From 5d57c29faef622856e8197040dc12374599d8d72 Mon Sep 17 00:00:00 2001
From: mhajas <mhajas@redhat.com>
Date: Tue, 27 Sep 2016 13:39:03 +0200
Subject: [PATCH] KEYCLOAK-3268 KEYCLOAK-3100 Validate SAML Idp and SP metadata

---
 .../AbstractSAMLServletsAdapterTest.java      |  48 +++
 .../saml-schema-assertion-2.0.xsd             | 283 +++++++++++++++
 .../saml-schema-metadata-2.0.xsd              | 337 ++++++++++++++++++
 3 files changed, 668 insertions(+)
 create mode 100644 testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/metadata-schema/saml-schema-assertion-2.0.xsd
 create mode 100644 testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/metadata-schema/saml-schema-metadata-2.0.xsd

diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java
index 9db0e516ac..290677848d 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java
@@ -61,13 +61,25 @@ import org.keycloak.testsuite.page.AbstractPage;
 import org.keycloak.testsuite.util.IOUtil;
 import org.openqa.selenium.By;
 import org.w3c.dom.Document;
+import org.xml.sax.SAXException;
 
 import javax.ws.rs.client.Client;
 import javax.ws.rs.client.ClientBuilder;
 import javax.ws.rs.client.Entity;
+import javax.ws.rs.client.WebTarget;
 import javax.ws.rs.core.Form;
+import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.Response;
+import javax.xml.XMLConstants;
+import javax.xml.transform.Source;
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
+import javax.xml.validation.Validator;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.net.URI;
+import java.net.URL;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
@@ -724,6 +736,42 @@ public abstract class AbstractSAMLServletsAdapterTest extends AbstractServletsAd
         checkLoggedOut(employee2ServletPage, testRealmSAMLPostLoginPage);
     }
 
+    @Test
+    public void idpMetadataValidation() throws Exception {
+        driver.navigate().to(authServerPage.toString() + "/realms/" + SAMLSERVLETDEMO + "/protocol/saml/descriptor");
+        validateXMLWithSchema(driver.getPageSource(), "/adapter-test/keycloak-saml/metadata-schema/saml-schema-metadata-2.0.xsd");
+    }
+
+
+    @Test
+    public void spMetadataValidation() throws Exception {
+        ClientResource clientResource = ApiUtil.findClientResourceByClientId(testRealmResource(), "http://localhost:8081/sales-post-sig/");
+        ClientRepresentation representation = clientResource.toRepresentation();
+        Client client = ClientBuilder.newClient();
+        WebTarget target = client.target(authServerPage.toString() + "/admin/realms/" + SAMLSERVLETDEMO + "/clients/" + representation.getId() + "/installation/providers/saml-sp-descriptor");
+        Response response = target.request().header(HttpHeaders.AUTHORIZATION, "Bearer " + adminClient.tokenManager().getAccessToken().getToken()).get();
+        validateXMLWithSchema(response.readEntity(String.class), "/adapter-test/keycloak-saml/metadata-schema/saml-schema-metadata-2.0.xsd");
+        response.close();
+    }
+
+    private void validateXMLWithSchema(String xml, String schemaFileName) throws SAXException, IOException {
+        URL schemaFile = getClass().getResource(schemaFileName);
+
+        Source xmlFile = new StreamSource(new ByteArrayInputStream(xml.getBytes()), xml);
+        SchemaFactory schemaFactory = SchemaFactory
+                .newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+        Schema schema = schemaFactory.newSchema(schemaFile);
+        Validator validator = schema.newValidator();
+        try {
+            validator.validate(xmlFile);
+            System.out.println(xmlFile.getSystemId() + " is valid");
+        } catch (SAXException e) {
+            System.out.println(xmlFile.getSystemId() + " is NOT valid");
+            System.out.println("Reason: " + e.getLocalizedMessage());
+            Assert.fail();
+        }
+    }
+
     private void createProtocolMapper(ProtocolMappersResource resource, String name, String protocol, String protocolMapper, Map<String, String> config) {
         ProtocolMapperRepresentation representation = new ProtocolMapperRepresentation();
         representation.setName(name);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/metadata-schema/saml-schema-assertion-2.0.xsd b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/metadata-schema/saml-schema-assertion-2.0.xsd
new file mode 100644
index 0000000000..cdd365d885
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/metadata-schema/saml-schema-assertion-2.0.xsd
@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema
+        targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+        elementFormDefault="unqualified"
+        attributeFormDefault="unqualified"
+        blockDefault="substitution"
+        version="2.0">
+  <import namespace="http://www.w3.org/2000/09/xmldsig#"
+          schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
+  <import namespace="http://www.w3.org/2001/04/xmlenc#"
+          schemaLocation="http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd"/>
+  <annotation>
+    <documentation>
+      Document identifier: saml-schema-assertion-2.0
+      Location: http://docs.oasis-open.org/security/saml/v2.0/
+      Revision history:
+      V1.0 (November, 2002):
+      Initial Standard Schema.
