diff --git a/.classpath b/.classpath
deleted file mode 100644
index 7cec603d..00000000
--- a/.classpath
+++ /dev/null
@@ -1,4 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<classpath>
-	<classpathentry kind="output" path="bin"/>
-</classpath>
diff --git a/.gitignore b/.gitignore
index fdb760c4..bf81465f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,10 +2,18 @@
 *~
 .*swp
 
+# Java heap dumps
+*.hprof
+
 # GUI metadata files
 .DS_Store
 Thumbs.db
 
+# Eclipse files
+.classpath
+.project
+.settings
+
 # /
 /private
 /build.properties
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 00000000..30f89b97
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,55 @@
+#
+# Continuous integration tests for the ukf-meta repository.
+#
+
+#
+# Default image for all steps is Amazon Corretto 17, which is based
+# on Amazon Linux (a variety of yum-based Linux derived from RHEL 7).
+#
+image: "amazoncorretto:17"
+
+stages:
+  - test
+
+perform-test:
+  stage: test
+  script:
+    #
+    # Install the tools we need that are not provided by the base image.
+    #
+    - yum -y --quiet install ant git libxslt
+
+    #
+    # Create work directories under the current one.
+    #
+    - mkdir -p work/build work/temp
+
+    #
+    # Fetch full UK federation inventory.
+    #
+    # The clone is made with a depth of 1 because we don't need any history.
+    #
+    - git clone --depth=1 https://gitlab-ci-token:$CI_JOB_TOKEN@$CI_SERVER_HOST/ukf/ukf-data.git work/ukf-data
+
+    #
+    # Thin UK federation inventory: retain 100 random entities.
+    #
+    - find work/ukf-data/entities -type f -name uk0\*.xml | sort -R | tail -n +101 | xargs rm
+
+    #
+    # Acquire a copy of the eduGAIN aggregate.
+    #
+    - ant -Denv=ci-download flow.edugain.download
+    - ls -lh work/temp
+
+    #
+    # Thin the eduGAIN aggregate into another file containing just 1% of the original
+    # entities.
+    #
+    - xsltproc -o work/temp/edugain-thin.xml utilities/thin_aggregate.xsl work/temp/edugain-download.xml
+    - ls -lh work/temp
+
+    #
+    # Run the full generate pipeline on the thinned input data.
+    #
+    - ant -Denv=ci-thin flow.aggregates.generate
diff --git a/.project b/.project
deleted file mode 100644
index dc47c5fc..00000000
--- a/.project
+++ /dev/null
@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<projectDescription>
-	<name>inc-meta</name>
-	<comment></comment>
-	<projects>
-	</projects>
-	<buildSpec>
-		<buildCommand>
-			<name>org.eclipse.jdt.core.javabuilder</name>
-			<arguments>
-			</arguments>
-		</buildCommand>
-	</buildSpec>
-	<natures>
-		<nature>org.eclipse.jdt.core.javanature</nature>
-	</natures>
-</projectDescription>
diff --git a/.settings/org.eclipse.wst.validation.prefs b/.settings/org.eclipse.wst.validation.prefs
deleted file mode 100644
index 609e9051..00000000
--- a/.settings/org.eclipse.wst.validation.prefs
+++ /dev/null
@@ -1,9 +0,0 @@
-DELEGATES_PREFERENCE=delegateValidatorList
-USER_BUILD_PREFERENCE=enabledBuildValidatorList
-USER_MANUAL_PREFERENCE=enabledManualValidatorList
-USER_PREFERENCE=overrideGlobalPreferencestruedisableAllValidationfalseversion1.2.500.v201303130500
-eclipse.preferences.version=1
-override=true
-suspend=false
-vals/org.eclipse.wst.xml.core.xml/groups=0107include05111contentType128org.eclipse.core.runtime.xmlT111contentType134org.eclipse.wst.xml.core.xmlsourceT111contentType134org.eclipse.wst.xml.core.xslsourceT111contentType134org.eclipse.jst.jsp.core.tldsourceT07fileext03xmlF0107exclude06113projectNature134org.eclipse.jst.j2ee.ejb.EJBNature113projectNature130org.eclipse.jst.j2ee.EARNature04file08.projectT0104file110.classpathT0104file110.settings/T0204file09build.xmlT01
-vf.version=3
diff --git a/build.xml b/build.xml
index cfb83032..574ff6a2 100644
--- a/build.xml
+++ b/build.xml
@@ -116,6 +116,12 @@
     <!-- Same value, as an ISO 8601 duration. -->
     <property name="validUntil.aggregate.duration" value="P${validUntil.aggregate.days}D"/>
 
+    <!--
+        The following properties establish a validity interval for per-entity
+        metadata. Note, however, that the current UK federation configuration (see
+        mdx/uk/mdq-multisign.xml) does not make use of these, instead inheriting
+        the validUntil instant from the aggregate metadata.
+    -->
     <!-- Specific validUntil duration for per-entity metadata, in days. -->
     <property name="validUntil.perEntity.days" value="${validUntil.default.days}"/>
     <!-- Same value, as an ISO 8601 duration. -->
@@ -188,6 +194,7 @@
     <property name="orchestrator.user" value="jenkins"/>
     <property name="orchestrator.hostname" value="orchestrator.infr.ukfederation.org.uk"/>
     <property name="orchestrator.path" value="${shared.ws.dir}/build"/>
+    <property name="orchestrator.port" value="22"/>
     <property name="orchestrator.url" value="${orchestrator.user}@${orchestrator.hostname}:${orchestrator.path}"/>
 
     <!--
@@ -212,7 +219,7 @@
         Repo properties.
     -->
     <property name="repo.user" value="mdscp"/>
-    <property name="repo.hostname" value="repo.infr.ukfederation.org.uk"/>
+    <property name="repo.hostname" value="jenkins.infr.ukfederation.org.uk"/>
     <property name="repo.path" value="/tmp"/>
     <property name="repo.url" value="${repo.user}@${repo.hostname}:${repo.path}"/>
 
@@ -272,10 +279,10 @@
     -->
     <property name="tools.dir" value="tools"/>
     <property name="tools.ant" value="${tools.dir}/ant"/>
-    <property name="tools.mda" value="${tools.dir}/aggregator-cli-0.9.2"/>
+    <property name="tools.mda" value="${tools.dir}/mda-distribution-0.10.0"/>
     <property name="tools.mdnorm" value="${tools.dir}/mdnorm"/>
     <property name="tools.slacktee" value="${tools.dir}/slacktee"/>
-    <property name="tools.xmlsectool" value="${tools.dir}/xmlsectool-2.0.0"/>
+    <property name="tools.xmlsectool" value="${tools.dir}/xmlsectool-3.0.0"/>
 
     <!--
         Location of configuration for externally supplied tool bundles.
@@ -329,9 +336,6 @@
     <property name="mdaggr.stats" value="ukfederation-stats.html"/>
     <property name="post-receive-githook" value="post-receive"/>
     <property name="md.githook.path" value="/var/git/ukf-products/.git/hooks" />
-    <property name="mdaggr.discofeed.filtered" value="discofeed.json"/>
-    <property name="mdaggr.discofeed.all" value="discofeed-all.json"/>
-    <property name="md.discofeed.path" value="/tmp" />
 
     <!--
         *************************************************
@@ -614,34 +618,34 @@
 
         Process:
             * SCP: Copy files from keymaster
-            * FS: Copy other files from output dir into aggregates.dir so it'll get checked in
-            * Git: Add newly created files
-            * Git: Commit
     -->
     <target name="process.create-mdq-cache.scp.and.push" depends="
         fs.scp.signed.files.from.keymaster,
-        fs.scp.mdqcache.from.keymaster,
-        fs.cp.other.files.to.aggregates.dir,
-        git.products.addallnewfiles,
-        git.products.commit.signed">
-        <echo>Stage 4.2 Success: Signed aggregates and stats file comitted to data repository.</echo>
+        fs.scp.mdqcache.from.keymaster">
+        <echo>Stage 4.2 Success: Signed products retrieved from keymaster.</echo>
     </target>
 
     <!--
         Stage 5 of md process: Create Tag on products repository, push all to repo (incl. SCPing mdq cache)
 
         Runs on: orchestrator
+            * FS: Copy other files from output dir into aggregates.dir so it'll get checked in
+            * Git: Add newly created files
+            * Git: Commit
             * Git: Create New Tag
             * Git: Push to origin
             * SCP: Copy mdq cache to repo
             * Jenkins: Trigger publish task
     -->
     <target name="process.bagandtag" depends="
+        fs.cp.other.files.to.aggregates.dir,
+        git.products.addallnewfiles,
+        git.products.commit.signed,
         git.products.masterbranch.pushtoorigin,
         git.products.createtagandpushtoorigin,
         fs.scp.mdqcache.to.repo,
         jenkins.triggerjob.publish">
-        <echo>Stage 5 Success: Master branch pushed to origin, new tag created and pushed, mdq cache sent to repo, message sent to start publication.</echo>
+        <echo>Stage 5 Success: Signed products committed and pushed to origin, new tag created and pushed, mdq cache sent to repo, message sent to start publication.</echo>
     </target>
 
     <!--
@@ -666,7 +670,6 @@
         git.data.allbranches.pushtoorigin,
         scp.githook,
         publish.mdqcache,
-        publish.json,
         publish.md,
         publish.otherfiles,
         samlmd.aggregates.verify.remote,
@@ -1253,7 +1256,10 @@
     -->
     <target name="jenkins.triggerjob.publish">
         <echo>Triggering Jenkins publication Job.</echo>
-        <get src="${jenkins.url.to.trigger.publication}" dest="${temp.dir}/get.out"/>
+        <!-- we do not use <get> here because it does not uses system proxy settings -->
+        <exec executable="curl" dir="${output.dir}" failonerror="true">
+            <arg value="${jenkins.url.to.trigger.publication}"/>
+        </exec>
     </target>
 
     <!--
@@ -1541,6 +1547,37 @@
     </target>
 
 
+    <!--
+        *******************************************************
+        ***                                                 ***
+        ***   e d u G A I N   D O W N L O A D / C A C H E   ***
+        ***                                                 ***
+        *******************************************************
+    -->
+
+    <!--
+        flow.edugain.download
+
+        Downloads the eduGAIN aggregate and writes it into a file if successful.
+    -->
+    <target name="flow.edugain.download">
+        <echo>Downloading eduGAIN aggregate.</echo>
+        <CHANNEL.do channel="int_edugain" verb="download"/>
+        <echo>Download to ${mda.output.edugain.download} completed.</echo>
+    </target>
+
+    <!--
+        edugain.download.clear
+
+        Removes any already-downloaded copy of the eduGAIN aggregate.
+        This can be used at the start of a sequence of download attempts
+        to ensure that a much older success doesn't hide subsequent failures.
+    -->
+    <target name="edugain.download.clear">
+        <echo>Removing previously downloaded eduGAIN aggregate.</echo>
+        <delete file="${mda.output.edugain.download}" quiet="true" verbose="false"/>
+    </target>
+
     <!--
         *************************************************
         ***                                           ***
@@ -1580,8 +1617,11 @@
 
     <!--
         Unsigned metadata generation for the UK Federation.
+
+        This target assumes that the eduGAIN aggregate has
+        already been downloaded. It will fail if this is not the case.
     -->
-    <target name="samlmd.aggregates.generate">
+    <target name="flow.aggregates.generate">
         <echo>Generating unsigned UKfed metadata files.</echo>
 
         <!--
@@ -1598,11 +1638,6 @@
         -->
         <CHANNEL.do channel="uk" verb="generate"/>
 
-        <!--
-            Generate discovery feeds.
-        -->
-        <CHANNEL.do channel="uk" verb="discofeeds"/>
-
         <!--
             Post-process mda-generated output files.
         -->
@@ -1619,6 +1654,18 @@
         <echo>Generated UK unsigned metadata.</echo>
     </target>
 
+    <!--
+        Unsigned metadata generation for the UK Federation.
+
+        This target removes any existing eduGAIN download, downloads a
+        new copy and then runs the aggregate generation flows.
+    -->
+    <target name="samlmd.aggregates.generate" depends="
+            edugain.download.clear,
+            flow.edugain.download,
+            flow.aggregates.generate
+        ">
+    </target>
 
     <!--
         ***************************
@@ -1647,6 +1694,7 @@
     <property name="mda.mdx.dir" value="${mdx.dir}"/>
     <property name="mda.members.dir" value="${members.dir}"/>
     <property name="mda.output.dir" value="${output.dir}"/>
+    <property name="mda.output.edugain.download" value="${output.dir}/edugain-download.xml"/>
     <property name="mda.sign.keyAlias" value="${sign.uk.keyAlias}"/>
     <property name="mda.sign.pkcs11Config" value="${sign.uk.pkcs11Config}"/>
     <property name="mda.mdq.output" value="${mdq.output.dir}"/>
@@ -1690,11 +1738,6 @@
                         <include name="*.jar"/>
                     </fileset>
 
-                    <!-- InCommon MDA beans. -->
-                    <fileset dir="${tools.dir}/inc-mda">
-                        <include name="*.jar"/>
-                    </fileset>
-
                     <!-- Support libraries for any of the above. -->
                     <fileset dir="${tools.dir}/lib">
                         <include name="*.jar"/>
@@ -1710,13 +1753,6 @@
                         <include name="*.jar"/>
                     </fileset>
 
-                    <!--
-                        Xalan-dependent UK federation classes.
-                    -->
-                    <fileset dir="${tools.dir}/xalan/lib">
-                        <include name="sdss-xalan-md-*.jar"/>
-                    </fileset>
-
                     <!-- Include a per-target directory if set. -->
                     <fileset dir="${mda.classpath.extra}" if:set="mda.classpath.extra">
                         <include name="*.jar"/>
@@ -1726,6 +1762,7 @@
                     <propertyset refid="mda.properties"/>
                 </syspropertyset>
                 <jvmarg value="-enableassertions"/>
+                <jvmarg if:set="java.heap.dump" value="-XX:+HeapDumpOnOutOfMemoryError"/>
                 <arg value="--logConfig"/>
                 <arg value="${tools.dir}/mda-logging.xml"/>
                 <arg value="@{config}"/>
@@ -1896,12 +1933,11 @@
                     <arg if:set="sign.uk.keystoreProvider" value="${sign.uk.keystoreProvider}"/>
 
                     <!--
-                        The "key" option can represent either a key file or a key alias.
-                        Different properties are used for the two cases (see XSTJ-67).
+                        Indicate a key file or key alias as appropriate.
                     -->
-                    <arg if:set="sign.uk.keyFile" value="--key"/>
+                    <arg if:set="sign.uk.keyFile" value="--keyFile"/>
                     <arg if:set="sign.uk.keyFile" value="${sign.uk.keyFile}"/>
-                    <arg if:set="sign.uk.keyAlias" value="--key"/>
+                    <arg if:set="sign.uk.keyAlias" value="--keyAlias"/>
                     <arg if:set="sign.uk.keyAlias" value="${sign.uk.keyAlias}"/>
 
                     <!--
@@ -2112,13 +2148,28 @@
     </target>
 
     <!--
-        Simple local test of per-entity metadata generation, based on a single
-        entity rather than the whole production aggregate, because dev environment
-        PKCS#11 tokens are not fast enough to sign everything.
+        Simple local test of per-entity metadata generation, based on a curated
+        selection of entities rather than the whole production aggregate, because
+        dev environment PKCS#11 tokens are not fast enough to sign everything.
+
+        Assumes that the unsigned production aggregate already exists;
+        does NOT rebuild it every time.
     -->
     <target name="samlmd.mdq.sign.test" depends="get.sign.uk.keyPassword">
-        <property name="mda.mdq.input" value="${entities.dir}/uk000006.xml"/>
+        <property name="mda.mdq.input" value="${temp.dir}/mdq-temp.xml"/>
         <property name="mda.sign.keyPassword" value="${sign.uk.keyPassword}"/>
+        <echo>Generating per-entity test selection aggregate in ${mda.mdq.input}</echo>
+        <echo>    from unsigned aggregate in ${output.dir}/${mdaggr.prod.unsigned}</echo>
+        <delete file="${mda.mdq.input}" quiet="true"/>
+        <exec executable="xsltproc" failonerror="true">
+            <!-- The OUTPUT of xsltproc is the INPUT for the signing process. -->
+            <arg value="--output"/>
+            <arg value="${mda.mdq.input}"/>
+            <!-- Transform. -->
+            <arg value="${mdx.dir}/uk/mdq-multisign-test-gen.xsl"/>
+            <!-- The INPUT to xsltproc is the unsigned production aggregate. -->
+            <arg value="${output.dir}/${mdaggr.prod.unsigned}"/>
+        </exec>
         <echo>Generating per-entity metadata in ${mda.mdq.output}</echo>
         <echo>    from test metadata in ${mda.mdq.input}</echo>
         <delete dir="${mdq.output.dir}" quiet="true"/>
@@ -2158,20 +2209,25 @@
     </target>
 
