<<if: ZXIDBOOK>>
<<else: >>Schemata of Various IdM Protocols
#################################
<<class: article!a4paper!!Schemata 01>>
<<author: Sampo Kellomäki (sampo@iki.fi)>>
<<cvsid: $Id: schemata.pd,v 1.3 2009-09-16 10:14:57 sampo Exp $>>
<<fi: >>

99 Appendix: Schema Grammars
============================

Large parts of ZXID code are generated from +schema grammars+ which
are a convenient notation for describing XML schmata. This appendix
contains the schema grammars that are currently implemented and
distributed in the ZXID package.

<<tex: \small>>

99.1 SAML 2.0
-------------

99.1.1 saml-schema-assertion-2.0 (sa)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/saml-schema-assertion-2.0.sg>>
>>

99.1.2 saml-schema-protocol-2.0 (sp)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/saml-schema-protocol-2.0.sg>>
>>

99.1.4 saml-schema-metadata-2.0 (md)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/saml-schema-metadata-2.0.sg>>
>>

99.2 SAML 1.1
-------------

99.2.1 oasis-sstc-saml-schema-assertion-1.1 (sa11)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/oasis-sstc-saml-schema-assertion-1.1.sg>>
>>

99.2.2 oasis-sstc-saml-schema-protocol-1.1 (sp11)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/oasis-sstc-saml-schema-protocol-1.1.sg>>
>>

99.3 Liberty ID-FF 1.2
----------------------

99.3.1 liberty-idff-protocols-schema-1.2 (ff12)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idff-protocols-schema-1.2-errata-v2.0.sg>>
>>

99.3.2 liberty-metadata-v2.0 (m20)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-metadata-v2.0.sg>>
>>

99.3.3 liberty-authentication-context-v2.0 (ac)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-authentication-context-v2.0.sg>>
>>

99.4 Liberty ID-WSF 1.1
-----------------------

99.4.1 liberty-idwsf-soap-binding-v1.2 (b12)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-soap-binding-v1.2.sg>>
>>

99.4.2 liberty-idwsf-security-mechanisms-v1.2 (sec12)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-security-mechanisms-v1.2.sg>>
>>

99.4.3 liberty-idwsf-disco-svc-v1.2 (di12)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-disco-svc-v1.2.sg>>
>>

99.4.5 liberty-idwsf-interaction-svc-v1.1 (is12)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-interaction-svc-v1.1.sg>>
>>

99.5 Liberty ID-WSF 2.0
-----------------------

99.5.1 liberty-idwsf-utility-v2.0 (lu)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-utility-v2.0.sg>>
>>

99.5.2 liberty-idwsf-soap-binding (no version, sbf)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-soap-binding.sg>>
>>

99.5.3 liberty-idwsf-soap-binding-v2.0 (b)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-soap-binding-v2.0.sg>>
>>

99.5.4 liberty-idwsf-security-mechanisms-v2.0 (sec)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-security-mechanisms-v2.0.sg>>
>>

99.5.5 liberty-idwsf-disco-svc-v2.0 (di)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-disco-svc-v2.0.sg>>
>>

99.5.6 liberty-idwsf-interaction-svc-v2.0 (is)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-interaction-svc-v2.0.sg>>
>>

99.5.7 id-dap (dap)
~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/id-dap.sg>>
>>

99.5.8 liberty-idwsf-subs-v1.0 (subs)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-subs-v1.0.sg>>
>>

99.5.9 liberty-idwsf-dst-v2.1 (dst)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-dst-v2.1.sg>>
>>

99.5.10 liberty-idwsf-idmapping-svc-v2.0 (im)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-idmapping-svc-v2.0.sg>>
>>

99.5.11 liberty-idwsf-people-service-v1.0 (ps)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-people-service-v1.0.sg>>
>>

99.5.12 liberty-idwsf-authn-svc-v2.0 (as)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-authn-svc-v2.0.sg>>
>>

99.6 SOAP 1.1 Processors
------------------------

99.6.2 wsf-soap11 (e)
~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/wsf-soap11.sg>>
>>

