From 5f20df00d04c14fa4896fb0d88a72b8fbec78f43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Skj=C3=B8lberg?= <thomas.skjolberg@gmail.com>
Date: Fri, 26 May 2017 21:37:45 +0200
Subject: [PATCH] [KEYCLOAK-4979] Move picketlink schema, fix resolver and some
 related tests

---
 .../core/util/IDFedLSInputResolver.java       |  76 +-
 .../core/util/SchemaManagerUtil.java          |   4 +-
 .../oasis-sstc-saml-schema-assertion-1.1.xsd  | 225 +++++
 .../saml/v1/saml-schema-assertion-1.0.xsd     | 227 +++++
 .../saml/v1/saml-schema-protocol-1.1.xsd      | 153 ++++
 ...rol-xacml-2.0-saml-assertion-schema-os.xsd |  54 ++
 ...trol-xacml-2.0-saml-protocol-schema-os.xsd |  63 ++
 .../saml/v2/saml-schema-assertion-2.0.xsd     | 283 ++++++
 .../saml/v2/saml-schema-authn-context-2.0.xsd |  23 +
 ...chema-authn-context-auth-telephony-2.0.xsd |  81 ++
 .../v2/saml-schema-authn-context-ip-2.0.xsd   |  65 ++
 .../saml-schema-authn-context-ippword-2.0.xsd |  66 ++
 ...saml-schema-authn-context-kerberos-2.0.xsd |  83 ++
 ...-authn-context-mobileonefactor-reg-2.0.xsd | 186 ++++
 ...uthn-context-mobileonefactor-unreg-2.0.xsd | 183 ++++
 ...-authn-context-mobiletwofactor-reg-2.0.xsd | 202 +++++
 ...uthn-context-mobiletwofactor-unreg-2.0.xsd | 200 +++++
 ...hema-authn-context-nomad-telephony-2.0.xsd |  81 ++
 ...a-authn-context-personal-telephony-2.0.xsd |  80 ++
 .../v2/saml-schema-authn-context-pgp-2.0.xsd  |  83 ++
 .../v2/saml-schema-authn-context-ppt-2.0.xsd  |  81 ++
 .../saml-schema-authn-context-pword-2.0.xsd   |  64 ++
 .../saml-schema-authn-context-session-2.0.xsd |  64 ++
 ...aml-schema-authn-context-smartcard-2.0.xsd |  64 ++
 ...-schema-authn-context-smartcardpki-2.0.xsd | 129 +++
 ...l-schema-authn-context-softwarepki-2.0.xsd | 129 +++
 .../v2/saml-schema-authn-context-spki-2.0.xsd |  83 ++
 .../v2/saml-schema-authn-context-srp-2.0.xsd  |  82 ++
 .../saml-schema-authn-context-sslcert-2.0.xsd |  97 +++
 ...aml-schema-authn-context-telephony-2.0.xsd |  79 ++
 ...saml-schema-authn-context-timesync-2.0.xsd | 105 +++
 .../saml-schema-authn-context-types-2.0.xsd   | 823 ++++++++++++++++++
 .../v2/saml-schema-authn-context-x509-2.0.xsd |  83 ++
 .../saml-schema-authn-context-xmldsig-2.0.xsd |  83 ++
 .../schema/saml/v2/saml-schema-dce-2.0.xsd    |  29 +
 .../schema/saml/v2/saml-schema-ecp-2.0.xsd    |  57 ++
 .../saml/v2/saml-schema-metadata-2.0.xsd      | 337 +++++++
 .../saml/v2/saml-schema-protocol-2.0.xsd      | 302 +++++++
 .../schema/saml/v2/saml-schema-x500-2.0.xsd   |  20 +
 .../schema/saml/v2/saml-schema-xacml-2.0.xsd  |  19 +
 .../w3c/xmldsig/xmldsig-core-schema.xsd       | 319 +++++++
 .../schema/w3c/xmlenc/xenc-schema.xsd         | 154 ++++
 .../schema/w3c/xmlschema/XMLSchema.dtd        | 402 +++++++++
 .../schema/w3c/xmlschema/datatypes.dtd        | 203 +++++
 .../resources/schema/w3c/xmlschema/xml.xsd    | 124 +++
 ...oasis-200401-wss-wssecurity-secext-1.0.xsd | 210 +++++
 ...asis-200401-wss-wssecurity-utility-1.0.xsd | 109 +++
 .../resources/schema/wstrust/v1_3/ws-addr.xsd | 140 +++
 .../schema/wstrust/v1_3/ws-policy.xsd         | 117 +++
 .../schema/wstrust/v1_3/ws-trust-1.3.xsd      | 444 ++++++++++
 ...ss_control-xacml-2.0-context-schema-os.xsd | 135 +++
 ...ess_control-xacml-2.0-policy-schema-os.xsd | 380 ++++++++
 .../core/util/IDFedLSInputResolverTest.java   |  77 ++
 .../testsuite/saml/ValidationTest.java        |  97 +--
 54 files changed, 7967 insertions(+), 92 deletions(-)
 create mode 100644 saml-core/src/main/resources/schema/saml/v1/oasis-sstc-saml-schema-assertion-1.1.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v1/saml-schema-assertion-1.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v1/saml-schema-protocol-1.1.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/access_control-xacml-2.0-saml-assertion-schema-os.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/access_control-xacml-2.0-saml-protocol-schema-os.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-assertion-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-auth-telephony-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-ip-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-ippword-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-kerberos-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobileonefactor-reg-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobileonefactor-unreg-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobiletwofactor-reg-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobiletwofactor-unreg-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-nomad-telephony-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-personal-telephony-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-pgp-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-ppt-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-pword-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-session-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-smartcard-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-smartcardpki-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-softwarepki-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-spki-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-srp-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-sslcert-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-telephony-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-timesync-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-types-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-x509-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-xmldsig-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-dce-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-ecp-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-metadata-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-protocol-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-x500-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/saml/v2/saml-schema-xacml-2.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/w3c/xmldsig/xmldsig-core-schema.xsd
 create mode 100644 saml-core/src/main/resources/schema/w3c/xmlenc/xenc-schema.xsd
 create mode 100644 saml-core/src/main/resources/schema/w3c/xmlschema/XMLSchema.dtd
 create mode 100644 saml-core/src/main/resources/schema/w3c/xmlschema/datatypes.dtd
 create mode 100644 saml-core/src/main/resources/schema/w3c/xmlschema/xml.xsd
 create mode 100644 saml-core/src/main/resources/schema/wstrust/v1_3/oasis-200401-wss-wssecurity-secext-1.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/wstrust/v1_3/oasis-200401-wss-wssecurity-utility-1.0.xsd
 create mode 100644 saml-core/src/main/resources/schema/wstrust/v1_3/ws-addr.xsd
 create mode 100644 saml-core/src/main/resources/schema/wstrust/v1_3/ws-policy.xsd
 create mode 100644 saml-core/src/main/resources/schema/wstrust/v1_3/ws-trust-1.3.xsd
 create mode 100644 saml-core/src/main/resources/schema/xacml/access_control-xacml-2.0-context-schema-os.xsd
 create mode 100644 saml-core/src/main/resources/schema/xacml/access_control-xacml-2.0-policy-schema-os.xsd
 create mode 100644 saml-core/src/test/java/org/keycloak/saml/processing/core/util/IDFedLSInputResolverTest.java

diff --git a/saml-core/src/main/java/org/keycloak/saml/processing/core/util/IDFedLSInputResolver.java b/saml-core/src/main/java/org/keycloak/saml/processing/core/util/IDFedLSInputResolver.java
index 41a54b0df7..c5c3c95ddf 100755
--- a/saml-core/src/main/java/org/keycloak/saml/processing/core/util/IDFedLSInputResolver.java
+++ b/saml-core/src/main/java/org/keycloak/saml/processing/core/util/IDFedLSInputResolver.java
@@ -16,21 +16,19 @@
  */
 package org.keycloak.saml.processing.core.util;
 
-import org.keycloak.saml.common.PicketLinkLogger;
-import org.keycloak.saml.common.PicketLinkLoggerFactory;
-import org.keycloak.saml.common.util.StringUtil;
-import org.w3c.dom.ls.LSInput;
-import org.w3c.dom.ls.LSResourceResolver;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.Reader;
 import java.net.URL;
 import java.util.Collection;
-import java.util.HashMap;
+import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
 
+import org.jboss.logging.Logger;
+import org.w3c.dom.ls.LSInput;
+import org.w3c.dom.ls.LSResourceResolver;
+
 /**
  * An LSResource Resolver for schema validation
  *
@@ -39,22 +37,22 @@ import java.util.Map;
  */
 public class IDFedLSInputResolver implements LSResourceResolver {
 
-    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+    protected static final Logger logger = Logger.getLogger(IDFedLSInputResolver.class);
 
-    private static Map<String, LSInput> lsmap = new HashMap<String, LSInput>();
-
-    private static Map<String, String> schemaLocationMap = new LinkedHashMap<String, String>();
+    private static Map<String, String> schemaLocationMap = new LinkedHashMap<String, String>(); // thread safe for reading
 
     static {
         // XML Schema/DTD
         schemaLocationMap.put("datatypes.dtd", "schema/w3c/xmlschema/datatypes.dtd");
         schemaLocationMap.put("XMLSchema.dtd", "schema/w3c/xmlschema/XMLSchema.dtd");
+        schemaLocationMap.put("http://www.w3.org/2001/XMLSchema.dtd", "schema/w3c/xmlschema/XMLSchema.dtd");        
         schemaLocationMap.put("http://www.w3.org/2001/xml.xsd", "schema/w3c/xmlschema/xml.xsd");
 
         // XML DSIG
         schemaLocationMap.put("http://www.w3.org/2000/09/xmldsig#", "schema/w3c/xmldsig/xmldsig-core-schema.xsd");
         schemaLocationMap.put("http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd",
                 "schema/w3c/xmldsig/xmldsig-core-schema.xsd");
+        schemaLocationMap.put("http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd", "schema/w3c/xmldsig/xmldsig-core-schema.xsd");
 
         // XML Enc
         schemaLocationMap.put("http://www.w3.org/2001/04/xmlenc#", "schema/w3c/xmlenc/xenc-schema.xsd");
@@ -63,14 +61,17 @@ public class IDFedLSInputResolver implements LSResourceResolver {
 
         // XACML
         schemaLocationMap.put("access_control-xacml-2.0-context-schema-os.xsd",
-                "schema/access_control-xacml-2.0-context-schema-os.xsd");
+                "schema/xacml/access_control-xacml-2.0-context-schema-os.xsd");
+        schemaLocationMap.put("http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd",
+                "schema/xacml/access_control-xacml-2.0-context-schema-os.xsd");        
         schemaLocationMap.put("access_control-xacml-2.0-policy-schema-os.xsd",
-                "schema/access_control-xacml-2.0-policy-schema-os.xsd");
+                "schema/xacml/access_control-xacml-2.0-policy-schema-os.xsd");
 
         // SAML
-
         schemaLocationMap.put("saml-schema-assertion-2.0.xsd", "schema/saml/v2/saml-schema-assertion-2.0.xsd");
+        schemaLocationMap.put("http://www.oasis-open.org/committees/download.php/11027/sstc-saml-schema-assertion-2.0.xsd", "schema/saml/v2/saml-schema-assertion-2.0.xsd");
         schemaLocationMap.put("saml-schema-protocol-2.0.xsd", "schema/saml/v2/saml-schema-protocol-2.0.xsd");
+        schemaLocationMap.put("http://www.oasis-open.org/committees/download.php/11026/sstc-saml-schema-protocol-2.0.xsd", "schema/saml/v2/saml-schema-protocol-2.0.xsd");
         schemaLocationMap.put("saml-schema-metadata-2.0.xsd", "schema/saml/v2/saml-schema-metadata-2.0.xsd");
         schemaLocationMap.put("saml-schema-x500-2.0.xsd", "schema/saml/v2/saml-schema-x500-2.0.xsd");
         schemaLocationMap.put("saml-schema-xacml-2.0.xsd", "schema/saml/v2/saml-schema-xacml-2.0.xsd");
@@ -89,7 +90,8 @@ public class IDFedLSInputResolver implements LSResourceResolver {
 
         schemaLocationMap.put("access_control-xacml-2.0-saml-protocol-schema-os.xsd",
                 "schema/saml/v2/access_control-xacml-2.0-saml-protocol-schema-os.xsd");
-
+        
+        
         // WS-T
         schemaLocationMap.put("http://docs.oasis-open.org/ws-sx/ws-trust/200512", "schema/wstrust/v1_3/ws-trust-1.3.xsd");
         schemaLocationMap.put("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
@@ -97,42 +99,33 @@ public class IDFedLSInputResolver implements LSResourceResolver {
         schemaLocationMap.put("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
                 "schema/wstrust/v1_3/oasis-200401-wss-wssecurity-utility-1.0.xsd");
         schemaLocationMap.put("http://schemas.xmlsoap.org/ws/2004/09/policy", "schema/wstrust/v1_3/ws-policy.xsd");
+        schemaLocationMap.put("http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd", "schema/wstrust/v1_3/ws-policy.xsd");
         schemaLocationMap.put("http://www.w3.org/2005/08/addressing", "schema/wstrust/v1_3/ws-addr.xsd");
+        schemaLocationMap.put("http://www.w3.org/2006/03/addressing/ws-addr.xsd", "schema/wstrust/v1_3/ws-addr.xsd");
     }
 
     public static Collection<String> schemas() {
-        Collection<String> schemaValues = schemaLocationMap.values();
+        Collection<String> schemaValues = new HashSet<String>(schemaLocationMap.values());
         schemaValues.remove("schema/w3c/xmlschema/datatypes.dtd");
         schemaValues.remove("schema/w3c/xmlschema/XMLSchema.dtd");
         logger.info("Considered the schemas:" + schemaValues);
         return schemaValues;
     }
 
-    public LSInput resolveResource(String type, String namespaceURI, final String publicId, final String systemId,
-                                   final String baseURI) {
-        LSInput lsi = null;
-        if (systemId == null)
-            throw logger.nullValueError("systemid");
-        if (StringUtil.isNotNull(systemId) && systemId.endsWith("dtd") && StringUtil.isNotNull(baseURI)) {
-            lsi = lsmap.get(baseURI);
+    public IDFedLSInput resolveResource(String type, String namespaceURI, final String publicId, final String systemId, final String baseURI) {
+        if (systemId == null) {
+            throw new IllegalArgumentException("Expected systemId");
         }
-        if (lsi == null)
-            lsi = lsmap.get(systemId);
-        if (lsi == null) {
-            final String loc = schemaLocationMap.get(systemId);
-            if (loc == null)
-                return null;
-
-            lsi = new PicketLinkLSInput(baseURI, loc, publicId, systemId);
-
-            logger.trace("Loaded:" + lsi);
-
-            lsmap.put(systemId, lsi);
+        
+        final String loc = schemaLocationMap.get(systemId);
+        if (loc == null) {
+            return null;
         }
-        return lsi;
+        
+        return new IDFedLSInput(baseURI, loc, publicId, systemId);
     }
 
-    public static class PicketLinkLSInput implements LSInput {
+    public static class IDFedLSInput implements LSInput {
 
         private final String baseURI;
 
@@ -142,7 +135,7 @@ public class IDFedLSInputResolver implements LSResourceResolver {
 
         private final String systemId;
 
-        public PicketLinkLSInput(String baseURI, String loc, String publicID, String systemID) {
+        public IDFedLSInput(String baseURI, String loc, String publicID, String systemID) {
             this.baseURI = baseURI;
             this.loc = loc;
             this.publicId = publicID;
@@ -159,10 +152,11 @@ public class IDFedLSInputResolver implements LSResourceResolver {
             try {
                 is = url.openStream();
             } catch (IOException e) {
-                throw new RuntimeException(logger.classNotLoadedError(loc));
+                throw new RuntimeException(e);
+            }
+            if (is == null) {
+                throw new RuntimeException("inputstream is null for " + loc);
             }
-            if (is == null)
-                throw logger.nullValueError("inputstream is null for " + loc);
             return is;
         }
 
diff --git a/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SchemaManagerUtil.java b/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SchemaManagerUtil.java
index f1ffbbfcff..d73c85c4ba 100755
--- a/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SchemaManagerUtil.java
+++ b/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SchemaManagerUtil.java
@@ -51,8 +51,8 @@ public class SchemaManagerUtil {
     public static List<String> getXACMLSchemas() {
         List<String> list = new ArrayList<String>();
 
-        list.add("schema/access_control-xacml-2.0-policy-schema-os.xsd");
-        list.add("schema/access_control-xacml-2.0-context-schema-os.xsd");
+        list.add("schema/xacml/access_control-xacml-2.0-policy-schema-os.xsd");
+        list.add("schema/xacml/access_control-xacml-2.0-context-schema-os.xsd");
         return list;
     }
 