+      V1.1 (September, 2003):
+      Updates within the same V1.0 namespace.
+      V2.0 (March, 2005):
+      New assertion schema for SAML V2.0 namespace.
+    </documentation>
+  </annotation>
+  <attributeGroup name="IDNameQualifiers">
+    <attribute name="NameQualifier" type="string" use="optional"/>
+    <attribute name="SPNameQualifier" type="string" use="optional"/>
+  </attributeGroup>
+  <element name="BaseID" type="saml:BaseIDAbstractType"/>
+  <complexType name="BaseIDAbstractType" abstract="true">
+    <attributeGroup ref="saml:IDNameQualifiers"/>
+  </complexType>
+  <element name="NameID" type="saml:NameIDType"/>
+  <complexType name="NameIDType">
+    <simpleContent>
+      <extension base="string">
+        <attributeGroup ref="saml:IDNameQualifiers"/>
+        <attribute name="Format" type="anyURI" use="optional"/>
+        <attribute name="SPProvidedID" type="string" use="optional"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+  <complexType name="EncryptedElementType">
+    <sequence>
+      <element ref="xenc:EncryptedData"/>
+      <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+  </complexType>
+  <element name="EncryptedID" type="saml:EncryptedElementType"/>
+  <element name="Issuer" type="saml:NameIDType"/>
+  <element name="AssertionIDRef" type="NCName"/>
+  <element name="AssertionURIRef" type="anyURI"/>
+  <element name="Assertion" type="saml:AssertionType"/>
+  <complexType name="AssertionType">
+    <sequence>
+      <element ref="saml:Issuer"/>
+      <element ref="ds:Signature" minOccurs="0"/>
+      <element ref="saml:Subject" minOccurs="0"/>
+      <element ref="saml:Conditions" minOccurs="0"/>
+      <element ref="saml:Advice" minOccurs="0"/>
+      <choice minOccurs="0" maxOccurs="unbounded">
+        <element ref="saml:Statement"/>
+        <element ref="saml:AuthnStatement"/>
+        <element ref="saml:AuthzDecisionStatement"/>
+        <element ref="saml:AttributeStatement"/>
+      </choice>
+    </sequence>
+    <attribute name="Version" type="string" use="required"/>
+    <attribute name="ID" type="ID" use="required"/>
+    <attribute name="IssueInstant" type="dateTime" use="required"/>
+  </complexType>
+  <element name="Subject" type="saml:SubjectType"/>
+  <complexType name="SubjectType">
+    <choice>
+      <sequence>
+        <choice>
+          <element ref="saml:BaseID"/>
+          <element ref="saml:NameID"/>
+          <element ref="saml:EncryptedID"/>
+        </choice>
+        <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
+      </sequence>
+      <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
+    </choice>
+  </complexType>
+  <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+  <complexType name="SubjectConfirmationType">
+    <sequence>
+      <choice minOccurs="0">
+        <element ref="saml:BaseID"/>
+        <element ref="saml:NameID"/>
+        <element ref="saml:EncryptedID"/>
+      </choice>
+      <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+    </sequence>
+    <attribute name="Method" type="anyURI" use="required"/>
+  </complexType>
+  <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
+  <complexType name="SubjectConfirmationDataType" mixed="true">
+    <complexContent>
+      <restriction base="anyType">
+        <sequence>
+          <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="NotBefore" type="dateTime" use="optional"/>
+        <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+        <attribute name="Recipient" type="anyURI" use="optional"/>
+        <attribute name="InResponseTo" type="NCName" use="optional"/>
+        <attribute name="Address" type="string" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+      </restriction>
+    </complexContent>
+  </complexType>
+  <complexType name="KeyInfoConfirmationDataType" mixed="false">
+    <complexContent>
+      <restriction base="saml:SubjectConfirmationDataType">
+        <sequence>
+          <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+        </sequence>
+      </restriction>
+    </complexContent>
+  </complexType>
+  <element name="Conditions" type="saml:ConditionsType"/>
+  <complexType name="ConditionsType">
+    <choice minOccurs="0" maxOccurs="unbounded">
+      <element ref="saml:Condition"/>
+      <element ref="saml:AudienceRestriction"/>
+      <element ref="saml:OneTimeUse"/>
+      <element ref="saml:ProxyRestriction"/>
+    </choice>
+    <attribute name="NotBefore" type="dateTime" use="optional"/>
+    <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+  </complexType>
+  <element name="Condition" type="saml:ConditionAbstractType"/>
