from the original's. Try removing the xmlns and targetNamespace attributes from your schema.

  • It worked. I removed the xmlns and targetNamespace and it worked. However, there are other documents similar to mine which define an xmlns and targetNamespace different from the original, and they are valid. An example is this one: http://docs.oasis-open.org/security/saml/v2.0/saml-schema-authn-context-nomad-telephony-2.0.xsd . Can you tell me why?

  • The namespace restriction is in the spec: "3 One of the following must be true: 3.1 SII has a targetNamespace [attribute], and its actual value is identical to the actual value of the targetNamespace [attribute] of SII' (which must have such an [attribute]). 3.2 Neither SII nor SII' have a targetNamespace [attribute]. 3.3 SII has no targetNamespace [attribute] (but SII' does)." But there may be some exception that I’m not aware of.

  • Ah, I see a problem here. The definition of the element Length must be marked with the attribute form="qualified", or it will not be included in the targetNamespace. This must be the problem. Instead of the attribute on the element, you can use elementFormDefault="qualified" on <xs:schema>, which is better. You can keep your namespace declarations as long as you use elementFormDefault="qualified".

  • It worked in both cases, both by adding form="qualified" to the element and by adding elementFormDefault="qualified" to the <schema> element. But let me get this straight: if I add form="qualified" to the element, does that mean the element belongs to the original XSD’s namespace?

  • If the schema root element does not declare the attribute elementFormDefault="qualified", all elements declared within types that do not have the attribute form="qualified" are considered to be in no namespace (the null namespace). This does not apply to types or elements declared at top level. More details here: XML Schema Primer - 3 Advanced Concepts I: Namespaces, Schemas & Qualification

  • I read the document you pointed to and was able to understand the effect of setting the element’s form attribute. Thank you very much! :)