diff --git a/saml-core/src/main/resources/schema/saml/v1/oasis-sstc-saml-schema-assertion-1.1.xsd b/saml-core/src/main/resources/schema/saml/v1/oasis-sstc-saml-schema-assertion-1.1.xsd
new file mode 100644
index 0000000000..7d7aa166c6
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v1/oasis-sstc-saml-schema-assertion-1.1.xsd
@@ -0,0 +1,225 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema targetNamespace="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns="http://www.w3.org/2001/XMLSchema"
+        elementFormDefault="unqualified" attributeFormDefault="unqualified" version="1.1">
+  <import namespace="http://www.w3.org/2000/09/xmldsig#"
+          schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
+  <annotation>
+    <documentation>
+      Document identifier: oasis-sstc-saml-schema-assertion-1.1
+      Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
+      Revision history:
+      V1.0 (November, 2002):
+      Initial standard schema.
+      V1.1 (September, 2003):
+      * Note that V1.1 of this schema has the same XML namespace as V1.0.
+      Rebased ID content directly on XML Schema types
+      Added DoNotCacheCondition element and DoNotCacheConditionType
+    </documentation>
+  </annotation>
+  <simpleType name="DecisionType">
+    <restriction base="string">
+
+      <enumeration value="Permit"/>
+      <enumeration value="Deny"/>
+      <enumeration value="Indeterminate"/>
+    </restriction>
+  </simpleType>
+  <element name="AssertionIDReference" type="NCName"/>
+  <element name="Assertion" type="saml:AssertionType"/>
+  <complexType name="AssertionType">
+    <sequence>
+
+      <element ref="saml:Conditions" minOccurs="0"/>
+      <element ref="saml:Advice" minOccurs="0"/>
+      <choice maxOccurs="unbounded">
+        <element ref="saml:Statement"/>
+        <element ref="saml:SubjectStatement"/>
+        <element ref="saml:AuthenticationStatement"/>
+        <element ref="saml:AuthorizationDecisionStatement"/>
+        <element ref="saml:AttributeStatement"/>
+      </choice>
+
+      <element ref="ds:Signature" minOccurs="0"/>
+    </sequence>
+    <attribute name="MajorVersion" type="integer" use="required"/>
+    <attribute name="MinorVersion" type="integer" use="required"/>
+    <attribute name="AssertionID" type="ID" use="required"/>
+    <attribute name="Issuer" type="string" use="required"/>
+    <attribute name="IssueInstant" type="dateTime" use="required"/>
+  </complexType>
+  <element name="Conditions" type="saml:ConditionsType"/>
+
+  <complexType name="ConditionsType">
+    <choice minOccurs="0" maxOccurs="unbounded">
+      <element ref="saml:AudienceRestrictionCondition"/>
+      <element ref="saml:DoNotCacheCondition"/>
+      <element ref="saml:Condition"/>
+    </choice>
+    <attribute name="NotBefore" type="dateTime" use="optional"/>
+    <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+  </complexType>
+
+  <element name="Condition" type="saml:ConditionAbstractType"/>
+  <complexType name="ConditionAbstractType" abstract="true"/>
+  <element name="AudienceRestrictionCondition" type="saml:AudienceRestrictionConditionType"/>
+  <complexType name="AudienceRestrictionConditionType">
+    <complexContent>
+      <extension base="saml:ConditionAbstractType">
+        <sequence>
+          <element ref="saml:Audience" maxOccurs="unbounded"/>
+        </sequence>
+
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="Audience" type="anyURI"/>
+  <element name="DoNotCacheCondition" type="saml:DoNotCacheConditionType"/>
+  <complexType name="DoNotCacheConditionType">
+    <complexContent>
+      <extension base="saml:ConditionAbstractType"/>
+    </complexContent>
+
+  </complexType>
+  <element name="Advice" type="saml:AdviceType"/>
+  <complexType name="AdviceType">
+    <choice minOccurs="0" maxOccurs="unbounded">
+      <element ref="saml:AssertionIDReference"/>
+      <element ref="saml:Assertion"/>
+      <any namespace="##other" processContents="lax"/>
+    </choice>
+  </complexType>
+
+  <element name="Statement" type="saml:StatementAbstractType"/>
+  <complexType name="StatementAbstractType" abstract="true"/>
+  <element name="SubjectStatement" type="saml:SubjectStatementAbstractType"/>
+  <complexType name="SubjectStatementAbstractType" abstract="true">
+    <complexContent>
+      <extension base="saml:StatementAbstractType">
+        <sequence>
+          <element ref="saml:Subject"/>
+        </sequence>
+
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="Subject" type="saml:SubjectType"/>
+  <complexType name="SubjectType">
+    <choice>
+      <sequence>
+        <element ref="saml:NameIdentifier"/>
+        <element ref="saml:SubjectConfirmation" minOccurs="0"/>
+
+      </sequence>
+      <element ref="saml:SubjectConfirmation"/>
+    </choice>
+  </complexType>
+  <element name="NameIdentifier" type="saml:NameIdentifierType"/>
+  <complexType name="NameIdentifierType">
+    <simpleContent>
+      <extension base="string">
+        <attribute name="NameQualifier" type="string" use="optional"/>
+
+        <attribute name="Format" type="anyURI" use="optional"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+  <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+  <complexType name="SubjectConfirmationType">
+    <sequence>
+      <element ref="saml:ConfirmationMethod" maxOccurs="unbounded"/>
+      <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+
+      <element ref="ds:KeyInfo" minOccurs="0"/>
+    </sequence>
+  </complexType>
+  <element name="SubjectConfirmationData" type="anyType"/>
+  <element name="ConfirmationMethod" type="anyURI"/>
+  <element name="AuthenticationStatement" type="saml:AuthenticationStatementType"/>
+  <complexType name="AuthenticationStatementType">
+    <complexContent>
+      <extension base="saml:SubjectStatementAbstractType">
+
+        <sequence>
+          <element ref="saml:SubjectLocality" minOccurs="0"/>
+          <element ref="saml:AuthorityBinding" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="AuthenticationMethod" type="anyURI" use="required"/>
+        <attribute name="AuthenticationInstant" type="dateTime" use="required"/>
+      </extension>
+    </complexContent>
+  </complexType>
+
+  <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+  <complexType name="SubjectLocalityType">
+    <attribute name="IPAddress" type="string" use="optional"/>
+    <attribute name="DNSAddress" type="string" use="optional"/>
+  </complexType>
+  <element name="AuthorityBinding" type="saml:AuthorityBindingType"/>
+  <complexType name="AuthorityBindingType">
+    <attribute name="AuthorityKind" type="QName" use="required"/>
+    <attribute name="Location" type="anyURI" use="required"/>
+
+    <attribute name="Binding" type="anyURI" use="required"/>
+  </complexType>
+  <element name="AuthorizationDecisionStatement" type="saml:AuthorizationDecisionStatementType"/>
+  <complexType name="AuthorizationDecisionStatementType">
+    <complexContent>
+      <extension base="saml:SubjectStatementAbstractType">
+        <sequence>
+          <element ref="saml:Action" maxOccurs="unbounded"/>
+          <element ref="saml:Evidence" minOccurs="0"/>
+
+        </sequence>
+        <attribute name="Resource" type="anyURI" use="required"/>
+        <attribute name="Decision" type="saml:DecisionType" use="required"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="Action" type="saml:ActionType"/>
+  <complexType name="ActionType">
+    <simpleContent>
+
+      <extension base="string">
+        <attribute name="Namespace" type="anyURI"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+  <element name="Evidence" type="saml:EvidenceType"/>
+  <complexType name="EvidenceType">
+    <choice maxOccurs="unbounded">
+      <element ref="saml:AssertionIDReference"/>
+
+      <element ref="saml:Assertion"/>
+    </choice>
+  </complexType>
+  <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+  <complexType name="AttributeStatementType">
+    <complexContent>
+      <extension base="saml:SubjectStatementAbstractType">
+        <sequence>
+          <element ref="saml:Attribute" maxOccurs="unbounded"/>
+
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AttributeDesignator" type="saml:AttributeDesignatorType"/>
+  <complexType name="AttributeDesignatorType">
+    <attribute name="AttributeName" type="string" use="required"/>
+    <attribute name="AttributeNamespace" type="anyURI" use="required"/>
+  </complexType>
+
+  <element name="Attribute" type="saml:AttributeType"/>
+  <complexType name="AttributeType">
+    <complexContent>
+      <extension base="saml:AttributeDesignatorType">
+        <sequence>
+          <element ref="saml:AttributeValue" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+
+  </complexType>
+  <element name="AttributeValue" type="anyType"/>
+</schema>
diff --git a/saml-core/src/main/resources/schema/saml/v1/saml-schema-assertion-1.0.xsd b/saml-core/src/main/resources/schema/saml/v1/saml-schema-assertion-1.0.xsd
new file mode 100644
index 0000000000..435037346d
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v1/saml-schema-assertion-1.0.xsd
@@ -0,0 +1,227 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema targetNamespace="urn:oasis:names:tc:SAML:1.0:assertion"
+        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        elementFormDefault="unqualified"
+        attributeFormDefault="unqualified" version="1.1">
+  <import namespace="http://www.w3.org/2000/09/xmldsig#"
+          schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
+  <annotation>
+    <documentation>
+      Document identifier: oasis-sstc-saml-schema-assertion-1.1
+      Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
+      Revision history:
+      V1.0 (November, 2002):
+      Initial standard schema.
+      V1.1 (September, 2003):
+      * Note that V1.1 of this schema has the same XML namespace as V1.0.
+      Rebased ID content directly on XML Schema types
+      Added DoNotCacheCondition element and DoNotCacheConditionType
+    </documentation>
+  </annotation>
+  <simpleType name="DecisionType">
+    <restriction base="string">
+
+      <enumeration value="Permit"/>
+      <enumeration value="Deny"/>
+      <enumeration value="Indeterminate"/>
+    </restriction>
+  </simpleType>
+  <element name="AssertionIDReference" type="NCName"/>
+  <element name="Assertion" type="saml:AssertionType"/>
+  <complexType name="AssertionType">
+    <sequence>
+
+      <element ref="saml:Conditions" minOccurs="0"/>
+      <element ref="saml:Advice" minOccurs="0"/>
+      <choice maxOccurs="unbounded">
+        <element ref="saml:Statement"/>
+        <element ref="saml:SubjectStatement"/>
+        <element ref="saml:AuthenticationStatement"/>
+        <element ref="saml:AuthorizationDecisionStatement"/>
+        <element ref="saml:AttributeStatement"/>
+      </choice>
+
+      <element ref="ds:Signature" minOccurs="0"/>
+    </sequence>
+    <attribute name="MajorVersion" type="integer" use="required"/>
+    <attribute name="MinorVersion" type="integer" use="required"/>
+    <attribute name="AssertionID" type="ID" use="required"/>
+    <attribute name="Issuer" type="string" use="required"/>
+    <attribute name="IssueInstant" type="dateTime" use="required"/>
+  </complexType>
+  <element name="Conditions" type="saml:ConditionsType"/>
+
+  <complexType name="ConditionsType">
+    <choice minOccurs="0" maxOccurs="unbounded">
+      <element ref="saml:AudienceRestrictionCondition"/>
+      <element ref="saml:DoNotCacheCondition"/>
+      <element ref="saml:Condition"/>
+    </choice>
+    <attribute name="NotBefore" type="dateTime" use="optional"/>
+    <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+  </complexType>
+
+  <element name="Condition" type="saml:ConditionAbstractType"/>
+  <complexType name="ConditionAbstractType" abstract="true"/>
+  <element name="AudienceRestrictionCondition" type="saml:AudienceRestrictionConditionType"/>
+  <complexType name="AudienceRestrictionConditionType">
+    <complexContent>
+      <extension base="saml:ConditionAbstractType">
+        <sequence>
+          <element ref="saml:Audience" maxOccurs="unbounded"/>
+        </sequence>
+
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="Audience" type="anyURI"/>
+  <element name="DoNotCacheCondition" type="saml:DoNotCacheConditionType"/>
+  <complexType name="DoNotCacheConditionType">
+    <complexContent>
+      <extension base="saml:ConditionAbstractType"/>
+    </complexContent>
+
+  </complexType>
+  <element name="Advice" type="saml:AdviceType"/>
+  <complexType name="AdviceType">
+    <choice minOccurs="0" maxOccurs="unbounded">
+      <element ref="saml:AssertionIDReference"/>
+      <element ref="saml:Assertion"/>
+      <any namespace="##other" processContents="lax"/>
+    </choice>
+  </complexType>
+
+  <element name="Statement" type="saml:StatementAbstractType"/>
+  <complexType name="StatementAbstractType" abstract="true"/>
+  <element name="SubjectStatement" type="saml:SubjectStatementAbstractType"/>
+  <complexType name="SubjectStatementAbstractType" abstract="true">
+    <complexContent>
+      <extension base="saml:StatementAbstractType">
+        <sequence>
+          <element ref="saml:Subject"/>
+        </sequence>
+
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="Subject" type="saml:SubjectType"/>
+  <complexType name="SubjectType">
+    <choice>
+      <sequence>
+        <element ref="saml:NameIdentifier"/>
+        <element ref="saml:SubjectConfirmation" minOccurs="0"/>
+
+      </sequence>
+      <element ref="saml:SubjectConfirmation"/>
+    </choice>
+  </complexType>
+  <element name="NameIdentifier" type="saml:NameIdentifierType"/>
+  <complexType name="NameIdentifierType">
+    <simpleContent>
+      <extension base="string">
+        <attribute name="NameQualifier" type="string" use="optional"/>
+
+        <attribute name="Format" type="anyURI" use="optional"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+  <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+  <complexType name="SubjectConfirmationType">
+    <sequence>
+      <element ref="saml:ConfirmationMethod" maxOccurs="unbounded"/>
+      <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+
+      <element ref="ds:KeyInfo" minOccurs="0"/>
+    </sequence>
+  </complexType>
+  <element name="SubjectConfirmationData" type="anyType"/>
+  <element name="ConfirmationMethod" type="anyURI"/>
+  <element name="AuthenticationStatement" type="saml:AuthenticationStatementType"/>
+  <complexType name="AuthenticationStatementType">
+    <complexContent>
+      <extension base="saml:SubjectStatementAbstractType">
+
+        <sequence>
+          <element ref="saml:SubjectLocality" minOccurs="0"/>
+          <element ref="saml:AuthorityBinding" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="AuthenticationMethod" type="anyURI" use="required"/>
+        <attribute name="AuthenticationInstant" type="dateTime" use="required"/>
+      </extension>
+    </complexContent>
+  </complexType>
+
+  <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+  <complexType name="SubjectLocalityType">
+    <attribute name="IPAddress" type="string" use="optional"/>
+    <attribute name="DNSAddress" type="string" use="optional"/>
+  </complexType>
+  <element name="AuthorityBinding" type="saml:AuthorityBindingType"/>
+  <complexType name="AuthorityBindingType">
+    <attribute name="AuthorityKind" type="QName" use="required"/>
+    <attribute name="Location" type="anyURI" use="required"/>
+
+    <attribute name="Binding" type="anyURI" use="required"/>
+  </complexType>
+  <element name="AuthorizationDecisionStatement" type="saml:AuthorizationDecisionStatementType"/>
+  <complexType name="AuthorizationDecisionStatementType">
+    <complexContent>
+      <extension base="saml:SubjectStatementAbstractType">
+        <sequence>
+          <element ref="saml:Action" maxOccurs="unbounded"/>
+          <element ref="saml:Evidence" minOccurs="0"/>
+
+        </sequence>
+        <attribute name="Resource" type="anyURI" use="required"/>
+        <attribute name="Decision" type="saml:DecisionType" use="required"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="Action" type="saml:ActionType"/>
+  <complexType name="ActionType">
+    <simpleContent>
+
+      <extension base="string">
+        <attribute name="Namespace" type="anyURI"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+  <element name="Evidence" type="saml:EvidenceType"/>
+  <complexType name="EvidenceType">
+    <choice maxOccurs="unbounded">
+      <element ref="saml:AssertionIDReference"/>
+      <element ref="saml:Assertion"/>
+    </choice>
+  </complexType>
+  <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+  <complexType name="AttributeStatementType">
+    <complexContent>
+      <extension base="saml:SubjectStatementAbstractType">
+        <sequence>
+          <element ref="saml:Attribute" maxOccurs="unbounded"/>
+
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AttributeDesignator" type="saml:AttributeDesignatorType"/>
+  <complexType name="AttributeDesignatorType">
+    <attribute name="AttributeName" type="string" use="required"/>
+    <attribute name="AttributeNamespace" type="anyURI" use="required"/>
+  </complexType>
+
+  <element name="Attribute" type="saml:AttributeType"/>
+  <complexType name="AttributeType">
+    <complexContent>
+      <extension base="saml:AttributeDesignatorType">
+        <sequence>
+          <element ref="saml:AttributeValue" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+
+  </complexType>
+  <element name="AttributeValue" type="anyType"/>
+</schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v1/saml-schema-protocol-1.1.xsd b/saml-core/src/main/resources/schema/saml/v1/saml-schema-protocol-1.1.xsd
new file mode 100644
index 0000000000..7884c8aa20
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v1/saml-schema-protocol-1.1.xsd
@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema targetNamespace="urn:oasis:names:tc:SAML:1.0:protocol"
+        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
+        xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        elementFormDefault="unqualified"
+        attributeFormDefault="unqualified" version="1.1">
+  <import namespace="urn:oasis:names:tc:SAML:1.0:assertion"
+          schemaLocation="oasis-sstc-saml-schema-assertion-1.1.xsd"/>
+  <import namespace="http://www.w3.org/2000/09/xmldsig#"
+          schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
+  <annotation>
+    <documentation>
+      Document identifier: oasis-sstc-saml-schema-protocol-1.1
+      Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
+      Revision history:
+      V1.0 (November, 2002):
+      Initial standard schema.
+      V1.1 (September, 2003):
+      * Note that V1.1 of this schema has the same XML namespace as V1.0.
+      Rebased ID content directly on XML Schema types
+    </documentation>
+  </annotation>
+  <complexType name="RequestAbstractType" abstract="true">
+
+    <sequence>
+      <element ref="samlp:RespondWith" minOccurs="0" maxOccurs="unbounded"/>
+      <element ref="ds:Signature" minOccurs="0"/>
+    </sequence>
+    <attribute name="RequestID" type="ID" use="required"/>
+    <attribute name="MajorVersion" type="integer" use="required"/>
+    <attribute name="MinorVersion" type="integer" use="required"/>
+    <attribute name="IssueInstant" type="dateTime" use="required"/>
+  </complexType>
+
+  <element name="RespondWith" type="QName"/>
+  <element name="Request" type="samlp:RequestType"/>
+  <complexType name="RequestType">
+    <complexContent>
+      <extension base="samlp:RequestAbstractType">
+        <choice>
+          <element ref="samlp:Query"/>
+          <element ref="samlp:SubjectQuery"/>
+          <element ref="samlp:AuthenticationQuery"/>
+
+          <element ref="samlp:AttributeQuery"/>
+          <element ref="samlp:AuthorizationDecisionQuery"/>
+          <element ref="saml:AssertionIDReference" maxOccurs="unbounded"/>
+          <element ref="samlp:AssertionArtifact" maxOccurs="unbounded"/>
+        </choice>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AssertionArtifact" type="string"/>
+
+  <element name="Query" type="samlp:QueryAbstractType"/>
+  <complexType name="QueryAbstractType" abstract="true"/>
+  <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
+  <complexType name="SubjectQueryAbstractType" abstract="true">
+    <complexContent>
+      <extension base="samlp:QueryAbstractType">
+        <sequence>
+          <element ref="saml:Subject"/>
+        </sequence>
+
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AuthenticationQuery" type="samlp:AuthenticationQueryType"/>
+  <complexType name="AuthenticationQueryType">
+    <complexContent>
+      <extension base="samlp:SubjectQueryAbstractType">
+        <attribute name="AuthenticationMethod" type="anyURI"/>
+      </extension>
+
+    </complexContent>
+  </complexType>
+  <element name="AttributeQuery" type="samlp:AttributeQueryType"/>
+  <complexType name="AttributeQueryType">
+    <complexContent>
+      <extension base="samlp:SubjectQueryAbstractType">
+        <sequence>
+          <element ref="saml:AttributeDesignator" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+
+        <attribute name="Resource" type="anyURI" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AuthorizationDecisionQuery" type="samlp:AuthorizationDecisionQueryType"/>
+  <complexType name="AuthorizationDecisionQueryType">
+    <complexContent>
+      <extension base="samlp:SubjectQueryAbstractType">
+        <sequence>
+
+          <element ref="saml:Action" maxOccurs="unbounded"/>
+          <element ref="saml:Evidence" minOccurs="0"/>
+        </sequence>
+        <attribute name="Resource" type="anyURI" use="required"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <complexType name="ResponseAbstractType" abstract="true">
+    <sequence>
+
+      <element ref="ds:Signature" minOccurs="0"/>
+    </sequence>
+    <attribute name="ResponseID" type="ID" use="required"/>
+    <attribute name="InResponseTo" type="NCName" use="optional"/>
+    <attribute name="MajorVersion" type="integer" use="required"/>
+    <attribute name="MinorVersion" type="integer" use="required"/>
+    <attribute name="IssueInstant" type="dateTime" use="required"/>
+    <attribute name="Recipient" type="anyURI" use="optional"/>
+  </complexType>
+
+  <element name="Response" type="samlp:ResponseType"/>
+  <complexType name="ResponseType">
+    <complexContent>
+      <extension base="samlp:ResponseAbstractType">
+        <sequence>
+          <element ref="samlp:Status"/>
+          <element ref="saml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+
+    </complexContent>
+  </complexType>
+  <element name="Status" type="samlp:StatusType"/>
+  <complexType name="StatusType">
+    <sequence>
+      <element ref="samlp:StatusCode"/>
+      <element ref="samlp:StatusMessage" minOccurs="0"/>
+      <element ref="samlp:StatusDetail" minOccurs="0"/>
+    </sequence>
+
+  </complexType>
+  <element name="StatusCode" type="samlp:StatusCodeType"/>
+  <complexType name="StatusCodeType">
+    <sequence>
+      <element ref="samlp:StatusCode" minOccurs="0"/>
+    </sequence>
+    <attribute name="Value" type="QName" use="required"/>
+  </complexType>
+  <element name="StatusMessage" type="string"/>
+
+  <element name="StatusDetail" type="samlp:StatusDetailType"/>
+  <complexType name="StatusDetailType">
+    <sequence>
+      <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+  </complexType>
+</schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v2/access_control-xacml-2.0-saml-assertion-schema-os.xsd b/saml-core/src/main/resources/schema/saml/v2/access_control-xacml-2.0-saml-assertion-schema-os.xsd
new file mode 100644
index 0000000000..be86e3f341
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/access_control-xacml-2.0-saml-assertion-schema-os.xsd
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+        targetNamespace="urn:oasis:xacml:2.0:saml:assertion:schema:os"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        xmlns:xs="http://www.w3.org/2001/XMLSchema"
+        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+        xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+        xmlns:xacml-saml="urn:oasis:xacml:2.0:saml:assertion:schema:os"
+        elementFormDefault="unqualified"
+        attributeFormDefault="unqualified"
+        blockDefault="substitution"
+        version="2.0">
+  <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+             schemaLocation="http://www.oasis-open.org/committees/download.php/11027/sstc-saml-schema-assertion-2.0.xsd"/>
+  <xs:import namespace="urn:oasis:names:tc:SAML:2.0:protocol"
+             schemaLocation="http://www.oasis-open.org/committees/download.php/11026/sstc-saml-schema-protocol-2.0.xsd"/>
+  <xs:import namespace="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+             schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"/>
+  <xs:import namespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+             schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd"/>
+  <xs:annotation>
+    <xs:documentation>
+      Document identifier: access_control-xacml-2.0-saml-assertion-schema-cd-02.xsd
+      Location: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-assertion-schema-cd-os.xsd
+    </xs:documentation>
+  </xs:annotation>
+  <!--    -->
+  <xs:element name="XACMLAuthzDecisionStatement"
+              type="xacml-saml:XACMLAuthzDecisionStatementType"/>
+  <xs:complexType name="XACMLAuthzDecisionStatementType">
+    <xs:complexContent>
+      <xs:extension base="saml:StatementAbstractType">
+        <xs:sequence>
+          <xs:element ref="xacml-context:Response"/>
+          <xs:element ref="xacml-context:Request" minOccurs="0"/>
+        </xs:sequence>
+      </xs:extension>
+    </xs:complexContent>
+  </xs:complexType>
+  <!--    -->
+  <xs:element name="XACMLPolicyStatement"
+              type="xacml-saml:XACMLPolicyStatementType"/>
+  <xs:complexType name="XACMLPolicyStatementType">
+    <xs:complexContent>
+      <xs:extension base="saml:StatementAbstractType">
+        <xs:choice minOccurs="0" maxOccurs="unbounded">
+          <xs:element ref="xacml:Policy"/>
+          <xs:element ref="xacml:PolicySet"/>
+        </xs:choice>
+      </xs:extension>
+    </xs:complexContent>
+  </xs:complexType>
+</schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/access_control-xacml-2.0-saml-protocol-schema-os.xsd b/saml-core/src/main/resources/schema/saml/v2/access_control-xacml-2.0-saml-protocol-schema-os.xsd
new file mode 100644
index 0000000000..88f0b9b157
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/access_control-xacml-2.0-saml-protocol-schema-os.xsd
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+        targetNamespace="urn:oasis:xacml:2.0:saml:protocol:schema:os"
+        xmlns:xs="http://www.w3.org/2001/XMLSchema"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+        xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+        xmlns:xacml-samlp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
+        elementFormDefault="unqualified"
+        attributeFormDefault="unqualified"
+        blockDefault="substitution"
+        version="2.0">
+  <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+             schemaLocation="http://www.oasis-open.org/committees/download.php/11027/sstc-saml-schema-assertion-2.0.xsd"/>
+  <xs:import namespace="urn:oasis:names:tc:SAML:2.0:protocol"
+             schemaLocation="http://www.oasis-open.org/committees/download.php/11026/sstc-saml-schema-protocol-2.0.xsd"/>
+  <xs:import namespace="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+             schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"/>
+  <xs:import namespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+             schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd"/>
+  <xs:annotation>
+    <xs:documentation>
+      Document identifier: access_control-xacml-2.0-saml-protocol-schema-os.xsd
+      Location: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-protocol-schema-os.xsd
+    </xs:documentation>
+  </xs:annotation>
+  <!--    -->
+  <xs:element name="XACMLAuthzDecisionQuery"
+              type="xacml-samlp:XACMLAuthzDecisionQueryType"/>
+  <xs:complexType name="XACMLAuthzDecisionQueryType">
+    <xs:complexContent>
+      <xs:extension base="samlp:RequestAbstractType">
+        <xs:sequence>
+          <xs:element ref="xacml-context:Request"/>
+        </xs:sequence>
+        <xs:attribute name="InputContextOnly"
+                      type="boolean"
+                      use="optional"
+                      default="false"/>
+        <xs:attribute name="ReturnContext"
+                      type="boolean"
+                      use="optional"
+                      default="false"/>
+      </xs:extension>
+    </xs:complexContent>
+  </xs:complexType>
+  <!--    -->
+  <xs:element name="XACMLPolicyQuery"
+              type="xacml-samlp:XACMLPolicyQueryType"/>
+  <xs:complexType name="XACMLPolicyQueryType">
+    <xs:complexContent>
+      <xs:extension base="samlp:RequestAbstractType">
+        <xs:choice minOccurs="0" maxOccurs="unbounded">
+          <xs:element ref="xacml-context:Request"/>
+          <xs:element ref="xacml:Target"/>
+          <xs:element ref="xacml:PolicySetIdReference"/>
+          <xs:element ref="xacml:PolicyIdReference"/>
+        </xs:choice>
+      </xs:extension>
+    </xs:complexContent>
+  </xs:complexType>
+</schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-assertion-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-assertion-2.0.xsd
new file mode 100644
index 0000000000..cdd365d885
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-assertion-2.0.xsd
@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema
+        targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+        elementFormDefault="unqualified"
+        attributeFormDefault="unqualified"
+        blockDefault="substitution"
+        version="2.0">
+  <import namespace="http://www.w3.org/2000/09/xmldsig#"
+          schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
+  <import namespace="http://www.w3.org/2001/04/xmlenc#"
+          schemaLocation="http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd"/>
+  <annotation>
+    <documentation>
+      Document identifier: saml-schema-assertion-2.0
+      Location: http://docs.oasis-open.org/security/saml/v2.0/
+      Revision history:
+      V1.0 (November, 2002):
+      Initial Standard Schema.
+      V1.1 (September, 2003):
+      Updates within the same V1.0 namespace.
+      V2.0 (March, 2005):
+      New assertion schema for SAML V2.0 namespace.
+    </documentation>
+  </annotation>
+  <attributeGroup name="IDNameQualifiers">
+    <attribute name="NameQualifier" type="string" use="optional"/>
+    <attribute name="SPNameQualifier" type="string" use="optional"/>
+  </attributeGroup>
+  <element name="BaseID" type="saml:BaseIDAbstractType"/>
+  <complexType name="BaseIDAbstractType" abstract="true">
+    <attributeGroup ref="saml:IDNameQualifiers"/>
+  </complexType>
+  <element name="NameID" type="saml:NameIDType"/>
+  <complexType name="NameIDType">
+    <simpleContent>
+      <extension base="string">
+        <attributeGroup ref="saml:IDNameQualifiers"/>
+        <attribute name="Format" type="anyURI" use="optional"/>
+        <attribute name="SPProvidedID" type="string" use="optional"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+  <complexType name="EncryptedElementType">
+    <sequence>
+      <element ref="xenc:EncryptedData"/>
+      <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+  </complexType>
+  <element name="EncryptedID" type="saml:EncryptedElementType"/>
+  <element name="Issuer" type="saml:NameIDType"/>
+  <element name="AssertionIDRef" type="NCName"/>
+  <element name="AssertionURIRef" type="anyURI"/>
+  <element name="Assertion" type="saml:AssertionType"/>
+  <complexType name="AssertionType">
+    <sequence>
+      <element ref="saml:Issuer"/>
+      <element ref="ds:Signature" minOccurs="0"/>
+      <element ref="saml:Subject" minOccurs="0"/>
+      <element ref="saml:Conditions" minOccurs="0"/>
+      <element ref="saml:Advice" minOccurs="0"/>
+      <choice minOccurs="0" maxOccurs="unbounded">
+        <element ref="saml:Statement"/>
+        <element ref="saml:AuthnStatement"/>
+        <element ref="saml:AuthzDecisionStatement"/>
+        <element ref="saml:AttributeStatement"/>
+      </choice>
+    </sequence>
+    <attribute name="Version" type="string" use="required"/>
+    <attribute name="ID" type="ID" use="required"/>
+    <attribute name="IssueInstant" type="dateTime" use="required"/>
+  </complexType>
+  <element name="Subject" type="saml:SubjectType"/>
+  <complexType name="SubjectType">
+    <choice>
+      <sequence>
+        <choice>
+          <element ref="saml:BaseID"/>
+          <element ref="saml:NameID"/>
+          <element ref="saml:EncryptedID"/>
+        </choice>
+        <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
+      </sequence>
+      <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
+    </choice>
+  </complexType>
+  <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+  <complexType name="SubjectConfirmationType">
+    <sequence>
+      <choice minOccurs="0">
+        <element ref="saml:BaseID"/>
+        <element ref="saml:NameID"/>
+        <element ref="saml:EncryptedID"/>
+      </choice>
+      <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+    </sequence>
+    <attribute name="Method" type="anyURI" use="required"/>
+  </complexType>
+  <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
+  <complexType name="SubjectConfirmationDataType" mixed="true">
+    <complexContent>
+      <restriction base="anyType">
+        <sequence>
+          <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="NotBefore" type="dateTime" use="optional"/>
+        <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+        <attribute name="Recipient" type="anyURI" use="optional"/>
+        <attribute name="InResponseTo" type="NCName" use="optional"/>
+        <attribute name="Address" type="string" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+      </restriction>
+    </complexContent>
+  </complexType>
+  <complexType name="KeyInfoConfirmationDataType" mixed="false">
+    <complexContent>
+      <restriction base="saml:SubjectConfirmationDataType">
+        <sequence>
+          <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+        </sequence>
+      </restriction>
+    </complexContent>
+  </complexType>
+  <element name="Conditions" type="saml:ConditionsType"/>
+  <complexType name="ConditionsType">
+    <choice minOccurs="0" maxOccurs="unbounded">
+      <element ref="saml:Condition"/>
+      <element ref="saml:AudienceRestriction"/>
+      <element ref="saml:OneTimeUse"/>
+      <element ref="saml:ProxyRestriction"/>
+    </choice>
+    <attribute name="NotBefore" type="dateTime" use="optional"/>
+    <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+  </complexType>
+  <element name="Condition" type="saml:ConditionAbstractType"/>
+  <complexType name="ConditionAbstractType" abstract="true"/>
+  <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
+  <complexType name="AudienceRestrictionType">
+    <complexContent>
+      <extension base="saml:ConditionAbstractType">
+        <sequence>
+          <element ref="saml:Audience" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="Audience" type="anyURI"/>
+  <element name="OneTimeUse" type="saml:OneTimeUseType"/>
+  <complexType name="OneTimeUseType">
+    <complexContent>
+      <extension base="saml:ConditionAbstractType"/>
+    </complexContent>
+  </complexType>
+  <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
+  <complexType name="ProxyRestrictionType">
+    <complexContent>
+      <extension base="saml:ConditionAbstractType">
+        <sequence>
+          <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="Count" type="nonNegativeInteger" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="Advice" type="saml:AdviceType"/>
+  <complexType name="AdviceType">
+    <choice minOccurs="0" maxOccurs="unbounded">
+      <element ref="saml:AssertionIDRef"/>
+      <element ref="saml:AssertionURIRef"/>
+      <element ref="saml:Assertion"/>
+      <element ref="saml:EncryptedAssertion"/>
+      <any namespace="##other" processContents="lax"/>
+    </choice>
+  </complexType>
+  <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
+  <element name="Statement" type="saml:StatementAbstractType"/>
+  <complexType name="StatementAbstractType" abstract="true"/>
+  <element name="AuthnStatement" type="saml:AuthnStatementType"/>
+  <complexType name="AuthnStatementType">
+    <complexContent>
+      <extension base="saml:StatementAbstractType">
+        <sequence>
+          <element ref="saml:SubjectLocality" minOccurs="0"/>
+          <element ref="saml:AuthnContext"/>
+        </sequence>
+        <attribute name="AuthnInstant" type="dateTime" use="required"/>
+        <attribute name="SessionIndex" type="string" use="optional"/>
+        <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+  <complexType name="SubjectLocalityType">
+    <attribute name="Address" type="string" use="optional"/>
+    <attribute name="DNSName" type="string" use="optional"/>
+  </complexType>
+  <element name="AuthnContext" type="saml:AuthnContextType"/>
+  <complexType name="AuthnContextType">
+    <sequence>
+      <choice>
+        <sequence>
+          <element ref="saml:AuthnContextClassRef"/>
+          <choice minOccurs="0">
+            <element ref="saml:AuthnContextDecl"/>
+            <element ref="saml:AuthnContextDeclRef"/>
+          </choice>
+        </sequence>
+        <choice>
+          <element ref="saml:AuthnContextDecl"/>
+          <element ref="saml:AuthnContextDeclRef"/>
+        </choice>
+      </choice>
+      <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+  </complexType>
+  <element name="AuthnContextClassRef" type="anyURI"/>
+  <element name="AuthnContextDeclRef" type="anyURI"/>
+  <element name="AuthnContextDecl" type="anyType"/>
+  <element name="AuthenticatingAuthority" type="anyURI"/>
+  <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
+  <complexType name="AuthzDecisionStatementType">
+    <complexContent>
+      <extension base="saml:StatementAbstractType">
+        <sequence>
+          <element ref="saml:Action" maxOccurs="unbounded"/>
+          <element ref="saml:Evidence" minOccurs="0"/>
+        </sequence>
+        <attribute name="Resource" type="anyURI" use="required"/>
+        <attribute name="Decision" type="saml:DecisionType" use="required"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <simpleType name="DecisionType">
+    <restriction base="string">
+      <enumeration value="Permit"/>
+      <enumeration value="Deny"/>
+      <enumeration value="Indeterminate"/>
+    </restriction>
+  </simpleType>
+  <element name="Action" type="saml:ActionType"/>
+  <complexType name="ActionType">
+    <simpleContent>
+      <extension base="string">
+        <attribute name="Namespace" type="anyURI" use="required"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+  <element name="Evidence" type="saml:EvidenceType"/>
+  <complexType name="EvidenceType">
+    <choice maxOccurs="unbounded">
+      <element ref="saml:AssertionIDRef"/>
+      <element ref="saml:AssertionURIRef"/>
+      <element ref="saml:Assertion"/>
+      <element ref="saml:EncryptedAssertion"/>
+    </choice>
+  </complexType>
+  <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+  <complexType name="AttributeStatementType">
+    <complexContent>
+      <extension base="saml:StatementAbstractType">
+        <choice maxOccurs="unbounded">
+          <element ref="saml:Attribute"/>
+          <element ref="saml:EncryptedAttribute"/>
+        </choice>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="Attribute" type="saml:AttributeType"/>
+  <complexType name="AttributeType">
+    <sequence>
+      <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="Name" type="string" use="required"/>
+    <attribute name="NameFormat" type="anyURI" use="optional"/>
+    <attribute name="FriendlyName" type="string" use="optional"/>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+  <element name="AttributeValue" type="anyType" nillable="true"/>
+  <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
+</schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-2.0.xsd
new file mode 100644
index 0000000000..7fbc11b41f
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-2.0.xsd
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema
+        targetNamespace="urn:oasis:names:tc:SAML:2.0:ac"
+        xmlns:xs="http://www.w3.org/2001/XMLSchema"
+        xmlns="urn:oasis:names:tc:SAML:2.0:ac"
+        blockDefault="substitution"
+        version="2.0">
+
+  <xs:annotation>
+    <xs:documentation>
+      Document identifier: saml-schema-authn-context-2.0
+      Location: http://docs.oasis-open.org/security/saml/v2.0/
+      Revision history:
+      V2.0 (March, 2005):
+      New core authentication context schema for SAML V2.0.
+      This is just an include of all types from the schema
+      referred to in the include statement below.
+    </xs:documentation>
+  </xs:annotation>
+
+  <xs:include schemaLocation="saml-schema-authn-context-types-2.0.xsd"/>
+
+</xs:schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-auth-telephony-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-auth-telephony-2.0.xsd
new file mode 100644
index 0000000000..fa8e44e802
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-auth-telephony-2.0.xsd
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony
+        Document identifier: saml-schema-authn-context-auth-telephony-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="Password"/>
+            <xs:element ref="SubscriberLineNumber"/>
+            <xs:element ref="UserSuffix"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorTransportProtocolType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorTransportProtocolType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="PSTN"/>
+              <xs:element ref="ISDN"/>
+              <xs:element ref="ADSL"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-ip-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-ip-2.0.xsd
new file mode 100644
index 0000000000..db44c738e1
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-ip-2.0.xsd
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema
+        targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol"
+        xmlns:xs="http://www.w3.org/2001/XMLSchema"
+        xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol"
+        finalDefault="extension"
+        blockDefault="substitution"
+        version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
+        Document identifier: saml-schema-authn-context-ip-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="IPAddress"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-ippword-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-ippword-2.0.xsd
new file mode 100644
index 0000000000..8d436d2b1f
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-ippword-2.0.xsd
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
+        Document identifier: saml-schema-authn-context-ippword-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="Password"/>
+            <xs:element ref="IPAddress"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-kerberos-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-kerberos-2.0.xsd
new file mode 100644
index 0000000000..e0ddd78e31
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-kerberos-2.0.xsd
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
+        Document identifier: saml-schema-authn-context-kerberos-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrincipalAuthenticationMechanismType">
+      <xs:complexContent>
+        <xs:restriction base="PrincipalAuthenticationMechanismType">
+          <xs:sequence>
+            <xs:element ref="RestrictedPassword"/>
+          </xs:sequence>
+          <xs:attribute name="preauth" type="xs:integer" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="SharedSecretChallengeResponse"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="SharedSecretChallengeResponseType">
+      <xs:complexContent>
+        <xs:restriction base="SharedSecretChallengeResponseType">
+          <xs:attribute name="method" type="xs:anyURI" fixed="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobileonefactor-reg-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobileonefactor-reg-2.0.xsd
new file mode 100644
index 0000000000..f60d04db0d
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobileonefactor-reg-2.0.xsd
@@ -0,0 +1,186 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract
+        Document identifier: saml-schema-authn-context-mobileonefactor-reg-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="DigSig"/>
+              <xs:element ref="ZeroKnowledge"/>
+              <xs:element ref="SharedSecretChallengeResponse"/>
+              <xs:element ref="SharedSecretDynamicPlaintext"/>
+              <xs:element ref="AsymmetricDecryption"/>
+              <xs:element ref="AsymmetricKeyAgreement"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorTransportProtocolType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorTransportProtocolType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="SSL"/>
+              <xs:element ref="MobileNetworkNoEncryption"/>
+              <xs:element ref="MobileNetworkRadioEncryption"/>
+              <xs:element ref="MobileNetworkEndToEndEncryption"/>
+              <xs:element ref="WTLS"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="OperationalProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="OperationalProtectionType">
+          <xs:sequence>
+            <xs:element ref="SecurityAudit"/>
+            <xs:element ref="DeactivationCallCenter"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="TechnicalProtectionBaseType">
+      <xs:complexContent>
+        <xs:restriction base="TechnicalProtectionBaseType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="PrivateKeyProtection"/>
+              <xs:element ref="SecretKeyProtection"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrivateKeyProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="PrivateKeyProtectionType">
+          <xs:sequence>
+            <xs:element ref="KeyStorage"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="SecretKeyProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="SecretKeyProtectionType">
+          <xs:sequence>
+            <xs:element ref="KeyStorage"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="KeyStorageType">
+      <xs:complexContent>
+        <xs:restriction base="KeyStorageType">
+          <xs:attribute name="medium" use="required">
+            <xs:simpleType>
+              <xs:restriction base="mediumType">
+                <xs:enumeration value="smartcard"/>
+                <xs:enumeration value="MobileDevice"/>
+                <xs:enumeration value="MobileAuthCard"/>
+              </xs:restriction>
+            </xs:simpleType>
+          </xs:attribute>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="SecurityAuditType">
+      <xs:complexContent>
+        <xs:restriction base="SecurityAuditType">
+          <xs:sequence>
+            <xs:element ref="SwitchAudit"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="IdentificationType">
+      <xs:complexContent>
+        <xs:restriction base="IdentificationType">
+          <xs:sequence>
+            <xs:element ref="PhysicalVerification"/>
+            <xs:element ref="WrittenConsent"/>
+            <xs:element ref="GoverningAgreements"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="nym">
+            <xs:simpleType>
+              <xs:restriction base="nymType">
+                <xs:enumeration value="anonymity"/>
+                <xs:enumeration value="verinymity"/>
+                <xs:enumeration value="pseudonymity"/>
+              </xs:restriction>
+            </xs:simpleType>
+          </xs:attribute>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobileonefactor-unreg-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobileonefactor-unreg-2.0.xsd
new file mode 100644
index 0000000000..d061f2d451
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobileonefactor-unreg-2.0.xsd
@@ -0,0 +1,183 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered
+        Document identifier: saml-schema-authn-context-mobileonefactor-unreg-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="DigSig"/>
+              <xs:element ref="ZeroKnowledge"/>
+              <xs:element ref="SharedSecretChallengeResponse"/>
+              <xs:element ref="SharedSecretDynamicPlaintext"/>
+              <xs:element ref="AsymmetricDecryption"/>
+              <xs:element ref="AsymmetricKeyAgreement"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorTransportProtocolType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorTransportProtocolType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="SSL"/>
+              <xs:element ref="MobileNetworkNoEncryption"/>
+              <xs:element ref="MobileNetworkRadioEncryption"/>
+              <xs:element ref="MobileNetworkEndToEndEncryption"/>
+              <xs:element ref="WTLS"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="OperationalProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="OperationalProtectionType">
+          <xs:sequence>
+            <xs:element ref="SecurityAudit"/>
