From 18ffcd56a4cddda5eedd701957949e5fe32f3b84 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 28 Aug 2014 10:11:07 +0000
Subject: [PATCH 01/56] Add default exclusion rules to the export preview
 aggregate.

ExportOptOut always opts an entity out. ExportOptIn always opts an entity in. If an entity has neither label, it is included in the export preview aggregate unless it falls into one of these categories:

* IdPs lacking SAML 2.0 support
* aggregated schools sector IdPs
* IdPs with Scope elements with regexp="true"
---
 mdx/common-beans.xml |  6 ++++
 mdx/uk/generate.xml  | 86 +++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 88 insertions(+), 4 deletions(-)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 37e99e1f..e2dc16df 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -261,6 +261,12 @@
 
     <bean id="PipelineMergeStage.deduplicate" abstract="true" parent="PipelineMergeStage"
         p:collectionMergeStrategy-ref="deduplicateMergeStrategy"/>
+
+    <bean id="SplitMergeStage" abstract="true" parent="stage_parent"
+        class="net.shibboleth.metadata.pipeline.SplitMergeStage"/>
+
+    <bean id="XPathItemSelectionStrategy" abstract="true"
+        class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy"/>
     
     <!-- *** Parent beans for ukf-mda. *** -->
     
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 91b25280..388e3463 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -361,7 +361,7 @@
         ***************************************
     -->
     
-    <bean id="uk_wayfSelector" class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy">
+    <bean id="uk_wayfSelector" parent="XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[not(md:Extensions/wayf:HideFromWAYF)]"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
@@ -479,7 +479,7 @@
         Entities in the CDSALL aggregate are restricted to those entities registered by the
         UK federation plus all identity providers from whatever source.
     -->
-    <bean id="CDSAllSelector" class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy">
+    <bean id="CDSAllSelector" parent="XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[md:IDPSSODescriptor or
             md:Extensions/mdrpi:RegistrationInfo/@registrationAuthority = 'http://ukfederation.org.uk']"/>
         <constructor-arg ref="commonNamespaces"/>
@@ -674,7 +674,7 @@
         </property>
     </bean>
     
-    <bean id="uk_exportSelector" class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy">
+    <bean id="uk_exportSelector" parent="XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[md:Extensions/ukfedlabel:ExportOptIn]"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
@@ -731,7 +731,7 @@
         ***********************************************************
     -->
     
-    <bean id="uk_exportPreviewSelector" class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy">
+    <bean id="uk_exportPreviewSelector" parent="XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[not(md:Extensions/ukfedlabel:ExportOptOut)]"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
@@ -740,6 +740,84 @@
         p:id="uk_exportPreviewPipeline">
         <property name="stages">
             <list>
+
+                <!--
+                    Additional rules excluding entities from the aggregate.
+                    
+                    The basic rule (expressed in uk_exportPreviewSelector) is that
+                    entities are excluded if they do not have the ExportOptOut label.
+                    Additional rules below are applied to entities which do not
+                    have the ExportOptIn label: in other words, a rule in this section
+                    can always be overridden by an explicit ExportOptIn.
+                -->
+                <bean p:id="exclusion" parent="SplitMergeStage">
+
+                    <!-- select entities with ExportOptIn label -->
+                    <property name="selectionStrategy">
+                        <bean parent="XPathItemSelectionStrategy">
+                            <constructor-arg value="/md:EntityDescriptor[md:Extensions/ukfedlabel:ExportOptIn]"/>
+                            <constructor-arg ref="commonNamespaces"/>
+                        </bean>
+                    </property>
+
+                    <!--
+                        Pipeline for selected (explicitly opted in) items.
+                    -->
+                    <property name="selectedItemPipeline">
+                        <bean p:id="selectedItemPipeline" parent="SimplePipeline">
+                            <property name="stages">
+                                <list>
+                                    <!-- nothing required -->
+                                </list>
+                            </property>
+                        </bean>
+                    </property>
+
+                    <!--
+                        The pipeline for unselected (not explicitly opted in) items removes entities
+                        matching specific rules.
+                    -->
+                    <property name="nonselectedItemPipeline">
+                        <bean p:id="nonSelectedItemPipeline" parent="SimplePipeline">
+                            <property name="stages">
+                                <list>
+
+                                    <!-- Identity providers lacking support for SAML 2.0 -->
+                                    <bean p:id="SAML1onlyIdPs" parent="XPathFilteringStage"
+                                        p:XPathExpression="md:IDPSSODescriptor
+                                            [not(contains(@protocolSupportEnumeration,'urn:oasis:names:tc:SAML:2.0:protocol'))]">
+                                    </bean>
+
+                                    <!-- Aggregated schools sector identity providers -->
+                                    <!--
+                                        Preferred implementation:
+                                        
+                                        <bean p:id="syntheticScopes" parent="XPathFilteringStage"
+                                            p:XPathExpression="shibmd:Scope[ends-with(., '.eng.ukfederation.org.uk']"/>
+                                        
+                                        Unfortunately, the "ends-with" function is an XPath 2 feature, so we settle for
+                                        using "contains" instead; in our case it is equivalent.
+                                    -->
+                                    <bean p:id="syntheticScopes" parent="XPathFilteringStage"
+                                        p:XPathExpression="//shibmd:Scope[contains(., '.eng.ukfederation.org.uk')]"/>
+                                    <!-- Specific providers not caught by the previous condition -->
+                                    <bean p:id="GlowScotland" parent="EntityFilterStage">
+                                        <property name="designatedEntities">
+                                            <set>
+                                                <value>https://idp.glowscotland.org.uk/shibboleth</value>
+                                            </set>
+                                        </property>
+                                    </bean>
+
+                                    <!-- Identity providers with regular expression scopes -->
+                                    <bean p:id="regexScopes" parent="XPathFilteringStage"
+                                        p:XPathExpression="//shibmd:Scope[@regexp='true']"/>
+                                </list>
+                            </property>
+                        </bean>
+                    </property>
+                </bean>
+
                 <!--
                     Enforce IdP display name uniqueness before assembling aggregate
                 -->

From d10270ab0fb50087a0ca66902ed32928e5130b8a Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 8 Sep 2014 14:43:43 +0000
Subject: [PATCH 02/56] Permit entity attributes in fallback aggregate.

---
 mdx/uk/generate.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 388e3463..98b6f57d 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -569,7 +569,6 @@
                 <ref bean="errorTerminatingFilter"/>
                 
                 <ref bean="uk_assemble"/>
-                <ref bean="stripMdattrNamespace"/>
                 <ref bean="fixup_EncryptionMethod"/>
                 <ref bean="performOtherFixups"/>
                 <ref bean="removeEmptyExtensions"/>

From be5c8bbbab05bad020b9bdc92f6dcc08e81f852c Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 10 Sep 2014 13:13:13 +0000
Subject: [PATCH 03/56] Display export opt outs as well as opt ins.

---
 mdx/uk/statistics.xsl | 69 ++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 62 insertions(+), 7 deletions(-)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index 195941e2..9c2ab72d 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -138,7 +138,8 @@
                     <li><p><a href="#undeployedMembers">Members Lacking Deployment</a></p></li>
                     <li><p><a href="#shib13">Shibboleth 1.3 Remnants</a></p></li>
                     <li><p><a href="#mdui">Entities with mdui:UIInfo support</a></p></li>
-                    <li><p><a href="#export">Entities in Export Aggregate</a></p></li>
+                    <li><p><a href="#exportOptIn">Export Aggregate: Entities Opted In</a></p></li>
+                    <li><p><a href="#exportOptOut">Export Preview Aggregate: Entities Opted Out</a></p></li>
                     <li><p><a href="#nosaml2">Entities Without SAML 2.0 Support</a></p></li>
                 </ul>
                 
@@ -1117,14 +1118,14 @@
                 
                 
                 <!--
-                    *******************************************
-                    ***                                     ***
-                    ***   E X P O R T   A G G R E G A T E   ***
-                    ***                                     ***
-                    *******************************************
+                    *************************************
+                    ***                               ***
+                    ***   E X P O R T   O P T   I N   ***
+                    ***                               ***
+                    *************************************
                 -->
                 
-                <h2><a name="export">Entities in Export Aggregate</a></h2>
+                <h2><a name="exportOptIn">Export Aggregate: Entities Opted In</a></h2>
                 <xsl:variable name="entities.export" select="$entities[descendant::ukfedlabel:ExportOptIn]"/>
                 <xsl:variable name="entities.export.count" select="count($entities.export)"/>
                 <xsl:if test="$entities.export.count != 0">
@@ -1170,6 +1171,60 @@
                     </ul>
                 </xsl:if>
                 
+                <!--
+                    ***************************************
+                    ***                                 ***
+                    ***   E X P O R T   O P T   O U T   ***
+                    ***                                 ***
+                    ***************************************
+                -->
+                
+                <h2><a name="exportOptOut">Export Preview Aggregate: Entities Opted Out</a></h2>
+                <xsl:variable name="entities.export.opt.out" select="$entities[descendant::ukfedlabel:ExportOptOut]"/>
+                <xsl:variable name="entities.export.opt.out.count" select="count($entities.export.opt.out)"/>
+                <xsl:if test="$entities.export.opt.out.count != 0">
+                    <ul>
+                        <xsl:for-each select="$entities.export.opt.out">
+                            <li>
+                                <xsl:value-of select="@ID"/>
+                                <xsl:text>: </xsl:text>
+                                <xsl:if test="md:IDPSSODescriptor">
+                                    <xsl:text>[IdP] </xsl:text>
+                                </xsl:if>
+                                <xsl:if test="md:SPSSODescriptor">
+                                    <xsl:text>[SP] </xsl:text>
+                                    <xsl:choose>
+                                        <xsl:when test="descendant::md:RequestedAttribute">
+                                            <xsl:text>[RqA] </xsl:text>
+                                        </xsl:when>
+                                        <xsl:otherwise>
+                                            <xsl:text>[!RqA] </xsl:text> 
+                                        </xsl:otherwise>
+                                    </xsl:choose>
+                                </xsl:if>
+                                <xsl:choose>
+                                    <xsl:when test="descendant::mdui:DisplayName">
+                                        <xsl:value-of select="descendant::mdui:DisplayName"/>
+                                    </xsl:when>
+                                    <xsl:otherwise>
+                                        <xsl:text>(</xsl:text>
+                                        <xsl:value-of select="descendant::md:OrganizationDisplayName"/>
+                                        <xsl:text>)</xsl:text>
+                                    </xsl:otherwise>
+                                </xsl:choose>
+                                <xsl:if test="not(descendant::*[contains(@protocolSupportEnumeration,
+                                    'urn:oasis:names:tc:SAML:2.0:protocol')])">
+                                    <ul>
+                                        <li>
+                                            No SAML 2.0 support
+                                        </li>
+                                    </ul>                                    
+                                </xsl:if>
+                            </li>
+                        </xsl:for-each>
+                    </ul>
+                </xsl:if>
+                
                 <!--
                     *****************************************************************************
                     ***                                                                       ***

From 64ccb33fea9b3e91979f0b30a0ffe8db67fbf59c Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 10 Sep 2014 13:22:50 +0000
Subject: [PATCH 04/56] Merge indication of mdui:UIInfo into main entity
 listing rather than have an ever-growing separate section.

---
 mdx/uk/statistics.xsl | 41 +----------------------------------------
 1 file changed, 1 insertion(+), 40 deletions(-)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index 9c2ab72d..ef784dab 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -137,7 +137,6 @@
                     <li><p><a href="#membersByScope">Members by Primary Scope</a></p></li>
                     <li><p><a href="#undeployedMembers">Members Lacking Deployment</a></p></li>
                     <li><p><a href="#shib13">Shibboleth 1.3 Remnants</a></p></li>
-                    <li><p><a href="#mdui">Entities with mdui:UIInfo support</a></p></li>
                     <li><p><a href="#exportOptIn">Export Aggregate: Entities Opted In</a></p></li>
                     <li><p><a href="#exportOptOut">Export Preview Aggregate: Entities Opted Out</a></p></li>
                     <li><p><a href="#nosaml2">Entities Without SAML 2.0 Support</a></p></li>
@@ -1078,45 +1077,6 @@
                 </xsl:call-template>
  
  
-                <!--
-                    *************************************************
-                    ***                                           ***
-                    ***   m d u i : U I I n f o   S U P P O R T   ***
-                    ***                                           ***
-                    *************************************************
-                -->
-                
-                <h2><a name="mdui">Entities with mdui:UIInfo support</a></h2>
-                <xsl:variable name="uiInfoEntities" select="$entities[descendant::mdui:UIInfo]"/>
-                <xsl:variable name="uiInfoEntitiesCount" select="count($uiInfoEntities)"/>
-                <xsl:if test="$uiInfoEntitiesCount != 0">
-                    <ul>
-                        <xsl:for-each select="$uiInfoEntities">
-                            <li>
-                                <xsl:value-of select="@ID"/>
-                                <xsl:text>: </xsl:text>
-                                <xsl:if test="md:IDPSSODescriptor">
-                                    <xsl:text>[IdP] </xsl:text>
-                                </xsl:if>
-                                <xsl:if test="md:SPSSODescriptor">
-                                    <xsl:text>[SP] </xsl:text>
-                                </xsl:if>
-                                <xsl:choose>
-                                    <xsl:when test="descendant::mdui:DisplayName">
-                                        <xsl:value-of select="descendant::mdui:DisplayName"/>
-                                    </xsl:when>
-                                    <xsl:otherwise>
-                                        <xsl:text>(</xsl:text>
-                                        <xsl:value-of select="descendant::md:OrganizationDisplayName"/>
-                                        <xsl:text>)</xsl:text>
-                                    </xsl:otherwise>
-                                </xsl:choose>
-                            </li>
-                        </xsl:for-each>
-                    </ul>
-                </xsl:if>
-                
-                
                 <!--
                     *************************************
                     ***                               ***
@@ -1394,6 +1354,7 @@
                             <xsl:if test="md:IDPSSODescriptor"> [IdP]</xsl:if>
                             <xsl:if test="md:Extensions/wayf:HideFromWAYF"> [H]</xsl:if>
                             <xsl:if test="md:SPSSODescriptor"> [SP]</xsl:if>
+                            <xsl:if test="descendant::mdui:UIInfo"> [UIInfo]</xsl:if>
                             <xsl:apply-templates select="md:Extensions/ukfedlabel:Software" mode="short"/>
                             <xsl:text> </xsl:text>
                             <code><xsl:value-of select="@entityID"/></code>

From b5ac70911bf2e1d2ae641f130f7f52343181aaa9 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 11 Sep 2014 11:25:59 +0000
Subject: [PATCH 05/56] Create a dummy trust root which can be used to replace
 the last real one.

---
 mdx/uk/beans.xml       | 35 ++++++++++++++++++
 mdx/uk/trust-dummy.xml | 84 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 119 insertions(+)
 create mode 100644 mdx/uk/trust-dummy.xml

diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index a643801f..ef90c323 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -339,6 +339,41 @@
     </bean>
     
 
+    <!--
+        uk_dummyTrustRootsDocument
+        
+        This bean contains the contents of the dummy trust roots file as a DOM Document.
+    -->
+    <bean id="uk_dummyTrustRootsDocument" parent="DOMDocumentFactoryBean">
+        <property name="parserPool" ref="parserPool"/>
+        <property name="documentResource">
+            <bean parent="FileSystemResource">
+                <constructor-arg value="${basedir}/mdx/uk/trust-dummy.xml"/>
+            </bean>
+        </property>
+    </bean>    
+    
+    
+    <!--
+        uk_addDummyTrustRoots
+        
+        This stage adds the dummy UK federation trust roots to an EntitiesDescriptor.
+    -->
+    <bean id="uk_addDummyTrustRoots" parent="XSLTransformationStage"
+        p:id="uk_addDummyTrustRoots">
+        <property name="XSLResource">
+            <bean parent="ClassPathResource">
+                <constructor-arg value="uk/trust-roots.xsl"/>
+            </bean>
+        </property>
+        <property name="transformParameters">
+            <map>
+                <entry key="trustRootsDocument" value-ref="uk_dummyTrustRootsDocument"/>
+            </map>
+        </property>
+    </bean>
+    
+    
     <!--
         uk_processFragment
         
diff --git a/mdx/uk/trust-dummy.xml b/mdx/uk/trust-dummy.xml
new file mode 100644
index 00000000..8a65fc78
--- /dev/null
+++ b/mdx/uk/trust-dummy.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntitiesDescriptor
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	Name="http://ukfederation.org.uk"
+	xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../../xml/saml-schema-metadata-2.0.xsd
+		urn:mace:shibboleth:metadata:1.0 ../../xml/shibboleth-metadata-1.0.xsd
+		http://www.w3.org/2001/04/xmlenc# ../../xml/xenc-schema.xsd
+		http://www.w3.org/2000/09/xmldsig# ../../xml/xmldsig-core-schema.xsd">
+
+	<Extensions>
+
+		<shibmd:KeyAuthority VerifyDepth="3">
+            <!--
+		          Authorities accepted for the federation.
+		          
+		          The KeyAuthority element's VerifyDepth attribute must be at least as
+		          large as the verification depth required by each root certificate below.
+            -->
+              
+		    <ds:KeyInfo>
+		        <!--
+		            Dummy Trust Root
+		            
+		            This trust root is included because the schema for KeyAuthority
+		            requires at least one KeyInfo element to be present. The private
+		            key for this certificate has been destroyed and will never be
+		            used for signing.
+
+		            Subject and issuer:
+		                C=GB
+		                O=UK Access Management Federation for Education and Research
+		                CN=UK Federation Dummy Trust Root
+
+		            Validity
+		                Not Before: Sep 11 11:12:46 2014 GMT
+		                Not After : Dec 31 11:12:46 2037 GMT
+		        -->
+		        <ds:X509Data>
+		            <ds:X509Certificate>
+		            	MIIDyTCCArGgAwIBAgIJANzhVoorjiDkMA0GCSqGSIb3DQEBCwUAMHsxCzAJBgNV
+		            	BAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVudCBGZWRlcmF0aW9u
+		            	IGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMScwJQYDVQQDDB5VSyBGZWRlcmF0
+		            	aW9uIER1bW15IFRydXN0IFJvb3QwHhcNMTQwOTExMTExMjQ2WhcNMzcxMjMxMTEx
+		            	MjQ2WjB7MQswCQYDVQQGEwJHQjFDMEEGA1UECgw6VUsgQWNjZXNzIE1hbmFnZW1l
+		            	bnQgRmVkZXJhdGlvbiBmb3IgRWR1Y2F0aW9uIGFuZCBSZXNlYXJjaDEnMCUGA1UE
+		            	AwweVUsgRmVkZXJhdGlvbiBEdW1teSBUcnVzdCBSb290MIIBIjANBgkqhkiG9w0B
+		            	AQEFAAOCAQ8AMIIBCgKCAQEAveglhNmpxkFYOK3eDy5klZFRONJOojXnrbNftFQc
+		            	9FLZdKfC2dEj4DoOl34dc0x958NO5xNr2TpVrjbrW0rC2WV0b3J9e1essclcazFy
+		            	BECiKyvKBQRlwDQDaO24b5UCSmmdpuEk5bj0PDDArox06xDDEc3xiKH46EX2yrvS
+		            	mvQSBPR7l2vJGMbUkL6SkD9K2VbBP6rqoK7FdN/zpV/U5cM3fFcpIZGUfVPkP55P
+		            	F+/pUQ9RhL5SZfo5hWgYKecVRimLmK7hIIQ6ykzJwOk95NwuNXFhinZMkjV+ECr4
+		            	uoUNDnBPZdoVy8TxuYVqqs+orQ94yrp/BdKj5paQTZwNZwIDAQABo1AwTjAdBgNV
+		            	HQ4EFgQUD2aE2xpdeqknmgnSY+JCXJ4187kwHwYDVR0jBBgwFoAUD2aE2xpdeqkn
+		            	mgnSY+JCXJ4187kwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAKjoq
+		            	8ORqQF8W4ZuEMaQsTOJxfgeRHgk1DvY1YzCt0VqMPnvbsMLI2vC1YIGVKEuds6ZA
+		            	VxIt+yng7WZOcAmHDdUjUczXRxoYrwJt1QpF+kFCnjHOD+Ra4GjryIIkCHYU5wDp
+		            	o8EVbWM5KiwUhkekjBeL/WyIyk3tHLWwr9qz0Idye0w3FczOLqkb4NgXC54miXeS
+		            	pLfExLaTc4OvsJy/DYeda8GAars4m3Q7agQxdd+0F3xiKWB60L+xoOQ3xgW4QYwS
+		            	uBMMvnRdg8I5SHquBAFXHcXhKeC/onN9J8sZIRD/vUWWasiyMNGQeh4dWcbz7PM6
+		            	h0ok321gwSmdcL+svA==
+		            </ds:X509Certificate>
+		        </ds:X509Data>
+		    </ds:KeyInfo>
+				
+		</shibmd:KeyAuthority>
+	</Extensions>
+	
+	<EntityDescriptor entityID="dummy">
+		<!--
+			Dummy entity, present simply because the schema for EntitiesDescriptor
+			requires at least one.  Removed by applications that read this file.
+			
+			*** DO NOT REMOVE THIS ENTITY FROM THE MASTER FILE ***
+		-->
+		<SPSSODescriptor protocolSupportEnumeration="dummy">
+			<AssertionConsumerService index="0" Binding="dummy" Location="dummy"/>
+		</SPSSODescriptor>
+	</EntityDescriptor>
+	
+</EntitiesDescriptor>
+

From ecea7a4878ffa0dfbaf31126ca0e2d7c2eda2a7f Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 11 Sep 2014 11:30:00 +0000
Subject: [PATCH 06/56] Add registrar URI for Japanese GakuNin federation.

---
 mdx/common-beans.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index e2dc16df..a64deb1f 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -463,6 +463,7 @@
     -->
     <bean id="hr_eduhr_registrar" parent="String" c:_0="http://www.srce.hr"/>
     <bean id="il_iif_registrar"   parent="String" c:_0="http://iif.iucc.ac.il"/>
+    <bean id="jp_gakunin_registrar" parent="String" c:_0="https://www.gakunin.jp"/>
     
     <!--
         identificationStrategy
@@ -499,6 +500,7 @@
                 <entry key="http://eduid.hu"                  value="HU"/>
                 <entry key="http://www.heanet.ie"             value="IE"/>
                 <entry key="http://www.idem.garr.it/"         value="IT"/>
+                <entry key-ref="jp_gakunin_registrar"         value="JP"/>
                 <entry key="http://laife.lanet.lv/"           value="LV"/>
                 <entry key="http://feide.no/"                 value="NO"/>
                 <entry key="http://aai.pionier.net.pl"        value="PL"/>

From 6832134172dbd198ceba18c2f6cc4b36b14f2080 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 16 Sep 2014 11:03:56 +0000
Subject: [PATCH 07/56] Trim whitespace from md:EmailAddress elements.

---
 mdx/common-beans.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index a64deb1f..24e66b1a 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -615,6 +615,7 @@
     <!--
         QNames for SAML metadata elements.
     -->
+    <bean id="md-EmailAddress"            parent="QName" c:_0-ref="md_namespace" c:_1="EmailAddress"/>
     <bean id="md-NameIDFormat"            parent="QName" c:_0-ref="md_namespace" c:_1="NameIDFormat"/>
     <bean id="md-OrganizationDisplayName" parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationDisplayName"/>
     <bean id="md-OrganizationURL"         parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationURL"/>
@@ -1030,6 +1031,7 @@
         p:id="trimImportElementWhitespace">
         <property name="elementNames">
             <set>
+                <ref bean="md-EmailAddress"/>
                 <ref bean="md-NameIDFormat"/>
                 <ref bean="md-OrganizationDisplayName"/>
                 <ref bean="md-OrganizationURL"/>

From b9e5da7306a9e39b411141b358879ecddbf92f9e Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 24 Sep 2014 14:30:50 +0000
Subject: [PATCH 08/56] Include a dummy trust root in the test aggregate.

---
 mdx/uk/generate.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 98b6f57d..80fc3cbc 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -634,6 +634,7 @@
                 
                 <ref bean="uk_assemble"/>
                 <ref bean="performOtherFixups"/>
+                <ref bean="uk_addDummyTrustRoots"/>
                 <ref bean="uk_finaliseTest"/>
                 <ref bean="uk_normaliseTest"/>
                 

From 558b15d647485c951a098b5b176adc6263a59699 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 29 Sep 2014 15:52:51 +0000
Subject: [PATCH 09/56] Bugzilla 1153: remove an entity from Jenkins' courtesy
 check on AT federation metadata.

---
 mdx/at_aconet/verbs.xml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/mdx/at_aconet/verbs.xml b/mdx/at_aconet/verbs.xml
index f731c821..0a7547ff 100644
--- a/mdx/at_aconet/verbs.xml
+++ b/mdx/at_aconet/verbs.xml
@@ -92,6 +92,21 @@
                         </list>
                     </property>
                 </bean>
+                
+                <!--
+                    Remove a specific entity we know has a problem that it will take
+                    a while to resolve.
+                -->
+                <bean parent="stage_parent"
+                    class="net.shibboleth.metadata.dom.saml.EntityFilterStage"
+                    p:id="filterEntities"
+                    p:whitelistingEntities="false">
+                    <property name="designatedEntities">
+                        <set>
+                            <value>https://zididp.uni-graz.at/idp/shibboleth</value>
+                        </set>
+                    </property>
+                </bean>
 
                 <ref bean="errorTerminatingFilter"/>
             </list>

From c83a1ac9a8ab443df3c85502978c25632800a72e Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 21 Oct 2014 10:30:57 +0000
Subject: [PATCH 10/56] Remove dummy trust root from the test aggregate again.

---
 mdx/uk/generate.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 80fc3cbc..98b6f57d 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -634,7 +634,6 @@
                 
                 <ref bean="uk_assemble"/>
                 <ref bean="performOtherFixups"/>
-                <ref bean="uk_addDummyTrustRoots"/>
                 <ref bean="uk_finaliseTest"/>
                 <ref bean="uk_normaliseTest"/>
                 

From 2bbf90d3c9276825dbc0a362b9de5e0b50128c62 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 21 Oct 2014 10:51:49 +0000
Subject: [PATCH 11/56] Simplify by removing almost everything to do with
 KeyName.

---
 build/check_embedded.pl | 54 +++--------------------------------------
 1 file changed, 3 insertions(+), 51 deletions(-)

diff --git a/build/check_embedded.pl b/build/check_embedded.pl
index 8268a246..a0515531 100755
--- a/build/check_embedded.pl
+++ b/build/check_embedded.pl
@@ -147,14 +147,12 @@ sub comment {
 		#
 		# Output header line.
 		#
-		$oline = "Entity $entity ";
+		$oline = "Entity $entity";
 		$hasKeyName = !($keyname eq '(none)');
+		push(@olines, $oline);
 		if ($hasKeyName) {
-			$oline .= "has KeyName $keyname";
-		} else {
-			$oline .= "has no KeyName";
+			error("descriptor has unexpected KeyName $keyname");
 		}
-		push(@olines, $oline);
 
 		#
 		# Start building a new blob.
@@ -280,7 +278,6 @@ sub comment {
 				#
 				if ($notAfter =~ /(\d\d\d\d)/) {
 					my $year = $1;
-					$expiryYear = $year;
 					if ($year > $maxYear) {
 						$maxYear = $year;
 					}
@@ -362,14 +359,6 @@ sub comment {
 		}
 
 
-		#
-		# Check KeyName if one has been supplied.
-		#
-		if ($hasKeyName && !defined($names{lc $keyname})) {
-			my $nameList = join ", ", sort keys %names;
-			error("KeyName mismatch: $keyname not in {$nameList}");
-		}
-		
 		#
 		# Use openssl to ask whether this matches our trust fabric or not.
 		#
@@ -427,25 +416,6 @@ sub comment {
 			} elsif ($clientOK) {
 				# $error = "certificate matches trust fabric; add KeyName?";
 			}
-		} else {
-			#
-			# If a KeyName is present, we must match the trust fabric.
-			#
-			if ($error eq 'self signed certificate') {
-				$error = 'self signed certificate: remove KeyName?';
-			} elsif ($error eq 'unable to get local issuer certificate') {
-				$error = "non trust fabric issuer: $issuerCN: remove KeyName?";
-			}
-
-			#
-			# KeyName with an expired certificate indicates some kind of misconfiguration.
-			# Either the KeyDescriptor isn't working, or the expired certificate is still
-			# in use (in which case the KeyName is superfluous) or a different certificate
-			# is in use via PKIX (which means we have the wrong one).
-			#
-			if ($days < 0) {
-				error("expired certificate has KeyName; acquire/ensure correct certificate and remove KeyName");
-			}
 		}
 
 		if ($error eq 'certificate has expired' && $days < 0) {
@@ -478,13 +448,6 @@ sub comment {
 				warning("issuer '$issuerCN' suspect; verify");
 			}
 		}
-		if ($hasKeyName && ($issuerCN =~ /(Global|Veri)Sign/)) {
-			warning("issuer \"$issuerCN\" to be retired; certificate expires $notAfter; remove KeyName?");
-			$issuerMark{$issuerCN} = '*';
-		}
-		if ($hasKeyName && ($expiryYear > 2014)) {
-			warning("expires $notAfter, which is later than 2014");
-		}
 
 		#
 		# Count issuers.
@@ -497,9 +460,6 @@ sub comment {
 			} else {
 				$issuers{$issuerCN}++;
 			}
-			if ($hasKeyName) {
-				$knIssuers{$issuerCN}++;
-			}
 		}
 
 		#
@@ -544,14 +504,6 @@ sub comment {
 	}
 	print "\n";
 
-	print "KeyName certificate issuers:\n";
-	foreach $issuer (sort keys %knIssuers) {
-		my $count = $knIssuers{$issuer};
-		my $mark = $issuerMark{$issuer} ? $issuerMark{$issuer}: ' ';
-		print " $mark $issuer: $count\n";
-	}
-	print "\n";
-
 	my $first = 1;
 	foreach $fingerprint (sort keys %expiry_whitelist) {
 		if ($expiry_whitelist{$fingerprint} eq 'unused') {

From 9779aade50a201a7130967472465f0e7119a0be1 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 21 Oct 2014 12:06:29 +0000
Subject: [PATCH 12/56] Tidier display of entity IDs.

---
 build/check_embedded.pl | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/build/check_embedded.pl b/build/check_embedded.pl
index a0515531..3fe5485e 100755
--- a/build/check_embedded.pl
+++ b/build/check_embedded.pl
@@ -143,6 +143,13 @@ sub comment {
 		@args = split;
 		$entity = $args[1];
 		$keyname = $args[3];
+
+		#
+		# Tidy entity ID if it includes a UK ID as well.
+		#
+		if ($entity =~ /^\[(.+)\](.+)$/) {
+			$entity = $2 . ' (' . $1 . ')';
+		}
 		
 		#
 		# Output header line.
@@ -439,6 +446,14 @@ sub comment {
 		#
 		close $fh;
 
+		#if ($issuer eq $subject) {
+		#	# self-signed
+		#} elsif ($issuerCN eq 'TERENA SSL CA') {
+		#	# this one we know about
+		#} else {
+		#	warning("issuer is '$issuerCN'");
+		#}
+
 		#
 		# Add a warning for certain issuers.
 		#

From d189bb52e17cd2eba0cd59b77550dae5b7d79c04 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 21 Oct 2014 13:00:55 +0000
Subject: [PATCH 13/56] Add some more federation registrar URIs.

---
 mdx/common-beans.xml | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 24e66b1a..a3307c98 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -461,9 +461,15 @@
     <!--
         Federation registrationAuthority URIs.
     -->
-    <bean id="hr_eduhr_registrar" parent="String" c:_0="http://www.srce.hr"/>
-    <bean id="il_iif_registrar"   parent="String" c:_0="http://iif.iucc.ac.il"/>
+    <bean id="ar_mate_registrar"    parent="String" c:_0="http://www.federacionmate.gob.ar"/>
+    <bean id="am_afire_registrar"   parent="String" c:_0="http://afire.asnet.am"/>
+    <bean id="au_aaf_registrar"     parent="String" c:_0="http://aaf.edu.au/"/>
+    <bean id="co_colfire_registrar" parent="String" c:_0="http://colfire.co"/>
+    <bean id="ec_minga_registrar"   parent="String" c:_0="https://minga.cedia.org.ec"/>
+    <bean id="hr_eduhr_registrar"   parent="String" c:_0="http://www.srce.hr"/>
+    <bean id="il_iif_registrar"     parent="String" c:_0="http://iif.iucc.ac.il"/>
     <bean id="jp_gakunin_registrar" parent="String" c:_0="https://www.gakunin.jp"/>
+    <bean id="lt_litnet_registrar"  parent="String" c:_0="https://fedi.litnet.lt"/>
     
     <!--
         identificationStrategy
@@ -493,6 +499,7 @@
                 <entry key-ref="hr_eduhr_registrar"           value="HR"/>
                 <entry key="http://www.eduid.cz/"             value="CZ"/>
                 <entry key="https://www.wayf.dk"              value="DK"/>
+                <entry key-ref="ec_minga_registrar"           value="EC"/>
                 <entry key="http://www.csc.fi/haka"           value="FI"/>
                 <entry key="https://federation.renater.fr/"   value="FR"/>
                 <entry key="https://www.aai.dfn.de"           value="DE"/>
@@ -502,6 +509,7 @@
                 <entry key="http://www.idem.garr.it/"         value="IT"/>
                 <entry key-ref="jp_gakunin_registrar"         value="JP"/>
                 <entry key="http://laife.lanet.lv/"           value="LV"/>
+                <entry key-ref="lt_litnet_registrar"          value="LT"/>
                 <entry key="http://feide.no/"                 value="NO"/>
                 <entry key="http://aai.pionier.net.pl"        value="PL"/>
                 <entry key="http://aai.arnes.si"              value="SI"/>
@@ -509,13 +517,17 @@
                 <entry key="http://www.swamid.se/"            value="SE"/>
                 <entry key="http://rr.aai.switch.ch/"         value="CH"/>
                 <entry key="http://www.surfconext.nl/"        value="NL"/>
+                <entry key="https://incommon.org"             value="US"/>
                 <entry key="http://ukfederation.org.uk"       value="UK"/>
                 
                 <!-- Joining eduGAIN -->
-                <entry key="https://incommon.org"             value="US"/>
-                
-                <!-- eduGAIN candidates -->
+                <entry key-ref="ar_mate_registrar"            value="AR"/>
+                <entry key-ref="au_aaf_registrar"             value="AU"/>
+                <entry key-ref="co_colfire_registrar"         value="CO"/>
                 <entry key-ref="il_iif_registrar"             value="IL"/>
+                
+                <!-- Candidates -->
+                <entry key-ref="am_afire_registrar"           value="AM"/>
             </map>
         </property>
     </bean>

From 1b5b0d0a427322642cba7bdea636d20c38c26b3b Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 21 Oct 2014 13:32:48 +0000
Subject: [PATCH 14/56] Pull up declarations of some registrar URIs into
 common-beans so that they only appear once.