99.7 XML and Web Services Infrastructure
----------------------------------------

99.7.1 xmldsig-core (ds)
~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/xmldsig-core.sg>>
>>

99.7.2 xenc-schema (xenc)
~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/xenc-schema.sg>>
>>

99.7.3 ws-addr-1.0 (a)
~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/ws-addr-1.0.sg>>
>>

99.7.4 wss-secext-1.0 (wsse)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/wss-secext-1.0.sg>>
>>

99.7.5 wss-util-1.0 (wsu)
~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/wss-util-1.0.sg>>
>>

100 Appendix: Some Example XML Blobs
====================================

These XML blobs are for reference. They have been pretty
printed. Indentation indicates nesting level and closing tags have
been abbreviated as "</>". The actual XML on wire generally does not
have any whitespace.

100.1 SAML 2.0 Artifact Response with SAML 2.0 SSO Assertion and Two Bootstraps
-------------------------------------------------------------------------------

This example corresponds to t/sso-w-bootstraps.xml in the distribution.

Both bootstraps illustrate SAML assertion as bearer token.

 <soap:Envelope
    xmlns:lib="urn:liberty:iff:2003-08"
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Body>

    <sp:ArtifactResponse
        xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="REvgoIIlkzTmk-aIX6tKE"
        InResponseTo="RfAsltVf2"
        IssueInstant="2007-02-10T05:38:15Z"
        Version="2.0">
      <sa:Issuer
          xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
        https://a-idp.liberty-iop.org:8881/idp.xml</>
      <sp:Status>
        <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>

      <sp:Response
          xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
          ID="RCCzu13z77SiSXqsFp1u1"
          InResponseTo="NojFIIhxw"
          IssueInstant="2007-02-10T05:37:42Z"
          Version="2.0">
        <sa:Issuer
            xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
          https://a-idp.liberty-iop.org:8881/idp.xml</>
        <sp:Status>
          <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>

        <sa:Assertion
            xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
            ID="ASSE6bgfaV-sapQsAilXOvBu"
            IssueInstant="2007-02-10T05:37:42Z"
            Version="2.0">
          <sa:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
            https://a-idp.liberty-iop.org:8881/idp.xml</>

          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#ASSE6bgfaV-sapQsAilXOvBu">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>r8OvtNmq5LkYwCNg6bsRZAdT4NE=</></></>
            <ds:SignatureValue>GtWVZzHYW54ioHk/C7zjDRThohrpwC4=</></>

          <sa:Subject>
            <sa:NameID
                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                NameQualifier="https://a-idp.liberty-iop.org:8881/idp.xml">PB5fLIA4lRU2bH4HkQsn9</>
            <sa:SubjectConfirmation
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <sa:SubjectConfirmationData
                  NotOnOrAfter="2007-02-10T06:37:41Z"
                  Recipient="https://sp1.zxidsp.org:8443/zxidhlo"/></></>

          <sa:Conditions
              NotBefore="2007-02-10T05:32:42Z"
              NotOnOrAfter="2007-02-10T06:37:42Z">
            <sa:AudienceRestriction>
              <sa:Audience>https://sp1.zxidsp.org:8443/zxidhlo?o=B</></></>

          <sa:Advice>

            <!-- This assertion is the credential for the ID-WSF 1.1 bootstrap (below). -->

            <sa:Assertion
                ID="CREDOTGAkvhNoP1aiTq4bXBg"
                IssueInstant="2007-02-10T05:37:42Z"
                Version="2.0">
              <sa:Issuer
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                https://a-idp.liberty-iop.org:8881/idp.xml</>
              <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                  <ds:Reference URI="#CREDOTGAkvhNoP1aiTq4bXBg">
                    <ds:Transforms>
                      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>dqq/28hw5eEv+ceFyiLImeJ1P8w=</></></>
                <ds:SignatureValue>UKlEgHKQwuoCE=</></>
              <sa:Subject>
                <sa:NameID/>  <!-- *** Bug here!!! -->
                <sa:SubjectConfirmation
                    Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
              <sa:Conditions
                  NotBefore="2007-02-10T05:32:42Z"
                  NotOnOrAfter="2007-02-10T06:37:42Z">
                <sa:AudienceRestriction>
                  <sa:Audience>https://sp1.zxidsp.org:8443/zxidhlo?o=B</></></></></>