+            <xs:element ref="DeactivationCallCenter"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="TechnicalProtectionBaseType">
+      <xs:complexContent>
+        <xs:restriction base="TechnicalProtectionBaseType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="PrivateKeyProtection"/>
+              <xs:element ref="SecretKeyProtection"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrivateKeyProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="PrivateKeyProtectionType">
+          <xs:sequence>
+            <xs:element ref="KeyStorage"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="SecretKeyProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="SecretKeyProtectionType">
+          <xs:sequence>
+            <xs:element ref="KeyStorage"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="KeyStorageType">
+      <xs:complexContent>
+        <xs:restriction base="KeyStorageType">
+          <xs:attribute name="medium" use="required">
+            <xs:simpleType>
+              <xs:restriction base="mediumType">
+                <xs:enumeration value="MobileDevice"/>
+                <xs:enumeration value="MobileAuthCard"/>
+                <xs:enumeration value="smartcard"/>
+              </xs:restriction>
+            </xs:simpleType>
+          </xs:attribute>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="SecurityAuditType">
+      <xs:complexContent>
+        <xs:restriction base="SecurityAuditType">
+          <xs:sequence>
+            <xs:element ref="SwitchAudit"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="IdentificationType">
+      <xs:complexContent>
+        <xs:restriction base="IdentificationType">
+          <xs:sequence>
+            <xs:element ref="GoverningAgreements"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="nym">
+            <xs:simpleType>
+              <xs:restriction base="nymType">
+                <xs:enumeration value="anonymity"/>
+                <xs:enumeration value="pseudonymity"/>
+              </xs:restriction>
+            </xs:simpleType>
+          </xs:attribute>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobiletwofactor-reg-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobiletwofactor-reg-2.0.xsd
new file mode 100644
index 0000000000..9d5e3a3656
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobiletwofactor-reg-2.0.xsd
@@ -0,0 +1,202 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract
+        Document identifier: saml-schema-authn-context-mobiletwofactor-reg-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="DigSig"/>
+              <xs:element ref="ZeroKnowledge"/>
+              <xs:element ref="SharedSecretChallengeResponse"/>
+              <xs:element ref="SharedSecretDynamicPlaintext"/>
+              <xs:element ref="AsymmetricDecryption"/>
+              <xs:element ref="AsymmetricKeyAgreement"/>
+              <xs:element ref="ComplexAuthenticator"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="ComplexAuthenticatorType">
+      <xs:complexContent>
+        <xs:restriction base="ComplexAuthenticatorType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="SharedSecretChallengeResponse"/>
+              <xs:element ref="SharedSecretDynamicPlaintext"/>
+            </xs:choice>
+            <xs:element ref="Password"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorTransportProtocolType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorTransportProtocolType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="SSL"/>
+              <xs:element ref="MobileNetworkNoEncryption"/>
+              <xs:element ref="MobileNetworkRadioEncryption"/>
+              <xs:element ref="MobileNetworkEndToEndEncryption"/>
+              <xs:element ref="WTLS"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="OperationalProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="OperationalProtectionType">
+          <xs:sequence>
+            <xs:element ref="SecurityAudit"/>
+            <xs:element ref="DeactivationCallCenter"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="TechnicalProtectionBaseType">
+      <xs:complexContent>
+        <xs:restriction base="TechnicalProtectionBaseType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="PrivateKeyProtection"/>
+              <xs:element ref="SecretKeyProtection"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrivateKeyProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="PrivateKeyProtectionType">
+          <xs:sequence>
+            <xs:element ref="KeyActivation"/>
+            <xs:element ref="KeyStorage"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="SecretKeyProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="SecretKeyProtectionType">
+          <xs:sequence>
+            <xs:element ref="KeyActivation"/>
+            <xs:element ref="KeyStorage"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="KeyStorageType">
+      <xs:complexContent>
+        <xs:restriction base="KeyStorageType">
+          <xs:attribute name="medium" use="required">
+            <xs:simpleType>
+              <xs:restriction base="mediumType">
+                <xs:enumeration value="MobileDevice"/>
+                <xs:enumeration value="MobileAuthCard"/>
+                <xs:enumeration value="smartcard"/>
+              </xs:restriction>
+            </xs:simpleType>
+          </xs:attribute>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="SecurityAuditType">
+      <xs:complexContent>
+        <xs:restriction base="SecurityAuditType">
+          <xs:sequence>
+            <xs:element ref="SwitchAudit"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="IdentificationType">
+      <xs:complexContent>
+        <xs:restriction base="IdentificationType">
+          <xs:sequence>
+            <xs:element ref="PhysicalVerification"/>
+            <xs:element ref="WrittenConsent"/>
+            <xs:element ref="GoverningAgreements"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="nym">
+            <xs:simpleType>
+              <xs:restriction base="nymType">
+                <xs:enumeration value="anonymity"/>
+                <xs:enumeration value="verinymity"/>
+                <xs:enumeration value="pseudonymity"/>
+              </xs:restriction>
+            </xs:simpleType>
+          </xs:attribute>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+  </xs:redefine>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobiletwofactor-unreg-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobiletwofactor-unreg-2.0.xsd
new file mode 100644
index 0000000000..e5d0a7f338
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-mobiletwofactor-unreg-2.0.xsd
@@ -0,0 +1,200 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered
+        Document identifier: saml-schema-authn-context-mobiletwofactor-unreg-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="DigSig"/>
+              <xs:element ref="ZeroKnowledge"/>
+              <xs:element ref="SharedSecretChallengeResponse"/>
+              <xs:element ref="SharedSecretDynamicPlaintext"/>
+              <xs:element ref="AsymmetricDecryption"/>
+              <xs:element ref="AsymmetricKeyAgreement"/>
+              <xs:element ref="ComplexAuthenticator"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="ComplexAuthenticatorType">
+      <xs:complexContent>
+        <xs:restriction base="ComplexAuthenticatorType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="SharedSecretChallengeResponse"/>
+              <xs:element ref="SharedSecretDynamicPlaintext"/>
+            </xs:choice>
+            <xs:element ref="Password"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorTransportProtocolType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorTransportProtocolType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="SSL"/>
+              <xs:element ref="MobileNetworkNoEncryption"/>
+              <xs:element ref="MobileNetworkRadioEncryption"/>
+              <xs:element ref="MobileNetworkEndToEndEncryption"/>
+              <xs:element ref="WTLS"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="OperationalProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="OperationalProtectionType">
+          <xs:sequence>
+            <xs:element ref="SecurityAudit"/>
+            <xs:element ref="DeactivationCallCenter"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="TechnicalProtectionBaseType">
+      <xs:complexContent>
+        <xs:restriction base="TechnicalProtectionBaseType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="PrivateKeyProtection"/>
+              <xs:element ref="SecretKeyProtection"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrivateKeyProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="PrivateKeyProtectionType">
+          <xs:sequence>
+            <xs:element ref="KeyActivation"/>
+            <xs:element ref="KeyStorage"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="SecretKeyProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="SecretKeyProtectionType">
+          <xs:sequence>
+            <xs:element ref="KeyActivation"/>
+            <xs:element ref="KeyStorage"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="KeyStorageType">
+      <xs:complexContent>
+        <xs:restriction base="KeyStorageType">
+          <xs:attribute name="medium" use="required">
+            <xs:simpleType>
+              <xs:restriction base="mediumType">
+                <xs:enumeration value="MobileDevice"/>
+                <xs:enumeration value="MobileAuthCard"/>
+                <xs:enumeration value="smartcard"/>
+              </xs:restriction>
+            </xs:simpleType>
+          </xs:attribute>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="SecurityAuditType">
+      <xs:complexContent>
+        <xs:restriction base="SecurityAuditType">
+          <xs:sequence>
+            <xs:element ref="SwitchAudit"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="IdentificationType">
+      <xs:complexContent>
+        <xs:restriction base="IdentificationType">
+          <xs:sequence>
+            <xs:element ref="GoverningAgreements"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="nym">
+            <xs:simpleType>
+              <xs:restriction base="nymType">
+                <xs:enumeration value="anonymity"/>
+                <xs:enumeration value="pseudonymity"/>
+              </xs:restriction>
+            </xs:simpleType>
+          </xs:attribute>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-nomad-telephony-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-nomad-telephony-2.0.xsd
new file mode 100644
index 0000000000..f492daa668
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-nomad-telephony-2.0.xsd
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony
+        Document identifier: saml-schema-authn-context-nomad-telephony-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="Password"/>
+            <xs:element ref="SubscriberLineNumber"/>
+            <xs:element ref="UserSuffix"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorTransportProtocolType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorTransportProtocolType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="PSTN"/>
+              <xs:element ref="ISDN"/>
+              <xs:element ref="ADSL"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-personal-telephony-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-personal-telephony-2.0.xsd
new file mode 100644
index 0000000000..5e8a684a2b
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-personal-telephony-2.0.xsd
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalizedTelephony"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalizedTelephony"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalizedTelephony
+        Document identifier: saml-schema-authn-context-personal-telephony-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="SubscriberLineNumber"/>
+            <xs:element ref="UserSuffix"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorTransportProtocolType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorTransportProtocolType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="PSTN"/>
+              <xs:element ref="ISDN"/>
+              <xs:element ref="ADSL"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-pgp-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-pgp-2.0.xsd
new file mode 100644
index 0000000000..be64d8b796
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-pgp-2.0.xsd
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:PGP"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:PGP"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:PGP
+        Document identifier: saml-schema-authn-context-pgp-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrincipalAuthenticationMechanismType">
+      <xs:complexContent>
+        <xs:restriction base="PrincipalAuthenticationMechanismType">
+          <xs:sequence>
+            <xs:element ref="RestrictedPassword"/>
+          </xs:sequence>
+          <xs:attribute name="preauth" type="xs:integer" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="DigSig"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PublicKeyType">
+      <xs:complexContent>
+        <xs:restriction base="PublicKeyType">
+          <xs:attribute name="keyValidation" fixed="urn:oasis:names:tc:SAML:2.0:ac:classes:PGP"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-ppt-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-ppt-2.0.xsd
new file mode 100644
index 0000000000..b24a4ebfb8
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-ppt-2.0.xsd
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+        Document identifier: saml-schema-authn-context-ppt-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="RestrictedPassword"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorTransportProtocolType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorTransportProtocolType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="SSL"/>
+              <xs:element ref="MobileNetworkRadioEncryption"/>
+              <xs:element ref="MobileNetworkEndToEndEncryption"/>
+              <xs:element ref="WTLS"/>
+              <xs:element ref="IPSec"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-pword-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-pword-2.0.xsd
new file mode 100644
index 0000000000..75952d5cdd
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-pword-2.0.xsd
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        Document identifier: saml-schema-authn-context-pword-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="RestrictedPassword"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-session-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-session-2.0.xsd
new file mode 100644
index 0000000000..fea86e7fb1
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-session-2.0.xsd
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
+        Document identifier: saml-schema-authn-context-session-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="PreviousSession"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-smartcard-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-smartcard-2.0.xsd
new file mode 100644
index 0000000000..abda34e822
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-smartcard-2.0.xsd
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
+        Document identifier: saml-schema-authn-context-smartcard-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrincipalAuthenticationMechanismType">
+      <xs:complexContent>
+        <xs:restriction base="PrincipalAuthenticationMechanismType">
+          <xs:sequence>
+            <xs:element ref="Smartcard"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-smartcardpki-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-smartcardpki-2.0.xsd
new file mode 100644
index 0000000000..7d9f5a726a
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-smartcardpki-2.0.xsd
@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
+        Document identifier: saml-schema-authn-context-smartcardpki-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="TechnicalProtectionBaseType">
+      <xs:complexContent>
+        <xs:restriction base="TechnicalProtectionBaseType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="PrivateKeyProtection"/>
+            </xs:choice>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrincipalAuthenticationMechanismType">
+      <xs:complexContent>
+        <xs:restriction base="PrincipalAuthenticationMechanismType">
+          <xs:sequence>
+            <xs:element ref="Smartcard"/>
+            <xs:element ref="ActivationPin"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="DigSig"/>
+              <xs:element ref="AsymmetricDecryption"/>
+              <xs:element ref="AsymmetricKeyAgreement"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrivateKeyProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="PrivateKeyProtectionType">
+          <xs:sequence>
+            <xs:element ref="KeyActivation"/>
+            <xs:element ref="KeyStorage"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="KeyActivationType">
+      <xs:complexContent>
+        <xs:restriction base="KeyActivationType">
+          <xs:sequence>
+            <xs:element ref="ActivationPin"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="KeyStorageType">
+      <xs:complexContent>
+        <xs:restriction base="KeyStorageType">
+          <xs:attribute name="medium" use="required">
+            <xs:simpleType>
+              <xs:restriction base="mediumType">
+                <xs:enumeration value="smartcard"/>
+              </xs:restriction>
+            </xs:simpleType>
+          </xs:attribute>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-softwarepki-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-softwarepki-2.0.xsd
new file mode 100644
index 0000000000..bd4cfdfa7d
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-softwarepki-2.0.xsd
@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI
+        Document identifier: saml-schema-authn-context-softwarepki-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="TechnicalProtectionBaseType">
+      <xs:complexContent>
+        <xs:restriction base="TechnicalProtectionBaseType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="PrivateKeyProtection"/>
+            </xs:choice>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrincipalAuthenticationMechanismType">
+      <xs:complexContent>
+        <xs:restriction base="PrincipalAuthenticationMechanismType">
+          <xs:sequence>
+            <xs:element ref="ActivationPin"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="DigSig"/>
+              <xs:element ref="AsymmetricDecryption"/>
+              <xs:element ref="AsymmetricKeyAgreement"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrivateKeyProtectionType">
+      <xs:complexContent>
+        <xs:restriction base="PrivateKeyProtectionType">
+          <xs:sequence>
+            <xs:element ref="KeyActivation"/>
+            <xs:element ref="KeyStorage"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="KeyActivationType">
+      <xs:complexContent>
+        <xs:restriction base="KeyActivationType">
+          <xs:sequence>
+            <xs:element ref="ActivationPin"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="KeyStorageType">
+      <xs:complexContent>
+        <xs:restriction base="KeyStorageType">
+          <xs:attribute name="medium" use="required">
+            <xs:simpleType>
+              <xs:restriction base="mediumType">
+                <xs:enumeration value="memory"/>
+              </xs:restriction>
+            </xs:simpleType>
+          </xs:attribute>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-spki-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-spki-2.0.xsd
new file mode 100644
index 0000000000..3827cc1cbe
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-spki-2.0.xsd
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI
+        Document identifier: saml-schema-authn-context-spki-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrincipalAuthenticationMechanismType">
+      <xs:complexContent>
+        <xs:restriction base="PrincipalAuthenticationMechanismType">
+          <xs:sequence>
+            <xs:element ref="RestrictedPassword"/>
+          </xs:sequence>
+          <xs:attribute name="preauth" type="xs:integer" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="DigSig"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PublicKeyType">
+      <xs:complexContent>
+        <xs:restriction base="PublicKeyType">
+          <xs:attribute name="keyValidation" fixed="urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-srp-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-srp-2.0.xsd
new file mode 100644
index 0000000000..9457ea20c2
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-srp-2.0.xsd
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword
+        Document identifier: saml-schema-authn-context-srp-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrincipalAuthenticationMechanismType">
+      <xs:complexContent>
+        <xs:restriction base="PrincipalAuthenticationMechanismType">
+          <xs:sequence>
+            <xs:element ref="RestrictedPassword"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="SharedSecretChallengeResponse"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="SharedSecretChallengeResponseType">
+      <xs:complexContent>
+        <xs:restriction base="SharedSecretChallengeResponseType">
+          <xs:attribute name="method" type="xs:anyURI" fixed="urn:ietf:rfc:2945"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-sslcert-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-sslcert-2.0.xsd
new file mode 100644
index 0000000000..a9387ecfed
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-sslcert-2.0.xsd
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
+        Document identifier: saml-schema-authn-context-sslcert-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrincipalAuthenticationMechanismType">
+      <xs:complexContent>
+        <xs:restriction base="PrincipalAuthenticationMechanismType">
+          <xs:sequence>
+            <xs:element ref="RestrictedPassword"/>
+          </xs:sequence>
+          <xs:attribute name="preauth" type="xs:integer" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="DigSig"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PublicKeyType">
+      <xs:complexContent>
+        <xs:restriction base="PublicKeyType">
+          <xs:attribute name="keyValidation" type="xs:anyURI" fixed="urn:oasis:names:tc:SAML:2.0:ac:classes:X509"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorTransportProtocolType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorTransportProtocolType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="SSL"/>
+              <xs:element ref="WTLS"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-telephony-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-telephony-2.0.xsd
new file mode 100644
index 0000000000..4e4b339799
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-telephony-2.0.xsd
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony
+        Document identifier: saml-schema-authn-context-telephony-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="SubscriberLineNumber"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorTransportProtocolType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorTransportProtocolType">
+          <xs:sequence>
+            <xs:choice>
+              <xs:element ref="PSTN"/>
+              <xs:element ref="ISDN"/>
+              <xs:element ref="ADSL"/>
+            </xs:choice>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-timesync-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-timesync-2.0.xsd
new file mode 100644
index 0000000000..076e21dee3
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-timesync-2.0.xsd
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
+        Document identifier: saml-schema-authn-context-timesync-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrincipalAuthenticationMechanismType">
+      <xs:complexContent>
+        <xs:restriction base="PrincipalAuthenticationMechanismType">
+          <xs:sequence>
+            <xs:element ref="Token"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="TokenType">
+      <xs:complexContent>
+        <xs:restriction base="TokenType">
+          <xs:sequence>
+            <xs:element ref="TimeSyncToken"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="TimeSyncTokenType">
+      <xs:complexContent>
+        <xs:restriction base="TimeSyncTokenType">
+          <xs:attribute name="DeviceType" use="required">
+            <xs:simpleType>
+              <xs:restriction base="DeviceTypeType">
+                <xs:enumeration value="hardware"/>
+              </xs:restriction>
+            </xs:simpleType>
+          </xs:attribute>
+
+          <xs:attribute name="SeedLength" use="required">
+            <xs:simpleType>
+              <xs:restriction base="xs:integer">
+                <xs:minInclusive value="64"/>
+              </xs:restriction>
+            </xs:simpleType>
+          </xs:attribute>
+
+          <xs:attribute name="DeviceInHand" use="required">
+            <xs:simpleType>
+              <xs:restriction base="booleanType">
+                <xs:enumeration value="true"/>
+              </xs:restriction>
+            </xs:simpleType>
+          </xs:attribute>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-types-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-types-2.0.xsd
new file mode 100644
index 0000000000..1df3e68e71
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-types-2.0.xsd
@@ -0,0 +1,823 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema
+        xmlns:xs="http://www.w3.org/2001/XMLSchema"
+        elementFormDefault="qualified"
+        version="2.0">
+
+  <xs:annotation>
+    <xs:documentation>
+      Document identifier: saml-schema-authn-context-types-2.0
+      Location: http://docs.oasis-open.org/security/saml/v2.0/
+      Revision history:
+      V2.0 (March, 2005):
+      New core authentication context schema types for SAML V2.0.
+    </xs:documentation>
+  </xs:annotation>
+
+  <xs:element name="AuthenticationContextDeclaration" type="AuthnContextDeclarationBaseType">
+    <xs:annotation>
+      <xs:documentation>
+        A particular assertion on an identity
+        provider's part with respect to the authentication
+        context associated with an authentication assertion.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Identification" type="IdentificationType">
+    <xs:annotation>
+      <xs:documentation>
+        Refers to those characteristics that describe the
+        processes and mechanisms
+        the Authentication Authority uses to initially create
+        an association between a Principal
+        and the identity (or name) by which the Principal will
+        be known
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="PhysicalVerification">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that identification has been
+        performed in a physical
+        face-to-face meeting with the principal and not in an
+        online manner.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:complexType>
+      <xs:attribute name="credentialLevel">
+        <xs:simpleType>
+          <xs:restriction base="xs:NMTOKEN">
+            <xs:enumeration value="primary"/>
+            <xs:enumeration value="secondary"/>
+          </xs:restriction>
+        </xs:simpleType>
+      </xs:attribute>
+    </xs:complexType>
+  </xs:element>
+
+  <xs:element name="WrittenConsent" type="ExtensionOnlyType"/>
+
+  <xs:element name="TechnicalProtection" type="TechnicalProtectionBaseType">
+    <xs:annotation>
+      <xs:documentation>
+        Refers to those characterstics that describe how the
+        'secret' (the knowledge or possession
+        of which allows the Principal to authenticate to the
+        Authentication Authority) is kept secure
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SecretKeyProtection" type="SecretKeyProtectionType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates the types and strengths of
+        facilities
+        of a UA used to protect a shared secret key from
+        unauthorized access and/or use.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="PrivateKeyProtection" type="PrivateKeyProtectionType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates the types and strengths of
+        facilities
+        of a UA used to protect a private key from
+        unauthorized access and/or use.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="KeyActivation" type="KeyActivationType">
+    <xs:annotation>
+      <xs:documentation>The actions that must be performed
+        before the private key can be used.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="KeySharing" type="KeySharingType">
+    <xs:annotation>
+      <xs:documentation>Whether or not the private key is shared
+        with the certificate authority.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="KeyStorage" type="KeyStorageType">
+    <xs:annotation>
+      <xs:documentation>
+        In which medium is the key stored.
+        memory - the key is stored in memory.
+        smartcard - the key is stored in a smartcard.
+        token - the key is stored in a hardware token.
+        MobileDevice - the key is stored in a mobile device.
+        MobileAuthCard - the key is stored in a mobile
+        authentication card.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SubscriberLineNumber" type="ExtensionOnlyType"/>
+  <xs:element name="UserSuffix" type="ExtensionOnlyType"/>
+
+  <xs:element name="Password" type="PasswordType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that a password (or passphrase)
+        has been used to
+        authenticate the Principal to a remote system.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="ActivationPin" type="ActivationPinType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that a Pin (Personal
+        Identification Number) has been used to authenticate the Principal to
+        some local system in order to activate a key.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Token" type="TokenType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that a hardware or software
+        token is used
+        as a method of identifying the Principal.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="TimeSyncToken" type="TimeSyncTokenType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that a time synchronization
+        token is used to identify the Principal. hardware -
+        the time synchonization
+        token has been implemented in hardware. software - the
+        time synchronization
+        token has been implemented in software. SeedLength -
+        the length, in bits, of the
+        random seed used in the time synchronization token.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Smartcard" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that a smartcard is used to
+        identity the Principal.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Length" type="LengthType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates the minimum and/or maximum
+        ASCII length of the password which is enforced (by the UA or the
+        IdP). In other words, this is the minimum and/or maximum number of
+        ASCII characters required to represent a valid password.
+        min - the minimum number of ASCII characters required
+        in a valid password, as enforced by the UA or the IdP.
+        max - the maximum number of ASCII characters required
+        in a valid password, as enforced by the UA or the IdP.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="ActivationLimit" type="ActivationLimitType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates the length of time for which an
+        PIN-based authentication is valid.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Generation">
+    <xs:annotation>
+      <xs:documentation>
+        Indicates whether the password was chosen by the
+        Principal or auto-supplied by the Authentication Authority.
+        principalchosen - the Principal is allowed to choose
+        the value of the password. This is true even if
+        the initial password is chosen at random by the UA or
+        the IdP and the Principal is then free to change
+        the password.
+        automatic - the password is chosen by the UA or the
+        IdP to be cryptographically strong in some sense,
+        or to satisfy certain password rules, and that the
+        Principal is not free to change it or to choose a new password.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType>
+      <xs:attribute name="mechanism" use="required">
+        <xs:simpleType>
+          <xs:restriction base="xs:NMTOKEN">
+            <xs:enumeration value="principalchosen"/>
+            <xs:enumeration value="automatic"/>
+          </xs:restriction>
+        </xs:simpleType>
+      </xs:attribute>
+    </xs:complexType>
+  </xs:element>
+
+  <xs:element name="AuthnMethod" type="AuthnMethodBaseType">
+    <xs:annotation>
+      <xs:documentation>
+        Refers to those characteristics that define the
+        mechanisms by which the Principal authenticates to the Authentication
+        Authority.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="PrincipalAuthenticationMechanism" type="PrincipalAuthenticationMechanismType">
+    <xs:annotation>
+      <xs:documentation>
+        The method that a Principal employs to perform
+        authentication to local system components.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Authenticator" type="AuthenticatorBaseType">
+    <xs:annotation>
+      <xs:documentation>
+        The method applied to validate a principal's
+        authentication across a network
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="ComplexAuthenticator" type="ComplexAuthenticatorType">
+    <xs:annotation>
+      <xs:documentation>
+        Supports Authenticators with nested combinations of
+        additional complexity.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="PreviousSession" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        Indicates that the Principal has been strongly
+        authenticated in a previous session during which the IdP has set a
+        cookie in the UA. During the present session the Principal has only
+        been authenticated by the UA returning the cookie to the IdP.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="ResumeSession" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        Rather like PreviousSession but using stronger
+        security. A secret that was established in a previous session with
+        the Authentication Authority has been cached by the local system and
+        is now re-used (e.g. a Master Secret is used to derive new session
+        keys in TLS, SSL, WTLS).
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="ZeroKnowledge" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Principal has been
+        authenticated by a zero knowledge technique as specified in ISO/IEC
+        9798-5.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SharedSecretChallengeResponse" type="SharedSecretChallengeResponseType"/>
+
+  <xs:complexType name="SharedSecretChallengeResponseType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Principal has been
+        authenticated by a challenge-response protocol utilizing shared secret
+        keys and symmetric cryptography.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="method" type="xs:anyURI" use="optional"/>
+  </xs:complexType>
+
+  <xs:element name="DigSig" type="PublicKeyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Principal has been
+        authenticated by a mechanism which involves the Principal computing a
+        digital signature over at least challenge data provided by the IdP.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="AsymmetricDecryption" type="PublicKeyType">
+    <xs:annotation>
+      <xs:documentation>
+        The local system has a private key but it is used
+        in decryption mode, rather than signature mode. For example, the
+        Authentication Authority generates a secret and encrypts it using the
+        local system's public key: the local system then proves it has
+        decrypted the secret.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="AsymmetricKeyAgreement" type="PublicKeyType">
+    <xs:annotation>
+      <xs:documentation>
+        The local system has a private key and uses it for
+        shared secret key agreement with the Authentication Authority (e.g.
+        via Diffie Helman).
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:complexType name="PublicKeyType">
+    <xs:sequence>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="keyValidation" use="optional"/>
+  </xs:complexType>
+
+  <xs:element name="IPAddress" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Principal has been
+        authenticated through connection from a particular IP address.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SharedSecretDynamicPlaintext" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        The local system and Authentication Authority
+        share a secret key. The local system uses this to encrypt a
+        randomised string to pass to the Authentication Authority.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="AuthenticatorTransportProtocol" type="AuthenticatorTransportProtocolType">
+    <xs:annotation>
+      <xs:documentation>
+        The protocol across which Authenticator information is
+        transferred to an Authentication Authority verifier.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="HTTP" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Authenticator has been
+        transmitted using bare HTTP utilizing no additional security
+        protocols.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="IPSec" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Authenticator has been
+        transmitted using a transport mechanism protected by an IPSEC session.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="WTLS" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Authenticator has been
+        transmitted using a transport mechanism protected by a WTLS session.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="MobileNetworkNoEncryption" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Authenticator has been
+        transmitted solely across a mobile network using no additional
+        security mechanism.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="MobileNetworkRadioEncryption" type="ExtensionOnlyType"/>
+  <xs:element name="MobileNetworkEndToEndEncryption" type="ExtensionOnlyType"/>
+
+  <xs:element name="SSL" type="ExtensionOnlyType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Authenticator has been
+        transmitted using a transport mechnanism protected by an SSL or TLS
+        session.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="PSTN" type="ExtensionOnlyType"/>
+  <xs:element name="ISDN" type="ExtensionOnlyType"/>
+  <xs:element name="ADSL" type="ExtensionOnlyType"/>
+
+  <xs:element name="OperationalProtection" type="OperationalProtectionType">
+    <xs:annotation>
+      <xs:documentation>
+        Refers to those characteristics that describe
+        procedural security controls employed by the Authentication Authority.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SecurityAudit" type="SecurityAuditType"/>
+  <xs:element name="SwitchAudit" type="ExtensionOnlyType"/>
+  <xs:element name="DeactivationCallCenter" type="ExtensionOnlyType"/>
+
+  <xs:element name="GoverningAgreements" type="GoverningAgreementsType">
+    <xs:annotation>
+      <xs:documentation>
+        Provides a mechanism for linking to external (likely
+        human readable) documents in which additional business agreements,
+        (e.g. liability constraints, obligations, etc) can be placed.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="GoverningAgreementRef" type="GoverningAgreementRefType"/>
+
+  <xs:simpleType name="nymType">
+    <xs:restriction base="xs:NMTOKEN">
+      <xs:enumeration value="anonymity"/>
+      <xs:enumeration value="verinymity"/>
+      <xs:enumeration value="pseudonymity"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:complexType name="AuthnContextDeclarationBaseType">
+    <xs:sequence>
+      <xs:element ref="Identification" minOccurs="0"/>
+      <xs:element ref="TechnicalProtection" minOccurs="0"/>
+      <xs:element ref="OperationalProtection" minOccurs="0"/>
+      <xs:element ref="AuthnMethod" minOccurs="0"/>
+      <xs:element ref="GoverningAgreements" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="ID" type="xs:ID" use="optional"/>
+  </xs:complexType>
+
+  <xs:complexType name="IdentificationType">
+    <xs:sequence>
+      <xs:element ref="PhysicalVerification" minOccurs="0"/>
+      <xs:element ref="WrittenConsent" minOccurs="0"/>
+      <xs:element ref="GoverningAgreements" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="nym" type="nymType">
+      <xs:annotation>
+        <xs:documentation>
+          This attribute indicates whether or not the
+          Identification mechanisms allow the actions of the Principal to be
+          linked to an actual end user.
+        </xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+  </xs:complexType>
+
+  <xs:complexType name="TechnicalProtectionBaseType">
+    <xs:sequence>
+      <xs:choice minOccurs="0">
+        <xs:element ref="PrivateKeyProtection"/>
+        <xs:element ref="SecretKeyProtection"/>
+      </xs:choice>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="OperationalProtectionType">
+    <xs:sequence>
+      <xs:element ref="SecurityAudit" minOccurs="0"/>
+      <xs:element ref="DeactivationCallCenter" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="AuthnMethodBaseType">
+    <xs:sequence>
+      <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+      <xs:element ref="Authenticator" minOccurs="0"/>
+      <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="GoverningAgreementsType">
+    <xs:sequence>
+      <xs:element ref="GoverningAgreementRef" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="GoverningAgreementRefType">
+    <xs:attribute name="governingAgreementRef" type="xs:anyURI" use="required"/>
+  </xs:complexType>
+
+  <xs:complexType name="PrincipalAuthenticationMechanismType">
+    <xs:sequence>
+      <xs:element ref="Password" minOccurs="0"/>
+      <xs:element ref="RestrictedPassword" minOccurs="0"/>
+      <xs:element ref="Token" minOccurs="0"/>
+      <xs:element ref="Smartcard" minOccurs="0"/>
+      <xs:element ref="ActivationPin" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="preauth" type="xs:integer" use="optional"/>
+  </xs:complexType>
+
+  <xs:group name="AuthenticatorChoiceGroup">
+    <xs:choice>
+      <xs:element ref="PreviousSession"/>
+      <xs:element ref="ResumeSession"/>
+      <xs:element ref="DigSig"/>
+      <xs:element ref="Password"/>
+      <xs:element ref="RestrictedPassword"/>
+      <xs:element ref="ZeroKnowledge"/>
+      <xs:element ref="SharedSecretChallengeResponse"/>
+      <xs:element ref="SharedSecretDynamicPlaintext"/>
+      <xs:element ref="IPAddress"/>
+      <xs:element ref="AsymmetricDecryption"/>
+      <xs:element ref="AsymmetricKeyAgreement"/>
+      <xs:element ref="SubscriberLineNumber"/>
+      <xs:element ref="UserSuffix"/>
+      <xs:element ref="ComplexAuthenticator"/>
+    </xs:choice>
+  </xs:group>
+
+  <xs:group name="AuthenticatorSequenceGroup">
+    <xs:sequence>
+      <xs:element ref="PreviousSession" minOccurs="0"/>
+      <xs:element ref="ResumeSession" minOccurs="0"/>
+      <xs:element ref="DigSig" minOccurs="0"/>
+      <xs:element ref="Password" minOccurs="0"/>
+      <xs:element ref="RestrictedPassword" minOccurs="0"/>
+      <xs:element ref="ZeroKnowledge" minOccurs="0"/>
+      <xs:element ref="SharedSecretChallengeResponse" minOccurs="0"/>
+      <xs:element ref="SharedSecretDynamicPlaintext" minOccurs="0"/>
+      <xs:element ref="IPAddress" minOccurs="0"/>
+      <xs:element ref="AsymmetricDecryption" minOccurs="0"/>
+      <xs:element ref="AsymmetricKeyAgreement" minOccurs="0"/>
+      <xs:element ref="SubscriberLineNumber" minOccurs="0"/>
+      <xs:element ref="UserSuffix" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:group>
+
+  <xs:complexType name="AuthenticatorBaseType">
+    <xs:sequence>
+      <xs:group ref="AuthenticatorChoiceGroup"/>
+      <xs:group ref="AuthenticatorSequenceGroup"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="ComplexAuthenticatorType">
+    <xs:sequence>
+      <xs:group ref="AuthenticatorChoiceGroup"/>
+      <xs:group ref="AuthenticatorSequenceGroup"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="AuthenticatorTransportProtocolType">
+    <xs:sequence>
+      <xs:choice minOccurs="0">
+        <xs:element ref="HTTP"/>
+        <xs:element ref="SSL"/>
+        <xs:element ref="MobileNetworkNoEncryption"/>
+        <xs:element ref="MobileNetworkRadioEncryption"/>
+        <xs:element ref="MobileNetworkEndToEndEncryption"/>
+        <xs:element ref="WTLS"/>
+        <xs:element ref="IPSec"/>
+        <xs:element ref="PSTN"/>
+        <xs:element ref="ISDN"/>
+        <xs:element ref="ADSL"/>
+      </xs:choice>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="KeyActivationType">
+    <xs:sequence>
+      <xs:element ref="ActivationPin" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="KeySharingType">
+    <xs:attribute name="sharing" type="xs:boolean" use="required"/>
+  </xs:complexType>
+
+  <xs:complexType name="PrivateKeyProtectionType">
+    <xs:sequence>
+      <xs:element ref="KeyActivation" minOccurs="0"/>
+      <xs:element ref="KeyStorage" minOccurs="0"/>
+      <xs:element ref="KeySharing" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="PasswordType">
+    <xs:sequence>
+      <xs:element ref="Length" minOccurs="0"/>
+      <xs:element ref="Alphabet" minOccurs="0"/>
+      <xs:element ref="Generation" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
+  </xs:complexType>
+
+  <xs:element name="RestrictedPassword" type="RestrictedPasswordType"/>
+
+  <xs:complexType name="RestrictedPasswordType">
+    <xs:complexContent>
+      <xs:restriction base="PasswordType">
+        <xs:sequence>
+          <xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>
+          <xs:element ref="Generation" minOccurs="0"/>
+          <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+        </xs:sequence>
+        <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
+      </xs:restriction>
+    </xs:complexContent>
+  </xs:complexType>
+
+  <xs:complexType name="RestrictedLengthType">
+    <xs:complexContent>
+      <xs:restriction base="LengthType">
+        <xs:attribute name="min" use="required">
+          <xs:simpleType>
+            <xs:restriction base="xs:integer">
+              <xs:minInclusive value="3"/>
+            </xs:restriction>
+          </xs:simpleType>
+        </xs:attribute>
+        <xs:attribute name="max" type="xs:integer" use="optional"/>
+      </xs:restriction>
+    </xs:complexContent>
+  </xs:complexType>
+
+  <xs:complexType name="ActivationPinType">
+    <xs:sequence>
+      <xs:element ref="Length" minOccurs="0"/>
+      <xs:element ref="Alphabet" minOccurs="0"/>
+      <xs:element ref="Generation" minOccurs="0"/>
+      <xs:element ref="ActivationLimit" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:element name="Alphabet" type="AlphabetType"/>
+  <xs:complexType name="AlphabetType">
+    <xs:attribute name="requiredChars" type="xs:string" use="required"/>
+    <xs:attribute name="excludedChars" type="xs:string" use="optional"/>
+    <xs:attribute name="case" type="xs:string" use="optional"/>
+  </xs:complexType>
+
+  <xs:complexType name="TokenType">
+    <xs:sequence>
+      <xs:element ref="TimeSyncToken"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:simpleType name="DeviceTypeType">
+    <xs:restriction base="xs:NMTOKEN">
+      <xs:enumeration value="hardware"/>
+      <xs:enumeration value="software"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name="booleanType">
+    <xs:restriction base="xs:NMTOKEN">
+      <xs:enumeration value="true"/>
+      <xs:enumeration value="false"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:complexType name="TimeSyncTokenType">
+    <xs:attribute name="DeviceType" type="DeviceTypeType" use="required"/>
+    <xs:attribute name="SeedLength" type="xs:integer" use="required"/>
+    <xs:attribute name="DeviceInHand" type="booleanType" use="required"/>
+  </xs:complexType>
+
+  <xs:complexType name="ActivationLimitType">
+    <xs:choice>
+      <xs:element ref="ActivationLimitDuration"/>
+      <xs:element ref="ActivationLimitUsages"/>
+      <xs:element ref="ActivationLimitSession"/>
+    </xs:choice>
+  </xs:complexType>
+
+  <xs:element name="ActivationLimitDuration" type="ActivationLimitDurationType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Key Activation Limit is
+        defined as a specific duration of time.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="ActivationLimitUsages" type="ActivationLimitUsagesType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Key Activation Limit is
+        defined as a number of usages.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="ActivationLimitSession" type="ActivationLimitSessionType">
+    <xs:annotation>
+      <xs:documentation>