---
 mdx/at_aconet/beans.xml   |  9 ---------
 mdx/cl_cofre/beans.xml    |  9 ---------
 mdx/common-beans.xml      | 42 +++++++++++++++++++++++----------------
 mdx/fr_renater/beans.xml  |  9 ---------
 mdx/hu_eduid/beans.xml    |  9 ---------
 mdx/ie_edugate/beans.xml  |  9 ---------
 mdx/pl_pionier/beans.xml  |  9 ---------
 mdx/se_swamid/beans.xml   |  9 ---------
 mdx/us_incommon/beans.xml | 12 -----------
 9 files changed, 25 insertions(+), 92 deletions(-)

diff --git a/mdx/at_aconet/beans.xml b/mdx/at_aconet/beans.xml
index 4fcf3c37..57c1d42d 100644
--- a/mdx/at_aconet/beans.xml
+++ b/mdx/at_aconet/beans.xml
@@ -73,15 +73,6 @@
         <property name="verificationCertificate" ref="at_aconet_signingCertificate"/>
     </bean>
     
-    <!--
-        at_aconet_registrar
-        
-        Unique ID for the registrar associated with this channel.
-    -->
-    <bean id="at_aconet_registrar" class="java.lang.String">
-        <constructor-arg value="http://eduid.at"/>
-    </bean>
-    
     <!--
         at_aconet_check_regauth
         
diff --git a/mdx/cl_cofre/beans.xml b/mdx/cl_cofre/beans.xml
index 42b9628d..d7381766 100644
--- a/mdx/cl_cofre/beans.xml
+++ b/mdx/cl_cofre/beans.xml
@@ -52,15 +52,6 @@
         <property name="verificationCertificate" ref="cl_cofre_signingCertificate"/>
     </bean>
     
-    <!--
-        cl_cofre_registrar
-        
-        Unique ID for the registrar associated with this channel.
-    -->
-    <bean id="cl_cofre_registrar" class="java.lang.String">
-        <constructor-arg value="http://cofre.reuna.cl"/>
-    </bean>
-    
     <!--
         cl_cofre_check_regauth
         
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index a3307c98..669ca938 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -461,15 +461,23 @@
     <!--
         Federation registrationAuthority URIs.
     -->
-    <bean id="ar_mate_registrar"    parent="String" c:_0="http://www.federacionmate.gob.ar"/>
-    <bean id="am_afire_registrar"   parent="String" c:_0="http://afire.asnet.am"/>
-    <bean id="au_aaf_registrar"     parent="String" c:_0="http://aaf.edu.au/"/>
-    <bean id="co_colfire_registrar" parent="String" c:_0="http://colfire.co"/>
-    <bean id="ec_minga_registrar"   parent="String" c:_0="https://minga.cedia.org.ec"/>
-    <bean id="hr_eduhr_registrar"   parent="String" c:_0="http://www.srce.hr"/>
-    <bean id="il_iif_registrar"     parent="String" c:_0="http://iif.iucc.ac.il"/>
-    <bean id="jp_gakunin_registrar" parent="String" c:_0="https://www.gakunin.jp"/>
-    <bean id="lt_litnet_registrar"  parent="String" c:_0="https://fedi.litnet.lt"/>
+    <bean id="ar_mate_registrar"     parent="String" c:_0="http://www.federacionmate.gob.ar"/>
+    <bean id="am_afire_registrar"    parent="String" c:_0="http://afire.asnet.am"/>
+    <bean id="at_aconet_registrar"   parent="String" c:_0="http://eduid.at"/>
+    <bean id="au_aaf_registrar"      parent="String" c:_0="http://aaf.edu.au/"/>
+    <bean id="cl_cofre_registrar"    parent="String" c:_0="http://cofre.reuna.cl"/>
+    <bean id="co_colfire_registrar"  parent="String" c:_0="http://colfire.co"/>
+    <bean id="ec_minga_registrar"    parent="String" c:_0="https://minga.cedia.org.ec"/>
+    <bean id="fr_renater_registrar"  parent="String" c:_0="https://federation.renater.fr/"/>
+    <bean id="hr_eduhr_registrar"    parent="String" c:_0="http://www.srce.hr"/>
+    <bean id="hu_eduid_registrar"    parent="String" c:_0="http://eduid.hu"/>
+    <bean id="ie_edugate_registrar"  parent="String" c:_0="http://www.heanet.ie"/>
+    <bean id="il_iif_registrar"      parent="String" c:_0="http://iif.iucc.ac.il"/>
+    <bean id="jp_gakunin_registrar"  parent="String" c:_0="https://www.gakunin.jp"/>
+    <bean id="lt_litnet_registrar"   parent="String" c:_0="https://fedi.litnet.lt"/>
+    <bean id="pl_pionier_registrar"  parent="String" c:_0="http://aai.pionier.net.pl"/>
+    <bean id="se_swamid_registrar"   parent="String" c:_0="http://www.swamid.se/"/>
+    <bean id="us_incommon_registrar" parent="String" c:_0="https://incommon.org"/>
     
     <!--
         identificationStrategy
@@ -491,33 +499,33 @@
                     
                     http://www.edugain.org/technical/status.php
                 -->
-                <entry key="http://eduid.at"                  value="AT"/>
+                <entry key-ref="at_aconet_registrar"          value="AT"/>
                 <entry key="http://federation.belnet.be/"     value="BE"/>
                 <entry key="http://cafe.rnp.br"               value="BR"/>
                 <entry key="http://www.canarie.ca"            value="CA"/>
-                <entry key="http://cofre.reuna.cl"            value="CL"/>
+                <entry key-ref="cl_cofre_registrar"           value="CL"/>
                 <entry key-ref="hr_eduhr_registrar"           value="HR"/>
                 <entry key="http://www.eduid.cz/"             value="CZ"/>
                 <entry key="https://www.wayf.dk"              value="DK"/>
                 <entry key-ref="ec_minga_registrar"           value="EC"/>
                 <entry key="http://www.csc.fi/haka"           value="FI"/>
-                <entry key="https://federation.renater.fr/"   value="FR"/>
+                <entry key-ref="fr_renater_registrar"         value="FR"/>
                 <entry key="https://www.aai.dfn.de"           value="DE"/>
                 <entry key="http://aai.grnet.gr/"             value="GR"/>
-                <entry key="http://eduid.hu"                  value="HU"/>
-                <entry key="http://www.heanet.ie"             value="IE"/>
+                <entry key-ref="hu_eduid_registrar"           value="HU"/>
+                <entry key-ref="ie_edugate_registrar"         value="IE"/>
                 <entry key="http://www.idem.garr.it/"         value="IT"/>
                 <entry key-ref="jp_gakunin_registrar"         value="JP"/>
                 <entry key="http://laife.lanet.lv/"           value="LV"/>
                 <entry key-ref="lt_litnet_registrar"          value="LT"/>
                 <entry key="http://feide.no/"                 value="NO"/>
-                <entry key="http://aai.pionier.net.pl"        value="PL"/>
+                <entry key-ref="pl_pionier_registrar"         value="PL"/>
                 <entry key="http://aai.arnes.si"              value="SI"/>
                 <entry key="http://www.rediris.es/"           value="ES"/>
-                <entry key="http://www.swamid.se/"            value="SE"/>
+                <entry key-ref="se_swamid_registrar"          value="SE"/>
                 <entry key="http://rr.aai.switch.ch/"         value="CH"/>
                 <entry key="http://www.surfconext.nl/"        value="NL"/>
-                <entry key="https://incommon.org"             value="US"/>
+                <entry key-ref="us_incommon_registrar"        value="US"/>
                 <entry key="http://ukfederation.org.uk"       value="UK"/>
                 
                 <!-- Joining eduGAIN -->
diff --git a/mdx/fr_renater/beans.xml b/mdx/fr_renater/beans.xml
index 4a9fbec8..209af1e8 100644
--- a/mdx/fr_renater/beans.xml
+++ b/mdx/fr_renater/beans.xml
@@ -104,15 +104,6 @@
         <property name="permittingEmptyReferences" value="true"/>
     </bean>
     
-    <!--
-        fr_renater_registrar
-        
-        Unique ID for the registrar associated with this channel.
-    -->
-    <bean id="fr_renater_registrar" class="java.lang.String">
-        <constructor-arg value="https://federation.renater.fr/"/>
-    </bean>
-    
     <!--
         fr_renater_check_regauth
         
diff --git a/mdx/hu_eduid/beans.xml b/mdx/hu_eduid/beans.xml
index f9d369be..9eb23676 100644
--- a/mdx/hu_eduid/beans.xml
+++ b/mdx/hu_eduid/beans.xml
@@ -74,15 +74,6 @@
         p:id="hu_eduid_stripEntityAttributesNamespace"
         p:namespace="urn:geant:niif.hu:eduid.hu:entity-attributes:processing-info"/>
 
-    <!--
-        hu_eduid_registrar
-        
-        Unique ID for the registrar associated with this channel.
-    -->
-    <bean id="hu_eduid_registrar" class="java.lang.String">
-        <constructor-arg value="http://eduid.hu"/>
-    </bean>
-    
     <!--
         hu_eduid_check_regauth
         
diff --git a/mdx/ie_edugate/beans.xml b/mdx/ie_edugate/beans.xml
index 59cc6135..deab5bfe 100644
--- a/mdx/ie_edugate/beans.xml
+++ b/mdx/ie_edugate/beans.xml
@@ -78,15 +78,6 @@
         <property name="maxValidityInterval" value="#{ 1000L * 60 * 60 * 24 * 14 }"/>
     </bean>
     
-    <!--
-        ie_edugate_registrar
-        
-        Unique ID for the registrar associated with this channel.
-    -->
-    <bean id="ie_edugate_registrar" class="java.lang.String">
-        <constructor-arg value="http://edugate.heanet.ie"/>
-    </bean>
-    
     <!--
         ie_edugate_check_regauth
         
diff --git a/mdx/pl_pionier/beans.xml b/mdx/pl_pionier/beans.xml
index df44df76..1dfc9cfa 100644
--- a/mdx/pl_pionier/beans.xml
+++ b/mdx/pl_pionier/beans.xml
@@ -84,15 +84,6 @@
         <property name="verificationCertificate" ref="pl_pionier_edugainCertificate"/>
     </bean>
     
-    <!--
-        pl_pionier_registrar
-        
-        Unique ID for the registrar associated with this channel.
-    -->
-    <bean id="pl_pionier_registrar" class="java.lang.String">
-        <constructor-arg value="https://aai.pionier.net.pl"/>
-    </bean>
-    
     <!--
         pl_pionier_check_regauth
         
diff --git a/mdx/se_swamid/beans.xml b/mdx/se_swamid/beans.xml
index 77fa9495..ddf52177 100644
--- a/mdx/se_swamid/beans.xml
+++ b/mdx/se_swamid/beans.xml
@@ -74,15 +74,6 @@
         <property name="permittingEmptyReferences" value="true"/>
     </bean>
     
-    <!--
-        se_swamid_registrar
-        
-        Unique ID for the registrar associated with this channel.
-    -->
-    <bean id="se_swamid_registrar" class="java.lang.String">
-        <constructor-arg value="http://www.swamid.se/"/>
-    </bean>
-    
     <!--
         se_swamid_check_regauth
         
diff --git a/mdx/us_incommon/beans.xml b/mdx/us_incommon/beans.xml
index b64b0d3e..1d113c63 100644
--- a/mdx/us_incommon/beans.xml
+++ b/mdx/us_incommon/beans.xml
@@ -60,18 +60,6 @@
         <property name="verificationCertificate" ref="us_incommon_signingCertificate"/>
     </bean>
 
-    <!--
-        us_incommon_registrar
-        
-        Unique ID for the registrar associated with this channel.
-        
-        This isn't a formalised value, but a placeholder Tom Scavo thinks
-        might be what they will end up using.
-    -->
-    <bean id="us_incommon_registrar" class="java.lang.String">
-        <constructor-arg value="https://incommon.org"/>
-    </bean>
-    
     <!--
         us_incommon_check_regauth
         

From 9146be2e3271a28fa69a626e8fe73f43fc010bc1 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 4 Nov 2014 10:05:08 +0000
Subject: [PATCH 15/56] Rewrite mdui:Logo check as a single template to avoid
 one template overriding the other. Add a test for mdui:Logo including a line
 break, which causes problems for the CDS.

---
 mdx/_rules/check_mdui.xsl | 51 ++++++++++++++++++++++++---------------
 1 file changed, 31 insertions(+), 20 deletions(-)

diff --git a/mdx/_rules/check_mdui.xsl b/mdx/_rules/check_mdui.xsl
index 5615990b..47f789b1 100644
--- a/mdx/_rules/check_mdui.xsl
+++ b/mdx/_rules/check_mdui.xsl
@@ -172,6 +172,16 @@
 		Section 2.1.5 Element <mdui:Logo>
 	-->
 	<xsl:template match="mdui:Logo">
+        <!--
+            Logos must never include un-encoded line breaks. This makes them invalid
+            URLs, but also causes problems with the Shibboleth CDS.
+        -->
+        <xsl:if test="contains(., '&#10;')">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">mdui:Logo contains line break</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
 		<!--
 			Require that the URL starts with https://
 			
@@ -189,28 +199,29 @@
 				</xsl:call-template>
 			</xsl:if>
 		</xsl:if>
-	</xsl:template>
-	
-	<!--
-        Check for <mdui:Logo> elements that aren't valid URLs.
         
-        Again, explicitly permit anything starting with 'data:'.
-    -->
-	<xsl:template match="mdui:Logo[mdxURL:invalidURL(.)]">
-		<xsl:if test="not(starts-with(., 'data:'))">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">
-					<xsl:text>mdui:</xsl:text>
-					<xsl:value-of select='local-name()'/>
-					<xsl:text> '</xsl:text>
-					<xsl:value-of select="."/>
-					<xsl:text>' is not a valid URL: </xsl:text>
-					<xsl:value-of select="mdxURL:whyInvalid(.)"/>
-				</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
+        <!--
+            Check for <mdui:Logo> elements that aren't valid URLs.
+            
+            Again, explicitly permit anything starting with 'data:', so that the
+            only validity test we're performing on data: URLs is the "no newline" rule.
+        -->
+        <xsl:if test="mdxURL:invalidURL(.)">
+            <xsl:if test="not(starts-with(., 'data:'))">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>mdui:</xsl:text>
+                        <xsl:value-of select='local-name()'/>
+                        <xsl:text> '</xsl:text>
+                        <xsl:value-of select="."/>
+                        <xsl:text>' is not a valid URL: </xsl:text>
+                        <xsl:value-of select="mdxURL:whyInvalid(.)"/>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:if>
+        </xsl:if>
 	</xsl:template>
-	
+
 	<!--
 		Section 2.1.6 Element <mdui:InformationURL>
 		

From 024212e0aad12856ed26749d163ec98eb4019aaa Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 7 Nov 2014 15:34:14 +0000
Subject: [PATCH 16/56] Accept hide-from-discovery entity category from eduGAIN
 participants. Also, tidy the list and use Spring c:-notation for categories.

---
 mdx/uk/generate.xml | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 98b6f57d..e4e7531e 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -262,18 +262,21 @@
                 <bean parent="EntityAttributeFilteringStage" p:id="entityAttributes">
                     <property name="rules">
                         <list>
+                            <!-- Permit GÉANT CoC category from any eduGAIN participant. -->
+                            <bean parent="EntityCategoryMatcher"
+                                c:category="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>
+
+                            <!-- Permit REFEDS Hide From Discovery category from any eduGAIN participant. -->
+                            <bean parent="EntityCategoryMatcher"
+                                c:category="http://refeds.org/category/hide-from-discovery"/>
+
                             <!-- Permit REFEDS R&S category from any eduGAIN participant. -->
-                            <bean parent="EntityCategoryMatcher">
-                                <constructor-arg value="http://refeds.org/category/research-and-scholarship"/>
-                            </bean>
+                            <bean parent="EntityCategoryMatcher"
+                            	c:category="http://refeds.org/category/research-and-scholarship"/>
+
                             <!-- Permit REFEDS R&S category *support* from any eduGAIN participant. -->
-                            <bean parent="EntityCategorySupportMatcher">
-                                <constructor-arg value="http://refeds.org/category/research-and-scholarship"/>
-                            </bean>
-                            <!-- Permit GÉANT CoC category from any eduGAIN participant. -->
-                            <bean parent="EntityCategoryMatcher">
-                                <constructor-arg value="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>
-                            </bean>
+                            <bean parent="EntityCategorySupportMatcher"
+                                c:category="http://refeds.org/category/research-and-scholarship"/>
                         </list>
                     </property>
                 </bean>

From 0c37a5b345228967f50a9d26503481ce2a1e85bd Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 12 Nov 2014 09:59:43 +0000
Subject: [PATCH 17/56] Switch over to using the 2014 certificate for
 verification.

This is a nominal change, as the key embedded in the signing certificate has not changed.
---
 build.xml                    |   4 ++--
 mdx/uk/beans.xml             |   2 +-
 mdx/uk/ukfederation-2012.jks | Bin 1040 -> 0 bytes
 mdx/uk/ukfederation-2012.pem |  23 -----------------------
 4 files changed, 3 insertions(+), 26 deletions(-)
 delete mode 100644 mdx/uk/ukfederation-2012.jks
 delete mode 100644 mdx/uk/ukfederation-2012.pem

diff --git a/build.xml b/build.xml
index 9dbc2387..1ce4089d 100644
--- a/build.xml
+++ b/build.xml
@@ -609,7 +609,7 @@
         <attribute name="i"/>
         <sequential>
             <MDT i="@{i}" o="${null.device}"
-                keystore="${mdx.dir}/uk/ukfederation-2012.jks"
+                keystore="${mdx.dir}/uk/ukfederation-2014.jks"
                 alias="${keystore.uk.vfy.alias}"/>
         </sequential>
     </macrodef>
@@ -702,7 +702,7 @@
                 <args>
                     <arg value="--verifySignature"/>
                     <arg value="--certificate"/>
-                    <arg value="${mdx.dir}/uk/ukfederation-2012.pem"/>
+                    <arg value="${mdx.dir}/uk/ukfederation-2014.pem"/>
                     <!--
                     <arg value="- -quiet"/>
                     -->
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index ef90c323..6d9aa598 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -74,7 +74,7 @@
     <bean id="uk_signingCertificate" parent="X509CertificateFactoryBean">
         <property name="certificateFile">
             <bean class="java.io.File">
-                <constructor-arg value="${basedir}/mdx/uk/ukfederation-2012.pem"/>
+                <constructor-arg value="${basedir}/mdx/uk/ukfederation-2014.pem"/>
             </bean>
         </property>
     </bean>
diff --git a/mdx/uk/ukfederation-2012.jks b/mdx/uk/ukfederation-2012.jks
deleted file mode 100644
index 6f3fff5ae1c48e8af3fa30579621918c9d0d8c08..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1040
zcmezO_TO6u1_mY|W(3nbrP*nzDXB$?C7JnoKtU^iH|r7x)(AaQ14{-5=F<jE%*PFy
znAR^~W@2Pw;$*n7QP17U=XSmUFB_*;n@8JsUPeY%RtAGALv903Hs(+kHen`rCqrig
zM-YdL$12oY!7({GwYXTpH!&|UJvBEquSCHOZlyw6evyJ}N@+6K0SbwEDGEWU#i@x!
z$r*-f1}Y#!n0aJ@h9GJ2O)W`GNi0cJ2+mB;OD!^x6X!KFGBhwWG%z=?FtmsQa!m{k
z4b7n30d-pwqY`pZF|sl+H!<=v7&I|*F*PwVGQ3(_bNbK>=?Ob8?D%KqYTL=qbMfe@
zxvtDbon1mAakE_aZJ)E|?FQ)yD^D#bojJc}%JLsQ%Y_XRJYsa0OtEi0wNX~(K%({P
zi!)}PT_$0^<C@Q;v%D+XX3n}H^Y*>P{h4Rl799`27owfTq<iE?<E+b>W!v`MPub;i
zuFIfAYr%;c$DQ}ryT}%w*uv!?_*hl;+3l$E)MvFF*H?bZ{&X*^W6HNhRU2b|9K9Q|
z)qPDh*R#Z+1vb2$30@idGGAY>7M_!>lcndJ|1o8aZ?AfbMcKCViD#7N9@Y5k`gz^$
z{-UUV(~Df1tn>MeU$e{PYrE`kV9Cx|^K+XYH_uLqO?LcRF{0j2nV1<F7#9Z^_!-Co
z<64%FMT|wn-@Qe;=h&Wu2`|2C*?(`kbD-%ei-9~yTA4+{K&%0~0v?b8VHQ>cW=6*U
z$YBmlp1?3?WRRKpOl)G?et{KQHoVDOSFxr9O}=>b{SmSF&EadmSDpMRF~?(qedXS@
z-pBr1uq7Szv2WR0d)dnCdf_4ND<7sz$n3u_n$vzi?c7lpsr1X-K6)R%F`p0B4`$&m
zvam{IID03v;fkwR)7?4x2P>TW-(>ZuOze1jnYGRNOK&^pv1qQ0hY^$Kb(C+oq5X{c
z__UtGQchn@K5oqyPdhESWc|KBCwzjwOR;eGH_ppDuw>5qyRzM1e-(0mR2J@zzqfUf
zC({?Nb8%ZIyMJ4`;oZTR??t~fueviy|Mk=Uyi5OIyR1H8&2OKOx|2QmyORCOjH#Qm
tj^&h{P`)(bWZp}&%MwLrM0fFjn)@<Lt=6?aL^|K4Q#wRJ_t1>(#{i28nvnni

diff --git a/mdx/uk/ukfederation-2012.pem b/mdx/uk/ukfederation-2012.pem
deleted file mode 100644
index a1f3a57a..00000000
--- a/mdx/uk/ukfederation-2012.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDxzCCAq+gAwIBAgIJANixLkdCTNtvMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
-BAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVudCBGZWRlcmF0aW9u
-IGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMSYwJAYDVQQDDB1VSyBGZWRlcmF0
-aW9uIE1ldGFkYXRhIFNpZ25lcjAeFw0xMjEwMTEwNzA4MThaFw0xNDExMTYwNzA4
-MThaMHoxCzAJBgNVBAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVu
-dCBGZWRlcmF0aW9uIGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMSYwJAYDVQQD
-DB1VSyBGZWRlcmF0aW9uIE1ldGFkYXRhIFNpZ25lcjCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAOqtfMvCmBuQudC4/jZFPYkHDNHFyp1FA3KJihIUXppF
-vrecrO2wG5CpyqB1mZ+MlKf4jKcTMGBIXC2klD+FyrEdJMBhO6vRmJnNphg3uNZM
-ks0NqIaZmtgc7e8435nMhqLHV95UK2oCLcT4gZrTaXa2vt9kukTOijB0KqDIfEG5
-369EHXPItApAEeMlHebbWndl5n2I16nya/LeaoiU9qJ6sVz4xd1UtUesewrmYVKg
-PA2JYEpovmnr13sTnGssai5Db/FkrE2NJ4Q4drbPYcwincUo/UXzrtuPclr+l3JE
-gjtvDzPrBxxvK0S/gARrbKz5tk4LDLkYsj4PKlwVS+UCAwEAAaNQME4wHQYDVR0O
-BBYEFE9HhBuMxrzBYOj1Kj/3gtzAgtUEMB8GA1UdIwQYMBaAFE9HhBuMxrzBYOj1
-Kj/3gtzAgtUEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAByZ5haR
-hr8QqCo8DWO1qgVkUpPR1e/EFl+zV633esn5GJxIkD95va1Lxv84BmLBTD+EtX3T
-OkrXccIL1PCUkGmP3xVsh99mzsVEGmfTC0wu8PYDz1UvUwQLcjg6YQDN3GmA1EUW
-gt2cL8F4Q4/saowkkYjt0wWGQ/SNhwnGWwpo4ViTnoh3sNgr5gPHlozDGkL1NPG1
-bxdmyxmkr778yExS9xoEC4+Bnm7ApJyv3R2L9fpxCfEjE4tf3rWiSQL0Ss5etZNH
-9qmw7sGZ7xX0g6rcki/r5Y9u0v/rRKvIOw8/YGW5B2P3Ij/paJWzasZsdsgj0pDJ
-buk20xhyzBW6D/I=
------END CERTIFICATE-----

From 2855ed2ebc71758650de56758e10ed540d9bc596 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 12 Nov 2014 14:06:22 +0000
Subject: [PATCH 18/56] Add REFEDS "Hide from Discovery" entity category to
 IdPs marked with HideFromWAYF.

---
 mdx/uk/add_hide_category.xsl | 66 ++++++++++++++++++++++++++++++++++++
 mdx/uk/beans.xml             | 12 +++++++
 mdx/uk/check_uk_mdattr.xsl   |  1 +
 3 files changed, 79 insertions(+)
 create mode 100644 mdx/uk/add_hide_category.xsl

diff --git a/mdx/uk/add_hide_category.xsl b/mdx/uk/add_hide_category.xsl
new file mode 100644
index 00000000..164ffd88
--- /dev/null
+++ b/mdx/uk/add_hide_category.xsl
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	add_hide_category.xsl
+
+	Adds the REFEDS "Hide from Discovery" entity category to IdPs which are already
+	labelled with the UK federation's "HideFromWAYF" marker element.
+	
+	Assumes that the IdP in question has an Extensions element already, but no
+	entity attributes. This is currently true for UKf-registered entities, but
+	a longer term solution will require the ability to add a new value into
+	an existing collection of entity attributes.
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+	
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	exclude-result-prefixes="md">
+
+	<!--Force UTF-8 encoding for the output.-->
+	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+	<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]/md:Extensions[wayf:HideFromWAYF]">
+		<xsl:copy>
+			<xsl:text>&#10;</xsl:text>
+			<xsl:text>        </xsl:text>
+			<xsl:element name="mdattr:EntityAttributes">
+				<xsl:text>&#10;</xsl:text>
+				<xsl:text>            </xsl:text>
+				<xsl:element name="saml:Attribute">
+					<xsl:attribute name="Name">http://macedir.org/entity-category</xsl:attribute>
+					<xsl:attribute name="NameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</xsl:attribute>
+					<xsl:text>&#10;</xsl:text>
+					<xsl:text>                </xsl:text>
+					<xsl:element name="saml:AttributeValue">
+						<xsl:text>http://refeds.org/category/hide-from-discovery</xsl:text>
+					</xsl:element>
+					<xsl:text>&#10;</xsl:text>
+					<xsl:text>            </xsl:text>
+				</xsl:element>
+				<xsl:text>&#10;</xsl:text>
+				<xsl:text>        </xsl:text>
+			</xsl:element>
+			<xsl:apply-templates select="node()"/>
+		</xsl:copy>
+	</xsl:template>
+	
+	<!--By default, copy text blocks, comments and attributes unchanged.-->
+	<xsl:template match="text()|comment()|@*">
+		<xsl:copy/>
+	</xsl:template>
+	
+	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+	<xsl:template match="*">
+		<xsl:copy>
+			<xsl:apply-templates select="node()|@*"/>
+		</xsl:copy>
+	</xsl:template>
+	
+</xsl:stylesheet>
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 6d9aa598..24e8febf 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -458,6 +458,18 @@
                 <ref bean="uk_default_regauth"/>
                 <ref bean="populateRegistrationAuthorities"/>
                 
+                <!--
+                    Add REFEDS Hide from Discovery category as a standardised
+                    equivalent to our HideFromWAYF element.
+                -->
+                <bean p:id="uk_addHideFromDiscovery" parent="XSLTransformationStage">
+                    <property name="XSLResource">
+                        <bean parent="ClassPathResource">
+                            <constructor-arg value="uk/add_hide_category.xsl"/>
+                        </bean>
+                    </property>                    
+                </bean>
+                
                 <ref bean="checkSchemas"/>
                 <ref bean="CHECK_std"/>
                 <ref bean="check_ukreg"/>
diff --git a/mdx/uk/check_uk_mdattr.xsl b/mdx/uk/check_uk_mdattr.xsl
index 47a257bc..df524d4f 100644
--- a/mdx/uk/check_uk_mdattr.xsl
+++ b/mdx/uk/check_uk_mdattr.xsl
@@ -77,6 +77,7 @@
 	-->
 	<xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='http://macedir.org/entity-category']
 		/saml:AttributeValue
+		[. != 'http://refeds.org/category/hide-from-discovery']
 		[. != 'http://www.geant.net/uri/dataprotection-code-of-conduct/v1']
 		">
 		<xsl:call-template name="error">

From 20d53211282502b07fc8fdd855e07248098b8342 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 12 Nov 2014 15:45:57 +0000
Subject: [PATCH 19/56] Add HideFromWAYF marker to IdPs marked as members of
 the REFEDS "Hide from Discovery" entity category.

---
 mdx/uk/add_hide_element.xsl | 50 +++++++++++++++++++++++++++++++++++++
 mdx/uk/generate.xml         | 12 +++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 mdx/uk/add_hide_element.xsl

diff --git a/mdx/uk/add_hide_element.xsl b/mdx/uk/add_hide_element.xsl
new file mode 100644
index 00000000..2b8010b6
--- /dev/null
+++ b/mdx/uk/add_hide_element.xsl
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	add_hide_element.xsl
+
+	Adds the UK federation "Hide from WAYF" marker element to IdPs which are already
+	labelled as members of the REFEDS "Hide from Discovery" entity category.
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+	
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	exclude-result-prefixes="md">
+
+	<!--Force UTF-8 encoding for the output.-->
+	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+	<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]/md:Extensions
+		[mdattr:EntityAttributes/saml:Attribute
+			[@Name = 'http://macedir.org/entity-category']
+			[@NameFormat = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+			[saml:AttributeValue[.='http://refeds.org/category/hide-from-discovery']]
+		]">
+		<xsl:copy>
+			<xsl:text>&#10;</xsl:text>
+			<xsl:text>        </xsl:text>
+			<xsl:element name="wayf:HideFromWAYF"/>
+			<xsl:apply-templates select="node()"/>
+		</xsl:copy>
+	</xsl:template>
+	
+	<!--By default, copy text blocks, comments and attributes unchanged.-->
+	<xsl:template match="text()|comment()|@*">
+		<xsl:copy/>
+	</xsl:template>
+	
+	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+	<xsl:template match="*">
+		<xsl:copy>
+			<xsl:apply-templates select="node()|@*"/>
+		</xsl:copy>
+	</xsl:template>
+	
+</xsl:stylesheet>
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index e4e7531e..06b09848 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -239,6 +239,18 @@
                 <ref bean="removeBlacklistedEntities"/>
                 <ref bean="standardImportActions"/>
                 
+                <!--
+                    Add UK federation HideFromWAYF element as an equivalent to membership in
+                    the REFEDS Hide from Discovery category.
+                -->
+                <bean p:id="uk_addHideFromWAYF" parent="XSLTransformationStage">
+                    <property name="XSLResource">
+                        <bean parent="ClassPathResource">
+                            <constructor-arg value="uk/add_hide_element.xsl"/>
+                        </bean>
+                    </property>                    
+                </bean>
+                
                 <!--
                     Silently remove entities which are marked as
                     having errors.

From a77d39fef46996d84a1da16b800fc2b32838441e Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 14 Nov 2014 15:29:21 +0000
Subject: [PATCH 20/56] Update to ukf-mda 0.8.5 to work round problem with
 mdui:IPHint validation.

---
 .../{ukf-mda-0.8.4.jar => ukf-mda-0.8.5.jar}  | Bin 63064 -> 63151 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename tools/ukf-mda/{ukf-mda-0.8.4.jar => ukf-mda-0.8.5.jar} (84%)

diff --git a/tools/ukf-mda/ukf-mda-0.8.4.jar b/tools/ukf-mda/ukf-mda-0.8.5.jar
similarity index 84%
rename from tools/ukf-mda/ukf-mda-0.8.4.jar
rename to tools/ukf-mda/ukf-mda-0.8.5.jar
index c92160a5e1eaf7317d405472515dc55333640c97..c3892cf21bed3a1affcef2ec974a0609b6d85409 100644
GIT binary patch
delta 3892
zcmY+Hc|26_7sv0+*keM*mR*!F7=!FZzV<aDOSUL`wq!}BQVAJfZiR@-nzfQ8WGS)}
z5=~?f$vQ%%sNalx`+k4l`D32<J?C?t=REgy?>*-kT|`wZq0m;QC<Zow{<AxOMn45D
z$zV$#Rni%3=;MH}41L@Yz<<oNG0aaPFvLsY-(b23<U`2sM1jT#0t7_FK^Tw+KrtjM
zIFDe14Brt)AUK57{v*+Zpb@FVO`nf!!Sg8}2>?_k05AhU#VL_WdDH}QM^wqh)WQPM
zTXYR0L@7Lb5D*n%cwlPg<%J{2{9LeYML-_~>C}XKU}6#XguOu$OYD%>UBLs6?NG$S
zw51ddQ}{tWm>Sg{G3;cVCYpn*p=G?y2mmJZjIou)+S9NqMdu;|n!c}$?Uxy;C;$j#
z0WTet0KFGPE8X<7pgf)!bHUrf90k!(8l|qwaFW>`;n3}?6gYF13G$|#En$F2C$bk_
ziYwX>ww<_G#|(J|ue-w$MACV9tG|+y7`W&u`Gg}oZD_YShywt0Q*-u#%{Rq~#~niV
z+VcK7gR8$f*e3yUa`U$FmyV*%JFaA;pjw@{86#WHX>q<?SeC7ywyT+I3wFB}z;yZ&
zw)lVxWjB?ez%Evejflm@483_1T_YuH@{z|~CT%%tS$*Q&`@_Fh76K7jt@Y|-iSOPA
zsm_L^w_g^??l~E(dizn<OZ`&MRpS2VktRc00TgR=y<&-FcITvnR$<(yP_?Uk><#HJ
zV|q@DZ#3MwTIRLCJ+4bfC9z5f?LK}nv+WdWuX;q00G09UyM?X~LEBa87+2O8Nk%#+
zxcT{0kLJA?<=FBjCw(j~6uQ(nRKD^mnRT5fxs1iL0BOj&SXSG3$JDn3d*Ute3UbrL
z%`{N|TKR_>w9;yw>2k7NDu*n~NU3LTu@J^Y?q#w1Ao*tYLWg}YSZfzK*|5+q+pCm{
zYYQ<?0&Dh~hv`a-aA;Tue{(K~Fpga^$6z`-qsBv*qzm-g60U{J<OQhf_TE`NX1=*v
zd-`<ItO2E&q>S9Y;u+Y}6=h0n`CzUZ;(<bx)d_W(V+;l}*|zKhQW71$UcgvHlFR?v
znCeRn^c6B!ek|B_|LOGS&36ZXzrpFLChWCTLFYFaoY*hhm{8_D?(EE=g{g2dUW_`k
zSlm&EQ_aUnZA5Xtx?O-(z|9-Jv7pXaNl8&7Ja1`RmKg_1oG?`$%#d>;4y$OSlFt5Z
ze&v3H<5%G-m7LbK;ZCvDyG3Aaf0<wVVDr~%pT6IAjzjMjWLBb?ALOffYTejdq_ig;
zfs9Rz7p+&RIzk)>-9@;mf+-1l@hw&jW5FzJ;o$G^<broEV`EN)NSmkSdly+uh^a0&
zdA_tnk3uCK{dsS8Ur?S@HE}WUAfxO4icz^_rY9giuc~Zj!^+sp*lxHs{wLn^!NpuA
z7Xp_AflHFBR)KZfT1-+EyLs#Yw(Xpc&&g`*2O+6Jo-)B4{&#9G%Q?PmwQVpXDvM`E
zFgi&y1>bZSnCx4^;`dzB^`7eg@!8d^Az{R<fuw5I5Z}Z$7M%NR{~qE<?*0tc@|@YQ
z`!WT1|Ea(TQ%Y;lL%eOa3(nuqiN#j?7}u>NwkMB7{#s3MoF)erJc+MSdC@d2x=yid
zmr6wHr+?pH?LFqiVRcD6+BP)zx(Uy<GWScXu171_x4K(3`7vr6iAPRQ76U=Sv#m+;
z+-jkIVJ&FijpmV~YE{pPj=nCeH|mCc^f_B>XYdBGvP;gH)i1005^C%d%Hz#8rOuU_
z`e&YU{9sW#Ot5*K-{yLTwP|hy*<M!Q>}3d8ZbbtD0^=-9=ZYx)aemnBq0QrI)pfP@
zytU6GO6x@w*WQ@Muc!ZDP7oehD@nUG?yoDYo`3gPrH5xoy_stPQGPhpVr#L^LOM*q
zz{KlA9^YI{MEPja(x}2bzu-jV?9!EKe2V0_vr|;zSs_Q&JQX7+lCAkYtHso6=L($p
zeU7%<WzjK2p$V=9bKhk7q2Nct3l5*vd^kMnKeJt4U|b$cuV++3h8**_EtvnX?wg=7
zd6p5afeq1{d0KJ+Bq~`*2+f4Qd%ndo)^_-9u-k;Vb7bTo^Zjnk_MgvwqE;9`jdk#G
zN@nywUI5pJQ9o`deV5jocQ5aemP$~2m0>QBD<{wEbzwyFi@>?<`rdmA+CmEvWA9_M
zu1%M<hsqea^>?JrO)4mbeAM8NL;_8^N)ZeW$mMoX8xnJ7g(FdDV_x_2saWZ(ILC%l
ziQn8B!`EfkS(V+QucJ0`;Wbs~3}!t%qm<{f(QlH&I{5v&`CD1FdVYcr<?GqJp4Lv}
z+vTYR-->(Q;Jd~AEcsFRI`iT$ruv*;$l35-@G)u6kvYC}&0kVqZxYBsq9+&o%uwf>
z+Fy6rqkbARwZvExXV*|1V=-AxTL?6VkUxc#{J6(Z(`LL=S4m?`ce~mA;fk-#g(GqX
zK7=^YFHtd~hK|xQ1GUZU&cU}I2a#${2~Ht5Vvt@|;!FCCjyf32Dedx!c8NpHghTBn
zzOUBsM!z|Qk3V=`tURk`5xRj8K1edOVOAv@oO%6yccFzhkrMo6r07EngLJ&X-WcG*
z=JxM4ACwKqRIus#sz>Y+Vq4>OfBs~CJ8tGo`{u)&qOm?exN1<pp<D$qVXR8WPoweC
z(pZc}O<cnK!meXajjblPekyZ}24|d17F#3!=^a=AdI8#%@*!^u0RZ1<)l(H}Fe<n2
zh{5$t{B9pyvDUKtIG}pgRw@ElwojE+aAmt!R|>ZRR?R(d^%Uz*gT3{`bqEG}mjgzQ
z$Usmqq7A{P5q&OQnycAfzkPsK2z#XffB?Eo5Wv7u41x)~I%-X1Ug^-(c-k@KWbC)z
z+nW@=)=IG;kx1K33N8&yuXrjBq_M4C7ZMTs&a729$llN)QR@AQ&+Pgu&Kg2>>#deZ
z>NocYH)*y(ob;lC#J(P`JCn_U1MEE~Lvbv}Z=Ym|??~9vLaQIm9vj@y@c1hL)$~Bs
z2*)!{F+vQOI5;0BvPQ>|bt<~!Es?*;!{XGE&E1Y5-*K{0MJ@U7be8E-64UY`;FPbp
z-0$3f{^RyX?WLXoE}_DG4O_x0d&IN$UEXJZ3R%WFOQ3ReOnFF1>W11T4*bqObwgLs
zXV%{%<8Ry-E!2gG%hnHqZeYr#{3uMVC33oD&qPNgM(k7hi3kf1myzJPZlvN~#E)^$
zsV>>OWE;W(hFxJ;<Bt3*#Q~4MKEQ3XgvKmsCq4FNGxn>U;KscGbEl`91BbdIT7Go0
z@*C&v@i!WnGbt99#4}I4&g=U2THsO`&-dvLtftWB?R`es#%y*qpGrIHuX&rt>)maW
z)#XQ|T^0^zo+Q?tcDCZx^jT@aQq`Zy<?Uv}b{xyRI@q76lAAL9)G_;`TH1TF&V%DO
zxJV;6S|^#5%1k%BoGu;~6Q{=EvQ+E2!@}#G+f@b8>i5oW6uzI}d#!qy`aZ*|tS^h2
zPA$4G@I$o(gBw&XydlOHYbVQRw>xZHy+I~w_@vONFh{0srKn1G*sY-~d{-yc#fN|V
z!a`AH;INoL%M^>GAFpT9=1}mvzg5m>+8^jDa=Ez6KRT{rwRr5C0s6A#F%wayg;GH0
zO8(&6K5Qk)ZLQYjd13`A=R@Uz_fiZj^rzCjt@{>eJK-wbtzd&!K8jbaA`mJGigrQY
zIF8~8c;!i~sT{Vir@vC=b>(ZN8IU}o3O&0RiqcNg4w_L8?YtWxi6RF<6Gah%^*^qI
zlSd#+^rQg<4O4<3WfIn5rmP|B<T^hXJEihRVhX{oX)6d^r_Vv~Zu%4iM?QK(Q2y~a
z1gtZT5O~e_LNGi7yYRDcc=2p7<P!aK27;7NVGyv*1we5A4=m1|g)E+*;YE8t!<s|$
zu&eqH$S=T}v;{vXifIuRhcCiu3@*Zn=`6vkKUs2v#JtPy@aoHE5OgnlLZGw)?=)xS
zG-P3=y6klJ|F+R!7!{5uQw5PqnIIxZlGao+f?}Cmpu#G2zyJ@g3L<^)?)YL>_d;{s
zrP;J{Xf`YG`Db=9`o}R}D}49`?W4qr27n{~cNELJgf62A4}o#3+&jX*YRKy+Xu@1t
z8-MseLi|&ja6j1dMOu_T<KrHKbZgon<;5-l(D{$>Gsv}OxieV+o0YsDZABRo05JTI
zCZl<0vcfg_9bu!ZUa=l+)lJ%}8vhac^zR6T*2ST{>8=YR8Q#)t`@p5)J+%F?i9_ek
z|BC{4|8v0!{Qms{Y+4tAp7Tjs^vVe6Iw6I#GDRSHQ2(A={|TXi>^~Ruc>E|WKn^^=
z!OrsM`wk{=@FFAWc13V>WB0!=-wMrsXM$$e<h3$or0s~l9}Pg87XVIB=vV&(bhDG+

delta 3818
zcmZXX2{=^m7soGS-?EIUWXnF5>_YO(78)i*q%2uNmWJ%hZ;T}ssp)24lOjuEM5RQE
z>_%BC%D!eq$P)dHd#hj1f1YRN{mePv^S<Za=ic|6w`>m4{{_KehC$G=0Mrjh@R~l6
zLzIr4I;y79u~A2|0Gc}P2;d*a?J>Yp{(_&I{GVW|2;5C`U?&PRrcr_bPoo9{trRFs
z%M8xYut0`Y8eIsqX%GLB9D<;h_6Rq1z7JUB<Xu_-_{snPCIGm9T!<u(_(Z!SB5^U)
zGeOkLQB4mK5y?XXQ6Vo9raBY~j`*;L3%1SgH9$Z*b%8dRnD)ECUYy7r8{|DJ?+nMj
zQB;8GhjI{1L27z1)v7<F+sQaZC`Yz>JL64y05}GK<ufLvw!`(Xig+ZFj)Qt#X`2mc
zHxU4Efe9q2iGVL=g-DJDnNS`T#$51a@tT7iP#Pr;6gbIj=OF0zk@oudGeBOVe=!|I
zM?%`+rMSWkVcVI=r;L!7@A6qV0-qQLU+UKNYf$2>d^agSwv(=60{|WBt>y!BvzWoU
zTl?`RPgx@kkz0HWp<aAsodKf}I%EDzcl8oZF*x<R`X8YaBYU9+Uz->o|K87<`@XMl
zwFqCA@+_6!R7)}h)6smPrMbB@`|J@nE%VVd<sLh$YRV=hC}rlw*4pwxplPA>k{fX_
z7Mt0NW6;oOd!_g>ij?{m$MMZq_Dyr%EsZj~ld&Fah2OY0`}|N8|AF)Q({{Y`9{urN
z{PV4ojK1MgIVmcdZ!Be-&Yo9i!qE3UjCyu8D(dh#LPqh+=FUaO!R3<?^eqPTbAxT)
zpX_GpTab+DO!oFcy9=TcnXuCCCd;zu%hzg9)?LXw969XqtplfTMX_*e^tr5Xe~Zbq
z#-p5dbZ)F1yf|Dm92z2e#%>t(J+<;IQtn)d;%OV%Ar<CWVpawU`_R%}lo%U1zQ#F?
z+6rcOc`2&1p;b5-fA_$#ho;0kEGj3Z-@lY~)=X_NmYQucZSae4%x{k$V7`>El$0XL
zqB+wd<t}bCF~cTf#qVXyQ_Ez@<P<=5_QVf-OFK-_r1>l?7uxIl_@EEQp1J4lda}^5
zL?oZx3gUWN{j2wBMO&AXDU9vx27+O2%{&iAHR2dAIdHbNK4_1Q;$nD-A`I2~rj;r-
z?81omv9h6)vNBTQ-W-a>22P65WF#k)cz@F(89on}B4T|~pNWx)?j)&Z8!oqr<ZAre
z<E>m*9rkx;^%Gq8f0cTrCw<_At;|&VuB;=-HSUGu#8hWNnZ?MkJBgzVL|2g?IRAee
z9D59$djm4Ns+y06_gBi?FO_?I+ielOUoZ5r4~oOcltokK9I3<h{nv;Ui$^P$1(cVx
zoH}h}gELRDdd2RV4i>c2%x>V~E!Olx;sexiy!`BkB}bJUR`<s7FDet#PVLERc73C9
z6lWuWls=~UpiWfUe^od;z4b;w%vXOg-<XQ<j3?yMqU<HDl$E|Qa)7|T$3>%j+T9C^
z+UB?+od-?2XHV=wlVW*#JSw~-LQI+pR!!=M%1!*V4k_jgEUHZ}+-!>Q>pfoKQjcGb
z)_!6*kA0#N5PpE`UxGY3>Sval<(P|ZleI8X@8_Mk!d2U*gHz_Xkt=?d_3z#`dy9P2
zN#{+_vMo*bDIe2R0voG8p;}I}guZT}ljNjW`Iu)vne91c706gzaN>HuV3q07bzS8f
z-epBf=QX08#4)a7mlr&FM<=uLJg+3-rz8qlhuTIFg&ztHy6g*zyLpo)>q|;*b1Sc{
zt(8PY+|T}SNw=q=ET-+=;+)Z3zjjS{TE@7ij-)AhPNE0hZ~E5Ysw>jM!{cjtm>e3d
z*g07d+URBd$-KbgQGaN5VLT@Mt!3DqWP{gJt^3MGg2W8<T;p7<ZniT#D-=#E!k1U|
zTx3J<zmn&9>(G*Em&5K^z4bV+M}(TBS>JP~%!Tqc@+6ok2W@^<l&G5Q%_Z(r9y7Nr
z^8P47?kRSB@j7DIxA+6|ef8+B0*L`*2d5*5&BEP?Fpd_Au}r&}OZ>eBsdoE<h}dk~
zb&gy9U))p%60rfTs-aOX&MIMqPfPd;G5c4Fq1{=L*;i4~*?wi{O&-45GHLfj)J7n`
zPmv(@PPJdK8ZGk|>}LbfP3P&34M#C102kG0%_Uh^8Z6rV_(gb8o_XyuG1|W&PYA&~
zSdv#GLw>ixn$GK``<#%dpLwoET3I!awfyLnr@o9c;2|%6D{p^du{?RpaSV^q^V3fc
zON&%By4WHtr$+8w7RnveKRuu0{v<A$H7NI|z5VpZa$Qba-nNy`uPG)b+(C$lIHwHv
z4aDGdt?8HP=W)-)(u^uEI63^Y$s?fR<@8g6W8ftqP$VC4nc@Bv&T3svha#>dyY6`4
zkj9am!8$SGA%kxxDl^0jusqN4ZVFNS%^lzpe}qj=Ly*noH|oak*luo=5iJt}L!~&=
zq}2P0>Fk=!^lyakYs`3skyp<OkN<M4`$N~Q{*8l|tP&FL?=f{wK%I8wNHp}=-=r>4
zv=$=LZD8D$*kP)5k;GjpblY3fNW-zYG`G^ijIUYs$zg*BN%Z$bU6mrHd3bLg8|8hq
zMgObRGXc~RM$*YphHFi5RtH>7j^%W)L$!v#R1mH@+Le#ss`LG630$TN>e}GS7Sx%-
zuv0h>G$L`HGyuT0T|8C))Std3B+0rrfQF9Rn}A(?Xb3j@4nv^bZ@?59w5I=2jr|1}
z-)}~P1PA&p@b`np1O#lyrc3ix*C!?#YeJlGl7@y&Tc3B!+asK>THnINhUjzb;{1Wg
zKH<S&@4|IbWt3Gy-}&<Cy{AW7hO|~U6ton0=si$8E4#V4Cz#rCL)GpK=gKuuF)|p%
z7=0Ime+A<*rH=bdhh{0}RS_J>`@~RJeQ^1a?srQb<lyOQ^}KWY#$QPi@N+Yqt35v$
zOPk|myz{NkcpI6-_?|RG1O-NxcJKK<`C#(!;=ha8ffH3si6^-2w-VE@aALW2xJ#4>
zy>u7%t}?hRC=!XePl{eo;X9QYg|DextSUD#LWN`#w6%25=IV_seK%Ech>@P;+}?rf
zo<vVs;{-fVpjbAmzT`?sy#{RhDEW>jVdv0$kx{XlNn&Fbx;<4kVdlx}LmDquvKwtw
zV)Io8E-<5po5>5lL)9Lx&m1?$=n}-bnbq>${l$9{xl*GqxLb^eO(oQ6vi$IMNfJm5
z$8d{viqRK;yx2Qtr&oFJ)$NXvB;kZeOnu_xXdK>-bU-RTtMa=e?`q}%s+*CX*QKak
zcY5-5I{A&St=w_H%vSGvE*U<JOii9gM{v<;y?571a&<yCI9K&h9T|34p4JRL7~RJn
z$8Yv@{q5X5>r{r&>YPd8NjGe;N$|Taw#|$l7L-T&iK92-b&8W%i{qYB_&*_^pI7Ag
zl6a}z>izZf@uw{w*gfMe!DT85l-huI@2k(>NO1IxA*!-gH2#==?DZ!7xv4DD)l$BW
zUahvFFW8C_CdybZDSdZWbiheK_@#x1r(4n~!-pYf%09ieZu)0{g#Rc`$3$(81vefC
zgC(CGB&6HT6_l(LR30fQJXBITfn(v={;!}iERB(q?r7^IsdkaNl!rmZp@Y!l>NTXi
z(_MpihO~EH6mWb<4g%D$A_SOW*mZ4K7qYw^J_>=r2nGVL5eo=jj+p*(@qu!q@Dxs?
zW{|aNG!O!XF;@uE#@v~y@9*=(1aupyIKc}Fjl=D?<G3xPsU1HLf$W4e1aTAaJT#NO
zkR@=^2ZE`|00_=bc|*|s3-qS_Axq6Pyt>#7tVx=IUF@?k#LmJR%B&|8W%mUZcYJ}<
zK+nO6rOd&rGgBNPu{Y%`ygJ1M0+D$a2(He%L$ES`4g$xo_B(y}pQaaV`wGV^F7VL~
zr2lS!aSI|s)ce&+kWGl$-k-?ZZM(vM4nz3_9<Y4jA7QG-DOa!I96JD%>;nMoUz+jk
z-xHQC?gO!lf>0v3MLyc<lK=SRAp6j^{XOZoUFe%MWH<fBM|<<>Z~KKxMo_+H4`}uk
zI<J5=+kV};zx<!;g#P#ymiTD7JOB8X#CH<^d-MI1c|M`E=eM|TNf>&FH<tKlJVDg5
zpfGh){-Xu}(cgbKfuBE9`@pSbaWG<-?f--_e+l1Hg>o`x7#dn6f_fBX0)Fl3<n5DR
qyEp(S{SE+te1ZtLxvV4f>rM3B_FdTiYW$_q1MOB!80d$n#{U6&Rgtg&


From 6029f5e8a7c73f62765067bd237330f6318303df Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 17 Nov 2014 15:09:02 +0000
Subject: [PATCH 21/56] Apply the same rules to generate the export aggregate
 as we have been using for the export preview aggregate.