          <sa:AuthnStatement
              AuthnInstant="2007-02-10T05:37:42Z"
              SessionIndex="1171085858-4">
            <sa:AuthnContext>
              <sa:AuthnContextClassRef>
                urn:oasis:names:tc:SAML:2.0:ac:classes:Password</></></>

          <sa:AttributeStatement>

            <!-- Regular attribute -->

            <sa:Attribute
                Name="cn"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <sa:AttributeValue>Sue</></>

	    <!-- ID-WSF 1.1 Bootstrap for discover. See also the Advice, above. -->

            <sa:Attribute
                Name="DiscoveryResourceOffering"
                NameFormat="urn:liberty:disco:2003-08">
              <sa:AttributeValue>
                <disco:ResourceOffering
                    xmlns:disco="urn:liberty:disco:2003-08"
                    entryID="2">
                  <disco:ResourceID>
                    https://a-idp.liberty-iop.org/profiles/WSF1.1/RID-DISCO-sue</>
                  <disco:ServiceInstance>
                    <disco:ServiceType>urn:liberty:disco:2003-08</>
                    <disco:ProviderID>
                      https://a-idp.liberty-iop.org:8881/idp.xml</>
                    <disco:Description>
                      <disco:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</>
                      <disco:CredentialRef>CREDOTGAkvhNoP1aiTq4bXBg</>
                      <disco:Endpoint>
                        https://a-idp.liberty-iop.org:8881/DISCO-S</></></>
                  <disco:Abstract>Symlabs Discovery Service Team G</></></></>

            <!-- ID-WSF 2.0 Bootstrap for Discovery. The credential (bearer token) is inline. -->

            <sa:Attribute
                Name="urn:liberty:disco:2006-08:DiscoveryEPR"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <sa:AttributeValue>
                <wsa:EndpointReference
                    xmlns:wsa="http://www.w3.org/2005/08/addressing"
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    notOnOrAfter="2007-02-10T07:37:42Z"
                    wsu:Id="EPRIDcjP8ObO9In47SDjO9b37">
                  <wsa:Address>
                    https://a-idp.liberty-iop.org:8881/DISCO-S</>
                  <wsa:Metadata>
                    <disco:Abstract
                        xmlns:disco="urn:liberty:disco:2006-08">SYMfiam Discovery Service</>
                    <sbf:Framework
                        xmlns:sbf="urn:liberty:sb"
                        version="2.0"/>
                    <disco:ProviderID
                        xmlns:disco="urn:liberty:disco:2006-08">
                      https://a-idp.liberty-iop.org:8881/idp.xml</>
                    <disco:ServiceType
                        xmlns:disco="urn:liberty:disco:2006-08">urn:liberty:disco:2006-08</>
                    <disco:SecurityContext
                        xmlns:disco="urn:liberty:disco:2006-08">
                      <disco:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</>

                      <sec:Token
                          xmlns:sec="urn:liberty:security:2006-08"
                          usage="urn:liberty:security:tokenusage:2006-08:SecurityToken">

                        <sa:Assertion
                            ID="CREDV6ZBMyicmyvDq9pLIoSR"
                            IssueInstant="2007-02-10T05:37:42Z"
                            Version="2.0">
                          <sa:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                            https://a-idp.liberty-iop.org:8881/idp.xml</>
                          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <ds:SignedInfo>
                              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                              <ds:Reference URI="#CREDV6ZBMyicmyvDq9pLIoSR">
                                <ds:Transforms>
                                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                <ds:DigestValue>o2SgbuKIBzl4e0dQoTwiyqXr/8Y=</></></>
                            <ds:SignatureValue>hHdUKaZ//cZ8UYJxvTReNU=</></>
                          <sa:Subject>
                            <sa:NameID
                                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                                NameQualifier="https://a-idp.liberty-iop.org:8881/idp.xml">
                              9my93VkP3tSxEOIb3ckvjLpn0pa6aV3yFXioWX-TzZI=</>
                            <sa:SubjectConfirmation
                                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
                          <sa:Conditions
                              NotBefore="2007-02-10T05:32:42Z"
                              NotOnOrAfter="2007-02-10T06:37:42Z">
                            <sa:AudienceRestriction>
                              <sa:Audience>
                                https://a-idp.liberty-iop.org:8881/idp.xml</></></>
                          <sa:AuthnStatement
                              AuthnInstant="2007-02-10T05:37:42Z">
                            <sa:AuthnContext>
                              <sa:AuthnContextClassRef>
                                urn:oasis:names:tc:SAML:2.0:ac:classes:Password</></></></></></></></></></></></></></></></>