+        This element indicates that the Key Activation Limit is
+        the session.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:complexType name="ActivationLimitDurationType">
+    <xs:attribute name="duration" type="xs:duration" use="required"/>
+  </xs:complexType>
+
+  <xs:complexType name="ActivationLimitUsagesType">
+    <xs:attribute name="number" type="xs:integer" use="required"/>
+  </xs:complexType>
+
+  <xs:complexType name="ActivationLimitSessionType"/>
+
+  <xs:complexType name="LengthType">
+    <xs:attribute name="min" type="xs:integer" use="required"/>
+    <xs:attribute name="max" type="xs:integer" use="optional"/>
+  </xs:complexType>
+
+  <xs:simpleType name="mediumType">
+    <xs:restriction base="xs:NMTOKEN">
+      <xs:enumeration value="memory"/>
+      <xs:enumeration value="smartcard"/>
+      <xs:enumeration value="token"/>
+      <xs:enumeration value="MobileDevice"/>
+      <xs:enumeration value="MobileAuthCard"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:complexType name="KeyStorageType">
+    <xs:attribute name="medium" type="mediumType" use="required"/>
+  </xs:complexType>
+
+  <xs:complexType name="SecretKeyProtectionType">
+    <xs:sequence>
+      <xs:element ref="KeyActivation" minOccurs="0"/>
+      <xs:element ref="KeyStorage" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="SecurityAuditType">
+    <xs:sequence>
+      <xs:element ref="SwitchAudit" minOccurs="0"/>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="ExtensionOnlyType">
+    <xs:sequence>
+      <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:element name="Extension" type="ExtensionType"/>
+
+  <xs:complexType name="ExtensionType">
+    <xs:sequence>
+      <xs:any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-x509-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-x509-2.0.xsd
new file mode 100644
index 0000000000..112331757f
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-x509-2.0.xsd
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:X509
+        Document identifier: saml-schema-authn-context-x509-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrincipalAuthenticationMechanismType">
+      <xs:complexContent>
+        <xs:restriction base="PrincipalAuthenticationMechanismType">
+          <xs:sequence>
+            <xs:element ref="RestrictedPassword"/>
+          </xs:sequence>
+          <xs:attribute name="preauth" type="xs:integer" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="DigSig"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PublicKeyType">
+      <xs:complexContent>
+        <xs:restriction base="PublicKeyType">
+          <xs:attribute name="keyValidation" type="xs:anyURI" fixed="urn:oasis:names:tc:SAML:2.0:ac:classes:X509"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-xmldsig-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-xmldsig-2.0.xsd
new file mode 100644
index 0000000000..f4be6abd23
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-authn-context-xmldsig-2.0.xsd
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns="urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig"
+           finalDefault="extension"
+           blockDefault="substitution"
+           version="2.0">
+
+  <xs:redefine schemaLocation="saml-schema-authn-context-types-2.0.xsd">
+
+    <xs:annotation>
+      <xs:documentation>
+        Class identifier: urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig
+        Document identifier: saml-schema-authn-context-xmldsig-2.0
+        Location: http://docs.oasis-open.org/security/saml/v2.0/
+        Revision history:
+        V2.0 (March, 2005):
+        New authentication context class schema for SAML V2.0.
+      </xs:documentation>
+    </xs:annotation>
+
+    <xs:complexType name="AuthnContextDeclarationBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnContextDeclarationBaseType">
+          <xs:sequence>
+            <xs:element ref="Identification" minOccurs="0"/>
+            <xs:element ref="TechnicalProtection" minOccurs="0"/>
+            <xs:element ref="OperationalProtection" minOccurs="0"/>
+            <xs:element ref="AuthnMethod"/>
+            <xs:element ref="GoverningAgreements" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+          <xs:attribute name="ID" type="xs:ID" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthnMethodBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthnMethodBaseType">
+          <xs:sequence>
+            <xs:element ref="PrincipalAuthenticationMechanism"/>
+            <xs:element ref="Authenticator"/>
+            <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PrincipalAuthenticationMechanismType">
+      <xs:complexContent>
+        <xs:restriction base="PrincipalAuthenticationMechanismType">
+          <xs:sequence>
+            <xs:element ref="RestrictedPassword"/>
+          </xs:sequence>
+          <xs:attribute name="preauth" type="xs:integer" use="optional"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="AuthenticatorBaseType">
+      <xs:complexContent>
+        <xs:restriction base="AuthenticatorBaseType">
+          <xs:sequence>
+            <xs:element ref="DigSig"/>
+          </xs:sequence>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+    <xs:complexType name="PublicKeyType">
+      <xs:complexContent>
+        <xs:restriction base="PublicKeyType">
+          <xs:attribute name="keyValidation" type="xs:anyURI" fixed="urn:ietf:rfc:3075"/>
+        </xs:restriction>
+      </xs:complexContent>
+    </xs:complexType>
+
+  </xs:redefine>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-dce-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-dce-2.0.xsd
new file mode 100644
index 0000000000..6517ca2e62
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-dce-2.0.xsd
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema targetNamespace="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE"
+        xmlns:dce="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        elementFormDefault="unqualified"
+        attributeFormDefault="unqualified"
+        blockDefault="substitution"
+        version="2.0">
+  <annotation>
+    <documentation>
+      Document identifier: saml-schema-dce-2.0
+      Location: http://docs.oasis-open.org/security/saml/v2.0/
+      Revision history:
+      V2.0 (March, 2005):
+      Custom schema for DCE attribute profile, first published in SAML 2.0.
+    </documentation>
+  </annotation>
+  <complexType name="DCEValueType">
+    <simpleContent>
+      <extension base="anyURI">
+        <attribute ref="dce:Realm" use="optional"/>
+        <attribute ref="dce:FriendlyName" use="optional"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+  <attribute name="Realm" type="anyURI"/>
+  <attribute name="FriendlyName" type="string"/>
+</schema>
+
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-ecp-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-ecp-2.0.xsd
new file mode 100644
index 0000000000..37a66dc15b
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-ecp-2.0.xsd
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+        targetNamespace="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
+        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+        xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
+        elementFormDefault="unqualified"
+        attributeFormDefault="unqualified"
+        blockDefault="substitution"
+        version="2.0">
+  <import namespace="urn:oasis:names:tc:SAML:2.0:protocol"
+          schemaLocation="saml-schema-protocol-2.0.xsd"/>
+  <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+          schemaLocation="saml-schema-assertion-2.0.xsd"/>
+  <import namespace="http://schemas.xmlsoap.org/soap/envelope/"
+          schemaLocation="http://schemas.xmlsoap.org/soap/envelope/"/>
+  <annotation>
+    <documentation>
+      Document identifier: saml-schema-ecp-2.0
+      Location: http://docs.oasis-open.org/security/saml/v2.0/
+      Revision history:
+      V2.0 (March, 2005):
+      Custom schema for ECP profile, first published in SAML 2.0.
+    </documentation>
+  </annotation>
+
+  <element name="Request" type="ecp:RequestType"/>
+  <complexType name="RequestType">
+    <sequence>
+      <element ref="saml:Issuer"/>
+      <element ref="samlp:IDPList" minOccurs="0"/>
+    </sequence>
+    <attribute ref="S:mustUnderstand" use="required"/>
+    <attribute ref="S:actor" use="required"/>
+    <attribute name="ProviderName" type="string" use="optional"/>
+    <attribute name="IsPassive" type="boolean" use="optional"/>
+  </complexType>
+
+  <element name="Response" type="ecp:ResponseType"/>
+  <complexType name="ResponseType">
+    <attribute ref="S:mustUnderstand" use="required"/>
+    <attribute ref="S:actor" use="required"/>
+    <attribute name="AssertionConsumerServiceURL" type="anyURI" use="required"/>
+  </complexType>
+
+  <element name="RelayState" type="ecp:RelayStateType"/>
+  <complexType name="RelayStateType">
+    <simpleContent>
+      <extension base="string">
+        <attribute ref="S:mustUnderstand" use="required"/>
+        <attribute ref="S:actor" use="required"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+</schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-metadata-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-metadata-2.0.xsd
new file mode 100644
index 0000000000..5c8d217190
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-metadata-2.0.xsd
@@ -0,0 +1,337 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+        targetNamespace="urn:oasis:names:tc:SAML:2.0:metadata"
+        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        elementFormDefault="unqualified"
+        attributeFormDefault="unqualified"
+        blockDefault="substitution"
+        version="2.0">
+  <import namespace="http://www.w3.org/2000/09/xmldsig#"
+          schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
+  <import namespace="http://www.w3.org/2001/04/xmlenc#"
+          schemaLocation="http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd"/>
+  <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+          schemaLocation="saml-schema-assertion-2.0.xsd"/>
+  <import namespace="http://www.w3.org/XML/1998/namespace"
+          schemaLocation="http://www.w3.org/2001/xml.xsd"/>
+  <annotation>
+    <documentation>
+      Document identifier: saml-schema-metadata-2.0
+      Location: http://docs.oasis-open.org/security/saml/v2.0/
+      Revision history:
+      V2.0 (March, 2005):
+      Schema for SAML metadata, first published in SAML 2.0.
+    </documentation>
+  </annotation>
+
+  <simpleType name="entityIDType">
+    <restriction base="anyURI">
+      <maxLength value="1024"/>
+    </restriction>
+  </simpleType>
+  <complexType name="localizedNameType">
+    <simpleContent>
+      <extension base="string">
+        <attribute ref="xml:lang" use="required"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+  <complexType name="localizedURIType">
+    <simpleContent>
+      <extension base="anyURI">
+        <attribute ref="xml:lang" use="required"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+
+  <element name="Extensions" type="md:ExtensionsType"/>
+  <complexType final="#all" name="ExtensionsType">
+    <sequence>
+      <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+    </sequence>
+  </complexType>
+
+  <complexType name="EndpointType">
+    <sequence>
+      <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="Binding" type="anyURI" use="required"/>
+    <attribute name="Location" type="anyURI" use="required"/>
+    <attribute name="ResponseLocation" type="anyURI" use="optional"/>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+
+  <complexType name="IndexedEndpointType">
+    <complexContent>
+      <extension base="md:EndpointType">
+        <attribute name="index" type="unsignedShort" use="required"/>
+        <attribute name="isDefault" type="boolean" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+
+  <element name="EntitiesDescriptor" type="md:EntitiesDescriptorType"/>
+  <complexType name="EntitiesDescriptorType">
+    <sequence>
+      <element ref="ds:Signature" minOccurs="0"/>
+      <element ref="md:Extensions" minOccurs="0"/>
+      <choice minOccurs="1" maxOccurs="unbounded">
+        <element ref="md:EntityDescriptor"/>
+        <element ref="md:EntitiesDescriptor"/>
+      </choice>
+    </sequence>
+    <attribute name="validUntil" type="dateTime" use="optional"/>
+    <attribute name="cacheDuration" type="duration" use="optional"/>
+    <attribute name="ID" type="ID" use="optional"/>
+    <attribute name="Name" type="string" use="optional"/>
+  </complexType>
+
+  <element name="EntityDescriptor" type="md:EntityDescriptorType"/>
+  <complexType name="EntityDescriptorType">
+    <sequence>
+      <element ref="ds:Signature" minOccurs="0"/>
+      <element ref="md:Extensions" minOccurs="0"/>
+      <choice>
+        <choice maxOccurs="unbounded">
+          <element ref="md:RoleDescriptor"/>
+          <element ref="md:IDPSSODescriptor"/>
+          <element ref="md:SPSSODescriptor"/>
+          <element ref="md:AuthnAuthorityDescriptor"/>
+          <element ref="md:AttributeAuthorityDescriptor"/>
+          <element ref="md:PDPDescriptor"/>
+        </choice>
+        <element ref="md:AffiliationDescriptor"/>
+      </choice>
+      <element ref="md:Organization" minOccurs="0"/>
+      <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+      <element ref="md:AdditionalMetadataLocation" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="entityID" type="md:entityIDType" use="required"/>
+    <attribute name="validUntil" type="dateTime" use="optional"/>
+    <attribute name="cacheDuration" type="duration" use="optional"/>
+    <attribute name="ID" type="ID" use="optional"/>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+
+  <element name="Organization" type="md:OrganizationType"/>
+  <complexType name="OrganizationType">
+    <sequence>
+      <element ref="md:Extensions" minOccurs="0"/>
+      <element ref="md:OrganizationName" maxOccurs="unbounded"/>
+      <element ref="md:OrganizationDisplayName" maxOccurs="unbounded"/>
+      <element ref="md:OrganizationURL" maxOccurs="unbounded"/>
+    </sequence>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+  <element name="OrganizationName" type="md:localizedNameType"/>
+  <element name="OrganizationDisplayName" type="md:localizedNameType"/>
+  <element name="OrganizationURL" type="md:localizedURIType"/>
+  <element name="ContactPerson" type="md:ContactType"/>
+  <complexType name="ContactType">
+    <sequence>
+      <element ref="md:Extensions" minOccurs="0"/>
+      <element ref="md:Company" minOccurs="0"/>
+      <element ref="md:GivenName" minOccurs="0"/>
+      <element ref="md:SurName" minOccurs="0"/>
+      <element ref="md:EmailAddress" minOccurs="0" maxOccurs="unbounded"/>
+      <element ref="md:TelephoneNumber" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="contactType" type="md:ContactTypeType" use="required"/>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+  <element name="Company" type="string"/>
+  <element name="GivenName" type="string"/>
+  <element name="SurName" type="string"/>
+  <element name="EmailAddress" type="anyURI"/>
+  <element name="TelephoneNumber" type="string"/>
+  <simpleType name="ContactTypeType">
+    <restriction base="string">
+      <enumeration value="technical"/>
+      <enumeration value="support"/>
+      <enumeration value="administrative"/>
+      <enumeration value="billing"/>
+      <enumeration value="other"/>
+    </restriction>
+  </simpleType>
+
+  <element name="AdditionalMetadataLocation" type="md:AdditionalMetadataLocationType"/>
+  <complexType name="AdditionalMetadataLocationType">
+    <simpleContent>
+      <extension base="anyURI">
+        <attribute name="namespace" type="anyURI" use="required"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+
+  <element name="RoleDescriptor" type="md:RoleDescriptorType"/>
+  <complexType name="RoleDescriptorType" abstract="true">
+    <sequence>
+      <element ref="ds:Signature" minOccurs="0"/>
+      <element ref="md:Extensions" minOccurs="0"/>
+      <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+      <element ref="md:Organization" minOccurs="0"/>
+      <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="ID" type="ID" use="optional"/>
+    <attribute name="validUntil" type="dateTime" use="optional"/>
+    <attribute name="cacheDuration" type="duration" use="optional"/>
+    <attribute name="protocolSupportEnumeration" type="md:anyURIListType" use="required"/>
+    <attribute name="errorURL" type="anyURI" use="optional"/>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+  <simpleType name="anyURIListType">
+    <list itemType="anyURI"/>
+  </simpleType>
+
+  <element name="KeyDescriptor" type="md:KeyDescriptorType"/>
+  <complexType name="KeyDescriptorType">
+    <sequence>
+      <element ref="ds:KeyInfo"/>
+      <element ref="md:EncryptionMethod" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="use" type="md:KeyTypes" use="optional"/>
+  </complexType>
+  <simpleType name="KeyTypes">
+    <restriction base="string">
+      <enumeration value="encryption"/>
+      <enumeration value="signing"/>
+    </restriction>
+  </simpleType>
+  <element name="EncryptionMethod" type="xenc:EncryptionMethodType"/>
+
+  <complexType name="SSODescriptorType" abstract="true">
+    <complexContent>
+      <extension base="md:RoleDescriptorType">
+        <sequence>
+          <element ref="md:ArtifactResolutionService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:SingleLogoutService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:ManageNameIDService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="ArtifactResolutionService" type="md:IndexedEndpointType"/>
+  <element name="SingleLogoutService" type="md:EndpointType"/>
+  <element name="ManageNameIDService" type="md:EndpointType"/>
+  <element name="NameIDFormat" type="anyURI"/>
+
+  <element name="IDPSSODescriptor" type="md:IDPSSODescriptorType"/>
+  <complexType name="IDPSSODescriptorType">
+    <complexContent>
+      <extension base="md:SSODescriptorType">
+        <sequence>
+          <element ref="md:SingleSignOnService" maxOccurs="unbounded"/>
+          <element ref="md:NameIDMappingService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="WantAuthnRequestsSigned" type="boolean" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="SingleSignOnService" type="md:EndpointType"/>
+  <element name="NameIDMappingService" type="md:EndpointType"/>
+  <element name="AssertionIDRequestService" type="md:EndpointType"/>
+  <element name="AttributeProfile" type="anyURI"/>
+
+  <element name="SPSSODescriptor" type="md:SPSSODescriptorType"/>
+  <complexType name="SPSSODescriptorType">
+    <complexContent>
+      <extension base="md:SSODescriptorType">
+        <sequence>
+          <element ref="md:AssertionConsumerService" maxOccurs="unbounded"/>
+          <element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="AuthnRequestsSigned" type="boolean" use="optional"/>
+        <attribute name="WantAssertionsSigned" type="boolean" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AssertionConsumerService" type="md:IndexedEndpointType"/>
+  <element name="AttributeConsumingService" type="md:AttributeConsumingServiceType"/>
+  <complexType name="AttributeConsumingServiceType">
+    <sequence>
+      <element ref="md:ServiceName" maxOccurs="unbounded"/>
+      <element ref="md:ServiceDescription" minOccurs="0" maxOccurs="unbounded"/>
+      <element ref="md:RequestedAttribute" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="index" type="unsignedShort" use="required"/>
+    <attribute name="isDefault" type="boolean" use="optional"/>
+  </complexType>
+  <element name="ServiceName" type="md:localizedNameType"/>
+  <element name="ServiceDescription" type="md:localizedNameType"/>
+  <element name="RequestedAttribute" type="md:RequestedAttributeType"/>
+  <complexType name="RequestedAttributeType">
+    <complexContent>
+      <extension base="saml:AttributeType">
+        <attribute name="isRequired" type="boolean" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+
+  <element name="AuthnAuthorityDescriptor" type="md:AuthnAuthorityDescriptorType"/>
+  <complexType name="AuthnAuthorityDescriptorType">
+    <complexContent>
+      <extension base="md:RoleDescriptorType">
+        <sequence>
+          <element ref="md:AuthnQueryService" maxOccurs="unbounded"/>
+          <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AuthnQueryService" type="md:EndpointType"/>
+
+  <element name="PDPDescriptor" type="md:PDPDescriptorType"/>
+  <complexType name="PDPDescriptorType">
+    <complexContent>
+      <extension base="md:RoleDescriptorType">
+        <sequence>
+          <element ref="md:AuthzService" maxOccurs="unbounded"/>
+          <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AuthzService" type="md:EndpointType"/>
+
+  <element name="AttributeAuthorityDescriptor" type="md:AttributeAuthorityDescriptorType"/>
+  <complexType name="AttributeAuthorityDescriptorType">
+    <complexContent>
+      <extension base="md:RoleDescriptorType">
+        <sequence>
+          <element ref="md:AttributeService" maxOccurs="unbounded"/>
+          <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+          <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AttributeService" type="md:EndpointType"/>
+
+  <element name="AffiliationDescriptor" type="md:AffiliationDescriptorType"/>
+  <complexType name="AffiliationDescriptorType">
+    <sequence>
+      <element ref="ds:Signature" minOccurs="0"/>
+      <element ref="md:Extensions" minOccurs="0"/>
+      <element ref="md:AffiliateMember" maxOccurs="unbounded"/>
+      <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="affiliationOwnerID" type="md:entityIDType" use="required"/>
+    <attribute name="validUntil" type="dateTime" use="optional"/>
+    <attribute name="cacheDuration" type="duration" use="optional"/>
+    <attribute name="ID" type="ID" use="optional"/>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </complexType>
+  <element name="AffiliateMember" type="md:entityIDType"/>
+</schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-protocol-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-protocol-2.0.xsd
new file mode 100644
index 0000000000..4441fe7dd7
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-protocol-2.0.xsd
@@ -0,0 +1,302 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+        targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+        elementFormDefault="unqualified"
+        attributeFormDefault="unqualified"
+        blockDefault="substitution"
+        version="2.0">
+  <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+          schemaLocation="saml-schema-assertion-2.0.xsd"/>
+  <import namespace="http://www.w3.org/2000/09/xmldsig#"
+          schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
+  <annotation>
+    <documentation>
+      Document identifier: saml-schema-protocol-2.0
+      Location: http://docs.oasis-open.org/security/saml/v2.0/
+      Revision history:
+      V1.0 (November, 2002):
+      Initial Standard Schema.
+      V1.1 (September, 2003):
+      Updates within the same V1.0 namespace.
+      V2.0 (March, 2005):
+      New protocol schema based in a SAML V2.0 namespace.
+    </documentation>
+  </annotation>
+  <complexType name="RequestAbstractType" abstract="true">
+    <sequence>
+      <element ref="saml:Issuer" minOccurs="0"/>
+      <element ref="ds:Signature" minOccurs="0"/>
+      <element ref="samlp:Extensions" minOccurs="0"/>
+    </sequence>
+    <attribute name="ID" type="ID" use="required"/>
+    <attribute name="Version" type="string" use="required"/>
+    <attribute name="IssueInstant" type="dateTime" use="required"/>
+    <attribute name="Destination" type="anyURI" use="optional"/>
+    <attribute name="Consent" type="anyURI" use="optional"/>
+  </complexType>
+  <element name="Extensions" type="samlp:ExtensionsType"/>
+  <complexType name="ExtensionsType">
+    <sequence>
+      <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+    </sequence>
+  </complexType>
+  <complexType name="StatusResponseType">
+    <sequence>
+      <element ref="saml:Issuer" minOccurs="0"/>
+      <element ref="ds:Signature" minOccurs="0"/>
+      <element ref="samlp:Extensions" minOccurs="0"/>
+      <element ref="samlp:Status"/>
+    </sequence>
+    <attribute name="ID" type="ID" use="required"/>
+    <attribute name="InResponseTo" type="NCName" use="optional"/>
+    <attribute name="Version" type="string" use="required"/>
+    <attribute name="IssueInstant" type="dateTime" use="required"/>
+    <attribute name="Destination" type="anyURI" use="optional"/>
+    <attribute name="Consent" type="anyURI" use="optional"/>
+  </complexType>
+  <element name="Status" type="samlp:StatusType"/>
+  <complexType name="StatusType">
+    <sequence>
+      <element ref="samlp:StatusCode"/>
+      <element ref="samlp:StatusMessage" minOccurs="0"/>
+      <element ref="samlp:StatusDetail" minOccurs="0"/>
+    </sequence>
+  </complexType>
+  <element name="StatusCode" type="samlp:StatusCodeType"/>
+  <complexType name="StatusCodeType">
+    <sequence>
+      <element ref="samlp:StatusCode" minOccurs="0"/>
+    </sequence>
+    <attribute name="Value" type="anyURI" use="required"/>
+  </complexType>
+  <element name="StatusMessage" type="string"/>
+  <element name="StatusDetail" type="samlp:StatusDetailType"/>
+  <complexType name="StatusDetailType">
+    <sequence>
+      <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+  </complexType>
+  <element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/>
+  <complexType name="AssertionIDRequestType">
+    <complexContent>
+      <extension base="samlp:RequestAbstractType">
+        <sequence>
+          <element ref="saml:AssertionIDRef" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
+  <complexType name="SubjectQueryAbstractType" abstract="true">
+    <complexContent>
+      <extension base="samlp:RequestAbstractType">
+        <sequence>
+          <element ref="saml:Subject"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AuthnQuery" type="samlp:AuthnQueryType"/>
+  <complexType name="AuthnQueryType">
+    <complexContent>
+      <extension base="samlp:SubjectQueryAbstractType">
+        <sequence>
+          <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
+        </sequence>
+        <attribute name="SessionIndex" type="string" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/>
+  <complexType name="RequestedAuthnContextType">
+    <choice>
+      <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/>
+      <element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/>
+    </choice>
+    <attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/>
+  </complexType>
+  <simpleType name="AuthnContextComparisonType">
+    <restriction base="string">
+      <enumeration value="exact"/>
+      <enumeration value="minimum"/>
+      <enumeration value="maximum"/>
+      <enumeration value="better"/>
+    </restriction>
+  </simpleType>
+  <element name="AttributeQuery" type="samlp:AttributeQueryType"/>
+  <complexType name="AttributeQueryType">
+    <complexContent>
+      <extension base="samlp:SubjectQueryAbstractType">
+        <sequence>
+          <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/>
+  <complexType name="AuthzDecisionQueryType">
+    <complexContent>
+      <extension base="samlp:SubjectQueryAbstractType">
+        <sequence>
+          <element ref="saml:Action" maxOccurs="unbounded"/>
+          <element ref="saml:Evidence" minOccurs="0"/>
+        </sequence>
+        <attribute name="Resource" type="anyURI" use="required"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="AuthnRequest" type="samlp:AuthnRequestType"/>
+  <complexType name="AuthnRequestType">
+    <complexContent>
+      <extension base="samlp:RequestAbstractType">
+        <sequence>
+          <element ref="saml:Subject" minOccurs="0"/>
+          <element ref="samlp:NameIDPolicy" minOccurs="0"/>
+          <element ref="saml:Conditions" minOccurs="0"/>
+          <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
+          <element ref="samlp:Scoping" minOccurs="0"/>
+        </sequence>
+        <attribute name="ForceAuthn" type="boolean" use="optional"/>
+        <attribute name="IsPassive" type="boolean" use="optional"/>
+        <attribute name="ProtocolBinding" type="anyURI" use="optional"/>
+        <attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/>
+        <attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/>
+        <attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/>
+        <attribute name="ProviderName" type="string" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="NameIDPolicy" type="samlp:NameIDPolicyType"/>
+  <complexType name="NameIDPolicyType">
+    <attribute name="Format" type="anyURI" use="optional"/>
+    <attribute name="SPNameQualifier" type="string" use="optional"/>
+    <attribute name="AllowCreate" type="boolean" use="optional"/>
+  </complexType>
+  <element name="Scoping" type="samlp:ScopingType"/>
+  <complexType name="ScopingType">
+    <sequence>
+      <element ref="samlp:IDPList" minOccurs="0"/>
+      <element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/>
+  </complexType>
+  <element name="RequesterID" type="anyURI"/>
+  <element name="IDPList" type="samlp:IDPListType"/>
+  <complexType name="IDPListType">
+    <sequence>
+      <element ref="samlp:IDPEntry" maxOccurs="unbounded"/>
+      <element ref="samlp:GetComplete" minOccurs="0"/>
+    </sequence>
+  </complexType>
+  <element name="IDPEntry" type="samlp:IDPEntryType"/>
+  <complexType name="IDPEntryType">
+    <attribute name="ProviderID" type="anyURI" use="required"/>
+    <attribute name="Name" type="string" use="optional"/>
+    <attribute name="Loc" type="anyURI" use="optional"/>
+  </complexType>
+  <element name="GetComplete" type="anyURI"/>
+  <element name="Response" type="samlp:ResponseType"/>
+  <complexType name="ResponseType">
+    <complexContent>
+      <extension base="samlp:StatusResponseType">
+        <choice minOccurs="0" maxOccurs="unbounded">
+          <element ref="saml:Assertion"/>
+          <element ref="saml:EncryptedAssertion"/>
+        </choice>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="ArtifactResolve" type="samlp:ArtifactResolveType"/>
+  <complexType name="ArtifactResolveType">
+    <complexContent>
+      <extension base="samlp:RequestAbstractType">
+        <sequence>
+          <element ref="samlp:Artifact"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="Artifact" type="string"/>
+  <element name="ArtifactResponse" type="samlp:ArtifactResponseType"/>
+  <complexType name="ArtifactResponseType">
+    <complexContent>
+      <extension base="samlp:StatusResponseType">
+        <sequence>
+          <any namespace="##any" processContents="lax" minOccurs="0"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/>
+  <complexType name="ManageNameIDRequestType">
+    <complexContent>
+      <extension base="samlp:RequestAbstractType">
+        <sequence>
+          <choice>
+            <element ref="saml:NameID"/>
+            <element ref="saml:EncryptedID"/>
+          </choice>
+          <choice>
+            <element ref="samlp:NewID"/>
+            <element ref="samlp:NewEncryptedID"/>
+            <element ref="samlp:Terminate"/>
+          </choice>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="NewID" type="string"/>
+  <element name="NewEncryptedID" type="saml:EncryptedElementType"/>
+  <element name="Terminate" type="samlp:TerminateType"/>
+  <complexType name="TerminateType"/>
+  <element name="ManageNameIDResponse" type="samlp:StatusResponseType"/>
+  <element name="LogoutRequest" type="samlp:LogoutRequestType"/>
+  <complexType name="LogoutRequestType">
+    <complexContent>
+      <extension base="samlp:RequestAbstractType">
+        <sequence>
+          <choice>
+            <element ref="saml:BaseID"/>
+            <element ref="saml:NameID"/>
+            <element ref="saml:EncryptedID"/>
+          </choice>
+          <element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="Reason" type="string" use="optional"/>
+        <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="SessionIndex" type="string"/>
+  <element name="LogoutResponse" type="samlp:StatusResponseType"/>
+  <element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/>
+  <complexType name="NameIDMappingRequestType">
+    <complexContent>
+      <extension base="samlp:RequestAbstractType">
+        <sequence>
+          <choice>
+            <element ref="saml:BaseID"/>
+            <element ref="saml:NameID"/>
+            <element ref="saml:EncryptedID"/>
+          </choice>
+          <element ref="samlp:NameIDPolicy"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+  <element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/>
+  <complexType name="NameIDMappingResponseType">
+    <complexContent>
+      <extension base="samlp:StatusResponseType">
+        <choice>
+          <element ref="saml:NameID"/>
+          <element ref="saml:EncryptedID"/>
+        </choice>
+      </extension>
+    </complexContent>
+  </complexType>
+</schema>
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-x500-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-x500-2.0.xsd
new file mode 100644
index 0000000000..8de37c116a
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-x500-2.0.xsd
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+        targetNamespace="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        elementFormDefault="unqualified"
+        attributeFormDefault="unqualified"
+        blockDefault="substitution"
+        version="2.0">
+  <annotation>
+    <documentation>
+      Document identifier: saml-schema-x500-2.0
+      Location: http://docs.oasis-open.org/security/saml/v2.0/
+      Revision history:
+      V2.0 (March, 2005):
+      Custom schema for X.500 attribute profile, first published in SAML 2.0.
+    </documentation>
+  </annotation>
+  <attribute name="Encoding" type="string"/>
+</schema>
+
diff --git a/saml-core/src/main/resources/schema/saml/v2/saml-schema-xacml-2.0.xsd b/saml-core/src/main/resources/schema/saml/v2/saml-schema-xacml-2.0.xsd
new file mode 100644
index 0000000000..206fe7fcdc
--- /dev/null
+++ b/saml-core/src/main/resources/schema/saml/v2/saml-schema-xacml-2.0.xsd
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+        targetNamespace="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        elementFormDefault="unqualified"
+        attributeFormDefault="unqualified"
+        blockDefault="substitution"
+        version="2.0">
+  <annotation>
+    <documentation>
+      Document identifier: saml-schema-xacml-2.0
+      Location: http://docs.oasis-open.org/security/saml/v2.0/
+      Revision history:
+      V2.0 (March, 2005):
+      Custom schema for XACML attribute profile, first published in SAML 2.0.
+    </documentation>
+  </annotation>
+  <attribute name="DataType" type="anyURI"/>
+</schema>
diff --git a/saml-core/src/main/resources/schema/w3c/xmldsig/xmldsig-core-schema.xsd b/saml-core/src/main/resources/schema/w3c/xmldsig/xmldsig-core-schema.xsd
new file mode 100644
index 0000000000..2a8633f653
--- /dev/null
+++ b/saml-core/src/main/resources/schema/w3c/xmldsig/xmldsig-core-schema.xsd
@@ -0,0 +1,319 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE schema
+        PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd"
+        [
+                <!ATTLIST schema
+                        xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#">
+                <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
+                <!ENTITY % p ''>
+                <!ENTITY % s ''>
+                ]>
+
+<!-- Schema for XML Signatures
+    http://www.w3.org/2000/09/xmldsig#
+    $Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle $
+
+    Copyright 2001 The Internet Society and W3C (Massachusetts Institute
+    of Technology, Institut National de Recherche en Informatique et en
+    Automatique, Keio University). All Rights Reserved.
+    http://www.w3.org/Consortium/Legal/
+
+    This document is governed by the W3C Software License [1] as described
+    in the FAQ [2].
+
+    [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
+    [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
+-->
+
+
+<schema xmlns="http://www.w3.org/2001/XMLSchema"
+        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+        targetNamespace="http://www.w3.org/2000/09/xmldsig#"
+        version="0.1" elementFormDefault="qualified">
+
+  <!-- Basic Types Defined for Signatures -->
+
+  <simpleType name="CryptoBinary">
+    <restriction base="base64Binary">
+    </restriction>
+  </simpleType>
+
+  <!-- Start Signature -->
+
+  <element name="Signature" type="ds:SignatureType"/>
+  <complexType name="SignatureType">
+    <sequence>
+      <element ref="ds:SignedInfo"/>
+      <element ref="ds:SignatureValue"/>
+      <element ref="ds:KeyInfo" minOccurs="0"/>
+      <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="Id" type="ID" use="optional"/>
+  </complexType>
+
+  <element name="SignatureValue" type="ds:SignatureValueType"/>
+  <complexType name="SignatureValueType">
+    <simpleContent>
+      <extension base="base64Binary">
+        <attribute name="Id" type="ID" use="optional"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+
+  <!-- Start SignedInfo -->
+
+  <element name="SignedInfo" type="ds:SignedInfoType"/>
+  <complexType name="SignedInfoType">
+    <sequence>
+      <element ref="ds:CanonicalizationMethod"/>
+      <element ref="ds:SignatureMethod"/>
+      <element ref="ds:Reference" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="Id" type="ID" use="optional"/>
+  </complexType>
+
+  <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/>
+  <complexType name="CanonicalizationMethodType" mixed="true">
+    <sequence>
+      <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
+      <!-- (0,unbounded) elements from (1,1) namespace -->
+    </sequence>
+    <attribute name="Algorithm" type="anyURI" use="required"/>
+  </complexType>
+
+  <element name="SignatureMethod" type="ds:SignatureMethodType"/>
+  <complexType name="SignatureMethodType" mixed="true">
+    <sequence>
+      <element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/>
+      <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
+      <!-- (0,unbounded) elements from (1,1) external namespace -->
+    </sequence>
+    <attribute name="Algorithm" type="anyURI" use="required"/>
+  </complexType>
+
+  <!-- Start Reference -->
+
+  <element name="Reference" type="ds:ReferenceType"/>
+  <complexType name="ReferenceType">
+    <sequence>
+      <element ref="ds:Transforms" minOccurs="0"/>
+      <element ref="ds:DigestMethod"/>
+      <element ref="ds:DigestValue"/>
+    </sequence>
+    <attribute name="Id" type="ID" use="optional"/>
+    <attribute name="URI" type="anyURI" use="optional"/>
+    <attribute name="Type" type="anyURI" use="optional"/>
+  </complexType>
+
+  <element name="Transforms" type="ds:TransformsType"/>
+  <complexType name="TransformsType">
+    <sequence>
+      <element ref="ds:Transform" maxOccurs="unbounded"/>
+    </sequence>
+  </complexType>
+
+  <element name="Transform" type="ds:TransformType"/>
+  <complexType name="TransformType" mixed="true">
+    <choice minOccurs="0" maxOccurs="unbounded">
+      <any namespace="##other" processContents="lax"/>
+      <!-- (1,1) elements from (0,unbounded) namespaces -->
+      <element name="XPath" type="string"/>
+    </choice>
+    <attribute name="Algorithm" type="anyURI" use="required"/>
+  </complexType>
+
+  <!-- End Reference -->
+
+  <element name="DigestMethod" type="ds:DigestMethodType"/>
+  <complexType name="DigestMethodType" mixed="true">
+    <sequence>
+      <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="Algorithm" type="anyURI" use="required"/>
+  </complexType>
+
+  <element name="DigestValue" type="ds:DigestValueType"/>
+  <simpleType name="DigestValueType">
+    <restriction base="base64Binary"/>
+  </simpleType>
+
+  <!-- End SignedInfo -->
+
+  <!-- Start KeyInfo -->
+
+  <element name="KeyInfo" type="ds:KeyInfoType"/>
+  <complexType name="KeyInfoType" mixed="true">
+    <choice maxOccurs="unbounded">
+      <element ref="ds:KeyName"/>
+      <element ref="ds:KeyValue"/>
+      <element ref="ds:RetrievalMethod"/>
+      <element ref="ds:X509Data"/>
+      <element ref="ds:PGPData"/>
+      <element ref="ds:SPKIData"/>
+      <element ref="ds:MgmtData"/>
+      <any processContents="lax" namespace="##other"/>
+      <!-- (1,1) elements from (0,unbounded) namespaces -->
+    </choice>
+    <attribute name="Id" type="ID" use="optional"/>
+  </complexType>
+
+  <element name="KeyName" type="string"/>
+  <element name="MgmtData" type="string"/>
+
+  <element name="KeyValue" type="ds:KeyValueType"/>
+  <complexType name="KeyValueType" mixed="true">
+    <choice>
+      <element ref="ds:DSAKeyValue"/>
+      <element ref="ds:RSAKeyValue"/>
+      <any namespace="##other" processContents="lax"/>
+    </choice>
+  </complexType>
+
+  <element name="RetrievalMethod" type="ds:RetrievalMethodType"/>
+  <complexType name="RetrievalMethodType">
+    <sequence>
+      <element ref="ds:Transforms" minOccurs="0"/>
+    </sequence>
+    <attribute name="URI" type="anyURI"/>
+    <attribute name="Type" type="anyURI" use="optional"/>
+  </complexType>
+
+  <!-- Start X509Data -->
+
+  <element name="X509Data" type="ds:X509DataType"/>
+  <complexType name="X509DataType">
+    <sequence maxOccurs="unbounded">
+      <choice>
+        <element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/>
+        <element name="X509SKI" type="base64Binary"/>
+        <element name="X509SubjectName" type="string"/>
+        <element name="X509Certificate" type="base64Binary"/>
+        <element name="X509CRL" type="base64Binary"/>
+        <any namespace="##other" processContents="lax"/>
+      </choice>
+    </sequence>
+  </complexType>
+
+  <complexType name="X509IssuerSerialType">
+    <sequence>
+      <element name="X509IssuerName" type="string"/>
+      <element name="X509SerialNumber" type="integer"/>
+    </sequence>
+  </complexType>
+
+  <!-- End X509Data -->
+
+  <!-- Begin PGPData -->
+
+  <element name="PGPData" type="ds:PGPDataType"/>
+  <complexType name="PGPDataType">
+    <choice>
+      <sequence>
+        <element name="PGPKeyID" type="base64Binary"/>
+        <element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/>
+        <any namespace="##other" processContents="lax" minOccurs="0"
+             maxOccurs="unbounded"/>
+      </sequence>
+      <sequence>
+        <element name="PGPKeyPacket" type="base64Binary"/>
+        <any namespace="##other" processContents="lax" minOccurs="0"
+             maxOccurs="unbounded"/>
+      </sequence>
+    </choice>
+  </complexType>
+
+  <!-- End PGPData -->
+
+  <!-- Begin SPKIData -->
+
+  <element name="SPKIData" type="ds:SPKIDataType"/>
+  <complexType name="SPKIDataType">
+    <sequence maxOccurs="unbounded">
+      <element name="SPKISexp" type="base64Binary"/>
+      <any namespace="##other" processContents="lax" minOccurs="0"/>
+    </sequence>
+  </complexType>
+
+  <!-- End SPKIData -->
+
+  <!-- End KeyInfo -->
+
+  <!-- Start Object (Manifest, SignatureProperty) -->
+
+  <element name="Object" type="ds:ObjectType"/>
+  <complexType name="ObjectType" mixed="true">
+    <sequence minOccurs="0" maxOccurs="unbounded">
+      <any namespace="##any" processContents="lax"/>
+    </sequence>
+    <attribute name="Id" type="ID" use="optional"/>
+    <attribute name="MimeType" type="string" use="optional"/>
+    <!-- add a grep facet -->
+    <attribute name="Encoding" type="anyURI" use="optional"/>
+  </complexType>
+
+  <element name="Manifest" type="ds:ManifestType"/>
+  <complexType name="ManifestType">
+    <sequence>
+      <element ref="ds:Reference" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="Id" type="ID" use="optional"/>
+  </complexType>
+
+  <element name="SignatureProperties" type="ds:SignaturePropertiesType"/>
+  <complexType name="SignaturePropertiesType">
+    <sequence>
+      <element ref="ds:SignatureProperty" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="Id" type="ID" use="optional"/>
+  </complexType>
+
+  <element name="SignatureProperty" type="ds:SignaturePropertyType"/>
+  <complexType name="SignaturePropertyType" mixed="true">
+    <choice maxOccurs="unbounded">
+      <any namespace="##other" processContents="lax"/>
+      <!-- (1,1) elements from (1,unbounded) namespaces -->
+    </choice>
+    <attribute name="Target" type="anyURI" use="required"/>
+    <attribute name="Id" type="ID" use="optional"/>
+  </complexType>
+
+  <!-- End Object (Manifest, SignatureProperty) -->
+
+  <!-- Start Algorithm Parameters -->
+
+  <simpleType name="HMACOutputLengthType">
+    <restriction base="integer"/>
+  </simpleType>
+
+  <!-- Start KeyValue Element-types -->
+
+  <element name="DSAKeyValue" type="ds:DSAKeyValueType"/>
+  <complexType name="DSAKeyValueType">
+    <sequence>
+      <sequence minOccurs="0">
+        <element name="P" type="ds:CryptoBinary"/>
+        <element name="Q" type="ds:CryptoBinary"/>
+      </sequence>
+      <element name="G" type="ds:CryptoBinary" minOccurs="0"/>
+      <element name="Y" type="ds:CryptoBinary"/>
+      <element name="J" type="ds:CryptoBinary" minOccurs="0"/>
+      <sequence minOccurs="0">
+        <element name="Seed" type="ds:CryptoBinary"/>
+        <element name="PgenCounter" type="ds:CryptoBinary"/>
+      </sequence>
+    </sequence>
+  </complexType>
+
+  <element name="RSAKeyValue" type="ds:RSAKeyValueType"/>
+  <complexType name="RSAKeyValueType">
+    <sequence>
+      <element name="Modulus" type="ds:CryptoBinary"/>
+      <element name="Exponent" type="ds:CryptoBinary"/>
+    </sequence>
+  </complexType>
+
+  <!-- End KeyValue Element-types -->
+
+  <!-- End Signature -->
+
+</schema>
diff --git a/saml-core/src/main/resources/schema/w3c/xmlenc/xenc-schema.xsd b/saml-core/src/main/resources/schema/w3c/xmlenc/xenc-schema.xsd
new file mode 100644
index 0000000000..ea16a71b32
--- /dev/null
+++ b/saml-core/src/main/resources/schema/w3c/xmlenc/xenc-schema.xsd
@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE schema  PUBLIC "-//W3C//DTD XMLSchema 200102//EN"
+        "http://www.w3.org/2001/XMLSchema.dtd"
+        [
+                <!ATTLIST schema
+                        xmlns:xenc CDATA #FIXED 'http://www.w3.org/2001/04/xmlenc#'
+                        xmlns:ds CDATA #FIXED 'http://www.w3.org/2000/09/xmldsig#'>
+                <!ENTITY xenc 'http://www.w3.org/2001/04/xmlenc#'>
+                <!ENTITY % p ''>
+                <!ENTITY % s ''>
+                ]>
+
+<schema xmlns='http://www.w3.org/2001/XMLSchema' version='1.0'
+        xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
+        xmlns:ds='http://www.w3.org/2000/09/xmldsig#'
+        targetNamespace='http://www.w3.org/2001/04/xmlenc#'
+        elementFormDefault='qualified'>
+
+  <import namespace='http://www.w3.org/2000/09/xmldsig#'
+          schemaLocation='http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd'/>
+
+  <complexType name='EncryptedType' abstract='true'>
+
+    <sequence>
+      <element name='EncryptionMethod' type='xenc:EncryptionMethodType'
+               minOccurs='0'/>
+      <element ref='ds:KeyInfo' minOccurs='0'/>
+      <element ref='xenc:CipherData'/>
+      <element ref='xenc:EncryptionProperties' minOccurs='0'/>
+    </sequence>
+    <attribute name='Id' type='ID' use='optional'/>
+    <attribute name='Type' type='anyURI' use='optional'/>
+    <attribute name='MimeType' type='string' use='optional'/>
+
+    <attribute name='Encoding' type='anyURI' use='optional'/>
+  </complexType>
+
+  <complexType name='EncryptionMethodType' mixed='true'>
+    <sequence>
+      <element name='KeySize' minOccurs='0' type='xenc:KeySizeType'/>
+      <element name='OAEPparams' minOccurs='0' type='base64Binary'/>
+      <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/>
+    </sequence>
+    <attribute name='Algorithm' type='anyURI' use='required'/>
+
+  </complexType>
+
+  <simpleType name='KeySizeType'>
+    <restriction base="integer"/>
+  </simpleType>
+
+  <element name='CipherData' type='xenc:CipherDataType'/>
+  <complexType name='CipherDataType'>
+    <choice>
+      <element name='CipherValue' type='base64Binary'/>
+      <element ref='xenc:CipherReference'/>
+    </choice>
+  </complexType>
+
+  <element name='CipherReference' type='xenc:CipherReferenceType'/>
+  <complexType name='CipherReferenceType'>
+    <choice>
+      <element name='Transforms' type='xenc:TransformsType' minOccurs='0'/>
+    </choice>
+
+    <attribute name='URI' type='anyURI' use='required'/>
+  </complexType>
+
+  <complexType name='TransformsType'>
+    <sequence>
+      <element ref='ds:Transform' maxOccurs='unbounded'/>
+    </sequence>
+  </complexType>
+
+
+  <element name='EncryptedData' type='xenc:EncryptedDataType'/>
+  <complexType name='EncryptedDataType'>
+    <complexContent>
+      <extension base='xenc:EncryptedType'>
+      </extension>
+    </complexContent>
+  </complexType>
+
+  <!-- Children of ds:KeyInfo -->
+
+  <element name='EncryptedKey' type='xenc:EncryptedKeyType'/>
+  <complexType name='EncryptedKeyType'>
+    <complexContent>
+      <extension base='xenc:EncryptedType'>
+        <sequence>
+          <element ref='xenc:ReferenceList' minOccurs='0'/>
+          <element name='CarriedKeyName' type='string' minOccurs='0'/>
+        </sequence>
+        <attribute name='Recipient' type='string'
