
I have been trying to find a solution to my problem in the last 10 days, and I found nothing. So, I am trying to restrict the Authentication Context XML Schema Definition of SAML 2.0. The XSD document is accessible at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-authn-context-types-2.0.xsd.

The part that I am trying to restrict is the one related to this part of the XSD document:

<xs:complexType name="PasswordType">
  <xs:sequence>
    <xs:element ref="Length" minOccurs="0"/>
    <xs:element ref="Alphabet" minOccurs="0"/>
    <xs:element ref="Generation" minOccurs="0"/>
    <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
</xs:complexType>
<xs:element name="RestrictedPassword" type="RestrictedPasswordType"/>
<xs:complexType name="RestrictedPasswordType">
  <xs:complexContent>
    <xs:restriction base="PasswordType">
      <xs:sequence>
        <xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>
        <xs:element ref="Generation" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

Well, I do not know how to restrict the RestrictedPassword complex type. Below is my XSD, which tries to restrict the original XSD document.

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema version="2.0"
       targetNamespace="urn:m:SAML:2.0:ac:classes:K"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns="urn:m:SAML:2.0:ac:classes:K"           
       finalDefault="extension"
       blockDefault="substitution">

<xs:redefine schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-authn-context-types-2.0.xsd">    

    <xs:complexType name="RestrictedPasswordType">
        <xs:complexContent>
            <xs:restriction base="RestrictedPasswordType">
                <xs:sequence>
                    <xs:element ref="Length" minOccurs="0"/>
                    <xs:element ref="Generation"/>
                    <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
                </xs:sequence>
                <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
            </xs:restriction>
        </xs:complexContent>
    </xs:complexType>

</xs:redefine>    
</xs:schema>

When I try to validate this XSD in this tool http://www.utilities-online.info/xsdvalidation/#.UwJAzK69h31 it returns an error that I do not know how to fix. This is the error:

Not valid. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; rcase-Recurse.2: There is not a complete functional mapping between the particles. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; derivation-ok-restriction.5.4.2: Error for type 'RestrictedPasswordType'. The particle of the type is not a valid restriction of the particle of the base.

Any help is welcome.

Thanks!

Domenech, Marlon


1 Answer


All the instances of the new restricted type must also be valid for the base type. But in your schema, it is possible to define a RestrictedPasswordType which does not have a Length attribute (minOccurs="0"), which would be illegal for the base type minOccurs="1". Making an element optional is not a restriction of the base type.

Removing minOccurs='0' from Generation is OK because having at least one element is a restriction.

Additionally, your restriction references the Length element, which is not the same as the Length element defined in the base type. The Length element is of LengthType according to the base schema, and the Length element in the base type is a RestrictedLengthType which is a restriction of LengthType.

I believe that if you change the <xs:element> declaration in your derived type to:

<xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>

it should work, unless there are other problems.

EDIT: the other problems:

Since a new element Length is being declared in the <complexType> block, it needs to be declared as "qualified" otherwise it will not be part of the targetNamespace and the restriction will fail. To fix this you can either:

  • Add a form="qualified" attribute to <xs:element name="Length" ... />, or
  • Add an elementFormDefault="qualified" attribute to the `` element.

More information here:

  • Hi, I agree with you. I changed the XSD, as suggested, and I have an error, as follows (it is the same error as before): Not valid. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; rcase-Recurse.2: There is not a complete functional mapping between the particles. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; derivation-ok-restriction.5.4.2: Error for type 'RestrictedPasswordType'. The particle of the type is not a valid restriction of the particle of the base – marloncdomenech Feb 18 '14 at 13:16
  • The base document that you linked above does not declare a `targetNamespace`. But you declare one in the derived schema. The redefined schema should have the same `targetNamespace` as the base schema. Try removing the attributes `xmlns` and `targetNamespace` from your schema. – helderdarocha Feb 18 '14 at 13:38
  • It worked. I took off the `xmlns` and `targetNamespace` and it worked. However, there are other similar documents that define a `xmlns` and a `targetNamespace` different from the original, and those are valid. Here is an example: http://docs.oasis-open.org/security/saml/v2.0/saml-schema-authn-context-nomad-telephony-2.0.xsd . Do you know why? – marloncdomenech Feb 18 '14 at 14:59
  • You can keep your namespace declarations, but you need to use `elementFormDefault="qualified"` so the `Length` element is considered part of the target namespace (if for some reason you don't want to use that default for all element declarations, you can instead add the `form="qualified"` attribute in ``). The other elements are references so they won't have that problem. – helderdarocha Feb 18 '14 at 15:27
  • In both cases it worked, either adding `form="qualified"` to the element or adding `elementFormDefault="qualified"` to the `` element. But, let me try to understand. If I add `form="qualified"` to the element, that means that this element belongs to the original XSD namespace? – marloncdomenech Feb 18 '14 at 16:00
  • If the schema's root element does not include the attribute `elementFormDefault="qualified"`, all nested elements (e.g. inside a `complexType` block) that don't have the `form="qualified"` attribute will have no namespace (will belong to the null namespace). This does not apply to types. It also doesn't affect elements declared at the top level. More about this here: [XML Schema Primer - 3 Advanced Concepts I: Namespaces, Schemas & Qualification](http://www.w3.org/TR/xmlschema-0/#NS) – helderdarocha Feb 18 '14 at 17:36
  • I read the document that you have indicated and understood the effect of changing the `form` attribute of the element. Thank you so much. :) – marloncdomenech Feb 18 '14 at 19:58
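The Xerces error above ("not a complete functional mapping between the particles") comes from the XSD 1.0 Sequence:Sequence "Recurse" rule. The following is an added illustration, not code from the question, the answer or the SAML schemas: a simplified model of that rule that checks an order-preserving mapping from derived particles to base particles (unmapped base particles must be emptiable) and that occurrence ranges only narrow, with element identity taken as the (namespace, name) pair so the elementFormDefault issue from the comments shows up too. It assumes the base Length element lives in the target namespace and ignores the type-derivation part of the real rule.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

NS = "urn:m:SAML:2.0:ac:classes:K"  # target namespace from the question

@dataclass(frozen=True)
class Particle:
    """One <xs:element> in a sequence; ns=None models the null namespace."""
    ns: Optional[str]
    name: str
    min_occurs: int = 1
    max_occurs: Optional[int] = 1  # None models maxOccurs="unbounded"

def range_ok(r: Particle, b: Particle) -> bool:
    """Occurrence Range OK: the derived range must lie inside the base range."""
    if r.min_occurs < b.min_occurs:
        return False
    return b.max_occurs is None or (r.max_occurs is not None and r.max_occurs <= b.max_occurs)

def recurse_ok(derived: List[Particle], base: List[Particle]) -> Tuple[bool, str]:
    """Simplified Sequence:Sequence Recurse check; returns (ok, reason)."""
    j = 0
    for r in derived:
        # Walk forward through the base; every base particle we skip must be emptiable.
        while j < len(base) and (base[j].ns, base[j].name) != (r.ns, r.name):
            if base[j].min_occurs != 0:
                return False, f"required base particle {base[j].name} has no mapping"
            j += 1
        if j == len(base):
            return False, f"no base particle matches {r.name} in namespace {r.ns!r}"
        if not range_ok(r, base[j]):
            return False, f"{r.name} widens the base occurrence range"
        j += 1
    if any(b.min_occurs != 0 for b in base[j:]):
        return False, "a required base particle is left unmapped"
    return True, "valid restriction"

# Base sequence of RestrictedPasswordType as quoted from the SAML schema.
BASE = [Particle(NS, "Length"), Particle(NS, "Generation", 0),
        Particle(NS, "Extension", 0, None)]
# Attempt 1 from the question: Length made optional -> widens the base.
ATTEMPT_1 = [Particle(NS, "Length", 0), Particle(NS, "Generation"),
             Particle(NS, "Extension", 0, None)]
# Attempt 2: local Length declared without form="qualified" -> null namespace.
ATTEMPT_2 = [Particle(None, "Length"), Particle(NS, "Generation"),
             Particle(NS, "Extension", 0, None)]
# Fixed: qualified Length, required Generation, optional Extension.
FIXED = [Particle(NS, "Length"), Particle(NS, "Generation"),
         Particle(NS, "Extension", 0, None)]
```

Calling `recurse_ok(ATTEMPT_1, BASE)`, `recurse_ok(ATTEMPT_2, BASE)` and `recurse_ok(FIXED, BASE)` reproduces the three outcomes discussed in the thread: widened range, unqualified local element, and a valid restriction.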