100.2 ID-WSF 2.0 Call with X509v3 Sec Mech
------------------------------------------

 <e:Envelope
    xmlns:e="http://schemas.xmlsoap.org /soap/envelope/"
    xmlns:b="urn:liberty:sb:2005-11"
    xmlns:sec="urn:liberty:security:2005-11"
    xmlns:wsse="http://docs.oasis-open.org/wss/20 04/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis- 200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsa="http://www.w3.org/2005/08/ addressing">
  <e:Header>
    <wsa:MessageID wsu:Id="MID">123</>
    <wsa:To wsu:Id="TO">...</>
    <wsa:Action wsu:Id="ACT">...</>
    <wsse:Security mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS"><wsu:Created>2005-06-17T04:49:17Z</></>
      <wsse:BinarySecurityToken
          ValueType="http://docs.oasis-open.org/wss/2004/0 1/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="X509Token"
          EncodingType="http://docs.oas is-open.org/wss/2004/01/oasis- 200401-wss-soap-message-securiy-1.0#Base64Binary">
        MIIB9zCCAWSgAwIBAgIQ...</>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/x mldsig#">
        <ds:SignedInfo>
          <ds:Reference URI="#MID">...</>
          <ds:Reference URI="#TO">...</>
          <ds:Reference URI="#ACT">...</>
          <ds:Reference URI="#TS">...</>
          <ds:Reference URI="#X509">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>Ru4cAfeBAB</></>
          <ds:Reference URI="#BDY">
            <ds:DigestMethod Algorithm="http://www.w3.org/ 2000/09/xmldsig#sha1"/>
            <ds:DigestValue>YgGfS0pi56p</></></>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509"/></></>
        <ds:SignatureValue>HJJWbvqW9E84vJVQkjDElgscSXZ5Ekw==</></></></>
  <e:Body wsu:Id="BDY">
    <xx:Query/></></>

The salient features of the above XML blob are

* Signature that covers relevant SOAP headers and Body
* Absence of any explicit identity token.

Absence of identity token means that from the headers it is not
possible to identify the taget identity. The signature generally
coveys the Invoker identity (the WSC that is calling the
service). Since one WSC typically serves many principals, knowing
which is impossible.  For this reason X509 security mechanism is
seldom used in ID-WSF 2.0 world (with ID-WSF 1.1 the ResourceID
provides an alternative way of identifying the principal, thus making
X509 a viable option).