---
 mdx/uk/generate.xml | 79 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 78 insertions(+), 1 deletion(-)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 06b09848..d346dc5b 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -689,7 +689,7 @@
     </bean>
     
     <bean id="uk_exportSelector" parent="XPathItemSelectionStrategy">
-        <constructor-arg value="/md:EntityDescriptor[md:Extensions/ukfedlabel:ExportOptIn]"/>
+        <constructor-arg value="/md:EntityDescriptor[not(md:Extensions/ukfedlabel:ExportOptOut)]"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
     
@@ -706,6 +706,83 @@
         p:id="uk_exportPipeline">
         <property name="stages">
             <list>
+                <!--
+                    Additional rules excluding entities from the aggregate.
+                    
+                    The basic rule (expressed in uk_exportPreviewSelector) is that
+                    entities are excluded if they do not have the ExportOptOut label.
+                    Additional rules below are applied to entities which do not
+                    have the ExportOptIn label: in other words, a rule in this section
+                    can always be overridden by an explicit ExportOptIn.
+                -->
+                <bean p:id="exclusion" parent="SplitMergeStage">
+                    
+                    <!-- select entities with ExportOptIn label -->
+                    <property name="selectionStrategy">
+                        <bean parent="XPathItemSelectionStrategy">
+                            <constructor-arg value="/md:EntityDescriptor[md:Extensions/ukfedlabel:ExportOptIn]"/>
+                            <constructor-arg ref="commonNamespaces"/>
+                        </bean>
+                    </property>
+                    
+                    <!--
+                        Pipeline for selected (explicitly opted in) items.
+                    -->
+                    <property name="selectedItemPipeline">
+                        <bean p:id="selectedItemPipeline" parent="SimplePipeline">
+                            <property name="stages">
+                                <list>
+                                    <!-- nothing required -->
+                                </list>
+                            </property>
+                        </bean>
+                    </property>
+                    
+                    <!--
+                        The pipeline for unselected (not explicitly opted in) items removes entities
+                        matching specific rules.
+                    -->
+                    <property name="nonselectedItemPipeline">
+                        <bean p:id="nonSelectedItemPipeline" parent="SimplePipeline">
+                            <property name="stages">
+                                <list>
+                                    
+                                    <!-- Identity providers lacking support for SAML 2.0 -->
+                                    <bean p:id="SAML1onlyIdPs" parent="XPathFilteringStage"
+                                        p:XPathExpression="md:IDPSSODescriptor
+                                        [not(contains(@protocolSupportEnumeration,'urn:oasis:names:tc:SAML:2.0:protocol'))]">
+                                    </bean>
+                                    
+                                    <!-- Aggregated schools sector identity providers -->
+                                    <!--
+                                        Preferred implementation:
+                                        
+                                        <bean p:id="syntheticScopes" parent="XPathFilteringStage"
+                                            p:XPathExpression="shibmd:Scope[ends-with(., '.eng.ukfederation.org.uk']"/>
+                                        
+                                        Unfortunately, the "ends-with" function is an XPath 2 feature, so we settle for
+                                        using "contains" instead; in our case it is equivalent.
+                                    -->
+                                    <bean p:id="syntheticScopes" parent="XPathFilteringStage"
+                                        p:XPathExpression="//shibmd:Scope[contains(., '.eng.ukfederation.org.uk')]"/>
+                                    <!-- Specific providers not caught by the previous condition -->
+                                    <bean p:id="GlowScotland" parent="EntityFilterStage">
+                                        <property name="designatedEntities">
+                                            <set>
+                                                <value>https://idp.glowscotland.org.uk/shibboleth</value>
+                                            </set>
+                                        </property>
+                                    </bean>
+                                    
+                                    <!-- Identity providers with regular expression scopes -->
+                                    <bean p:id="regexScopes" parent="XPathFilteringStage"
+                                        p:XPathExpression="//shibmd:Scope[@regexp='true']"/>
+                                </list>
+                            </property>
+                        </bean>
+                    </property>
+                </bean>
+
                 <!--
                     Enforce IdP display name uniqueness before assembling aggregate
                 -->

From e949cf897c91c4aede73448f3a2c968ed384a6fb Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 21 Nov 2014 14:51:19 +0000
Subject: [PATCH 22/56] Disable InCommon pilot import pipeline now that all
 entities involved are available through eduGAIN.

---
 mdx/uk/generate.xml | 20 +-------------------
 1 file changed, 1 insertion(+), 19 deletions(-)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index d346dc5b..666fa9a4 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -26,7 +26,6 @@
     <!--
         Import beans from other channels.
     -->
-    <import resource="classpath:us_incommon/beans.xml"/>
     <import resource="classpath:int_edugain/beans.xml"/>
 
 
@@ -298,23 +297,6 @@
         </property>
     </bean>
     
-    <bean id="uk_us_incommon_importPipeline" parent="SimplePipeline"
-        p:id="uk_us_incommon_importPipeline">
-        <property name="stages">
-            <list>
-                <ref bean="us_incommon_exportedEntities"/>
-
-                <!--
-                    Entity Attribute policy for entities from the InCommon pilot.
-                -->
-                <ref bean="stripMdattrNamespace"/>
-
-                <ref bean="importCommonTail"/>
-                <ref bean="uk_hide_idps"/>
-            </list>
-        </property>
-    </bean>
-    
     
     <!--
         ***************************************************
@@ -1216,7 +1198,7 @@
                     <property name="mergedPipelines">
                         <list>
                             <!-- entries earlier in the list have higher precedence -->
-                            <ref bean="uk_us_incommon_importPipeline"/>
+                            <!-- List is currently empty. -->
                         </list>
                     </property>
                 </bean>

From 2337c2a08268426074fbcc603dbd52895659b0f8 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 21 Nov 2014 15:46:46 +0000
Subject: [PATCH 23/56] Simplify by removing the member/non-member owner
 distinction, now that all owners are members.

---
 mdx/uk/statistics.xsl | 34 ++--------------------------------
 1 file changed, 2 insertions(+), 32 deletions(-)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index ef784dab..422023f1 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -42,20 +42,12 @@
         <xsl:variable name="now" select="date:date-time()"/>
 
         <!--
-            Break down the "members" document, which despite its name
-            describes all known entity owners, whether members or non-members.
+            Break down the "members" document.
         -->
         <!-- federation members -->
         <xsl:variable name="members" select="$memberDocument//members:Member"/>
         <xsl:variable name="memberCount" select="count($members)"/>
         <xsl:variable name="memberNames" select="$members/members:Name"/>
-        <!-- federation non-member owners -->
-        <xsl:variable name="nonMembers" select="$memberDocument//members:NonMember"/>
-        <xsl:variable name="nonMemberCount" select="count($nonMembers)"/>
-        <xsl:variable name="nonMemberNames" select="$nonMembers/members:Name"/>
-        <!-- owners are the union of the above -->
-        <xsl:variable name="owners" select="$members | $nonMembers"/>
-        <xsl:variable name="ownerNames" select="$memberDocument//members:Name"/>
         
         <xsl:variable name="entities" select="//md:EntityDescriptor"/>
         <xsl:variable name="entityCount" select="count($entities)"/>
@@ -404,28 +396,6 @@
                     </li>
                 </ul>
 
-                <h3>Additional Non-member Entity Owners</h3>
-                <p>
-                    In addition, the UK federation operator maintains agreements with certain
-                    other organisations so that metadata for entities belonging to those
-                    organisations can be published within the UK federation metadata for the
-                    benefit of UK federation members.
-                </p>
-                <p>Number of non-member relationships: <xsl:value-of select="$nonMemberCount"/></p>
-                <table border="1" cellspacing="2" cellpadding="4">
-                    <tr>
-                        <th align="left">Non-member agreement</th>
-                        <th>Entities</th>
-                        <th>IdPs</th>
-                        <th>SPs</th>
-                        <th>OSrc</th>
-                        <th align="left">Scope</th>
-                    </tr>
-                    <xsl:apply-templates select="$nonMembers" mode="count">
-                        <xsl:with-param name="entities" select="$entities"/>
-                    </xsl:apply-templates>
-                </table>
-                
 
                 <!--
                     *********************************************
@@ -960,7 +930,7 @@
                     its type, the software used, etc. 
                  </p>
                 <ul>
-                    <xsl:apply-templates select="$ownerNames" mode="enumerate">
+                    <xsl:apply-templates select="$memberNames" mode="enumerate">
                         <xsl:with-param name="entities" select="$entities"/>
                     </xsl:apply-templates>
                 </ul>

From 44554551d64c0d4048200dd71961a6f757d9aff7 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 24 Nov 2014 17:32:39 +0000
Subject: [PATCH 24/56] Change opt-in/out emphasis by reversing them on
 statistics page, changing titles.

---
 mdx/uk/statistics.xsl | 44 +++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index 422023f1..d58a0d1c 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -129,8 +129,8 @@
                     <li><p><a href="#membersByScope">Members by Primary Scope</a></p></li>
                     <li><p><a href="#undeployedMembers">Members Lacking Deployment</a></p></li>
                     <li><p><a href="#shib13">Shibboleth 1.3 Remnants</a></p></li>
-                    <li><p><a href="#exportOptIn">Export Aggregate: Entities Opted In</a></p></li>
-                    <li><p><a href="#exportOptOut">Export Preview Aggregate: Entities Opted Out</a></p></li>
+                    <li><p><a href="#exportOptOut">Export Aggregate: Entities Opted Out</a></p></li>
+                    <li><p><a href="#exportOptIn">Export Aggregate: Entities Explicitly Opted In</a></p></li>
                     <li><p><a href="#nosaml2">Entities Without SAML 2.0 Support</a></p></li>
                 </ul>
                 
@@ -1048,19 +1048,19 @@
  
  
                 <!--
-                    *************************************
-                    ***                               ***
-                    ***   E X P O R T   O P T   I N   ***
-                    ***                               ***
-                    *************************************
+                    ***************************************
+                    ***                                 ***
+                    ***   E X P O R T   O P T   O U T   ***
+                    ***                                 ***
+                    ***************************************
                 -->
                 
-                <h2><a name="exportOptIn">Export Aggregate: Entities Opted In</a></h2>
-                <xsl:variable name="entities.export" select="$entities[descendant::ukfedlabel:ExportOptIn]"/>
-                <xsl:variable name="entities.export.count" select="count($entities.export)"/>
-                <xsl:if test="$entities.export.count != 0">
+                <h2><a name="exportOptOut">Export Aggregate: Entities Opted Out</a></h2>
+                <xsl:variable name="entities.export.opt.out" select="$entities[descendant::ukfedlabel:ExportOptOut]"/>
+                <xsl:variable name="entities.export.opt.out.count" select="count($entities.export.opt.out)"/>
+                <xsl:if test="$entities.export.opt.out.count != 0">
                     <ul>
-                        <xsl:for-each select="$entities.export">
+                        <xsl:for-each select="$entities.export.opt.out">
                             <li>
                                 <xsl:value-of select="@ID"/>
                                 <xsl:text>: </xsl:text>
@@ -1102,19 +1102,19 @@
                 </xsl:if>
                 
                 <!--
-                    ***************************************
-                    ***                                 ***
-                    ***   E X P O R T   O P T   O U T   ***
-                    ***                                 ***
-                    ***************************************
+                    *************************************
+                    ***                               ***
+                    ***   E X P O R T   O P T   I N   ***
+                    ***                               ***
+                    *************************************
                 -->
                 
-                <h2><a name="exportOptOut">Export Preview Aggregate: Entities Opted Out</a></h2>
-                <xsl:variable name="entities.export.opt.out" select="$entities[descendant::ukfedlabel:ExportOptOut]"/>
-                <xsl:variable name="entities.export.opt.out.count" select="count($entities.export.opt.out)"/>
-                <xsl:if test="$entities.export.opt.out.count != 0">
+                <h2><a name="exportOptIn">Export Aggregate: Entities Explicitly Opted In</a></h2>
+                <xsl:variable name="entities.export" select="$entities[descendant::ukfedlabel:ExportOptIn]"/>
+                <xsl:variable name="entities.export.count" select="count($entities.export)"/>
+                <xsl:if test="$entities.export.count != 0">
                     <ul>
-                        <xsl:for-each select="$entities.export.opt.out">
+                        <xsl:for-each select="$entities.export">
                             <li>
                                 <xsl:value-of select="@ID"/>
                                 <xsl:text>: </xsl:text>

From 511f73260576b477236ec2e869efb10e8a4fd153 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 9 Dec 2014 18:18:08 +0000
Subject: [PATCH 25/56] Override timeouts on HTTP fetches.

Resolves #1 from GitHub.
---
 mdx/common-beans.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 669ca938..4f0cbf0b 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -836,10 +836,22 @@
         httpClientBuilder
         
         Factory for the httpClient bean below.
+        
+        Sets the option to ignore validation of a server's TLS credentials.
+        
+        Sets socket and connection timeouts explicitly (to 100s) to
+        override the tight defaults in java-support, see:
+        
+            https://github.com/ukf/ukf-meta/issues/1
+            https://issues.shibboleth.net/jira/browse/JSPT-48
+            
+        These options can be removed once the underlying issue has been resolved.
     -->
     <bean id="httpClientBuilder"
         class="net.shibboleth.utilities.java.support.httpclient.HttpClientBuilder"
         p:connectionDisregardSslCertificate="true"
+        p:socketTimeout="100000"
+        p:connectionTimeout="100000"
     />
 
     <!--

From 86bf8974062212477641cb412a202c17ee5ea72e Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 11 Dec 2014 16:57:57 +0000
Subject: [PATCH 26/56] Remove now-unused stage to hide imported IdPs.

---
 mdx/uk/beans.xml     | 18 ------------------
 mdx/uk/hide_idps.xsl | 45 --------------------------------------------
 2 files changed, 63 deletions(-)
 delete mode 100644 mdx/uk/hide_idps.xsl

diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 24e8febf..2989b872 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -214,24 +214,6 @@
     </bean>
     
     
-    <!--
-        uk_hide_idps
-        
-        Hide IdPs (which we assume have been imported) from the WAYF/CDS.
-
-        Requires that IdPs already have EntityDescriptor/Extensions elements to put
-        the HideFromWAYF element into.
-    -->
-    <bean id="uk_hide_idps" parent="XSLTransformationStage"
-        p:id="uk_hide_idps">
-        <property name="XSLResource">
-            <bean parent="ClassPathResource">
-                <constructor-arg value="uk/hide_idps.xsl"/>
-            </bean>
-        </property>
-    </bean>
-
-
     <!--
         check_ukreg
         
diff --git a/mdx/uk/hide_idps.xsl b/mdx/uk/hide_idps.xsl
deleted file mode 100644
index fd4e557a..00000000
--- a/mdx/uk/hide_idps.xsl
+++ /dev/null
@@ -1,45 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-	hide_idps.xsl
-
-    Hide IdPs (which we assume have been imported) from the WAYF/CDS.
-    
-    Requires that IdPs already have EntityDescriptor/Extensions elements to put
-    the HideFromWAYF element into.
-    
--->
-<xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="md">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]/md:Extensions">
-		<xsl:copy>
-			<xsl:text>&#10;</xsl:text>
-			<xsl:text>        </xsl:text>
-			<xsl:element name="wayf:HideFromWAYF"/>
-			<xsl:apply-templates select="node()"/>
-		</xsl:copy>
-	</xsl:template>
-	
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
-</xsl:stylesheet>

From 81d42be85047a2ac9f1d841e6ed14f447bec7c68 Mon Sep 17 00:00:00 2001
From: Alex Stuart <Alex.Stuart@ed.ac.uk>
Date: Mon, 15 Dec 2014 08:32:02 +0000
Subject: [PATCH 27/56] Increased metadata validity interval to 21 days for the
 Christmas and New Year holiday period.

---
 mdx/uk/final_tweak.xsl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mdx/uk/final_tweak.xsl b/mdx/uk/final_tweak.xsl
index f27f7e9a..86e4e700 100644
--- a/mdx/uk/final_tweak.xsl
+++ b/mdx/uk/final_tweak.xsl
@@ -44,7 +44,7 @@
 		This parameter determines the number of days between the aggregation instant and the
 		end of validity of the signed metadata.
 	-->
-	<xsl:param name="validityDays" select="14"/>
+	<xsl:param name="validityDays" select="21"/>
 	
 	<xsl:variable name="now" select="date:date-time()"/>
 	<xsl:variable name="validUntil" select="mdxDates:dateAdd($now, $validityDays)"/>

From 6019b4ebc250bca5b4b1af48cc0a253bea95e000 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 15 Dec 2014 11:34:23 +0000
Subject: [PATCH 28/56] Pivot to make hide from discovery entity category
 primary.

We still use the legacy marker in fragment files, but all decisions are made on the basis of the entity category.
---
 mdx/uk/generate.xml   | 13 ++++++++++++-
 mdx/uk/statistics.xsl | 33 ++++++++++++++++++++++++---------
 2 files changed, 36 insertions(+), 10 deletions(-)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 666fa9a4..f7c586d7 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -358,8 +358,19 @@
         ***************************************
     -->
     
+    <!--
+    	Select all entities which are not both:
+    	
+    	   * identity providers, and
+    	   * members of the "hide from discovery" entity category.
+    -->
     <bean id="uk_wayfSelector" parent="XPathItemSelectionStrategy">
-        <constructor-arg value="/md:EntityDescriptor[not(md:Extensions/wayf:HideFromWAYF)]"/>
+        <constructor-arg value="/md:EntityDescriptor[not(md:IDPSSODescriptor and
+            md:Extensions[mdattr:EntityAttributes/saml:Attribute
+                [@Name = 'http://macedir.org/entity-category']
+                [@NameFormat = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+                [saml:AttributeValue[.='http://refeds.org/category/hide-from-discovery']]
+            ])]"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
     
diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index d58a0d1c..a5909989 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -15,17 +15,18 @@
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:members="http://ukfederation.org.uk/2007/01/members"
-    xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
     xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
     xmlns:math="http://exslt.org/math"
     xmlns:date="http://exslt.org/dates-and-times"
     xmlns:dyn="http://exslt.org/dynamic"
     xmlns:set="http://exslt.org/sets"
     xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-    exclude-result-prefixes="xsl alg ds init md mdui xsi members wayf ukfedlabel math date dyn set idpdisc"
+    exclude-result-prefixes="xsl alg ds init md mdattr mdui saml xsi members ukfedlabel math date dyn set idpdisc"
     version="1.0">
 
     <xsl:output method="html" omit-xml-declaration="yes"/>
@@ -72,9 +73,6 @@
         <xsl:variable name="dualEntities" select="$entities[md:IDPSSODescriptor][md:SPSSODescriptor]"/>
         <xsl:variable name="dualEntityCount" select="count($dualEntities)"/>
         
-        <xsl:variable name="concealedCount" select="count($idps[md:Extensions/wayf:HideFromWAYF])"/>
-        <xsl:variable name="accountableCount"
-            select="count($idps[md:Extensions/ukfedlabel:AccountableUsers])"/>
         <xsl:variable name="federationMemberEntityCount"
             select="count($entities[md:Extensions/ukfedlabel:UKFederationMember])"/>
         
@@ -547,10 +545,18 @@
                 <p>Of these:</p>
                 <ul>
                     <li>
-                        <p>Hidden from main WAYF: <xsl:value-of select="$concealedCount"/>
+                        <xsl:variable name="concealedCount"
+                            select="count($idps[md:Extensions/mdattr:EntityAttributes/saml:Attribute
+                                [@Name = 'http://macedir.org/entity-category']
+                                [@NameFormat = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+                                [saml:AttributeValue[.='http://refeds.org/category/hide-from-discovery']]
+                            ])"/>
+                        <p>Hidden from main CDS: <xsl:value-of select="$concealedCount"/>
                         (<xsl:value-of select="format-number($concealedCount div $idpCount, '0.0%')"/>).</p>
                     </li>
                     <li>
+                        <xsl:variable name="accountableCount"
+                            select="count($idps[md:Extensions/ukfedlabel:AccountableUsers])"/>
                         <p>Asserting user accountability: <xsl:value-of select="$accountableCount"/>
                         (<xsl:value-of select="format-number($accountableCount div $idpCount, '0.0%')"/>).</p>
                     </li>
@@ -614,7 +620,10 @@
                                         <li>
                                             <xsl:value-of select="@ID"/>
                                             <xsl:text>: </xsl:text>
-                                            <xsl:if test="md:Extensions/wayf:HideFromWAYF"> [H]</xsl:if>
+                                            <xsl:if test="md:Extensions/mdattr:EntityAttributes/saml:Attribute
+                                                [@Name = 'http://macedir.org/entity-category']
+                                                [@NameFormat = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+                                                [saml:AttributeValue[.='http://refeds.org/category/hide-from-discovery']]"> [H]</xsl:if>
                                             <xsl:value-of select="@entityID"/>
                                         </li>
                                     </xsl:for-each>
@@ -952,7 +961,10 @@
                 </p>
                 <ul>
                     <xsl:for-each select="$idps[not(md:Extensions/ukfedlabel:AccountableUsers)]
-                            [not(md:Extensions/wayf:HideFromWAYF)]">
+                        [not(md:Extensions/mdattr:EntityAttributes/saml:Attribute
+                            [@Name = 'http://macedir.org/entity-category']
+                            [@NameFormat = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+                            [saml:AttributeValue[.='http://refeds.org/category/hide-from-discovery']])]">
                         <xsl:sort select="md:Organization/md:OrganizationDisplayName"/>
                         <li>
                             <xsl:value-of select="@ID"/>:
@@ -1322,7 +1334,10 @@
                             <xsl:text>:</xsl:text>
                             <xsl:if test="not(md:Extensions/ukfedlabel:UKFederationMember)"> [not-M]</xsl:if>
                             <xsl:if test="md:IDPSSODescriptor"> [IdP]</xsl:if>
-                            <xsl:if test="md:Extensions/wayf:HideFromWAYF"> [H]</xsl:if>
+                            <xsl:if test="md:Extensions/mdattr:EntityAttributes/saml:Attribute
+                                [@Name = 'http://macedir.org/entity-category']
+                                [@NameFormat = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+                                [saml:AttributeValue[.='http://refeds.org/category/hide-from-discovery']]"> [H]</xsl:if>
                             <xsl:if test="md:SPSSODescriptor"> [SP]</xsl:if>
                             <xsl:if test="descendant::mdui:UIInfo"> [UIInfo]</xsl:if>
                             <xsl:apply-templates select="md:Extensions/ukfedlabel:Software" mode="short"/>

From 4053e53a21b2805328101821a0718eb7ef80bd4b Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 15 Dec 2014 11:49:30 +0000
Subject: [PATCH 29/56] Remove a couple of redundant stages.

We have removed all KeyName elements from UK federation metadata, so we no longer need to explicitly strip them on export.
---
 mdx/uk/generate.xml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index f7c586d7..17adf851 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -784,7 +784,6 @@
                 
                 <ref bean="stripUkfedlabelNamespace"/>
                 <ref bean="stripWayfNamespace"/>
-                <ref bean="stripKeyNames"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="stripEntityScopes"/>
                 <ref bean="removeEmptyExtensions"/>
@@ -910,7 +909,6 @@
                 
                 <ref bean="stripUkfedlabelNamespace"/>
                 <ref bean="stripWayfNamespace"/>
-                <ref bean="stripKeyNames"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="stripEntityScopes"/>
                 <ref bean="removeEmptyExtensions"/>

From 1fd204cfcbef0603632919cea7a46f16907f5a7a Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 15 Dec 2014 12:25:33 +0000
Subject: [PATCH 30/56] Remove HideFromWAYF element and wayf namespace from
 test aggregate.

---
 mdx/uk/generate.xml     | 1 +
 mdx/uk/ns_norm_test.xsl | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 17adf851..a31c63fc 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -641,6 +641,7 @@
                 <ref bean="errorTerminatingFilter"/>
                 
                 <ref bean="uk_assemble"/>
+                <ref bean="stripWayfNamespace"/>
                 <ref bean="performOtherFixups"/>
                 <ref bean="uk_finaliseTest"/>
                 <ref bean="uk_normaliseTest"/>
diff --git a/mdx/uk/ns_norm_test.xsl b/mdx/uk/ns_norm_test.xsl
index 536de548..0b30b813 100644
--- a/mdx/uk/ns_norm_test.xsl
+++ b/mdx/uk/ns_norm_test.xsl
@@ -39,7 +39,7 @@
 	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
-	exclude-result-prefixes="alg md mdattr saml xenc"
+	exclude-result-prefixes="alg md mdattr saml wayf xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

From 1a75f3f288a2d2e6d2e31d45bfa8f253afe2bca9 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 15 Dec 2014 15:13:29 +0000
Subject: [PATCH 31/56] Hoist mdattr and saml namespace prefixes in the test
 aggregate.

---
 mdx/uk/ns_norm_test.xsl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mdx/uk/ns_norm_test.xsl b/mdx/uk/ns_norm_test.xsl
index 0b30b813..23b6bdac 100644
--- a/mdx/uk/ns_norm_test.xsl
+++ b/mdx/uk/ns_norm_test.xsl
@@ -39,7 +39,7 @@
 	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
-	exclude-result-prefixes="alg md mdattr saml wayf xenc"
+	exclude-result-prefixes="alg md wayf xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

From 02f70b86fbdaf87daf8bd4505dd87d65c3e8aa43 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 16 Dec 2014 12:07:20 +0000
Subject: [PATCH 32/56] Remove md:RoleDescriptor elements from imported
 metadata.

These elements require additional schema definitions to be useful, and if those are not present at consuming entities schema validation errors will occur. We therefore strip them out entirely. This will mainly affect ADFS entities, but won't immediately allow those to be accepted as they also tend to have invalid AssertionConsumerService bindings.
---
 mdx/clean-import.xsl | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mdx/clean-import.xsl b/mdx/clean-import.xsl
index f1a0095c..17a112a5 100644
--- a/mdx/clean-import.xsl
+++ b/mdx/clean-import.xsl
@@ -22,6 +22,9 @@
 	<xsl:template match="md:EntityDescriptor/@cacheDuration"/>
 	<xsl:template match="md:EntityDescriptor/@validUntil"/>
 	
+	<!-- Remove md:RoleDescriptor elements, which require additional schemas to be available. -->
+	<xsl:template match="md:RoleDescriptor"/>
+	
 	<!-- strip xml:base entirely -->
 	<xsl:template match="@xml:base"/>
 	

From 95446e3efde97ed9e0ba3698d35a53bffc5a12e0 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 16 Jan 2015 15:35:54 +0000
Subject: [PATCH 33/56] Permit REFEDS R&S category support on UKf-registered
 entities.

---
 mdx/uk/check_uk_mdattr.xsl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mdx/uk/check_uk_mdattr.xsl b/mdx/uk/check_uk_mdattr.xsl
index df524d4f..a8a0dbcd 100644
--- a/mdx/uk/check_uk_mdattr.xsl
+++ b/mdx/uk/check_uk_mdattr.xsl
@@ -93,6 +93,7 @@
     -->
 	<xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='http://macedir.org/entity-category-support']
 		/saml:AttributeValue
+		[. != 'http://refeds.org/category/research-and-scholarship']
 		">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">

From adbe5102a4a6db15be8a5b45530c9c65c9705370 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 22 Jan 2015 17:02:14 +0000
Subject: [PATCH 34/56] Validate cryptographic algorithms in metadata.

Covers EncryptionMethod, SigningMethod and DigestMethod elements.
---
 mdx/_rules/check_uk_algorithms.xsl | 195 +++++++++++++++++++++++++++++
 mdx/validation-beans.xml           |  13 ++
 2 files changed, 208 insertions(+)
 create mode 100644 mdx/_rules/check_uk_algorithms.xsl

diff --git a/mdx/_rules/check_uk_algorithms.xsl b/mdx/_rules/check_uk_algorithms.xsl
new file mode 100644
index 00000000..10db2ce2
--- /dev/null
+++ b/mdx/_rules/check_uk_algorithms.xsl
@@ -0,0 +1,195 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_uk_algorithms.xsl
+	
+	Checking ruleset for cryptographic algorithms. This is named as a UK
+	ruleset because the division between acceptable and unacceptable algorithms
+	is sometimes a judgement call; however, it should be generally
+	applicable.
+
+	The best reference for *all* URIs used as algorithm identifiers is the
+	XML Security Algorithm Cross-Reference at http://www.w3.org/TR/xmlsec-algorithms/
+	Algorithm lists here are in the same order as in that document.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	<!--
+        *************************************
+        ***                               ***
+        ***   S I G N I N G M E T H O D   ***
+        ***                               ***
+        *************************************
+    -->
+	
+	<!--
+        Check for known BAD SigningMethod algorithms.
+    -->
+	<xsl:template match="alg:SigningMethod[
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-md5'
+		]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>insecure algorithm in SigningMethod: '</xsl:text>
+				<xsl:value-of select="@Algorithm"/>
+				<xsl:text>'</xsl:text>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<!--
+        Check for known GOOD SigningMethod algorithms.
+    -->
+	<xsl:template match="alg:SigningMethod[
+		@Algorithm = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1' or
+		@Algorithm = 'http://www.w3.org/2009/xmldsig11#dsa-sha256' or
+		@Algorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512'
+		]">
+		<!-- do nothing -->
+	</xsl:template>
+	
+	<!--
+        Misspelled or otherwise not known SigningMethod algorithms.
+    -->
+	<xsl:template match="alg:SigningMethod">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>unknown algorithm in SigningMethod: '</xsl:text>
+				<xsl:value-of select="@Algorithm"/>
+				<xsl:text>'</xsl:text>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<!--
+        ***********************************
+        ***                             ***
+        ***   D I G E S T M E T H O D   ***
+        ***                             ***
+        ***********************************
+    -->
+
+	<!--
+        Check for known BAD DigestMethod algorithms.
+    -->
+	<xsl:template match="alg:DigestMethod[
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#md5'
+		]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>insecure algorithm in DigestMethod: '</xsl:text>
+				<xsl:value-of select="@Algorithm"/>
+				<xsl:text>'</xsl:text>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<!--
+        Check for known GOOD DigestMethod algorithms.
+    -->
+	<xsl:template match="alg:DigestMethod[
+		@Algorithm = 'http://www.w3.org/2000/09/xmldsig#sha1' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha224' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha256' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha384' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha512' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#ripemd160'
+		]">
+		<!-- do nothing -->
+	</xsl:template>
+	
+	<!--
+        Misspelled or otherwise not known DigestMethod algorithms.
+    -->
+	<xsl:template match="alg:DigestMethod">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>unknown algorithm in DigestMethod: '</xsl:text>
+				<xsl:value-of select="@Algorithm"/>
+				<xsl:text>'</xsl:text>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+	<!--
+        *******************************************
+        ***                                     ***
+		***   E N C R Y P T I O N M E T H O D   ***
+        ***                                     ***
+        *******************************************
+	-->
+
+	<!--
+        Check for known BAD EncryptionMethod algorithms.
+		
+		This list is of symmetric key encryption algorithms *and*
+		key transport algorithms.
+    -->
+	<xsl:template match="md:EncryptionMethod[
+		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'
+		]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>insecure algorithm in EncryptionMethod: '</xsl:text>
+				<xsl:value-of select="@Algorithm"/>
+				<xsl:text>'</xsl:text>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<!--
+		Check for known GOOD EncryptionMethod algorithms.
+		
+		This list is of symmetric key encryption algorithms *and*
+		key transport algorithms.
+	-->
+	<xsl:template match="md:EncryptionMethod[
+		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' or
+		@Algorithm = 'http://www.w3.org/2009/xmlenc11#aes128-gcm' or
+		@Algorithm = 'http://www.w3.org/2009/xmlenc11#aes192-gcm' or
+		@Algorithm = 'http://www.w3.org/2009/xmlenc11#aes256-gcm' or
+		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' or
+		@Algorithm = 'http://www.w3.org/2009/xmlenc11#rsa-oaep'
+		]">
+		<!-- do nothing -->
+	</xsl:template>
+	
+	<!--
+		Misspelled or otherwise not known EncryptionMethod algorithms.
+	-->
+	<xsl:template match="md:EncryptionMethod">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>unknown algorithm in EncryptionMethod: '</xsl:text>
+				<xsl:value-of select="@Algorithm"/>
+				<xsl:text>'</xsl:text>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index c6b9b4d4..294a2836 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -652,6 +652,18 @@
         *******************************************************************
     -->
     
+    <!--
+        check_uk_algorithms
+    -->
+    <bean id="check_uk_algorithms" parent="XSLValidationStage"
+        p:id="check_uk_algorithms">
+        <property name="XSLResource">
+            <bean parent="FileSystemResource">
+                <constructor-arg value="${rulesdir}/check_uk_algorithms.xsl"/>
+            </bean>
+        </property>
+    </bean>
+    
     <!--
         check_uk_trust
     -->
@@ -804,6 +816,7 @@
                 <ref bean="check_saml2int"/>
                 <ref bean="check_saml2meta"/>
                 <ref bean="check_shibboleth"/>
+                <ref bean="check_uk_algorithms"/>
                 <ref bean="check_uk_trust"/>
             </list>
         </property>

From 442c8705cc1f2a0e37e835ecd50e3e17cf58b9ce Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 26 Jan 2015 10:12:30 +0000
Subject: [PATCH 35/56] Update to ukf-mda 0.8.6 to get access to
 EntityAttributeAddingStage.

