Question

I have been trying to find a solution to my problem for the last 10 days, and I have found nothing. So, I am trying to restrict the Authentication Context XML Schema Definition of SAML 2.0. The XSD document is accessible at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-authn-context-types-2.0.xsd.

The part that I am trying to restrict is the one related to this part of the XSD document:

<xs:complexType name="PasswordType">
  <xs:sequence>
    <xs:element ref="Length" minOccurs="0"/>
    <xs:element ref="Alphabet" minOccurs="0"/>
    <xs:element ref="Generation" minOccurs="0"/>
    <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
</xs:complexType>
<xs:element name="RestrictedPassword" type="RestrictedPasswordType"/>
<xs:complexType name="RestrictedPasswordType">
  <xs:complexContent>
    <xs:restriction base="PasswordType">
      <xs:sequence>
        <xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>
        <xs:element ref="Generation" minOccurs="0"/>
        <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:complexContent>
</xs:complexType>

Well, I do not know how to restrict the RestrictedPassword complex type. Below is my XSD, which tries to restrict the original XSD document.

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema version="2.0"
       targetNamespace="urn:m:SAML:2.0:ac:classes:K"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns="urn:m:SAML:2.0:ac:classes:K"           
       finalDefault="extension"
       blockDefault="substitution">

<xs:redefine schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-authn-context-types-2.0.xsd">    

    <xs:complexType name="RestrictedPasswordType">
        <xs:complexContent>
            <xs:restriction base="RestrictedPasswordType">
                <xs:sequence>
                    <xs:element ref="Length" minOccurs="0"/>
                    <xs:element ref="Generation"/>
                    <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
                </xs:sequence>
                <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
            </xs:restriction>
        </xs:complexContent>
    </xs:complexType>

</xs:redefine>    
</xs:schema>

When I try to validate this XSD with this tool http://www.utilities-online.info/xsdvalidation/#.UwJAzK69h31 it returns an error that I do not know how to fix. This is the error:

Not valid. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; rcase-Recurse.2: There is not a complete functional mapping between the particles. Error - Line 12, 51: org.xml.sax.SAXParseException; lineNumber: 12; columnNumber: 51; derivation-ok-restriction.5.4.2: Error for type 'RestrictedPasswordType'. The particle of the type is not a valid restriction of the particle of the base.

Any help is welcome.

Thanks!

Domenech, Marlon


Solution

All the instances of the new restricted type must also be valid for the base type. But in your schema, it is possible to define a RestrictedPasswordType which does not have a Length attribute (minOccurs="0"), which would be illegal for the base type minOccurs="1". Making an element optional is not a restriction of the base type.

Removing minOccurs='0' from Generation is OK because having at least one element is a restriction.

Additionally, your restriction references the Length element, which is not the same as the Length element defined in the base type. The Length element is of LengthType according to the base schema, and the Length element in the base type is a RestrictedLengthType which is a restriction of LengthType.

I believe that if you change the <xs:element> declaration in your derived type to:

<xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>

it should work, unless there are other problems.

EDIT: the other problems:

Since a new element Length is being declared in the <complexType> block, it needs to be declared as "qualified" otherwise it will not be part of the targetNamespace and the restriction will fail. To fix this you can either:

  • Add a form="qualified" attribute to <xs:element name="Length" ... />, or
  • Add an elementFormDefault="qualified" attribute to the <xs:schema> element.

More information here:
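The redefining schema with both of the answer's fixes applied, written out as an added example (it is neither the poster's schema nor an OASIS-provided file): the Length particle is declared locally with type RestrictedLengthType and minOccurs="1" so that it maps onto the base type's Length particle, Generation is made mandatory (narrowing minOccurs="0" to "1" is a valid restriction), and elementFormDefault="qualified" on <xs:schema> puts the local Length declaration in the target namespace. The target namespace and schemaLocation are taken from the question; that the result validates against the OASIS file is an assumption based on the answer's diagnosis, not something verified here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: the questioner's redefining schema with the answer's fixes applied.
     Assumes the answer's diagnosis is complete; namespace and schemaLocation come from the question. -->
<xs:schema version="2.0"
       targetNamespace="urn:m:SAML:2.0:ac:classes:K"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns="urn:m:SAML:2.0:ac:classes:K"
       elementFormDefault="qualified"
       finalDefault="extension"
       blockDefault="substitution">

  <xs:redefine schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-authn-context-types-2.0.xsd">

    <!-- Inside xs:redefine, the base of the restriction is the type being redefined itself. -->
    <xs:complexType name="RestrictedPasswordType">
      <xs:complexContent>
        <xs:restriction base="RestrictedPasswordType">
          <xs:sequence>
            <!-- Same local declaration as in the base type: mandatory and of RestrictedLengthType.
                 Declaring it with minOccurs="0" (or as ref="Length", which is LengthType) widens
                 the base type, which is why the validator reported rcase-Recurse.2. -->
            <xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>
            <!-- The base allows 0..1 Generation elements; requiring exactly one is a valid narrowing. -->
            <xs:element ref="Generation" minOccurs="1" maxOccurs="1"/>
            <!-- Unchanged from the base particle. -->
            <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <!-- Attribute kept with the same use as the base; dropping it would also be a valid restriction. -->
          <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>

  </xs:redefine>
</xs:schema>
```

The point to check when editing a restriction like this is the same one the validator enforces statically: every particle in the derived sequence must map onto a particle of the base with an occurrence range that is a subset of the base's, and every particle that the base makes mandatory must still be present. Loading the schema with a validator such as `xmllint --noout --schema this.xsd some-instance.xml` reports these derivation errors at schema-load time, before any instance is checked, so the schema itself can be tested without first writing instance documents.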