100.3 ID-WSF 2.0 Call with Bearer (Binary) Sec Mech
---------------------------------------------------

 <e:Envelope
    xmlns:e="http://schemas.xmlsoap.org /soap/envelope/"
    xmlns:b="urn:liberty:sb:2005-11"
    xmlns:sec="urn:liberty:security:2005-11"
    xmlns:wsse="http://docs.oasis-open.org/wss/20 04/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis- 200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsa="http://www.w3.org/2005/03/ addressing">
  <e:Header>
    <wsa:MessageID wsu:Id="MID">...</>
    <wsa:To wsu:Id="TO">...</>
    <wsa:Action wsu:Id="ACT">...</>
    <wsse:Security mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS">
        <wsu:Created>2005-06-17T04:49:17Z</></>
      <wsse:BinarySecurityToken
          ValueType="anyNSPrefix:ServiceSess ionContext"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64 Binary"
          wsu:Id="BST">
        mQEMAzRniWkAAAEH9RWir0eKDkyFAB7PoFazx3ftp0vWwbbzqXdgcX8fpEqSr1v4
        YqUc7OMiJcBtKBp3+jlD4HPUaurIqHA0vrdmMpM+sF2BnpND118f/mXCv3XbWhiL
        VT4r9ytfpXBluelOV93X8RUz4ecZcDm9e+IEG+pQjnvgrSgac1NrW5K/CJEOUUjh
        oGTrym0Ziutezhrw/gOeLVtkywsMgDr77gWZxRvw01w1ogtUdTceuRBIDANj+KVZ
        vLKlTCaGAUNIjkiDDgti=</>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig #">
        <ds:SignedInfo>
          <ds:Reference URI="#MID">...</>
          <ds:Reference URI="#TO">...</>
          <ds:Reference URI="#ACT">...</>
          <ds:Reference URI="#TS">...</>
          <ds:Reference URI="#BST">...</>
          <ds:Reference URI="#BDY">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1 "/>
            <ds:DigestValue>YgGfS0pi56pu</></></>
        ...</></></>
  <e:Body wsu:Id="BDY">
    <xx:Query/></></>

100.4 ID-WSF 2.0 Call with Bearer (SAML) Sec Mech
-------------------------------------------------

 <e:Envelope
    xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:sb="urn:liberty:sb:2005-11"
    xmlns:sec="urn:liberty:security:2005-11"
    xmlns:wsse="http://docs.oasis-open.org/wss/20 04/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <e:Header>
    <wsa:MessageID wsu:Id="MID">...</>
    <wsa:To wsu:Id="TO">...</>
    <wsa:Action wsu:Id="ACT">...</>
    <wsse:Security mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS">
        <wsu:Created>2005-06-17T04:49:17Z</></>

      <sa:Assertion
          xmlns:sa="urn:oasis:names:tc:SAML:2. 0:assertion"
          Version="2.0"
          ID="A7N123"
          IssueInstant="2005-04-01T16:58:33.173Z">
        <sa:Issuer>http://idp.symdemo.com/</>
        <ds:Signature>...</>
        <sa:Subject>
          <sa:EncryptedID>
            <xenc:EncryptedData>U2XTCNvRX7 Bl1NK182nmY00TEk==</>
            <xenc:EncryptedKey>...</></>
          <sa:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
        <sa:Conditions
            NotBefore="2005-04-01T16:57:20Z"
            NotOnOrAfter="2005-04-01T21:42:4 3Z">
          <sa:AudienceRestrictionCondition>
            <sa:Audience>http://wsp.zxidsp.org</></></>
        <sa:AuthnStatement
            AuthnInstant="2005-04-01T16:57:30.000Z"
            SessionIndex="6345789">
          <sa:AuthnContext>
            <sa:AuthnContextClassRef>
              urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</></></>
        <sa:AttributeStatement>
          <sa:EncryptedAttribute>
            <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
              mQEMAzRniWkAAAEH9RbzqXdgcX8fpEqSr1v4=</>
            <xenc:EncryptedKey>...</></></></>

      <wsse:SecurityTokenReference
          xmlns:wsse11="..."
          wsu:Id="STR1"
          wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
        <wsse:KeyIdentifier
            ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
          A7N123</></>

      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#MID">...</>
          <ds:Reference URI="#TO">...</>
          <ds:Reference URI="#ACT">...</>
          <ds:Reference URI="#TS">...</>
          <ds:Reference URI="#STR1">
            <ds:Transform Algorithm="...#STR-Transform">
              <wsse:TransformationParameters>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></></></>
          <ds:Reference URI="#BDY"/></>
        ...</></></>
  <e:Body wsu:Id="BDY">
    <xx:Query/></></>

*** is the reference above to wsse11:TokenType really correct?

Note who the <Subject> and the attributes are encrypted such that only
the WSP can open them. This protects against WSC gaining knowledge of
the NameID at the WSP.