---
 .../{ukf-mda-0.8.5.jar => ukf-mda-0.8.6.jar}  | Bin 63151 -> 78674 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename tools/ukf-mda/{ukf-mda-0.8.5.jar => ukf-mda-0.8.6.jar} (63%)

diff --git a/tools/ukf-mda/ukf-mda-0.8.5.jar b/tools/ukf-mda/ukf-mda-0.8.6.jar
similarity index 63%
rename from tools/ukf-mda/ukf-mda-0.8.5.jar
rename to tools/ukf-mda/ukf-mda-0.8.6.jar
index c3892cf21bed3a1affcef2ec974a0609b6d85409..10840649fc46966aca2d3f3136a29b9d6d631e8c 100644
GIT binary patch
delta 22688
zcmZU)190Tuw*DR4wrx9^*tTukNl$FswrzGY@q`oGn3xm3^SkHV_ug~=UDdr;b*<gi
zwW~h$ti7J~ZMXzqIEFw{mIH@?1NrBrugE8vghURZ_s`0i38C}PI!{RZ&-z~p|Nemf
zyL#9$JGojh|Ig-sl2Wiinf_~6iVP^*zXAX#*S`ZWniLW+*pzcnxPN`|0xJ5iKnP6m
zzf<`C74(A%qy6)H>xvjBWnds6H&7rT@*pXsN5n16;M-vTmDGX?H3ajoXc?&k@?TLB
z20G|}?IbB=g%tn?0m1wGUm5?|Ndypca&$MbakOxyU}ZA1H*s@|)6i2}6vp^WHw>mE
z!Rp<?Y)xBU>QR*_`d$pFj<YmIsUyd+<<1p#I<SC^l6MQu^GP+<Vk1%JL4~{~_;%Ul
zf0Da3^ITxm584_2ivX!G6^Jqk#dMM=T1A|mPmkAITvh{K>Ky>W?W|_j@c_7MC%VGP
zT$27ZXaN3<AkS)k-MxS)BaInthj5mC4HN$1p%q<L*~PR(XY>p+u@aEuXQ$ugy9K(q
z7mm;JeMmo1wK97wL>NW2R?3Odh_m+e(ryoCRBR<fb8#>IfV(c6SxgahX*G>b?3-8a
zdiVt|LUH1Bz3vKM&dP6`{Cj}7+IV9&3r*N`dnXxucubT6n`h4cP<|0E)CLnjNSJdO
zI{cqk{Lgqjq6|bkO7(jCM9=!Z9t>>$uLQZcq#s=;NeElz+HT+(wjZhV+ZaX4i>j|C
z@+p)43{M~1`#mICa=1SE@lE?ulUVolS4(q_Oc`yk9^Q)U`NSxB5~u*jm-r~u*lh3b
zHsL@&+*$F|9%TduD^n;=^p;F^)`SQsqAcw}GjJvOr6y}rnI4@VYUr~!xh4WCK^_m7
zwo=1tK$iE2{kvCu6Sbmi3ikMf_0|Jr-Bbc(i34z;v=RsYgu<wvdZOs<H;36fO*v^k
z>?2XHf*1qkio|aI&31qUN~{JQX1MKw+s>tmQQ@4^6hcW@J|4N?xEdlpnf^9KM@v6p
zTM@Y*+DD(5kfh(9d!s#NrGCwRzzK)ZsZQiTTw8s=3ZukHjw8~1rk4haCsEM6AORot
zu)76`IuE(wTXd}>c6VBLQhq)coM2AY!<o!$Gv<o&5R2f7I}mVoc~z27k5h+~Y(6iK
zOwE?jJ|r}{5n(<3V;2Ky(YhVe8DgxcU=^K5MtA)Mx=1J6NYTE?>5N{rp*`uRReNII
z3qnXa<AYN96#wd&Ge=*DJ~0)0DZerksx{khW0o-NqmrzF3?tTuYL21yrmq900yP%v
z+#+wzXrUOiV;ZL_AJZ3<7;lXGTwAxZo23QX-1x465!_r#CEVIw0vXynl~JEqQiXh3
zoH5At9_j3m0CVNY#U(Si(ad2=`MKP3BP{3GegPApOJZPhg!8waYwZ7~9|q(fS~tPa
z)foRW_xYFB|A#rY|7Py&ALhOs8dA|vB!q7ym(o>-k93$Bywk}FS%}zwCf8CXJM!6(
zy&9eU16@kNdkMi#IVS3bJYPyc&p^Pl-`nfKNrn?hc~kO`Nv!2uoImvsW#t~1Hk`c7
z!P4P!4tcA@AJ%y6(T1ukfQ(;P(cv}c&I&*eL<vN0993?6o3{>}{k2UxvEoDB;63HF
z^kTH7<*?_}2L4b2+8!z|%`U4NH+cCMe9sV2gjX@zFfCW_5>l9nv=9a0W3^=CA4%=u
zgZ@j|5=$4LtDWRTnh-Vk_PBZy=?r5{s|i0=$hc$*eLCjsax3mI;6A<*_6(aGk20l-
z?^!x{&(u7rbj`h~q0T0}zI+l(SVgBEm!snY5H;QAoQ!LTRO+-cQoYqkTcFfAW;cwz
zU7K1@+$~x~KsRu7{o)sL9V9uL#^y}0kf`GVK8x{euMu}82pCI)(Qq-$j^Ajs@DO>y
zuP-aXmh#vfc0lw3xKHob$0v&(vo!4G$G>?O9*`2TBG4d)11)}O-wG}`a~Ix(jSaH#
z5tY=Mf!_1cX`Ay9(?(6cqLm4lTCqI5-<r65)UnW}trWvXTyogy9CG{22B>@t&TU{R
zK)OyHctrE$yeZlEZ44e7XuQPenL9W(%#9&cu4<i|Z<UAw)P_23q9x7DZB2uVaN4%q
zjzW$|(xf)BikVmhMVbULuRmm8(wWV_(mpqoM&;o6efpRVuREko-+WT*!A(iUaqXj7
zG1l>3mB=x_4o!8B$S!+k{NNZis0<OO5b)R9DWmx~iaBS^RS<_G9r$F_IwB<55T&zc
zSzk}1=Bp9_o=_@y@zU{E-vi(p-fR@YcF~}$f8`+XgdZrIJwPa;WuSd3S|^{zymOhR
z4KwW{tf0F~V?d$*nU%gG!vr$5;w;0NG4f@;L_gdUx)V&;m!x#MlWm-?kG)}T&5qsK
zLq`Z*`MAU3)y<A?({(pW?)8rF_KFfUG{F%0@-03XmmgKF=MA6Dy<zi&w3O1y;Dy^@
zQxn2dd<%y7xfq}oyUG;0SH&40Q?$q6Dvti(1%VJ|l*?8XXftWS?O4utQ|j{x`Ja%*
z4fAG$gMxqn|GvNdUttrowy`%CF*mnyv{G|-HF3AF^7%J*3H(Yx7L>7TQJM8QEDA13
z2s8%o(@;JQOlfIU61t|IThvWHs|goxe@-YN5MnqJtJ9H0{HxoQkE`4Jw?{+}cAjaH
zS>s@qR9Qx&HWe6ml~z3y1IqPFcv@G$g56ZHrYenIOqm5UXG#us(@B7)=UrS;_UbIN
z-!M#t5~H8NVvFO$`do>7GnJC#kbOV|Ck*wdWd8&*saJ7l$8;U5iD-Xw9sQXmzG&u^
zrI7?h2<@;(gWk{XF>G0zdQBmBmB%RO_XfWH17U_Zdpx)k!cmQ3>G~0%uUMJ56wh@V
zyM(Yb2_6#4lQGKqhq6L)VyViNKbX!*1Pc;tL}c793E>Cme;(w=aMO()EC|Q|E(i$y
z|2fEi9om-mn;X6s=4XBD)8xV{Dy0iqg+uP{E2*4@VXH@SxeH;1M>UVl?`{f#VcqrB
zoYSyYTYJN!U)VN2SnJ{3t)W_^Hl`Kza`35K%0xf}mca!1pdi3^;!I)QlPh0~sXOhI
zX?L7=;8u^<wcyEHzaQYLODgd4+w1_0F@2yx1PamNG3hr>WVh>sKyl}2zXa#|%4nsR
zJs_>4(8NrI_jyIY>LJhyOgm)O^*$51;NW)l?UpAWW>+Q`X&3&5jN3@{_6VduxS{$b
zJG$X*K3GlQ03THRRvkp?AgA{Mq310<+Ucz+Xe;c7(6Rqw>=|$q8-4vY?|ASU6x|Z&
zzQ%l_E>N@IJ2=_z!k+e9fof)YH8E|4(ac^|7=PS6*562$86!3r1Om(t8VM1R__D{0
zq+iNds@Iz=eI{WvnmQg=CL}#;O`aid$!x-&Z#iQ|yITfooepP*6opTHTHA6RhZX+V
zdh&F}yg9v9xE`RpKlbSN7?pX2^aH9TOP)2YIPBBg304f4|Jm2)H5QS8gm866On?P5
zS=N-Aj~kQ3eJ3M#4l6&jz`h)rPlpFqoy4{v`2$Ux&<c#YgNouf&@WSy<M=_~Q6CMA
z@K;k=+XY=A^(kLdX#*&G3dIz3G?t#ncIkrnOdx)9ECIkl79YMKBl$Nge6Ij4Nj%Kb
z6$g8Hn_S_l4r*YUG&a4)jPy$6_k|3F<k&cuW_E4)1iU{c;bZ4k=)Sh%vpMfq2z1Mx
zGC9?arx4qknuSz$a>{1whiSp3eJ&>Y1WWh6>xEJ9V28^!WIr)%(FoGO?CAB98Sd8@
z_G%d|6^{WPqV44^c2U+U@Zp^H^3DPtOhuWL-&PLq#1#fNCPE&?((`$mjAnU7e-V~^
zT(`Jvt>G#qCN$Z5GFXgM=1|d<_zp!9PUFk4i;P)IY5gLl9q%5qN7uFh((78%aT(tx
zGXS&}yVGz^3|2dP^@5JWHUzSAHqP@cw61Gu_UZwIbWDjLV#nH&9nn5)oZY=3a%<Iw
z*fScrrmDtz8pRnHu{n_2fs_(TLFJ=HzLVjeno+TjnP`pmk|Feu47-adZYDfFoX~Zq
z#|?pQwlGi;haYm)jUAaXH+S5yO1j^Mytx?QrFKtU-Kw_|DBHDmk1RC0WU-y1%Y)R@
zOI86<?d%%417C64H@N8TmDY^EEWk1v-g7^{*%uorQN)TCIV_edsAGC+`oU{eFA1QV
zo4%h<W}nkIr9U@YnX+^1K~$H@UC4%Zu<UhZ)V=R-WJ&XmW&vpQrm185sElF}>x1w!
z+rkYxWq^*3ug=22I?wCIa3cGaMsWVBZ5qJJNjuqPa?%P*Tnt`55P`XfOxvdH8{({)
zIFP}x@M61R&oQ?0r6?Tx7Hx|XFEEsNk+5cu+FJxT^+Jo8i7Bpm8y&9YBD4EieMmxI
z=2y;LutNQ(dH#l7e<5*bR-^aFQ{WJ@4q{(toNPT>!*&;3$G3u6w5E;&LV<fhx<EkH
zo|b%B$)v%2Bd%U`e!m1z&&O8{b~0%GKr-0zHlJRIRsEBRsowem+i*l(`MfJPsmL9>
zPMv`X&($+8B|fb!qB8!X*4rO1S2WdSlB_3CpIN#xM7;^yd{5>ZiQ`Wk%~}@6_;^dT
za89P7taKX;(*?_-%qfd|O?$Gu>=-}{sb3@pK0AZW+#g}C4J;z9C-o}XyR3SOnLGoz
zr6LF~Wz9)hNg=Ge*5}CMHl_^6F5mGZ)f5ZNF0=2PH>w__#_BnBbYHTSd=m9WR5S3c
zTEjX~er7iEpIp?uHg*c8SNT-01}2#BtHJ}f<RC8{LU~B9paW^!wr5>&`J@0LFbgxr
zPE_upkesS(5n!;Bh@!%s%$m)1x85PnQ45=%h@x%G56_GQ&bp&o;cJD%qy^lzkB285
zLA$dxy#B~+=VuICU=nTR-YJGSPpP~JY=mw3E-!V`RoN3?<<d4XBr?hYH0+0%c2vZl
z9X9O*wa&c$t7eCNBvX(zd=h}7=+o1Drqt6FMXcdkjG9tX-^WtT5Xs}p3Xi${x!Z^8
z6bF)WflcONqJl?g4|x*2vgIDXKdQ%OUU&f!k*_@YU|-Cfto=LM)PeOFI+{<7!w-q=
zpb(@xB<L=Z4liEEw+Y6E24t@o<A6reRpp@<wYi&Cj%|A-&$yL?L=FHGOQ^}1xqN>J
z*8!OAY<Ics(JuQ!tfi9kG)#YR?$+-T>K>Sz{VQA!U*-64_rXygYcQs4kgFsS;C{_;
z+N%T4Z()2&hf*~A04N2p3KxgfB)-mIhDB%-c)>UlzbDyQMAap&K`nLuEgecUH&Nmw
zHwk{kg)Q->!B3hOb9KN&<G@LyD^v}{laytn?ygL$N`=l`K#yf3KVL{25nfG!#Hn+t
z=$hZtG(G^0p@0mPBSnAE$;J;5!4jyn^eL?WMUxb2qe!p0m)DAIxSqnY9af^6L!^~M
z)Qis-gzu4bFCFYFbr|`~cCJCO@g;GAQ1#LT3Ed&T$QsK}@CA?`#98mxX-$m1c$z)o
z!|~{pEOFECpx+`LHR+)nb{B)Y&l}<-+H^aP+Yy&7)jOp1Clq>zG<c!^^NIiGoj>U{
zf}%f8z-tdrMt{f_Y<k3}=BaDsnRg^0m0zBK+O)*+^tT&D<3L^^D^>~WHo&Yc8siL=
z{w&Ebv2gOCuow{b-b~c7n1Z?_F^n;=;;Rw}@yUCgx!lEav1z6oK~SbQOXl>L-;5!8
zl+Xgr%l5+s>o?NuE?)vdl`{uh+@sYNN_vEpH!4arK1Z(A2?#`zln59M9|%|~HS%O4
z9VFsxbETD>sy@+SAJ5r$|2zbj!jS@r3mXnkBT-{4d>Vi`SHF3JI98naNnB`8#clef
zth5hi8|jff4_cn29<92$Ds~MDM$J4`wo3`j9@f05#UbBA%%fvxA|S(c6BhA`)hFRM
zs}J+2KRK0kJ{z<CzGCO<JtMU~m~t?^roLoIw2V~7Gt+`anU~9_)7@TxHz2IGDm6lW
zEV%X$XgFYJr0Xu^=RWw)&l-21ITb!Fm#)6O>M27?G0%~z&e^U7b$=M*@QlQOQZhCr
z&T;=2>(SBT=uvl!Z^z{qJrq=h0hFSPou3@)M+g|#KCM5C^MZ>H1o*7xCHiiB+%vSf
zd9-%nx__)BrI9c6R|Il@1ef>~R0s->^9*>Smif_sg|G8Xk|$nmT%G{_PqkKO&c8MA
zw-a;-2?E0OuWC)g-onAc(OtpB&cgNIRj#_88agYEppD#0Ivqx84Op?TP0)955fMwA
z(D^JlTioqM2WxE47K<FncP+jWZy#s>Cn?^*jru$=OrO<{WabIplOBqJK)@HMG3sox
zv@uzbU8X!)e3ha(OP)9uFF3o5>nvU-`yk>p`v@S_nF8n>XhaZ&9=N|MaI;iBocex=
zg_wa0wev?-FMhMlR&zexPPR+edP;*cyy&LXn(t3~O{&v|J4?SQty}|JtT_{D<~Aka
zg=3Vv`w=5$hkpf4AEAgkf}qa|##8-GtuYawS+^;w7uPkh^9sG&m$6cM=}MuOY;cBt
zgcD$OAxU-s3wnW^kuV}od2ANyUefz;d4V5YBcf9C@)@BfOOAHgpbV1sDZS!;sQf^p
zC5_LxP5svjf|}NdNv3^i^oD5KA5Ryf?Cd$_P8>4odlBFDS_(K#9oS1hjH|s-M4uFz
zsd~M3%8DW}(dc5TKjjV6!poDGZS9CYX)k~j$dzaLE*r=;*^XrsCKRzttmWM_KHEjr
ztQba%?#Tzi1mhRQ(Uf9!6hBwqFeZl5xhQow<VNdV6S#z%)xi{u^qW+Zec7N=mhU3P
zeYWhZ?gg{7z*9i-B+3j#9MSWyChBU0k1W8Wyc0gROM2P15LFkm{-RSS)K8Ij15!XN
zB_(HrMy=_5TUouckzRWlqt1cH8RvkmhoHegJgHdG9vPXer-EO9Rn8_e`=t+4&yqt3
z(7+dfR)|&9KwU|&cJW|8I<ZZHPq`81D4tlpMzsdBX8r`P&Gn3%l)w=)Co^|N^Whe0
z5{_auFW1ul!*O$ju~6u|hW%l2)fhku2|uau_1&19Li$7z^&=dokG25iPjo!8LcTC=
z<6Llo<9-Ees7d1$XK*i}s1PzK`r4+_h>}Te1fE@xEJqPqX9%ipf@y0%AXXJ~)nyZ2
zX&d?z<UcPdh~~A5{C`_2^nY6_EdSGW^{}(FNMSlc1^oXExSLu34+RctYEl@1T+I4t
z!6K@t;&mhrV!;fuRqeg%(R_<GrL88Jv^!kfcFoRiPMbX|3j_Parx}6s?Q=F(wL7_I
z3Dtsr=prPl-!^+ras`=Zh5UYg-d`6mgG`$-#(>@+uw}YAv&WcAb)}U7`jiM6%w_&e
z4_z``?Yco5@o1Y%e|wUUV~f@D96@gyd)6iDNN;4+pBT`iPU`*9pWt7j>naykeLSJD
zgB;63cOw=qw<YajeRvUcEtM}76h@00t~yr#tWHDI`E#%x_ccAWVHytjYah3)q60_O
zP9zWIn0_+jLZyc4v3v#yV9|%w-*bSitKH@-msdlr&XR4N0^i!5zarPk=mxLV!0sh#
zeF;!%FLfe<JK!p#%I(SwpCM^yLC}nI_9Bk<%uVHSYaC(m$qhp+qWvKq5F39><c@;P
zl~AVFy0NW<P%;_~`Fzm(#+5&6Lq=8i?rDz0^zcC97r}f5J1{f=sJoQzK+jmsX-Ump
zH#;?Q?PFS-D7N5G(?B%Jltwq&$&Ih<RBuFuKvZ%?({m5ahN0Y<Yp&NfIaF1$rdOxa
zLnOPLgq}2%*yEXLX-7d_vbeSTl1Xr+%P*fr^ygm4M!TIUPcJsaOgJ<}g2Zs+NiZ?J
zKZU7rTEFaH4*F>VKsg~`IB5)KhE+yh<<$p5h@E|Gj1FxPXx?H1=VZ=t>OY9RIOMPG
zy~6qXIRxyhbs29;ZSKZtlyE7<h%(?xJo)FS;xB`%J>?Nj)K@vz)Hy8f`}}^_+LUlj
z66e{>l<ZmHR81+PzKhw~@W^BQm}!lJ_0@n9Mh}GuXWXIyoSX@smw3S7;I(Oq`$j*2
z36V6wmkO41id-BmfUdex<dYc%h6N2IzVCrl4agnsBn3*o$;8e9GK+(7Uw23Xunu-R
zrPGrXkz!2|BFp4lK3tOTjT`DhLZ*=F6Zhx>kop8)5+N*|@;<SqT(RZK^<NRszRf+u
z(?)eR3Wf%l=_W*5AjMd)L|qt*)uh^<n^&v;q09|<D3Is8jaMh$Gh4qNqo(mxV;uQ(
ze*$BB8y5;odBv?dY>*b<Pg~6AjvLuE=th?x+n`K6@Cc{5;Q0ym^?#J7r4kbZ^k446
zAQslYy@z!i)PMO5+`%JC)qeps|LZewf}}K^lLJKD-Cb==J=`t+molZPU#j6t;Cx+D
z9wsM(K*eCR)-^GcM)i>ex5KWc1{ce`CXdH{>@!TH8+L74JYDI&YrW1W1-AW4pZ{68
zlY5(>TF^&8${NYz)zUNjcI~tFaWGo|0BsEQgY}O*q9|`n9)u8DxOG8O(FbUaAhxBZ
z))I`J^DN)U5O8~_Cyy{+bf%5)IbN(9OS{dc9LHZr@%?oi<R4i9!-z2(J(3|5PmWQ0
zzXNujrsG$+4BW=hFgH8}uCn4U*`^_(-k`48<GRf@`Yn?79ul7wq&z#NHe)tD!Vm~H
zxeOGUHV}S;iq+b$mv{VdrUY<Do29li&Y&20t%v$G+pZU1d3lD~(?!ssSB%y<Feykx
zOjkaSQ_RI^0A`&J>-Vk&F&s$!I{6(OTl3=g?&2-fk&;$k@)J|#mXP35TcO!xxCOS?
zYi=EP^WkdDQb_sr>wEN*qo@y+w|;nc*aZL^)A>=Sy3PD@Ra45sssXCL-AiyU`01xG
z8|3;?%SCW$m#O{gc>6Y|A$!vUo&5r<Vf_3F5>w<j<P1;_U+Xug50tmAQ*eHG6IFqf
z`0>nori<#AnMCz>8b{wvglc!vKMpg4rs9wYGzyR8WD4Vs$!WcNhKQq+<CWB25cFuL
z_wO+*Z?J&BQAZ~C5CD$SXVPWnr8iJ)w7Du%l=|iQHBG;6CEzrcVBU5yjQBLFaAUuC
zZTZe=H-`)+A1J08<$_>=OW&@c#BRSGaM88d0<S#@WzOW)vuED)I{NJ${S6wHPAxK#
zFM5@-ZI8E@oL~>~=|CSJ^{*hB&hH;s$t6_u_Z}DPxN+(W&H=^5fJf?t&I>F-S_F27
zy=>Lix4yEsvp<e3e#kdWeSvBZ-jazbaZo`Nbdqm5tybzg5k6`ywziS+Xo4{<b1YIz
z9j#K<MiT=d{NJCzlB_Zr-s5jqA_G0XHyQcm?t@Spc}HpYzo5O|gA57OxnV$ShsGn1
zKcm4t6dM8A0s!>hITYBwDmO?!L5I%#zbof4&B>I+3VXK=j0+T#*Bl7GicA<#i0Hzz
z^XuD`0udM{rT_dqhKG(^iDpO{|B75yl9m)1;X(CHc*$>V1#t+s|BfHpCC)k(YU}}G
z(VoB-LqD$4iX(%aNNooxX=Nfq4^bj)1!<NRigy|1zh}Z-YDgM@!H9L}BNWN9sCF(T
zT^RW+Lo}v=Q&e*#T%fFIwvS0wAd(OmVSNZKo}cidu7Mwt-Y<iUjj11nT?Hu^M!D<s
zpEA7ciCB^Km-61fGR*z|Q2xKPH%)y<3ts}`(-OUTqL~x}B8aZNwVhOi3*!vAC@mGL
zj_NFd<YX0lHc|d8ea3O~x9z*y;S9CW>w<03Id8jD{sD2>b`}GuZ0%S|ZdTXx&%WoL
zoxT>p=i|jS2$l<T7^FU%Gh7U<`3;~bo)X+eKYbXpOFymM4r=Rle2`5uxl<^T!}0WG
zmE@k2um&o+v&t;aq;VqTwZvn#BG07sJre+AjOf|WWV~_k^2;*03p|DLRI^`q@S8%F
zSa}2^TFu|E%v41pjCoGg{N=Va=Q7S(W~$|*#uA%<a@l^9w!zplL#rGTBnU8;u3fDs
z+%)dY6wLZ4we(CO?LX$Eu`IXmDaPaK2pu2=mwh+P<ImabC?lXf7$VOpWJ(7TPThCZ
zIiD0+!wkf<ukC6A?Q|Ws-D^#SdE1AD)hV3!)DT^?hLi+iab#D(40oz-(%}@<&pSt1
z+;WS1HmMtgU&cD|cI(pb2?0Ryb_Nsw9&N2Gxp-?hZtZ+ZCii(voFA{-q#r8DSN4Kf
zkM$MHv;<B@=4R6MOL>ud+M3N)OTBXqF&=u!>`%Tk_iUl@$x$Burlx2G+1~i*5N|A=
zw}okxJJ0?;HrpdSk_xfoM}IHaopG~~c<2S>QVf%%EGm*=R7FZA2mtu69$vm`s;gZl
zu`7jsmGJQ>lb6RR)6BQo%{J3AeRw^_S?Wr$(YUy`4yV8-mDg(B+Eg4xsf0o??xW6D
zy<VnTzh=vQ0N)!_%kQz&QwX63=svKrqg{!gpHqzwewDDd9^-`B9Bz69l4hNACnk@G
ziM&g7ybp%BKk$nk-T=k(7d&wQl=fdVf`dA*xw*v&s<E$%dC)*T3QB9@k^u4e5tpr-
z&|J#o0}3TmI6TFa2k=YQb>@@&pi42o@Kq+ZKi^nh@b`_b%yuob*uBJ4roKs$aX%Bh
zs)g+m>Q>Mo-+;PLtGUDbV4QY*r_>+rG3Q;J3AX8lu3W?oQwHS!T#x}G<k@`XY?|@?
zJmXOUC?{Q~kk(105!P~?sz4G(*UlS`A3Y~+jtc*lxw1O_gDrhI^g@(EL3u|WGBCJQ
z$l?1gHDadZyBdMfPA|Prhfqt?d$5%$*b8aSD(7Q`QNnt#NvAgGjy11GA<fGtC%rPE
z(_P{EM@#zJL|XB9LA^e-+UHd|UY%JgT04i_FWEacL6ouTZE0S`{E4L(Kj;g#se;;6
z)*gIrp$09bY&s0^f2!+}=RaV^f3c2%N(q`J`e!=ff5cnU#NOk7D|nu|p4*}%#^<tU
z?WzjX;W7v#<m716RwP%(0+q5j3nRN{=c+di^R%R4a3q6|W=-NJ<|jx)SiAXm+}%3%
z50$x=W@l-1Fkp=5><9l2?>b;d003)@HE?XaCr=de!W04O?_|scNI*DlWoh^Y5B>sb
zh4`LHJrf*MaHl<z9OQ-|rcZlTFDc8>g$)}%e;&|3#F+4Ar<o`JxlRTg!cS`0Y`5+%
z>N$tqcm^L$!+#+K7V#J_?hBT+p}hni`e5*Q21gVnHeFD1A7X5p8h79}%hg|3-y@)h
zZDCgAAY>gCN_d9@YU-Iai=V0!5ee&2p^%=l^}BTyQ*k|JDOuouS#QA|W@FavU^0^S
zc&{@$wgtCi-nCn;@#EFsdXU0e??`rh40Z4S^o{e{?-fr29rpIO`daBcbSMhl6cH!B
zcJJN6{fYeq*+lRXt)}Ga(p{ZLG|ku4zaQ0pgK09sd##THPz0DVh4(TOQSe4CA(sk0
z3ax2rUBgSE#v0ItFCAy)^~|+AF!LI+b-Rlo(-|R?okdR7=L46B9)6xOAVi>}HN4>a
z)vB00<DnudQc#k1;60b_*6|I{V<EoV?}OQ+A9PxqVwkCW;8%P&?$D`1sq$kgAegL<
zs1UF>+V7(QsBjbm(drP~3R;w)=%|<uu+MD=Zp;~6V1VOaUtr;PQZXx+x@|-rd_ko}
z2^(=g;^?uRxahpHJs&NPenuPApj^YY<Q!fvZif?I!Cbt;8QA1X!M$ZZdXGJ=QuuO<
z7U7wy*;Jd3-f+EJBn0|~Po%>b(CYR@%{7!2vl!+8Hh3hJ=1ByNXtPP;pv6ICboh`#
z$klx7DXgT4#vptYl1oqJ=l^)z!meVeDkTO+?k#-7@eZ1H(mVCjVEBmpZRRR-0RI}V
z3RZ{!zOzqa=^RQlNxLBLxtMr`g0h1&hSFckpXW4@$aa$^0=f=^Qwty4-zo{4tLI+s
zk!ETGfS0V(e}`YQI#nuqm)gvfWWn&8RyA{5+V$7}u;#AT3cwh<MYQ-iJOZ0rI{qvd
zzlz};ebs%~6&j@9^nlk@G47<buw>J?@p0sf>B<uaw)VyvXPRs)^i*+fhT{!)PZ~Q-
zZoU8@`|#FMoRK3|4Z%J&5vJwJh+3!zBHR!Y{HN|-kml6!{RMRXZ`ViQ|LE?&0sUX%
z`xjBCrN4+;I{oBR<eG_7SSS}R+JZMGQ7EK@br}w(b5J$TND~&dZsvzTZ|GY+;CN4a
z59&XpY*kp&w0#R-B8JSp%|;A@p&<I5#eQ-ZaKdl)^>y9=0GZy^#5!>{93x=@n41hP
zIjcy)Wu&_35Y9e`jXm>OvR3RxD~_?_)t|qBezWcTQP|OCFJ$9Pje!9CRpB3#gXG0M
zo&Dh86+%XJ6<*)EQEUSJ)J@K?@<@@<egcJ%qB7h*;TLh7ebQZYpu9hhO9U~TAnLRV
zT5*U4?l+j2)nTB=#1@MwB+kGEz)__)jCnb%Zl_-!e(Jutpfg~7$lkPZ-qG~*&rDXb
zCv$7VbIi^kFbU5|kdS*Z5W2+T)-&8d@ZMl$l)<?u!cYO$RD0~9|9a5W`W}>hI5VTM
z9YvR-jCYKyNUX8T_3Wc3y+@oxHp5SN!YkIVtU(Z%Wh2>$Db*TA-+);Ka8PhZJbzow
ze13TG`KYq?WJlk?PEe$NVttt5&eNVY7m=x0>78?m&S_V*yju-tuH?hRLSWeM4q|1%
z#TlY;`3BLr9bdoymfsK@4dsgSx16a!)Yhi5L8#qjKzz-##5opn!ozdKsobR!J2Qhc
z&E$zPIsNb(alT4{uwAwVv|)Mj<tzD1)%kv0DNQ|}r%55!_%_^G&*;{%$d79I=j<C~
z`_1hsm~88mFiw0kc!|`DGjkRj?_N!(&!;EXk%S*T=x>ho#&V6gQn{Mz+Mk0SVcA9t
zx{T3uqHve7z!3)r2p_PVvO}ZcXx@VYvCS>438BL8Y#Yrh#)*Ic9*H~>xrOY)$BPB{
zMsNy4lCBW_Ka{UulINeG3t#Dz0Fo9dQklauL3zmUWE`n1L2Tt`4eTP+2U~2JBN!-`
z{joIu5^n^nc5t%Rnaks#xusHO2Br_?ei(~BIExb*lhAXXiHcY0fl}q~)UP;CNn4k<
zIHj1Kp+frQJL{V^`~-J`NIw1{?5q(KnSl^q<7AsHty-P%td8yKpUAI5uU_PY_f3I?
zT*#o!g5MeXN4*ZO#eyi#(zE0CWhzl|-f&if(qA#F4xOa00+iKI<;YnZOL@}By#65m
zCwnc|xDw$1y7%%BPJ{o~R9)r8X*U5p2#7NQ2#EAQJkq5IlOhBDd*Z;v%Hm&**gkDo
zZ+#8SPb0Q0ZgwAq^;C%RFf`ewGk08BJ!|SVHU)H8ip7Oc(Hd<dOGB!LEFUNDYXxkS
zAxKD-LC7|`8d)8B^@Ub-Pzy{8HGOArNOg66l+<6|Kl3K0%q<rXZUO?0j<>yL`%X5$
z@-OoNIT4?JV|gIy()}Q0FTJtM5YD{)r&5^xhro=koim_T=a(&r5fF1z{|u-Bsvl=(
zu73es@wvkn@=tlYux)~0S=oo$9G_8ObF{o;1m!UGV(bsQu-Md%A#qG;qW<o5;F*tm
zXT}`fwRTdm7g)ZvHwNk-k#o&<sfgu<t+WXsENr;`bMv9Q8RD1aPt5&%zX|Ri4Q=s0
z7!d)c9ZEd;q5=|g+ZZbarak;o0?Gh1V<SS|g%J300bn?wMypn{R23D=u%QHcRs+t`
zoinoJZ8d8`X{!&keT|mqO>K1#B=nZ*Y<bG?CY+IHaAb5b^b0r%1nV5;9Qv5cBoF~W
zcXcUlM7?2zp+>>l?h)r{j#zs-iP*(4nQNB1)^q7fw<`Q4^>nVhYAUo=wFt*G#f|Uz
zveJoMtUm4r9p@v^9CE|I>pQcMs1?|=7KR_P$}eBl_23&?T0@Dn2;)2-pHF4PJeskh
z3|VP`vPJ0*a{GG_b@oa&HZ#t;T1kN1tUqR6czRO=0?QWGimOC(Z?Ds-#|WV<@%amc
z1}#9*Fi)-&R>lftRu@xu1`Y096+($O!kKdp_lh=U#;tP_;-|`}MlbU?9(aoKnUp%6
zwKPJ6d)Stc4_(m~SLp><4T6pt4uWB^dX^$AyfM8g&d~?c?!n&%Rf{&7Nwa{q=?#*h
zMN6u2xJQFlDTbV@#ahEO4BA}Q`f{$y^q&U;^9Km0rE8qfVfHm=7|7Po&ird*Yp8^f
zXqb*m2bD6OAyqOnQSr}LV!Fp^_t#aP6O%vE7sB?1!!z>*g~*nxu#zTH4+Ki9a0abG
zI54ld`A}KlpcdiQ?vvPNn92aZ>}MVky9pVi$l1Up7ThiAv+i5%_sRdzyh3!1EMt&!
zb%EZVv<)#4T`f3Nq?NsH{X#p|Jheote&98a1oO#5V&?W?+LfhvRAAgr!QkGu^E8(f
zw33)#m+i|Z^oQe>_ixmjfze^hPi$;{=}ntLkCw^2+-U1mmTy#6&&dMF+H}oX%&gcA
z0}MP>Tidth5pq5%68Xy0!K%5(6g27ad(4ft<`>W`F{$b9)YJB*EM_WrZ*RI;t!s~)
z6Db+^D=VYeZM<}X=y%dvHR{|`{`%Pl?e4P+lne(}Y=KM%T5N#|OiTTO^%mj~lP__h
z9!HN~p3jyow6G~^?e&22hZatgOHRBaj}-ZNuA<f0{CQRL&KujwpJWmWwe`XYS#A5e
z5kKn#4o74hQ48dU_;Tq?9{Fdp*aB;IX$9&EG3jZ?5P1}-(2y#A@ff5nlcndob%psm
zQ7PC(1bc<J2JqP7qN=rd@DIaI$Mf7uE4B8}yKWYnk@wQ7VLt(4da)*SyMt*oCtmV`
zcMfnNXZLwwrDEwZvk$80<*Qn|l<bcERDTd-yrTk&Yn5};DG3b9Cuy(>jXBBlIE9AN
z>TQ8|uH=xj2eYZL81Im<kbqHmwD>9-aGJ;>v7wzCFIN@V2;%7}jQ0>oCFTPtw$G|v
ziT9Yex8&Fi%y&S}=qI!RoZ(OnoFVXnZCm+<D&=eH5S6N9F)^B2W(dR`)@}2ED@Lx^
z=Zg2_r-P<idO4LRhn4G@L3%YtmF^u4PuNjynPhcRFC3G}fUcHKnpm0C4-RR(DzdMm
zACbyw_~~f6(Xok5)3KJk{Mm~-dYQpt<?f6_6&3E?-l~9=cr4855t@nL8BReesmx<q
zKUK65kAj#2rZz*S{b(<E)qVC0Yx*CaO8MLL^Hb&obU@{4EtBz*UFo~3D)A&2!$xtx
zqvbEyB(8Lnsc#(f`$<TMuvOGncHe3-!RDw_iV|Khu-C6~P0-ymiN);j5!&Xqif_DB
z)lMeSl*0pR1Y9DQeU1!esQWKTPA3#(G8>*xoM0K}`HizSHj{eVK|UuKG5eW*v}4>g
zyF|p`Xq9$0U|oEeJ!?4LFUGcJ&AmzBYG4i0IuQ<P_hyjr^t0(a$p1R{P4!0$4Ogzi
ztQ@^$iNVCDsA>7hffU+_QLQwCsTfVmtEANC0ah8H?>7lvO;~alW9L5~2Vm%Ie*frB
z8rPaDEtA<Pxu>g-?b9*KDYK+WkUxBJB--0(<5%)9h$RB)n#$8Bbv(m$*#_!PrsL|D
zD{@Fc>9N>QnL(KGcNENT5M7+<<6o?85?(s+R|N=eEgeKwuvE2|xCJO(AGfFQ^(;$U
z*U1CekD4KEYPc+#1MkyUHG(Lq0u%?p1=93<bjreXpYi$`^$DRj%=+^B@VTY@{8qf`
zh3Y!`gnvb(=b+;uyGx8=)OXg~*<c*V(cf(+ORX;LL&zx2g)V25$=W++X}Q@T#0l};
zm-iTp;(Qqa<-xW;s6paIG08yQt#@U!`l|t*Na3N+a~&D4=#Y%M;qBcBakh%{YPXV?
zexuJar_&9*I<Zw8ZYSL_$EMJGdi<n280Tk4!k4~yd9wFtkL+T=MA1c+HsoJoH=%g8
z;k$^O<6<{kRG|;b8z9JSV=6re9;M&KPC@#_Rb0uO@wk+k_uO-nu!+m_Pi#dyfPR1)
z`f>V5Ur@KWsb16^YfN@0Va@<hg`$9)MP`)j9pxV6$*oM$-Dne?rS%)q7)g7~<Q&&c
zpNaQJA(OD@#SVs}8InDDQ9X^|Wv$q!UN&p^OWHkfXbD5^=w9(6Y*jy0(t*rGfG^l#
z&J^jFvCiS+=s0r$MwhShp_)|E3O0azAbGt8<_~A+`#NmmbD9{DRB>#Cd`}n59|a3R
zaWOzXuVjtS03Y_{G^sqjq|9e*U#KhbpU+RQR1c;}K8lGn%HoClD2~DAh6+?S=F9<N
zM6_<~-(&8u{4Njy1Y~=T96zwoj?4Ra9s-xV9k)5}+&K@PBlB`#n4OU=cMSmqA#W_$
z$RwfAqgSN5>>-WzLnN1!2iB#DSdmzrkywM@Wg^+G{$#mg1?U8;en6SyJ|#7Dsa(ab
zG(~`!*j>?R{NjK^ao{FAY78#X7xYavw%-e!-fhT2Rhnx-j<_EA13lNtdW!o4H7VP8
zhG=>{g#5YChdDmlJ7ilhvkw{|)iUEbtaNBVvOtiZ8p4*8uomMb;a^nfgyZH_oJ5l!
zj^+9DBU3BRfc)f0bDlZ%<R1EiBb!+gUU7%h_1K}Fjoh4M*F<%lymVTs2_?adH@~p-
znSvLnR$6M+2tKPyA}A&DAW&a;@)qX}+A-&si@B{-VWb$nAqm$&S}z2!uV7}rZAafB
z$s!T+Ya9+3$zhKz@azV$Iv_Bqow^~-rH}Q<v#Z^zZ}L0<rV_dSur1f%wXsTSB{=yb
zK2`TBz5U&4D2II)2Da$4giT129G5u5B`8*Dj<{OlO9mG^el8H5;jS~rT>pVe)byna
zb=vev0DREUwMn@`9G41k!dy@^Pf7OG(y=2PZNj`E{tVLN@d2Lc3KGM`6&m64+n@+s
zyEjRVhx&&J0k?QM|948r(lRj^R2$rs^9YxB6pKV~9@206LZN@`f7+V-Tr0)dm016x
zT-vvoBy1>zY*@&9#oJPDSVX*$6xno|tXV^QS1s{Nlvpx6H#DzMIbm)#mNs=qJ4nKT
z<h(yqrvK4AjKC(?P?uDxm|U&Qtf7YEO~YXe_k?)-T=(<hg3Vv^p#aESg*=ySgmOpS
z_xb;LPB5hA|MHhM1l+Et{#M+~gdiYt|9{1uB6x}c_@~Gwu)q!c5@gGnp`a~N=wXzi
znJdp}r)Oj=Lo6dzAWbZlS}?tZNtvO@@?`e3+DMHi+Yf>!$uHDYNd?k5lyQJcs5^>4
zN}#5Si5%T%sv}*zeeq}6H!rq=AuDaHWqrN$Kl=?_eEIDFoVpMPMO6rYnEJ~D%S`mc
zr=|dVz%gJaSV5vwL280h*sYDfq>vE)aGHsJ*sRS<ul{`)-07-H5c9s=ol9Fdv(_$)
ze;JsYOI&zE_${YC{fa&{@k#_ME_dk7BOF0ko{2yB4#Ua84;D|8j&MQO7d<>jxDq5k
zpt`>s%p2X`!6;t07=6DQg3tENn>-Z96gR+5-QeYF(Vm~`$@9?z@}vv&6~Y12CgZnj
z*geCpuYS09ln!aV>y?}D-@heYVOQG7S-qKciSI<^m^z$&2D10alVr|NPv;Jnwk!O=
zB2VwA6R(|_T+5}qZhch?&zsE#)BB;o-9EZFp$*{MDqu15S14C&A|ki?v1~qLNbd+(
zwKUTUbd#r>cDiEso2fO?(@*)$Y1+4$#hwiN$7EwoTW+%bw}XOzo9|uwTCU>Sabcf5
z?-$Ie9yG&-ymDDuG2%W!P_rbx#oCmO=0`3fSkSRMGpc5X4s8p0!Ee?U14*S}^`{?k
zBT(da6HZnv#>m<n&krlnj%jI)GYm}t_jSnuneRopHVyR7-rgVHXq5fRlbh!Zm4q?Y
zdX^Bs+Hd)HC;}<_vo7xR6FIoGd1H*1adgOS7Jihg(>c&ri3=I*;m6`$8P}5M$sVD@
z%7_fei70&JE(qf>;QB8PQ?o61vT|uGx>+Se)eC>{k`rwhQ{1`Br={WdgtCqSP!RC5
z<V|zT+}u7cM(HG=%*ht;p)JBS|I{8pP+_~Q+sf71WX*kc3eq(0KZ>HA2C(~6C{Kt-
zJ2`T*(P47DOYg$`w215M`}v#t60%9b$B!hh3?&Hi(Sdd`{s^izKi_@071}gbD<m3W
zLd-P_-5!?w7x6`_MZK!RcSU(P00HN%W>9qP8ned)4W>57-kqd|atBi^y`LVM<$^qB
ztgaf`HFUDth&q?qsDMJbG#6>maunh>6apoo>Nj;#Hv=-1y5~)!Zk=-JG}h*MnN&Px
zO5KIV18_^`jp_8^X4-tdRl8Uf61C>-zy|jf_eRmC&G<itX+Kr*5%FVU0e^UVMsT+U
zZnX!0*6xjgu?tKR+U3P62iGw=b2C+1pmWNF4@=HV`8ai3%*E2vlaEpk@a9Qpx>QLu
z;ah@bR_PbX|B4OT7_yXtv4B))7M{N^*|12s#h{<N;&s^_&!s6fkB!iSI<S=drHc5?
zWZDn^K^Ie+XnaLBB`LAI2rvVkn$pBpJ4?&%iC2?iI|Z#c?QF$Y5I4odWOo_b7x1^Q
zH&&%hI(HYIi^U;Oc|iKEJ|?4Gyl2HnBpDH((xg5{t6jf$!WS4M<^GPA(5zmSqGLdn
z^D|S&PtRasRddX`_JZ}oeCO9qX1vkf3PMoRUfqF<K+%DWz^G~U0f1Y(;h@7?xA4mN
zQGbm6B`<#G02wT<p~Be4TXW3K+i(nC_08?2B>vmpZ0#_cn#VgN;MWZ|Az<vA`#U<b
z?Mp^H;NaV|4f5ETx6GA+Po>alYjRfT*_LbRH>2eyP^%i%0(qw*xAS(R!aYpFhW!D)
zr~7GI2*af&*qpx&EI?q8&6O;BRuR2^)h0PuHcYdX0>)7{4RDbU;lWyTQ6ds6#?>HH
zA}s!LmBIOe2l7BJhRI!}DvFLUW868G$d|4$FqH^hyXuFQT~G=#ojR<3io)28e!Sl1
zJ9Z}Dr)5+0C4Zj9diuS+HVzt3e}AP62X(A|eBZ=@BHL(9JYf8;YMj>n81rCm@>jY;
zR#)bF?vxeVSuNv%K#C%3B+Z1+1%o^+hjxIX2diHXRP$NgRYp(y_z1gP_O*xxozI_6
z#*J`#Rm^tu+J4P#69#gVylWbx0@-rEIw24C8wls+FXX{rD$&NbMHBm@^U*0isnag>
z63dfy`cmuZTL5KanI<u<XZzxc-k<PgF*x7<komzg<>~ka(DliMGH{36jp@@z#}BT5
zPr5K}ZrLtfnmzPYLJ;wYw(9lCBuzN{6>E^yf2l|X)2cF8#Aia`44<@}=13VKN$1#p
zg5ExQ&jgx#D><>>RG<wR|2Wx*hQvv~LdGtmyL~<}%>nQ!xfcqHJ6aGtKigDs&&<{M
z=0ec<c1+Y-?ZwsB(Z$QZ)rH65L-=v*U0^KusOWfpuDjy9{#u`Yg{a_gq1Vlyy{;#T
z92laWTYRejBQmF{O%<M-k(UE7F%$2K{X%iKC}2$Kn+KcTqIMyt<cVJS>}-x1=9z^0
zYt!5{{|F%RW{01|X}a*TKAn2T>33(3)k3Ywkt~ic*<D*@ujQg*dQZ>*?)a+`0GFR7
zucxK6wuyr!=YK`&{E*B#N>2mp(yTSGhs$5Eo}Jd!cB-sIbV+Za-!0VOaCT~YxxRXt
zy>Pbbx-WvP#daz+8Bgy-M{BGUWmSg&Zy+~MxCeNEy>f((rgDm>`|GkM9Z5yJI&o%Q
z5nW|*1R{(LMvQ{IS0;_=_5V4Xzyh0E@+1GcO`Lj$i@#N$u|gkMcGbV}l5{5)e{g;Y
z-`$B3c83}2qltlf65XhS$o*l32<FdpbdRB41gYi>mCaj>EpALXHu$W;lP6sI0{Z#-
zq6d%*BK@RK;93feP<G*WkKU;RNsu)Jp6G_o$xIl?x;mJ2kn8m46~)?mv`r>Su1vGL
zU;#LXg18{d2nmr=AyI6_XnfHp!<D<HIBVqN21>?L6H6LN+&P0VH8IWWNBJW9kbcU3
z*Qobl7l64qar@53U4)hsGhOXEQ(ZhUg$d|qs`WA-Bj^>`|K%AEZigL&$Y<(*r+;bR
zA7rHZ=x_6zrCNGq(?lI!KZ^W?O=j1VV41bS1cy^79ul0tVe2c^$QG7{u`Ly@7g}mx
zboz%MEA%x`U%$3hvg=s-JdmC%d7Z^_pP*L(mt%+1T4-BQRO&-r`%AI@T9f=!3k9(3
ze5Jxn3+BV-mFtc<@cy1BVIFZW6g<Ig79DCxUj#i`-}PxC|A;C`U4H3$ixt_Q3SlJq
zJHrgGURnDBZb4ta1x1SaR-FtiCFxKN2L3A1E#ON3+gP^-O{5l!LJ2thka1ibOF?hN
zjm*uy0AEG0*#^EX88GuoObUo%$pAp)_&tOw#^Y+kf~H=tt&2tLmfNJ*PwPa`rXFJr
z<jGzv(o^YRMa#y9o!*KtOHY>~KYC+vbMcnd4j-1#A{*Wjo@q+DGa)#U3fc7PMYb~P
z`3m1+B8MMmYXm>)#QW759;-h#>@0{5pay@Hl$>O`>&K`4J*2rAdf%kQnhq#}rSD`5
zqHr*Z^F5kyt#3G3KYDnU$yIX8`%&DY@~2-O@6xrG@We&4vV)=QrISB~VCP*t+4whA
zlndV4&qZ(%Zb>+DJsvWjZ%CgX>V-C|)h5co_M`#uSo~d!+KeXh0F^U0_Iv-Mq)T$5
zy^ocK!L~)nmeb&PA4q5jGEl%6Xv|^G!FOX0G>U^3@*&ctow%y#BVJ(S>$r<^=s}MZ
zZ@x_UU>)h^&}kR?y)!b_p5dJvab0&oA(3(}6Lq8xkLE4f2*on}M0V_|XGWW6@03a1
zmI>oX7W{bPjzuL)^XNpe?TgW9DHy37lCUJmwIx=~CK~m<*1iH;2Oc0APV`w?B$NIu
zOKX=5C9ebd9=AD2FcNW(k<IdY7<OJ-hoTdiT6_{iVvHslizeEff|;TN!R(K3F`3=i
z%Xfd2#aop4F(3nVLZg}BWUFs1g`nbtQsZ|)nZ<n5WWgC>AIYSS_`)7sPwZv{o6RmX
z?4(MN=Yrx$IMqo}2}1y`MS~{n)rssPqnu2}A;r|{sG?4?jFI+EMRaJc-?x))4MEEw
z)6={+HiU`a(5aYU#O~395icH58)Eo*M0oLVYwXV^^VZOns?7zIlP6hF%ou5xje70y
zY~NxNDt8h-k^i$HuT7i-2K9FY`u(pVCI$l1;>@i6?`gDgR+fK9@9bV+NdG*G+X_MX
zF!?vx1TrOvOBA4Pr-UwoA*d&7lp3Ki6kWVqgJB{8QR*N~m%ciuX>UhfkbUM!1HYxy
zoG0<FGYO3*^A7q+bCBmCfp{0W<!*Jg_Qqp%HSPa(`-uM?vR0fW_KYN%bUO5gBXkYM
zKNH>z#usIl493I|cQ!;j(zwvB7siw|k`i%m|H8gaw;qr|hi4jQ;5qofh0fSVMyS@h
zfCsf=Kc6H&j%U}C``d8PlD8xOtI&i)tNOS`&ja$<sITFe?oqWpbCKoBf`19QuAM1!
zl>cpd_q7L2f!5*OUYk|Vz%PZ~E|U(Yy{yB&=hrcx0;Aq3;_}{WIWVVus8klEK9g~%
z^a7<KO%4Fg2DxE#MvRTnCzIdB)zO)FrZLI>#7u@C{o~L_XT`uodJzl5U|^bB&H33~
zV`FRMSmBBV@?0~;N8H+hk{!}(;p7h9T;60-12G`#EF0=8dy8Te2pLV+r5VDnv25-3
zOJKwJ63<QE;#qiLla(JYota|ZWQmlm)ZN{d2@!zl1=#VV&_K3`^=t?%HSLKXT2W|N
zH;Q+wUR=6urZ2U*?d4(Nr$QZvGm&e+Ns@ke0_TUc84BIwLz4Mb!;fS&1GjN}MssBv
z>^a`GAtkopAwFqI*phPBUsjq_Z5|VrI!Z}S$xybGiKvx)FCDKvp|oZM;{xk`R4qHD
zvI!VeNV^NBJm)MOFKq($HD;*9n#QUd(Aq0OZvE&CAN@Lqh<XX&*x~Z*5}A|T|LxNU
zSKK}?z8}2EYXB73LIt|_J&?zv>VtdaG7!Ix_kTvz^)KGd|9@><2RxPE8^5kw_Ka}t
z8M3Y!k&wOOQpuJXq9Q4}8Ih9WCArrsD-m+7l--gU3Xzd<?UhK8|9gkk@Be;2_v3iZ
z_xYaZocEmf>_@fWOW1-n4^K|ya_ZNBiFstO@Mvm)x5x6yzoUqfw$!HJYk3$Na0kT3
z@KL5!$#l4wYC0l3GKWf$(y}J$z^^i=U<4|ElRZQbX3F^WcjyqJUiWq~SbI*~mwEcp
z-7bm0gG@-jSK=Z%=gECl>idh~?;wG~H`DgE3vBg~A{b$NDv>u$q8zOB8{l@a0e-S<
zgl$%<BQ=fK<2Q*Y;Yq&|Nf-ojff53d#iImKNDX5nq`$AP&m}+N23CTlHxhoD<wgNB
z8>78JbS^skp0|1X8{>@Utk3BX?I+3T?#i#+dns|cpYm1f+_$c@gf9#xQ%2QSvTJfX
zCtuQti@2Mo3=dphNye$-#s>bZ)}X5Q%iKTDGV)6#`m;vR-AKnwibYCKI8S6Ol^}}q
zU4R+wkUp&Y0nNzu(gM#9x+jk#?l^jhwq!@-n7!%K)DL_7xH+9;QnUK3Jp1=G-1@$5
zO#g+62tUbJFPdda#(Ppn%kmeprP=qB|7bB6!CZeQlPr~J_)^z;%&7E{lrwuaG@5)P
z{d1T10Q0~xrCWbX^sJ#6^YM>G=x?H|sE)CzQ=fX8^T&!`HlK@lAy;IeQsWQhXj47x
zc1PzzhPy?h+pK=}8<`ZPl!pVp$vVi15^v=)yOGp(C0ny{BPq*@+l~reQo)H=rK>s}
zh36~iHp&B$g@8-8*xCArO?lyR*JA1_@1UjyD)N0W9hbZ=<yAMi3eV3^ia)I>7er0f
zj~V2aPpLW_zm?cueCt&Z|BDdTrm|6SEtG(jBjs~te*=FZQ#<V%%L5mZy3v~cUl4)V
zdRxOrZWq0|vpfy`SwgBN_beop);EIRC$RXLbLk~wWF<Xx&R4TMdujFF`(on*qh%q?
zjKW!_8=<wn&vQ6qEfh7NwrQ5m3g`&b=(t_TJO!0UkJBU3wX%}4Pn-e|PIi>de&FLb
z@GF)>uUq7@ardoYjO)?I<}1L_l>zlCm*&;CURS7j6u1Tzw7-}qaLtOhCsS(z19eTk
z($`MvzczmB=hYct`|+&wd}U}iUA5rDa}{B2VqdMI6fB&6k@>A04DL2j?#I5iK>2o<
zcNmEY<WgK-MLzQ~xbAak!C<YdT-wO<J+r^K1#RE2Sa8qY%B3P$tP)3c`ct+@b{m@A
zyz`0ZCQAd$g{RZQqvw3VJ#wUnn-ph-$ux}(`c?hsh0C-xLlMvog^2r$RIKw={j1@e
z4LQG}hvznve9n*eW?tw@r9tKnaG{Px<f*+&pyhlreFhe}X!3pblj#b2TxRXcT+fRW
zZ9j^;$fttkr_P@#y46)>n|JCmT61nnzW;UW7^k+VUrEke_Q}e%ujPv^Z-kYCibJI*
zyg71|3>#ntBU<h8v0ZE*0NYF9r_fAaO@}h1f^UDpaI2MKmdl|V@{L`s$TdaO@5w|H
z3J>Nw&c+Ge3farBmFo_1nS-Lw)0O1HBOg7s&G!zs>d#ULz5Ym$Zy(<W^Ip5OsMRV>
z6z>ui<;cf#P5BS?X?DAgoWBrR6Ng$AWgOxJ!;GjRbYijWs9!%rdSvcF2GM?1ea9k{
z%ri$a`#AaIUklxBE&QFh`J)R>?SNcnt)JyV(IK-H2N~WA>fYvYDiVCJveb@<DBrC8
zz@)>lScmxTJv_z#&VuR;+o1CIm&bqFWX2~(O`4y4!ZO<zbn52jKZnbbHX4%Rz^>Yd
z66}EmfSPGutb=wkaYwyapNZtUhSdz9CvLLm+s~1<+f&a45MAV8IWG9^C&tG5<-v%d
z<AE)tFB(&jE=gu{vyy@s3%~71(m=&rCmmb=d;cB@cR#*>6sv)eBe7gfX(izd(pu?=
zEL_idNPNdiN=X{4mH8wmJ2|z@B%1@;6896nyi)I2d_6&r1We%97d!^fKL!WVQ>cLM
zWftt|FaBgOyk{Yxy<3bJ*yvUx29EV;Q(Y}OqBA>{V%h;j_o$<+eEJm`Z>$zN+=FP}
z)hkZ1ld*WLoeb3(QPlhXL?f+&`E=8xC$PBUDypTyqeA{CyA3#x-U}NSo*q_ec&XR=
zfSM+@M)-whImgHnuHl~fTMtI(Uua)mwj%?K>TDhh-`nmE9o_t(u2S-$(^{W%xuxYE
z>c^WQlbD#8uo~&q8Wi*$?e%!WTY*OO42<jKsYs9gsW`+bc^r+%3FK|-q%%+4e2=XM
zvvWU+s+TaO{BxI*>hcNKBeW{=<k%i4O?^TZyQcV3@exx2lXz(*ztWE!W*C{LlakCd
z+TBM^9WOC|J$=Y==%n?8zrvzEyUi<=a1FIh4Y#Ew1J23B)1GlCM#tpOowX_44t5WR
zhWlGy>;5(U%TV=FGIS*RL}E?G6@l<hiw7)uHtDQ&HW49YRzaH167G-Th~I;q$p}5c
zmgGXo192{9qv;H$W;!e;MfLZb>1@KTmhwN9TOH9Er8bP?tMzEk6QS3#;&YWeUW2i*
zSxZ1t7(`?_#F_|Gp<c$Dmx`Ufk?clxRm%N!4&tCOzX#naXQ;N{CBGo9{kCUWrO&AE
zBNL4B3#Ai-+v}IQz{ZC>(O=ehlm&}o>K))#Zjpk6aWJt<`gK!t$#j8z%+JO2GqF7f
z!kK)<dSaIu3p`H=yF>vi$MQpO0)6KD)6+wZO07i0p4cGZM^Pr8qxvy4FB=nPI$GF=
zufEk|evas@>_T1H2NPtjcWAB;#Cn<ql=t}u<qba~7e9@9y`e>>^`jvjL-lh?g3^@o
zzBT$WYAmow4;v~QYD2rE%Jzl!=QrhQvEM(PxO%ziFj(Hwrq74nHQ2|Tg9_!N=c@g?
z`pV%Cq8%@uc%guzDSo#;S>e@;t}>Qjb+M4H-KSXnw!0^9r79|HNHC!zvQAu@jPYD<
zNh$VYzEh8CK~;I<=f&04LL+}>`vVW(TX?fgbZQ>T`0D|sURsxLL-sg#G7FR(@1|Co
zFPWphPDY<Y#bxc*X=pTJ_t55(7tWxosQbh-{_KdE;Sk+<lneh5-^$_o$bC{pT&cYq
z7Y-HoQlX)?^O8;h?cGxs16*FkR@8Fkyc(&jeQGV>B(RF0z5`=mvly8Fy&-B$`#$hg
zQCs0%p-?BCL8goImCi<tNpeSgR_Kr|0rTRH5o>lI-6P&!Pt>~fkrGM&ve&jq_SS_~
ze&x|v6}Qo+McgPGVfXr&YRR&?JbIWY7wwPbCB>Pt2U7b^h25#EI}=rNr=;2M&sfSN
zwvR%06#AQ9{W0{b<1KA!e+Of=@X)HZBU1L`!b1LjGn<rs(Hm;?C30sReqMJsD{2sO
zXL`mS6!YPO`2z*k(Z2%Z$F9<64S&Dc^-H?Zb5_7+T<MbGca%9NqQlIOY-Hq137sDc
zQ+#+)uL0J2vIO>awpRWeTB}f2ZNMSDRosvJDayo<#`TS)e%yXc;xp0D96}CW@C>_a
z;TpU});0%V+Ql4qDSic3IQFjgVA8G^==F$Y&E>)U#p@%Z9(r2n6{Yd=MEALhqf;*Z
zZHvJiuDSAY4T|C}e=U-H+Cl$$1u||#UAGY2eG|5vS?@ZU*Owx|Rl{L<?8W=a9$VbE
z0@<v6%7@nVvg9oJj1rXFJLof2y$hb0=?Y#p9UMTW-MHIK730**?)N52*}C@%pO55H
zbN@H3#$?A-zTgpDfWw@3#HVTX^M~N)=CF?^`UljnsRv?Fn~!6zu0E>~^ls}Y6;b{)
zA8=s>damb1IC-lpEN=8?gn=`YeUshUTD@F*cZ(RIu2V3zyBv~28og8+aiSXwf@ZC~
zUvzQQ8nIDVV?^z-%;NUuH8VC757NzY&>}2m!c^9O!kjObq}`6f$iETCg<X=v+{Z{q
z7wEsf$8RQUgJN-LUw_x>CI5b<_abhtxTJ@UQ(G#ZhwXFKpJox~Z$G@UgL~c<`v%Nj
z+|Wr9aN;N&u4(w48XwqQ=4tNB+L8DuN9Z^1jrxss;{$Gn{S6Ci<LBeu%&-bW$)44f
zLq}l>Zx)wk5VR|lf}&@hee2-Zf2EnbzlqJ5eWqN>t?f7JiVttbl~nS`zH9y|IJ<92
zII|xx-k%KNH?kIF?hllmzuelnFRL$14f`ivoOT6KekVTbLys7uw4ncn15;hChr#E`
zxk8R0KF*Z$imM$~>Tg+3sB%*$T*}zo%woN!!l?3Y&|q+0>ux&YM|vKH3t54)M4w>s
z(Y0G?!HMG@p)!;La~Wn=ekAONPDU#SyM_InnOVPY&zoUrVyu(<{O_GHE6ufMER!O%
zDnlO1i3yVq%4DuHBR$fEl{1N9h5MEbhh8NEl+SLBmjj||)7+ueF-mE-Crm4zgzdi4
zjPDPtP3?6&!8@Hk;7=L+8Eac;0IvrP4zIMdAr}mqkutJKnW7R|g(6u6OW##GGZ|SK
z`7v=rN%7X^HmpKBwq0%nKny7nyHc+qIfCClAY<qlp%Vwjh9rrBgTn}7z;Kupb#GXc
zDCr#5AqKd=8xjLv-_41E`tQbDQE)(Vghb&qa*`-58@WOZ$c(xW14*OqRQRQbs+ef8
zW&knH3h<7pG2tb9obdtPW0GqB@x^!2kPON~j(0=&|9pvoV$zct!q0*C=C_N1<XP-r
zhP{rGw)7#8%#b85JOlHN4O?!L0HZl>KD@zueFN>*UE{{<Qjl~3rdbw(!rtrYyA_@v
z!Yfd3U)1&7*7^5t@0M0(NQF2d5t0tDFvUSEVTUm|R6`0M2cXCJh_Y%>W+hFK%^Va0
zs%L14a*1&`^fH1VcO56@YVTdet>o|}a$6QZ4W`|Fb8*|uy?38>Yu!@BYXN=Z0)#Ty
zxlI9qsO;cC`pYVKAk#Me*4>KjH1?kJ-qFnrIeZMSO21bXUm}Dg?=Z?d90Z4)mkItM
zck9(?fO_J9FE<q+1Lp)brbxv?hJ!;XwMlWjcsYS+@4?pHL_K;0FnG+B96aU<6wSa1
z3iFT@rTyT5Hv{~g*ujIDJ!?Ty-~xJZME1R#_&ey#kb284c5q9d^hO;g;LsIEygW{p
z9>|fV+qTl|vt?5!nBW4KWpD*>`^gNkbtd9Df$3#x0b&!XQBGz%03tcSwGM-AEdF)J
zx)RZ>K<Xs1Aa|AvA&{ecu(Tco3kwww?4su9bXZ1$w5zoL8Y1mQfS;c_L@1`cD>6I8
znIR*-An**auF_4zp-?}9V&idv?PA-zP_tV(;wlIhgyENMfPrN;QigYCT>oZ*JQ#R9
ztxrsB4oqzBCfG3GfT+G0V7%2}Y-iw5@+g8_&Ft__Luv)(=tP1XHp@@QRpVWCeQxku
z6~qRC9N)1EEZJxb0cbxfPXH#|meV>2)=h4@e`^UvHUX$U#|~IsU;)-<i8Td>Xi~HW
z3-&O`uDFL8l}}O-CuYNY4i1%iL6T7dzJY9j?HrNBb-W9p0Z9zO1ulU-B%4@*0_FTc
zf_X=IX<b~wi^~N}|F&3z3Ig!VJjtEwoq4d?)DmR1^RfhGXiIXIFjyH4!78S@Cl&8^
zBp?%@w!lj?*I@w;oq11?<0pn`3%mppj{s;R5-cEJuz)o7kOVhxgKOjYc3u-=5e}8^
z+>Y~IBz}CFLL{QYL2EvNGj6=2gsmqt#Pu@?%nqDfAQq5Qx>kcLm|{LB1Y)v<1pj7+
z9O>R>E?nXSOqO_v=KC(eq10o$;z(WV5Ga?J*_QMEAiW*qA8_c{(ze{EgaVL$MKFNK
z_X><p__Zf~u$C8ZATeHM8BXp(K?X1_i2(U+toZEn<2$Ck^XwhdGeaQsWB~scMX-_5
z5(fl-K#FPxGJyRj7e9Wuu>*!c1h@ZTgluk3gQ(4)LO}2^?SGJm_aG%0@kj~D-F@x$
z{2hFaEyDOE)tx6Z#Gjy{PT>7_z_W$R3`t}o1MF8c>2)AFkP$cpV#N-=O342JL=Y{^