+  <complexType name="ConditionAbstractType" abstract="true"/>
+  <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
+  <complexType name="AudienceRestrictionType">
+    <complexContent>
+      <extension base="saml:ConditionAbstractType">
+        <sequence>
+          <element ref="saml:Audience" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="Audience" type="anyURI"/>
+  <element name="OneTimeUse" type="saml:OneTimeUseType"/>
+  <complexType name="OneTimeUseType">
+    <complexContent>
+      <extension base="saml:ConditionAbstractType"/>
+    </complexContent>
+  </complexType>
+  <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
+  <complexType name="ProxyRestrictionType">
+    <complexContent>
+      <extension base="saml:ConditionAbstractType">
+        <sequence>
+          <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="Count" type="nonNegativeInteger" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="Advice" type="saml:AdviceType"/>
+  <complexType name="AdviceType">
+    <choice minOccurs="0" maxOccurs="unbounded">
+      <element ref="saml:AssertionIDRef"/>
+      <element ref="saml:AssertionURIRef"/>
+      <element ref="saml:Assertion"/>
+      <element ref="saml:EncryptedAssertion"/>
+      <any namespace="##other" processContents="lax"/>
+    </choice>
+  </complexType>
+  <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
+  <element name="Statement" type="saml:StatementAbstractType"/>
+  <complexType name="StatementAbstractType" abstract="true"/>
+  <element name="AuthnStatement" type="saml:AuthnStatementType"/>
+  <complexType name="AuthnStatementType">
+    <complexContent>
+      <extension base="saml:StatementAbstractType">
+        <sequence>
+          <element ref="saml:SubjectLocality" minOccurs="0"/>
+          <element ref="saml:AuthnContext"/>
+        </sequence>
+        <attribute name="AuthnInstant" type="dateTime" use="required"/>
+        <attribute name="SessionIndex" type="string" use="optional"/>
+        <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+  <complexType name="SubjectLocalityType">
+    <attribute name="Address" type="string" use="optional"/>
+    <attribute name="DNSName" type="string" use="optional"/>
+  </complexType>
+  <element name="AuthnContext" type="saml:AuthnContextType"/>
+  <complexType name="AuthnContextType">
+    <sequence>
+      <choice>
+        <sequence>
+          <element ref="saml:AuthnContextClassRef"/>
+          <choice minOccurs="0">
+            <element ref="saml:AuthnContextDecl"/>
+            <element ref="saml:AuthnContextDeclRef"/>
+          </choice>
+        </sequence>
+        <choice>
+          <element ref="saml:AuthnContextDecl"/>
+          <element ref="saml:AuthnContextDeclRef"/>
+        </choice>
+      </choice>
+      <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+  </complexType>
+  <element name="AuthnContextClassRef" type="anyURI"/>
+  <element name="AuthnContextDeclRef" type="anyURI"/>
+  <element name="AuthnContextDecl" type="anyType"/>
+  <element name="AuthenticatingAuthority" type="anyURI"/>
+  <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
+  <complexType name="AuthzDecisionStatementType">
+    <complexContent>
+      <extension base="saml:StatementAbstractType">
+        <sequence>
+          <element ref="saml:Action" maxOccurs="unbounded"/>
+          <element ref="saml:Evidence" minOccurs="0"/>
+        </sequence>
+        <attribute name="Resource" type="anyURI" use="required"/>
+        <attribute name="Decision" type="saml:DecisionType" use="required"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <simpleType name="DecisionType">
+    <restriction base="string">
+      <enumeration value="Permit"/>
+      <enumeration value="Deny"/>
+      <enumeration value="Indeterminate"/>
+    </restriction>
+  </simpleType>
+  <element name="Action" type="saml:ActionType"/>
+  <complexType name="ActionType">
+    <simpleContent>
+      <extension base="string">
+        <attribute name="Namespace" type="anyURI" use="required"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+  <element name="Evidence" type="saml:EvidenceType"/>
+  <complexType name="EvidenceType">
+    <choice maxOccurs="unbounded">
+      <element ref="saml:AssertionIDRef"/>
+      <element ref="saml:AssertionURIRef"/>
+      <element ref="saml:Assertion"/>
+      <element ref="saml:EncryptedAssertion"/>
+    </choice>
+  </complexType>
+  <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+  <complexType name="AttributeStatementType">
+    <complexContent>
+      <extension base="saml:StatementAbstractType">