+                   use='optional'/>
+      </extension>
+    </complexContent>
+  </complexType>
+
+  <element name="AgreementMethod" type="xenc:AgreementMethodType"/>
+  <complexType name="AgreementMethodType" mixed="true">
+    <sequence>
+      <element name="KA-Nonce" minOccurs="0" type="base64Binary"/>
+
+      <!-- <element ref="ds:DigestMethod" minOccurs="0"/> -->
+      <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
+      <element name="OriginatorKeyInfo" minOccurs="0" type="ds:KeyInfoType"/>
+      <element name="RecipientKeyInfo" minOccurs="0" type="ds:KeyInfoType"/>
+    </sequence>
+    <attribute name="Algorithm" type="anyURI" use="required"/>
+  </complexType>
+
+  <!-- End Children of ds:KeyInfo -->
+
+  <element name='ReferenceList'>
+    <complexType>
+      <choice minOccurs='1' maxOccurs='unbounded'>
+        <element name='DataReference' type='xenc:ReferenceType'/>
+        <element name='KeyReference' type='xenc:ReferenceType'/>
+      </choice>
+    </complexType>
+  </element>
+
+  <complexType name='ReferenceType'>
+    <sequence>
+      <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/>
+    </sequence>
+    <attribute name='URI' type='anyURI' use='required'/>
+  </complexType>
+
+
+  <element name='EncryptionProperties' type='xenc:EncryptionPropertiesType'/>
+
+  <complexType name='EncryptionPropertiesType'>
+    <sequence>
+      <element ref='xenc:EncryptionProperty' maxOccurs='unbounded'/>
+    </sequence>
+    <attribute name='Id' type='ID' use='optional'/>
+  </complexType>
+
+  <element name='EncryptionProperty' type='xenc:EncryptionPropertyType'/>
+  <complexType name='EncryptionPropertyType' mixed='true'>
+
+    <choice maxOccurs='unbounded'>
+      <any namespace='##other' processContents='lax'/>
+    </choice>
+    <attribute name='Target' type='anyURI' use='optional'/>
+    <attribute name='Id' type='ID' use='optional'/>
+    <anyAttribute namespace="http://www.w3.org/XML/1998/namespace"/>
+  </complexType>
+
+</schema>
+
+
diff --git a/saml-core/src/main/resources/schema/w3c/xmlschema/XMLSchema.dtd b/saml-core/src/main/resources/schema/w3c/xmlschema/XMLSchema.dtd
new file mode 100644
index 0000000000..3803ed6ce8
--- /dev/null
+++ b/saml-core/src/main/resources/schema/w3c/xmlschema/XMLSchema.dtd
@@ -0,0 +1,402 @@
+<!-- DTD for XML Schemas: Part 1: Structures
+     Public Identifier: "-//W3C//DTD XMLSCHEMA 200102//EN"
+     Official Location: http://www.w3.org/2001/XMLSchema.dtd -->
+        <!-- $Id: XMLSchema.dtd 20476 2004-04-17 13:29:24Z tdiesler $ -->
+        <!-- Note this DTD is NOT normative, or even definitive. -->           <!--d-->
+        <!-- prose copy in the structures REC is the definitive version -->    <!--d-->
+        <!-- (which shouldn't differ from this one except for this -->         <!--d-->
+        <!-- comment and entity expansions, but just in case) -->              <!--d-->
+        <!-- With the exception of cases with multiple namespace
+             prefixes for the XML Schema namespace, any XML document which is
+             not valid per this DTD given redefinitions in its internal subset of the
+             'p' and 's' parameter entities below appropriate to its namespace
+             declaration of the XML Schema namespace is almost certainly not
+             a valid schema. -->
+
+        <!-- The simpleType element and its constituent parts
+             are defined in XML Schema: Part 2: Datatypes -->
+        <!ENTITY % xs-datatypes PUBLIC 'datatypes' 'datatypes.dtd' >
+
+        <!ENTITY % p 'xs:'> <!-- can be overriden in the internal subset of a
+                         schema document to establish a different
+                         namespace prefix -->
+        <!ENTITY % s ':xs'> <!-- if %p is defined (e.g. as foo:) then you must
+                         also define %s as the suffix for the appropriate
+                         namespace declaration (e.g. :foo) -->
+        <!ENTITY % nds 'xmlns%s;'>
+
+        <!-- Define all the element names, with optional prefix -->
+        <!ENTITY % schema "%p;schema">
+        <!ENTITY % complexType "%p;complexType">
+        <!ENTITY % complexContent "%p;complexContent">
+        <!ENTITY % simpleContent "%p;simpleContent">
+        <!ENTITY % extension "%p;extension">
+        <!ENTITY % element "%p;element">
+        <!ENTITY % unique "%p;unique">
+        <!ENTITY % key "%p;key">
+        <!ENTITY % keyref "%p;keyref">
+        <!ENTITY % selector "%p;selector">
+        <!ENTITY % field "%p;field">
+        <!ENTITY % group "%p;group">
+        <!ENTITY % all "%p;all">
+        <!ENTITY % choice "%p;choice">
+        <!ENTITY % sequence "%p;sequence">
+        <!ENTITY % any "%p;any">
+        <!ENTITY % anyAttribute "%p;anyAttribute">
+        <!ENTITY % attribute "%p;attribute">
+        <!ENTITY % attributeGroup "%p;attributeGroup">
+        <!ENTITY % include "%p;include">
+        <!ENTITY % import "%p;import">
+        <!ENTITY % redefine "%p;redefine">
+        <!ENTITY % notation "%p;notation">
+
+        <!-- annotation elements -->
+        <!ENTITY % annotation "%p;annotation">
+        <!ENTITY % appinfo "%p;appinfo">
+        <!ENTITY % documentation "%p;documentation">
+
+        <!-- Customisation entities for the ATTLIST of each element type.
+             Define one of these if your schema takes advantage of the
+             anyAttribute='##other' in the schema for schemas -->
+
+        <!ENTITY % schemaAttrs ''>
+        <!ENTITY % complexTypeAttrs ''>
+        <!ENTITY % complexContentAttrs ''>
+        <!ENTITY % simpleContentAttrs ''>
+        <!ENTITY % extensionAttrs ''>
+        <!ENTITY % elementAttrs ''>
+        <!ENTITY % groupAttrs ''>
+        <!ENTITY % allAttrs ''>
+        <!ENTITY % choiceAttrs ''>
+        <!ENTITY % sequenceAttrs ''>
+        <!ENTITY % anyAttrs ''>
+        <!ENTITY % anyAttributeAttrs ''>
+        <!ENTITY % attributeAttrs ''>
+        <!ENTITY % attributeGroupAttrs ''>
+        <!ENTITY % uniqueAttrs ''>
+        <!ENTITY % keyAttrs ''>
+        <!ENTITY % keyrefAttrs ''>
+        <!ENTITY % selectorAttrs ''>
+        <!ENTITY % fieldAttrs ''>
+        <!ENTITY % includeAttrs ''>
+        <!ENTITY % importAttrs ''>
+        <!ENTITY % redefineAttrs ''>
+        <!ENTITY % notationAttrs ''>
+        <!ENTITY % annotationAttrs ''>
+        <!ENTITY % appinfoAttrs ''>
+        <!ENTITY % documentationAttrs ''>
+
+        <!ENTITY % complexDerivationSet "CDATA">
+        <!-- #all or space-separated list drawn from derivationChoice -->
+        <!ENTITY % blockSet "CDATA">
+        <!-- #all or space-separated list drawn from
+                        derivationChoice + 'substitution' -->
+
+        <!ENTITY % mgs '%all; | %choice; | %sequence;'>
+        <!ENTITY % cs '%choice; | %sequence;'>
+        <!ENTITY % formValues '(qualified|unqualified)'>
+
+
+        <!ENTITY % attrDecls    '((%attribute;| %attributeGroup;)*,(%anyAttribute;)?)'>
+
+        <!ENTITY % particleAndAttrs '((%mgs; | %group;)?, %attrDecls;)'>
+
+        <!-- This is used in part2 -->
+        <!ENTITY % restriction1 '((%mgs; | %group;)?)'>
+
+        %xs-datatypes;
+
+        <!-- the duplication below is to produce an unambiguous content model
+             which allows annotation everywhere -->
+        <!ELEMENT %schema; ((%include; | %import; | %redefine; | %annotation;)*,
+                ((%simpleType; | %complexType;
+                        | %element; | %attribute;
+                        | %attributeGroup; | %group;
+                        | %notation; ),
+                        (%annotation;)*)* )>
+        <!ATTLIST %schema;
+                targetNamespace      %URIref;               #IMPLIED
+                version              CDATA                  #IMPLIED
+                %nds;                %URIref;               #FIXED 'http://www.w3.org/2001/XMLSchema'
+                xmlns                CDATA                  #IMPLIED
+                finalDefault         %complexDerivationSet; ''
+                blockDefault         %blockSet;             ''
+                id                   ID                     #IMPLIED
+                elementFormDefault   %formValues;           'unqualified'
+                attributeFormDefault %formValues;           'unqualified'
+                xml:lang             CDATA                  #IMPLIED
+                %schemaAttrs;>
+        <!-- Note the xmlns declaration is NOT in the Schema for Schemas,
+             because at the Infoset level where schemas operate,
+             xmlns(:prefix) is NOT an attribute! -->
+        <!-- The declaration of xmlns is a convenience for schema authors -->
+
+        <!-- The id attribute here and below is for use in external references
+             from non-schemas using simple fragment identifiers.
+             It is NOT used for schema-to-schema reference, internal or
+             external. -->
+
+        <!-- a type is a named content type specification which allows attribute
+             declarations-->
+        <!-- -->
+
+        <!ELEMENT %complexType; ((%annotation;)?,
+                (%simpleContent;|%complexContent;|
+                        %particleAndAttrs;))>
+
+        <!ATTLIST %complexType;
+                name      %NCName;                        #IMPLIED
+                id        ID                              #IMPLIED
+                abstract  %boolean;                       #IMPLIED
+                final     %complexDerivationSet;          #IMPLIED
+                block     %complexDerivationSet;          #IMPLIED
+                mixed (true|false) 'false'
+                %complexTypeAttrs;>
+
+        <!-- particleAndAttrs is shorthand for a root type -->
+        <!-- mixed is disallowed if simpleContent, overriden if complexContent
+             has one too. -->
+
+        <!-- If anyAttribute appears in one or more referenced attributeGroups
+             and/or explicitly, the intersection of the permissions is used -->
+
+        <!ELEMENT %complexContent; ((%annotation;)?, (%restriction;|%extension;))>
+        <!ATTLIST %complexContent;
+                mixed (true|false) #IMPLIED
+                id    ID           #IMPLIED
+                %complexContentAttrs;>
+
+        <!-- restriction should use the branch defined above, not the simple
+             one from part2; extension should use the full model  -->
+
+        <!ELEMENT %simpleContent; ((%annotation;)?, (%restriction;|%extension;))>
+        <!ATTLIST %simpleContent;
+                id    ID           #IMPLIED
+                %simpleContentAttrs;>
+
+        <!-- restriction should use the simple branch from part2, not the
+             one defined above; extension should have no particle  -->
+
+        <!ELEMENT %extension; ((%annotation;)?, (%particleAndAttrs;))>
+        <!ATTLIST %extension;
+                base  %QName;      #REQUIRED
+                id    ID           #IMPLIED
+                %extensionAttrs;>
+
+        <!-- an element is declared by either:
+         a name and a type (either nested or referenced via the type attribute)
+         or a ref to an existing element declaration -->
+
+        <!ELEMENT %element; ((%annotation;)?, (%complexType;| %simpleType;)?,
+                (%unique; | %key; | %keyref;)*)>
+        <!-- simpleType or complexType only if no type|ref attribute -->
+        <!-- ref not allowed at top level -->
+        <!ATTLIST %element;
+                name               %NCName;               #IMPLIED
+                id                 ID                     #IMPLIED
+                ref                %QName;                #IMPLIED
+                type               %QName;                #IMPLIED
+                minOccurs          %nonNegativeInteger;   #IMPLIED
+                maxOccurs          CDATA                  #IMPLIED
+                nillable           %boolean;              #IMPLIED
+                substitutionGroup  %QName;                #IMPLIED
+                abstract           %boolean;              #IMPLIED
+                final              %complexDerivationSet; #IMPLIED
+                block              %blockSet;             #IMPLIED
+                default            CDATA                  #IMPLIED
+                fixed              CDATA                  #IMPLIED
+                form               %formValues;           #IMPLIED
+                %elementAttrs;>
+        <!-- type and ref are mutually exclusive.
+             name and ref are mutually exclusive, one is required -->
+        <!-- In the absence of type AND ref, type defaults to type of
+             substitutionGroup, if any, else the ur-type, i.e. unconstrained -->
+        <!-- default and fixed are mutually exclusive -->
+
+        <!ELEMENT %group; ((%annotation;)?,(%mgs;)?)>
+        <!ATTLIST %group;
+                name        %NCName;               #IMPLIED
+                ref         %QName;                #IMPLIED
+                minOccurs   %nonNegativeInteger;   #IMPLIED
+                maxOccurs   CDATA                  #IMPLIED
+                id          ID                     #IMPLIED
+                %groupAttrs;>
+
+        <!ELEMENT %all; ((%annotation;)?, (%element;)*)>
+        <!ATTLIST %all;
+                minOccurs   (1)                    #IMPLIED
+                maxOccurs   (1)                    #IMPLIED
+                id          ID                     #IMPLIED
+                %allAttrs;>
+
+        <!ELEMENT %choice; ((%annotation;)?, (%element;| %group;| %cs; | %any;)*)>
+        <!ATTLIST %choice;
+                minOccurs   %nonNegativeInteger;   #IMPLIED
+                maxOccurs   CDATA                  #IMPLIED
+                id          ID                     #IMPLIED
+                %choiceAttrs;>
+
+        <!ELEMENT %sequence; ((%annotation;)?, (%element;| %group;| %cs; | %any;)*)>
+        <!ATTLIST %sequence;
+                minOccurs   %nonNegativeInteger;   #IMPLIED
+                maxOccurs   CDATA                  #IMPLIED
+                id          ID                     #IMPLIED
+                %sequenceAttrs;>
+
+        <!-- an anonymous grouping in a model, or
+             a top-level named group definition, or a reference to same -->
+
+        <!-- Note that if order is 'all', group is not allowed inside.
+             If order is 'all' THIS group must be alone (or referenced alone) at
+             the top level of a content model -->
+        <!-- If order is 'all', minOccurs==maxOccurs==1 on element/any inside -->
+        <!-- Should allow minOccurs=0 inside order='all' . . . -->
+
+        <!ELEMENT %any; (%annotation;)?>
+        <!ATTLIST %any;
+                namespace       CDATA                  '##any'
+                processContents (skip|lax|strict)      'strict'
+                minOccurs       %nonNegativeInteger;   '1'
+                maxOccurs       CDATA                  '1'
+                id              ID                     #IMPLIED
+                %anyAttrs;>
+
+        <!-- namespace is interpreted as follows:
+                          ##any      - - any non-conflicting WFXML at all
+
+                          ##other    - - any non-conflicting WFXML from namespace other
+                                          than targetNamespace
+
+                          ##local    - - any unqualified non-conflicting WFXML/attribute
+                          one or     - - any non-conflicting WFXML from
+                          more URI        the listed namespaces
+                          references
+
+                          ##targetNamespace ##local may appear in the above list,
+                            with the obvious meaning -->
+
+        <!ELEMENT %anyAttribute; (%annotation;)?>
+        <!ATTLIST %anyAttribute;
+                namespace       CDATA              '##any'
+                processContents (skip|lax|strict)  'strict'
+                id              ID                 #IMPLIED
+                %anyAttributeAttrs;>
+        <!-- namespace is interpreted as for 'any' above -->
+
+        <!-- simpleType only if no type|ref attribute -->
+        <!-- ref not allowed at top level, name iff at top level -->
+        <!ELEMENT %attribute; ((%annotation;)?, (%simpleType;)?)>
+        <!ATTLIST %attribute;
+                name      %NCName;      #IMPLIED
+                id        ID            #IMPLIED
+                ref       %QName;       #IMPLIED
+                type      %QName;       #IMPLIED
+                use       (prohibited|optional|required) #IMPLIED
+                default   CDATA         #IMPLIED
+                fixed     CDATA         #IMPLIED
+                form      %formValues;  #IMPLIED
+                %attributeAttrs;>
+        <!-- type and ref are mutually exclusive.
+             name and ref are mutually exclusive, one is required -->
+        <!-- default for use is optional when nested, none otherwise -->
+        <!-- default and fixed are mutually exclusive -->
+        <!-- type attr and simpleType content are mutually exclusive -->
+
+        <!-- an attributeGroup is a named collection of attribute decls, or a
+             reference thereto -->
+        <!ELEMENT %attributeGroup; ((%annotation;)?,
+                (%attribute; | %attributeGroup;)*,
+                (%anyAttribute;)?) >
+        <!ATTLIST %attributeGroup;
+                name       %NCName;       #IMPLIED
+                id         ID             #IMPLIED
+                ref        %QName;        #IMPLIED
+                %attributeGroupAttrs;>
+
+        <!-- ref iff no content, no name.  ref iff not top level -->
+
+        <!-- better reference mechanisms -->
+        <!ELEMENT %unique; ((%annotation;)?, %selector;, (%field;)+)>
+        <!ATTLIST %unique;
+                name     %NCName;       #REQUIRED
+                id       ID             #IMPLIED
+                %uniqueAttrs;>
+
+        <!ELEMENT %key;    ((%annotation;)?, %selector;, (%field;)+)>
+        <!ATTLIST %key;
+                name     %NCName;       #REQUIRED
+                id       ID             #IMPLIED
+                %keyAttrs;>
+
+        <!ELEMENT %keyref; ((%annotation;)?, %selector;, (%field;)+)>
+        <!ATTLIST %keyref;
+                name     %NCName;       #REQUIRED
+                refer    %QName;        #REQUIRED
+                id       ID             #IMPLIED
+                %keyrefAttrs;>
+
+        <!ELEMENT %selector; ((%annotation;)?)>
+        <!ATTLIST %selector;
+                xpath %XPathExpr; #REQUIRED
+                id    ID          #IMPLIED
+                %selectorAttrs;>
+        <!ELEMENT %field; ((%annotation;)?)>
+        <!ATTLIST %field;
+                xpath %XPathExpr; #REQUIRED
+                id    ID          #IMPLIED
+                %fieldAttrs;>
+
+        <!-- Schema combination mechanisms -->
+        <!ELEMENT %include; (%annotation;)?>
+        <!ATTLIST %include;
+                schemaLocation %URIref; #REQUIRED
+                id             ID       #IMPLIED
+                %includeAttrs;>
+
+        <!ELEMENT %import; (%annotation;)?>
+        <!ATTLIST %import;
+                namespace      %URIref; #IMPLIED
+                schemaLocation %URIref; #IMPLIED
+                id             ID       #IMPLIED
+                %importAttrs;>
+
+        <!ELEMENT %redefine; (%annotation; | %simpleType; | %complexType; |
+                %attributeGroup; | %group;)*>
+        <!ATTLIST %redefine;
+                schemaLocation %URIref; #REQUIRED
+                id             ID       #IMPLIED
+                %redefineAttrs;>
+
+        <!ELEMENT %notation; (%annotation;)?>
+        <!ATTLIST %notation;
+                name        %NCName;    #REQUIRED
+                id          ID          #IMPLIED
+                public      CDATA       #REQUIRED
+                system      %URIref;    #IMPLIED
+                %notationAttrs;>
+
+        <!-- Annotation is either application information or documentation -->
+        <!-- By having these here they are available for datatypes as well
+             as all the structures elements -->
+
+        <!ELEMENT %annotation; (%appinfo; | %documentation;)*>
+        <!ATTLIST %annotation; %annotationAttrs;>
+
+        <!-- User must define annotation elements in internal subset for this
+             to work -->
+        <!ELEMENT %appinfo; ANY>   <!-- too restrictive -->
+        <!ATTLIST %appinfo;
+                source     %URIref;      #IMPLIED
+                id         ID         #IMPLIED
+                %appinfoAttrs;>
+        <!ELEMENT %documentation; ANY>   <!-- too restrictive -->
+        <!ATTLIST %documentation;
+                source     %URIref;   #IMPLIED
+                id         ID         #IMPLIED
+                xml:lang   CDATA      #IMPLIED
+                %documentationAttrs;>
+
+        <!NOTATION XMLSchemaStructures PUBLIC
+                'structures' 'http://www.w3.org/2001/XMLSchema.xsd' >
+        <!NOTATION XML PUBLIC
+                'REC-xml-1998-0210' 'http://www.w3.org/TR/1998/REC-xml-19980210' >
diff --git a/saml-core/src/main/resources/schema/w3c/xmlschema/datatypes.dtd b/saml-core/src/main/resources/schema/w3c/xmlschema/datatypes.dtd
new file mode 100644
index 0000000000..facfaad05f
--- /dev/null
+++ b/saml-core/src/main/resources/schema/w3c/xmlschema/datatypes.dtd
@@ -0,0 +1,203 @@
+<!--
+        DTD for XML Schemas: Part 2: Datatypes
+        $Id: datatypes.dtd 20476 2004-04-17 13:29:24Z tdiesler $
+        Note this DTD is NOT normative, or even definitive. - - the
+        prose copy in the datatypes REC is the definitive version
+        (which shouldn't differ from this one except for this comment
+        and entity expansions, but just in case)
+  -->
+
+        <!--
+                This DTD cannot be used on its own, it is intended
+                only for incorporation in XMLSchema.dtd, q.v.
+          -->
+
+        <!-- Define all the element names, with optional prefix -->
+        <!ENTITY % simpleType "%p;simpleType">
+        <!ENTITY % restriction "%p;restriction">
+        <!ENTITY % list "%p;list">
+        <!ENTITY % union "%p;union">
+        <!ENTITY % maxExclusive "%p;maxExclusive">
+        <!ENTITY % minExclusive "%p;minExclusive">
+        <!ENTITY % maxInclusive "%p;maxInclusive">
+        <!ENTITY % minInclusive "%p;minInclusive">
+        <!ENTITY % totalDigits "%p;totalDigits">
+        <!ENTITY % fractionDigits "%p;fractionDigits">
+        <!ENTITY % length "%p;length">
+        <!ENTITY % minLength "%p;minLength">
+        <!ENTITY % maxLength "%p;maxLength">
+        <!ENTITY % enumeration "%p;enumeration">
+        <!ENTITY % whiteSpace "%p;whiteSpace">
+        <!ENTITY % pattern "%p;pattern">
+
+        <!--
+                Customisation entities for the ATTLIST of each element
+                type. Define one of these if your schema takes advantage
+                of the anyAttribute='##other' in the schema for schemas
+          -->
+
+        <!ENTITY % simpleTypeAttrs "">
+        <!ENTITY % restrictionAttrs "">
+        <!ENTITY % listAttrs "">
+        <!ENTITY % unionAttrs "">
+        <!ENTITY % maxExclusiveAttrs "">
+        <!ENTITY % minExclusiveAttrs "">
+        <!ENTITY % maxInclusiveAttrs "">
+        <!ENTITY % minInclusiveAttrs "">
+        <!ENTITY % totalDigitsAttrs "">
+        <!ENTITY % fractionDigitsAttrs "">
+        <!ENTITY % lengthAttrs "">
+        <!ENTITY % minLengthAttrs "">
+        <!ENTITY % maxLengthAttrs "">
+        <!ENTITY % enumerationAttrs "">
+        <!ENTITY % whiteSpaceAttrs "">
+        <!ENTITY % patternAttrs "">
+
+        <!-- Define some entities for informative use as attribute
+                types -->
+        <!ENTITY % URIref "CDATA">
+        <!ENTITY % XPathExpr "CDATA">
+        <!ENTITY % QName "NMTOKEN">
+        <!ENTITY % QNames "NMTOKENS">
+        <!ENTITY % NCName "NMTOKEN">
+        <!ENTITY % nonNegativeInteger "NMTOKEN">
+        <!ENTITY % boolean "(true|false)">
+        <!ENTITY % simpleDerivationSet "CDATA">
+        <!--
+                #all or space-separated list drawn from derivationChoice
+          -->
+
+        <!--
+                Note that the use of 'facet' below is less restrictive
+                than is really intended:  There should in fact be no
+                more than one of each of minInclusive, minExclusive,
+                maxInclusive, maxExclusive, totalDigits, fractionDigits,
+                length, maxLength, minLength within datatype,
+                and the min- and max- variants of Inclusive and Exclusive
+                are mutually exclusive. On the other hand,  pattern and
+                enumeration may repeat.
+          -->
+        <!ENTITY % minBound "(%minInclusive; | %minExclusive;)">
+        <!ENTITY % maxBound "(%maxInclusive; | %maxExclusive;)">
+        <!ENTITY % bounds "%minBound; | %maxBound;">
+        <!ENTITY % numeric "%totalDigits; | %fractionDigits;">
+        <!ENTITY % ordered "%bounds; | %numeric;">
+        <!ENTITY % unordered
+                "%pattern; | %enumeration; | %whiteSpace; | %length; |
+   %maxLength; | %minLength;">
+        <!ENTITY % facet "%ordered; | %unordered;">
+        <!ENTITY % facetAttr
+                "value CDATA #REQUIRED
+        id ID #IMPLIED">
+        <!ENTITY % fixedAttr "fixed %boolean; #IMPLIED">
+        <!ENTITY % facetModel "(%annotation;)?">
+        <!ELEMENT %simpleType;
+                ((%annotation;)?, (%restriction; | %list; | %union;))>
+        <!ATTLIST %simpleType;
+                name      %NCName; #IMPLIED
+                final     %simpleDerivationSet; #IMPLIED
+                id        ID       #IMPLIED
+                %simpleTypeAttrs;>
+        <!-- name is required at top level -->
+        <!ELEMENT %restriction; ((%annotation;)?,
+                (%restriction1; |
+                        ((%simpleType;)?,(%facet;)*)),
+                (%attrDecls;))>
+        <!ATTLIST %restriction;
+                base      %QName;                  #IMPLIED
+                id        ID       #IMPLIED
+                %restrictionAttrs;>
+        <!--
+                base and simpleType child are mutually exclusive,
+                one is required.
+
+                restriction is shared between simpleType and
+                simpleContent and complexContent (in XMLSchema.xsd).
+                restriction1 is for the latter cases, when this
+                is restricting a complex type, as is attrDecls.
+          -->
+        <!ELEMENT %list; ((%annotation;)?,(%simpleType;)?)>
+        <!ATTLIST %list;
+                itemType      %QName;             #IMPLIED
+                id        ID       #IMPLIED
+                %listAttrs;>
+        <!--
+                itemType and simpleType child are mutually exclusive,
+                one is required
+          -->
+        <!ELEMENT %union; ((%annotation;)?,(%simpleType;)*)>
+        <!ATTLIST %union;
+                id            ID       #IMPLIED
+                memberTypes   %QNames;            #IMPLIED
+                %unionAttrs;>
+        <!--
+                At least one item in memberTypes or one simpleType
+                child is required
+          -->
+
+        <!ELEMENT %maxExclusive; %facetModel;>
+        <!ATTLIST %maxExclusive;
+                %facetAttr;
+                %fixedAttr;
+                %maxExclusiveAttrs;>
+        <!ELEMENT %minExclusive; %facetModel;>
+        <!ATTLIST %minExclusive;
+                %facetAttr;
+                %fixedAttr;
+                %minExclusiveAttrs;>
+
+        <!ELEMENT %maxInclusive; %facetModel;>
+        <!ATTLIST %maxInclusive;
+                %facetAttr;
+                %fixedAttr;
+                %maxInclusiveAttrs;>
+        <!ELEMENT %minInclusive; %facetModel;>
+        <!ATTLIST %minInclusive;
+                %facetAttr;
+                %fixedAttr;
+                %minInclusiveAttrs;>
+
+        <!ELEMENT %totalDigits; %facetModel;>
+        <!ATTLIST %totalDigits;
+                %facetAttr;
+                %fixedAttr;
+                %totalDigitsAttrs;>
+        <!ELEMENT %fractionDigits; %facetModel;>
+        <!ATTLIST %fractionDigits;
+                %facetAttr;
+                %fixedAttr;
+                %fractionDigitsAttrs;>
+
+        <!ELEMENT %length; %facetModel;>
+        <!ATTLIST %length;
+                %facetAttr;
+                %fixedAttr;
+                %lengthAttrs;>
+        <!ELEMENT %minLength; %facetModel;>
+        <!ATTLIST %minLength;
+                %facetAttr;
+                %fixedAttr;
+                %minLengthAttrs;>
+        <!ELEMENT %maxLength; %facetModel;>
+        <!ATTLIST %maxLength;
+                %facetAttr;
+                %fixedAttr;
+                %maxLengthAttrs;>
+
+        <!-- This one can be repeated -->
+        <!ELEMENT %enumeration; %facetModel;>
+        <!ATTLIST %enumeration;
+                %facetAttr;
+                %enumerationAttrs;>
+
+        <!ELEMENT %whiteSpace; %facetModel;>
+        <!ATTLIST %whiteSpace;
+                %facetAttr;
+                %fixedAttr;
+                %whiteSpaceAttrs;>
+
+        <!-- This one can be repeated -->
+        <!ELEMENT %pattern; %facetModel;>
+        <!ATTLIST %pattern;
+                %facetAttr;
+                %patternAttrs;>
diff --git a/saml-core/src/main/resources/schema/w3c/xmlschema/xml.xsd b/saml-core/src/main/resources/schema/w3c/xmlschema/xml.xsd
new file mode 100644
index 0000000000..bb46b0e63e
--- /dev/null
+++ b/saml-core/src/main/resources/schema/w3c/xmlschema/xml.xsd
@@ -0,0 +1,124 @@
+<?xml version='1.0'?>
+<!DOCTYPE xs:schema PUBLIC "-//W3C//DTD XMLSCHEMA 200102//EN" "XMLSchema.dtd" >
+<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace" xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xml:lang="en">
+
+  <xs:annotation>
+    <xs:documentation>
+      See http://www.w3.org/XML/1998/namespace.html and
+      http://www.w3.org/TR/REC-xml for information about this namespace.
+
+      This schema document describes the XML namespace, in a form
+      suitable for import by other schema documents.
+
+      Note that local names in this namespace are intended to be defined
+      only by the World Wide Web Consortium or its subgroups. The
+      following names are currently defined in this namespace and should
+      not be used with conflicting semantics by any Working Group,
+      specification, or document instance:
+
+      base (as an attribute name): denotes an attribute whose value
+      provides a URI to be used as the base for interpreting any
+      relative URIs in the scope of the element on which it
+      appears; its value is inherited. This name is reserved
+      by virtue of its definition in the XML Base specification.
+
+      lang (as an attribute name): denotes an attribute whose value
+      is a language code for the natural language of the content of
+      any element; its value is inherited. This name is reserved
+      by virtue of its definition in the XML specification.
+
+      space (as an attribute name): denotes an attribute whose
+      value is a keyword indicating what whitespace processing
+      discipline is intended for the content of the element; its
+      value is inherited. This name is reserved by virtue of its
+      definition in the XML specification.
+
+      Father (in any context at all): denotes Jon Bosak, the chair of
+      the original XML Working Group. This name is reserved by
+      the following decision of the W3C XML Plenary and
+      XML Coordination groups:
+
+      In appreciation for his vision, leadership and dedication
+      the W3C XML Plenary on this 10th day of February, 2000
+      reserves for Jon Bosak in perpetuity the XML name
+      xml:Father
+    </xs:documentation>
+  </xs:annotation>
+
+  <xs:annotation>
+    <xs:documentation>This schema defines attributes and an attribute group
+      suitable for use by
+      schemas wishing to allow xml:base, xml:lang or xml:space attributes
+      on elements they define.
+
+      To enable this, such a schema must import this schema
+      for the XML namespace, e.g. as follows:
+      &lt;schema . . .>
+      . . .
+      &lt;import namespace="http://www.w3.org/XML/1998/namespace"
+      schemaLocation="http://www.w3.org/2001/03/xml.xsd"/>
+
+      Subsequently, qualified reference to any of the attributes
+      or the group defined below will have the desired effect, e.g.
+
+      &lt;type . . .>
+      . . .
+      &lt;attributeGroup ref="xml:specialAttrs"/>
+
+      will define a type which will schema-validate an instance
+      element with any of those attributes
+    </xs:documentation>
+
+  </xs:annotation>
+
+  <xs:annotation>
+    <xs:documentation>In keeping with the XML Schema WG's standard versioning
+      policy, this schema document will persist at
+      http://www.w3.org/2001/03/xml.xsd.
+      At the date of issue it can also be found at
+      http://www.w3.org/2001/xml.xsd.
+      The schema document at that URI may however change in the future,
+      in order to remain compatible with the latest version of XML Schema
+      itself. In other words, if the XML Schema namespace changes, the version
+      of this document at
+      http://www.w3.org/2001/xml.xsd will change
+      accordingly; the version at
+      http://www.w3.org/2001/03/xml.xsd will not change.
+    </xs:documentation>
+  </xs:annotation>
+
+  <xs:attribute name="lang" type="xs:language">
+    <xs:annotation>
+      <xs:documentation>In due course, we should install the relevant ISO 2- and 3-letter
+        codes as the enumerated possible values . . .
+      </xs:documentation>
+
+    </xs:annotation>
+  </xs:attribute>
+
+  <xs:attribute name="space" default="preserve">
+    <xs:simpleType>
+      <xs:restriction base="xs:NCName">
+        <xs:enumeration value="default"/>
+        <xs:enumeration value="preserve"/>
+      </xs:restriction>
+
+    </xs:simpleType>
+  </xs:attribute>
+
+  <xs:attribute name="base" type="xs:anyURI">
+    <xs:annotation>
+      <xs:documentation>See http://www.w3.org/TR/xmlbase/ for
+        information about this attribute.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:attribute>
+
+  <xs:attributeGroup name="specialAttrs">
+    <xs:attribute ref="xml:base"/>
+    <xs:attribute ref="xml:lang"/>
+    <xs:attribute ref="xml:space"/>
+  </xs:attributeGroup>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/wstrust/v1_3/oasis-200401-wss-wssecurity-secext-1.0.xsd b/saml-core/src/main/resources/schema/wstrust/v1_3/oasis-200401-wss-wssecurity-secext-1.0.xsd
new file mode 100644
index 0000000000..491430b2bf
--- /dev/null
+++ b/saml-core/src/main/resources/schema/wstrust/v1_3/oasis-200401-wss-wssecurity-secext-1.0.xsd
@@ -0,0 +1,210 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
+OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
+Copyright © OASIS Open 2002-2004. All Rights Reserved.
+This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.
+The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
+This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+-->
+<xsd:schema targetNamespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
+            xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
+            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
+            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+            elementFormDefault="qualified" attributeFormDefault="unqualified" blockDefault="#all" version="0.2">
+  <xsd:import namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+              schemaLocation="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
+  <xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
+  <xsd:import namespace="http://www.w3.org/2000/09/xmldsig#"
+              schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
+  <xsd:complexType name="AttributedString">
+    <xsd:annotation>
+      <xsd:documentation>This type represents an element with arbitrary attributes.</xsd:documentation>
+    </xsd:annotation>
+    <xsd:simpleContent>
+      <xsd:extension base="xsd:string">
+        <xsd:attribute ref="wsu:Id"/>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+      </xsd:extension>
+    </xsd:simpleContent>
+  </xsd:complexType>
+  <xsd:complexType name="PasswordString">
+    <xsd:annotation>
+      <xsd:documentation>This type is used for password elements per Section 4.1.</xsd:documentation>
+    </xsd:annotation>
+    <xsd:simpleContent>
+      <xsd:extension base="wsse:AttributedString">
+        <xsd:attribute name="Type" type="xsd:anyURI"/>
+      </xsd:extension>
+    </xsd:simpleContent>
+  </xsd:complexType>
+  <xsd:complexType name="EncodedString">
+    <xsd:annotation>
+      <xsd:documentation>This type is used for elements containing stringified binary data.</xsd:documentation>
+    </xsd:annotation>
+    <xsd:simpleContent>
+      <xsd:extension base="wsse:AttributedString">
+        <xsd:attribute name="EncodingType" type="xsd:anyURI"/>
+      </xsd:extension>
+    </xsd:simpleContent>
+  </xsd:complexType>
+  <xsd:complexType name="UsernameTokenType">
+    <xsd:annotation>
+      <xsd:documentation>This type represents a username token per Section 4.1</xsd:documentation>
+    </xsd:annotation>
+    <xsd:sequence>
+      <xsd:element name="Username" type="wsse:AttributedString"/>
+      <xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+    </xsd:sequence>
+    <xsd:attribute ref="wsu:Id"/>
+    <xsd:anyAttribute namespace="##other" processContents="lax"/>
+  </xsd:complexType>
+  <xsd:complexType name="BinarySecurityTokenType">
+    <xsd:annotation>
+      <xsd:documentation>A security token that is encoded in binary</xsd:documentation>
+    </xsd:annotation>
+    <xsd:simpleContent>
+      <xsd:extension base="wsse:EncodedString">
+        <xsd:attribute name="ValueType" type="xsd:anyURI"/>
+      </xsd:extension>
+    </xsd:simpleContent>
+  </xsd:complexType>
+  <xsd:complexType name="KeyIdentifierType">
+    <xsd:annotation>
+      <xsd:documentation>A security token key identifier</xsd:documentation>
+    </xsd:annotation>
+    <xsd:simpleContent>
+      <xsd:extension base="wsse:EncodedString">
+        <xsd:attribute name="ValueType" type="xsd:anyURI"/>
+      </xsd:extension>
+    </xsd:simpleContent>
+  </xsd:complexType>
+  <xsd:simpleType name="tUsage">
+    <xsd:annotation>
+      <xsd:documentation>Typedef to allow a list of usages (as URIs).</xsd:documentation>
+    </xsd:annotation>
+    <xsd:list itemType="xsd:anyURI"/>
+  </xsd:simpleType>
+  <xsd:attribute name="Usage" type="tUsage">
+    <xsd:annotation>
+      <xsd:documentation>This global attribute is used to indicate the usage of a referenced or indicated token within
+        the containing context
+      </xsd:documentation>
+    </xsd:annotation>
+  </xsd:attribute>
+  <xsd:complexType name="ReferenceType">
+    <xsd:annotation>
+      <xsd:documentation>This type represents a reference to an external security token.</xsd:documentation>
+    </xsd:annotation>
+    <xsd:attribute name="URI" type="xsd:anyURI"/>
+    <xsd:attribute name="ValueType" type="xsd:anyURI"/>
+    <xsd:anyAttribute namespace="##other" processContents="lax"/>
+  </xsd:complexType>
+  <xsd:complexType name="EmbeddedType">
+    <xsd:annotation>
+      <xsd:documentation>This type represents a reference to an embedded security token.</xsd:documentation>
+    </xsd:annotation>
+    <xsd:choice minOccurs="0" maxOccurs="unbounded">
+      <xsd:any processContents="lax"/>
+    </xsd:choice>
+    <xsd:attribute name="ValueType" type="xsd:anyURI"/>
+    <xsd:anyAttribute namespace="##other" processContents="lax"/>
+  </xsd:complexType>
+  <xsd:complexType name="SecurityTokenReferenceType">
+    <xsd:annotation>
+      <xsd:documentation>This type is used reference a security token.</xsd:documentation>
+    </xsd:annotation>
+    <xsd:choice minOccurs="0" maxOccurs="unbounded">
+      <xsd:any processContents="lax"/>
+    </xsd:choice>
+    <xsd:attribute ref="wsu:Id"/>
+    <xsd:attribute ref="wsse:Usage"/>
+    <xsd:anyAttribute namespace="##other" processContents="lax"/>
+  </xsd:complexType>
+  <xsd:complexType name="SecurityHeaderType">
+    <xsd:annotation>
+      <xsd:documentation>This complexType defines header block to use for security-relevant data directed at a specific
+        SOAP actor.
+      </xsd:documentation>
+    </xsd:annotation>
+    <xsd:sequence>
+      <xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded">
+        <xsd:annotation>
+          <xsd:documentation>The use of "any" is to allow extensibility and different forms of security data.
+          </xsd:documentation>
+        </xsd:annotation>
+      </xsd:any>
+    </xsd:sequence>
+    <xsd:anyAttribute namespace="##other" processContents="lax"/>
+  </xsd:complexType>
+  <xsd:complexType name="TransformationParametersType">
+    <xsd:annotation>
+      <xsd:documentation>This complexType defines a container for elements to be specified from any namespace as
+        properties/parameters of a DSIG transformation.
+      </xsd:documentation>
+    </xsd:annotation>
+    <xsd:sequence>
+      <xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded">
+        <xsd:annotation>
+          <xsd:documentation>The use of "any" is to allow extensibility from any namespace.</xsd:documentation>
+        </xsd:annotation>
+      </xsd:any>
+    </xsd:sequence>
+    <xsd:anyAttribute namespace="##other" processContents="lax"/>
+  </xsd:complexType>
+  <xsd:element name="UsernameToken" type="wsse:UsernameTokenType">
+    <xsd:annotation>
+      <xsd:documentation>This element defines the wsse:UsernameToken element per Section 4.1.</xsd:documentation>
+    </xsd:annotation>
+  </xsd:element>
+  <xsd:element name="BinarySecurityToken" type="wsse:BinarySecurityTokenType">
+    <xsd:annotation>
+      <xsd:documentation>This element defines the wsse:BinarySecurityToken element per Section 4.2.</xsd:documentation>
+    </xsd:annotation>
+  </xsd:element>
+  <xsd:element name="Reference" type="wsse:ReferenceType">
+    <xsd:annotation>
+      <xsd:documentation>This element defines a security token reference</xsd:documentation>
+    </xsd:annotation>
+  </xsd:element>
+  <xsd:element name="Embedded" type="wsse:EmbeddedType">
+    <xsd:annotation>
+      <xsd:documentation>This element defines a security token embedded reference</xsd:documentation>
+    </xsd:annotation>
+  </xsd:element>
+  <xsd:element name="KeyIdentifier" type="wsse:KeyIdentifierType">
+    <xsd:annotation>
+      <xsd:documentation>This element defines a key identifier reference</xsd:documentation>
+    </xsd:annotation>
+  </xsd:element>
+  <xsd:element name="SecurityTokenReference" type="wsse:SecurityTokenReferenceType">
+    <xsd:annotation>
+      <xsd:documentation>This element defines the wsse:SecurityTokenReference per Section 4.3.</xsd:documentation>
+    </xsd:annotation>
+  </xsd:element>
+  <xsd:element name="Security" type="wsse:SecurityHeaderType">
+    <xsd:annotation>
+      <xsd:documentation>This element defines the wsse:Security SOAP header element per Section 4.</xsd:documentation>
+    </xsd:annotation>
+  </xsd:element>
+  <xsd:element name="TransformationParameters" type="wsse:TransformationParametersType">
+    <xsd:annotation>
+      <xsd:documentation>This element contains properties for transformations from any namespace, including DSIG.
+      </xsd:documentation>
+    </xsd:annotation>
+  </xsd:element>
+  <xsd:element name="Password" type="wsse:PasswordString"/>
+  <xsd:element name="Nonce" type="wsse:EncodedString"/>
+  <xsd:simpleType name="FaultcodeEnum">
+    <xsd:restriction base="xsd:QName">
+      <xsd:enumeration value="wsse:UnsupportedSecurityToken"/>
+      <xsd:enumeration value="wsse:UnsupportedAlgorithm"/>
+      <xsd:enumeration value="wsse:InvalidSecurity"/>
+      <xsd:enumeration value="wsse:InvalidSecurityToken"/>
+      <xsd:enumeration value="wsse:FailedAuthentication"/>
+      <xsd:enumeration value="wsse:FailedCheck"/>
+      <xsd:enumeration value="wsse:SecurityTokenUnavailable"/>
+    </xsd:restriction>
+  </xsd:simpleType>
+</xsd:schema>
diff --git a/saml-core/src/main/resources/schema/wstrust/v1_3/oasis-200401-wss-wssecurity-utility-1.0.xsd b/saml-core/src/main/resources/schema/wstrust/v1_3/oasis-200401-wss-wssecurity-utility-1.0.xsd
new file mode 100644
index 0000000000..31a68bccc5
--- /dev/null
+++ b/saml-core/src/main/resources/schema/wstrust/v1_3/oasis-200401-wss-wssecurity-utility-1.0.xsd
@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
+OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
+Copyright © OASIS Open 2002-2004. All Rights Reserved.
+This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.
+The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
+This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+-->
+<xsd:schema targetNamespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+
+
+            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+            xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+            elementFormDefault="qualified" attributeFormDefault="unqualified" version="0.1">
+  <!-- // Fault Codes /////////////////////////////////////////// -->
+  <xsd:simpleType name="tTimestampFault">
+    <xsd:annotation>
+      <xsd:documentation>
+        This type defines the fault code value for Timestamp message expiration.
+      </xsd:documentation>
+    </xsd:annotation>
+    <xsd:restriction base="xsd:QName">
+      <xsd:enumeration value="wsu:MessageExpired"/>
+    </xsd:restriction>
+  </xsd:simpleType>
+  <!-- // Global attributes //////////////////////////////////// -->
+  <xsd:attribute name="Id" type="xsd:ID">
+    <xsd:annotation>
+      <xsd:documentation>
+        This global attribute supports annotating arbitrary elements with an ID.
+      </xsd:documentation>
+    </xsd:annotation>
+  </xsd:attribute>
+  <xsd:attributeGroup name="commonAtts">
+    <xsd:annotation>
+      <xsd:documentation>
+        Convenience attribute group used to simplify this schema.
+      </xsd:documentation>
+    </xsd:annotation>
+    <xsd:attribute ref="wsu:Id" use="optional"/>
+    <xsd:anyAttribute namespace="##other" processContents="lax"/>
+  </xsd:attributeGroup>
+  <!-- // Utility types //////////////////////////////////////// -->
+  <xsd:complexType name="AttributedDateTime">
+    <xsd:annotation>
+      <xsd:documentation>
+        This type is for elements whose [children] is a psuedo-dateTime and can have arbitrary attributes.
+      </xsd:documentation>
+    </xsd:annotation>
+    <xsd:simpleContent>
+      <xsd:extension base="xsd:string">
+        <xsd:attributeGroup ref="wsu:commonAtts"/>
+      </xsd:extension>
+    </xsd:simpleContent>
+  </xsd:complexType>
+  <xsd:complexType name="AttributedURI">
+    <xsd:annotation>
+      <xsd:documentation>
+        This type is for elements whose [children] is an anyURI and can have arbitrary attributes.
+      </xsd:documentation>
+    </xsd:annotation>
+    <xsd:simpleContent>
+      <xsd:extension base="xsd:anyURI">
+        <xsd:attributeGroup ref="wsu:commonAtts"/>
+      </xsd:extension>
+    </xsd:simpleContent>
+  </xsd:complexType>
+  <!-- // Timestamp header components /////////////////////////// -->
+  <xsd:complexType name="TimestampType">
+    <xsd:annotation>
+      <xsd:documentation>
+        This complex type ties together the timestamp related elements into a composite type.
+      </xsd:documentation>
+    </xsd:annotation>
+    <xsd:sequence>
+      <xsd:element ref="wsu:Created" minOccurs="0"/>
+      <xsd:element ref="wsu:Expires" minOccurs="0"/>
+      <xsd:choice minOccurs="0" maxOccurs="unbounded">
+        <xsd:any namespace="##other" processContents="lax"/>
+      </xsd:choice>
+    </xsd:sequence>
+    <xsd:attributeGroup ref="wsu:commonAtts"/>
+  </xsd:complexType>
+  <xsd:element name="Timestamp" type="wsu:TimestampType">
+    <xsd:annotation>
+      <xsd:documentation>
+        This element allows Timestamps to be applied anywhere element wildcards are present,
+        including as a SOAP header.
+      </xsd:documentation>
+    </xsd:annotation>
+  </xsd:element>
+  <!-- global element decls to allow individual elements to appear anywhere -->
+  <xsd:element name="Expires" type="wsu:AttributedDateTime">
+    <xsd:annotation>
+      <xsd:documentation>
+        This element allows an expiration time to be applied anywhere element wildcards are present.
+      </xsd:documentation>
+    </xsd:annotation>
+  </xsd:element>
+  <xsd:element name="Created" type="wsu:AttributedDateTime">
+    <xsd:annotation>
+      <xsd:documentation>
+        This element allows a creation time to be applied anywhere element wildcards are present.
+      </xsd:documentation>
+    </xsd:annotation>
+  </xsd:element>
+</xsd:schema>
diff --git a/saml-core/src/main/resources/schema/wstrust/v1_3/ws-addr.xsd b/saml-core/src/main/resources/schema/wstrust/v1_3/ws-addr.xsd
new file mode 100644
index 0000000000..58ddcf0044
--- /dev/null
+++ b/saml-core/src/main/resources/schema/wstrust/v1_3/ws-addr.xsd
@@ -0,0 +1,140 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+    W3C XML Schema defined in the Web Services Addressing 1.0 specification
+    http://www.w3.org/TR/ws-addr-core
+
+   Copyright © 2005 World Wide Web Consortium,
+
+   (Massachusetts Institute of Technology, European Research Consortium for
+   Informatics and Mathematics, Keio University). All Rights Reserved. This
+   work is distributed under the W3C® Software License [1] in the hope that
+   it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+   [1] http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231
+
+   $Id: ws-addr.xsd,v 1.2 2008/07/23 13:38:16 plehegar Exp $
+-->
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://www.w3.org/2005/08/addressing"