100.5 XACML 2.0 SAML Profile SOAP Call
--------------------------------------

 <e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
  <e:Body>
    <xasp:XACMLAuthzDecisionQuery
        xmlns:xasp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
        ID="RX3eHFSEBW6-OnPG5sGV_EevU"
        IssueInstant="2009-09-07T21:28:05Z"
        Version="2.0">
      <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">https://sp1.zxidsp.org:5443/protected/saml?o=B</>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#RX3eHFSEBW6-OnPG5sGV_EevU">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>F2r41OppQA2ZLsosLO6V9VNJ0J8=</></></>
        <ds:SignatureValue>sAvByKH9--(snip)--HV+1oqcdUw=</></>
      <xac:Request xmlns:xac="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        <xac:Subject>
          <xac:Attribute
              AttributeId="permisRole"
              DataType="xs:string"
              Issuer="https://idp.tas3.pt:8443/zxididp?o=B">
            <xac:AttributeValue>guest</></>
          <xac:Attribute
              AttributeId="permisRole"
              DataType="xs:string"
              Issuer="https://idp.tas3.pt:8443/zxididp?o=B">
            <xac:AttributeValue>jesterbester</></>
          <xac:Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="xs:string">
            <xac:AttributeValue>FdGaMOmtJPfvK9dN64lWgKTOp</></></>
        <xac:Resource>
          <xac:Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="xs:string">
            <xac:AttributeValue>/protected/env.cgi</></></>
        <xac:Action>
          <xac:Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="xs:string">
            <xac:AttributeValue>urn:oasis:names:tc:xacml:1.0:action:implied-action</></></>
        <xac:Environment>
          <xac:Attribute
              AttributeId="zxididp"
              DataType="xs:string"
              Issuer="https://idp.tas3.pt:8443/zxididp?o=B">
            <xac:AttributeValue>0.33 1251217347</></>
          <xac:Attribute
              AttributeId="affid"
              DataType="xs:string">
            <xac:AttributeValue>https://idp.tas3.pt:8443/zxididp?o=B</></>
          <xac:Attribute
              AttributeId="authnctxlevel"
              DataType="xs:string">
            <xac:AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</></>
          <xac:Attribute
              AttributeId="sesid"
              DataType="xs:string">
            <xac:AttributeValue>S6QaJzAylXfkw1tFlrZSD9Zwr</></></></></></></>


 <e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
  <e:Body>
    <sp:Response
        xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="R-Dn3MxxJ0xo7jjOeVpC1aezO"
	InResponseTo="RX3eHFSEBW6-OnPG5sGV_EevU"
        IssueInstant="2009-09-07T18:48:03Z"
        Version="2.0">
      <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.tas3.pt:8443/zxididp?o=B</>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#R-Dn3MxxJ0xo7jjOeVpC1aezO">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>jdBsc0wOvJsBJCCc4eyq1bnG1u4=</></></>
        <ds:SignatureValue>AZyw2fK5--(snip)--UTOSSov7kc=</></>
      <sp:Status>
        <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>
      <sa:Assertion
          xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
          ID="A73VuYGSDQ8MI-TUNk8PORrZT"
          IssueInstant="2009-09-07T18:48:03Z"
          Version="2.0">
        <sa:Issuer>https://idp.tas3.pt:8443/zxididp?o=B</>
        <sa:Conditions
            NotBefore="2009-09-07T18:48:03Z"
            NotOnOrAfter="2009-09-07T19:48:03Z"/>
        <xasa:XACMLAuthzDecisionStatement xmlns:xasa="urn:oasis:xacml:2.0:saml:assertion:schema:os">
          <xac:Response xmlns:xac="urn:oasis:names:tc:xacml:2.0:context:schema:os">
            <xac:Result>
              <xac:Decision>Permit</>
              <xac:Status>
                <xac:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></></></></></></></></>


<<htmlpreamble: <title>ZXID Schemata</title><body bgcolor="#330033" text="#ffaaff" link="#ffddff" vlink="#aa44aa" alink="#ffffff"><font face=sans><h1>ZXID Schemata</h1> >>

<<if: ZXIDBOOK>>
<<else: >><<EOF: >>
<<fi: >>