delta 8041
zcmZvB1y~ec)IPIxclQDkOQ$qQBVD3^NJ@i*k}e=hqp-k&q=dAjfOK~wASE3NlA?eh
z-@@Ye`}jZqeV*Al&pGdT@40u*%-l0)Y#pui2P%QiT~st2l*^xypNmo~0SlVp<yj;N
zP5<&dO3!(Dz5-nTVIt06j(o1}kNN&{z68N20p2Swm>M966rh0UwE*IP>(BtWux$Vf
zsW}GjAO#ta^goOwQfLCn5nmF{XpwE?f>2QQFi=o5V8oV;@DVxy3+_q>5Lc?8c7d+Y
zmBbjWNXp7df*N$BE|!cGKuX%YWY^MTK8kCPAOYfQ-JrY@DiTMbG;l518CU~X!?Uyg
zJPgA_LFr^bLAi?<UI6}@1;B;}vI1n#Mq^xWIz#fmt`#ZMPVengWNHYpc$~*`evBn1
zit@aa(ZkAlr#S}ZnC!K!NPcR*GgOUj%&62-6Py_w0RlfLs#aA)#p)@-YSNVl0CXkd
z_|QO|{EJ4(WT&U>_UJM)o7)2csol`O9z%_vb_Y{j(93k_=sN^WKP*KsHAR#{6SC3F
z376IV6`BI{Wj^36JD9RCF5oQAFf~PQ3Hz&jIB`Mu+%9bSU1lQFRJw#oP8H2)^hoBH
z-51)9qvKdpj~D*ixR%^5c$qbz@p9R~CY-sD6x3R!=NGqCHES^3Oi*et_etm8Eoq5A
zhrg<Skrd>&dKQGTQ_`aSBqQ~cEHp5qw>6`Gtr=?(?!JDH{8;3v{c*JL5+Hs)>wZSi
zOt>sB#VUJ2)WW#76AIbG+JS$NEnLzDJ=p5=(o9J)K`(q;O*I?kHlV85Uh;HCT@j8Q
zWt^sA?Zjf?Drk9MKT|j{sxP<KQ#du;i=mlqE<Q?mP#AtXKAn_IOqBqGK|hul*Y@^(
zN#%0=n1$Uw^q$kgr1j^)dsRV(m|L*XB<giXsbs7gT56#N8Rw_Q#O<PRF`JrKxoz8%
zT9xe@wAGy=`vfd=t!dOO3^2y(Gy*YJr~aM$z4wZw9aF02MeBdqK#ns4n;QEo2B{3k
zM1UvNa?|b*i)qNF(crcw2--B!OYq=!MX!3&;IwyrvWw7+)%yc6%MMX$`@7F2U&z$=
zXVvF57;a5I5SWeUubEN)oD&ojWnZ((Pp7Ysl~u*}hQCG<w~MekpMApBP<v_U8Me9o
zLRBI+WyheVQCF70R&*7y*teBFMX)`jpvph4qEynU_Qle=H8?i9lNE}lOBr1FcDhsX
zJ1>p@)Fvs-_8e1&vY`880!w)5`u5*2@nn5_8w@_?4b|4nSoKa{x{P~M4Q3{}su>!J
z$}43(BSj=z#zEyiNuo1)j(WE|?K^fTZlC;k%Q~{}(h>GCBAjfxZb-GjU}P_;g={D{
zI&9uj8QV{5yRUdYK|>!J))M^oeTaRikeQL6pP=oGnZ?0GCRkya$Xs-`i1n1Jqqar2
z-IY9FHAT1JZiT_4(XxJcQE**=h2qI9k<f}Qc;oXaxQURBov^^O567=gBi6|R6x}W<
z6EB|bt>Mo9)M{*?*gQp}8^2DvzDqwoFVj8SJh<idurr$Zhi|S>x$|*7p>yBV@Gk`s
z-}?ahk6$s!w&33$e0#9STB6JjHnYX7pRJzjsjU)AP^LQBsSKul=oUp+9LOnK#L@J1
z<S?}j7W9f8?UtW`PNKG&FIZRxQ(iv3r^$%|A3eI^^+AlaLJhTU{>y{<p6}M&w#qpS
z=z4GVMM;xQ*J$a&ptirX-|8fevpO>L3YVEx^JtfYwxrl!-TLFkonTMuv>B7cX_zi@
zmTbTJW5mRe=?T+AM-4${HI;jWoa{Ea#s{Rf-sHIH-+wA>_?C$zYpSfa$|devyv9Au
z5tGnrEdb%~_5h0Q=AKgFd7h~uFp)FE?u9b7ZuR1^(ZG*1>CnmjXJ-oCLdWby84}xu
zd1Jlt$<=;^E6Um;)5h~IM*T(~mhRIJFPZ1GJo4Q-7E7Pn2R*b7nA|5B8r^4X;MNJK
zrFgeO-cY#G?5+9eWVRrP=Hb*6BG*lCeFxbv1qtmJ!Fz<(g}myD1ufXqo>?;X*2NkD
z!5+!Jl6ri@{YOyTb^3dJ%n8{Zk`sxiPGFcIi&37<(=v*0ZR|FuIT~iiO35+8N&G^u
z$dh}CG!r-zAee?Yns#+qVeS+Zgugby90?`jdf=)D`vwC)U2<6y@<;ZcI~nnCr_U+B
zGRUY=Ag$w74pTRaBFpZ1{wyPgA+;!SG)w(aR()$!o@yjCNNG+&nbc}JF0}u)SyX$!
z1h>;@hqsvq5vd6ASSPE%{cfe(_ZBxn=r3)wDD^uGH0g3z1e0k#s-!0t+jQnJ84b26
zx4&!q%3Sud%r`#f=$m!NfOTyrk2Z)DXIIa0S_5Wpl;EEJ%0ppQQ}bc}19}$yFN)GG
z7Ap;Xsl_`u(9*g4tE(W#HHZG{0S#m4A#42t>zPFRB=uXWeCqCBA9(14yo~bn&jw<u
zKX|&=|5^Jm=&@gwwbEr_$mKH~##8?mqBk*rV)U5B)j5&4a>y&*Rigt&KOpt#%Xr}U
z1r*hkzLSDmM(}<Emq~0{om?J1ME-MMiH65m;^2cvYS8C$!*&a8sy=Dz5tOlk(^60m
z<}@RJ3+^UqbZ+?M3Z_}k0m1nLc&xoG^`md<`5EOR>7vIIjW7KV-4q_)QI4w@%$^cY
zW*SkHSD^`czPz6FHPOic8WNVYRUt6DjGcjzdaBjCtQ1;}qw%}142&lN8D|nw^ZmLR
zKA`9mdIXhWCFmNHK8{(A2^z0FrR^A?;o~Kv_w^97-6$*Eh@@5z2|Z;~d1Wp3Cv@C(
zPLMyD>)x~b<phtxm4$hOVSVZB7g?STn)~0%z63It41_kuMa=Z5OypQ|rR^-uo6yEm
zOBa^K#Vyj?`X%NDOzuUTayAz<o4my#M2E&6RyIPl`mMgrJb<K8qgjs*_F7%El-Q--
z%eNmjF12kr^bswW<_T}!R3*gQnpCy?WRcOcTV0(vh(G8Y?flp|aW}e1v|6N!z*LLX
z<TJo-qd2gKp@vQ4duBoCa=`uBT*x$l6pNVl4y$vnaW2il4r3mkN8_QWB?q30PPZ@1
z;A>MTMxW_X*kpd20No1`Zq&tgR_^X_BIDLl5`%1YhTI8B?NK`OlCM*HjD(;4r^LHR
zr81(=W?G)KF7$qEB>HHjQ^A<~XR&CW@Ioej;`EpNY!O;&*JJVt;O>bOb^@7TOm?0m
zm=mOF+-)9Yn;N9Y))d*yc1Euq1pI}RmK5PYcT_rmjBq|w=N*L2wLOM_zNq%5#INpu
znvbzQseUN_v2}t=WwO?#+D$fd-!59zrcW8CFS!Ecjx*NhuYnckROQ`XMH<nrLmq64
z90S<Wq`Oay)~wTCR?`1`D-OXg_MA`I29i2ADEgu-(3X8%4C`DBmm8y^t9Ao!cgNB{
zg>D~>KXiT;R6ctUbtGx2zPdj>-4JQ6cO>=AiIK}^Ds4P876iA#G53ydqR&p*m^^w{
z7-IE&VP}g#TDQ)G_`9%8X2$Sq3$CY@6hqxkrh($MI`$=NZwo%315_cRVfJ<^isHh<
zUUm!;kJdXmYnotN*$z2BnSyERVth4$9w@AaGzW5Q*td{e<%CyCPvytbr8eGucl_LP
zICV@$gX7&%YEo_YM={KwlvsP6Rp%rc9l3pz-&2LBJ|utX<LBQcvg9z*oy8ENbLU+e
zViTt@G$6th&{gPTZpXwFDpq`0Mz;cs*(d#8cqbsq;LZSHX0gKo!;GxbBW+-|^bS<~
z!~1GSew?ZG`;x66pMspM3-VLZreFOyp@<$Ekq%2lH`;&N!Cpc_&0DbeC8n;hAmDZ(
z+Tcg8#@lsY@7*&r^BQ=rQS>|XECPIF^G-07mFGaS+}gL1V(iq7I}cUNs_Xu{mbo{s
zT70&X@TpgQegck9+)Q=!JU7;`_NVR{LP@!H+qd;T_Xd2_$k-zIF|(!Y0Av$x=W2_M
z>^@8^O}Ve@V!`cV#l7>$eO^s;Ua4XCJt^iM^ITDx+Gx1pZD6DP3wmvZvOsa_R?#P0
z9-rEH8&}NzG5)mdIGD|tGvy#X!P|o$?eThT^P)0sHF^(7x>ZhY_1lLum@EDL?Ew`N
ztAMePoLlMohT#a~Z#W*;zQR4d(2gB$+4{mE&XX;W)lou4S(s${nUPfLZo*itE%ghD
zu1p^nUQpAU;qVsl$+}{TIqd=IfjINU^8x8VY@BtU04z9>HB`0-6GJXtIV=!!bMb}7
zLTFM9p_KrGg^G9l;cMbI-Q@WYyG|&#FH6wAm9S)Z$Y36qiLBG$aR{nOC9Vmoj2hyt
z5$4V!nf8+*d`ygABD5!td1P-%|Jak)wL|Z(y5EY%>B<4u#QI-#5%ac6rqGwAPhI#Z
z;wqcAo}4}Bj>~DpJakmBVTSTig!Yjsc5{Sj=@6-L@iAAgmiwC(w$xR;iPeS*4ryCp
zq}!(Xy?P|w|Lc^_<F60s2$a$jSzN+buGiRhx?cz?eW~nvYggvQaGZzGmzOdsnf`Oo
zEKr{|CoZ|SO?<$sLaAI+`?@2+onX4|jr)xuCeiL&q=gJUpCZL64Wok-U~^l(^sf|u
zk*vLJp-lVk$=S^7k@Ckq?-QmY-%F?U#(YLQ%>?yd@()gKwLjx1%|M%f9tS&N^S^)o
zd=2`qG{Zu<tfVT@EUm7KA4hBcYbnF_8R)9eQBB{--2qTgC{R&QBoT!U1g>}sAcdys
zX}XTf5e1~=gp=y&wcS&Am%BDng=vJv%vy5?hfOthjLCttAkSgNY25jTSJlINYmb=;
z66BUK_p*tstRi$e(M=A98j^inZKW5W{wElV;_1SRi}Lso0tN~1&vMvBUZ2a1+E-{M
zslWem^=*Q>2_I0+wCg|N_2&2)<u?iCke;<Lo{RLdd|7Qp{65a&6UXN3vmmH<{Pc?{
z#xt3T($yo%Gce94idc<x@SC&qFb#0w4p+%G<dyp~#{r$`$UMa<8ZI6cd*RqFN|=tV
zSw|37cU%4dUrU6vE_Qprg>RRY(8{;z@>F$};s}w~?}N2h!q|gDddnx>zQ++j`O=21
ztkmYG@!Re+FLf4RubLzjohKX%(*|OQt9~?$rQ7sK;Bd&y^K$YKaL6)=;`|`T&>^83
z9XsQG(V;4E)KNZXzkKTfUK;c(PWw}bD%wazHWvmD=SAPf^LMmr5Id43+wpug2Tq>?
zZL{gujSH%A*iOQu9pLuJi#lpB^!#vmK~u{{Zp8NYDcDq{y31QRWpyMyVMLxDpMS2W
zQSjumfeXCiZf1{O)9a{*k1YO>Z0j>LDJ?ibg1ijMf<*5Rnyb}DOL|Jw`YDyEiBFH8
zMvPh1&wVhpToNjzChspO^!dg`{I&nvuGJ?w$rkPZCugLc%FvL-@xB}Fb#YAO8F;ND
z4%oQXodptK7vRL<Fao4UK78le`Znbm4pK+{-V*~UMHd%cvq+T>US}hImCCiwxV8=x
ziKA$-xc2bt^1CkCPrIY9aghTbuC3DJLLh?6Jns+UjtW6!@+c~7go^<tw}uV(<^>2V
zt0rQu-Ib??@R8(HYYf-JNNj(^xN<KaP)^cAM?q=Bg+1ZBbjPpcIDCeFWpl>S;dLZH
zLE&V8F)1N!Uyk7fS2s|Txk8}=;v>ZgJ_?EiENFtYCI=I+MFv+xKmgPMXqR7C-~)sJ
zCsH~g1f-FY1QDQwEswCa7%O#;!o!FFS?H|GoG4Mi?|Ws+fmupM6=@hec!qYwd4Z#~
z_;Iy%BkUhKCIsJe1m!rn2A}zb=J0+tqm_()vCg)&l)N;jI`js|J+_f0_D&7w%E3l^
ziQY-UZr<@*H^PnEGbDVZ;TH$PxEGkaJ(3btJ>w>7jz0$nqn{miENaEX#GE(tJ#2tt
zbdi;Ez;O=4=opxeF{Sdx@EUr+#dckk8ev^THG<V039UYRzb(8U-NG5;zO~H<W*s1Y
zyVT-3iZ@{C!Hsn<(Gn}XC*n+sKwLL{ZtO_HO3@j$IZI5Hn{0kj6&O{&ZzhZFA37sf
z+8?eBx|o?@-YYsGd;p`oH=|lwJM#vbgtbx}gR!%XVv;McGi)~Ow|c%R{bRtHm@bdC
z;f!8{lsT0(nAO+@RD!)OxQE}fYz1bK_b`kcy-2r-lBcm>cd|-;!+juy8sHtQm*o~k
z{(;SL5u>AsN513};}m$xIF1U?vO-imoBbdGTHtivdbtmhHlr`dfrjhFr3UTE4JmXk
z|CPmk)avp4hjetg9gdn~?E(pR8!UTerNwo;&%5=s7n@2ghtx@RbW^>Mo`oNCVI-&T
z_Xu^67uoSj50@m}Ng}Iix*CpA%|>x={VO}oaD}u^h&&Yl52k;Dxm0Isrb8iVzuU^S
zC;o{ihY*LW#~|h9*l?ssb}V$I>OuPIZTPH4ujqUfam-Xy#}bB6$=##JCV{d{%zL5S
zsbcjcUeD^yy2WS+#4|mQ@@5w(N5o|JW|MVFhEn&E_VV9RpNbWcbB_t<MKMvnFoIAT
z5qiywH*oq+Skir=$4{wb6zTU$7*FNz>)m^3Pc<K~m0#&P!9?A<jKu<Vq_B=Y8GkbU
zM#L}0n4>TMVIZ!Pe`x7`;oNU!f?#a}bw-S>VidWM+_A|auF9B4hqVtIBTHj4zBUW4
zsrhRfQ|Nv)$<#)rk3QYN=IA+$<G%X{ril|a0y4Wh*DyW<*=D<)+U4ey7R@IR?Putw
zG~Sz#Z{Zqd5TJoR-H!SiD$`@yBEOvw@*3Clk+_lV?|S-PTXs7f&&Hatd3p1q?)d~~
zm1U4esz$e0kZz5lqT-Gf85uStRo|z1>o-hTfNsNnsHuTB4l9B>K)a)HD^5_}x@)mv
zT1<m{p|L20dfksRo0?+RjG&j3MMHem_SsMbTAg_4>Kn}OsX^Io(5G&>nZ%NH)n715
zrHC@!_y<<{XUk^q)DamUabaLuvHj(W15f;z`mT{N&u|+|I`Yh0fP91i!cCHo3i-}V
zwr$pBaUuv|DrmRbRrzAOy=#$~)(Yxh2#7qxhGi;oSnaWaS#ae=4c`2T#5-O@kAD@3
zs<+g9t5hV?EqS4b2O5s!+##njih=jqWW0JrH$;b|%@#7~k~>a9R)e|{rH0YickCS<
zBmtT7%KR(NJD5RS!>Z=sWR%~a^Y~3*tbLTkH{xTnma19_tcV;Tir;&OZtWGj<zlkG
zO=I~vbH5ikc&WE_$0j=Jgf(X{GDOYVa=ld(zj)j|m|zZbZ-U<G<|)PAAUD>7XsNrO
zZEPOxrPby{q-FS4)TNOv9S`OoBuh_rX{9~Ww^2uR*E$YTe_Sj_1@Xwt{h{V#WUiE*
zsJx!u^eIo~oFSQ%PAN%XGtA1Py24ERtFm>$r~1%1@lGk_)2?C1*11`{>?!DHt<PO^
zj}=Di8lgWee%eAWtjPC&8A9*Qq~|&+xo0i>nA=8IZnnbqO+CV5?M>lH=m9q+q*VpR
z-f14m$5YEM!SZDgczZW^j5L^4_jE}mE2=Urbcj3{OuCP!+hl=m(3Iml{b__*{)Lu^
zCP$V!N%g*O@3NgN38|QUnBfrWnyo0Km^sz_8#_w*teo4>;nvKP=)A9XF+VC-R(C3@
zzTi73@fI^st~LG{xMe+m=>I+-$?|?}{nOg#*&4*<QB!*h76GsO8XRXuxN7mfK?X=k
z{(3Ca%l`ckQ^~etaqRCQ(o>l~{r$<1h`I9~eK5_UozE{S48IWKRlW(AZ+Oy@>jXP%
zk+=4Ko4_j{2S6)p2z5<{gU+2B8-_eecLomgeS!(=G4Isqc_*p3>VFj9_!d0&qcwfn
zOr09zPm+mppPuz<eA0t^F0y4<7K_5~zI&cJVi5Ky=S2)QdQNIT5hor#y^}ll{Q_zq
zlKv}%U|($P_n(or(m^S^ty`gFJKhOh%$@Z?@PNZled6oTO=qJ`h58f!+*fiER$2?Q
zkECTKFIJ|yH{<kSx(<2GmOc#nO}vT~_-7Q}rb9ON62@AA)PA=QB8o)+*z7t2=Oo86
zE36?7@BaQ^Rqyr<%`9CRWCx#;e%M<y|8J9V`AW3t>`!n+G!$GBhdAQUR5Fm~f!9$2
zYLKUpK7+k}K7D>+U4G$@f`XNT0!D7X@pbtH`GuFb?(%RA4GdR`j8u*Yt-*Pz05Rn2
z)Se0ux@uv-GpPWXt2aG-nF`=RN~F|)08&z={%4J#zV1Z8N2md1q?L#kpn(h1`~%z5
z0D4G6GYz2mzmU5~$($C@K}wahz*D5eLkHL(r9?Ww4k>}?fqPfm1wGidLLXwX(ukc3
zKiq*H;DNg`0+{g6i~uzfy3YvEfGQ~9x{LrD>@6QXT$>5NLz>K)5T*et*gH`MScw2J
zT$3KaW4he?L=f>OE+D!k9+%w`1pB{VPS6rHT!0PWf@vvX!wBxs!kfVV$cDfOGA{am
zX2vVi727UKnivKmzHG#y_>T&4&IvkYx`gvzHA7&f2KaD#y6XsTG)!*zSc3oaxon^?
zU5#PPm;%B;M0|#*I}~o<_4zLGw_)m*`2U5ZJ7L&AjtFND;c^pRCvXYZy&`QEPo*S9
zAgIw$P}Fab?g(9?WMSL3|A+KO?Q;WeFM0{*x~zp5ub7!>AN|xvu>MB$gl>*sb{h#T
zxdpIaLE(%U+%<?G&Jml*n?YDhBcTlJ*Ud7x4m;u+ypX$6!&E)N|E*{8d3$mkVr^Wp
z5Ovv&*f5o@uD^5u<JI*?W=1Rrg6KdMVWEL{a{wY&+C)x-5>xk52@?;8{GUX6a%o97
zzp{+L$>9y0|FUA>((=aYiU`C72qWnwxDZ-g7kDfLpo7W2=Ypql{c|Y3G`;ZrXQF^R
zFaRV-FCqxSB<S<cgaOxr04!H)WV`+uhKpFvyNKC=Z_EzW{}RrBg_2~%v#~|A96t~v
zw$?XLT7mE-2%w4_hKCz53|<%vIAno4aRZ!JzM#R>TsB0)+(ldosT;meVlI)e;x1bF
zBHwlP>PuuZ$|B-XM6^SNZ=m;HU!fsAr2nDqpMiSy5qFv!V#_ao1056(58?r|uOh&W
z{hG6kh~PIO0<jw?p_EG$2b_u*pud9tSGph`3OAq*X;;%i6f(3|NXtxxc3Z@-#k43W
zS~rkV83-ghOmmGA7B@u#j}ZWHz{n2(xl+$2+7RIqAu5<VH+%?6u6^kLo19|J%uiDU
zIvX*H><u)36#~r#@8ttnkPE-ZhgkS;bqMX9D}SW+AwNQ!+yW~<R{M|jMwN7f)qWTr
zgb7H&_c;D#l%xQH0BsUM%L<nx07x(Af`@#<rz1?LZBr=ldI5kAsX{!Jsn9MicBkO6
zL;xF{PVgU=TM$9R|K(E6!>w}{0Fj|0t}Y4|%KsKzh*=J@p`Zxfh{xy3L->Zr|L<+}
f&nYM9?ZV|40&qbgfP_E-k*U%YC@7|jmw^8PQnHT6


From 59211f7568878252e4860362a4a5dcabe4023646 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 26 Jan 2015 10:14:03 +0000
Subject: [PATCH 36/56] Provide EntityAttributeAddingStage shorthand.