+        <choice maxOccurs="unbounded">
+          <element ref="saml:Attribute"/>
+          <element ref="saml:EncryptedAttribute"/>
+        </choice>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="Attribute" type="saml:AttributeType"/>
+  <complexType name="AttributeType">
+    <sequence>
+      <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="Name" type="string" use="required"/>
+    <attribute name="NameFormat" type="anyURI" use="optional"/>
+    <attribute name="FriendlyName" type="string" use="optional"/>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+  <element name="AttributeValue" type="anyType" nillable="true"/>
+  <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
+</schema>
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/metadata-schema/saml-schema-metadata-2.0.xsd b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/metadata-schema/saml-schema-metadata-2.0.xsd
new file mode 100644
index 0000000000..5c8d217190
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/metadata-schema/saml-schema-metadata-2.0.xsd
@@ -0,0 +1,337 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+        targetNamespace="urn:oasis:names:tc:SAML:2.0:metadata"
+        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        elementFormDefault="unqualified"
+        attributeFormDefault="unqualified"
+        blockDefault="substitution"
+        version="2.0">
+  <import namespace="http://www.w3.org/2000/09/xmldsig#"
+          schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
+  <import namespace="http://www.w3.org/2001/04/xmlenc#"
+          schemaLocation="http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd"/>
+  <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+          schemaLocation="saml-schema-assertion-2.0.xsd"/>
+  <import namespace="http://www.w3.org/XML/1998/namespace"
+          schemaLocation="http://www.w3.org/2001/xml.xsd"/>
+  <annotation>
+    <documentation>
+      Document identifier: saml-schema-metadata-2.0
+      Location: http://docs.oasis-open.org/security/saml/v2.0/
+      Revision history:
+      V2.0 (March, 2005):
+      Schema for SAML metadata, first published in SAML 2.0.
+    </documentation>
+  </annotation>
+
+  <simpleType name="entityIDType">
+    <restriction base="anyURI">
+      <maxLength value="1024"/>
+    </restriction>
+  </simpleType>
+  <complexType name="localizedNameType">
+    <simpleContent>
+      <extension base="string">
+        <attribute ref="xml:lang" use="required"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+  <complexType name="localizedURIType">
+    <simpleContent>
+      <extension base="anyURI">
+        <attribute ref="xml:lang" use="required"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+
+  <element name="Extensions" type="md:ExtensionsType"/>
+  <complexType final="#all" name="ExtensionsType">
+    <sequence>
+      <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+    </sequence>
+  </complexType>
+
+  <complexType name="EndpointType">
+    <sequence>
+      <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="Binding" type="anyURI" use="required"/>
+    <attribute name="Location" type="anyURI" use="required"/>
+    <attribute name="ResponseLocation" type="anyURI" use="optional"/>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+
+  <complexType name="IndexedEndpointType">
+    <complexContent>
+      <extension base="md:EndpointType">
+        <attribute name="index" type="unsignedShort" use="required"/>
+        <attribute name="isDefault" type="boolean" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+
+  <element name="EntitiesDescriptor" type="md:EntitiesDescriptorType"/>
+  <complexType name="EntitiesDescriptorType">
+    <sequence>
+      <element ref="ds:Signature" minOccurs="0"/>
+      <element ref="md:Extensions" minOccurs="0"/>
+      <choice minOccurs="1" maxOccurs="unbounded">
+        <element ref="md:EntityDescriptor"/>
+        <element ref="md:EntitiesDescriptor"/>
+      </choice>
+    </sequence>
+    <attribute name="validUntil" type="dateTime" use="optional"/>
+    <attribute name="cacheDuration" type="duration" use="optional"/>
+    <attribute name="ID" type="ID" use="optional"/>
+    <attribute name="Name" type="string" use="optional"/>
+  </complexType>
+
+  <element name="EntityDescriptor" type="md:EntityDescriptorType"/>
+  <complexType name="EntityDescriptorType">
+    <sequence>
+      <element ref="ds:Signature" minOccurs="0"/>
+      <element ref="md:Extensions" minOccurs="0"/>
+      <choice>
+        <choice maxOccurs="unbounded">