+           targetNamespace="http://www.w3.org/2005/08/addressing" blockDefault="#all" elementFormDefault="qualified"
+           finalDefault="" attributeFormDefault="unqualified">
+
+  <!-- Constructs from the WS-Addressing Core -->
+
+  <xs:element name="EndpointReference" type="tns:EndpointReferenceType"/>
+  <xs:complexType name="EndpointReferenceType" mixed="false">
+    <xs:sequence>
+      <xs:element name="Address" type="tns:AttributedURIType"/>
+      <xs:element ref="tns:ReferenceParameters" minOccurs="0"/>
+      <xs:element ref="tns:Metadata" minOccurs="0"/>
+      <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:anyAttribute namespace="##other" processContents="lax"/>
+  </xs:complexType>
+
+  <xs:element name="ReferenceParameters" type="tns:ReferenceParametersType"/>
+  <xs:complexType name="ReferenceParametersType" mixed="false">
+    <xs:sequence>
+      <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:anyAttribute namespace="##other" processContents="lax"/>
+  </xs:complexType>
+
+  <xs:element name="Metadata" type="tns:MetadataType"/>
+  <xs:complexType name="MetadataType" mixed="false">
+    <xs:sequence>
+      <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:anyAttribute namespace="##other" processContents="lax"/>
+  </xs:complexType>
+
+  <xs:element name="MessageID" type="tns:AttributedURIType"/>
+  <xs:element name="RelatesTo" type="tns:RelatesToType"/>
+  <xs:complexType name="RelatesToType" mixed="false">
+    <xs:simpleContent>
+      <xs:extension base="xs:anyURI">
+        <xs:attribute name="RelationshipType" type="tns:RelationshipTypeOpenEnum" use="optional"
+                      default="http://www.w3.org/2005/08/addressing/reply"/>
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+
+  <xs:simpleType name="RelationshipTypeOpenEnum">
+    <xs:union memberTypes="tns:RelationshipType xs:anyURI"/>
+  </xs:simpleType>
+
+  <xs:simpleType name="RelationshipType">
+    <xs:restriction base="xs:anyURI">
+      <xs:enumeration value="http://www.w3.org/2005/08/addressing/reply"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:element name="ReplyTo" type="tns:EndpointReferenceType"/>
+  <xs:element name="From" type="tns:EndpointReferenceType"/>
+  <xs:element name="FaultTo" type="tns:EndpointReferenceType"/>
+  <xs:element name="To" type="tns:AttributedURIType"/>
+  <xs:element name="Action" type="tns:AttributedURIType"/>
+
+  <xs:complexType name="AttributedURIType" mixed="false">
+    <xs:simpleContent>
+      <xs:extension base="xs:anyURI">
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+
+  <!-- Constructs from the WS-Addressing SOAP binding -->
+
+  <xs:attribute name="IsReferenceParameter" type="xs:boolean"/>
+
+  <xs:simpleType name="FaultCodesOpenEnumType">
+    <xs:union memberTypes="tns:FaultCodesType xs:QName"/>
+  </xs:simpleType>
+
+  <xs:simpleType name="FaultCodesType">
+    <xs:restriction base="xs:QName">
+      <xs:enumeration value="tns:InvalidAddressingHeader"/>
+      <xs:enumeration value="tns:InvalidAddress"/>
+      <xs:enumeration value="tns:InvalidEPR"/>
+      <xs:enumeration value="tns:InvalidCardinality"/>
+      <xs:enumeration value="tns:MissingAddressInEPR"/>
+      <xs:enumeration value="tns:DuplicateMessageID"/>
+      <xs:enumeration value="tns:ActionMismatch"/>
+      <xs:enumeration value="tns:MessageAddressingHeaderRequired"/>
+      <xs:enumeration value="tns:DestinationUnreachable"/>
+      <xs:enumeration value="tns:ActionNotSupported"/>
+      <xs:enumeration value="tns:EndpointUnavailable"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:element name="RetryAfter" type="tns:AttributedUnsignedLongType"/>
+  <xs:complexType name="AttributedUnsignedLongType" mixed="false">
+    <xs:simpleContent>
+      <xs:extension base="xs:unsignedLong">
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+
+  <xs:element name="ProblemHeaderQName" type="tns:AttributedQNameType"/>
+  <xs:complexType name="AttributedQNameType" mixed="false">
+    <xs:simpleContent>
+      <xs:extension base="xs:QName">
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+
+  <xs:element name="ProblemIRI" type="tns:AttributedURIType"/>
+
+  <xs:element name="ProblemAction" type="tns:ProblemActionType"/>
+  <xs:complexType name="ProblemActionType" mixed="false">
+    <xs:sequence>
+      <xs:element ref="tns:Action" minOccurs="0"/>
+      <xs:element name="SoapAction" minOccurs="0" type="xs:anyURI"/>
+    </xs:sequence>
+    <xs:anyAttribute namespace="##other" processContents="lax"/>
+  </xs:complexType>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/wstrust/v1_3/ws-policy.xsd b/saml-core/src/main/resources/schema/wstrust/v1_3/ws-policy.xsd
new file mode 100644
index 0000000000..7223b59e74
--- /dev/null
+++ b/saml-core/src/main/resources/schema/wstrust/v1_3/ws-policy.xsd
@@ -0,0 +1,117 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+(c) 2001-2006 BEA Systems Inc., International Business Machines Corporation, Microsoft Corporation, Inc., SAP AG, Sonic Software, and VeriSign, Inc. All rights reserved.
+
+Permission to copy and display the WS-Policy Specification (the "Specification", which includes WSDL and schema documents), in any medium without fee or royalty is hereby granted, provided that you include the following on ALL copies of the WS-Policy Specification, that you make:
+
+1.	A link or URL to the WS-Policy Specification at one of the Authors' websites
+2.	The copyright notice as shown in the WS-Policy Specification.
+
+BEA Systems, IBM, Microsoft, SAP, Sonic Software, and VeriSign (collectively, the "Authors") each agree to grant you a license, under royalty-free and otherwise reasonable, non-discriminatory terms and conditions, to their respective essential patent claims that they deem necessary to implement the WS-Policy Specification.
+
+THE WS-POLICY SPECIFICATION IS PROVIDED "AS IS," AND THE AUTHORS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR TITLE; THAT THE CONTENTS OF THE WS-POLICY SPECIFICATION ARE SUITABLE FOR ANY PURPOSE; NOR THAT THE IMPLEMENTATION OF SUCH CONTENTS WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
+
+THE AUTHORS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATING TO ANY USE OR DISTRIBUTION OF THE WS-POLICY SPECIFICATION.
+
+The name and trademarks of the Authors may NOT be used in any manner, including advertising or publicity pertaining to the WS-Policy Specification or its contents without specific, written prior permission. Title to copyright in the WS-Policy Specification will at all times remain with the Authors.
+
+No other rights are granted by implication, estoppel or otherwise.
+-->
+<xs:schema
+        targetNamespace="http://schemas.xmlsoap.org/ws/2004/09/policy"
+        xmlns:tns="http://schemas.xmlsoap.org/ws/2004/09/policy"
+        xmlns:xs="http://www.w3.org/2001/XMLSchema"
+        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+        elementFormDefault="qualified"
+        blockDefault="#all">
+
+  <xs:import
+          namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
+          schemaLocation="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
+
+  <xs:import
+          namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+          schemaLocation="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
+
+  <!-- ////////// WS-Policy ////////// -->
+
+  <xs:element name="Policy">
+    <xs:complexType>
+      <xs:complexContent>
+        <xs:extension base="tns:OperatorContentType">
+          <xs:attribute name="Name" type="xs:anyURI"/>
+          <xs:attribute ref="wsu:Id"/>
+          <xs:anyAttribute namespace="##any" processContents="lax"/>
+        </xs:extension>
+      </xs:complexContent>
+    </xs:complexType>
+  </xs:element>
+  <xs:element name="All" type="tns:OperatorContentType"/>
+  <xs:element name="ExactlyOne" type="tns:OperatorContentType"/>
+
+  <xs:complexType name="OperatorContentType">
+    <xs:sequence>
+      <xs:choice minOccurs="0" maxOccurs="unbounded">
+        <xs:element ref="tns:Policy"/>
+        <xs:element ref="tns:All"/>
+        <xs:element ref="tns:ExactlyOne"/>
+        <xs:element ref="tns:PolicyReference"/>
+        <xs:any namespace="##other" processContents="lax"/>
+      </xs:choice>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:element name="PolicyReference">
+    <xs:complexType>
+      <xs:attribute name="URI" type="xs:anyURI" use="required"/>
+      <xs:attribute name="Digest" type="xs:base64Binary"/>
+      <xs:attribute name="DigestAlgorithm"
+                    type="xs:anyURI"
+                    default="http://schemas.xmlsoap.org/ws/2004/09/policy/Sha1Exc"
+              />
+      <xs:anyAttribute namespace="##any" processContents="lax"/>
+    </xs:complexType>
+  </xs:element>
+
+  <xs:attribute name="Optional" type="xs:boolean" default="false"/>
+
+  <!-- ////////// WS-PolicyAttachment ////////// -->
+
+  <xs:attribute name="PolicyURIs">
+    <xs:simpleType>
+      <xs:list itemType="xs:anyURI"/>
+    </xs:simpleType>
+  </xs:attribute>
+
+  <xs:element name="PolicyAttachment">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element ref="tns:AppliesTo"/>
+        <xs:choice maxOccurs="unbounded">
+          <xs:element ref="tns:Policy"/>
+          <xs:element ref="tns:PolicyReference"/>
+        </xs:choice>
+        <!-- omitted only because it causes the content model to be non-determistic
+        <xs:element ref="wsse:Security" minOccurs="0" />
+-->
+        <xs:any namespace="##other"
+                processContents="lax"
+                minOccurs="0"
+                maxOccurs="unbounded"/>
+      </xs:sequence>
+      <xs:anyAttribute namespace="##any" processContents="lax"/>
+    </xs:complexType>
+  </xs:element>
+
+  <xs:element name="AppliesTo">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:any namespace="##any"
+                processContents="lax"
+                maxOccurs="unbounded"/>
+      </xs:sequence>
+      <xs:anyAttribute namespace="##any" processContents="lax"/>
+    </xs:complexType>
+  </xs:element>
+
+</xs:schema>
\ No newline at end of file
diff --git a/saml-core/src/main/resources/schema/wstrust/v1_3/ws-trust-1.3.xsd b/saml-core/src/main/resources/schema/wstrust/v1_3/ws-trust-1.3.xsd
new file mode 100644
index 0000000000..be28c3d0d2
--- /dev/null
+++ b/saml-core/src/main/resources/schema/wstrust/v1_3/ws-trust-1.3.xsd
@@ -0,0 +1,444 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- 
+OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
+OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
+Copyright © OASIS Open 2002-2006. All Rights Reserved.
+This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.
+The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
+This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+-->
+<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'
+           xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
+           xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
+           xmlns:wsa='http://www.w3.org/2005/08/addressing'
+           xmlns:wst='http://docs.oasis-open.org/ws-sx/ws-trust/200512'
+           targetNamespace='http://docs.oasis-open.org/ws-sx/ws-trust/200512'
+           elementFormDefault='qualified'>
+
+  <xs:import namespace='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
+             schemaLocation='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'/>
+  <xs:import namespace='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
+             schemaLocation='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'/>
+  <xs:import namespace='http://schemas.xmlsoap.org/ws/2004/09/policy'
+             schemaLocation='http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd'/>
+  <xs:import namespace='http://www.w3.org/2005/08/addressing'
+             schemaLocation='http://www.w3.org/2006/03/addressing/ws-addr.xsd'/>
+
+  <!-- WS-Trust Section 3.1 -->
+  <xs:element name='RequestSecurityToken' type='wst:RequestSecurityTokenType'/>
+  <xs:complexType name='RequestSecurityTokenType'>
+    <xs:annotation>
+      <xs:documentation>
+        Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
+
+        &lt;xs:element ref='wst:TokenType' minOccurs='0' />
+        &lt;xs:element ref='wst:RequestType' />
+        &lt;xs:element ref='wsp:AppliesTo' minOccurs='0' />
+        &lt;xs:element ref='wst:Claims' minOccurs='0' />
+        &lt;xs:element ref='wst:Entropy' minOccurs='0' />
+        &lt;xs:element ref='wst:Lifetime' minOccurs='0' />
+        &lt;xs:element ref='wst:AllowPostdating' minOccurs='0' />
+        &lt;xs:element ref='wst:Renewing' minOccurs='0' />
+        &lt;xs:element ref='wst:OnBehalfOf' minOccurs='0' />
+        &lt;xs:element ref='wst:Issuer' minOccurs='0' />
+        &lt;xs:element ref='wst:AuthenticationType' minOccurs='0' />
+        &lt;xs:element ref='wst:KeyType' minOccurs='0' />
+        &lt;xs:element ref='wst:KeySize' minOccurs='0' />
+        &lt;xs:element ref='wst:SignatureAlgorithm' minOccurs='0' />
+        &lt;xs:element ref='wst:Encryption' minOccurs='0' />
+        &lt;xs:element ref='wst:EncryptionAlgorithm' minOccurs='0' />
+        &lt;xs:element ref='wst:CanonicalizationAlgorithm' minOccurs='0' />
+        &lt;xs:element ref='wst:ProofEncryption' minOccurs='0' />
+        &lt;xs:element ref='wst:UseKey' minOccurs='0' />
+        &lt;xs:element ref='wst:SignWith' minOccurs='0' />
+        &lt;xs:element ref='wst:EncryptWith' minOccurs='0' />
+        &lt;xs:element ref='wst:DelegateTo' minOccurs='0' />
+        &lt;xs:element ref='wst:Forwardable' minOccurs='0' />
+        &lt;xs:element ref='wst:Delegatable' minOccurs='0' />
+        &lt;xs:element ref='wsp:Policy' minOccurs='0' />
+        &lt;xs:element ref='wsp:PolicyReference' minOccurs='0' />
+        &lt;xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+
+      </xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded'/>
+    </xs:sequence>
+    <xs:attribute name='Context' type='xs:anyURI' use='optional'/>
+    <xs:anyAttribute namespace='##other' processContents='lax'/>
+  </xs:complexType>
+
+  <xs:element name='TokenType' type='xs:anyURI'/>
+
+  <xs:element name='RequestType' type='wst:RequestTypeOpenEnum'/>
+
+  <xs:simpleType name='RequestTypeOpenEnum'>
+    <xs:union memberTypes='wst:RequestTypeEnum xs:anyURI'/>
+  </xs:simpleType>
+
+  <xs:simpleType name='RequestTypeEnum'>
+    <xs:restriction base='xs:anyURI'>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue'/>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew'/>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel'/>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/STSCancel'/>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate'/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <!-- WS-Trust Section 3.2 -->
+  <xs:element name='RequestSecurityTokenResponse' type='wst:RequestSecurityTokenResponseType'/>
+  <xs:complexType name='RequestSecurityTokenResponseType'>
+    <xs:annotation>
+      <xs:documentation>
+        Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
+
+        &lt;xs:element ref='wst:TokenType' minOccurs='0' />
+        &lt;xs:element ref='wst:RequestType' />
+        &lt;xs:element ref='wst:RequestedSecurityToken' minOccurs='0' />
+        &lt;xs:element ref='wsp:AppliesTo' minOccurs='0' />
+        &lt;xs:element ref='wst:RequestedAttachedReference' minOccurs='0' />
+        &lt;xs:element ref='wst:RequestedUnattachedReference' minOccurs='0' />
+        &lt;xs:element ref='wst:RequestedProofToken' minOccurs='0' />
+        &lt;xs:element ref='wst:Entropy' minOccurs='0' />
+        &lt;xs:element ref='wst:Lifetime' minOccurs='0' />
+        &lt;xs:element ref='wst:Status' minOccurs='0' />
+        &lt;xs:element ref='wst:AllowPostdating' minOccurs='0' />
+        &lt;xs:element ref='wst:Renewing' minOccurs='0' />
+        &lt;xs:element ref='wst:OnBehalfOf' minOccurs='0' />
+        &lt;xs:element ref='wst:Issuer' minOccurs='0' />
+        &lt;xs:element ref='wst:AuthenticationType' minOccurs='0' />
+        &lt;xs:element ref='wst:Authenticator' minOccurs='0' />
+        &lt;xs:element ref='wst:KeyType' minOccurs='0' />
+        &lt;xs:element ref='wst:KeySize' minOccurs='0' />
+        &lt;xs:element ref='wst:SignatureAlgorithm' minOccurs='0' />
+        &lt;xs:element ref='wst:Encryption' minOccurs='0' />
+        &lt;xs:element ref='wst:EncryptionAlgorithm' minOccurs='0' />
+        &lt;xs:element ref='wst:CanonicalizationAlgorithm' minOccurs='0' />
+        &lt;xs:element ref='wst:ProofEncryption' minOccurs='0' />
+        &lt;xs:element ref='wst:UseKey' minOccurs='0' />
+        &lt;xs:element ref='wst:SignWith' minOccurs='0' />
+        &lt;xs:element ref='wst:EncryptWith' minOccurs='0' />
+        &lt;xs:element ref='wst:DelegateTo' minOccurs='0' />
+        &lt;xs:element ref='wst:Forwardable' minOccurs='0' />
+        &lt;xs:element ref='wst:Delegatable' minOccurs='0' />
+        &lt;xs:element ref='wsp:Policy' minOccurs='0' />
+        &lt;xs:element ref='wsp:PolicyReference' minOccurs='0' />
+        &lt;xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+
+      </xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded'/>
+    </xs:sequence>
+    <xs:attribute name='Context' type='xs:anyURI' use='optional'/>
+    <xs:anyAttribute namespace='##other' processContents='lax'/>
+  </xs:complexType>
+
+  <xs:element name='RequestedSecurityToken' type='wst:RequestedSecurityTokenType'/>
+  <xs:complexType name='RequestedSecurityTokenType'>
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <!-- WS-Trust Section 3.3 -->
+  <xs:element name='BinarySecret' type='wst:BinarySecretType'/>
+  <xs:complexType name='BinarySecretType'>
+    <xs:simpleContent>
+      <xs:extension base='xs:base64Binary'>
+        <xs:attribute name='Type' type='wst:BinarySecretTypeOpenEnum' use='optional'/>
+        <xs:anyAttribute namespace='##other' processContents='lax'/>
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+
+  <xs:simpleType name='BinarySecretTypeEnum'>
+    <xs:restriction base='xs:anyURI'>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey'/>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey'/>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce'/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name='BinarySecretTypeOpenEnum'>
+    <xs:union memberTypes='wst:BinarySecretTypeEnum xs:anyURI'/>
+  </xs:simpleType>
+
+
+  <!-- WS-Trust Section 4.1 -->
+  <xs:element name='Claims' type='wst:ClaimsType'/>
+  <xs:complexType name='ClaimsType'>
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded'/>
+    </xs:sequence>
+    <xs:attribute name='Dialect' type='xs:anyURI' use='optional'/>
+    <xs:anyAttribute namespace='##other' processContents='lax'/>
+  </xs:complexType>
+
+  <xs:element name='Entropy' type='wst:EntropyType'/>
+  <xs:complexType name='EntropyType'>
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded'/>
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax'/>
+  </xs:complexType>
+
+  <xs:element name='Lifetime' type='wst:LifetimeType'/>
+  <xs:complexType name='LifetimeType'>
+    <xs:sequence>
+      <xs:element ref='wsu:Created' minOccurs='0'/>
+      <xs:element ref='wsu:Expires' minOccurs='0'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <!-- WS-Trust Section 4.2 -->
+  <xs:element name='RequestSecurityTokenCollection' type='wst:RequestSecurityTokenCollectionType'/>
+  <xs:complexType name='RequestSecurityTokenCollectionType'>
+    <xs:annotation>
+      <xs:documentation>
+        The RequestSecurityTokenCollection (RSTC) element is used to provide multiple RST requests.
+        One or more RSTR elements in an RSTRC element are returned in the response to the
+        RequestSecurityTokenCollection.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:element name='RequestSecurityToken' type='wst:RequestSecurityTokenType' minOccurs='2' maxOccurs='unbounded'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:element name='RequestSecurityTokenResponseCollection' type='wst:RequestSecurityTokenResponseCollectionType'/>
+  <xs:complexType name='RequestSecurityTokenResponseCollectionType'>
+    <xs:annotation>
+      <xs:documentation>
+        The &lt;wst:RequestSecurityTokenResponseCollection> element (RSTRC) MUST be used to return a security token or
+        response to a security token request on the final response.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:element ref='wst:RequestSecurityTokenResponse' minOccurs='1' maxOccurs='unbounded'/>
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax'/>
+  </xs:complexType>
+
+  <!-- WS-Trust Section 4.3 -->
+  <xs:element name='ComputedKey' type='wst:ComputedKeyOpenEnum'/>
+  <xs:simpleType name='ComputedKeyEnum'>
+    <xs:restriction base='xs:anyURI'>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1'/>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/HASH'/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name='ComputedKeyOpenEnum'>
+    <xs:union memberTypes='wst:ComputedKeyEnum xs:anyURI'/>
+  </xs:simpleType>
+
+  <xs:element name='RequestedAttachedReference' type='wst:RequestedReferenceType'/>
+  <xs:element name='RequestedUnattachedReference' type='wst:RequestedReferenceType'/>
+  <xs:complexType name='RequestedReferenceType'>
+    <xs:sequence>
+      <xs:element ref='wsse:SecurityTokenReference'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:element name='RequestedProofToken' type='wst:RequestedProofTokenType'/>
+  <xs:complexType name='RequestedProofTokenType'>
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <!-- WS-Trust Section 6.4 -->
+  <xs:element name='IssuedTokens' type='wst:RequestSecurityTokenResponseCollectionType'/>
+
+  <!-- WS-Trust Section 5 -->
+  <xs:element name='RenewTarget' type='wst:RenewTargetType'/>
+  <xs:complexType name='RenewTargetType'>
+    <xs:sequence>
+      <xs:any namespace='##other' minOccurs='1' maxOccurs='1'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:element name='AllowPostdating' type='wst:AllowPostdatingType'/>
+  <xs:complexType name='AllowPostdatingType'/>
+
+  <xs:element name='Renewing' type='wst:RenewingType'/>
+  <xs:complexType name='RenewingType'>
+    <xs:attribute name='Allow' type='xs:boolean' use='optional'/>
+    <xs:attribute name='OK' type='xs:boolean' use='optional'/>
+  </xs:complexType>
+
+  <!-- WS-Trust Section 6 -->
+  <xs:element name='CancelTarget' type='wst:CancelTargetType'/>
+  <xs:complexType name='CancelTargetType'>
+    <xs:sequence>
+      <xs:any namespace='##other' minOccurs='1' maxOccurs='1'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:element name='RequestedTokenCancelled' type='wst:RequestedTokenCancelledType'/>
+  <xs:complexType name='RequestedTokenCancelledType'/>
+
+  <!-- WS-Trust Section 7 -->
+  <xs:element name='ValidateTarget' type='wst:ValidateTargetType'/>
+  <xs:complexType name='ValidateTargetType'>
+    <xs:sequence>
+      <xs:any namespace='##other' minOccurs='1' maxOccurs='1'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:element name='Status' type='wst:StatusType'/>
+  <xs:complexType name='StatusType'>
+    <xs:sequence>
+      <xs:element name='Code' type='wst:StatusCodeOpenEnum'/>
+      <xs:element name='Reason' type='xs:string' minOccurs='0'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:simpleType name='StatusCodeEnum'>
+    <xs:restriction base='xs:anyURI'>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid'/>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/invalid'/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name='StatusCodeOpenEnum'>
+    <xs:union memberTypes='wst:StatusCodeEnum xs:anyURI'/>
+  </xs:simpleType>
+
+  <!-- WS-Trust Section 8.2 -->
+  <xs:element name='SignChallenge' type='wst:SignChallengeType'/>
+  <xs:element name='SignChallengeResponse' type='wst:SignChallengeType'/>
+  <xs:complexType name='SignChallengeType'>
+    <xs:sequence>
+      <xs:element ref='wst:Challenge'/>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded'/>
+    </xs:sequence>
+    <xs:anyAttribute namespace='##any' processContents='lax'/>
+  </xs:complexType>
+
+  <xs:element name='Challenge' type='xs:string'/>
+
+
+  <!-- WS-Trust Section 8.3 -->
+  <xs:element name='BinaryExchange' type='wst:BinaryExchangeType'/>
+  <xs:complexType name='BinaryExchangeType'>
+    <xs:simpleContent>
+      <xs:extension base='xs:string'>
+        <xs:attribute name='ValueType' type='xs:anyURI' use='required'/>
+        <xs:attribute name='EncodingType' type='xs:anyURI' use='required'/>
+        <xs:anyAttribute namespace='##other' processContents='lax'/>
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+
+  <!-- WS-Trust Section 8.4 -->
+  <xs:element name='RequestKET' type='wst:RequestKETType'/>
+  <xs:complexType name='RequestKETType'/>
+
+  <xs:element name='KeyExchangeToken' type='wst:KeyExchangeTokenType'/>
+  <xs:complexType name='KeyExchangeTokenType'>
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <!-- WS-Trust Section 8.9 -->
+  <xs:element name='Authenticator' type='wst:AuthenticatorType'/>
+  <xs:complexType name='AuthenticatorType'>
+    <xs:sequence>
+      <xs:element ref='wst:CombinedHash' minOccurs='0'/>
+      <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:element name='CombinedHash' type='xs:base64Binary'/>
+
+  <!-- WS-Trust Section 9.1 -->
+  <xs:element name='OnBehalfOf' type='wst:OnBehalfOfType'/>
+  <xs:complexType name='OnBehalfOfType'>
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:element name='Issuer' type='wsa:EndpointReferenceType'/>
+
+  <!-- WS-Trust Section 9.2 -->
+  <xs:element name='AuthenticationType' type='xs:anyURI'/>
+
+  <xs:element name='KeyType' type='wst:KeyTypeOpenEnum'/>
+  <xs:simpleType name='KeyTypeEnum'>
+    <xs:restriction base='xs:anyURI'>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey'/>
+      <xs:enumeration value='http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey'/>
+      <xs:enumeration value='http://docs.oasis-open.org/wssx/wstrust/200512/Bearer'/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name='KeyTypeOpenEnum'>
+    <xs:union memberTypes='wst:KeyTypeEnum xs:anyURI'/>
+  </xs:simpleType>
+
+  <xs:element name='KeySize' type='xs:unsignedInt'/>
+
+  <xs:element name='SignatureAlgorithm' type='xs:anyURI'/>
+  <xs:element name='EncryptionAlgorithm' type='xs:anyURI'/>
+  <xs:element name='CanonicalizationAlgorithm' type='xs:anyURI'/>
+  <xs:element name='ComputedKeyAlgorithm' type='xs:anyURI'/>
+
+  <xs:element name='Encryption' type='wst:EncryptionType'/>
+  <xs:complexType name='EncryptionType'>
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:element name='ProofEncryption' type='wst:ProofEncryptionType'/>
+  <xs:complexType name='ProofEncryptionType'>
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:element name='UseKey' type='wst:UseKeyType'/>
+  <xs:complexType name='UseKeyType'>
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0'/>
+    </xs:sequence>
+    <xs:attribute name='Sig' type='xs:anyURI' use='optional'/>
+  </xs:complexType>
+
+  <xs:element name='KeyWrapAlgorithm' type='xs:anyURI'/>
+  <xs:element name='SignWith' type='xs:anyURI'/>
+  <xs:element name='EncryptWith' type='xs:anyURI'/>
+
+  <!-- WS-Trust Section 9.3 -->
+  <xs:element name='DelegateTo' type='wst:DelegateToType'/>
+  <xs:complexType name='DelegateToType'>
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:element name='Forwardable' type='xs:boolean'/>
+  <xs:element name='Delegatable' type='xs:boolean'/>
+
+  <!-- WS-Trust Section 9.5 -->
+  <xs:element name='Participants' type='wst:ParticipantsType'/>
+  <xs:complexType name='ParticipantsType'>
+    <xs:sequence>
+      <xs:element name='Primary' type='wst:ParticipantType' minOccurs='0'/>
+      <xs:element name='Participant' type='wst:ParticipantType' minOccurs='0' maxOccurs='unbounded'/>
+      <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded'/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name='ParticipantType'>
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax'/>
+    </xs:sequence>
+  </xs:complexType>
+
+</xs:schema>
diff --git a/saml-core/src/main/resources/schema/xacml/access_control-xacml-2.0-context-schema-os.xsd b/saml-core/src/main/resources/schema/xacml/access_control-xacml-2.0-context-schema-os.xsd
new file mode 100644
index 0000000000..51311667aa
--- /dev/null
+++ b/saml-core/src/main/resources/schema/xacml/access_control-xacml-2.0-context-schema-os.xsd
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="urn:oasis:names:tc:xacml:2.0:context:schema:os" elementFormDefault="qualified" attributeFormDefault="unqualified">
+	<xs:import namespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os" schemaLocation="access_control-xacml-2.0-policy-schema-os.xsd"/>
+	<!-- 	-->
+	<xs:element name="Request" type="xacml-context:RequestType"/>
+	<xs:complexType name="RequestType">
+		<xs:sequence>
+			<xs:element ref="xacml-context:Subject" maxOccurs="unbounded"/>
+			<xs:element ref="xacml-context:Resource" maxOccurs="unbounded"/>
+			<xs:element ref="xacml-context:Action"/>
+			<xs:element ref="xacml-context:Environment"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Response" type="xacml-context:ResponseType"/>
+	<xs:complexType name="ResponseType">
+		<xs:sequence>
+			<xs:element ref="xacml-context:Result" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Subject" type="xacml-context:SubjectType"/>
+	<xs:complexType name="SubjectType">
+		<xs:sequence>
+			<xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+		</xs:sequence>
+		<xs:attribute name="SubjectCategory" type="xs:anyURI" default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Resource" type="xacml-context:ResourceType"/>
+	<xs:complexType name="ResourceType">
+		<xs:sequence>
+			<xs:element ref="xacml-context:ResourceContent" minOccurs="0"/>
+			<xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="ResourceContent" type="xacml-context:ResourceContentType"/>
+	<xs:complexType name="ResourceContentType" mixed="true">
+		<xs:sequence>
+			<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+		</xs:sequence>
+		<xs:anyAttribute namespace="##any" processContents="lax"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Action" type="xacml-context:ActionType"/>
+	<xs:complexType name="ActionType">
+		<xs:sequence>
+			<xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Environment" type="xacml-context:EnvironmentType"/>
+	<xs:complexType name="EnvironmentType">
+		<xs:sequence>
+			<xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Attribute" type="xacml-context:AttributeType"/>
+	<xs:complexType name="AttributeType">
+		<xs:sequence>
+			<xs:element ref="xacml-context:AttributeValue" maxOccurs="unbounded"/>
+		</xs:sequence>
+		<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
+		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
+		<xs:attribute name="Issuer" type="xs:string" use="optional"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="AttributeValue" type="xacml-context:AttributeValueType"/>
+	<xs:complexType name="AttributeValueType" mixed="true">
+		<xs:sequence>
+			<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+		</xs:sequence>
+		<xs:anyAttribute namespace="##any" processContents="lax"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Result" type="xacml-context:ResultType"/>
+	<xs:complexType name="ResultType">
+		<xs:sequence>
+			<xs:element ref="xacml-context:Decision"/>
+			<xs:element ref="xacml-context:Status" minOccurs="0"/>
+			<xs:element ref="xacml:Obligations" minOccurs="0"/>
+		</xs:sequence>
+		<xs:attribute name="ResourceId" type="xs:string" use="optional"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Decision" type="xacml-context:DecisionType"/>
+	<xs:simpleType name="DecisionType">
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="Permit"/>
+			<xs:enumeration value="Deny"/>
+			<xs:enumeration value="Indeterminate"/>
+			<xs:enumeration value="NotApplicable"/>
+		</xs:restriction>
+	</xs:simpleType>
+	<!-- -->
+	<xs:element name="Status" type="xacml-context:StatusType"/>
+	<xs:complexType name="StatusType">
+		<xs:sequence>
+			<xs:element ref="xacml-context:StatusCode"/>
+			<xs:element ref="xacml-context:StatusMessage" minOccurs="0"/>
+			<xs:element ref="xacml-context:StatusDetail" minOccurs="0"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="StatusCode" type="xacml-context:StatusCodeType"/>
+	<xs:complexType name="StatusCodeType">
+		<xs:sequence>
+			<xs:element ref="xacml-context:StatusCode" minOccurs="0"/>
+		</xs:sequence>
+		<xs:attribute name="Value" type="xs:anyURI" use="required"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="StatusMessage" type="xs:string"/>
+	<!-- -->
+	<xs:element name="StatusDetail" type="xacml-context:StatusDetailType"/>
+	<xs:complexType name="StatusDetailType">
+		<xs:sequence>
+			<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="MissingAttributeDetail" type="xacml-context:MissingAttributeDetailType"/>
+	<xs:complexType name="MissingAttributeDetailType">
+		<xs:sequence>
+			<xs:element ref="xacml-context:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
+		</xs:sequence>
+		<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
+		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
+		<xs:attribute name="Issuer" type="xs:string" use="optional"/>
+	</xs:complexType>
+	<!-- -->
+</xs:schema>
+
diff --git a/saml-core/src/main/resources/schema/xacml/access_control-xacml-2.0-policy-schema-os.xsd b/saml-core/src/main/resources/schema/xacml/access_control-xacml-2.0-policy-schema-os.xsd
new file mode 100644
index 0000000000..51b6dbb65a
--- /dev/null
+++ b/saml-core/src/main/resources/schema/xacml/access_control-xacml-2.0-policy-schema-os.xsd
@@ -0,0 +1,380 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os" elementFormDefault="qualified" attributeFormDefault="unqualified">
+	<!-- -->
+	<xs:element name="PolicySet" type="xacml:PolicySetType"/>
+	<xs:complexType name="PolicySetType">
+		<xs:sequence>
+			<xs:element ref="xacml:Description" minOccurs="0"/>
+			<xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/>
+			<xs:element ref="xacml:Target"/>
+			<xs:choice minOccurs="0" maxOccurs="unbounded">
+				<xs:element ref="xacml:PolicySet"/>
+				<xs:element ref="xacml:Policy"/>
+				<xs:element ref="xacml:PolicySetIdReference"/>
+				<xs:element ref="xacml:PolicyIdReference"/>
+				<xs:element ref="xacml:CombinerParameters"/>
+				<xs:element ref="xacml:PolicyCombinerParameters"/>
+				<xs:element ref="xacml:PolicySetCombinerParameters"/>
+			</xs:choice>
+			<xs:element ref="xacml:Obligations" minOccurs="0"/>
+		</xs:sequence>
+		<xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
+		<xs:attribute name="Version" type="xacml:VersionType" default="1.0"/>
+		<xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use="required"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="CombinerParameters" type="xacml:CombinerParametersType"/>
+	<xs:complexType name="CombinerParametersType">
+		<xs:sequence>
+			<xs:element ref="xacml:CombinerParameter" minOccurs="0" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="CombinerParameter" type="xacml:CombinerParameterType"/>
+	<xs:complexType name="CombinerParameterType">
+		<xs:sequence>
+			<xs:element ref="xacml:AttributeValue"/>
+		</xs:sequence>
+		<xs:attribute name="ParameterName" type="xs:string" use="required"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="RuleCombinerParameters" type="xacml:RuleCombinerParametersType"/>
+	<xs:complexType name="RuleCombinerParametersType">
+		<xs:complexContent>
+			<xs:extension base="xacml:CombinerParametersType">
+				<xs:attribute name="RuleIdRef" type="xs:string" use="required"/>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="PolicyCombinerParameters" type="xacml:PolicyCombinerParametersType"/>
+	<xs:complexType name="PolicyCombinerParametersType">
+		<xs:complexContent>
+			<xs:extension base="xacml:CombinerParametersType">
+				<xs:attribute name="PolicyIdRef" type="xs:anyURI" use="required"/>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="PolicySetCombinerParameters" type="xacml:PolicySetCombinerParametersType"/>
+	<xs:complexType name="PolicySetCombinerParametersType">
+		<xs:complexContent>
+			<xs:extension base="xacml:CombinerParametersType">
+				<xs:attribute name="PolicySetIdRef" type="xs:anyURI" use="required"/>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="PolicySetIdReference" type="xacml:IdReferenceType"/>
+	<xs:element name="PolicyIdReference" type="xacml:IdReferenceType"/>
+	<!-- -->
+	<xs:element name="PolicySetDefaults" type="xacml:DefaultsType"/>
+	<xs:element name="PolicyDefaults" type="xacml:DefaultsType"/>
+	<xs:complexType name="DefaultsType">
+		<xs:sequence>
+			<xs:choice>
+				<xs:element ref="xacml:XPathVersion"/>
+			</xs:choice>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="XPathVersion" type="xs:anyURI"/>
+	<!-- -->
+	<xs:complexType name="IdReferenceType">
+		<xs:simpleContent>
+			<xs:extension base="xs:anyURI">
+				<xs:attribute name="Version" type="xacml:VersionMatchType" use="optional"/>
+				<xs:attribute name="EarliestVersion" type="xacml:VersionMatchType" use="optional"/>
+				<xs:attribute name="LatestVersion" type="xacml:VersionMatchType" use="optional"/>
+			</xs:extension>
+		</xs:simpleContent>
+	</xs:complexType>
+	<!-- -->
+	<xs:simpleType name="VersionType">
+		<xs:restriction base="xs:string">
+			<xs:pattern value="(\d+\.)*\d+"/>
+		</xs:restriction>
+	</xs:simpleType>
+	<!-- -->
+	<xs:simpleType name="VersionMatchType">
+		<xs:restriction base="xs:string">
+			<xs:pattern value="((\d+|\*)\.)*(\d+|\*|\+)"/>
+		</xs:restriction>
+	</xs:simpleType>
+	<!-- -->
+	<xs:element name="Policy" type="xacml:PolicyType"/>
+	<xs:complexType name="PolicyType">
+		<xs:sequence>
+			<xs:element ref="xacml:Description" minOccurs="0"/>
+			<xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
+			<xs:element ref="xacml:Target"/>
+			<xs:choice maxOccurs="unbounded">
+				<xs:element ref="xacml:CombinerParameters" minOccurs="0"/>
+				<xs:element ref="xacml:RuleCombinerParameters" minOccurs="0"/>
+				<xs:element ref="xacml:VariableDefinition"/>
+				<xs:element ref="xacml:Rule"/>
+			</xs:choice>
+			<xs:element ref="xacml:Obligations" minOccurs="0"/>
+		</xs:sequence>
+		<xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
+		<xs:attribute name="Version" type="xacml:VersionType" default="1.0"/>
+		<xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Description" type="xs:string"/>
+	<!-- -->
+	<xs:element name="Rule" type="xacml:RuleType"/>
+	<xs:complexType name="RuleType">
+		<xs:sequence>
+			<xs:element ref="xacml:Description" minOccurs="0"/>
+			<xs:element ref="xacml:Target" minOccurs="0"/>
+			<xs:element ref="xacml:Condition" minOccurs="0"/>
+		</xs:sequence>
+		<xs:attribute name="RuleId" type="xs:string" use="required"/>
+		<xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:simpleType name="EffectType">
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="Permit"/>
+			<xs:enumeration value="Deny"/>
+		</xs:restriction>
+	</xs:simpleType>
+	<!-- -->
+	<xs:element name="Target" type="xacml:TargetType"/>
+	<xs:complexType name="TargetType">
+		<xs:sequence>
+			<xs:element ref="xacml:Subjects" minOccurs="0"/>
+			<xs:element ref="xacml:Resources" minOccurs="0"/>
+			<xs:element ref="xacml:Actions" minOccurs="0"/>
+			<xs:element ref="xacml:Environments" minOccurs="0"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Subjects" type="xacml:SubjectsType"/>
+	<xs:complexType name="SubjectsType">
+		<xs:sequence>
+			<xs:element ref="xacml:Subject" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Subject" type="xacml:SubjectType"/>
+	<xs:complexType name="SubjectType">
+		<xs:sequence>
+			<xs:element ref="xacml:SubjectMatch" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Resources" type="xacml:ResourcesType"/>
+	<xs:complexType name="ResourcesType">
+		<xs:sequence>
+			<xs:element ref="xacml:Resource" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Resource" type="xacml:ResourceType"/>
+	<xs:complexType name="ResourceType">
+		<xs:sequence>
+			<xs:element ref="xacml:ResourceMatch" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Actions" type="xacml:ActionsType"/>
+	<xs:complexType name="ActionsType">
+		<xs:sequence>
+			<xs:element ref="xacml:Action" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Action" type="xacml:ActionType"/>
+	<xs:complexType name="ActionType">
+		<xs:sequence>
+			<xs:element ref="xacml:ActionMatch" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Environments" type="xacml:EnvironmentsType"/>
+	<xs:complexType name="EnvironmentsType">
+		<xs:sequence>
+			<xs:element ref="xacml:Environment" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Environment" type="xacml:EnvironmentType"/>
+	<xs:complexType name="EnvironmentType">
+		<xs:sequence>
+			<xs:element ref="xacml:EnvironmentMatch" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="SubjectMatch" type="xacml:SubjectMatchType"/>
+	<xs:complexType name="SubjectMatchType">
+		<xs:sequence>
+			<xs:element ref="xacml:AttributeValue"/>
+			<xs:choice>
+				<xs:element ref="xacml:SubjectAttributeDesignator"/>
+				<xs:element ref="xacml:AttributeSelector"/>
+			</xs:choice>
+		</xs:sequence>
+		<xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="ResourceMatch" type="xacml:ResourceMatchType"/>
+	<xs:complexType name="ResourceMatchType">
+		<xs:sequence>
+			<xs:element ref="xacml:AttributeValue"/>
+			<xs:choice>
+				<xs:element ref="xacml:ResourceAttributeDesignator"/>
+				<xs:element ref="xacml:AttributeSelector"/>
+			</xs:choice>
+		</xs:sequence>
+		<xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="ActionMatch" type="xacml:ActionMatchType"/>
+	<xs:complexType name="ActionMatchType">
+		<xs:sequence>
+			<xs:element ref="xacml:AttributeValue"/>
+			<xs:choice>
+				<xs:element ref="xacml:ActionAttributeDesignator"/>
+				<xs:element ref="xacml:AttributeSelector"/>
+			</xs:choice>
+		</xs:sequence>
+		<xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="EnvironmentMatch" type="xacml:EnvironmentMatchType"/>
+	<xs:complexType name="EnvironmentMatchType">
+		<xs:sequence>
+			<xs:element ref="xacml:AttributeValue"/>
+			<xs:choice>
+				<xs:element ref="xacml:EnvironmentAttributeDesignator"/>
+				<xs:element ref="xacml:AttributeSelector"/>
+			</xs:choice>
+		</xs:sequence>
+		<xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="VariableDefinition" type="xacml:VariableDefinitionType"/>
+	<xs:complexType name="VariableDefinitionType">
+		<xs:sequence>
+			<xs:element ref="xacml:Expression"/>
+		</xs:sequence>
+		<xs:attribute name="VariableId" type="xs:string" use="required"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Expression" type="xacml:ExpressionType" abstract="true"/>
+	<xs:complexType name="ExpressionType" abstract="true"/>
+	<!-- -->
+	<xs:element name="VariableReference" type="xacml:VariableReferenceType" substitutionGroup="xacml:Expression"/>
+	<xs:complexType name="VariableReferenceType">
+		<xs:complexContent>
+			<xs:extension base="xacml:ExpressionType">
+				<xs:attribute name="VariableId" type="xs:string" use="required"/>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="AttributeSelector" type="xacml:AttributeSelectorType" substitutionGroup="xacml:Expression"/>
+	<xs:complexType name="AttributeSelectorType">
+		<xs:complexContent>
+			<xs:extension base="xacml:ExpressionType">
+				<xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
+				<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
+				<xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="ResourceAttributeDesignator" type="xacml:AttributeDesignatorType" substitutionGroup="xacml:Expression"/>
+	<xs:element name="ActionAttributeDesignator" type="xacml:AttributeDesignatorType" substitutionGroup="xacml:Expression"/>
+	<xs:element name="EnvironmentAttributeDesignator" type="xacml:AttributeDesignatorType" substitutionGroup="xacml:Expression"/>
+	<!-- -->
+	<xs:complexType name="AttributeDesignatorType">
+		<xs:complexContent>
+			<xs:extension base="xacml:ExpressionType">
+				<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
+				<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
+				<xs:attribute name="Issuer" type="xs:string" use="optional"/>
+				<xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="SubjectAttributeDesignator" type="xacml:SubjectAttributeDesignatorType" substitutionGroup="xacml:Expression"/>
+	<xs:complexType name="SubjectAttributeDesignatorType">
+		<xs:complexContent>
+			<xs:extension base="xacml:AttributeDesignatorType">
+				<xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional" default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="AttributeValue" type="xacml:AttributeValueType" substitutionGroup="xacml:Expression"/>
+	<xs:complexType name="AttributeValueType" mixed="true">
+		<xs:complexContent mixed="true">
+			<xs:extension base="xacml:ExpressionType">
+				<xs:sequence>
+					<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+				</xs:sequence>
+				<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
+				<xs:anyAttribute namespace="##any" processContents="lax"/>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Function" type="xacml:FunctionType" substitutionGroup="xacml:Expression"/>
+	<xs:complexType name="FunctionType">
+		<xs:complexContent>
+			<xs:extension base="xacml:ExpressionType">
+				<xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Condition" type="xacml:ConditionType"/>
+	<xs:complexType name="ConditionType">
+		<xs:sequence>
+			<xs:element ref="xacml:Expression"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Apply" type="xacml:ApplyType" substitutionGroup="xacml:Expression"/>
+	<xs:complexType name="ApplyType">
+		<xs:complexContent>
+			<xs:extension base="xacml:ExpressionType">
+				<xs:sequence>
+					<xs:element ref="xacml:Expression" minOccurs="0" maxOccurs="unbounded"/>
+				</xs:sequence>
+				<xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Obligations" type="xacml:ObligationsType"/>
+	<xs:complexType name="ObligationsType">
+		<xs:sequence>
+			<xs:element ref="xacml:Obligation" maxOccurs="unbounded"/>
+		</xs:sequence>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="Obligation" type="xacml:ObligationType"/>
+	<xs:complexType name="ObligationType">
+		<xs:sequence>
+			<xs:element ref="xacml:AttributeAssignment" minOccurs="0" maxOccurs="unbounded"/>
+		</xs:sequence>
+		<xs:attribute name="ObligationId" type="xs:anyURI" use="required"/>
+		<xs:attribute name="FulfillOn" type="xacml:EffectType" use="required"/>
+	</xs:complexType>
+	<!-- -->
+	<xs:element name="AttributeAssignment" type="xacml:AttributeAssignmentType"/>
+	<xs:complexType name="AttributeAssignmentType" mixed="true">
+		<xs:complexContent mixed="true">
+			<xs:extension base="xacml:AttributeValueType">
+				<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<!-- -->
+</xs:schema>
+
diff --git a/saml-core/src/test/java/org/keycloak/saml/processing/core/util/IDFedLSInputResolverTest.java b/saml-core/src/test/java/org/keycloak/saml/processing/core/util/IDFedLSInputResolverTest.java
new file mode 100644
index 0000000000..48d6a0e68e
--- /dev/null
+++ b/saml-core/src/test/java/org/keycloak/saml/processing/core/util/IDFedLSInputResolverTest.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.util;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+
+import javax.xml.XMLConstants;
+import javax.xml.validation.SchemaFactory;
+
+import org.junit.Test;
+import org.w3c.dom.ls.LSInput;
+import org.w3c.dom.ls.LSResourceResolver;
+
+public class IDFedLSInputResolverTest {
+
+    @Test
+    public void testSchemaConstruction() throws Exception {
+         
+        // make sure there is no outgoing call to get schema online; 
+        // all resources must have a result for our resolver
+        SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+
+        final IDFedLSInputResolver idFedLSInputResolver = new IDFedLSInputResolver();
+        
+        schemaFactory.setResourceResolver(new LSResourceResolver() {
+            
+            @Override
+            public LSInput resolveResource(String type, String namespaceURI, String publicId, String systemId, String baseURI) {
+                LSInput input = idFedLSInputResolver.resolveResource(type, namespaceURI, publicId, systemId, baseURI);
+                
+                if(input == null) {
+                    throw new IllegalArgumentException("Unable to resolve " + systemId);
+                }
+                
+                InputStream is = input.getByteStream();
+                if(is == null) {
+                    throw new IllegalArgumentException("Unable to resolve stream for " + systemId);
+                }
+                try {
+                    is.close();
+                } catch (IOException e) {
+                    throw new RuntimeException(e);
+                }
+                
+                return input;
+            }
+        });
+
+        // check that all schema can be resolved
+        for(String schema : SchemaManagerUtil.getSchemas()) {
+            if(schema.contains("saml")) {
+                URL schemaFile = SecurityActions.loadResource(getClass(), schema);
+                schemaFactory.newSchema(schemaFile);
+            }
+        }
+        
+        JAXPValidationUtil.validator();
+        
+    }
+
+}
\ No newline at end of file
diff --git a/testsuite/integration-deprecated/src/test/java/org/keycloak/testsuite/saml/ValidationTest.java b/testsuite/integration-deprecated/src/test/java/org/keycloak/testsuite/saml/ValidationTest.java
index de905bfe5d..bc1e3aa0d2 100644
--- a/testsuite/integration-deprecated/src/test/java/org/keycloak/testsuite/saml/ValidationTest.java
+++ b/testsuite/integration-deprecated/src/test/java/org/keycloak/testsuite/saml/ValidationTest.java
@@ -16,15 +16,11 @@
  */
 package org.keycloak.testsuite.saml;
 