     <target name="fs.scp.unsigned.files.to.orchestrator">
-        <echo>SCPing unsigned files and stats file from output dir to orchestrator's build dir.</echo>
-        <scp failonerror="true" remoteTodir="${orchestrator.url}" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
-            <fileset dir="${output.dir}">
-                <include name="${mdaggr.prod.unsigned}"/>
-                <include name="${mdaggr.wayf.unsigned}"/>
-                <include name="${mdaggr.cdsall.unsigned}"/>
-                <include name="${mdaggr.test.unsigned}"/>
-                <include name="${mdaggr.back.unsigned}"/>
-                <include name="${mdaggr.export.unsigned}"/>
-                <include name="${mdaggr.export.preview.unsigned}"/>
-                <include name="${mdaggr.wugen.unsigned}"/>
-                <include name="${mdaggr.stats}"/>
-            </fileset>
-        </scp>
+        <echo>Copying unsigned files and stats file from output dir to orchestrator's build dir.</echo>
+        <exec executable="rsync" dir="${output.dir}" failonerror="true">
+            <arg value="-a"/>
+            <!-- use ssh with default identity and known_hosts -->
+            <arg value="-e"/>
+            <arg value="ssh -p ${orchestrator.port}"/>
+            <!-- the input files -->
+            <arg value="${mdaggr.prod.unsigned}"/>
+            <arg value="${mdaggr.wayf.unsigned}"/>
+            <arg value="${mdaggr.cdsall.unsigned}"/>
+            <arg value="${mdaggr.test.unsigned}"/>
+            <arg value="${mdaggr.back.unsigned}"/>
+            <arg value="${mdaggr.export.unsigned}"/>
+            <arg value="${mdaggr.export.preview.unsigned}"/>
+            <arg value="${mdaggr.wugen.unsigned}"/>
+            <arg value="${mdaggr.stats}"/>
+            <!-- remote directory must be last argument -->
+            <arg value="${orchestrator.url}"/>
+        </exec>
     </target>
 
     <target name="fs.scp.unsigned.files.to.keymaster">
@@ -2208,12 +2264,17 @@
     </target>
 
     <target name="fs.scp.mdqcache.to.repo">
-        <echo>SCPing mdq cache from orchestrator's build dir to a temp directory on repo.</echo>
-        <scp failonerror="true" remoteTodir="${repo.url}" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
-            <fileset dir="${output.dir}">
-                <include name="${mdq.cache}"/>
-            </fileset>
-        </scp>
+        <echo>Copying mdq cache from orchestrator's build dir to a temp directory on repo.</echo>
+        <exec executable="rsync" dir="${output.dir}" failonerror="true">
+            <arg value="-a"/>
+            <!-- use ssh with default identity and known_hosts -->
+            <arg value="-e"/>
+            <arg value="ssh"/>
+            <!-- the input files -->
+            <arg value="${mdq.cache}"/>
+            <!-- remote directory must be last argument -->
+            <arg value="${repo.url}"/>
+        </exec>
     </target>
 
     <target name="fs.scp.mdqcache.from.repo">
@@ -2370,42 +2431,6 @@
         </scp>
     </target>
 
-    <target name="publish.json">
-        <!--
-            Push 2 JSON files to the MD dist servers
-        -->
-        <echo>Pushing UK Federation JSON files to MD dist.</echo>
-        <echo>-> MD-NE-01</echo>
-        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-ne-01.name}:${md.discofeed.path}" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
-            <fileset dir="${output.dir}">
-                <include name="${mdaggr.discofeed.filtered}"/>
-                <include name="${mdaggr.discofeed.all}"/>
-            </fileset>
-        </scp>
-        <echo>-> MD-NE-02</echo>
-        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-ne-02.name}:${md.discofeed.path}" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
-            <fileset dir="${output.dir}">
-                <include name="${mdaggr.discofeed.filtered}"/>
-                <include name="${mdaggr.discofeed.all}"/>
-            </fileset>
-        </scp>
-        <echo>-> MD-WE-01</echo>
-        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-we-01.name}:${md.discofeed.path}" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
-            <fileset dir="${output.dir}">
-                <include name="${mdaggr.discofeed.filtered}"/>
-                <include name="${mdaggr.discofeed.all}"/>
-            </fileset>
-        </scp>
-        <echo>-> MD-WE-02</echo>
-        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-we-02.name}:${md.discofeed.path}" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
-            <fileset dir="${output.dir}">
-                <include name="${mdaggr.discofeed.filtered}"/>
-                <include name="${mdaggr.discofeed.all}"/>
-            </fileset>
-        </scp>
-    </target>
-
-
     <target name="publish.otherfiles">
         <!--
             Push other files for the UK Federation to the web server - but only when in prod env!
@@ -2420,11 +2445,6 @@
                             <include name="${mdaggr.stats}"/>
                         </fileset>
                     </scp>
-                    <scp failonerror="true" remoteTodir="${www.url.members}" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
-                        <fileset dir="${members.dir}">
-                            <include name="members.xml"/>
-                        </fileset>
-                    </scp>
                 </then>
         </if>
     </target>
@@ -2555,15 +2575,6 @@
         <CHANNEL.import channel="${channel}"/>
     </target>
 
-    <!--
-        flow.verify.cobweb
-
-        Verify the COBWEB metadata. Callable from Jenkins.
-    -->
-    <target name="flow.verify.cobweb">
-        <CHANNEL.do verb="verifyProduction" channel="int_cobweb"/>
-    </target>
-
     <!--
         flow.verifyEdugain.input
 
@@ -2586,16 +2597,28 @@
 
         The intention is that these targets be called from Jenkins.
     -->
-    <target name="flow.verifyEdugain.output">
+    <target name="flow.verifyEdugain.output" depends="
+		edugain.download.clear,
+		flow.edugain.download
+		">
         <CHANNEL.do verb="verify" channel="int_edugain"/>
     </target>
-    <target name="flow.verifyEdugain.output.new">
+    <target name="flow.verifyEdugain.output.new" depends="
+		edugain.download.clear,
+		flow.edugain.download
+		">
         <CHANNEL.do verb="verify.new" channel="int_edugain"/>
     </target>
-    <target name="flow.verifyEdugain.output.all">
+    <target name="flow.verifyEdugain.output.all" depends="
+		edugain.download.clear,
+		flow.edugain.download
+		">
         <CHANNEL.do verb="verify.all" channel="int_edugain"/>
     </target>
-    <target name="flow.verifyEdugain.output.recovered">
+    <target name="flow.verifyEdugain.output.recovered" depends="
+		edugain.download.clear,
+		flow.edugain.download
+		">
         <CHANNEL.do verb="verify.recovered" channel="int_edugain"/>
     </target>
 
@@ -2622,16 +2645,6 @@
         <fixcrlf file="${output.dir}/${mdaggr.stats}" eol="lf" encoding="UTF-8"/>
     </target>
 