---
 mdx/common-beans.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 4f0cbf0b..fb504204 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -278,6 +278,9 @@
 
     <bean id="EntityAttributeFilteringStage" abstract="true" parent="stage_parent"
         class="uk.org.ukfederation.mda.dom.saml.mdattr.EntityAttributeFilteringStage"/>
+        
+    <bean id="EntityAttributeAddingStage" abstract="true" parent="stage_parent"
+        class="uk.org.ukfederation.mda.dom.saml.mdattr.EntityAttributeAddingStage"/>
 
     <bean id="EntityCategoryMatcher" abstract="true"
         class="uk.org.ukfederation.mda.dom.saml.mdattr.EntityCategoryMatcher"/>

From e15b0403e0d8577654aee22c88b8ab00813cc078 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 26 Jan 2015 10:15:41 +0000
Subject: [PATCH 37/56] Use EntityAttributeAddingStage for hide from discovery.

The old XSLT-based translation from wayf:HideFromWAYF to the new hide-from-discovery category didn't interact properly with explicit entity attributes present in the fragment files. Fix this by using EntityAttributeAddingStage instead.
---
 mdx/uk/add_hide_category.xsl | 66 ------------------------------------
 mdx/uk/beans.xml             | 42 ++++++++++++++++++++---
 2 files changed, 37 insertions(+), 71 deletions(-)
 delete mode 100644 mdx/uk/add_hide_category.xsl

diff --git a/mdx/uk/add_hide_category.xsl b/mdx/uk/add_hide_category.xsl
deleted file mode 100644
index 164ffd88..00000000
--- a/mdx/uk/add_hide_category.xsl
+++ /dev/null
@@ -1,66 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-	add_hide_category.xsl
-
-	Adds the REFEDS "Hide from Discovery" entity category to IdPs which are already
-	labelled with the UK federation's "HideFromWAYF" marker element.
-	
-	Assumes that the IdP in question has an Extensions element already, but no
-	entity attributes. This is currently true for UKf-registered entities, but
-	a longer term solution will require the ability to add a new value into
-	an existing collection of entity attributes.
-
--->
-<xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="md">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]/md:Extensions[wayf:HideFromWAYF]">
-		<xsl:copy>
-			<xsl:text>&#10;</xsl:text>
-			<xsl:text>        </xsl:text>
-			<xsl:element name="mdattr:EntityAttributes">
-				<xsl:text>&#10;</xsl:text>
-				<xsl:text>            </xsl:text>
-				<xsl:element name="saml:Attribute">
-					<xsl:attribute name="Name">http://macedir.org/entity-category</xsl:attribute>
-					<xsl:attribute name="NameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</xsl:attribute>
-					<xsl:text>&#10;</xsl:text>
-					<xsl:text>                </xsl:text>
-					<xsl:element name="saml:AttributeValue">
-						<xsl:text>http://refeds.org/category/hide-from-discovery</xsl:text>
-					</xsl:element>
-					<xsl:text>&#10;</xsl:text>
-					<xsl:text>            </xsl:text>
-				</xsl:element>
-				<xsl:text>&#10;</xsl:text>
-				<xsl:text>        </xsl:text>
-			</xsl:element>
-			<xsl:apply-templates select="node()"/>
-		</xsl:copy>
-	</xsl:template>
-	
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
-</xsl:stylesheet>
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 2989b872..581c3953 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -444,12 +444,44 @@
                     Add REFEDS Hide from Discovery category as a standardised
                     equivalent to our HideFromWAYF element.
                 -->
-                <bean p:id="uk_addHideFromDiscovery" parent="XSLTransformationStage">
-                    <property name="XSLResource">
-                        <bean parent="ClassPathResource">
-                            <constructor-arg value="uk/add_hide_category.xsl"/>
+                <bean p:id="uk_addHideFromDiscovery" parent="SplitMergeStage">
+                    <!-- select entities with HideFromWayf label -->
+                    <property name="selectionStrategy">
+                        <bean parent="XPathItemSelectionStrategy">
+                            <constructor-arg value="/md:EntityDescriptor[md:Extensions/wayf:HideFromWAYF]"/>
+                            <constructor-arg ref="commonNamespaces"/>
                         </bean>
-                    </property>                    
+                    </property>
+                    
+                    <!--
+                        Pipeline for selected items.
+                    -->
+                    <property name="selectedItemPipeline">
+                        <bean p:id="selectedItemPipeline" parent="SimplePipeline">
+                            <property name="stages">
+                                <bean p:id="addHideFromDiscovery" parent="EntityAttributeAddingStage"
+                                    p:attributeValue="http://refeds.org/category/hide-from-discovery"
+                                    p:addingFirstChild="true"/>
+                            </property>
+                        </bean>
+                    </property>
+                    
+                    <!--
+                        Pipeline for unselected items.
+                        
+                        This is only required because of MDA-140, and can be removed when
+                        we move to MDA 0.9.0.
+                    -->
+                    <property name="nonselectedItemPipeline">
+                        <bean p:id="nonselectedItemPipeline" parent="SimplePipeline">
+                            <property name="stages">
+                                <list>
+                                    <!-- nothing required -->
+                                </list>
+                            </property>
+                        </bean>
+                    </property>
+
                 </bean>
                 
                 <ref bean="checkSchemas"/>

From f6745bded8d23e298c5b3e76d0368c6aabfd908e Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 28 Jan 2015 16:59:48 +0000
Subject: [PATCH 38/56] Classify and report Shibboleth 3.x entities.

---
 mdx/uk/statistics.xsl | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index a5909989..2caa9d1c 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -1734,10 +1734,21 @@
             <xsl:variable name="entities.openathens.out"
                 select="set:difference($entities.openathens.in, $entities.openathens)"/>
             
+            <!--
+                Classify Shibboleth 3 IdPs entities.
+            -->
+            <xsl:variable name="entities.shib.3.in" select="$entities.openathens.out"/>
+            <xsl:variable name="entities.shib.3"
+                select="$entities.shib.3.in[
+                md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '3']
+                ]"/>
+            <xsl:variable name="entities.shib.3.out"
+                select="set:difference($entities.shib.3.in, $entities.shib.3)"/>
+            
             <!--
                 Classify Shibboleth 2.0 IdPs and SPs.
             -->
-            <xsl:variable name="entities.shib.2.in" select="$entities.openathens.out"/>
+            <xsl:variable name="entities.shib.2.in" select="$entities.shib.3.out"/>
             <xsl:variable name="entities.shib.2"
                 select="$entities.shib.2.in[
                     md:IDPSSODescriptor/md:SingleSignOnService[contains(@Location, '/profile/Shibboleth/SSO')] |
@@ -1816,19 +1827,25 @@
             -->
             
             <xsl:call-template name="entity.breakdown.by.software.line">
-                <xsl:with-param name="entities" select="$entities.shib.13"/>
-                <xsl:with-param name="name">Shibboleth 1.3</xsl:with-param>
+                <xsl:with-param name="entities" select="$entities.shib.3"/>
+                <xsl:with-param name="name">Shibboleth 3.x</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
-                <xsl:with-param name="show.max" select="10"/>
             </xsl:call-template>
-
+            
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.shib.2"/>
                 <xsl:with-param name="name">Shibboleth 2.x</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
             
-            <xsl:variable name="entities.shib" select="$entities.shib.13 | $entities.shib.2"/>
+            <xsl:call-template name="entity.breakdown.by.software.line">
+                <xsl:with-param name="entities" select="$entities.shib.13"/>
+                <xsl:with-param name="name">Shibboleth 1.3</xsl:with-param>
+                <xsl:with-param name="total" select="$entityCount"/>
+                <xsl:with-param name="show.max" select="10"/>
+            </xsl:call-template>
+
+            <xsl:variable name="entities.shib" select="$entities.shib.13 | $entities.shib.2 | $entities.shib.3"/>
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.shib"/>
                 <xsl:with-param name="name">Shibboleth combined</xsl:with-param>

From 6b0e6bdb10be58a8b22784619697e15a004ed739 Mon Sep 17 00:00:00 2001
From: Alex Stuart <Alex.Stuart@ed.ac.uk>
Date: Tue, 10 Feb 2015 16:50:00 +0000
Subject: [PATCH 39/56] Allow encryption method agility metadata to be
 published in the production aggregate.

---
 mdx/uk/generate.xml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index a31c63fc..19fcee87 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -335,14 +335,12 @@
                 <ref bean="errorTerminatingFilter"/>
                 
                 <ref bean="uk_assemble"/>
-                <ref bean="fixup_EncryptionMethod"/>
                 <ref bean="performOtherFixups"/>
                 <ref bean="uk_finaliseProduction"/>
                 <ref bean="uk_normaliseNamespaces"/>
                 
                 <!-- production aggregate MUST pass publishability test -->
                 <ref bean="checkPublishable"/>
-                <ref bean="check_fixup_encmethod"/>
                 <ref bean="errorTerminatingFilter"/>
                 
                 <ref bean="serializeUnsignedProductionAggregate"/>

From dca957ee9146628d83008eafbe5377b36f135100 Mon Sep 17 00:00:00 2001
From: Alex Stuart <Alex.Stuart@ed.ac.uk>
Date: Fri, 13 Feb 2015 13:00:54 +0000
Subject: [PATCH 40/56] Added option to filter by OrganizationName

---
 build/query-entities.pl | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/build/query-entities.pl b/build/query-entities.pl
index 917d4b35..1c31b422 100755
--- a/build/query-entities.pl
+++ b/build/query-entities.pl
@@ -14,7 +14,7 @@
 sub help {
 	print<<'EOF';
 
-usage: query-entities.pl [--help] [--head] [--idonly] [--idp] [--sp] [--reg <registrationAuthority>] [--notreg <registrationAuthority>] <file>
+usage: query-entities.pl [--help] [--head] [--idonly] [--idp] [--sp] [--reg <registrationAuthority>] [--notreg <registrationAuthority>] [--org <OrganizationName>] <file>
 
 Outputs the entityID, display name(s) and other information about entities in the given SAML metadata aggregate file.
 
@@ -32,6 +32,8 @@ sub help {
 --notreg <registrationAuthority>	- outputs those entities NOT registered by registrationAuthority
 	(By default the script outputs all entities; can only have one of --reg or --notreg)
 	
+--org <OrganizationName>    - outputs entities with this OrganizationName (xml:lang="en" only in this version))
+	
 Example 1:
 To output all SPs in the UK federation metadata which have been imported (i.e. are not registered by the UKAMF registrationAuthority http://ukfederation.org.uk), and to include a header on the CSV file:
 
@@ -42,6 +44,11 @@ sub help {
 
 query-entities.pl --head --idp -reg http://ukfederation.org.uk ukfederation-export.xml
 
+Example 3:
+To output all entities with OrganizationName 'University of Edinburgh'
+
+query-entities.pl --org 'University of Edinburgh' ukfederation-metadata.xml
+
 EOF
 }
 
@@ -52,6 +59,7 @@ sub help {
 my $help;
 my $head;
 my $idonly;
+my $org;
 
 my $result = GetOptions(
 		"idp" => \$idp,
@@ -60,7 +68,8 @@ sub help {
 		"notreg=s" => \$notreg,
 		"help" => \$help,
 		"head" => \$head,
-		"idonly" => \$idonly
+		"idonly" => \$idonly,
+		"org=s" => \$org
 		);
 
 if ($help) {
@@ -111,6 +120,7 @@ sub help {
 	if ($sp) { print "sp: $sp\n"; }
 	if ($reg) { print "reg: $reg\n"; }
 	if ($notreg) { print "notreg: $notreg\n"; }
+	if ($org) { print "org: $org\n"; }
 }
 
 #
@@ -129,7 +139,7 @@ sub help {
 #
 # print header
 #
-if ($head) { print "# type, entityID, registrationAuthority, OrganizationDisplayName, OrganizationURL\n"; }
+if ($head) { print "# type, entityID, registrationAuthority, OrganizationName, OrganizationDisplayName, OrganizationURL\n"; }
 
 #
 # Workhorse
@@ -145,11 +155,12 @@ sub help {
 
 sub is_entity () {
 	my ($t, $section)= @_;
-	my ($entityID, $ODN, $URL, $registrationAuthority, $type, $temp);
+	my ($entityID, $OrganizationName, $ODN, $URL, $registrationAuthority, $type, $temp);
 
 	$entityID = "No entityID found";
 	$entityID = $section->{'att'}->{'entityID'};
 
+    $OrganizationName = "No OrganizationName found";
 	$ODN = "No OrganizationDisplayName found";
 	$URL = "No URL found";	
 	# Turns out the Organization element is optional
@@ -159,12 +170,18 @@ ()
 				$ODN = $temp;
 			}
 		}
+		if ( $section->first_child('Organization')->first_child('OrganizationName[@xml:lang="en"]') ) {
+			if ( $temp = $section->first_child('Organization')->first_child('OrganizationName[@xml:lang="en"]')->text) {
+				$OrganizationName = $temp;
+			}
+		}
 		if ( $section->first_child('Organization')->first_child('OrganizationURL') ) {
 			if ( $temp = $section->first_child('Organization')->first_child('OrganizationURL')->text) {
 				$URL = $temp;
 			}
 		}	
 	}
+	if ( $org && $org ne $OrganizationName ) { return; }
 	
 	$registrationAuthority = "No registrationAuthority found";
 	# Even though eduGAIN Metadata profile says entities MUST have MDRPI, turns out the eduGAIN aggregate does not enforce this rule. However, the eduGAIN site allows people to validate federations' incoming aggregates. See http://www.edugain.org/technical/status.php and go to countries' entry 'validate this metadata set'
@@ -176,8 +193,7 @@ ()
 				}
 			}
 		}
-	}
-	
+	}	
 	if ( $notreg && $notreg eq $registrationAuthority ) { return; }
 	if ( $reg && $reg ne $registrationAuthority ) { return; }
 
@@ -189,7 +205,7 @@ ()
 		if ($idonly) {
 			print "$entityID\n";
 		} else {	
-			print "$type, $entityID, $registrationAuthority, \"$ODN\", $URL\n"
+			print "$type, $entityID, $registrationAuthority, \"$OrganizationName\", \"$ODN\", $URL\n"
 		}
 	}
 }

From c11dff38cd01cf80526b83f4d4868a9681acdca2 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 24 Feb 2015 10:42:14 +0000
Subject: [PATCH 41/56] Stop adding trust roots to fallback aggregate.

---
 mdx/uk/generate.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 19fcee87..f1ae44ef 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -578,7 +578,6 @@
                 <ref bean="fixup_EncryptionMethod"/>
                 <ref bean="performOtherFixups"/>
                 <ref bean="removeEmptyExtensions"/>
-                <ref bean="uk_addTrustRoots"/>
                 <ref bean="uk_finaliseFallback"/>
                 <ref bean="uk_normaliseFallback"/>
                 

From fdf75836841658ce03019230e4b246a0c79bedf0 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 6 Mar 2015 16:03:43 +0000
Subject: [PATCH 42/56] Remove check authorities script and target.

We no longer have any authorities.
---
 build.xml                   |  11 ---
 mdx/uk/check_authorities.pl | 160 ------------------------------------
 2 files changed, 171 deletions(-)
 delete mode 100755 mdx/uk/check_authorities.pl

diff --git a/build.xml b/build.xml
index 1ce4089d..94097691 100644
--- a/build.xml
+++ b/build.xml
@@ -1272,17 +1272,6 @@
             x="${mdx.dir}/uk/extract_authorities.xsl"/>
     </target>
 
-    <!--
-        Check authorities
-    -->
-    <target name="check.authorities">
-        <echo>Checking authority certificates</echo>
-        <exec executable="perl" dir="${mdx.dir}/uk"
-            input="${mdx.dir}/uk/authorities.pem">
-            <arg value="${mdx.dir}/uk/check_authorities.pl"/>
-        </exec>
-    </target>
-
     <!--
         Utility to fold overlong embedded certificates.
     -->
diff --git a/mdx/uk/check_authorities.pl b/mdx/uk/check_authorities.pl
deleted file mode 100755
index 2d5f1ee2..00000000
--- a/mdx/uk/check_authorities.pl
+++ /dev/null
@@ -1,160 +0,0 @@
-#!/usr/bin/perl -w
-use File::Temp qw(tempfile);
-use Date::Parse;
-use Digest::SHA1 qw(sha1 sha1_hex sha1_base64);
-
-sub error {
-	my($s) = @_;
-	print '   *** ' . $s . ' ***' . "\n";
-}
-
-sub warning {
-	my ($s) = @_;
-	print '   ' . $s . "\n";
-}
-
-sub comment {
-	my($s) = @_;
-	print '   (' . $s . ')' . "\n";
-}
-
-while (<>) {
-
-	#
-	# Handle certificate header line.
-	#
-	if (/BEGIN CERTIFICATE/) {
-		
-		#
-		# Create a temporary file for this certificate in PEM format.
-		#
-		($fh, $filename) = tempfile(UNLINK => 1);
-		#print "temp file is: $filename\n";
-
-		# do not buffer output to the temporary file
-		select((select($fh), $|=1)[0]);
-	}
-	
-	#
-	# Put all lines into a temporary file.
-	#
-	print $fh $_;
-	
-	#
-	# If this is the last line of the certificate, actually do
-	# something with it.
-	#
-	if (/END CERTIFICATE/) {
-		#
-		# Don't close the temporary file yet, because that would cause it
-		# to be deleted.  We've already arranged for buffering to be
-		# disabled, so the file can simply be passed to other applications
-		# as input, perhaps multiple times.
-		#
-		
-		#
-		# Use openssl to convert the certificate to text
-		#
-		my(@lines, $issuer, $issuerCN, $subject, $subjectCN, $pubSize);
-		$cmd = "openssl x509 -in $filename -noout -text -nameopt RFC2253 -modulus |";
-		open(SSL, $cmd) || die "could not open openssl subcommand";
-		while (<SSL>) {
-			push @lines, $_;
-
-			#
-			# Extract the issuer and subject names.
-			#
-			if (/^\s*Issuer:\s*(.*)$/) {
-				$issuer = $1;
-				next;
-			} elsif (/^\s*Subject:\s*(.*)$/) {
-				$subject = $1;
-				next;
-			}
-			
-			#
-			# Extract the public key size.  This is displayed differently
-			# in different versions of OpenSSL.
-			#
-			if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
-				$pubSize = $1;
-				next;
-			} elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
-				$pubSize = $1;
-				next;
-			}
-			
-			#
-			# Extract best-before date/time.
-			#
-			if (/Not After : (.*)$/) {
-				$notAfter = $1;
-				next;
-			}
-			
-			#
-			# Extract the public key exponent.
-			#
-			if (/Exponent: (\d+)/) {
-				$exponent = $1;
-				# print "   exponent: $exponent\n";
-				next;
-			}
-
-		}
-		close SSL;
-		#print "   text lines: $#lines\n";
-
-		#
-		# Close the temporary file, which will also cause
-		# it to be deleted.
-		#
-		close $fh;
-
-		#
-		# Print a header, distinguishing the role of the certificate.
-		#		
-		if ($subject eq $issuer) {
-			# self-signed certificate, i.e., root
-			print " \n"; # force blank line in Ant output
-			print "Root certificate:\n";
-			print "   Issuer: $issuer\n";
-		} else {
-			# not self signed, must be intermediate
-			print "Intermediate certificate:\n";
-			print "   Issuer: $issuer\n";
-			print "   Subject: $subject\n";
-		}
-
-		if ($pubSize < 1024) {
-			error('PUBLIC KEY TOO SHORT');
-		} elsif ($pubSize < 2048) {
-			warning("short public key of $pubSize bits");
-		}
-
-		#print "   not after $notAfter\n";
-		$days = (str2time($notAfter)-time())/86400.0;
-		if ($days < 0) {
-			print "   *** EXPIRED ***\n";
-		} elsif ($days < 365) {
-			$days = int($days);
-			print "   *** expires in $days days at $notAfter\n";
-		} elsif ($days < (365*2)) {
-			$days = int($days);
-			print "   expires in $days days at $notAfter\n";
-		}
-
-		#
-		# Look for reasonable public exponent values.
-		#
-		if (($exponent & 1) == 0) {
-			error("RSA public exponent $exponent is even");
-		} elsif ($exponent <= 3) {
-			error("insecure RSA public exponent $exponent");
-		} elsif ($exponent < 65537) {
-			warning("small RSA public exponent $exponent")
-		}
-			
-		print "\n";
-	}
-}

From 8d186450ce18e46001db1d3c1e9c92cfb787b977 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 11 Mar 2015 11:10:59 +0000
Subject: [PATCH 43/56] Update to ukf-mda 0.8.7 to get access to
 SAMLStringElementCheckingStage.

---
 .../{ukf-mda-0.8.6.jar => ukf-mda-0.8.7.jar}  | Bin 78674 -> 80091 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename tools/ukf-mda/{ukf-mda-0.8.6.jar => ukf-mda-0.8.7.jar} (82%)

diff --git a/tools/ukf-mda/ukf-mda-0.8.6.jar b/tools/ukf-mda/ukf-mda-0.8.7.jar
similarity index 82%
rename from tools/ukf-mda/ukf-mda-0.8.6.jar
rename to tools/ukf-mda/ukf-mda-0.8.7.jar
index 10840649fc46966aca2d3f3136a29b9d6d631e8c..39f3d9c519de0e842c1250e8835c0b68dd24a5cf 100644
GIT binary patch
delta 7908
zcmZu$2RK&Y+kcO}vw7`ouf4L#mc2#D-mAzeUL@JYi-XL}j7pR}LX<s|QKX2H5g`@d
zan!%h|NGwSI@fc*_wRS#&;5*ZKjVxo<IHa1kQ(Y>;}9W^fBRQGQb;+m_n<-|3wswT
zMp)oti~YF3&;r76sRf9`WjG*pQeyFeh715PW(^>K6?=dxTq<BG{vpW2Wh<8Qaajvs
zlVHOFIbJ6L8KlvuMWPvkaS#YgBFqAr8amh9(_&VGyj2X(k)z<fnW~$J9>cE!BNK*#
z%rSB{(m2sG*o5u}7yA>Y)iSIt^$Xe`u+I2rV@rJ6!Qatbax$mv!BfTDn4a`-U2hea
zlN&?(9{r%}zzN1_%}idnG!Q*{v(9=*W0QIL<7SxLx`xP|>t_Yj$a@^*GK#<cCJ#ri
zbYKhgzqiN94W5W3F;{sR^SI*t5}xpt@mEhMAMvgX$-4??nO}=8Tx!6WlMlt+f0a`)
zNRueFKGf77=H2e(R=OiBp6mIA5~ZN|@Ft_#I0aXmAd200Gi1DuX_=s(^Zwa+aMISp
zvR|SyMmgELwv&1&Cn_V@;gYi7bCll$v|gtCCBdb})>i}u$_71SSv7-RXQvMP3u<{{
z?YK?C3M~VTD%;*H;rd)>D#02jGQV(d*n;Wa>QE|OtLX|sZKnUll>P$Z*X%sRUn1NR
zesvER7)#`p>vTss(_4cpAA>(dRUhe?1uY4@vTKpKt*ceJI!$8D=~y5tiob;UsEfXl
z*7R!GN+<}UqU2i@A?Y%n*Y!2Vc*P^p=K0fot_~mN%!h9$bq1)_E;f1*yiJf}7=CFL
zELqsxyD?ruWkADQ_jW!2+zsc*$uWC+E&Q@p&S*c;r;M~B2LcP#izYS6q%>hG7NV&6
zkEUJ@Ixo(#@Y6qR53He-i#1Yl2w}mXrP!i*P=V)X9_Ez(1}fJ^b1|Dzd^@s7wd<(x
zZgErrF@~zs02SUNj0#WhBELuwLL*B=RI0T5+VE@poiB@@`$`9GuQqp*%s*<k^ft1o
z+cut-DahnILps&xsT-uX?v}2QGJFXyXm?I9wTnO7)AB(^f5un0CNtC}?gw0c=p(*Q
z-h5hdHb>dpoy&RNtrgWC&vbsu3hO8nvGj<uYOgMuUDKqsCmj=fKkE>b6`Ergv;UT7
zUQEYad9BIf*@Fm8R-uBPE4I%+{<KG$8?B_tndIe*@Oj!By|U8JKqd9P*dW0ZPnhvI
zlwr1QTGtz@d7wBJx2=I=QYh$<k%G4I#qvMwzJAZz_>q#U0nrUlM@!|)@>guJ!#=+p
z`I=x0A`|kZJlJ!^Ca2k=iA?HsZ(miGoSE0%A79`NE4aQ|S<S{Khe*P%BU&&~bN4CQ
zyLqTP7}aBMH8|3yQkyLwohq-gAZc}YwN<f5R7KnmTRHK4cHK8G(J1;s<!J}>jT}o>
zo>WtU$d0HoUK_W<D@@f5>PG}t%*NfC_w$mzIB}(vx^eAw7MDu?kg__I=WvaWE&Fo5
zQ!$oqEh)y1=0@Z_#m9Q#W9T=yiYk{Xcmkq#dtXTrY!s7GY^nNQX~feKTAAXGz3$eF
z)l{SPT&S@Hn<aUeKfi~Z=b@S&27Lol%wu2@ABC@?tv3Ot#YOOcMh;R6grX|CXwqe)
zX8dUL3d|_$G@@Q#7{SZ+dZ=$$$IYv4c^Dte;C8bi=~0-K27d@Ihwn%uMplFFX^CS1
zzjQYbzu4-B-UiAJR#)Sr=+7R#&WR!Gl06g$7QbR*4@M&8x|yXJzZDZpekUXQn-mEU
z$NB0mH8lX|t1_DClf)&2ymlg#GTEF!cq}!9FsF%!-~@Vsia8PVg=hdc%c&O>E9hb&
z5SMW=SA;dt)u!GCRLbPx&lIG2Z&wSK7dV6%%^J&4-4|8SBGBfP*}7HQ<LmRtv-xVh
z>+bH|cIW$)l3V!uMT!2JXCubQyTIJHuLiaUhQyoO!_h~CcEBDHy~=ctDIk+}+upG$
zLUbU}j<()w?%9>w&);R#NTj%wUw@UsxSD*=tCh;T5Z#!Pa<%JR(5%slBB2^@n)|xC
zuvlWdc3MiImO}OUDqfl_0WO!!&3D`0Z6Cg2mo-!HrQ-lxWI`9X2E|m{jJ?G!RvKLr
zp;ma%twH%L+Q+Zcv0*`7@l3XL|IVDhRVja*-KxaXwsmce#WQnsq=H?B6+@-(nU%Rn
zoWN&B&b(+ziFsPt<>wy7iEl(nhMJ639^uI+<6dd44(1#0#XS<)cbF$Kx2hSPle&|y
zB-b(g()G@`V5x##Ky3~B$=&mZ;Wh@t@u~I)<-x)Y%Y`B;tVT7Dkz6x$o?_m=bdO4h
z%A(}xU&zG#{N49Uu3gHQEXK&suq!92>1K1LYw*qy8YM0-uUAiY=X-bsDQN%ID^%~`
zTC}AUyA!WPMIL2OQuC9^cr5!SA<5kO#`iu9%1smcM>y{KwS4O#NR}LtvM|2!)i0G(
zaTYJA!+2G9Mn`n?N;u?H%9NjwO*2_$<5?vHSZU-1o`3L+*!*YY+&!C*?Hvbc>KSf&
zN4yIR0yesf@?UdWgFD-_UUza?m&8(k;j&+PMeCVwKRDU$u)v77Elnn=`mq*i8Y0|+
zpT6EBn(~}3Zc|o$zTmgpLyI5bzcJIHR2E`dp#|j&VpU3~CvAi%<;l!U7dybFI9_C5
z2a=X$VIvSNcnE|PhQfgpv_1>a*3O(OI+>>tvQJM0X~mQiVL(~qM4(Y0JQ0?((8TaG
zcQtiBaX)M(N&;)J9h|UW!NW=PM96aqJ`s@aY$xXOUNtx{XVZ`AL~|w}5(kbhMX+y=
z3>Se&fHouQn8IK_bih@2A6IoRXK!bp097|<M^EUlNr1hpvyh{gy}y68xwi?G1$DR(
zp+F2SXPd*NByB;Q4_4$Q_Z<>z#<*j-Z&mQV<D7DGu4N3`U_VSdz?U6grMt#GBRd|x
zri(T$`}8gv)OM1szP!7xAhVbAN&ZtF&(BYn+Yj;VD2E;C(LHM{OdV#}tMu%dU%Moo
z(w0I=Eazh1d(I_}1`c&dweFvbp}#8nQS{L}pYIOJ)%EGUx%6#n%H9bcKXW5r&}VFh
z39nZe?vc#7N~aAinP>P6(bV$ax)s3P{N%0>ZEespGREIvpP^pGT`oho!r`sef-%v2
zuKgRS&YS1=$9B<k3r)<MsT?ShH5S!juGyzcG%+t%-mt4md@#f5vKtC~apR&eVS9NF
za#7~dK(6}wtjGL04d+2J`msj8$#1_ZXdWuk(!BRi@2#+CFx&cU-ti^bOzV?B?&_?M
z<d@hcKj%{JzREg5EnAxC$IU~|jXi#L5@qZP_XNIlZR5DQpcDNVJOk}?ZppTdM;02y
zU(4FEzEGH+P}=$4XVSx&i%!**Je;TWTXp`+%6vq+#dgc6&{lWuNP3`+fN`jpfM5O;
zZcTQejlpM?xCjo}g{Bu$Nzwh+RC|rm-9O^7h^z@7+|b(xf+QxcMR^Q0KHL;f{(MF~
zbZ7Y6tkd9{wja8QS}Px1`hMxh;C}Y&l)dr6a@yK4ZtPitCfXT&b@35ZLhm0rR-+U|
zxNKI5-!uRzCE9Z_?{u8Y!WbQKg?IWFW2!^_uI|nHYfL&U@+N2PQ|F5^y+aALUin(v
zw($dxCHvxY4l2#fI6zh+IW_W098q-K@RfMHHS7U$`B80jo?#;kV|jM@^K)A`l_Z$B
zQ2LkA_ixSmMD<5=NF(JfIIV~E6e>r*k}|XiP%bf8q!C<ZzNS0zK6`USWXn`}TY1lJ
z7p<QLxU=J=1Z}?m-TlOR7ks<)ef7bT-{M;L&drapagy?mnTJw?o;-#eZ1t2?;&c1b
z)n(6v(ZxtSbcG6S{h9BFqc!@DVJp}bnu5r;%lT)=h!@>?=fnv6gs>iS*oLc~o57-V
zt8OVP@xW)1wEJXpwz|Lt)Xw8@((7ekRI_v6WAl=bzijnoqI-6`nEO^nWL<=|`3q0}
zo0AuaX0?mRnm?BKn(`+y*t~Ni042npGS5_xQ5j{3%b}-dvwxVD83%5$E~q)ODJadp
zjvvpx=DCJV>0nsmZ#;pdoS59(XAfJV5o#=vPZQ93l%8)JQgWXsE5J2i&p-EConseX
zy$uytw}b=@#hbQruReSmYb2i4-e*!l?PkN*Tf)Jgl?I8D$H5MfFwcM#rxZ8f`WgNd
z4jpP;cNVk)Rb8!{b6p_Md_?O6e)4#&CZoY3j>2FD_E!zJB)&!t;cNRc)f83+ttwN*
zB-}^m=jGJa+mv_qJ_@h6ylhn&4yMvL44`UN!nmqw-k~C}gSHD;A<14QvL^RwNH5!^
zy|&+RB)QNRp7Z3+2MK4LReFJB@f`==l?<U(0d;q@{Xtyd+d5l%bb^AC-6FF?(1$Qz
zyP>j|WAoh|#wf)%-S0{`&oVaA>rp=2_mi0HZsXo<pTh~E##3-z2_aN%&=s&f`%^%<
zIevSmrWBE1WU8w6lG>7eryn6?XGIrOs0W7rjQ7%Qw<!+3r=ByVz7zB`!A;>h->io3
z*a5YlniDIT#Fb6l#Faa-8n#9J;VXh<?Ha@8T@G~>F{Bh>d~Y8<JgiJi1fTZPI9SPu
z9++BlFBhS)PcH+Q;LwwdOAgH;IQ9OFpoEWUwd8SWWU!_T+&F=<?gbOU8tT$(c(9OI
zRdr%6S2J{y%Sr0APBaz`&G;~fro-Wc9NKf^WKH<dn|#8FA9!>E$&X85!F!<oNP)y?
z0D&0A#*Cm?Fz1&D!C)caOl{p{@`<hb)G#URmTrml#J|kiGd$R~W<Vp;7+NAaiJ|?|
zu`OvW?{*L_jCm6o3VD(t5PU2cHuV$i%|1v5FD-4CRV!4XMeheG0wIfuoaC%8#s^&B
z!0JiKfMx(2I{JeBX8;r|?4JP?VL^r*&>&QXR?gk%NvRPqmK;z*&-%=rBM;lNc&rg|
zU!8MWKY=y|B@t`V;WmeN!CGR4%3{$2X_9u{_?eXQVXLY!-REaxJ^CLCLSBUiyGTo=
ziWhgPeB98g8u9LF__gF$WO{`G2ie9w*NdAh)jh1v(DG}WegC=Aw>xBl-*(K$@WTB4
zKg`REHeia1J}hh`(4ikiigvLq8QZg9y0CGMB0iaBN798P(hUBHA{?b&H0RD(LFSx6
zvufbG+!yJm>O5pu>10YllHDX5>=1a?5#{I17jrkhMPLXMOSRNbYEykxV}hH+BQ&8~
zWmGbmhP;}3<KP0l^aO3FjouAPys3v|_J+ggk*t=MF^z+z$!s*I8oldx2|ri-Opq&B
zI!JsY<*4?^#MdWbL7HQ9X`?)s;JpM5=L-~_o4N>SZ+D(HpBzbSRj!eExF_IBGNvW|
z$+JJ&$&y-TrOPCZ;uckvABQFO6q~I#!RLYB4HS)?shk9U4BJg{U52!=mc%0)+;kS<
zOB0c)_IwwMO)j8Sgi1`k`_frISt9a?88+M#)lIalx_)QaQRFf)v))z)&0i3|Hc;-+
zV$ZcxjqkBA_C`j^>}Qu=YttMes45c4)ObDp{$)L<a=f+i<0d&*)pyU-JhdrT1$J@l
zajb~~ITfP6WSd>ETr6%qQ^~gQ@mU(cTh3<UP1{$%YmwN4P9A3nN&TSWbCs((KwLxG
zRy0-3bD&P>d%g|uJT_W{zSi&En$^VHuYt_-9@5JZeUte<M}{3EzeHACR9a<;JE=N9
zWVo!%2eSx_RTU(%(cP3Ez9p#|7L@E8AKpr@8K~K{yr%i}>USb5at#^eJU?ksvoG`a
z-D*5e$BRrxUg*K7Dp9no5M!;2FO`lua+26DGHGK|a<?MPcad#htz^gkai0#N`y$Hw
zYn50f{kc1y8#Y(3{rd2m-z2wtDtbxOY!>&RZsb)tIxiwhUTJWf`rLF~G=bpA)6PM;
z>gG<{s4jP`-q+JRl;aH+Tow|ujg*pWq$wV;56)f>UKmB=TM|ge{*K?g5=ks@+cmI#
zHqI+Bs`UKS^@KOfJ5NLBY^HrUg+zK+*BgXHK4-*cz6?u@Vt?L+o4(f^u5^K_>q;KY
zTK^aJxPr{lJ+--JAtaUBGRe@rurAZ>x6Rs__HCe8w*A(-rMo#|ooT8*fpk^6h4=im
z$U=&TkTNJQG`<C4_TwVo1n<oXY=8*AOTM**v{|rNCvvjD!B50|(Ih1!%cs3XJS_0%
zLag=q`S(1g=jEy%YZa1JJ-BW7cn{gT)ZY?aoSb}Z*z7k8{tQy!@qt1e?;Cr{Is!A2
zHZ><FzL(iVSJ5c|YfHqK-<9(ozotGu4Wtm-W^ClT@&KJgzslPbv313B22VDgKwIUF
zSIKmBfK}9Dpk21;V4+18i?4{GD@_yGgi=`vuJ~dG=Y^YtI%a8~Nhn3mB^e1TbQYX>
zBlwUoihVlq1@<rbxyNhQ*9M0bEI8NFjQ7lvWNF@iQ0tdOalRQobEd~zoMup8=E${o
zF#WRJ(v4fm=u5U#L;R16&FA=DZRHnDbp<V^q5{J|=T3grr%0YpMCDIA+N?d?_OZws
zi^`!2FCNQ6k(c%{xw+#T=Sf<OmKUWomicZxFlg6Y#?cgYA(36|&Z+j2yIW5i;<CP8
z=rkl^aJOx1TTW!}T-VBX)~8fSqI=VZ0X`e7VVNz{N9c>1E!QXKQ=Yl5T48cl_T;3l
zM~bdp>;zoJu`YabQRR9P>+38mXjeQTEP>Lb^x%)m>rJFhEm(_YyO0*XpThge>r0XU
zt%8?o@|tOnED6(vA6yO;3eXxUH_@YtFHeoG{;m8(dd8r;TaUpZeOtLPYp{2aPGgGm
zUC&)!q!1BW#4Y@T`?+k#pKA^NL6%l)F-h!n=64c4zYBArda@p(IIg(nVA;^T+Ynx)
zOHq?JwK;DeX3*E-IV;K6K(xv~U_$xZf00$`@L^mn*Sh`w4S&hL+VW`zzah!XHk-^*
z42!`byYzV1qbaBbCVf^(u;rG?)|V2vNp>%RwXR{!==wWGa>J2b-mOhT{*TrNw#!4J
z?i}E&v>OL!YWiM!D)VVIYV7Otyy-A)8oZyGm(=@=oz~Jatt@<$9>>}(NR)gI*qb6z
zyqlyidGGpaRsJFodmia6?Z(lgqZuLvW&-99z9k!bh3X@jAtRG|$$WF$C_VQ0dJf^A
z%l_&91Ec8KmWkVeKYwUrM+WrdwADWk4G%o*9q(O9HNhBpRJJ>W<QcZ1)SC!zk_B50
zIXlZ<)Q>>^l-}*H6#BWe;0gSu+*ka>8Rb#<<1453aOmxVM;``x*bk^4t}I;sw{d{3
zfHknvFFkdKZiRiJM+SQI)J>HIFM!Q-fR-Z}pB}DQ0yPOKHHltTVq&%K0QFp$Ds>_W
ziC$x$aYDTK_O=)4j=;`9<5<Es9b$PCFP+-&-x9{YYuAn&o19+;%>1}$)16AWxWR~$
z@c@4l%0`5t4uD0C{hym?(2X9DIKGPp^XUPl;|&4$o*oc_1xh3!1`C?VKTsU<<jNTw
zMgp2JbcPXN1SJ>%QTU%517HFRZ47|^UtAX!Y#9L~Sa`w+1i^v;6W{{xDgNC`g9S{0
zEerz803%io6{heU3#OHt0@Py$;Nvf7eGJr69|NEs3qXW<M}rTRLnzzv*?SI)%0v)4
zdmlpE5J9Ln|Ne?2W$FK80{&tKs9<_hr%X0Bv`gxO9;Lrrs4R|r!uXdCU&e!I7N}ZE
z=D$ipu!{wtgnd*y$-QldZks+rJ0_u1K6<!8BUXS1v&lmU&Yb-dA*oZ9z8n-GKNO+J
zDf%eiF<lXMYK&P^?SoJSD6rEkE5TzH7dXKRAYtmi+b#s+{3(Z5g<vWsTbLO%VEfa5
zwro&Cm_&~of~gk$Ume?c42X(BfDnjt7NCKLf$1!y6gmefWxzJ}KQ1DVl}xgbQUKE|
zOAeAkZG+jX$H0UF4EQTj!WM9h@#G>I^H3l8Lyguw6{DLnD9Qz(F#76*7%~;cf0Ycf
zL%wR%{-Uh^oRxoBX<{NqApDpR2(44jBDId`BH$ekfE%uN1Cc9*2X$c)^r)SpVw?Vl
zN{D%6N(wSF{b>Y>6ROzL>>mt9Z~|<wyNj&%u<)Q}{DQ_$^_07O`(wT|M%#fD4wUtH
zG8#>q^^Zd}Z$c)g>3E<B7hnvN+GTR+s2~Co`YfY;%BL(?$OTx!9s8RLis`A_aUCd7
zjT>Nv!#T@nw_^gC?UDSq|2Li|)M{>k2d09o`2zJ&Ex(~jdb*ZGzY{78&!4y6fCs9p
z(jV4hv;x@So`Id5x;i=)s&Ftg<{Y#p%6hsc|K~ahRAvJhU<X{Q0d;~<z&->BgxDzu
z1!2byKzv?+8D?hv?#fDqdf69Z%AH~|M?p*$j6xXeznpNF7Ydmm1_BtsUS2>F?z5v~
zC3Etz5+f7G|L+a(<AZ>@92gh@X}}h~KO^6N43rkYZm>{LT0G8%GAKxSwh~O?2beHQ
zr6@25^@m=0jAYgPMQA|}C?&u)XZRsR>)Brf57g%eIN)}<EKgvFp&rnI+QojVUC72`
zx(LjYV<mBR!ABq-Qa}f(Q!J-e@I61E1=k`V0M)|&0t0MwfL;OsA8d*>m{Y<9%{d)t
zu;ovg-tIqUVyb!=!3E(z$;d>uh*b#+M-5sJBu=sM24Ob;OR9ft_aLlSCeRz~2c7Sf
zPqD#KFj5dOfFmGIc~`s$MX(1&Aa#m$;mt9N7o->ZGs^!CssEkjB4*%bK}S|b*r`K-
zYL^RCZ51N|p?}J$@f^hD!RRf~VN$0k!DLZ@h#mf%piv?pG}#G-OAZ}ZRZiJ(e*R;_
z{I79p^)oxx5W5Jf<@8dZu?4YF;45K(1Mc??VW{7a_8_GSYz`}JL?Gp(-<X>H3$XI+
zaRNAXAU+iVngjs11OavsIw2#$P2N9KN>&tL#AcxSgDH^#)W;1XfltY~5Qg=J8f+2;
zm|+F9#v*Z!j&NzfLNRDTU=sU7<QId88n9MS;NNmjfcVc58*1ht*MGl)cVLV2Z2#Y;
d<ZtZ7k&l=_Kpapd(?n<@%%Q>XWrl_t@joBP{pkPz