-import org.junit.Assert;
-import org.junit.Ignore;
-import org.junit.Test;
-import org.keycloak.common.util.StreamUtil;
-import org.keycloak.models.utils.KeycloakModelUtils;
-import org.keycloak.protocol.saml.SamlProtocol;
-import org.keycloak.protocol.saml.SamlService;
-import org.keycloak.saml.SPMetadataDescriptor;
-import org.xml.sax.SAXException;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
 
 import javax.xml.XMLConstants;
 import javax.xml.transform.Source;
@@ -32,10 +28,19 @@ import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 import javax.xml.validation.Validator;
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.URL;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.keycloak.common.util.StreamUtil;
+import org.keycloak.dom.saml.v2.metadata.KeyTypes;
+import org.keycloak.protocol.saml.SamlProtocol;
+import org.keycloak.protocol.saml.SamlService;
+import org.keycloak.saml.SPMetadataDescriptor;
+import org.keycloak.saml.processing.core.util.IDFedLSInputResolver;
+import org.keycloak.saml.processing.core.util.JAXPValidationUtil;
+import org.w3c.dom.ls.LSInput;
+import org.w3c.dom.ls.LSResourceResolver;
+import org.xml.sax.SAXException;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@@ -43,6 +48,13 @@ import java.net.URL;
  */
 public class ValidationTest {
 