-
-    <!--
-        This variant generates a much simpler file, intended for use when building the
-        monthly chart pack.
-    -->
-    <target name="stats.charting">
-        <CHANNEL.do channel="uk" verb="statistics.charting"/>
-        <fixcrlf file="${output.dir}/${mdaggr.stats}" eol="lf" encoding="UTF-8"/>
-    </target>
-
     <!--
         Check mailing list against current metadata
     -->
diff --git a/charting/Months.pm b/charting/Months.pm
deleted file mode 100755
index 86e605d7..00000000
--- a/charting/Months.pm
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/perl -w
-
-#
-# Months.pm
-#
-use File::stat;
-use Date::Manip::Date;
-use Date::Manip::Delta;
-
-@months = ( );
-
-$date = new Date::Manip::Date;
-$date->parse_date('2006-12-01') && die('could not parse base date');
-
-$now = new Date::Manip::Date;
-$now->parse('now') && die('could not parse now');
-
-$oneMonth =  new Date::Manip::Delta;
-$oneMonth->parse("1 month") && die('could not parse delta');
-
-#
-# Enumerate all month beginnings that have already happened, then stop.
-#
-while ($date->cmp($now) < 0) {
-	local $dateStr = $date->printf('%Y-%m');
-	# print "date string $dateStr\n";
-	push @months, $dateStr;
-	
-	# move on one month
-	$date = $date->calc($oneMonth);
-}
-
-1;
diff --git a/charting/by_registrar.py b/charting/by_registrar.py
deleted file mode 100755
index ff3428d0..00000000
--- a/charting/by_registrar.py
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/usr/bin/env python
-
-'''
-Analyse a SAML metadata file and build a histogram of entities binned against
-their registrar.
-'''
-
-from xml.dom.minidom import parse
-from urllib import urlopen
-from datetime import date
-import sys
-
-REGISTRAR_NAME = {
-
-	# eduGAIN participants
-	"http://eduid.at":                  "AT",
-	"http://federation.belnet.be/":     "BE",
-	"http://cafe.rnp.br":               "BR",
-	"http://www.canarie.ca":            "CA",
-	"http://cofre.reuna.cl/":           "CL",
-	"https://www.carsi.edu.cn":         "CN",
-	"http://www.srce.hr":               "HR",
-	"http://www.eduid.cz/":             "CZ",
-	"https://www.wayf.dk":              "DK",
-	"http://www.csc.fi/haka":           "FI",
-	"https://federation.renater.fr/":   "FR",
-	"https://www.aai.dfn.de":           "DE",
-	"http://aai.grnet.gr/":             "GR",
-	"http://eduid.hu":                  "HU",
-	"http://www.heanet.ie":             "IE",
-	"http://www.idem.garr.it/":         "IT",
-	"http://laife.lanet.lv/":           "LV",
-	"http://feide.no/":                 "NO",
-	"http://aai.arnes.si":              "SI",
-	"http://www.rediris.es/":           "ES",
-	"http://www.swamid.se/":            "SE",
-	"http://rr.aai.switch.ch/":         "CH",
-	"http://www.surfconext.nl/":        "NL",
-	"http://ukfederation.org.uk":       "UK",
-
-	# Joining eduGAIN
-	"http://aai.pionier.net.pl":        "PL",
-
-	# not yet eduGAIN members
-	"https://incommon.org":             "US",
-}
-
-def regAuth(uri):
-	'''
-	Returns a short registrar code, or the long authority URI if none is available.
-	'''
-	try:
-		return REGISTRAR_NAME[uri]
-	except KeyError:
-		return uri
-
-def display(infile, split):
-	doc = parse(infile)
-
-	# Pull out all of the RegistrationInfo elements, one per entity
-	registrationInfos = doc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:metadata:rpi",
-		"RegistrationInfo")
-
-	counts = dict();
-
-	for info in registrationInfos:
-		auth = regAuth(info.getAttribute("registrationAuthority"))
-		try:
-			counts[auth] += 1
-		except KeyError:
-			counts[auth] = 1
-
-	counts = sorted(counts.items(), key=lambda item: item[1], reverse=True)
-
-	first_counts = counts[0:split]
-	rest_counts = counts[split:]
-	for e in first_counts:
-		print "%10s: %d" % (e[0], e[1])
-	print "%10s: %d" % ("other", sum([e[1] for e in rest_counts]))
-
-if len(sys.argv) == 2:
-	display(sys.argv[1], 9)
-else:
-	cache_file = date.today().strftime("cache/%Y-%m.xml")
-	print "Most recent monthly UK federation production aggregate (%s):" % (cache_file)
-	display(cache_file, 9)
-
-	print
-
-	print "Current eduGAIN production aggregate:"
-	display(urlopen("http://mds.edugain.org/"), 9)
diff --git a/charting/fetch.pl b/charting/fetch.pl
deleted file mode 100755
index 47d3e51e..00000000
--- a/charting/fetch.pl
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/env perl
-
-#
-# fetch.pl
-#
-use warnings;
-use File::stat;
-use Months;
-
-# Call git on the products directory
-my $git = "/usr/bin/env git --git-dir ../../ukf-products/.git";
-
-$fn1 = 'aggregates/ukfederation-metadata.xml';
-$fn2 = 'aggregates/ukfederation-stats.html';
-
-foreach $month (@months) {
-	print "Fetching $month...";
-
-	# Find the commit immediately prior to the start of that month.
-	my $instant = "$month-01T00:00:00Z";
-	my $commit = `$git rev-list -n 1 --before=$instant master`;
-	chomp $commit;
-	print "$commit";
-
-	my $dest1 = "cache/$month.xml";
-	if (!-e $dest1) {
-		system("$git show $commit:$fn1 >$dest1");
-	}
-
-	my $dest2 = "cache/$month.html";
-	if (!-e $dest2) {
-		system("$git show $commit:$fn2 >$dest2");
-	}
-
-	print "\n";
-}
diff --git a/charting/mdui.pl b/charting/mdui.pl
deleted file mode 100755
index 2651703b..00000000
--- a/charting/mdui.pl
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/env perl
-
-#
-# mdui.pl
-#
-use warnings;
-use lib '.';
-use Months;
-
-# Parse command line arguments
-use Getopt::Long;
-my $allMonths;
-my $oneYear;
-GetOptions('all' => \$allMonths, 'year' => \$oneYear);
-
-# By default, only show results for the most recent month
-if ($allMonths) {
-	# leave table intact
-} elsif ($oneYear) {
-	# reduce months table to just the last 12 entries
-	@months = @months[-12..-1];
-} else {
-	# reduce months table to one element
-	@months = @months[-1..-1];
-}
-
-# ingest files
-foreach $month (@months) {
-	print "Processing $month\n";
-
-	my $command = "xsltproc statistics_mdui.xsl cache/$month.xml";
-	# print "command is $command\n";
-	system($command); # || print "ignoring claimed failure in sub command\n";
-	# print "xsltproc run on $fn\n";
-	print "\n";
-}
diff --git a/charting/requestedattribute.pl b/charting/requestedattribute.pl
deleted file mode 100755
index 06ba6ce6..00000000
--- a/charting/requestedattribute.pl
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/env perl
-
-#
-# requestedattribute.pl
-#
-# Extracts statistics about SPs with RequestedAttribute elements from the published metadata.
-#
-use warnings;
-use lib ".";
-use Months;
-
-# Parse command line arguments
-use Getopt::Long;
-my $allMonths;
-my $oneYear;
-GetOptions('all' => \$allMonths, 'year' => \$oneYear);
-
-# By default, only show results for the most recent month
-if ($allMonths) {
-	# leave table intact
-} elsif ($oneYear) {
-	# reduce months table to just the last 12 entries
-	@months = @months[-12..-1];
-} else {
-	# reduce months table to one element
-	@months = @months[-1..-1];
-}
-
-# print header. must be kept in sync with what comes out of requestedattribute.xsl
-print "# month, number of SPs, number with AttributeConsumingService, percent with ACS\n";
-
-# ingest files
-foreach $month (@months) {
-	my $fn = "cache/$month.xml";
-	open(TXT, "xsltproc requestedattribute.xsl $fn|") || die "could not open input file";
-	($sps, $acs) = split /\t/, <TXT>;
-	chomp $acs;
-	$proportion = 0;
-	if ( $sps > 0 ) { $proportion = int (100 * $acs / $sps) ; }
-	print "${month}\t${sps}\t${acs}\t${proportion}\n";
-	close TXT;
-}
-
diff --git a/charting/requestedattribute.xsl b/charting/requestedattribute.xsl
deleted file mode 100644
index c266f62a..00000000
--- a/charting/requestedattribute.xsl
+++ /dev/null
@@ -1,37 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-    requestedattribute.xsl
-
-    Takes a metadata aggregate and gives statistics about RequestedAttribute
-    elements in UKf-registered SPs.
-
-    Note that UKf metadata started using mdrpi:RegistrationInfo in 2012-09
-    so statistics before that date cannot be generated by this script.
-
--->
-<xsl:stylesheet
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    version="1.0">
-
-    <xsl:output method="text" omit-xml-declaration="yes"/>
-
-    <xsl:template match="/md:EntitiesDescriptor">
-
-        <xsl:variable name="sps" select="//md:EntityDescriptor
-        	[descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk']
-		[md:SPSSODescriptor]
-		"/>
-        <xsl:variable name="ACS" select="count($sps[md:SPSSODescriptor/md:AttributeConsumingService])"/>
-
-	<xsl:value-of select="count($sps)"/>
-        <xsl:text>&#09;</xsl:text>
-	<xsl:value-of select="$ACS"/>
-        <xsl:text>&#10;</xsl:text>
-
-    </xsl:template>
-
-</xsl:stylesheet>
diff --git a/charting/saml2.pl b/charting/saml2.pl
deleted file mode 100755
index 0542f210..00000000
--- a/charting/saml2.pl
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/usr/bin/env perl
-
-#
-# saml2.pl
-#
-# Extracts statistics about SAML 2 adoption from the published metadata.
-#
-use warnings;
-use lib ".";
-use Months;
-
-# Parse command line arguments
-use Getopt::Long;
-my $allMonths;
-GetOptions('all' => \$allMonths);
-
-# By default, only show results for the most recent month
-if (!$allMonths) {
-	# reduce months table to one element
-	my $oneMonth = pop @months;
-	@months = ( $oneMonth );
-}
-
-# ingest files
-foreach $month (@months) {
-	my $fn = "cache/$month.xml";
-	open(TXT, "xsltproc saml2.xsl $fn|") || die "could not open input file";
-	$_ = <TXT>;
-	chop;
-	# print "$month: $_\n";
-	my ($entities, $idps, $sps, $saml2total, $saml2idp, $saml2sp) = split;
-	if ($entities == 0) {
-		# print "skipping $month: $_\n";
-		next;
-	}
-	my $mPrefix = $allMonths ? "$month: " : '';
-	my $oRatio = $saml2total/$entities;
-	push @overallRatio, "$mPrefix$oRatio";
-	my $iRatio = $saml2idp/$idps;
-	push @idpRatio, "$mPrefix$iRatio";
-	my $sRatio = $saml2sp/$sps;
-	push @spRatio, "$mPrefix$sRatio";
-	my $p = ($saml2idp/$idps)*($saml2sp/$sps);
-	push @product, "$mPrefix$p";
-	close TXT;
-}
-
-print "idp\n";
-foreach $ratio (@idpRatio) {
-	print "$ratio\n";
-}
-
-print "sp\n";
-foreach $ratio (@spRatio) {
-	print "$ratio\n";
-}
-
-print "overall\n";
-foreach $ratio (@overallRatio) {
-	print "$ratio\n";
-}
-
-print "product\n";
-foreach $ratio (@product) {
-	print "$ratio\n";
-}
-
-1;
diff --git a/charting/saml2.xsl b/charting/saml2.xsl
deleted file mode 100644
index 04dd4455..00000000
--- a/charting/saml2.xsl
+++ /dev/null
@@ -1,52 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-    saml2.xsl
-
-    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-    statistics about the level of SAML 2 protocol support within the
-    included entities.
-
-    Author: Ian A. Young <ian@iay.org.uk>
-
--->
-<xsl:stylesheet version="1.0"
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    exclude-result-prefixes="md mdrpi">
-
-    <!-- Output is plain text -->
-    <xsl:output method="text"/>
-
-    <xsl:template match="md:EntitiesDescriptor">
-        <xsl:variable name="entities" select="//md:EntityDescriptor
-        [descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk']"/>
-        <xsl:value-of select="count($entities)"/><xsl:text> </xsl:text>
-        <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
-        <xsl:value-of select="count($idps)"/><xsl:text> </xsl:text>
-        <xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
-        <xsl:value-of select="count($sps)"/><xsl:text> </xsl:text>
-
-        <xsl:variable name="entities.saml2"
-            select="$entities[
-            md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')] |
-            md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-            ]"/>
-        <xsl:value-of select="count($entities.saml2)"/>
-        <xsl:text> </xsl:text>
-        <xsl:value-of select="count($entities[
-            md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-            ])"/>
-        <xsl:text> </xsl:text>
-        <xsl:value-of select="count($entities[
-            md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-            ])"/>
-        <xsl:text>&#10;</xsl:text>
-    </xsl:template>
-
-    <xsl:template match="text()">
-        <!-- do nothing -->
-    </xsl:template>
-</xsl:stylesheet>
diff --git a/charting/scopes.pl b/charting/scopes.pl
deleted file mode 100755
index 8a8c6692..00000000
--- a/charting/scopes.pl
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/usr/bin/env perl
-
-#
-# scopes.pl
-#
-# Extracts statistics about number of scopes from the published metadata.
-#
-use warnings;
-use lib ".";
-use Months;
-
-# Parse command line arguments
-use Getopt::Long;
-my $allMonths;
-my $oneYear;
-GetOptions('all' => \$allMonths, 'year' => \$oneYear);
-
-# By default, only show results for the most recent month
-if ($allMonths) {
-	# leave table intact
-} elsif ($oneYear) {
-	# reduce months table to just the last 12 entries
-	@months = @months[-12..-1];
-} else {
-	# reduce months table to one element
-	@months = @months[-1..-1];
-}
-
-# ingest files
-foreach $month (@months) {
-	my $fn = "cache/$month.xml";
-	my %scopes;
-	open(TXT, "xsltproc scopes.xsl $fn|") || die "could not open input file";
-	while (<TXT>) {
-		chop;
-		my $scope = $_;
-		$scopes{$scope} = 1;
-	}
-	my $prefix = scalar(@months) == 1 ? '' : "$month: ";
-	my $c = scalar(keys(%scopes));
-	push @count, "$prefix$c";
-	close TXT;
-}
-
-print "count\n";
-foreach $n (@count) {
-	print "$n\n";
-}
-
-1;
diff --git a/charting/scopes.xsl b/charting/scopes.xsl
deleted file mode 100644
index 76e808c2..00000000
--- a/charting/scopes.xsl
+++ /dev/null
@@ -1,46 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-    scopes.xsl
-
-    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-    a list of scopes used.  Regular expression scopes are ignored.
-    Duplicates are not removed, and the result is unsorted.
-
-    Author: Ian A. Young <ian@iay.org.uk>
-
--->
-<xsl:stylesheet version="1.0"
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-
-    <!-- Output is plain text -->
-    <xsl:output method="text"/>
-
-    <!--
-        Discard entities registered by other federations.
-    -->
-    <xsl:template match="md:EntityDescriptor
-        [descendant::mdrpi:RegistrationInfo/@registrationAuthority!='http://ukfederation.org.uk']">
-        <!-- do nothing -->
-    </xsl:template>
-
-    <!--
-        Discard regular expression scopes.
-    -->
-    <xsl:template match="//shibmd:Scope[@regex = 'true']">
-        <!-- do nothing -->
-    </xsl:template>
-
-    <xsl:template match="//shibmd:Scope">
-        <xsl:value-of select="."/>
-        <xsl:text>&#x0a;</xsl:text>
-    </xsl:template>
-
-    <xsl:template match="text()">
-        <!-- do nothing -->
-    </xsl:template>
-</xsl:stylesheet>
diff --git a/charting/sizes.pl b/charting/sizes.pl
deleted file mode 100755
index 7f9fa924..00000000
--- a/charting/sizes.pl
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/usr/bin/env perl
-
-#
-# sizes.pl
-#
-use warnings;
-use lib ".";
-use File::stat;
-use Months;
-
-# Parse command line arguments
-use Getopt::Long;
-my $allMonths;
-my $oneYear;
-GetOptions('all' => \$allMonths, 'year' => \$oneYear);
-
-# By default, only show results for the most recent month
-if ($allMonths) {
-	# leave table intact
-} elsif ($oneYear) {
-	# reduce months table to just the last 12 entries
-	@months = @months[-12..-1];
-} else {
-	# reduce months table to one element
-	@months = @months[-1..-1];
-}
-
-# ingest files
-foreach $month (@months) {
-	print "Processing $month\n";
-
-	#
-	# Process the archived file, representing all entities,
-	# including those imported from other federations.
-	#
-	my $fn = "cache/$month.xml";
-	my $stat = stat($fn);
-	my $all_size = $stat->size;
-	my $all_count = int(`grep '</Entity' $fn | wc -l`);
-	my $all_ratio = int($all_size/$all_count);
-	push @all_sizes,  $all_size;
-	push @all_counts, $all_count;
-	push @all_ratios, $all_ratio;
-
-	#
-	# Now generate a reduced version of the archived
-	# file that contains only UK federation registered entities.
-	#
-	my $command = "xsltproc --output temp.tmp just_ours.xsl $fn";
-	# print "command is $command\n";
-	system($command); # || print "ignoring claimed failure in sub command\n";
-	# print "xsltproc run on $fn\n";
-
-	#
-	# Process the reduced version of the archived file.
-	#
-	$fn = "temp.tmp";
-	$stat = stat($fn);
-	my $our_size = $stat->size;
-	my $our_count = int(`grep '</Entity' $fn | wc -l`);
-	my $our_ratio = int($our_size/$our_count);
-	push @our_sizes,  $our_size;
-	push @our_counts, $our_count;
-	push @our_ratios, $our_ratio;
-}
-
-print "months\n";
-foreach $month (@months) {
-	print "$month\n";
-}
-
-print "sizeM (all)\n";
-foreach $size (@all_sizes) {
-	$size /= 1000000;
-	print "$size\n";
-}
-
-print "sizeM (UK)\n";
-foreach $size (@our_sizes) {
-	$size /= 1000000;
-	print "$size\n";
-}
-
-print "entities (all)\n";
-foreach $count (@all_counts) {
-	print "$count\n";
-}
-
-print "entities (UK)\n";
-foreach $count (@our_counts) {
-	print "$count\n";
-}
-
-print "ratioK (all)\n";
-foreach $ratio (@all_ratios) {
-	$ratio /= 1000;
-	print "$ratio\n";
-}
-
-print "ratioK (UK)\n";
-foreach $ratio (@our_ratios) {
-	$ratio /= 1000;
-	print "$ratio\n";
-}
diff --git a/charting/statistics_mdui.xsl b/charting/statistics_mdui.xsl
deleted file mode 100644
index 15c37bf5..00000000
--- a/charting/statistics_mdui.xsl
+++ /dev/null
@@ -1,148 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-    statistics_mdui.xsl
-
-    XSL stylesheet taking a metadata aggregate and giving some statistics about MDUI
-    element use as textual output.
-
-    Author: Ian A. Young <ian@iay.org.uk>
-
--->
-<xsl:stylesheet
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns:math="http://exslt.org/math"
-    xmlns:date="http://exslt.org/dates-and-times"
-    xmlns:dyn="http://exslt.org/dynamic"
-    xmlns:set="http://exslt.org/sets"
-    exclude-result-prefixes="xsl md mdui xsi math date dyn set"
-    version="1.0">
-
-    <xsl:output method="text" omit-xml-declaration="yes"/>
-
-    <xsl:template match="/md:EntitiesDescriptor">
-
-        <xsl:variable name="entities" select="//md:EntityDescriptor
-        [descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk']"/>
-        <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
-        <xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
-
-        <xsl:call-template name="entities.category">
-            <xsl:with-param name="category">Total entities</xsl:with-param>
-            <xsl:with-param name="entities" select="$entities"/>
-        </xsl:call-template>
-
-        <xsl:call-template name="entities.category">
-            <xsl:with-param name="category">Identity providers</xsl:with-param>
-            <xsl:with-param name="entities" select="$idps"/>
-        </xsl:call-template>
-
-        <xsl:call-template name="entities.category">
-            <xsl:with-param name="category">Service providers</xsl:with-param>
-            <xsl:with-param name="entities" select="$sps"/>
-        </xsl:call-template>
-
-    </xsl:template>
-
-    <xsl:template name="entities.category">
-        <xsl:param name="entities"/>
-        <xsl:param name="category"/>
-        <xsl:variable name="entities.count" select="count($entities)"/>
-
-        <xsl:value-of select="$category"/>
-        <xsl:text>: </xsl:text>
-        <xsl:value-of select="$entities.count"/>
-        <xsl:text>&#10;</xsl:text>
-
-        <xsl:if test="$entities.count > 0">
-
-            <xsl:call-template name="mdui.element">
-                <xsl:with-param name="element">mdui:UIInfo</xsl:with-param>
-                <xsl:with-param name="has" select="$entities[descendant::mdui:UIInfo]"/>
-                <xsl:with-param name="total.count" select="$entities.count"/>
-            </xsl:call-template>
-
-            <xsl:call-template name="mdui.element">
-                <xsl:with-param name="element">mdui:Logo</xsl:with-param>
-                <xsl:with-param name="has" select="$entities[descendant::mdui:Logo]"/>
-                <xsl:with-param name="total.count" select="$entities.count"/>
-            </xsl:call-template>
-
-            <xsl:call-template name="mdui.element">
-                <xsl:with-param name="element">mdui:Description</xsl:with-param>
-                <xsl:with-param name="has" select="$entities[descendant::mdui:Description]"/>
-                <xsl:with-param name="total.count" select="$entities.count"/>
-            </xsl:call-template>
-
-            <xsl:call-template name="mdui.element">
-                <xsl:with-param name="element">mdui:DisplayName</xsl:with-param>
-                <xsl:with-param name="has" select="$entities[descendant::mdui:DisplayName]"/>
-                <xsl:with-param name="total.count" select="$entities.count"/>
-            </xsl:call-template>
-
-            <xsl:call-template name="mdui.element">
-                <xsl:with-param name="element">mdui:Keywords</xsl:with-param>
-                <xsl:with-param name="has" select="$entities[descendant::mdui:Keywords]"/>
-                <xsl:with-param name="total.count" select="$entities.count"/>
-            </xsl:call-template>
-
-            <xsl:call-template name="mdui.element">
-                <xsl:with-param name="element">mdui:InformationURL</xsl:with-param>
-                <xsl:with-param name="has" select="$entities[descendant::mdui:InformationURL]"/>
-                <xsl:with-param name="total.count" select="$entities.count"/>
-            </xsl:call-template>
-
-            <xsl:call-template name="mdui.element">
-                <xsl:with-param name="element">mdui:PrivacyStatementURL</xsl:with-param>
-                <xsl:with-param name="has" select="$entities[descendant::mdui:PrivacyStatementURL]"/>
-                <xsl:with-param name="total.count" select="$entities.count"/>
-            </xsl:call-template>
-
-            <xsl:call-template name="mdui.element">
-                <xsl:with-param name="element">mdui:DiscoHints</xsl:with-param>
-                <xsl:with-param name="has" select="$entities[descendant::mdui:DiscoHints]"/>
-                <xsl:with-param name="total.count" select="$entities.count"/>
-            </xsl:call-template>
-
-            <xsl:call-template name="mdui.element">
-                <xsl:with-param name="element">mdui:IPHint</xsl:with-param>
-                <xsl:with-param name="has" select="$entities[descendant::mdui:IPHint]"/>
-                <xsl:with-param name="total.count" select="$entities.count"/>
-            </xsl:call-template>
-
-            <xsl:call-template name="mdui.element">
-                <xsl:with-param name="element">mdui:DomainHint</xsl:with-param>
-                <xsl:with-param name="has" select="$entities[descendant::mdui:DomainHint]"/>
-                <xsl:with-param name="total.count" select="$entities.count"/>
-            </xsl:call-template>
-
-            <xsl:call-template name="mdui.element">
-                <xsl:with-param name="element">mdui:GeolocationHint</xsl:with-param>
-                <xsl:with-param name="has" select="$entities[descendant::mdui:GeolocationHint]"/>
-                <xsl:with-param name="total.count" select="$entities.count"/>
-            </xsl:call-template>
-
-        </xsl:if>
-    </xsl:template>
-
-    <xsl:template name="mdui.element">
-        <xsl:param name="element"/>
-        <xsl:param name="has"/>
-        <xsl:param name="total.count"/>
-        <xsl:variable name="has.count" select="count($has)"/>
-        <xsl:if test="$has.count > 0">
-            <xsl:text>   </xsl:text>
-            <xsl:value-of select="$element"/>
-            <xsl:text>: </xsl:text>
-            <xsl:value-of select="$has.count"/>
-            <xsl:text> (</xsl:text>
-            <xsl:value-of select="format-number($has.count div $total.count, '0.0%')"/>
-            <xsl:text>)&#10;</xsl:text>
-        </xsl:if>
-    </xsl:template>
-
-</xsl:stylesheet>
diff --git a/ci-download.properties b/ci-download.properties
new file mode 100644
index 00000000..287cb774
--- /dev/null
+++ b/ci-download.properties
@@ -0,0 +1,15 @@
+#
+# ci-download.properties
+#
+# Properties defined for the env=ci-download environment, the part of the
+# continuous integration job that downloads an eduGAIN aggregate.
+#
+
+# Shared workspace location is assumed to be under the current directory.
+shared.ws.dir=${basedir}/work
+
+#
+# Cached eduGAIN download goes into a different directory so that it
+# persists over comparison runs.
+#
+mda.output.edugain.download=${shared.ws.dir}/temp/edugain-download.xml
diff --git a/ci-thin.properties b/ci-thin.properties
new file mode 100644
index 00000000..67c9702a
--- /dev/null
+++ b/ci-thin.properties
@@ -0,0 +1,14 @@
+#
+# ci-thin.properties
+#
+# Properties defined for the env=ci-thin environment, the part of the
+# continuous integration job that runs the test on the thinned data.
+#
+
+# Shared workspace location is assumed to be under the current directory.
+shared.ws.dir=${basedir}/work
+
+#
+# Location of the thinned version of the downloaded eduGAIN aggregate.
+#
+mda.output.edugain.download=${shared.ws.dir}/temp/edugain-thin.xml
diff --git a/dev.properties b/dev.properties
index 392d0c43..f6cc2353 100644
--- a/dev.properties
+++ b/dev.properties
@@ -6,3 +6,9 @@
 