delta 6613
zcmZWu2|Sc*7oT^GHDt}c@5_vR&%Q=>lI*f1gtC@QStC>iuYGHiU1KZB-i8zvBH2Y!
z%`GI$_s%=+?YiI0&pc<&|9{STmNU<Lp2zri)X)No&dQ7oMS~!|oGsLE&<T?{L5*TA
znIqJ^;)R><g2V=Q2#|qW6F>oOV*nLWi<H3eBdKxA01f<o9ngncO{CTyei&}skh;Vc
z50KH4!2$zC7Zp9EF*;B)5$8sZK={$&rsxf@)eeCU%*HG+%E_4cEOE~iQ<29F3x*#m
zvQFq%vow@3^zy%p5PN>TDj<AzHIZ$6=Vna#;v3}8f}Kk{<wcXZF4@AU3SMp5vBC%I
zT7!qzUw)V_#_n!%br^1O8Z)WPY%r=^2%)m|Y!O*F^HeU4LyqNquvmI)j(vzsx@wAM
z4wjjI-M)W)8i--)?pEFWUViY}cj5HP$oEOUku@_3G<S4d<ej_mJmkK2@~=MpV)t`l
z23Z@N6qOjb^pj>-D%_?03_-p5QPfBE+Np1Ccjh_5Fg~WDe9hA1I805f(6G!HlhbQQ
z)q89KeW&w8)lN?ww094)XrlJ3RMG5yb9DkM6gOFB-Iy~H+QR>~N&OJY^<Mr%ku9#O
z{-2JFlGrTg^>mKxX&3vFyV_nVxl!cx)U93QJl!)1K5adPYDT|pWMu=vT(v=N{YR8I
zxmq8FUsA1Qsi5<qhj%UOKwX95HG8!iY3Pw0<MHZITmkJDd-B%}B^l)e^J1M_rJ;AQ
zhF7S^6{8$=tTW9tq_>OhsGFJRf*)!mmNYyi1ZHTwHfgGCct2{lJY!tX_2s2^go^GD
zgA0z6-t^T`6MmJ0J8NxHs@anwbyf6c?|DA-9@Q;S;=E(Mwyv33bSR-dx_;tB$gh4O
zavC(>@<UVqT9be%QTt4mmEv=wOcBmL7TD43rw-+=4HA7bFXNv(J9y0*Mii_|_CME9
z@Q8NIx~o1txA2xAx;9|Rn%yJ$-u!NV5W8O0Y%5RJIlXgqLMD~s{^ghaRZ~3Ziakua
z{p8w8N>lPE$YfY)o0W6y3ajsk|GdX!nM`rZ(>gBsVJw*wc{uKY(lQ1)D=qS%w|yAv
z5=Wk&{vzGGq^xwBm7A`H-AE@Y;PmmX`-!Yo6_M4`zFTEegs0*3>IA+l6uF9)IiWnV
zwa~nxm)A8YvhtSjz43S1TTfyJW{OtdrP@4Ke&B#JYmix89vTW%=4_f>@@}21L%&xh
zKUkEqlM!1`&!A}Lnp>&1c6Q^?dsjCJ>|crex2BGr-_#fIe&jR8oTN%CVc8jV(j!F+
zL!pp10&HBYJmZi`K1O)R)UrK|(o6k9YxGej+s`3Q-p@BVo-=!+hy6_F8jW4MU4*W$
zQm*~mubHkk1Oi&YaIjRb&$o%onjOrha$H&Q0%gY)V(QHN3GG1%11HbzPG-h-Vncm2
zC{KrZiMLC|fLeu<XWk^JOElJ|QL*0n<bI3%?WfW+J@+Ik<CW$^PSZ*V4wouk)H|LK
zb(HOpf%NYk@WA_ofW_%m<A_tEt$IESCnX;4h%9-scV7AwU4k(Py0El<rQmk9$?PKG
z*YWW@Q>>85>+z8DdAEO3ZSy{>(S2Tn6(SsZ9k7b_47&B1nv;^@=J&&Cjz6Z6Yr}y*
zga?E#8W(i2U5ehcVM<QMaL4lraV5meIvS!}yNjw@wyz9Da$E=|Z+q64lNZF(V|QJk
zzdZE^U0ZUatKb8b-;`zTNtb6bo}mECCe#vL>;~uDd&QDU;g=Mbc?irq-SXem-(V+n
z2G!5=d3_Yvk!?=Y62zDoiyX`NgjATbMYuHIDEYl+Z4+X4ecI}}M?sv$akqqmp8lxw
z1T`0a0SP`+lVyMBGC$qrBiFM_(KdO)Sx!$MU$VND@am-Ck9aCg5xv23{-S0EP8w=D
z54+`23a*<h(Oez!=b4XiL?!JcJ)jfDmOnk?-X5#Oox@mGJl3IuY7aAU>*Q}SIQnZ<
zV1{a5*-|IYPVHno&r;70{VcF1{eWf>HQjU8cc-V5j@Ib=9WwtL%TEG2P2-OzBg_tO
z>&#D`{Bkv(uqk%ZCVeEtJkjnGwnX@`@rw4}dp{L|xC^(Xr%Log&jI{><^uq{L3gmk
zlXhxj_Arvr&gDXa_;~86Va~896$zS@NF)iqXjXuc=<qbRVCy3Qfp|@ZK<MD6MMXgq
z5r79<nBio`rOWbk7gu>^q}6CVviYE#-d!u2GQleimb&7mJx`zeq}r|vw&F9c*%u=Z
zZ30_Xy$bm8lt9i~zk|auySvxUy(~y7Ue`uMcZ^Fe)3ayuq<Zwm+cUpAdc4;2W{P>@
zi_0`wT3+JHP2;q;XUnBH?wpX!6!Uv^<9qI>4Q#0Vc*^1FX2Ys}Ep6!~sVrIUh9Q66
zUd<v`w-+_33CFCT#nnuG5T7cJ=6GgR>?VQ6aZNwRA1A*|bK&lZA9GsWUV>p5bw<F$
zfvdW9=Gc!Y?Qc;g#_yiA=Zs&(d6(`Mm1^l3upUmb$*xt9v}`2&3Yq&oq!4w&J#d57
z<2)AYnaw%A%cODFn)3nyFW)xC>9VfT?Y^N}aSrP=E@`cv;*#1e=h4@z=;Pdfva?q(
zn|*C(SAsp<IQN=*a(cpgC698Jm{iasFDk;;y~R<Ttc6$6B6-#oNi$OKzm%Ftbp*yx
zwz8MV>U>XMBX42h*(3|I!JO<Wmq&}rksswdntNtzfu*WxXo92Uhe7%Ar)6Oy@`ejd
zm5%+F8Iw5GQ*C3^?)s?x5LHVW{;2w50FeBc=y~7sg<7KMyNb!f$bCtJmyly3C4`pz
zCTaOKls}UM3H3&jFs*rmB!uZ2k%Y$v10*5c1bcu~3)p#+{6yNz(ZZT44=*HK9az7$
z?;D2F=o=FE%^!oi<im>h@R}vDjeR1KaIQ6=M1H(LA`l)>8KHp_@RGv+KDCI19nJgK
zqhKL7n41)}<=kbGruyP}k{}uTi3G7GGEu=~$@ENmSm-SHN`mkuk#K>7$5e(<z|fug
zDiqws$tewnXec@#InHC07aWuY`0#~IiKO_V4@^iwLfTp>VLO>#Pm+VozG%`om<Q5H
zp8O(^&uu9Xh+sM#e<Ckv#SBp6z9Px-<F6x0CdWn<Np92L50Y%%CI;zXw{pvTB>%SG
zn@D8ZjcRfjdbB+NkES`57RZ6IW-(@<6(EC(K5(7|kYt1eBe)FQ`w#*>SOHO-22|7$
zIkv2T5o2VXs?nF_Ldzkjg99Q6gglXh!3GBfVj=?r=1({VO(-+Otk=4yAq=mY+%I&M
zwJS9&KpM>|o6MBy7Pl}t^yQSHGVZrg6FzDPhgpr7a%rT+Er@)cR_T6V^71;(fg9~2
z^?J=5vxLR&G@D*O2Ct30U_Lh0Nd|2;zi%^xSEn>~pJ}T%JR5d8!u4ZdAPxIh&lJ`o
zJv}|HU8blV`GodDrWy1oqCd#6MOI|%M^UsWcT92dfT)4(6{p<eWxl~$TNl}Ra+15G
zEvbHArJ_D(;G;^bu1JO-MIPwNy3MX9Nw}|SDQJ-?qY~Qqg2OsrwtNZAbii;#^_WhB
z&7;p^9#d9MpTd;BA7OWHRgc%z+|~8P5(uVTOQ3^)27^bz+u@Ev9(UL5sp*M<N5(sr
zI|thypkrrK4Z!xB;ezqQcGp=dol96dof9tuj?sEv(x*x}<u*SK7s#0i4HVR(nKQht
z=SmJ*S{t!g)ODqK(K*LOHVTw0tj`+F(U@iMclh;Jiqh*l^8285+Vh>Ae`VQXDNPe^
zyWg-7p?;8Q(<tE(Q{W3kVop7}D|g6Tz>jX7E7madY-lt$h06(6nd92zfKYO1ES&_W
z+mS|Z)WVd1-n(DCYC?7CUGAKYzDYtKGf)y|k901t7SKhFGgV6*xrHBPj%N&(7`^d>
zp~nB1h<7q>O{*&Q5^mgvqNF7DD7Mj2Jg&@Hj#I<Jf9^>7fd|jCR)z-Hrz3k!n5yN5
zAHKnclcR)~y4?G_qVWFK5zXUa(UsFVWRecpN89><{$JfC`P4s`rKv2bt~uqEV&|jk
zOz^StvCg!F!))(pe|}JVEV231lY5MZE+5a=*!NcIlrH<cS9Gmn>gwaLH{;l5&g-cj
zAqMqI2kt-FT51XC&ucT6X7#p{=^$5r+&eN_xz?5(Hzkxcl+-CH12CMt*U*T6QRO*$
zxTdZ7`P=X7>$OM2nB17NpV|eoeHzviySd|sq#<l64%&`-4KoQg=#0>)d~H~zxd71L
zrRH|>9X2~U>zeKSI$+WCP2GqAwnE@e;>z@8<FDQVQ~YaET}kAaI_{#e?K5Kc$Efp=
zE??1}5wAv;Ln6FeZ?tr9-))_J*ir5z=qb1^N0Wj&$YwYBb#q(Xoc3wdvAV(9tHQCK
zMjshNzCQFi%8;v|8ni}dI}q_z(j)Pg>x)x~y%#|JvoEM@=^u=_)X68Dc`1NZo4cXz
zJ6B%E<1BKjEB!ILsk4$ECC*Lz*AIg7O4D@=`LVc^&d%e>?I{iYp}*$~m+<41#&gI`
zdhJr=dyfP|nlN{B&G^{1K~;>~f{1Wf=*lkDc<Qz$eS^Yr_n#L|S=V(7pJJ?Fk4}H~
z%;vfh>)ehYnN}qI?dh3IZ#HC}WBtDfIxnc4HJh>Fk{hxP1!ia8HPD5!FlNTrjhW(|
zmKspKUpf>|=IPhUYfieCyp#;(DaTrv9q{QvAIYG|2P?$iatONzaNcx1AFs<-=j6<c
zGQ7`mm2xAh#ba!JG{5*ljmfCQ?bS-oFv+f@<ZORCle%I)-qdj)$-Kg|JJ`YWe5v;E
z7r&4^&5uM29Ndpox7cRPY8%%keeDskU)g%2Q8`{H$lcCiuT}r_;i${vhZ_0Y<Z5DD
zCbt#r`HyC)y&9swbvUr5%-UG!oaM(!+v1q3{nY86{p_JV$!bnx;ru~pLjS}E{pST9
zMf?|M7bDzP0~23=);=x9d2$txE&VhxseN8M3cp*L9=Tr8E)+O8)F`U<`fJ3QHRQ?B
z`gpRJKB$bjpNXbkjBb6dCpt{-xt+307k+aLrFoSDEv!36t(zgf{Y}XF<=8vpMH<~3
z$&u;eZg?h1H=Fhq=TFy5tncQDvRI2yJN=IH3TY_5lAN#DBe@uNRw4gdz6>_C=E$Qo
z0c&|@7WY?MPlf{&pRSFCEUw;f7^UMf#8mOJy>0v5FY5K-uYfxjM|<xFM|=s{Hp&(B
z<fxr)@7^rRj2db3w+Ut)0(0&PZ!Y#|$84E1`<hL3fBUs?I@8x0uQXNQ|M=mQ21=>t
zJ7GnRc8y9%{CLHOAr6Z0ex8XwESov|N;AfHa5FrJ?`C)rS<?9Vu);;x54nrhf1&t(
z9*mE<{Z01TWYg($FNeu*kH=}^e`iY4uE{m0WZr%@Dk0ZcGZEv?*xBJ{`gUoxmLr;<
ztMIh)`jDe`FRQ^}9-6GPH+Oe$vz}LHP=E5#^y63kt0i)Ol~m?)+qNv)=NYhIgN$9*
z1{Nh3b8f0c-8=YY?XN5f<Wj2IMc=reD=S;q-1u&qS(qE$tKLbOchvh;!LlSut3KtY
z24*d}s{uYMv!gP#4_CmrTJj%eQ>_I!s)~e#W}LX@XP(%{=_<unK3TSu#bJRzbr11T
z`PkCU$RB!C1|bkggc|%D1UI+=A@8+;LECSp{kF35wz72%@=A5`O7_9)bk?%+vWoMP
zW@yQm{eyU=SNK;7v!*gHWYFJ^)}sgB^~soyNDWw+nFG0$cAZ(r?J{z+bDWXc7Q+MP
zN9K?SD>DGeLiW!+4H&}%C=zdKz(yWGoA`tW*LeU8EQs?0^045-y9X8Xl5S+cd0xO6
zhGh7Fqp%Re2iU^G8$Q6|Z-@)j;Rod4Z=w8vH7q>i2O?lWPXO@w&!r96BmlVb|N97m
zfyy=Xzp9B_m*ZG)uTSyf-Z3+RG#G#uX7iWGQ6GlR2Aq`tW#_RH+2AW7fEsKP1X$q6
z1A+h-Qh?(h1b3003gi&lbC%YnmPZDK?S}re_l3^o{>KCi5CTN`h&|ozs{iIsjX<<>
zAP`df=)b^vAwV6DxGDritQI4hXNWO@8o~fvnu4ankiJEdq^Abcg#k8rKsLA){TGlk
zO{fpD`<&`xNMuS}KAP^&4D350?K5zc*)t%XnIzyYS8Y(ABzph<$vp>N7Xjc)HgHe`
z>e>}~$XEy$EYAY>8SdM=aJsv>&}2V?YB!aAp%Rq$*ayIiqI)B`x&9034zaI7Z1sKY
zbLx9+YH&&v;D+aER}=~=rS)%s60{Tp*kII83_{y=Ayg8q69Z)7?yNf;%k+l=ltOE7
zye|Ni;onT^48ud<q}1L5mw*2Bkoy2s8FM2LCi^T#O^6oI!GHp1X-5s#hyy%u;Fsc1
z;1hQL0uO;NrT5lQM*;%7?EeK)<2vkFz;^LH!UG~<&4WnDmITCLkCKv*&c$obh!yme
z0+?VRp9tLW*#iXs^m^a9WM8jo{UEj`7zm9Ib`dQFxsVBflu|gp08ZEi416I1v%y5)
zprSN@f#*-|m@gYQ3W1P@a@cgAUt}oEtb&-ZxfL2RPmF|=Lg01u-qh3)m1GwoB`^3H
z4M@RE4h*DRy#y&aK`RWP1P9W}*ep|~M<6Kp5eWT#fyk0!W;=#-4-Ebyn&*MAQdR~K
zfX$y@)jq-l?OV}o&>g@&^VEDWL<X>cSy@*U^bbL)#zTid80=$F-T|#;0eM_dC5!Z*
zO^|e9u_)K4>;%n$6y#rdpB1)>Xk`HZZ2p|h{+sw1&`K5%0!N?^c>LS4&;WMvL{n~1
zS#EFJF_(k1rY*1*SJ1`}uFCFZB;6^L4mH&4@Pi11*1q^u9pDXq$n{S-Kmv9xAP+eS
zd;)86Px`n(2F1N)ze+?_o|5=|@&F&q|3cJW>?dl)apSMKKy!sXzOw>^$PAN^v{A-C
z3DikMeBP2`w7)<2CkCG)gs6^?Vz?;+YH*BvqLya<A1xOyW|`uT(E%k0mR=#b)7qfK
zrG96FQFz7b`;BsJptE)t^o!KlH}-kL-zI#2=z%m=7=I{>BzXV(bI;l!(O0)c|HO7u
z2Dr$)DFK}BvM5-r43KgO^MobXAKF?Op_8`KzL*Gla7r1_clqxj7Fw9S7XxB<_whjh
zVQy%ri#}puBopWn?tMn)PfEf6|1kQSPHct#`9d`Qd=PxC0*L%83IE^X&x3?$A<aOv
zP~-o<Q}aK55r|ut!(bK~bWjDD`TtW{Ak_9zK{ld8G_lU0KV)S_4y7IfVFbNrIS~j)
Jc4%f0{{w)XBvt?b


From 052b2fe417c7f9ec0f709ba5d6ce664351b255c8 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 11 Mar 2015 12:20:36 +0000
Subject: [PATCH 44/56] Check SAML elements with string type have some
 non-whitespace characters.

Remove similarly motivated XSLT checks.
Remove an explicitly blacklisted entity which had this problem.
---
 build/extract_locs.pl     |  2 +-
 mdx/_rules/check_mdui.xsl | 36 ------------------------------------
 mdx/common-beans.xml      | 22 +++++++++++++++++++---
 mdx/validation-beans.xml  | 27 +++++++++++++++++++++++++++
 4 files changed, 47 insertions(+), 40 deletions(-)

diff --git a/build/extract_locs.pl b/build/extract_locs.pl
index a516194d..94b360a1 100755
--- a/build/extract_locs.pl
+++ b/build/extract_locs.pl
@@ -2,7 +2,7 @@
 
 use Xalan;
 
-open(XML, xalanCall . " -IN ../mdx/uk/collected.xml -XSL extract_locs.xsl|") || die "could not open input file";
+open(XML, xalanCall . " -IN edugain.xml -XSL extract_locs.xsl|") || die "could not open input file";
 while (<XML>) {
 	chop;
 	if (/^https:\/\/([^\/:]+(:\d+)?)(\/|$)/) {
diff --git a/mdx/_rules/check_mdui.xsl b/mdx/_rules/check_mdui.xsl
index 47f789b1..796c1d3f 100644
--- a/mdx/_rules/check_mdui.xsl
+++ b/mdx/_rules/check_mdui.xsl
@@ -28,42 +28,6 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 	
-	<!--
-		General SAML constraint that xs:string elements must contain at least one
-		non-whitespace character.  That's actually too hard to do in XSLT so we'll
-		restrict ourselves to a check for empty elements for now.
-	-->
-	<xsl:template match="mdui:DisplayName[. = '']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">mdui:DisplayName must not be empty</xsl:with-param>
-		</xsl:call-template>        
-	</xsl:template>
-	<xsl:template match="mdui:Description[. = '']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">mdui:Description must not be empty</xsl:with-param>
-		</xsl:call-template>        
-	</xsl:template>
-	<xsl:template match="mdui:Keywords[. = '']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">mdui:Keywords must not be empty</xsl:with-param>
-		</xsl:call-template>        
-	</xsl:template>
-	<xsl:template match="mdui:IPHint[. = '']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">mdui:IPHint must not be empty</xsl:with-param>
-		</xsl:call-template>        
-	</xsl:template>
-	<xsl:template match="mdui:DomainHint[. = '']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">mdui:DomainHint must not be empty</xsl:with-param>
-		</xsl:call-template>        
-	</xsl:template>
-	<xsl:template match="mdui:GeolocationHint[. = '']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">mdui:GeolocationHint must not be empty</xsl:with-param>
-		</xsl:call-template>        
-	</xsl:template>
-	
 	<!--
 		Section 2.1
 		
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index fb504204..85d5f657 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -294,6 +294,9 @@
     <bean id="RegistrationAuthorityMatcher" abstract="true"
         class="uk.org.ukfederation.mda.dom.saml.mdattr.RegistrationAuthorityMatcher"/>
     
+    <bean id="SAMLStringElementCheckingStage" abstract="true" parent="stage_parent"
+        class="uk.org.ukfederation.mda.dom.saml.SAMLStringElementCheckingStage"/>
+
     <bean id="validator_parent" abstract="true" parent="component_parent"/>
 
     <bean id="X509ConsistentNameValidator" abstract="true" parent="validator_parent"
@@ -638,10 +641,17 @@
     <!--
         QNames for SAML metadata elements.
     -->
+    <bean id="md-Company"                 parent="QName" c:_0-ref="md_namespace" c:_1="Company"/>
     <bean id="md-EmailAddress"            parent="QName" c:_0-ref="md_namespace" c:_1="EmailAddress"/>
+    <bean id="md-GivenName"               parent="QName" c:_0-ref="md_namespace" c:_1="GivenName"/>
     <bean id="md-NameIDFormat"            parent="QName" c:_0-ref="md_namespace" c:_1="NameIDFormat"/>
     <bean id="md-OrganizationDisplayName" parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationDisplayName"/>
+    <bean id="md-OrganizationName"        parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationName"/>
     <bean id="md-OrganizationURL"         parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationURL"/>
+    <bean id="md-ServiceDescription"      parent="QName" c:_0-ref="md_namespace" c:_1="ServiceDescription"/>
+    <bean id="md-ServiceName"             parent="QName" c:_0-ref="md_namespace" c:_1="ServiceName"/>
+    <bean id="md-SurName"                 parent="QName" c:_0-ref="md_namespace" c:_1="SurName"/>
+    <bean id="md-TelephoneNumber"         parent="QName" c:_0-ref="md_namespace" c:_1="TelephoneNumber"/>
 
     <!--
         Basic EntitiesDescriptor disassembler pipeline stage.
@@ -768,9 +778,15 @@
         ***                                         ***
         ***********************************************
     -->
-    
-    <bean id="mdui-InformationURL" parent="QName" c:_0-ref="mdui_namespace" c:_1="InformationURL"/>
-    <bean id="mdui-Logo"           parent="QName" c:_0-ref="mdui_namespace" c:_1="Logo"/>
+
+    <bean id="mdui-Description"     parent="QName" c:_0-ref="mdui_namespace" c:_1="Description"/>
+    <bean id="mdui-DisplayName"     parent="QName" c:_0-ref="mdui_namespace" c:_1="DisplayName"/>
+    <bean id="mdui-DomainHint"      parent="QName" c:_0-ref="mdui_namespace" c:_1="DomainHint"/>
+    <bean id="mdui-GeolocationHint" parent="QName" c:_0-ref="mdui_namespace" c:_1="GeolocationHint"/>
+    <bean id="mdui-InformationURL"  parent="QName" c:_0-ref="mdui_namespace" c:_1="InformationURL"/>
+    <bean id="mdui-IPHint"          parent="QName" c:_0-ref="mdui_namespace" c:_1="IPHint"/>
+    <bean id="mdui-Keywords"        parent="QName" c:_0-ref="mdui_namespace" c:_1="Keywords"/>
+    <bean id="mdui-Logo"            parent="QName" c:_0-ref="mdui_namespace" c:_1="Logo"/>
 
     <bean id="stripMDUIDiscoHints" parent="ElementStrippingStage"
         p:id="stripMDUIDiscoHints"
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index 294a2836..465ad91d 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -580,6 +580,32 @@
         </property>
     </bean>
     
+    <!--
+        check_saml_strings
+    -->
+    <bean id="check_saml_strings" parent="SAMLStringElementCheckingStage"
+        p:id="check_saml_strings">
+        <property name="elementNames">
+            <set>
+                <ref bean="md-Company"/>
+                <ref bean="md-GivenName"/>
+                <ref bean="md-OrganizationDisplayName"/>
+                <ref bean="md-OrganizationName"/>
+                <ref bean="md-ServiceDescription"/>
+                <ref bean="md-ServiceName"/>
+                <ref bean="md-SurName"/>
+                <ref bean="md-TelephoneNumber"/>
+
+                <ref bean="mdui-Description"/>
+                <ref bean="mdui-DisplayName"/>
+                <ref bean="mdui-DomainHint"/>
+                <ref bean="mdui-GeolocationHint"/>
+                <ref bean="mdui-IPHint"/>
+                <ref bean="mdui-Keywords"/>
+            </set>
+        </property>
+    </bean>
+
     <!--
         check_shibboleth
     -->
@@ -815,6 +841,7 @@
                 <ref bean="check_saml2"/>
                 <ref bean="check_saml2int"/>
                 <ref bean="check_saml2meta"/>
+                <ref bean="check_saml_strings"/>
                 <ref bean="check_shibboleth"/>
                 <ref bean="check_uk_algorithms"/>
                 <ref bean="check_uk_trust"/>

From 33649362e8d8c434cc64cfbe43fb0c5cec553a1c Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 11 Mar 2015 14:13:19 +0000
Subject: [PATCH 45/56] Revert inadvertent checkin.

---
 build/extract_locs.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/extract_locs.pl b/build/extract_locs.pl
index 94b360a1..a516194d 100755
--- a/build/extract_locs.pl
+++ b/build/extract_locs.pl
@@ -2,7 +2,7 @@
 
 use Xalan;
 
-open(XML, xalanCall . " -IN edugain.xml -XSL extract_locs.xsl|") || die "could not open input file";
+open(XML, xalanCall . " -IN ../mdx/uk/collected.xml -XSL extract_locs.xsl|") || die "could not open input file";
 while (<XML>) {
 	chop;
 	if (/^https:\/\/([^\/:]+(:\d+)?)(\/|$)/) {

From 7bda88df411dbb75ea405f0a5ff9887bd39df055 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 16 Apr 2015 12:53:06 +0000
Subject: [PATCH 46/56] Add a schema for the SDSS/UKf WAYF namespace.

This won't actually detect issues in most cases, because the HideFromWAYF element normally appears in locations with "lax" schema validation such as md:Extensions. However, we can use a concrete schema to help XML-aware editors.
---
 mdx/common-beans.xml   |  4 ++++
 mdx/schema/uk-wayf.xsd | 39 +++++++++++++++++++++++++++++++++++++++
 xml/uk-wayf.xsd        | 39 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 82 insertions(+)
 create mode 100644 mdx/schema/uk-wayf.xsd
 create mode 100644 xml/uk-wayf.xsd

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 85d5f657..4e13a575 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -978,6 +978,10 @@
             <!-- no imports -->
             <constructor-arg value="schema/uk-fed-label.xsd"/>
         </bean>
+        <bean parent="ClassPathResource">
+            <!-- no imports -->
+            <constructor-arg value="schema/uk-wayf.xsd"/>
+        </bean>
         <bean parent="ClassPathResource">
             <!-- imports xenc-schema.xsd -->
             <constructor-arg value="schema/ws-authorization.xsd"/>
diff --git a/mdx/schema/uk-wayf.xsd b/mdx/schema/uk-wayf.xsd
new file mode 100644
index 00000000..1139a62c
--- /dev/null
+++ b/mdx/schema/uk-wayf.xsd
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema xmlns="http://www.w3.org/2001/XMLSchema"
+    xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+    targetNamespace="http://sdss.ac.uk/2006/06/WAYF"
+    version="2015-04-16"
+    elementFormDefault="qualified">
+    
+    <annotation>
+        <documentation>
+            This schema describes the WAYF namespace, used internally by the
+            UK federation for the "HideFromWAYF" label.
+            
+            For additional information, see the Federation Technical Specification.
+        </documentation>
+    </annotation>
+    
+    <complexType name="basicLabel">
+        <annotation>
+            <documentation>
+                Basic labels are empty elements whose presence or absence
+                is all that is important.
+            </documentation>
+        </annotation>
+        <!--
+            No content elements are defined, so a basicLabel may contain
+            neither text nor nested elements.
+        -->
+    </complexType>
+    
+    <element name="HideFromWAYF" type="wayf:basicLabel">
+        <annotation>
+            <documentation>
+                Indicates an entity which should be hidden from the
+                Central Discovery Service.
+            </documentation>
+        </annotation>
+    </element>
+
+</schema>
diff --git a/xml/uk-wayf.xsd b/xml/uk-wayf.xsd
new file mode 100644
index 00000000..1139a62c
--- /dev/null
+++ b/xml/uk-wayf.xsd
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema xmlns="http://www.w3.org/2001/XMLSchema"
+    xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+    targetNamespace="http://sdss.ac.uk/2006/06/WAYF"
+    version="2015-04-16"
+    elementFormDefault="qualified">
+    
+    <annotation>
+        <documentation>
+            This schema describes the WAYF namespace, used internally by the
+            UK federation for the "HideFromWAYF" label.
+            
+            For additional information, see the Federation Technical Specification.
+        </documentation>
+    </annotation>
+    
+    <complexType name="basicLabel">
+        <annotation>
+            <documentation>
+                Basic labels are empty elements whose presence or absence
+                is all that is important.
+            </documentation>
+        </annotation>
+        <!--
+            No content elements are defined, so a basicLabel may contain
+            neither text nor nested elements.
+        -->
+    </complexType>
+    
+    <element name="HideFromWAYF" type="wayf:basicLabel">
+        <annotation>
+            <documentation>
+                Indicates an entity which should be hidden from the
+                Central Discovery Service.
+            </documentation>
+        </annotation>
+    </element>
+
+</schema>

From 6579450276b3fca4564224c111642607d296530d Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 16 Apr 2015 13:19:24 +0000
Subject: [PATCH 47/56] Check spelling and positioning of wayf:HideFromWAYF
 element.

---
 mdx/_rules/check_uk_wayf.xsl | 46 ++++++++++++++++++++++++++++++++++++
 mdx/validation-beans.xml     | 13 ++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 mdx/_rules/check_uk_wayf.xsl

diff --git a/mdx/_rules/check_uk_wayf.xsl b/mdx/_rules/check_uk_wayf.xsl
new file mode 100644
index 00000000..c2e443cd
--- /dev/null
+++ b/mdx/_rules/check_uk_wayf.xsl
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_uk_wayf.xsl
+	
+	Checking ruleset for the SDSS/UK federation WAYF namespace.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	<!--
+		Check for misspelled elements.
+		
+		This covers the case where elements from this namespace are used in a context
+		where lax validation applies.
+	-->
+	<xsl:template match="wayf:*[local-name()!='HideFromWAYF']">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>unknown element name wayf:</xsl:text>
+				<xsl:value-of select="local-name()"/>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+	<!--
+		Check for misplaced HideFromWAYF elements.
+	-->
+	<xsl:template match="wayf:HideFromWAYF[not(parent::md:Extensions) or not(parent::*/parent::md:EntityDescriptor)]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">misplaced wayf:HideFromWAYF element</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index 465ad91d..d99e7cd6 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -702,6 +702,18 @@
         </property>
     </bean>
     
+    <!--
+        check_uk_wayf
+    -->
+    <bean id="check_uk_wayf" parent="XSLValidationStage"
+        p:id="check_uk_wayf">
+        <property name="XSLResource">
+            <bean parent="FileSystemResource">
+                <constructor-arg value="${rulesdir}/check_uk_wayf.xsl"/>
+            </bean>
+        </property>
+    </bean>
+
     <!--
         *******************************************************
         ***                                                 ***
@@ -845,6 +857,7 @@
                 <ref bean="check_shibboleth"/>
                 <ref bean="check_uk_algorithms"/>
                 <ref bean="check_uk_trust"/>
+                <ref bean="check_uk_wayf"/>
             </list>
         </property>
     </bean>

From d1b8267598204184cfc64b31b7bfec9a338b45db Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 16 Apr 2015 13:33:08 +0000
Subject: [PATCH 48/56] Reference WAYF schema to assist XML-aware editors.

---
 build/normalise_fragment | 3 ++-
 mdx/uk/import.xsl        | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/build/normalise_fragment b/build/normalise_fragment
index 5b9bd582..06f58582 100755
--- a/build/normalise_fragment
+++ b/build/normalise_fragment
@@ -11,7 +11,7 @@ file:
 
    * arranges for all appropriate namespaces to appear on the EntityDescriptor
 
-   * arranges for an appropriate collection on schemaLocation values
+   * arranges for an appropriate collection of schemaLocation values
 
    * puts any ID and entityID attributes in the right place
 
@@ -66,6 +66,7 @@ ED_TEMPLATE = Template('''<?xml version="1.0" encoding="UTF-8"?>
         urn:oasis:names:tc:SAML:2.0:assertion ../xml/saml-schema-assertion-2.0.xsd
         urn:mace:shibboleth:metadata:1.0 ../xml/shibboleth-metadata-1.0.xsd
         http://ukfederation.org.uk/2006/11/label ../xml/uk-fed-label.xsd
+        http://sdss.ac.uk/2006/06/WAYF ../xml/uk-wayf.xsd
         http://www.w3.org/2001/04/xmlenc# ../xml/xenc-schema.xsd
         http://www.w3.org/2009/xmlenc11# ../xml/xenc-schema-11.xsd
         http://www.w3.org/2000/09/xmldsig# ../xml/xmldsig-core-schema.xsd"
diff --git a/mdx/uk/import.xsl b/mdx/uk/import.xsl
index 0acc045d..7e6bd0b5 100644
--- a/mdx/uk/import.xsl
+++ b/mdx/uk/import.xsl
@@ -73,6 +73,7 @@
 			urn:oasis:names:tc:SAML:2.0:assertion ../xml/saml-schema-assertion-2.0.xsd
 			urn:mace:shibboleth:metadata:1.0 ../xml/shibboleth-metadata-1.0.xsd
 			http://ukfederation.org.uk/2006/11/label ../xml/uk-fed-label.xsd
+			http://sdss.ac.uk/2006/06/WAYF ../xml/uk-wayf.xsd
 			http://www.w3.org/2001/04/xmlenc# ../xml/xenc-schema.xsd
 			http://www.w3.org/2009/xmlenc11# ../xml/xenc-schema-11.xsd
 			http://www.w3.org/2000/09/xmldsig# ../xml/xmldsig-core-schema.xsd">

From 9b080f5290fcbc292d774279a9a0460f7869b819 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 23 Apr 2015 10:11:03 +0000
Subject: [PATCH 49/56] Switch back to canonical eduGAIN aggregate location.