+          <element ref="md:RoleDescriptor"/>
+          <element ref="md:IDPSSODescriptor"/>
+          <element ref="md:SPSSODescriptor"/>
+          <element ref="md:AuthnAuthorityDescriptor"/>
+          <element ref="md:AttributeAuthorityDescriptor"/>
+          <element ref="md:PDPDescriptor"/>
+        </choice>
+        <element ref="md:AffiliationDescriptor"/>
+      </choice>
+      <element ref="md:Organization" minOccurs="0"/>
+      <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+      <element ref="md:AdditionalMetadataLocation" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="entityID" type="md:entityIDType" use="required"/>
+    <attribute name="validUntil" type="dateTime" use="optional"/>
+    <attribute name="cacheDuration" type="duration" use="optional"/>
+    <attribute name="ID" type="ID" use="optional"/>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+
+  <element name="Organization" type="md:OrganizationType"/>
+  <complexType name="OrganizationType">
+    <sequence>
+      <element ref="md:Extensions" minOccurs="0"/>
+      <element ref="md:OrganizationName" maxOccurs="unbounded"/>
+      <element ref="md:OrganizationDisplayName" maxOccurs="unbounded"/>
+      <element ref="md:OrganizationURL" maxOccurs="unbounded"/>
+    </sequence>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+  <element name="OrganizationName" type="md:localizedNameType"/>
+  <element name="OrganizationDisplayName" type="md:localizedNameType"/>
+  <element name="OrganizationURL" type="md:localizedURIType"/>
+  <element name="ContactPerson" type="md:ContactType"/>
+  <complexType name="ContactType">
+    <sequence>
+      <element ref="md:Extensions" minOccurs="0"/>
+      <element ref="md:Company" minOccurs="0"/>
+      <element ref="md:GivenName" minOccurs="0"/>
+      <element ref="md:SurName" minOccurs="0"/>
+      <element ref="md:EmailAddress" minOccurs="0" maxOccurs="unbounded"/>
+      <element ref="md:TelephoneNumber" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="contactType" type="md:ContactTypeType" use="required"/>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+  <element name="Company" type="string"/>
+  <element name="GivenName" type="string"/>
+  <element name="SurName" type="string"/>
+  <element name="EmailAddress" type="anyURI"/>
+  <element name="TelephoneNumber" type="string"/>
+  <simpleType name="ContactTypeType">
+    <restriction base="string">
+      <enumeration value="technical"/>
+      <enumeration value="support"/>
+      <enumeration value="administrative"/>
+      <enumeration value="billing"/>
+      <enumeration value="other"/>
+    </restriction>
+  </simpleType>
+
+  <element name="AdditionalMetadataLocation" type="md:AdditionalMetadataLocationType"/>
+  <complexType name="AdditionalMetadataLocationType">
+    <simpleContent>
+      <extension base="anyURI">
+        <attribute name="namespace" type="anyURI" use="required"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+
+  <element name="RoleDescriptor" type="md:RoleDescriptorType"/>
+  <complexType name="RoleDescriptorType" abstract="true">
+    <sequence>
+      <element ref="ds:Signature" minOccurs="0"/>
+      <element ref="md:Extensions" minOccurs="0"/>
+      <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+      <element ref="md:Organization" minOccurs="0"/>
+      <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="ID" type="ID" use="optional"/>
+    <attribute name="validUntil" type="dateTime" use="optional"/>
+    <attribute name="cacheDuration" type="duration" use="optional"/>
+    <attribute name="protocolSupportEnumeration" type="md:anyURIListType" use="required"/>
+    <attribute name="errorURL" type="anyURI" use="optional"/>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+  <simpleType name="anyURIListType">
+    <list itemType="anyURI"/>
+  </simpleType>
+
+  <element name="KeyDescriptor" type="md:KeyDescriptorType"/>
+  <complexType name="KeyDescriptorType">
+    <sequence>
+      <element ref="ds:KeyInfo"/>
+      <element ref="md:EncryptionMethod" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="use" type="md:KeyTypes" use="optional"/>
+  </complexType>
+  <simpleType name="KeyTypes">
+    <restriction base="string">
+      <enumeration value="encryption"/>
+      <enumeration value="signing"/>
+    </restriction>
+  </simpleType>
+  <element name="EncryptionMethod" type="xenc:EncryptionMethodType"/>
+
+  <complexType name="SSODescriptorType" abstract="true">
+    <complexContent>
+      <extension base="md:RoleDescriptorType">
+        <sequence>