 # Shared workspace location is assumed to be the parent directory.
 shared.ws.dir=${basedir}/..
+
+#
+# Cached eduGAIN download goes into a different directory so that it
+# persists over comparison runs.
+#
+mda.output.edugain.download=${shared.ws.dir}/temp/edugain-download.xml
diff --git a/hv1-happ-001.properties b/hv1-happ-001.properties
new file mode 100644
index 00000000..5aca5a65
--- /dev/null
+++ b/hv1-happ-001.properties
@@ -0,0 +1,23 @@
+#
+# hv1-happ-001.properties
+#
+# Properties defined for the env=hv1-happ-001 deployment environment.
+#
+# This is testing the new HSM (installed in December 2021)
+#
+
+#
+# Location of the PKCS#11 configuration file for the Thales HSM.
+#
+sign.uk.pkcs11Config = ${basedir}/mdx/uk/nshield202112.cfg
+
+#
+# Signing key alias within the keystore.
+#
+sign.uk.keyAlias = UKAMF_Signing_Key
+
+#
+# Give Java processes plenty of headroom in production.
+# Update this whenever the value in build.xml is updated.
+#
+java.max.memory = 2048m
diff --git a/mdx/_rules/check_aggregate.xsl b/mdx/_rules/check_aggregate.xsl
deleted file mode 100644
index 44337a70..00000000
--- a/mdx/_rules/check_aggregate.xsl
+++ /dev/null
@@ -1,45 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-    check_aggregate.xsl
-
-    Checking ruleset containing aggregate-level checks.
-
-    Author: Ian A. Young <ian@iay.org.uk>
-
--->
-<xsl:stylesheet version="1.0"
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:set="http://exslt.org/sets"
-    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-    <!--
-        Common support functions.
-    -->
-    <xsl:import href="check_framework.xsl"/>
-
-    <xsl:variable name="entities" select="//md:EntityDescriptor"/>
-    <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
-
-    <!--
-        Checks across the whole of the document are defined here.
-    -->
-    <xsl:template match="/">
-
-        <!-- check for duplicate entityID values -->
-        <xsl:variable name="distinct.entityIDs" select="set:distinct($entities/@entityID)"/>
-        <xsl:variable name="dup.entityIDs"
-            select="set:distinct(set:difference($entities/@entityID, $distinct.entityIDs))"/>
-        <xsl:for-each select="$dup.entityIDs">
-            <xsl:variable name="dup.entityID" select="."/>
-            <xsl:for-each select="$entities[@entityID = $dup.entityID]">
-                <xsl:call-template name="error">
-                    <xsl:with-param name="m">duplicate entityID: <xsl:value-of select='$dup.entityID'/></xsl:with-param>
-                </xsl:call-template>
-            </xsl:for-each>
-        </xsl:for-each>
-
-    </xsl:template>
-
-</xsl:stylesheet>
diff --git a/mdx/_rules/check_algsupport.xsl b/mdx/_rules/check_algsupport.xsl
index b9a0962d..273b33f5 100644
--- a/mdx/_rules/check_algsupport.xsl
+++ b/mdx/_rules/check_algsupport.xsl
@@ -42,7 +42,7 @@
     <!--
         2.4 Check for misplaced SigningMethod or DigestMethod elements.
     -->
-    <xsl:template match="alg:*[not(parent::md:Extensions)]">
+    <xsl:template match="alg:*[count(parent::md:Extensions)=0]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
                 <xsl:text>alg:</xsl:text>
diff --git a/mdx/_rules/check_coco_v2_support.xsl b/mdx/_rules/check_coco_v2_support.xsl
new file mode 100644
index 00000000..37f8531c
--- /dev/null
+++ b/mdx/_rules/check_coco_v2_support.xsl
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    check_coco_v2_support.xsl
+
+    Checking ruleset containing rules associated with the REFEDS
+    Data Protection Code of Conduct Entity Category category support, see:
+
+    https://refeds.org/category/code-of-conduct/v2
+
+    This ruleset reflects v2.0 published 28th March 2022
+
+-->
+<xsl:stylesheet version="1.0"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Entity support category applies only to identity providers.
+    -->
+    <xsl:template match="md:EntityDescriptor
+        [
+            md:Extensions/mdattr:EntityAttributes/saml:Attribute
+                [@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+                [@Name='http://macedir.org/entity-category-support']
+                /saml:AttributeValue[.='https://refeds.org/category/code-of-conduct/v2']
+        ]
+        [not(md:IDPSSODescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">REFEDS Data Protection Code of Conduct support only applies to identity provider entities</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/_rules/check_entityid_prefix.xsl b/mdx/_rules/check_entityid_prefix.xsl
index bf53c54a..0d1ad36b 100644
--- a/mdx/_rules/check_entityid_prefix.xsl
+++ b/mdx/_rules/check_entityid_prefix.xsl
@@ -22,9 +22,10 @@
     <!--
         Entity IDs should start with one of "http://", "https://" or "urn:mace:".
     -->
-    <xsl:template match="md:EntityDescriptor[not(starts-with(@entityID, 'urn:mace:'))]
-        [not(starts-with(@entityID, 'http://'))]
-        [not(starts-with(@entityID, 'https://'))]">
+    <xsl:template match="md:EntityDescriptor[
+        not(starts-with(@entityID, 'urn:mace:')) and
+        not(starts-with(@entityID, 'http://')) and
+        not(starts-with(@entityID, 'https://'))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">entity ID <xsl:value-of select="@entityID"/> does not start with acceptable prefix</xsl:with-param>
         </xsl:call-template>
diff --git a/mdx/_rules/check_future_1.xsl b/mdx/_rules/check_future_1.xsl
index c6d5d479..ed05b114 100644
--- a/mdx/_rules/check_future_1.xsl
+++ b/mdx/_rules/check_future_1.xsl
@@ -27,31 +27,4 @@
     -->
     <xsl:import href="check_framework.xsl"/>
 
-    <!--
-
-        It does not make sense for an IdP to have more than one SingleLogoutService
-        with any of a list of SAML 2.0 front-channel bindings.
-
-        See ukf/ukf-meta#155
-
-    -->
-    <xsl:template match="md:SingleLogoutService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'][position()>1]">
-        <xsl:call-template name="error">
-            <xsl:with-param name="m">more than one SingleLogoutService with SAML 2.0 HTTP-POST binding</xsl:with-param>
-        </xsl:call-template>
-    </xsl:template>
-
-    <xsl:template match="md:SingleLogoutService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'][position()>1]">
-        <xsl:call-template name="error">
-            <xsl:with-param name="m">more than one SingleLogoutService with SAML 2.0 HTTP-POST-SimpleSign binding</xsl:with-param>
-        </xsl:call-template>
-    </xsl:template>
-
-    <xsl:template match="md:SingleLogoutService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'][position()>1]">
-        <xsl:call-template name="error">
-            <xsl:with-param name="m">more than one SingleLogoutService with SAML 2.0 HTTP-Redirect binding</xsl:with-param>
-        </xsl:call-template>
-    </xsl:template>
-
-
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_5.xsl b/mdx/_rules/check_future_5.xsl
index ca6bcd72..8ebfc25d 100644
--- a/mdx/_rules/check_future_5.xsl
+++ b/mdx/_rules/check_future_5.xsl
@@ -13,7 +13,6 @@
     xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-    xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
     xmlns:set="http://exslt.org/sets"
@@ -24,16 +23,4 @@
     -->
     <xsl:import href="check_framework.xsl"/>
 
-    <xsl:template match="md:IDPSSODescriptor/@errorURL[mdxURL:invalidURL(.)]">
-        <xsl:call-template name="error">
-            <xsl:with-param name="m">
-                <xsl:value-of select='local-name()'/>
-                <xsl:text> '</xsl:text>
-                <xsl:value-of select="."/>
-                <xsl:text>' is not a valid URL: </xsl:text>
-                <xsl:value-of select="mdxURL:whyInvalid(.)"/>
-            </xsl:with-param>
-        </xsl:call-template>
-    </xsl:template>
-
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_hoksso.xsl b/mdx/_rules/check_hoksso.xsl
index d3e50bc1..a581b914 100644
--- a/mdx/_rules/check_hoksso.xsl
+++ b/mdx/_rules/check_hoksso.xsl
@@ -55,7 +55,7 @@
         or on md:AssertionConsumerService.
     -->
     <xsl:template match="@hoksso:ProtocolBinding
-        [not(parent::md:SingleSignOnService)][not(parent::md:AssertionConsumerService)]">
+        [not(parent::md:SingleSignOnService or parent::md:AssertionConsumerService)]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
                 <xsl:text>hoksso:ProtocolBinding may not appear on </xsl:text>
@@ -138,8 +138,8 @@
     -->
 
     <xsl:template match="md:IDPSSODescriptor
-        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-        [md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')) and 
+        md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
                 <xsl:text>holder of key binding requires SAML 2.0 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
@@ -148,8 +148,8 @@
     </xsl:template>
 
     <xsl:template match="md:SPSSODescriptor
-        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-        [md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')) and 
+        md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
                 <xsl:text>holder of key binding requires SAML 2.0 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
diff --git a/mdx/_rules/check_incmd.xsl b/mdx/_rules/check_incmd.xsl
index 2af81047..570e9485 100644
--- a/mdx/_rules/check_incmd.xsl
+++ b/mdx/_rules/check_incmd.xsl
@@ -44,7 +44,7 @@
         </xsl:call-template>
     </xsl:template>
 
-    <xsl:template match="@incmd:contactType[not(starts-with(.,'http://'))][not(starts-with(.,'https://'))]">
+    <xsl:template priority="2" match="@incmd:contactType[not((starts-with(.,'http://')) or (starts-with(.,'https://')))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">incmd:contactType must be an absolute URI</xsl:with-param>
         </xsl:call-template>
@@ -53,7 +53,7 @@
     <!--
         Check for specific values.  This test is probably over-specific in the long term.
     -->
-    <xsl:template match="@incmd:contactType
+    <xsl:template priority="1" match="@incmd:contactType
         [not(. = 'http://id.incommon.org/metadata/contactType/security')]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
diff --git a/mdx/_rules/check_mdattr.xsl b/mdx/_rules/check_mdattr.xsl
index 3b0e6ad3..24a791f4 100644
--- a/mdx/_rules/check_mdattr.xsl
+++ b/mdx/_rules/check_mdattr.xsl
@@ -39,7 +39,7 @@
         </xsl:call-template>
     </xsl:template>
     <xsl:template match="md:Extensions[mdattr:EntityAttributes]
-        [not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
+        [not(parent::md:EntityDescriptor or parent::md:EntitiesDescriptor)]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">EntityAttributes must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
         </xsl:call-template>
diff --git a/mdx/_rules/check_mdiop.xsl b/mdx/_rules/check_mdiop.xsl
index ee0ec366..42fb55d1 100644
--- a/mdx/_rules/check_mdiop.xsl
+++ b/mdx/_rules/check_mdiop.xsl
@@ -27,8 +27,7 @@
         Section 2.5.1: at least one representation must appear.
     -->
     <xsl:template match="md:KeyDescriptor
-        [not(ds:KeyInfo/ds:KeyValue)]
-        [not(ds:KeyInfo/ds:X509Data/ds:X509Certificate)]">
+        [not((ds:KeyInfo/ds:KeyValue) or (ds:KeyInfo/ds:X509Data/ds:X509Certificate))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">KeyDescriptor does not contain a key representation</xsl:with-param>
         </xsl:call-template>
diff --git a/mdx/_rules/check_mdrpi.xsl b/mdx/_rules/check_mdrpi.xsl
index 0530f57a..00e38ae7 100644
--- a/mdx/_rules/check_mdrpi.xsl
+++ b/mdx/_rules/check_mdrpi.xsl
@@ -39,7 +39,7 @@
         </xsl:call-template>
     </xsl:template>
     <xsl:template match="md:Extensions[mdrpi:RegistrationInfo]
-        [not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
+        [not((parent::md:EntityDescriptor) or (parent::md:EntitiesDescriptor))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">RegistrationInfo must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
         </xsl:call-template>
@@ -74,7 +74,7 @@
 
         registrationInstant values MUST be expressed in the UTC timezone using the 'Z' timezone identifier.
     -->
-    <xsl:template match="mdrpi:RegistrationInfo[@registrationInstant]
+    <xsl:template match="mdrpi:RegistrationInfo[@registrationInstant] 
         [substring(@registrationInstant, string-length(@registrationInstant)) != 'Z']">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
@@ -120,13 +120,13 @@
         PublicationInfo MUST appear within the Extensions of either
         EntitiesDescriptor or EntityDescriptor.
     -->
-    <xsl:template match="md:PublicationInfo[not(parent::md:Extensions)]">
+    <xsl:template match="mdrpi:PublicationInfo[not(parent::md:Extensions)]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">PublicationInfo must only appear within an Extensions element</xsl:with-param>
         </xsl:call-template>
     </xsl:template>
     <xsl:template match="md:Extensions[mdrpi:PublicationInfo]
-        [not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
+        [not((parent::md:EntityDescriptor) or (parent::md:EntitiesDescriptor))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">PublicationInfo must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
         </xsl:call-template>
@@ -162,8 +162,7 @@
         Restrict the elements in this namespace which can appear directly within md:Extensions
         to the two defined container elements.  This will catch mis-spelled containers.
     -->
-    <xsl:template match="md:Extensions/mdrpi:*
-        [not(local-name()='RegistrationInfo')][not(local-name()='PublicationInfo')]">
+    <xsl:template match="md:Extensions/mdrpi:*[not(local-name()='RegistrationInfo') and not(local-name()='PublicationInfo')]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
                 <xsl:text>misspelled or misplaced mdrpi element within md:Extensions: </xsl:text>
diff --git a/mdx/_rules/check_mdui.xsl b/mdx/_rules/check_mdui.xsl
index 547a524e..5f989a35 100644
--- a/mdx/_rules/check_mdui.xsl
+++ b/mdx/_rules/check_mdui.xsl
@@ -18,7 +18,6 @@
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-    xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
     xmlns:set="http://exslt.org/sets"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
@@ -46,7 +45,7 @@
         to the two defined container elements.  This will catch mis-spelled containers.
     -->
     <xsl:template match="md:Extensions/mdui:*
-        [not(local-name()='UIInfo')][not(local-name()='DiscoHints')]">
+        [not(local-name()='UIInfo') and not(local-name()='DiscoHints')]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
                 <xsl:text>misspelled or misplaced mdui element within md:Extensions: </xsl:text>
@@ -71,7 +70,7 @@
         </xsl:call-template>
     </xsl:template>
     <xsl:template match="md:Extensions[mdui:UIInfo]
-        [not(parent::md:IDPSSODescriptor)][not(parent::md:SPSSODescriptor)]">
+        [not(parent::md:IDPSSODescriptor or parent::md:SPSSODescriptor)]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
                 <xsl:text>UIInfo appearing outside SSO descriptor element (</xsl:text>
@@ -131,103 +130,6 @@
         </xsl:if>
     </xsl:template>
 