The feed-sha256 location was put in place for a transition which has now completed.
---
 mdx/int_edugain/beans.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mdx/int_edugain/beans.xml b/mdx/int_edugain/beans.xml
index 998dc5e9..e74b8bbf 100644
--- a/mdx/int_edugain/beans.xml
+++ b/mdx/int_edugain/beans.xml
@@ -28,7 +28,7 @@
     -->
     <!-- production aggregate -->
     <bean id="int_edugain_productionAggregate_url" class="java.lang.String">
-        <constructor-arg value="http://mds.edugain.org/feed-sha256.xml"/>
+        <constructor-arg value="http://mds.edugain.org/"/>
     </bean>
     <!-- test aggregate -->
     <bean id="int_edugain_testAggregate_url" class="java.lang.String">

From 8572ec546fdb8d90682aaa078ac603b48287fdd6 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 5 May 2015 10:07:52 +0000
Subject: [PATCH 50/56] Remove UKf PKIX trust root handling.

---
 build.xml                      |  11 --
 build/check_embedded.pl        |  84 +------------
 mdx/uk/authorities.pem         |  77 ------------
 mdx/uk/beans.xml               |  70 -----------
 mdx/uk/collect.xml             |   1 -
 mdx/uk/extract_authorities.xsl |  38 ------
 mdx/uk/trust-dummy.xml         |  84 -------------
 mdx/uk/trust-roots.xml         | 224 ---------------------------------
 mdx/uk/trust-roots.xsl         |  61 ---------
 9 files changed, 3 insertions(+), 647 deletions(-)
 delete mode 100644 mdx/uk/authorities.pem
 delete mode 100644 mdx/uk/extract_authorities.xsl
 delete mode 100644 mdx/uk/trust-dummy.xml
 delete mode 100644 mdx/uk/trust-roots.xml
 delete mode 100644 mdx/uk/trust-roots.xsl

diff --git a/build.xml b/build.xml
index 94097691..68ae0f2c 100644
--- a/build.xml
+++ b/build.xml
@@ -1261,17 +1261,6 @@
         </exec>
     </target>
 
-    <!--
-        Extract authorities
-    -->
-    <target name="extract.authorities">
-        <echo>Extracting key authorities</echo>
-        <XALAN
-            i="${mdx.dir}/uk/trust-roots.xml"
-            o="${mdx.dir}/uk/authorities.pem"
-            x="${mdx.dir}/uk/extract_authorities.xsl"/>
-    </target>
-
     <!--
         Utility to fold overlong embedded certificates.
     -->
diff --git a/build/check_embedded.pl b/build/check_embedded.pl
index 3fe5485e..f356636c 100755
--- a/build/check_embedded.pl
+++ b/build/check_embedded.pl
@@ -41,12 +41,10 @@
 #
 my %issuerMark;
 
-# From the UK federation trust roots document.
-$issuerMark{'AddTrust External CA Root'} = 'R';
-$issuerMark{'UTN-USERFirst-Hardware'} = 'i';
-$issuerMark{'TERENA SSL CA'} = 'i';
-
 # ex-roots
+$issuerMark{'AddTrust External CA Root'} = 'X';
+$issuerMark{'UTN-USERFirst-Hardware'} = 'x';
+$issuerMark{'TERENA SSL CA'} = 'x';
 $issuerMark{'GlobalSign Root CA'} = 'X';
 $issuerMark{'GlobalSign Organization Validation CA'} = 'x';
 $issuerMark{'GlobalSign Primary Secure Server CA'} = 'x';
@@ -366,74 +364,6 @@ sub comment {
 		}
 
 
-		#
-		# Use openssl to ask whether this matches our trust fabric or not.
-		#
-		my $error = '';
-		$serverOK = 1;
-		$cmd = "openssl verify -CAfile ../mdx/uk/authorities.pem -purpose sslserver $filename |";
-		open(SSL, $cmd) || die "could not open openssl subcommand 2";
-		while (<SSL>) {
-			chomp;
-			if (/error/) {
-				$error = $_;
-				$serverOK = 0;
-			}
-		}
-		close SSL;
-		$clientOK = 1;
-		$cmd = "openssl verify -CAfile ../mdx/uk/authorities.pem -purpose sslclient $filename |";
-		open(SSL, $cmd) || die "could not open openssl subcommand 3";
-		while (<SSL>) {
-			chomp;
-			if (/error/) {
-				$error = $_;
-				$clientOK = 0;
-			}
-		}
-		close SSL;
-		
-		#
-		# Irrespective of what went wrong, client and server results should match.
-		#
-		if ($clientOK != $serverOK) {
-			error("client/server purpose result mismatch: $clientOK != $serverOK");
-		}
-		
-		#
-		# Reduce error if possible.
-		#
-		if ($error =~ m/^error \d+ at \d+ depth lookup:\s*(.*)$/) {
-			$error = $1;
-		}
-		
-		#
-		# Now, adjust for our expectations.
-		#
-		if (!$hasKeyName) {
-			#
-			# Pretty much any certificate is fine if we don't have a KeyName.
-			#
-			if ($error eq 'self signed certificate') {
-				$error = '';
-				comment("self signed certificate");
-			} elsif ($error eq 'unable to get local issuer certificate') {
-				$error = '';
-				comment("unknown issuer: $issuerCN");
-			} elsif ($clientOK) {
-				# $error = "certificate matches trust fabric; add KeyName?";
-			}
-		}
-
-		if ($error eq 'certificate has expired' && $days < 0) {
-			# an equivalent message has already been issued
-			$error = '';
-		}
-
-		if ($error ne '') {
-			error($error);
-		}
-		
 		#
 		# Handle public key size.
 		#
@@ -446,14 +376,6 @@ sub comment {
 		#
 		close $fh;
 
-		#if ($issuer eq $subject) {
-		#	# self-signed
-		#} elsif ($issuerCN eq 'TERENA SSL CA') {
-		#	# this one we know about
-		#} else {
-		#	warning("issuer is '$issuerCN'");
-		#}
-
 		#
 		# Add a warning for certain issuers.
 		#
diff --git a/mdx/uk/authorities.pem b/mdx/uk/authorities.pem
deleted file mode 100644
index b4267583..00000000
--- a/mdx/uk/authorities.pem
+++ /dev/null
@@ -1,77 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
-MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
-IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
-MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
-FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
-bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
-dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
-H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
-uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
-mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
-a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
-E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
-WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
-VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
-Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
-cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
-IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
-AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
-YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
-6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
-Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
-c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
-mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEPDCCAySgAwIBAgIQSEus8arH1xND0aJ0NUmXJTANBgkqhkiG9w0BAQUFADBv
-MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
-ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
-eHRlcm5hbCBDQSBSb290MB4XDTA1MDYwNzA4MDkxMFoXDTIwMDUzMDEwNDgzOFow
-gZcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBMYWtl
-IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMY
-aHR0cDovL3d3dy51c2VydHJ1c3QuY29tMR8wHQYDVQQDExZVVE4tVVNFUkZpcnN0
-LUhhcmR3YXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsffDOD+0
-qH/POYJRZ9Btn9L/WPPnnyvsDYlUmbk4mRb34CF5SMK7YXQSlh08anLVPBBnOjnt
-KxPNZuuVCTOkbJex6MbswXV5nEZejavQav25KlUXEFSzGfCa9vGxXbanbfvgcRdr
-ooj7AN/+GjF3DJoBerEy4ysBBzhuw6VeI7xFm3tQwckwj9vlK3rTW/szQB6g1ZgX
-vIuHw4nTXaCOsqqq9o5piAbF+okh8widaS4JM5spDUYPjMxJNLBpUb35Bs1orWZM
-vD6sYb0KiA7I3z3ufARMnQpea5HW7sftKI2rTYeJc9BupNAeFosU4XZEA39jrOTN
-SZzFkvSrMqFIWwIDAQABo4GqMIGnMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8D
-veAky1QaMB0GA1UdDgQWBBShcl8mGyiYQ5VdBzfVhZadS9LDRTAOBgNVHQ8BAf8E
-BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8v
-Y3JsLnVzZXJ0cnVzdC5jb20vQWRkVHJ1c3RFeHRlcm5hbENBUm9vdC5jcmwwDQYJ
-KoZIhvcNAQEFBQADggEBADzse+Cuow6WbTDXhcbSaFtFWoKmNA+wyZIjXhFtCBGy
-dAkjOjUlc1heyrl8KPpH7PmgA1hQtlPvjNs55Gfp2MooRtSn4PU4dfjny1y/HRE8
-akCbLURW0/f/BSgyDBXIZEWT6CEkjy3aeoR7T8/NsiV8dxDTlNEEkaglHAkiD31E
-NREU768A/l7qX46w2ZJZuvwTlqAYAVbO2vYoC7Gv3VxPXLLzj1pxz+0YrWOIHY6V
-9+qV5x+tkLiECEeFfyIvGh1IMNZMCNg3GWcyK+tc0LL8blefBDVekAB+EcfeEyrN
-pG1FJseIVqDwavfY5/wnfmcI0L36tsNhAgFlubgvz1o=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEmDCCA4CgAwIBAgIQS8gUAy8H+mqk8Nop32F5ujANBgkqhkiG9w0BAQUFADCB
-lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug
-Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho
-dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt
-SGFyZHdhcmUwHhcNMDkwNTE4MDAwMDAwWhcNMjAwNTMwMTA0ODM4WjA2MQswCQYD
-VQQGEwJOTDEPMA0GA1UEChMGVEVSRU5BMRYwFAYDVQQDEw1URVJFTkEgU1NMIENB
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw+NIxC9cwcupmf0booNd
-ij2tOtDipEMfTQ7+NSUwpWkbxOjlwY9UfuFqoppcXN49/ALOlrhfj4NbzGBAkPjk
-tjolnF8UUeyx56+eUKExVccCvaxSin81joL6hK0V/qJ/gxA6VVOULAEWdJRUYyij
-8lspPZSIgCDiFFkhGbSkmOFg5vLrooCDQ+CtaPN5GYtoQ1E/iptBhQw1jF218bbl
-p8ODtWsjb9Sl61DllPFKX+4nSxQSFSRMDc9ijbcAIa06Mg9YC18em9HfnY6pGTVQ
-L0GprTvG4EWyUzl/Ib8iGodcNK5Sbwd9ogtOnyt5pn0T3fV/g3wvWl13eHiRoBS/
-fQIDAQABo4IBPjCCATowHwYDVR0jBBgwFoAUoXJfJhsomEOVXQc31YWWnUvSw0Uw
-HQYDVR0OBBYEFAy9k2gM896ro0lrKzdXR+qQ47ntMA4GA1UdDwEB/wQEAwIBBjAS
-BgNVHRMBAf8ECDAGAQH/AgEAMBgGA1UdIAQRMA8wDQYLKwYBBAGyMQECAh0wRAYD
-VR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VUTi1VU0VS
-Rmlyc3QtSGFyZHdhcmUuY3JsMHQGCCsGAQUFBwEBBGgwZjA9BggrBgEFBQcwAoYx
-aHR0cDovL2NydC51c2VydHJ1c3QuY29tL1VUTkFkZFRydXN0U2VydmVyX0NBLmNy
-dDAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG
-9w0BAQUFAAOCAQEATiPuSJz2hYtxxApuc5NywDqOgIrZs8qy1AGcKM/yXA4hRJML
-thoh45gBlA5nSYEevj0NTmDa76AxTpXv8916WoIgQ7ahY0OzUGlDYktWYrA0irkT
-Q1mT7BR5iPNIk+idyfqHcgxrVqDDFY1opYcfcS3mWm08aXFABFXcoEOUIEU4eNe9
-itg5xt8Jt1qaqQO4KBB4zb8BG1oRPjj02Bs0ec8z0gH9rJjNbUcRkEy7uVvYcOfV
-r7bMxIbmdcCeKbYrDyqlaQIN4+mitF3A884saoU4dmHGSYKrUbOCprlBmCiY+2v+
-ihb/MX5UR6g83EMmqZsFt57ANEORMNQywxFa4Q==
------END CERTIFICATE-----
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 581c3953..c734fe79 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -286,76 +286,6 @@
     </bean>
     
 
-    <!--
-        uk_trustRootsDocument
-        
-        This bean contains the contents of the trust roots file as a DOM Document.
-    -->
-    <bean id="uk_trustRootsDocument" parent="DOMDocumentFactoryBean">
-        <property name="parserPool" ref="parserPool"/>
-        <property name="documentResource">
-            <bean parent="FileSystemResource">
-                <constructor-arg value="${basedir}/mdx/uk/trust-roots.xml"/>
-            </bean>
-        </property>
-    </bean>    
-    
-    
-    <!--
-        uk_addTrustRoots
-        
-        This stage adds the UK federation trust roots to an EntitiesDescriptor.
-    -->
-    <bean id="uk_addTrustRoots" parent="XSLTransformationStage"
-        p:id="uk_addTrustRoots">
-        <property name="XSLResource">
-            <bean parent="ClassPathResource">
-                <constructor-arg value="uk/trust-roots.xsl"/>
-            </bean>
-        </property>
-        <property name="transformParameters">
-            <map>
-                <entry key="trustRootsDocument" value-ref="uk_trustRootsDocument"/>
-            </map>
-        </property>
-    </bean>
-    
-
-    <!--
-        uk_dummyTrustRootsDocument
-        
-        This bean contains the contents of the dummy trust roots file as a DOM Document.
-    -->
-    <bean id="uk_dummyTrustRootsDocument" parent="DOMDocumentFactoryBean">
-        <property name="parserPool" ref="parserPool"/>
-        <property name="documentResource">
-            <bean parent="FileSystemResource">
-                <constructor-arg value="${basedir}/mdx/uk/trust-dummy.xml"/>
-            </bean>
-        </property>
-    </bean>    
-    
-    
-    <!--
-        uk_addDummyTrustRoots
-        
-        This stage adds the dummy UK federation trust roots to an EntitiesDescriptor.
-    -->
-    <bean id="uk_addDummyTrustRoots" parent="XSLTransformationStage"
-        p:id="uk_addDummyTrustRoots">
-        <property name="XSLResource">
-            <bean parent="ClassPathResource">
-                <constructor-arg value="uk/trust-roots.xsl"/>
-            </bean>
-        </property>
-        <property name="transformParameters">
-            <map>
-                <entry key="trustRootsDocument" value-ref="uk_dummyTrustRootsDocument"/>
-            </map>
-        </property>
-    </bean>
-    
-    
     <!--
         uk_processFragment
         
diff --git a/mdx/uk/collect.xml b/mdx/uk/collect.xml
index 2f5a99d9..0ea376b7 100644
--- a/mdx/uk/collect.xml
+++ b/mdx/uk/collect.xml
@@ -37,7 +37,6 @@
             <list>
                 <ref bean="uk_registeredEntities"/>
                 <ref bean="uk_assemble"/>
-                <ref bean="uk_addTrustRoots"/>
                 <ref bean="normaliseNamespaces"/>
                 <ref bean="errorTerminatingFilter"/>
                 <ref bean="serializeCollected"/>
diff --git a/mdx/uk/extract_authorities.xsl b/mdx/uk/extract_authorities.xsl
deleted file mode 100644
index cba4a198..00000000
--- a/mdx/uk/extract_authorities.xsl
+++ /dev/null
@@ -1,38 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-	extract_authorities.xsl
-	
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	the certificate authorities in the form of a series of
-	PEM certificate blocks.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
-
--->
-<xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-
-    xmlns:mdxTextUtils="xalan://uk.ac.sdss.xalan.md.TextUtils"
-	extension-element-prefixes="mdxTextUtils"
-
-	exclude-result-prefixes="shibmd md ds wayf">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<xsl:template match="//md:EntitiesDescriptor/md:Extensions/shibmd:KeyAuthority//ds:X509Certificate">
-		<xsl:text>-----BEGIN CERTIFICATE-----&#x0a;</xsl:text>
-		<xsl:value-of select="mdxTextUtils:wrapBase64(.)"/>
-		<xsl:text>&#x0a;-----END CERTIFICATE-----&#x0a;</xsl:text>
-	</xsl:template>
-	
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
-</xsl:stylesheet>
diff --git a/mdx/uk/trust-dummy.xml b/mdx/uk/trust-dummy.xml
deleted file mode 100644
index 8a65fc78..00000000
--- a/mdx/uk/trust-dummy.xml
+++ /dev/null
@@ -1,84 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<EntitiesDescriptor
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	Name="http://ukfederation.org.uk"
-	xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../../xml/saml-schema-metadata-2.0.xsd
-		urn:mace:shibboleth:metadata:1.0 ../../xml/shibboleth-metadata-1.0.xsd
-		http://www.w3.org/2001/04/xmlenc# ../../xml/xenc-schema.xsd
-		http://www.w3.org/2000/09/xmldsig# ../../xml/xmldsig-core-schema.xsd">
-
-	<Extensions>
-
-		<shibmd:KeyAuthority VerifyDepth="3">
-            <!--
-		          Authorities accepted for the federation.
-		          
-		          The KeyAuthority element's VerifyDepth attribute must be at least as
-		          large as the verification depth required by each root certificate below.
-            -->
-              
-		    <ds:KeyInfo>
-		        <!--
-		            Dummy Trust Root
-		            
-		            This trust root is included because the schema for KeyAuthority
-		            requires at least one KeyInfo element to be present. The private
-		            key for this certificate has been destroyed and will never be
-		            used for signing.
-
-		            Subject and issuer:
-		                C=GB
-		                O=UK Access Management Federation for Education and Research
-		                CN=UK Federation Dummy Trust Root
-
-		            Validity
-		                Not Before: Sep 11 11:12:46 2014 GMT
-		                Not After : Dec 31 11:12:46 2037 GMT
-		        -->
-		        <ds:X509Data>
-		            <ds:X509Certificate>
-		            	MIIDyTCCArGgAwIBAgIJANzhVoorjiDkMA0GCSqGSIb3DQEBCwUAMHsxCzAJBgNV
-		            	BAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVudCBGZWRlcmF0aW9u
-		            	IGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMScwJQYDVQQDDB5VSyBGZWRlcmF0
-		            	aW9uIER1bW15IFRydXN0IFJvb3QwHhcNMTQwOTExMTExMjQ2WhcNMzcxMjMxMTEx
-		            	MjQ2WjB7MQswCQYDVQQGEwJHQjFDMEEGA1UECgw6VUsgQWNjZXNzIE1hbmFnZW1l
-		            	bnQgRmVkZXJhdGlvbiBmb3IgRWR1Y2F0aW9uIGFuZCBSZXNlYXJjaDEnMCUGA1UE
-		            	AwweVUsgRmVkZXJhdGlvbiBEdW1teSBUcnVzdCBSb290MIIBIjANBgkqhkiG9w0B
-		            	AQEFAAOCAQ8AMIIBCgKCAQEAveglhNmpxkFYOK3eDy5klZFRONJOojXnrbNftFQc
-		            	9FLZdKfC2dEj4DoOl34dc0x958NO5xNr2TpVrjbrW0rC2WV0b3J9e1essclcazFy
-		            	BECiKyvKBQRlwDQDaO24b5UCSmmdpuEk5bj0PDDArox06xDDEc3xiKH46EX2yrvS
-		            	mvQSBPR7l2vJGMbUkL6SkD9K2VbBP6rqoK7FdN/zpV/U5cM3fFcpIZGUfVPkP55P
-		            	F+/pUQ9RhL5SZfo5hWgYKecVRimLmK7hIIQ6ykzJwOk95NwuNXFhinZMkjV+ECr4
-		            	uoUNDnBPZdoVy8TxuYVqqs+orQ94yrp/BdKj5paQTZwNZwIDAQABo1AwTjAdBgNV
-		            	HQ4EFgQUD2aE2xpdeqknmgnSY+JCXJ4187kwHwYDVR0jBBgwFoAUD2aE2xpdeqkn
-		            	mgnSY+JCXJ4187kwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAKjoq
-		            	8ORqQF8W4ZuEMaQsTOJxfgeRHgk1DvY1YzCt0VqMPnvbsMLI2vC1YIGVKEuds6ZA
-		            	VxIt+yng7WZOcAmHDdUjUczXRxoYrwJt1QpF+kFCnjHOD+Ra4GjryIIkCHYU5wDp
-		            	o8EVbWM5KiwUhkekjBeL/WyIyk3tHLWwr9qz0Idye0w3FczOLqkb4NgXC54miXeS
-		            	pLfExLaTc4OvsJy/DYeda8GAars4m3Q7agQxdd+0F3xiKWB60L+xoOQ3xgW4QYwS
-		            	uBMMvnRdg8I5SHquBAFXHcXhKeC/onN9J8sZIRD/vUWWasiyMNGQeh4dWcbz7PM6
-		            	h0ok321gwSmdcL+svA==
-		            </ds:X509Certificate>
-		        </ds:X509Data>
-		    </ds:KeyInfo>
-				
-		</shibmd:KeyAuthority>
-	</Extensions>
-	
-	<EntityDescriptor entityID="dummy">
-		<!--
-			Dummy entity, present simply because the schema for EntitiesDescriptor
-			requires at least one.  Removed by applications that read this file.
-			
-			*** DO NOT REMOVE THIS ENTITY FROM THE MASTER FILE ***
-		-->
-		<SPSSODescriptor protocolSupportEnumeration="dummy">
-			<AssertionConsumerService index="0" Binding="dummy" Location="dummy"/>
-		</SPSSODescriptor>
-	</EntityDescriptor>
-	
-</EntitiesDescriptor>
-
diff --git a/mdx/uk/trust-roots.xml b/mdx/uk/trust-roots.xml
deleted file mode 100644
index f32a3431..00000000
--- a/mdx/uk/trust-roots.xml
+++ /dev/null
@@ -1,224 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<EntitiesDescriptor
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	Name="http://ukfederation.org.uk"
-	xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../../xml/saml-schema-metadata-2.0.xsd
-		urn:mace:shibboleth:metadata:1.0 ../../xml/shibboleth-metadata-1.0.xsd
-		http://www.w3.org/2001/04/xmlenc# ../../xml/xenc-schema.xsd
-		http://www.w3.org/2000/09/xmldsig# ../../xml/xmldsig-core-schema.xsd">
-
-	<Extensions>
-
-		<shibmd:KeyAuthority VerifyDepth="3">
-            <!--
-		          Authorities accepted for the federation.
-		          
-		          The KeyAuthority element's VerifyDepth attribute must be at least as
-		          large as the verification depth required by each root certificate below.
-            -->
-              
-		    <!--
-		        *******************************
-		        ***                         ***
-		        ***   T E R E N A   T C S   ***
-		        ***                         ***
-		        *******************************
-		        
-		        The following root and intermediate certificates support PKIX use of
-		        end entity certificates issued by the TERENA Certificate Service (TCS).
-		        
-		        These certificates are supplied under an arrangement with Comodo
-		        originally set to run from July 2009 to June 2012 but later
-		        extended until June 2013.
-		        
-		        Note that certificates issued under the TCS share a root certificate
-		        with certain Comodo commercial certificate products, but the
-		        intermediate certificates used are different.  In addition, the chain of
-		        intermediates is longer than the VerifyDepth declared above allows for.
-		    -->
-		    
-		    <ds:KeyInfo>
-		        <!--
-		            
-		            AddTrust External CA Root
-		            
-		            Subject and issuer:
-		                C=SE
-		                O=AddTrust AB
-		                OU=AddTrust External TTP Network
-		                CN=AddTrust External CA Root
-
-                    This is used to sign:
-		                UTN-USERFirst-Hardware intermediate, below
-		                which signs TERENA SSL CA intermediate, below
-		                which signs end entity certificates
-		            
-		            Two intermediate CAs below the root, so requires a verification depth of at least 3.
-		            
-		            Validity
-		                Not Before: May 30 10:48:38 2000 GMT
-		                Not After : May 30 10:48:38 2020 GMT
-		            
-		        -->
-		        <ds:X509Data>
-		            <ds:X509Certificate>
-		                MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
-		                MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
-		                IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
-		                MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
-		                FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
-		                bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
-		                dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
-		                H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
-		                uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
-		                mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
-		                a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
-		                E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
-		                WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
-		                VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
-		                Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
-		                cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
-		                IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
-		                AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
-		                YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
-		                6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
-		                Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
-		                c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
-		                mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-		            </ds:X509Certificate>
-		        </ds:X509Data>
-		    </ds:KeyInfo>
-
-		    <ds:KeyInfo>
-		        <!--
-		            
-		            UTN-USERFirst-Hardware intermediate
-		            
-		            Subject:
-		                C=US
-		                ST=UT
-		                L=Salt Lake City
-		                O=The USERTRUST Network
-		                OU=http://www.usertrust.com, 
-		                CN=UTN-USERFirst-Hardware
-		            
-		            Issuer:
-		                C=SE
-		                O=AddTrust AB
-		                OU=AddTrust External TTP Network
-		                CN=AddTrust External CA Root
-		            
-		            This is used to sign:
-    		            TERENA SSL CA intermediate, below
-	    	            which signs end entity certificates
-		            
-                    Validity
-                        Not Before: Jun  7 08:09:10 2005 GMT
-                        Not After : May 30 10:48:38 2020 GMT
-                    
-		        -->
-		        <ds:X509Data>
-		            <ds:X509Certificate>
-		                MIIEPDCCAySgAwIBAgIQSEus8arH1xND0aJ0NUmXJTANBgkqhkiG9w0BAQUFADBv
-		                MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
-		                ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
-		                eHRlcm5hbCBDQSBSb290MB4XDTA1MDYwNzA4MDkxMFoXDTIwMDUzMDEwNDgzOFow
-		                gZcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBMYWtl
-		                IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMY
-		                aHR0cDovL3d3dy51c2VydHJ1c3QuY29tMR8wHQYDVQQDExZVVE4tVVNFUkZpcnN0
-		                LUhhcmR3YXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsffDOD+0
-		                qH/POYJRZ9Btn9L/WPPnnyvsDYlUmbk4mRb34CF5SMK7YXQSlh08anLVPBBnOjnt
-		                KxPNZuuVCTOkbJex6MbswXV5nEZejavQav25KlUXEFSzGfCa9vGxXbanbfvgcRdr
-		                ooj7AN/+GjF3DJoBerEy4ysBBzhuw6VeI7xFm3tQwckwj9vlK3rTW/szQB6g1ZgX
-		                vIuHw4nTXaCOsqqq9o5piAbF+okh8widaS4JM5spDUYPjMxJNLBpUb35Bs1orWZM
-		                vD6sYb0KiA7I3z3ufARMnQpea5HW7sftKI2rTYeJc9BupNAeFosU4XZEA39jrOTN
-		                SZzFkvSrMqFIWwIDAQABo4GqMIGnMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8D
-		                veAky1QaMB0GA1UdDgQWBBShcl8mGyiYQ5VdBzfVhZadS9LDRTAOBgNVHQ8BAf8E
-		                BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8v
-		                Y3JsLnVzZXJ0cnVzdC5jb20vQWRkVHJ1c3RFeHRlcm5hbENBUm9vdC5jcmwwDQYJ
-		                KoZIhvcNAQEFBQADggEBADzse+Cuow6WbTDXhcbSaFtFWoKmNA+wyZIjXhFtCBGy
-		                dAkjOjUlc1heyrl8KPpH7PmgA1hQtlPvjNs55Gfp2MooRtSn4PU4dfjny1y/HRE8
-		                akCbLURW0/f/BSgyDBXIZEWT6CEkjy3aeoR7T8/NsiV8dxDTlNEEkaglHAkiD31E
-		                NREU768A/l7qX46w2ZJZuvwTlqAYAVbO2vYoC7Gv3VxPXLLzj1pxz+0YrWOIHY6V
-		                9+qV5x+tkLiECEeFfyIvGh1IMNZMCNg3GWcyK+tc0LL8blefBDVekAB+EcfeEyrN
-		                pG1FJseIVqDwavfY5/wnfmcI0L36tsNhAgFlubgvz1o=
-		            </ds:X509Certificate>
-		        </ds:X509Data>
-		    </ds:KeyInfo>
-		    
-		    <ds:KeyInfo>
-		        <!--
-		            
-		            TERENA SSL CA intermediate
-		            
-		            Subject:
-		                C=NL
-		                O=TERENA
-		                CN=TERENA SSL CA
-		            
-		            Issuer:
-		                C=US
-		                ST=UT
-		                L=Salt Lake City
-		                O=The USERTRUST Network
-		                OU=http://www.usertrust.com, 
-		                CN=UTN-USERFirst-Hardware
-		            
-		            This is used to sign end entity certificates.
-		            
-		            Validity
-		                Not Before: May 18 00:00:00 2009 GMT
-		                Not After : May 30 10:48:38 2020 GMT
-		            
-		        -->
-		        <ds:X509Data>
-		            <ds:X509Certificate>
-		                MIIEmDCCA4CgAwIBAgIQS8gUAy8H+mqk8Nop32F5ujANBgkqhkiG9w0BAQUFADCB
-		                lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug
-		                Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho
-		                dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt
-		                SGFyZHdhcmUwHhcNMDkwNTE4MDAwMDAwWhcNMjAwNTMwMTA0ODM4WjA2MQswCQYD
-		                VQQGEwJOTDEPMA0GA1UEChMGVEVSRU5BMRYwFAYDVQQDEw1URVJFTkEgU1NMIENB
-		                MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw+NIxC9cwcupmf0booNd
-		                ij2tOtDipEMfTQ7+NSUwpWkbxOjlwY9UfuFqoppcXN49/ALOlrhfj4NbzGBAkPjk
-		                tjolnF8UUeyx56+eUKExVccCvaxSin81joL6hK0V/qJ/gxA6VVOULAEWdJRUYyij
-		                8lspPZSIgCDiFFkhGbSkmOFg5vLrooCDQ+CtaPN5GYtoQ1E/iptBhQw1jF218bbl
-		                p8ODtWsjb9Sl61DllPFKX+4nSxQSFSRMDc9ijbcAIa06Mg9YC18em9HfnY6pGTVQ
-		                L0GprTvG4EWyUzl/Ib8iGodcNK5Sbwd9ogtOnyt5pn0T3fV/g3wvWl13eHiRoBS/
-		                fQIDAQABo4IBPjCCATowHwYDVR0jBBgwFoAUoXJfJhsomEOVXQc31YWWnUvSw0Uw
-		                HQYDVR0OBBYEFAy9k2gM896ro0lrKzdXR+qQ47ntMA4GA1UdDwEB/wQEAwIBBjAS
-		                BgNVHRMBAf8ECDAGAQH/AgEAMBgGA1UdIAQRMA8wDQYLKwYBBAGyMQECAh0wRAYD
-		                VR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VUTi1VU0VS
-		                Rmlyc3QtSGFyZHdhcmUuY3JsMHQGCCsGAQUFBwEBBGgwZjA9BggrBgEFBQcwAoYx
-		                aHR0cDovL2NydC51c2VydHJ1c3QuY29tL1VUTkFkZFRydXN0U2VydmVyX0NBLmNy
-		                dDAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG
-		                9w0BAQUFAAOCAQEATiPuSJz2hYtxxApuc5NywDqOgIrZs8qy1AGcKM/yXA4hRJML
-		                thoh45gBlA5nSYEevj0NTmDa76AxTpXv8916WoIgQ7ahY0OzUGlDYktWYrA0irkT
-		                Q1mT7BR5iPNIk+idyfqHcgxrVqDDFY1opYcfcS3mWm08aXFABFXcoEOUIEU4eNe9
-		                itg5xt8Jt1qaqQO4KBB4zb8BG1oRPjj02Bs0ec8z0gH9rJjNbUcRkEy7uVvYcOfV
-		                r7bMxIbmdcCeKbYrDyqlaQIN4+mitF3A884saoU4dmHGSYKrUbOCprlBmCiY+2v+
-		                ihb/MX5UR6g83EMmqZsFt57ANEORMNQywxFa4Q==
-		            </ds:X509Certificate>
-		        </ds:X509Data>
-		    </ds:KeyInfo>
-				
-		</shibmd:KeyAuthority>
-	</Extensions>
-	
-	<EntityDescriptor entityID="dummy">
-		<!--
-			Dummy entity, present simply because the schema for EntitiesDescriptor
-			requires at least one.  Removed by applications that read this file.
-			
-			*** DO NOT REMOVE THIS ENTITY FROM THE MASTER FILE ***
-		-->
-		<SPSSODescriptor protocolSupportEnumeration="dummy">
-			<AssertionConsumerService index="0" Binding="dummy" Location="dummy"/>
-		</SPSSODescriptor>
-	</EntityDescriptor>
-	
-</EntitiesDescriptor>
-
diff --git a/mdx/uk/trust-roots.xsl b/mdx/uk/trust-roots.xsl
deleted file mode 100644
index 88e2bf6c..00000000
--- a/mdx/uk/trust-roots.xsl
+++ /dev/null
@@ -1,61 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-	trust-roots.xsl
-	
-	XSL stylesheet that adds the UK federation's trust roots in to an
-	EntitiesDescriptor aggregate.
-	
--->
-<xsl:stylesheet version="1.0"
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="md">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-    <!--
-        The trust roots document is passed in as a parameter.  This is an EntitiesDescriptor
-        with the KeyAuthority list in a child Extensions element.
-    -->
-    <xsl:param name="trustRootsDocument"/>
-
-	<!--
-		Inject the trust roots into the document's EntitiesDescriptor document element.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<xsl:copy>
-			<xsl:apply-templates select="@*"/>
-			<xsl:text>&#10;&#10;&#10;    </xsl:text>
-			<xsl:apply-templates select="$trustRootsDocument//md:Extensions"/>
-			<xsl:text>&#10;</xsl:text>
-			<xsl:apply-templates select="node()"/>
-		</xsl:copy>
-	</xsl:template>
-	
-	
-	<!--
-        *********************************************
-        ***                                       ***
-        ***   D E F A U L T   T E M P L A T E S   ***
-        ***                                       ***
-        *********************************************
-    -->
-    
-    
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
-</xsl:stylesheet>

From 07570f7c0e0e102337dee81f380008f15c625582 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 14 May 2015 15:43:57 +0000
Subject: [PATCH 51/56] Trim unused namespaces.

---
 mdx/_rules/check_saml2int.xsl | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/mdx/_rules/check_saml2int.xsl b/mdx/_rules/check_saml2int.xsl
index 66340acd..8e00e073 100644
--- a/mdx/_rules/check_saml2int.xsl
+++ b/mdx/_rules/check_saml2int.xsl
@@ -15,14 +15,7 @@
 	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-
-	xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
-
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
 	<!--

From 5e167da002b9d65090680c97c9a292ed05ea64fe Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 14 May 2015 15:44:24 +0000
Subject: [PATCH 52/56] Add proposed saml2int SSO binding rule as a future
 test.

---
 mdx/_rules/check_future_0.xsl | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/mdx/_rules/check_future_0.xsl b/mdx/_rules/check_future_0.xsl
index fe932075..f43d4697 100644
--- a/mdx/_rules/check_future_0.xsl
+++ b/mdx/_rules/check_future_0.xsl
@@ -30,4 +30,21 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
+    <!--
+        Section 6.1.
+        
+        "The <saml2p:AuthnRequest> message issued by a Service Provider MUST be
+        communicated to the Identity Provider using the HTTP-REDIRECT binding
+        [SAML2Bind]."
+        
+        Therefore, metadata for this binding MUST be present.
+    -->
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 IDPSSODescriptor does not support HTTP-Redirect SSO binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>

From cec6931683ef4613705e1f449701d1d4500ff389 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 19 May 2015 11:07:22 +0000
Subject: [PATCH 53/56] Revise Shibboleth 1.3 EOL wording.

---
 mdx/uk/statistics.xsl | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index 2caa9d1c..406a6987 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -1043,8 +1043,9 @@
                 <h2><a name="shib13">Shibboleth 1.3 Remnants</a></h2>
                 <p>
                     The following lists show entities that are believed to be running the
-                    Shibboleth 1.3 software, which is now beyond its official end of life
-                    date.  As heuristics have been used to create these lists, they may
+                    Shibboleth 1.3 software, which reached its official end of life
+                    date on 30-June-2010.
+                    As heuristics have been used to create these lists, they may
                     not be completely accurate.
                 </p>
 

From 4ddd7539840af487898af1a7ea3ce63a53d243e3 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 19 May 2015 11:17:27 +0000
Subject: [PATCH 54/56] Add breakdown by software of non-SAML-2 SPs.

---
 mdx/uk/statistics.xsl | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index 406a6987..6485d03c 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -1211,6 +1211,10 @@
                         </li>
                     </xsl:for-each>
                 </ul>
+                <xsl:call-template name="entity.breakdown.by.software">
+                    <xsl:with-param name="entities" select="$sps[md:SPSSODescriptor[not(contains(@protocolSupportEnumeration,
+                        'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+                </xsl:call-template>
 
 
             </body>

From f63653a950220ccd0c5d298a5b7f763470403ebe Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 19 May 2015 11:24:42 +0000
Subject: [PATCH 55/56] Add breakdown by software of non-SAML-2 IdPs.

---
 mdx/uk/statistics.xsl | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index 6485d03c..ee396fa7 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -1216,7 +1216,12 @@
                         'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
                 </xsl:call-template>
 
-
+                <h3>Identity Providers Without SAML 2.0 Support</h3>
+                <xsl:call-template name="entity.breakdown.by.software">
+                    <xsl:with-param name="entities" select="$idps[md:IDPSSODescriptor[not(contains(@protocolSupportEnumeration,
+                        'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+                </xsl:call-template>
+                
             </body>
         </html>
     </xsl:template>

From 63c86df3f429a6c9c4541b2b855f9b1f206b8bc8 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 22 May 2015 09:08:45 +0000
Subject: [PATCH 56/56] Promote check for saml2int section 6.1.

Look for metadata for a SingleSignOnService with HTTP-Redirect binding
on a SAML 2 IdP.
---
 mdx/_rules/check_future_0.xsl | 17 -----------------
 mdx/_rules/check_saml2int.xsl | 17 +++++++++++++++++
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/mdx/_rules/check_future_0.xsl b/mdx/_rules/check_future_0.xsl
index f43d4697..fe932075 100644
--- a/mdx/_rules/check_future_0.xsl
+++ b/mdx/_rules/check_future_0.xsl
@@ -30,21 +30,4 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
-    <!--
-        Section 6.1.
-        
-        "The <saml2p:AuthnRequest> message issued by a Service Provider MUST be
-        communicated to the Identity Provider using the HTTP-REDIRECT binding
-        [SAML2Bind]."
-        
-        Therefore, metadata for this binding MUST be present.
-    -->
-    <xsl:template match="md:IDPSSODescriptor
-        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-        [not(md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'])]">
-        <xsl:call-template name="error">
-            <xsl:with-param name="m">SAML 2.0 IDPSSODescriptor does not support HTTP-Redirect SSO binding</xsl:with-param>
-        </xsl:call-template>
-    </xsl:template>
-
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_saml2int.xsl b/mdx/_rules/check_saml2int.xsl
index 8e00e073..812fe87e 100644
--- a/mdx/_rules/check_saml2int.xsl
+++ b/mdx/_rules/check_saml2int.xsl
@@ -61,6 +61,23 @@
 		</xsl:call-template>
 	</xsl:template>
 	
+	<!--
+        Section 6.1.
+        
+        "The <saml2p:AuthnRequest> message issued by a Service Provider MUST be
+        communicated to the Identity Provider using the HTTP-REDIRECT binding
+        [SAML2Bind]."
+        
+        Therefore, metadata for this binding MUST be present.
+    -->
+	<xsl:template match="md:IDPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[not(md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'])]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 IDPSSODescriptor does not support HTTP-Redirect SSO binding</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
 	<!--
 		Section 7.