+          <element ref="md:ArtifactResolutionService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:SingleLogoutService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:ManageNameIDService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="ArtifactResolutionService" type="md:IndexedEndpointType"/>
+  <element name="SingleLogoutService" type="md:EndpointType"/>
+  <element name="ManageNameIDService" type="md:EndpointType"/>
+  <element name="NameIDFormat" type="anyURI"/>
+
+  <element name="IDPSSODescriptor" type="md:IDPSSODescriptorType"/>
+  <complexType name="IDPSSODescriptorType">
+    <complexContent>
+      <extension base="md:SSODescriptorType">
+        <sequence>
+          <element ref="md:SingleSignOnService" maxOccurs="unbounded"/>
+          <element ref="md:NameIDMappingService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="WantAuthnRequestsSigned" type="boolean" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="SingleSignOnService" type="md:EndpointType"/>
+  <element name="NameIDMappingService" type="md:EndpointType"/>
+  <element name="AssertionIDRequestService" type="md:EndpointType"/>
+  <element name="AttributeProfile" type="anyURI"/>
+
+  <element name="SPSSODescriptor" type="md:SPSSODescriptorType"/>
+  <complexType name="SPSSODescriptorType">
+    <complexContent>
+      <extension base="md:SSODescriptorType">
+        <sequence>
+          <element ref="md:AssertionConsumerService" maxOccurs="unbounded"/>
+          <element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="AuthnRequestsSigned" type="boolean" use="optional"/>
+        <attribute name="WantAssertionsSigned" type="boolean" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AssertionConsumerService" type="md:IndexedEndpointType"/>
+  <element name="AttributeConsumingService" type="md:AttributeConsumingServiceType"/>
+  <complexType name="AttributeConsumingServiceType">
+    <sequence>
+      <element ref="md:ServiceName" maxOccurs="unbounded"/>
+      <element ref="md:ServiceDescription" minOccurs="0" maxOccurs="unbounded"/>
+      <element ref="md:RequestedAttribute" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="index" type="unsignedShort" use="required"/>
+    <attribute name="isDefault" type="boolean" use="optional"/>
+  </complexType>
+  <element name="ServiceName" type="md:localizedNameType"/>
+  <element name="ServiceDescription" type="md:localizedNameType"/>
+  <element name="RequestedAttribute" type="md:RequestedAttributeType"/>
+  <complexType name="RequestedAttributeType">
+    <complexContent>
+      <extension base="saml:AttributeType">
+        <attribute name="isRequired" type="boolean" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+
+  <element name="AuthnAuthorityDescriptor" type="md:AuthnAuthorityDescriptorType"/>
+  <complexType name="AuthnAuthorityDescriptorType">
+    <complexContent>
+      <extension base="md:RoleDescriptorType">
+        <sequence>
+          <element ref="md:AuthnQueryService" maxOccurs="unbounded"/>
+          <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AuthnQueryService" type="md:EndpointType"/>
+
+  <element name="PDPDescriptor" type="md:PDPDescriptorType"/>
+  <complexType name="PDPDescriptorType">
+    <complexContent>
+      <extension base="md:RoleDescriptorType">
+        <sequence>
+          <element ref="md:AuthzService" maxOccurs="unbounded"/>
+          <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AuthzService" type="md:EndpointType"/>
+
+  <element name="AttributeAuthorityDescriptor" type="md:AttributeAuthorityDescriptorType"/>
+  <complexType name="AttributeAuthorityDescriptorType">
+    <complexContent>
+      <extension base="md:RoleDescriptorType">
+        <sequence>
+          <element ref="md:AttributeService" maxOccurs="unbounded"/>
+          <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AttributeService" type="md:EndpointType"/>
+
+  <element name="AffiliationDescriptor" type="md:AffiliationDescriptorType"/>
+  <complexType name="AffiliationDescriptorType">
+    <sequence>
+      <element ref="ds:Signature" minOccurs="0"/>
+      <element ref="md:Extensions" minOccurs="0"/>
+      <element ref="md:AffiliateMember" maxOccurs="unbounded"/>
+      <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="affiliationOwnerID" type="md:entityIDType" use="required"/>
+    <attribute name="validUntil" type="dateTime" use="optional"/>
+    <attribute name="cacheDuration" type="duration" use="optional"/>
+    <attribute name="ID" type="ID" use="optional"/>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+  <element name="AffiliateMember" type="md:entityIDType"/>
+</schema>