-
-    <!--
-        Section 2.1.5 Element <mdui:Logo>
-    -->
-    <xsl:template match="mdui:Logo">
-        <!--
-            Logos must never include un-encoded line breaks. This makes them invalid
-            URLs, but also causes problems with the Shibboleth CDS.
-        -->
-        <xsl:if test="contains(., '&#10;')">
-            <xsl:call-template name="error">
-                <xsl:with-param name="m">mdui:Logo contains line break</xsl:with-param>
-            </xsl:call-template>
-        </xsl:if>
-
-        <xsl:if test="contains(., '&#xA0;')">
-            <xsl:call-template name="error">
-                <xsl:with-param name="m">mdui:Logo contains non-breaking space</xsl:with-param>
-            </xsl:call-template>
-        </xsl:if>
-
-        <!--
-            Require that the URL starts with https://
-
-            This is a SHOULD in the specification; we treat it as a MUST here.
-
-            Exception: allow data: URIs as well.  The spec is currently
-            ambiguous about this, clarification ticket is here:
-
-            https://tools.oasis-open.org/issues/browse/SECURITY-24
-        -->
-        <xsl:if test="not(starts-with(., 'https://'))">
-            <xsl:if test="not(starts-with(., 'data:'))">
-                <xsl:call-template name="error">
-                    <xsl:with-param name="m">mdui:Logo URL does not start with https://</xsl:with-param>
-                </xsl:call-template>
-            </xsl:if>
-        </xsl:if>
-
-        <!--
-            Check for <mdui:Logo> elements that aren't valid URLs.
-
-            Again, explicitly permit anything starting with 'data:', so that the
-            only validity test we're performing on data: URLs is the "no newline" rule.
-        -->
-        <xsl:if test="mdxURL:invalidURL(.)">
-            <xsl:if test="not(starts-with(., 'data:'))">
-                <xsl:call-template name="error">
-                    <xsl:with-param name="m">
-                        <xsl:text>mdui:</xsl:text>
-                        <xsl:value-of select='local-name()'/>
-                        <xsl:text> '</xsl:text>
-                        <xsl:value-of select="."/>
-                        <xsl:text>' is not a valid URL: </xsl:text>
-                        <xsl:value-of select="mdxURL:whyInvalid(.)"/>
-                    </xsl:with-param>
-                </xsl:call-template>
-            </xsl:if>
-        </xsl:if>
-    </xsl:template>
-
-    <!--
-        Section 2.1.6 Element <mdui:InformationURL>
-
-        Require that the URL is valid.
-    -->
-    <xsl:template match="mdui:InformationURL[mdxURL:invalidURL(.)]">
-        <xsl:call-template name="error">
-            <xsl:with-param name="m">
-                <xsl:text>mdui:</xsl:text>
-                <xsl:value-of select='local-name()'/>
-                <xsl:text> '</xsl:text>
-                <xsl:value-of select="."/>
-                <xsl:text>' is not a valid URL: </xsl:text>
-                <xsl:value-of select="mdxURL:whyInvalid(.)"/>
-            </xsl:with-param>
-        </xsl:call-template>
-    </xsl:template>
-
-    <!--
-        Section 2.1.7 Element <mdui:PrivacyStatementURL>
-
-        Require that the URL is valid.
-    -->
-    <xsl:template match="mdui:PrivacyStatementURL[mdxURL:invalidURL(.)]">
-        <xsl:call-template name="error">
-            <xsl:with-param name="m">
-                <xsl:text>mdui:</xsl:text>
-                <xsl:value-of select='local-name()'/>
-                <xsl:text> '</xsl:text>
-                <xsl:value-of select="."/>
-                <xsl:text>' is not a valid URL: </xsl:text>
-                <xsl:value-of select="mdxURL:whyInvalid(.)"/>
-            </xsl:with-param>
-        </xsl:call-template>
-    </xsl:template>
-
     <!--
         Section 2.2
 
diff --git a/mdx/_rules/check_mdui_logo_length.xsl b/mdx/_rules/check_mdui_logo_length.xsl
index 11ee3fcf..6d359b63 100644
--- a/mdx/_rules/check_mdui_logo_length.xsl
+++ b/mdx/_rules/check_mdui_logo_length.xsl
@@ -11,7 +11,6 @@
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-    xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
     xmlns:set="http://exslt.org/sets"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
diff --git a/mdx/_rules/check_saml1.xsl b/mdx/_rules/check_saml1.xsl
index 33325ed0..fc2ffc2f 100644
--- a/mdx/_rules/check_saml1.xsl
+++ b/mdx/_rules/check_saml1.xsl
@@ -33,8 +33,8 @@
         An IdP with a SAML 1.1 AttributeAuthority needs an AttributeService with an appropriate Binding.
     -->
     <xsl:template match="md:AttributeAuthorityDescriptor
-        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-        [not(md:AttributeService[@Binding='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'])]
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol') and
+        not(md:AttributeService[@Binding='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'])]
         ">
         <xsl:call-template name="error">
             <xsl:with-param name="m">SAML 1.1 AttributeAuthority missing appropriately bound AttributeService</xsl:with-param>
@@ -45,8 +45,8 @@
         Use of SAML 1.0 bindings requires SAML 1.1 in protocolSupportEnumeration.
     -->
     <xsl:template match="md:IDPSSODescriptor
-        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
-        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')) and
+        md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
                 <xsl:text>SAML 1.0 binding requires SAML 1.1 token in IDPSSODescriptor/@protocolSupportEnumeration</xsl:text>
@@ -58,8 +58,8 @@
         Use of SAML 1.0 bindings requires SAML 1.1 in protocolSupportEnumeration.
     -->
     <xsl:template match="md:AttributeAuthorityDescriptor
-        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
-        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')) and
+        md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
                 <xsl:text>SAML 1.0 binding requires SAML 1.1 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
@@ -71,8 +71,8 @@
         Use of SAML 1.0 bindings requires SAML 1.1 in protocolSupportEnumeration.
     -->
     <xsl:template match="md:SPSSODescriptor
-        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
-        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')) and
+        md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
                 <xsl:text>SAML 1.0 binding requires SAML 1.1 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
diff --git a/mdx/_rules/check_saml2.xsl b/mdx/_rules/check_saml2.xsl
index 0f1fed85..b97520b8 100644
--- a/mdx/_rules/check_saml2.xsl
+++ b/mdx/_rules/check_saml2.xsl
@@ -47,9 +47,8 @@
         A SAML 2.0 IdP with an AttributeAuthority needs an AttributeService with an appropriate Binding.
     -->
     <xsl:template match="md:AttributeAuthorityDescriptor
-        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-        [not(md:AttributeService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP'])]
-        ">
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol') and 
+        not(md:AttributeService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP'])]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">SAML 2.0 AttributeAuthority missing appropriately bound AttributeService</xsl:with-param>
         </xsl:call-template>
@@ -61,8 +60,7 @@
     -->
     <xsl:template match="md:SPSSODescriptor
         [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-        [not(md:KeyDescriptor[descendant::ds:X509Data][@use='encryption'])]
-        [not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+        [not((md:KeyDescriptor[descendant::ds:X509Data and @use='encryption']) or ((md:KeyDescriptor[descendant::ds:X509Data and not(@use)])))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">SAML 2.0 SP has no encryption key</xsl:with-param>
         </xsl:call-template>
@@ -72,8 +70,8 @@
         Use of SAML 2.0 bindings requires SAML 2.0 in protocolSupportEnumeration.
     -->
     <xsl:template match="md:IDPSSODescriptor
-        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')) and 
+        md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
                 <xsl:text>SAML 2.0 binding requires SAML 2.0 token in IDPSSODescriptor/@protocolSupportEnumeration</xsl:text>
@@ -85,8 +83,8 @@
         Use of SAML 2.0 bindings requires SAML 2.0 in protocolSupportEnumeration.
     -->
     <xsl:template match="md:AttributeAuthorityDescriptor
-        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')) and
+        md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
                 <xsl:text>SAML 2.0 binding requires SAML 2.0 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
@@ -98,8 +96,8 @@
         Use of SAML 2.0 bindings requires SAML 2.0 in protocolSupportEnumeration.
     -->
     <xsl:template match="md:SPSSODescriptor
-        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')) and
+        md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
                 <xsl:text>SAML 2.0 binding requires SAML 2.0 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
diff --git a/mdx/_rules/check_saml2int.xsl b/mdx/_rules/check_saml2int.xsl
index 42f30770..596c2faa 100644
--- a/mdx/_rules/check_saml2int.xsl
+++ b/mdx/_rules/check_saml2int.xsl
@@ -32,8 +32,10 @@
     <xsl:template match="md:SPSSODescriptor
         [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
         [md:NameIDFormat]
-        [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'])]
-        [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
+        [not(
+            (md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent']) or 
+            (md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])
+        )]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">SP excludes both SAML 2 name identifier formats</xsl:with-param>
         </xsl:call-template>
@@ -124,16 +126,14 @@
     -->
     <xsl:template match="md:IDPSSODescriptor
         [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-        [not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
-        [not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+        [not((md:KeyDescriptor[descendant::ds:X509Data][@use='signing']) or (md:KeyDescriptor[descendant::ds:X509Data][not(@use)]))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">SAML 2.0 IdP has no embedded signing key</xsl:with-param>
         </xsl:call-template>
     </xsl:template>
     <xsl:template match="md:AttributeAuthorityDescriptor
         [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-        [not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
-        [not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+        [not((md:KeyDescriptor[descendant::ds:X509Data][@use='signing']) or (md:KeyDescriptor[descendant::ds:X509Data][not(@use)]))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">SAML 2.0 AttributeAuthority has no embedded signing key</xsl:with-param>
         </xsl:call-template>
diff --git a/mdx/_rules/check_saml2meta.xsl b/mdx/_rules/check_saml2meta.xsl
index 42b5fad4..3a3cda52 100644
--- a/mdx/_rules/check_saml2meta.xsl
+++ b/mdx/_rules/check_saml2meta.xsl
@@ -11,7 +11,6 @@
 -->
 <xsl:stylesheet version="1.0"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
     xmlns:set="http://exslt.org/sets"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -66,48 +65,4 @@
         <xsl:apply-templates/>
     </xsl:template>
 
-
-    <!--
-        Check for Location attributes that aren't valid URLs.
-    -->
-    <xsl:template match="md:*[@Location and mdxURL:invalidURL(@Location)]">
-        <xsl:call-template name="error">
-            <xsl:with-param name="m">
-                <xsl:value-of select='local-name()'/>
-                <xsl:text> Location is not a valid URL: </xsl:text>
-                <xsl:value-of select="mdxURL:whyInvalid(@Location)"/>
-            </xsl:with-param>
-        </xsl:call-template>
-    </xsl:template>
-
-
-    <!--
-        Check for ResponseLocation attributes that aren't valid URLs.
-    -->
-    <xsl:template match="md:*[@ResponseLocation and mdxURL:invalidURL(@ResponseLocation)]">
-        <xsl:call-template name="error">
-            <xsl:with-param name="m">
-                <xsl:value-of select='local-name()'/>
-                <xsl:text> ResponseLocation is not a valid URL: </xsl:text>
-                <xsl:value-of select="mdxURL:whyInvalid(@ResponseLocation)"/>
-            </xsl:with-param>
-        </xsl:call-template>
-    </xsl:template>
-
-
-    <!--
-        Check for OrganizationURLs that aren't valid URLs.
-    -->
-    <xsl:template match="md:OrganizationURL[mdxURL:invalidURL(.)]">
-        <xsl:call-template name="error">
-            <xsl:with-param name="m">
-                <xsl:text>OrganizationURL '</xsl:text>
-                <xsl:value-of select="."/>
-                <xsl:text>' is not a valid URL: </xsl:text>
-                <xsl:value-of select="mdxURL:whyInvalid(.)"/>
-            </xsl:with-param>
-        </xsl:call-template>
-    </xsl:template>
-
-
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_shibboleth.xsl b/mdx/_rules/check_shibboleth.xsl
index 12e87c7a..a1b83705 100644
--- a/mdx/_rules/check_shibboleth.xsl
+++ b/mdx/_rules/check_shibboleth.xsl
@@ -36,8 +36,10 @@
         We perform a very cursory test for this by insisting that they start with
         either "http://" or "https://".
     -->
-    <xsl:template match="md:OrganizationURL[not(starts-with(., 'http://'))]
-        [not(starts-with(., 'https://'))]">
+    <xsl:template match="md:OrganizationURL[not(
+            (starts-with(., 'http://')) or 
+            (starts-with(., 'https://'))
+        )]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">OrganizationURL '<xsl:value-of select="."/>' does not start with acceptable prefix</xsl:with-param>
         </xsl:call-template>
diff --git a/mdx/_rules/check_sirtfi2.xsl b/mdx/_rules/check_sirtfi2.xsl
new file mode 100644
index 00000000..ca01e9b5
--- /dev/null
+++ b/mdx/_rules/check_sirtfi2.xsl
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    check_sirtfi2.xsl
+
+    Checking ruleset containing rules associated with the Sirtfi version 2.0 specification,
+    as described on the REFEDS page https://refeds.org/sirtfi and with specifcation at:
+
+        https://refeds.org/wp-content/uploads/2022/08/Sirtfi-v2.pdf
+
+-->
+<xsl:stylesheet version="1.0"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Process only entities claiming Sirtfi version 2 compliance.
+    -->
+    <xsl:template match="md:EntityDescriptor[
+            md:Extensions/mdattr:EntityAttributes/saml:Attribute[@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+                [@Name='urn:oasis:names:tc:SAML:attribute:assurance-certification']
+            /saml:AttributeValue[.='https://refeds.org/sirtfi2']
+        ]">
+
+        <!--
+            Collect the REFEDS security contacts for this entity.
+        -->
+        <xsl:variable name="securityContacts"
+            select="md:ContactPerson
+            [@contactType='other']
+            [@remd:contactType='http://refeds.org/metadata/contactType/security']"/>
+
+        <!--
+            There must be at least one REFEDS security contact.
+        -->
+        <xsl:if test="count($securityContacts) = 0">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">Sirtfi version 2 requires a REFEDS security contact</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
+        <!--
+            REFEDS security contacts used in Sirtfi version 2 compliant entities need to have
+            GivenName and EmailAddress attributes.
+        -->
+        <xsl:for-each select="$securityContacts">
+            <xsl:if test="not(md:GivenName)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">Sirtfi version 2 requires a REFEDS security contact to have a GivenName</xsl:with-param>
+                </xsl:call-template>
+            </xsl:if>
+            <xsl:if test="not(md:EmailAddress)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">Sirtfi version 2 requires a REFEDS security contact to have an EmailAddress</xsl:with-param>
+                </xsl:call-template>
+            </xsl:if>
+        </xsl:for-each>
+
+        <!--
+            Sirtfi version 2 requires that the entity also asserts the original Sirtfi entity attribute
+        -->
+        <xsl:if test="not(
+                ./md:Extensions/mdattr:EntityAttributes/saml:Attribute
+                [@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+                [@Name='urn:oasis:names:tc:SAML:attribute:assurance-certification']
+                /saml:AttributeValue[.='https://refeds.org/sirtfi'])
+            ">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">Sirtfi version 2 requires the entity to also support the original Sirtfi entity attribute</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
+    </xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/at_aconet/beans.xml b/mdx/at_aconet/beans.xml
index 5ab7a9fc..69040fb3 100644
--- a/mdx/at_aconet/beans.xml
+++ b/mdx/at_aconet/beans.xml
@@ -30,7 +30,7 @@
     <bean id="at_aconet_productionAggregate" parent="mda.DOMResourceSourceStage">
         <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
-            <bean parent="HTTPResource">
+            <bean parent="mda.HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
                 <constructor-arg name="url"    ref="at_aconet_registrarAggregate_url"/>
             </bean>
@@ -43,7 +43,7 @@
     <bean id="at_aconet_edugainAggregate" parent="mda.DOMResourceSourceStage">
         <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
-            <bean parent="HTTPResource">
+            <bean parent="mda.HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
                 <constructor-arg name="url"    ref="at_aconet_edugainAggregate_url"/>
             </bean>
@@ -53,7 +53,7 @@
     <!--
         Signing certificate.
     -->
-    <bean id="at_aconet_signingCertificate" parent="X509CertificateFactoryBean"
+    <bean id="at_aconet_signingCertificate" parent="mda.X509CertificateFactoryBean"
         p:resource="classpath:at_aconet/aconet-aai-metadata-signing.crt"/>
 
     <!--
@@ -98,7 +98,7 @@
         Fetch the production entities as a collection.
     -->
     <bean id="at_aconet_productionEntities" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="at_aconet_productionAggregate"/>
 
@@ -120,7 +120,7 @@
         Fetch the eduGAIN export entities as a collection.
     -->
     <bean id="at_aconet_edugainEntities" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="at_aconet_edugainAggregate"/>
 
diff --git a/mdx/at_aconet/verbs.xml b/mdx/at_aconet/verbs.xml
index f3db7439..b5bd033e 100644
--- a/mdx/at_aconet/verbs.xml
+++ b/mdx/at_aconet/verbs.xml
@@ -95,7 +95,7 @@
                     a while to resolve.
                 -->
                 <bean id="filterEntities" parent="mda.EntityFilterStage"
-                    p:whitelistingEntities="false">
+                    p:keepingEntities="false">
                     <property name="designatedEntities">
                         <set>
                         </set>
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 5be87f8a..1c982bbe 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -22,7 +22,7 @@
     <!--
         Pick up Shibboleth MDA beans.
     -->
-    <import resource="mda-beans.xml"/>
+    <import resource="classpath:net/shibboleth/metadata/beans.xml"/>
 
     <!--
         Pick up UK federation MDA beans.
@@ -53,12 +53,6 @@
     <bean id="FileSystemResource" abstract="true"
         class="org.springframework.core.io.FileSystemResource"/>
 
-    <!--
-        Shibboleth-defined Resource class parent bean.
-    -->
-    <bean id="HTTPResource" abstract="true"
-        class="net.shibboleth.ext.spring.resource.HTTPResource"/>
-
     <!--
         component_parent
 
@@ -73,7 +67,8 @@
 
         Parent for XML Signature validation stages.
 