+    private static final String PRIVATE_KEY = "MIICWwIBAAKBgQDVG8a7xGN6ZIkDbeecySygcDfsypjUMNPE4QJjis8B316CvsZQ0hcTTLUyiRpHlHZys2k3xEhHBHymFC1AONcvzZzpb40tAhLHO1qtAnut00khjAdjR3muLVdGkM/zMC7G5s9iIwBVhwOQhy+VsGnCH91EzkjZ4SVEr55KJoyQJQIDAQABAoGADaTtoG/+foOZUiLjRWKL/OmyavK9vjgyFtThNkZY4qHOh0h3og0RdSbgIxAsIpEa1FUwU2W5yvI6mNeJ3ibFgCgcxqPk6GkAC7DWfQfdQ8cS+dCuaFTs8ObIQEvU50YzeNPiiFxRA+MnauCUXaKm/PnDfjd4tPgru7XZvlGh0wECQQDsBbN2cKkBKpr/b5oJiBcBaSZtWiMNuYBDn9x8uORj+Gy/49BUIMHF2EWyxOWz6ocP5YiynNRkPe21Zus7PEr1AkEA5yWQOkxUTIg43s4pxNSeHtL+Ebqcg54lY2xOQK0yufxUVZI8ODctAKmVBMiCKpU3mZQquOaQicuGtocpgxlScQI/YM31zZ5nsxLGf/5GL6KhzPJT0IYn2nk7IoFu7bjn9BjwgcPurpLA52TNMYWQsTqAKwT6DEhG1NaRqNWNpb4VAkBehObAYBwMm5udyHIeEc+CzUalm0iLLa0eRdiN7AUVNpCJ2V2Uo0NcxPux1AgeP5xXydXafDXYkwhINWcNO9qRAkEA58ckAC5loUGwU5dLaugsGH/a2Q8Ac8bmPglwfCstYDpl8Gp/eimb1eKyvDEELOhyImAv4/uZV9wN85V0xZXWsw==";
+
+    /**
+     * The public certificate that corresponds to {@link #PRIVATE_KEY}.
+     */
+    private static final String PUBLIC_CERT = "MIIDdzCCAl+gAwIBAgIEbySuqTANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTE1MDEyODIyMTYyMFoXDTE3MTAyNDIyMTYyMFowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAII/K9NNvXi9IySl7+l2zY/kKrGTtuR4WdCI0xLW/Jn4dLY7v1/HOnV4CC4ecFOzhdNFPtJkmEhP/q62CpmOYOKApXk3tfmm2rwEz9bWprVxgFGKnbrWlz61Z/cjLAlhD3IUj2ZRBquYgSXQPsYfXo1JmSWF5pZ9uh1FVqu9f4wvRqY20ZhUN+39F+1iaBsoqsrbXypCn1HgZkW1/9D9GZug1c3vB4wg1TwZZWRNGtxwoEhdK6dPrNcZ+6PdanVilWrbQFbBjY4wz8/7IMBzssoQ7Usmo8F1Piv0FGfaVeJqBrcAvbiBMpk8pT+27u6p8VyIX6LhGvnxIwM07NByeSUCAwEAAaMhMB8wHQYDVR0OBBYEFFlcNuTYwI9W0tQ224K1gFJlMam0MA0GCSqGSIb3DQEBCwUAA4IBAQB5snl1KWOJALtAjLqD0mLPg1iElmZP82Lq1htLBt3XagwzU9CaeVeCQ7lTp+DXWzPa9nCLhsC3QyrV3/+oqNli8C6NpeqI8FqN2yQW/QMWN1m5jWDbmrWwtQzRUn/rh5KEb5m3zPB+tOC6e/2bV3QeQebxeW7lVMD0tSCviUg1MQf1l2gzuXQo60411YwqrXwk6GMkDOhFDQKDlMchO3oRbQkGbcP8UeiKAXjMeHfzbiBr+cWz8NYZEtxUEDYDjTpKrYCSMJBXpmgVJCZ00BswbksxJwaGqGMPpUKmCV671pf3m8nq3xyiHMDGuGwtbU+GE8kVx85menmp8+964nin";
+
     public static String getIDPMetadataDescriptor() throws IOException {
         InputStream is = SamlService.class.getResourceAsStream("/idp-metadata-template.xml");
         String template = StreamUtil.readString(is);
@@ -50,47 +62,34 @@ public class ValidationTest {
         template = template.replace("${idp.sso.HTTP-POST}", "http://keycloak.org/auth/realms/test/saml");
         template = template.replace("${idp.sso.HTTP-Redirect}", "http://keycloak.org/auth/realms/test/saml");
         template = template.replace("${idp.sls.HTTP-POST}", "http://keycloak.org/auth/realms/test/saml");
-        template = template.replace("${idp.signing.certificate}", KeycloakModelUtils.generateKeyPairCertificate("test").getCertificate());
+        template = template.replace("${idp.signing.certificates}", "");
         return template;
     }
-
-
+    
+    private Validator validator;
+    
+    @Before
+    public void init() throws Exception {
+        validator = JAXPValidationUtil.validator();
+    }
+    
+    private void validate(String xml) throws SAXException, IOException {
+        validator.validate(new StreamSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))));
+    }
+    
     @Test
-    @Ignore // ignore because it goes out to web
     public void testIDPDescriptor() throws Exception {
-        URL schemaFile = getClass().getResource("/schema/saml/v2/saml-schema-metadata-2.0.xsd");
-        Source xmlFile = new StreamSource(new ByteArrayInputStream(getIDPMetadataDescriptor().getBytes()), "IDPSSODescriptor");
-        SchemaFactory schemaFactory = SchemaFactory
-                .newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
-        Schema schema = schemaFactory.newSchema(schemaFile);
-        Validator validator = schema.newValidator();
-        try {
-            validator.validate(xmlFile);
-            System.out.println(xmlFile.getSystemId() + " is valid");
-        } catch (SAXException e) {
-            System.out.println(xmlFile.getSystemId() + " is NOT valid");
-            System.out.println("Reason: " + e.getLocalizedMessage());
-            Assert.fail();
-        }
+        validate(getIDPMetadataDescriptor());
     }
+        
     @Test
-    @Ignore // ignore because it goes out to web
     public void testBrokerExportDescriptor() throws Exception {
-        URL schemaFile = getClass().getResource("/schema/saml/v2/saml-schema-metadata-2.0.xsd");
-        Source xmlFile = new StreamSource(new ByteArrayInputStream(SPMetadataDescriptor.getSPDescriptor(
-                "POST", "http://realm/assertion", "http://realm/logout", true, false, false, "test", SamlProtocol.SAML_DEFAULT_NAMEID_FORMAT, KeycloakModelUtils.generateKeyPairCertificate("test").getCertificate(), ""
-        ).getBytes()), "SP Descriptor");
-        SchemaFactory schemaFactory = SchemaFactory
-                .newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
-        Schema schema = schemaFactory.newSchema(schemaFile);
-        Validator validator = schema.newValidator();
-        try {
-            validator.validate(xmlFile);
-            System.out.println(xmlFile.getSystemId() + " is valid");
-        } catch (SAXException e) {
-            System.out.println(xmlFile.getSystemId() + " is NOT valid");
-            System.out.println("Reason: " + e.getLocalizedMessage());
-            Assert.fail();
-        }
+        String spCertificate = SPMetadataDescriptor.xmlKeyInfo("        ", null, PUBLIC_CERT, KeyTypes.SIGNING.value(), true);
+        
+        String str = SPMetadataDescriptor.getSPDescriptor(
+                "POST", "http://realm/assertion", "http://realm/logout", true, true, false, "test", SamlProtocol.SAML_DEFAULT_NAMEID_FORMAT, spCertificate, null
+        );
+        validate(str);
     }
-}
+
+}
\ No newline at end of file