-        Applies global algorithm blacklists. For values, see:
+        Applies global algorithm exclusions. For values, see:
+
             http://www.w3.org/TR/xmlsec-algorithms/
 
         Establishes a default of *not* permitting empty references
@@ -82,12 +77,12 @@
         require it.
     -->
     <bean id="XMLSignatureValidationStage" abstract="true" parent="mda.XMLSignatureValidationStage">
-        <property name="blacklistedDigests">
+        <property name="disallowedDigests">
             <list>
                 <value>http://www.w3.org/2001/04/xmldsig-more#md5</value>
             </list>
         </property>
-        <property name="blacklistedSignatureMethods">
+        <property name="disallowedSignatureMethods">
             <list>
                 <value>http://www.w3.org/2001/04/xmldsig-more#rsa-md5</value>
             </list>
@@ -103,13 +98,13 @@
     -->
     <bean id="XMLSignatureValidationStageSHA256" abstract="true"
         parent="XMLSignatureValidationStage">
-        <property name="blacklistedDigests">
+        <property name="disallowedDigests">
             <list>
                 <value>http://www.w3.org/2000/09/xmldsig#sha1</value>
                 <value>http://www.w3.org/2001/04/xmldsig-more#md5</value>
             </list>
         </property>
-        <property name="blacklistedSignatureMethods">
+        <property name="disallowedSignatureMethods">
             <list>
                 <value>http://www.w3.org/2000/09/xmldsig#rsa-sha1</value>
                 <value>http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1</value>
@@ -118,29 +113,31 @@
         </property>
     </bean>
 
-    <!-- *** Parent beans for Shibboleth spring-extensions factory beans. *** -->
-
-    <bean id="DOMDocumentFactoryBean" abstract="true"
-        class="net.shibboleth.ext.spring.factory.DOMDocumentFactoryBean"/>
-
-    <!-- PKCS11PrivateKeyFactoryBean is in MDA in V0.9.2. -->
-    <bean id="PKCS11PrivateKeyFactoryBean" abstract="true"
-        class="net.shibboleth.metadata.util.PKCS11PrivateKeyFactoryBean"/>
-
-    <bean id="PrivateKeyFactoryBean" abstract="true"
-        class="net.shibboleth.ext.spring.factory.PrivateKeyFactoryBean"/>
+    <!-- *** Default Shibboleth component bean id property from Spring bean id *** -->
+    <bean parent="mda.IdentifiableBeanPostProcessor" lazy-init="false"/>
 
-    <bean id="PublicKeyFactoryBean" abstract="true"
-        class="net.shibboleth.ext.spring.factory.PublicKeyFactoryBean"/>
 
-    <bean id="X509CertificateChainFactoryBean" abstract="true"
-        class="net.shibboleth.ext.spring.factory.X509CertificateChainFactoryBean"/>
+    <!--
+        *****************************
+        ***                       ***
+        ***   U T I L I T I E S   ***
+        ***                       ***
+        *****************************
+    -->
 
-    <bean id="X509CertificateFactoryBean" abstract="true"
-        class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"/>
+    <!-- This bean MUST be called "conversionService" to work properly. -->
+    <bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean">
+        <property name="converters">
+            <set>
+                <bean parent="mda.StringToDurationConverter"/>
+                <bean parent="mda.StringToIPRangeConverter"/>
+                <bean parent="mda.BooleanToPredicateConverter"/>
+                <bean parent="mda.StringBooleanToPredicateConverter"/>
+                <bean parent="mda.StringToResourceConverter"/>
+            </set>
+        </property>
+    </bean>
 
-    <!-- *** Default Shibboleth component bean id property from Spring bean id *** -->
-    <bean class="net.shibboleth.ext.spring.config.IdentifiableBeanPostProcessor" lazy-init="false"/>
 
     <!--
         *******************************************************
@@ -263,7 +260,7 @@
         A NamespaceContext that assigns the usual prefix for each of the commonly used XML namespaces.
         This is used in the evaluation of XPath expressions.
     -->
-    <bean id="commonNamespaces" class="net.shibboleth.utilities.java.support.xml.SimpleNamespaceContext">
+    <bean id="commonNamespaces" parent="mda.SimpleNamespaceContext">
         <constructor-arg>
             <util:map map-class="java.util.HashMap">
                 <entry key="alg"        value-ref="alg_namespace"/>
@@ -392,7 +389,7 @@
     <bean id="ch_switchaai_registrar"    parent="String" c:_="http://rr.aai.switch.ch/"/>
     <bean id="cl_cofre_registrar"        parent="String" c:_="http://cofre.reuna.cl"/>
     <bean id="cn_carsi_registrar"        parent="String" c:_="https://www.carsi.edu.cn"/>
-    <bean id="cn_cstcloud_registrar"     parent="String" c:_="https://cstcloud.net/"/>
+    <bean id="cn_cstcloud_registrar"     parent="String" c:_="https://www.cstcloud.net/"/>
     <bean id="co_colfire_registrar"      parent="String" c:_="http://colfire.co"/>
     <bean id="cy_cynet_registrar"        parent="String" c:_="https://cif.cynet.ac.cy"/>
     <bean id="cz_eduid_registrar"        parent="String" c:_="http://www.eduid.cz/"/>
@@ -433,6 +430,7 @@
     <bean id="mx_fenix_registrar"        parent="String" c:_="http://www.fenix.org.mx"/>
     <bean id="mz_cafmoz_registrar"       parent="String" c:_="http://cafmoz.morenet.ac.mz"/>
     <bean id="nl_surfconext_registrar"   parent="String" c:_="http://www.surfconext.nl/"/>
+    <bean id="ng_eduidng_registrar"      parent="String" c:_="https://www.eduid.ng"/>
     <bean id="no_feide_registrar"        parent="String" c:_="http://feide.no/"/>
     <bean id="nz_tuakiri_registrar"      parent="String" c:_="https://tuakiri.ac.nz/"/>
     <bean id="om_omankid_registrar"      parent="String" c:_="https://www.trc.gov.om/trcweb/"/>
@@ -449,6 +447,7 @@
     <bean id="sg_sgaf_registrar"         parent="String" c:_="https://www.singaren.net.sg"/>
     <bean id="si_arnes_registrar"        parent="String" c:_="http://aai.arnes.si"/>
     <bean id="sk_safeid_registrar"       parent="String" c:_="http://safeid.sk"/>
+    <bean id="th_thaiidf_registrar"      parent="String" c:_="http://idf.thairen.net.th"/>
     <bean id="tj_tarena_registrar"       parent="String" c:_="http://www.tidf.tj/"/>
     <bean id="tr_yetkim_registrar"       parent="String" c:_="https://yetkim.org.tr/"/>
     <bean id="ua_peano_registrar"        parent="String" c:_="https://peano.uran.ua"/>
@@ -501,6 +500,7 @@
         <entry key-ref="cz_eduid_registrar"           value="CZ"/>
         <entry key-ref="hu_eduid_registrar"           value="HU"/>
         <entry key-ref="lu_eduid_registrar"           value="LU"/>
+        <entry key-ref="ng_eduidng_registrar"         value="NG"/>
         <entry key-ref="ma_eduidm_registrar"          value="MA"/>
         <entry key-ref="by_febas_registrar"           value="BY"/>
         <entry key-ref="ru_fedurus_registrar"         value="RU-FEDURUS"/>
@@ -547,6 +547,7 @@
         <entry key-ref="se_swamid_registrar"          value="SE"/>
         <entry key-ref="ch_switchaai_registrar"       value="CH"/>
         <entry key-ref="ee_taat_registrar"            value="EE"/>
+        <entry key-ref="th_thaiidf_registrar"         value="TH"/>
         <entry key-ref="bd_tigerfed_registrar"        value="BD"/>
         <entry key-ref="nz_tuakiri_registrar"         value="NZ"/>
         <entry key-ref="uk_ukf_registrar"             value="UK"/>
@@ -675,7 +676,7 @@
         any items that had errors.  Items with just warnings are retained.
     -->
     <bean id="errorAnnouncingFilter" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="warningAndErrorAnnouncer"/>
                 <ref bean="errorRemover"/>
@@ -691,7 +692,7 @@
         Warnings are not announced, and do not cause termination.
     -->
     <bean id="errorTerminatingFilter" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="errorAnnouncer"/>
                 <ref bean="errorTerminator"/>
@@ -713,16 +714,26 @@
         QNames for SAML metadata elements.
     -->
     <bean id="md-AdditionalMetadataLocation"  parent="QName" c:_0-ref="md_namespace" c:_1="AdditionalMetadataLocation"/>
+    <bean id="md-ArtifactResolutionService"   parent="QName" c:_0-ref="md_namespace" c:_1="ArtifactResolutionService"/>
+    <bean id="md-AssertionConsumerService"    parent="QName" c:_0-ref="md_namespace" c:_1="AssertionConsumerService"/>
+    <bean id="md-AssertionIDRequestService"   parent="QName" c:_0-ref="md_namespace" c:_1="AssertionIDRequestService"/>
     <bean id="md-AttributeProfile"            parent="QName" c:_0-ref="md_namespace" c:_1="AttributeProfile"/>
+    <bean id="md-AttributeService"            parent="QName" c:_0-ref="md_namespace" c:_1="AttributeService"/>
+    <bean id="md-AuthnQueryService"           parent="QName" c:_0-ref="md_namespace" c:_1="AuthnQueryService"/>
+    <bean id="md-AuthzService"                parent="QName" c:_0-ref="md_namespace" c:_1="AuthzService"/>
     <bean id="md-Company"                     parent="QName" c:_0-ref="md_namespace" c:_1="Company"/>
     <bean id="md-EmailAddress"                parent="QName" c:_0-ref="md_namespace" c:_1="EmailAddress"/>
     <bean id="md-GivenName"                   parent="QName" c:_0-ref="md_namespace" c:_1="GivenName"/>
+    <bean id="md-ManageNameIDService"         parent="QName" c:_0-ref="md_namespace" c:_1="ManageNameIDService"/>
     <bean id="md-NameIDFormat"                parent="QName" c:_0-ref="md_namespace" c:_1="NameIDFormat"/>
+    <bean id="md-NameIDMappingService"        parent="QName" c:_0-ref="md_namespace" c:_1="NameIDMappingService"/>
     <bean id="md-OrganizationDisplayName"     parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationDisplayName"/>
     <bean id="md-OrganizationName"            parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationName"/>
     <bean id="md-OrganizationURL"             parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationURL"/>
     <bean id="md-ServiceDescription"          parent="QName" c:_0-ref="md_namespace" c:_1="ServiceDescription"/>
     <bean id="md-ServiceName"                 parent="QName" c:_0-ref="md_namespace" c:_1="ServiceName"/>
+    <bean id="md-SingleLogoutService"         parent="QName" c:_0-ref="md_namespace" c:_1="SingleLogoutService"/>
+    <bean id="md-SingleSignOnService"         parent="QName" c:_0-ref="md_namespace" c:_1="SingleSignOnService"/>
     <bean id="md-SurName"                     parent="QName" c:_0-ref="md_namespace" c:_1="SurName"/>
     <bean id="md-TelephoneNumber"             parent="QName" c:_0-ref="md_namespace" c:_1="TelephoneNumber"/>
 
@@ -962,11 +973,10 @@
 
         These options can be removed once the underlying issue has been resolved.
     -->
-    <bean id="httpClientBuilder"
-        class="net.shibboleth.utilities.java.support.httpclient.HttpClientBuilder"
+    <bean id="httpClientBuilder" parent="mda.HttpClientBuilder"
         p:connectionDisregardTLSCertificate="true"
-        p:socketTimeout="100000"
-        p:connectionTimeout="100000"
+        p:socketTimeout="PT100S"
+        p:connectionTimeout="PT100S"
     />
 
     <!--
@@ -981,8 +991,7 @@
 
         A pre-configured parser pool for use by source stages.
     -->
-    <bean id="parserPool" parent="component_parent"
-        class="net.shibboleth.utilities.java.support.xml.BasicParserPool"
+    <bean id="parserPool" parent="mda.BasicParserPool"
         p:ignoreComments="false"
         p:ignoreElementContentWhitespace="false"/>
 
@@ -1200,7 +1209,7 @@
         that is left to the caller.
     -->
     <bean id="standardImportActions" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="populateItemIds"/>
                 <ref bean="populateRegistrationAuthorities"/>
@@ -1210,7 +1219,7 @@
                     other than the ones we accept from partners.
                 -->
                 <bean id="whitelistImportedNamespaces" parent="mda.NamespacesStrippingStage"
-                    p:whitelisting="true">
+                    p:keeping="true">
                     <property name="namespaces">
                         <set>
                             <ref bean="alg_namespace"/>
@@ -1243,42 +1252,13 @@
                 <ref bean="trimImportElementWhitespace"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="strip_mdui_logo_length"/>
+                <ref bean="uk_add_cbc_encryption"/>
 
                 <ref bean="checkSchemas"/>
                 <ref bean="CHECK_std"/>
                 <ref bean="check_namespaces"/>
 
-                <bean id="checkCertificates" parent="mda.X509ValidationStage">
-                    <property name="validators">
-                        <list>
-                            <!-- Error on DSA keys. -->
-                            <bean p:id="DSA" parent="ukf.X509DSADetector"/>
-
-                            <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean p:id="RSAKeyLength" parent="mda.X509RSAKeyLengthValidator"
-                                p:warningBoundary="0" p:errorBoundary="2048"/>
-                            <!-- Error on small RSA public exponents. -->
-                            <bean p:id="RSAExponent" parent="mda.X509RSAExponentValidator"/>
-                            <!-- Error on keys vulnerable to ROCA. -->
-                            <bean p:id="ROCA" parent="ukf.X509ROCAValidator"/>
-
-                            <!--
-                                Debian weak key blacklists.
-
-                                Don't need to check for keys below our minimum key size.
-                            -->
-                            <ref bean="debian.2048"/>
-                            <ref bean="debian.4096"/>
-
-                            <!--
-                                Compromised key blacklists.
-
-                                Again, don't need to check for keys below our minimum key size.
-                            -->
-                            <ref bean="compromised.2048"/>
-                        </list>
-                    </property>
-                </bean>
+                <ref bean="check_standard_certificates"/>
 
             </list>
         </property>
@@ -1292,7 +1272,7 @@
         namespaces in the document ready for serialisation.
     -->
     <bean id="standardImportTail" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <!-- announce and remove any entities with errors -->
                 <ref bean="errorAnnouncingFilter"/>
diff --git a/mdx/int_cobweb/beans.xml b/mdx/int_cobweb/beans.xml
deleted file mode 100644
index a937917c..00000000
--- a/mdx/int_cobweb/beans.xml
+++ /dev/null
@@ -1,74 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-    Common beans for this channel.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
-    default-lazy-init="true"
-    xmlns:c="http://www.springframework.org/schema/c"
-    xmlns:p="http://www.springframework.org/schema/p"
-    xmlns:util="http://www.springframework.org/schema/util"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
-        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-
-    <!--
-        Location of various resources.
-    -->
-    <bean id="int_cobweb_productionAggregate_url" parent="String">
-        <constructor-arg value="https://cobweb.edina.ac.uk/metadata/cobweb-metadata.xml"/>
-    </bean>
-
-    <!--
-        Fetch the production aggregate.
-    -->
-    <bean id="int_cobweb_productionAggregate" parent="mda.DOMResourceSourceStage">
-        <property name="parserPool" ref="parserPool"/>
-        <property name="DOMResource">
-            <bean parent="HTTPResource">
-                <constructor-arg name="client" ref="httpClient"/>
-                <constructor-arg name="url"    ref="int_cobweb_productionAggregate_url"/>
-            </bean>
-        </property>
-    </bean>
-
-    <!--
-        Signing certificate.
-    -->
-    <bean id="int_cobweb_signingCertificate" parent="X509CertificateFactoryBean"
-        p:resource="classpath:int_cobweb/cobweb.pem"/>
-
-    <!--
-        Check signing signature.
-    -->
-    <bean id="int_cobweb_checkSignature" parent="XMLSignatureValidationStage">
-        <property name="verificationCertificate" ref="int_cobweb_signingCertificate"/>
-    </bean>
-
-    <!--
-        Fetch the production entities as a collection.
-    -->
-    <bean id="int_cobweb_productionEntities" parent="mda.CompositeStage">
-        <property name="composedStages">
-            <list>
-                <ref bean="int_cobweb_productionAggregate"/>
-
-                <!--
-                    Check for fatal errors at the aggregate level:
-                        missing or expired validUntil attribute
-                        invalid signature
-                -->
-                <ref bean="check_validUntil"/>
-                <ref bean="errorTerminatingFilter"/>
-
-                <ref bean="disassemble"/>
-            </list>
-        </property>
-    </bean>
-
-    <!--
-        Select primary export aggregate.
-    -->
-    <alias alias="int_cobweb_exportedAggregate" name="int_cobweb_productionAggregate"/>
-    <alias alias="int_cobweb_exportedEntities"  name="int_cobweb_productionEntities"/>
-</beans>
diff --git a/mdx/int_cobweb/cobweb.pem b/mdx/int_cobweb/cobweb.pem
deleted file mode 100644
index b515a826..00000000
--- a/mdx/int_cobweb/cobweb.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIJANQTFZkwy3GRMA0GCSqGSIb3DQEBBQUAMHcxCzAJBgNV
-BAYTAkdCMREwDwYDVQQIDAhTY290bGFuZDESMBAGA1UEBwwJRWRpbmJ1cmdoMSAw
-HgYDVQQKDBdVbml2ZXJzaXR5IG9mIEVkaW5idXJnaDEOMAwGA1UECwwFRURJTkEx
-DzANBgNVBAMMBmNvYndlYjAeFw0xMzA2MDQxMjIxMDdaFw0yMzA2MDIxMjIxMDda
-MHcxCzAJBgNVBAYTAkdCMREwDwYDVQQIDAhTY290bGFuZDESMBAGA1UEBwwJRWRp
-bmJ1cmdoMSAwHgYDVQQKDBdVbml2ZXJzaXR5IG9mIEVkaW5idXJnaDEOMAwGA1UE
-CwwFRURJTkExDzANBgNVBAMMBmNvYndlYjCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAMG2jx3EtN1qg0GmHkJMv3dhe1+VwTwc5hhWyEF7uNmSXHgsLqr/
-tqcwGU44ZkItsfyuwpLos7EVB4Yjwr/acoj7J9Rpr9nhpmJHT3Bdz/hruNCskBv7
-5euEKnz7avoiC/tuPBDw5WFvZnFvmX0WitdYkneF/TglzlXHj17+t0aW5m5Jpmnt
-txh3Ei5Bgc1IpWUDfoiBmAIDxsGY9WtZw8jFqfeJ9Mqx3nL/4RthxybWlABsc/OG
-Kttn0RwMwEWbxyKju2E+tlvAuzD6S51f3isZVTRg2vq9pQpNa0psFQUIGXaetJC2
-iHsvtrRh2J1ZZGdwMDw2Cm6et0SPkb3JcAUCAwEAAaNQME4wHQYDVR0OBBYEFJ1f
-LUWCtlexZlUN1TYKSufHDX6AMB8GA1UdIwQYMBaAFJ1fLUWCtlexZlUN1TYKSufH
-DX6AMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAF9jSeYRG88AQTuV
-yN82Jr2NWwACesZ/x6eQp/UznAlx2M8mqqPBtdWpFG3Qwwl/sds6kFZTMBgCBX8R
-tr2CUPMoLGJJv36GXvnc4EHXaQ21SIL6Qqs4UzzBX5KevQ8Gs7rK6UWWOsG7mmsx
-jlDrX1bfKd97yLZesDoZ7uoaLUM6ll6HrChBDPIhju6GcfGxcNgSe7EwHho/Uj23
-ntdXeYamcn4bgh3ZOBmm/d+AjjEZpKFsS5qF2j155nV+h5jZB3ZIpFlVWrW0Bmlk
-mhrM4/yu4l8QWjzkRwKJahD0gJLiwP2gyXH9BCpYFD3biG94wtmMqk2wDiXdjIJd
-R55Ymss=
------END CERTIFICATE-----
diff --git a/mdx/int_cobweb/verbs.xml b/mdx/int_cobweb/verbs.xml
deleted file mode 100644
index 5cb06d8b..00000000
--- a/mdx/int_cobweb/verbs.xml
+++ /dev/null
@@ -1,68 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-    Verb definitions for this channel.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
-    default-lazy-init="true"
-    xmlns:c="http://www.springframework.org/schema/c"
-    xmlns:p="http://www.springframework.org/schema/p"
-    xmlns:util="http://www.springframework.org/schema/util"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
-        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-
-    <!--
-        Import commonly used beans.
-    -->
-    <import resource="classpath:common-beans.xml"/>
-
-    <!--
-        Import channel-specific beans.
-    -->
-    <import resource="classpath:int_cobweb/beans.xml"/>
-
-    <bean id="serializeImported" parent="mda.SerializationStage">
-        <property name="serializer" ref="serializer"/>
-        <property name="outputFile">
-            <bean parent="File">
-                <constructor-arg value="${mdx.dir}/int_cobweb/imported.xml"/>
-            </bean>
-        </property>
-    </bean>
-
-    <bean id="importProduction" parent="mda.SimplePipeline">
-        <property name="stages">
-            <list>
-                <ref bean="int_cobweb_productionEntities"/>
-                <ref bean="standardImportActions"/>
-                <ref bean="check_shib_regscope"/>
-                <ref bean="standardImportTail"/>
-                <ref bean="serializeImported"/>
-            </list>
-        </property>
-    </bean>
-
-    <bean id="verifyProduction" parent="mda.SimplePipeline">
-        <property name="stages">
-            <list>
-                <ref bean="int_cobweb_productionEntities"/>
-                <ref bean="standardImportActions"/>
-                <ref bean="check_shib_regscope"/>
-                <ref bean="errorTerminatingFilter"/>
-            </list>
-        </property>
-    </bean>
-
-    <bean id="importProductionRaw" parent="mda.SimplePipeline">
-        <property name="stages">
-            <list>
-                <ref bean="int_cobweb_productionAggregate"/>
-                <ref bean="serializeImported"/>
-            </list>
-        </property>
-    </bean>
-
-    <alias alias="import"    name="importProduction"/>
-    <alias alias="importRaw" name="importProductionRaw"/>
-</beans>
diff --git a/mdx/int_edugain/beans.xml b/mdx/int_edugain/beans.xml
index 78a0412f..5229e2f0 100644
--- a/mdx/int_edugain/beans.xml
+++ b/mdx/int_edugain/beans.xml
@@ -29,9 +29,13 @@
     <bean id="int_edugain_betaAggregate_url" parent="String">
         <constructor-arg value="http://mds.edugain.org/edugain-v1-beta.xml"/>
     </bean>
+    <!-- Downloaded copy of production aggregate. -->
+    <bean id="int_edugain_productionAggregate_file" parent="File">
+        <constructor-arg value="${output.edugain.download}"/>
+    </bean>
 
     <!--
-        Fetches the eduGAIN production aggregate.
+        Fetches the eduGAIN production aggregate from its designated URL.
 
         Other aggregates may be substituted if their location exists as a bean
         named "int_edugain_<ID>Aggregate_url" above, and the property
@@ -46,18 +50,29 @@
     <bean id="int_edugain_productionAggregate" parent="mda.DOMResourceSourceStage">
         <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
-            <bean parent="HTTPResource">
+            <bean parent="mda.HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
                 <constructor-arg name="url"
-                	ref="int_edugain_${int.edugain.aggregate.name:production}Aggregate_url"/>
+                    ref="int_edugain_${int.edugain.aggregate.name:production}Aggregate_url"/>
             </bean>
         </property>
     </bean>
 
+    <!--
+        Fetches the downloaded copy of the eduGAIN production aggregate.
+    -->
+    <bean id="int_edugain_productionAggregate_fromFile" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
+        <property name="DOMResource">
+            <bean parent="FileSystemResource"
+                c:_-ref="int_edugain_productionAggregate_file"/>
+        </property>
+    </bean>
+
     <!--
         eduGAIN signing certificate.
     -->
-    <bean id="int_edugain_signingCertificate" parent="X509CertificateFactoryBean"
+    <bean id="int_edugain_signingCertificate" parent="mda.X509CertificateFactoryBean"
         p:resource="classpath:int_edugain/mds-v2.cer"/>
 
     <!--
@@ -71,24 +86,25 @@
         Remove blacklisted entities.
     -->
     <bean id="int_edugain_removeBlacklistedEntities" parent="mda.EntityFilterStage"
-        p:whitelistingEntities="false"
+        p:keepingEntities="false"
         p:designatedEntities-ref="int_edugain_entity_blacklist"/>
 
     <!--
         Fetch the production entities as a collection.
     -->
     <bean id="int_edugain_productionEntities" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
-                <ref bean="int_edugain_productionAggregate"/>
+                <ref bean="int_edugain_productionAggregate_fromFile"/>
 
                 <!--
                     Check for fatal errors at the aggregate level:
                         missing or expired validUntil attribute
-                        invalid signature
+
+                    Signature was checked when the file was downloaded,
+                    so we don't need to do it again here.
                 -->
                 <ref bean="check_validUntil"/>
-                <ref bean="int_edugain_checkSignature"/>
                 <ref bean="errorTerminatingFilter"/>
 
                 <ref bean="disassemble"/>
diff --git a/mdx/int_edugain/download.xml b/mdx/int_edugain/download.xml
new file mode 100644
index 00000000..844f12f9
--- /dev/null
+++ b/mdx/int_edugain/download.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Download eduGAIN aggregate.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    default-lazy-init="true"
+    xmlns:c="http://www.springframework.org/schema/c"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+    <!--
+        Import commonly used beans.
+    -->
+    <import resource="classpath:common-beans.xml"/>
+
+    <!--
+        Import eduGAIN channel beans.
+    -->
+    <import resource="classpath:int_edugain/beans.xml"/>
+
+    <!--
+        Download eduGAIN aggregate.
+    -->
+    <bean id="download" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+                <ref bean="int_edugain_productionAggregate"/>
+
+                <!--
+                    Check for fatal errors at the aggregate level:
+                        missing or expired validUntil attribute
+                        invalid signature
+                -->
+                <ref bean="check_validUntil"/>
+                <ref bean="int_edugain_checkSignature"/>
+                <ref bean="errorTerminatingFilter"/>
+
+                <!-- Write the downloaded aggregate out to a file. -->
+                <bean id="serializeImported" parent="mda.SerializationStage"
+                    p:serializer-ref="serializer"
+                    p:outputFile-ref="int_edugain_productionAggregate_file"/>
+            </list>
+        </property>
+    </bean>
+
+</beans>
diff --git a/mdx/int_edugain/verbs.xml b/mdx/int_edugain/verbs.xml
index de8ca005..bc936b1b 100644
--- a/mdx/int_edugain/verbs.xml
+++ b/mdx/int_edugain/verbs.xml
@@ -22,11 +22,6 @@
     -->
     <import resource="classpath:int_edugain/beans.xml"/>
 
-    <!--
-        Import inc-mda beans.
-    -->
-    <import resource="classpath:uk/org/iay/incommon/mda/beans.xml"/>
-
     <!--
         Import ukf channel beans, for uk_assemble.
     -->
@@ -95,7 +90,7 @@
                 <ref bean="int_edugain_productionEntities"/>
                 <ref bean="removeUKEntities"/>
                 <bean id="removeBlacklistedEntities" parent="mda.EntityFilterStage"
-                    p:whitelistingEntities="false"
+                    p:keepingEntities="false"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
 
                 <!--
@@ -132,7 +127,7 @@
                 <ref bean="int_edugain_productionEntities"/>
                 <ref bean="removeUKEntities"/>
                 <bean id="removeBlacklistedEntities" parent="mda.EntityFilterStage"
-                    p:whitelistingEntities="false"
+                    p:keepingEntities="false"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
 
                 <ref bean="standardImportActions"/>
@@ -161,7 +156,7 @@
 
                 <!-- remove all entities *other* than the ones in the blacklist -->
                 <bean id="removeAllButBlacklistedEntities" parent="mda.EntityFilterStage"
-                    p:whitelistingEntities="true"
+                    p:keepingEntities="true"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
 
                 <!-- flag up any remaining entities -->
diff --git a/mdx/int_reep/readme.md b/mdx/int_reep/readme.md
deleted file mode 100644
index 9059b91d..00000000
--- a/mdx/int_reep/readme.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# `int_reep` Channel
-
-REEP (RE:EP) is at <https://reep.refeds.org>.
-
-Ian Young's blog post authenticating the key is at <http://iay.org.uk/blog/2014/05/reep-key-ceremony>.
diff --git a/mdx/int_reep/reep.pem b/mdx/int_reep/reep.pem
deleted file mode 100644
index 6627d0ab..00000000
--- a/mdx/int_reep/reep.pem
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIE5DCCAswCCQCX5/wCyztEuTANBgkqhkiG9w0BAQsFADA0MRQwEgYDVQQDEwtS
-RUVQIFNpZ25lcjEPMA0GA1UEChMGVGVyZW5hMQswCQYDVQQGEwJOTDAeFw0xNDA1
-MTgxNjU0NTVaFw0zNDA1MTMxNjU0NTVaMDQxFDASBgNVBAMTC1JFRVAgU2lnbmVy
-MQ8wDQYDVQQKEwZUZXJlbmExCzAJBgNVBAYTAk5MMIICIjANBgkqhkiG9w0BAQEF
-AAOCAg8AMIICCgKCAgEAraN3xmgiLsThsSSopG8j4dc3HHGSlhN8o0dZrmbkXUlt
-Amp/xjUesSRAguNgxETM42Cpr9A/YBqOJy7IVODsDolsXMvxY1Nyo7ddplEdskaw
-Tj2llNmGbeeznlUem5WCDO+1KQqHHtm4SLumquXVswmWIbQNK6rIJ4NJsHAK7N4P
-gTanVz/YPRbFt6z/zRH4Ck+Bc1aF2/koryQLMygVDkHAokIl0S9FZ6oI0gWePrtt
-7LzvSCoB/yP3JIjCWoheyI7O9iCfkpcPv2c5H0aWVigWF3uPsEFAhnbCn/PI00L5
-lc8/00REu7MNjGarNoYdy2/E4nE4R4vgw4g04fWlDpbKVoeOOyOZSZMfSsIe/UkN
-R7B9zFbWE80laL6dy4WPMS1amovWWVOrZ0fY8EXJ5mEzbtLk6/LBd3dnhrx5BH6g
-0xTUWQl2sodm/e0xn7M5pRESLhGNPXG88fT4yzgIj5vlE0OCLGUFs7EhNCz+UJ1o
-1va8EdpnN8HG3RwNOTd0S1a9N9Q30VLUBjKK3bP/Mi0PcIKphgpfykIgStziIa59
-aqyVFSztSJiICiSvfWGDDOW4NneS+2iuNhq89lBxXdIE1mvdBZBcMUe7DQm/EGRw
-AFlvqrXdnxtMHzgRW9Fp/vQEeuWbiFnvmpzcMja2Pn4jPg/RhgzLXyXIPYMm69EC
-AwEAATANBgkqhkiG9w0BAQsFAAOCAgEASmjLZdqxm1OA4xCV/iDJp5h3rFG71VfO
-3HIBH8pywUuygd90+MogvmMwUTWGeFqltHmSNM8qMtqzd6lLA9fu+BRnNt7ZLTSt
-r9auetvNtZ/637njRXVKeJnf2HWjI7B0uO1FjStjS2/CQ5DnAhaxlkbomGEQL4Jq
-sEijx6MB+fibNfkYibbDNjaFVMPtGQChbmudhQ7e3GjAoRVR5SLZncJQcXREwxhU
-D9BOhtLEBnnhBX+h12PUyJ16PvkRiysxldltYZ5Ai+lAIlq+I6xwsuyALpZSKKVl
-QfwcQh0j1PZKNF6cw315Zj/5h5HeV7ORCdSsgec9Pp8a1sguvNl6SnjqZzrli5ni
-vyrkStaYMuCS09QIfi3OtafZUw5T0i8OjS3oCETAIyYuGQHRP9M5zG9ViuOvuUPD
-I7Q0KHbFzHb+9NBTSZsuusE9FYojcb43XR/r2/vBQF7RcSqlbjqtVZW9+pZtRBxf
-p8b7s3/eSqhEgqdVR0szXkEMrbx2UxbwFD19CnLn2wbmtRqlPwzX9zfdD4GUeko3
-WiG1NLAsc9vgApu0+n3km+CrizXOI/4qWMGA1dY7cOExaBkuFFavs/iI+rjSFg/I
-MlRaKTd4WBSuPjMoHrH+1KGsu/2TWK0iQ3VuoJchMnuEMocVPqRU4E8xw/8K+BYW
-j2BnINSs6EE=
------END CERTIFICATE-----
diff --git a/mdx/int_reep/reep.pem.asc b/mdx/int_reep/reep.pem.asc
deleted file mode 100644
index e4c478e7..00000000
--- a/mdx/int_reep/reep.pem.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iQIcBAABCAAGBQJTfgP4AAoJEJqATpfXB5x31X8QAJavS8CTMQu34J+6ihQGbnjj
-VheO8XUK8iMVe0aI4dT8T94ot3jnR7w6StfeGy3G0ASP9OrAPzlN5rqbkqE75wnu
-/s0oiFrGbY+TWhY2ptNkozWuE27jMTJmjJGbgmHejrQDiyIR7mTuZf5K+U8a2hZV
-DlqYfSjzlLeuVh/H+ygnMHSn/UZZRQ7rqz7DPwF1SAXHBiW+Q1PsuOgKTTrZQa2X
-PMQG3vSfZPWdoEB3pRApAXZsUqhxe3wLvJWkgCQ0mMhXvO1J5CvaISnDjuUm2klt
-qCeOhGaAlWumL1Xr8Y6Gi/p5ATn/SRjlg3uDa4f3uVpYRGmqZwoQEvq6JkGqhDyE
-mEoVGD4Ud4MfUtZkgLXOJ22RODjckkJbBySFYJjosuQ9w5rviJwPMBBjTZw4lNBS
-58VGy6puzEkCcJzlVynzjQi9bn83EDVNKD00Q8cOSJxRjqwQ0YYIM22EypDNmgiV
-ZS7xxmClwp9QS+r7x+0+xkNnG4IQHRZXvJglIMh0PyrjkDloGw6AUUOYNyHQOnqw
-URwjR5cpYZ2rZ3fRUFtCgaZ+tvdfbVxTBG8ZuqGw6zzPho3AEXwqW/PtJTej1aQr
-Mxm7xBc21URhXYkSr98qxsQyIJikNRHS2DkEWybDnNBc4SBbl4SjmThRNnxjUiC8
-UBnJ48ZYrmFMumowGqoO
-=wDWv
------END PGP SIGNATURE-----
diff --git a/mdx/mda-beans.xml b/mdx/mda-beans.xml
deleted file mode 100644
index ea592084..00000000
--- a/mdx/mda-beans.xml
+++ /dev/null
@@ -1,272 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:context="http://www.springframework.org/schema/context"
-    xmlns:util="http://www.springframework.org/schema/util"
-    xmlns:p="http://www.springframework.org/schema/p"
-    xmlns:c="http://www.springframework.org/schema/c"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
-        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
-        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-
-    <!--
-        Bean definitions for simplified access to components in the
-        Shibboleth Metadata Aggregator's aggregator-pipeline artifact.
-
-        All defined bean names are prefixed with "mda.".
-    -->
-
-    <!--
-        Parent for anything based on the Shibboleth component system.
-        These all require initialization before use.
-    -->
-    <bean id="mda.component_parent" abstract="true"
-        init-method="initialize" destroy-method="destroy"/>
-
-    <!--
-        Parent for all stages.
-    -->
-    <bean id="mda.stage_parent" abstract="true" parent="mda.component_parent"/>
-
-    <!--
-        net.shibboleth.metadata
-    -->
-
-    <bean id="mda.DeduplicatingItemIdMergeStrategy" abstract="true"
-        class="net.shibboleth.metadata.DeduplicatingItemIdMergeStrategy"/>
-
-    <bean id="mda.FirstItemIdItemIdentificationStrategy" abstract="true"
-        class="net.shibboleth.metadata.FirstItemIdItemIdentificationStrategy"/>
-
-    <bean id="mda.SimpleCollectionMergeStrategy" abstract="true"
-        class="net.shibboleth.metadata.SimpleCollectionMergeStrategy"/>
-
-    <bean id="mda.SimpleItemCollectionSerializer" abstract="true"
-        class="net.shibboleth.metadata.SimpleItemCollectionSerializer"/>
-
-    <!--
-        net.shibboleth.metadata.dom
-    -->
-
-    <bean id="mda.CRDetectionStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.CRDetectionStage"/>
-
-    <bean id="mda.DOMElementSerializer" abstract="true"
-        class="net.shibboleth.metadata.dom.DOMElementSerializer"/>
-
-    <bean id="mda.DOMFilesystemSourceStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.DOMFilesystemSourceStage"/>
-
-    <bean id="mda.DOMResourceSourceStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.DOMResourceSourceStage"/>
-
-    <bean id="mda.ElementStrippingStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.ElementStrippingStage"/>
-
-    <bean id="mda.ElementWhitespaceTrimmingStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.ElementWhitespaceTrimmingStage"/>
-
-    <bean id="mda.EmptyContainerStrippingStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.EmptyContainerStrippingStage"/>
-
-    <bean id="mda.MultiOutputXSLTransformationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.MultiOutputXSLTransformationStage"/>
-
-    <bean id="mda.NamespacesStrippingStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.NamespacesStrippingStage"/>
-
-    <bean id="mda.NamespaceStrippingStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.NamespaceStrippingStage"/>
-
-    <bean id="mda.XMLSchemaValidationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSchemaValidationStage"/>
-
-    <bean id="mda.XMLSignatureSigningStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureSigningStage"/>
-
-    <bean id="mda.XMLSignatureValidationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"/>
-
-    <bean id="mda.XPathFilteringStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.XPathFilteringStage"/>
-
-    <bean id="mda.XPathItemSelectionStrategy" abstract="true"
-        class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy"/>
-
-    <bean id="mda.XSLTransformationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.XSLTransformationStage"/>
-
-    <bean id="mda.XSLValidationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.XSLValidationStage"/>
-
-    <!--
-        net.shibboleth.metadata.dom.ds
-    -->
-
-    <bean id="mda.X509ValidationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.ds.X509ValidationStage"/>
-
-    <!--
-        net.shibboleth.metadata.dom.saml
-    -->
-
-    <bean id="mda.ContactPersonFilterStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.ContactPersonFilterStage"/>
-
-    <bean id="mda.EntitiesDescriptorAssemblerStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorAssemblerStage"/>
-
-    <bean id="mda.EntitiesDescriptorDisassemblerStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorDisassemblerStage"/>
-
-    <bean id="mda.EntityDescriptorItemIdPopulationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntityDescriptorItemIdPopulationStage"/>
-
-    <bean id="mda.EntityFilterStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntityFilterStage"/>
-
-    <bean id="mda.EntityRoleFilterStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntityRoleFilterStage"/>
-
-    <bean id="mda.GenerateIdStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.GenerateIdStage"/>
-
-    <bean id="mda.PullUpCacheDurationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.PullUpCacheDurationStage"/>
-
-    <bean id="mda.PullUpValidUntilStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.PullUpValidUntilStage"/>
-
-    <bean id="mda.RemoveOrganizationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.RemoveOrganizationStage"/>
-
-    <bean id="mda.SetCacheDurationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.SetCacheDurationStage"/>
-
-    <bean id="mda.SetValidUntilStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.SetValidUntilStage"/>
-
-    <bean id="mda.ValidateValidUntilStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.ValidateValidUntilStage"/>
-
-    <!--
-        net.shibboleth.metadata.dom.saml.mdattr
-    -->
-
-    <bean id="mda.EntityAttributeFilteringStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.mdattr.EntityAttributeFilteringStage"/>
-
-    <bean id="mda.EntityCategoryMatcher" abstract="true"
-        class="net.shibboleth.metadata.dom.saml.mdattr.EntityCategoryMatcher"/>
-
-    <bean id="mda.EntityCategorySupportMatcher" abstract="true"
-        class="net.shibboleth.metadata.dom.saml.mdattr.EntityCategorySupportMatcher"/>
-
-    <bean id="mda.MultiPredicateMatcher" abstract="true"
-        class="net.shibboleth.metadata.dom.saml.mdattr.MultiPredicateMatcher"/>
-
-    <bean id="mda.RegistrationAuthorityMatcher" abstract="true"
-        class="net.shibboleth.metadata.dom.saml.mdattr.RegistrationAuthorityMatcher"/>
-
-    <!--
-        net.shibboleth.metadata.dom.saml.mdrpi
-    -->
-
-    <bean id="mda.EntityRegistrationAuthorityFilterStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.mdrpi.EntityRegistrationAuthorityFilterStage"/>
-
-    <bean id="mda.RegistrationAuthorityItemIdentificationStrategy" abstract="true"
-        class="net.shibboleth.metadata.dom.saml.mdrpi.RegistrationAuthorityItemIdentificationStrategy"/>
-
-    <bean id="mda.RegistrationAuthorityPopulationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.dom.saml.mdrpi.RegistrationAuthorityPopulationStage"/>
-
-    <!--
-        net.shibboleth.metadata.pipeline
-    -->
-
-    <bean id="mda.AtLeastCollectionPredicate" abstract="true"
-        class="net.shibboleth.metadata.pipeline.AtLeastCollectionPredicate"/>
-
-    <bean id="mda.CompositeStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.pipeline.CompositeStage"/>
-
-    <bean id="mda.FilesInDirectoryMultiOutputStrategy" abstract="true" parent="mda.component_parent"
-        class="net.shibboleth.metadata.pipeline.FilesInDirectoryMultiOutputStrategy"/>
-
-    <bean id="mda.ItemIdTransformStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.pipeline.ItemIdTransformStage"/>
-
-    <bean id="mda.ItemMetadataAddingStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.pipeline.ItemMetadataAddingStage"/>
-
-    <bean id="mda.ItemMetadataFilterStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.pipeline.ItemMetadataFilterStage"/>
-
-    <bean id="mda.ItemMetadataTerminationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.pipeline.ItemMetadataTerminationStage"/>
-
-    <bean id="mda.MDQueryMD5ItemIdTransformer" abstract="true"
-        class="net.shibboleth.metadata.pipeline.MDQueryMD5ItemIdTransformer"/>
-
-    <bean id="mda.MDQuerySHA1ItemIdTransformer" abstract="true"
-        class="net.shibboleth.metadata.pipeline.MDQuerySHA1ItemIdTransformer"/>
-
-    <bean id="mda.MultiOutputSerializationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.pipeline.MultiOutputSerializationStage"/>
-
-    <bean id="mda.PipelineDemultiplexerStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.pipeline.PipelineDemultiplexerStage"/>
-
-    <bean id="mda.PipelineMergeStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.pipeline.PipelineMergeStage"/>
-
-    <bean id="mda.ScriptletStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.pipeline.ScriptletStage"/>
-
-    <bean id="mda.SerializationStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.pipeline.SerializationStage"/>
-
-    <bean id="mda.SimplePipeline" abstract="true" parent="mda.component_parent"
-        class="net.shibboleth.metadata.pipeline.SimplePipeline"/>
-
-    <bean id="mda.SplitMergeStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.pipeline.SplitMergeStage"/>
-
-    <bean id="mda.StaticItemSourceStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.pipeline.StaticItemSourceStage"/>
-
-    <bean id="mda.StatusMetadataLoggingStage" abstract="true" parent="mda.stage_parent"
-        class="net.shibboleth.metadata.pipeline.StatusMetadataLoggingStage"/>
-
-    <!--
-        net.shibboleth.metadata.util
-    -->
-
-    <bean id="mda.PathSegmentStringTransformer" abstract="true"
-        class="net.shibboleth.metadata.util.PathSegmentStringTransformer"/>
-
-    <bean id="mda.SHA1StringTransformer" abstract="true"
-        class="net.shibboleth.metadata.util.SHA1StringTransformer"/>
-
-    <!--
-        net.shibboleth.metadata.validate
-    -->
-
-    <bean id="mda.validator_parent" abstract="true" parent="mda.component_parent"/>
-
-    <!--
-        net.shibboleth.metadata.validate.x509
-    -->
-
-    <bean id="mda.X509RSAExponentValidator" abstract="true" parent="mda.validator_parent"
-        class="net.shibboleth.metadata.validate.x509.X509RSAExponentValidator"/>
-
-    <bean id="mda.X509RSAKeyLengthValidator" abstract="true" parent="mda.validator_parent"
-        class="net.shibboleth.metadata.validate.x509.X509RSAKeyLengthValidator"/>
-
-    <bean id="mda.X509RSAOpenSSLBlacklistValidator" abstract="true" parent="mda.validator_parent"
-        class="net.shibboleth.metadata.validate.x509.X509RSAOpenSSLBlacklistValidator"/>
-
-</beans>
diff --git a/mdx/strip-mdui-logo-length.xsl b/mdx/strip-mdui-logo-length.xsl
index 18544d73..ad387030 100644
--- a/mdx/strip-mdui-logo-length.xsl
+++ b/mdx/strip-mdui-logo-length.xsl
@@ -11,7 +11,6 @@
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-    xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
     xmlns:set="http://exslt.org/sets"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
diff --git a/mdx/test/beans.xml b/mdx/test/beans.xml
index e3a8f5a0..19367897 100644
--- a/mdx/test/beans.xml
+++ b/mdx/test/beans.xml
@@ -23,7 +23,7 @@
         Fetch and process the entities as a collection.
     -->
     <bean id="test_entities" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="test_aggregate"/>
                 <ref bean="disassemble"/>
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 4ae862cf..3bc5b5fa 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -42,7 +42,7 @@
                 <value>administrative</value>
             </list>
         </property>
-        <property name="whitelistingTypes" value="false"/>
+        <property name="keepingTypes" value="false"/>
     </bean>
 
 
@@ -107,7 +107,7 @@
     <bean id="uk_exportAggregate" parent="mda.DOMResourceSourceStage">
         <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
-            <bean parent="HTTPResource">
+            <bean parent="mda.HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
                 <constructor-arg name="url" ref="uk_exportAggregate_url"/>
             </bean>
@@ -121,7 +121,7 @@
     <bean id="uk_productionAggregate" parent="mda.DOMResourceSourceStage">
         <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
-            <bean parent="HTTPResource">
+            <bean parent="mda.HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
                 <constructor-arg name="url" ref="uk_productionAggregate_url"/>
             </bean>
@@ -132,7 +132,7 @@
     <!--
         Metadata signing certificate.
     -->
-    <bean id="uk_signingCertificate" parent="X509CertificateFactoryBean"
+    <bean id="uk_signingCertificate" parent="mda.X509CertificateFactoryBean"
         p:resource="classpath:uk/ukfederation-2014.pem"/>
 
 
@@ -177,7 +177,7 @@
 
         This bean contains the contents of the members.xml file as a DOM Document.
     -->
-    <bean id="uk_membersDocument" parent="DOMDocumentFactoryBean">
+    <bean id="uk_membersDocument" parent="mda.DOMDocumentFactoryBean">
         <property name="resource">
             <bean parent="FileSystemResource" c:_="${members.dir}/members.xml"/>
         </property>
@@ -190,7 +190,7 @@
 
         This bean loads the schema for the members.xml file as a DOM Document.
     -->
-    <bean id="uk_membersSchemaDocument" parent="DOMDocumentFactoryBean">
+    <bean id="uk_membersSchemaDocument" parent="mda.DOMDocumentFactoryBean">
         <property name="resource">
             <bean parent="FileSystemResource" c:_="${members.dir}/ukfederation-members.xsd"/>
         </property>
@@ -238,9 +238,9 @@
 
         Check against UKf-specific list of compromised RSA keys.
     -->
-    <bean id="compromised.ukf" parent="mda.X509RSAOpenSSLBlacklistValidator"
+    <bean id="compromised.ukf" parent="mda.X509RSAOpenSSLKeylistValidator"
         p:id="compromised.ukf">
-        <property name="blacklistResource">
+        <property name="keylistResource">
             <bean parent="FileSystemResource" c:_="${blocklists.dir}/compromised-keys.txt"/>
         </property>
     </bean>
@@ -271,7 +271,7 @@
         described by the EmailAddressStringValidator. In particular,
         this requires the "mailto:" scheme."
     -->
-    <bean id="check_uk_email" parent="ukf.StringElementValidationStage"
+    <bean id="check_uk_email" parent="mda.StringElementValidationStage"
         p:elementName-ref="md-EmailAddress">
         <property name="validators">
             <bean id="format" parent="ukf.EmailAddressStringValidator"/>
@@ -335,6 +335,14 @@
     <bean id="check_uk_rands" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_rands.xsl"/>
 
+    <!--
+        check_ukfedlabel
+
+        Check use of elements from the ukfedlabel namespace.
+    -->
+    <bean id="check_ukfedlabel" parent="mda.XSLValidationStage"
+        p:XSLResource="classpath:uk/check_ukfedlabel.xsl"/>
+
     <!--
         ***************************************
         ***                                 ***
@@ -369,7 +377,7 @@
             </bean>
         </property>
         <property name="sourceFileFilter">
-            <bean parent="ukf.RegexFileFilter">
+            <bean parent="mda.RegexFileFilter">
                 <constructor-arg value="uk\d{6}.xml"/>
             </bean>
         </property>
@@ -380,7 +388,7 @@
         Fetch and process the registered entities as a collection.
     -->
     <bean id="uk_registeredEntities" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="uk_fetchFragmentFiles"/>
                 <ref bean="uk_processFragment"/>
@@ -398,6 +406,15 @@
                 <bean id="scopes_inject" parent="ukf.ScopeInjectionStage"
                     p:members-ref="uk_members"/>
 
+                <ref bean="uk_add_cbc_encryption"/>
+
+                <!--
+                    Remove entity-level Scope elements, leaving only the ones associated
+                    with role descriptors.
+                -->
+                <bean id="stripEntityScopes" parent="mda.XSLTransformationStage"
+                    p:XSLResource="classpath:uk/entity_scopes.xsl"/>
+
                 <ref bean="populateItemIds"/>
                 <ref bean="uk_populateIds"/>
                 <bean id="uk_populateFlowConstraints"
@@ -407,8 +424,7 @@
 
                 <ref bean="checkSchemas"/>
                 <ref bean="CHECK_std"/>
-                <bean id="check_ukfedlabel" parent="mda.XSLValidationStage"
-                    p:XSLResource="classpath:uk/check_ukfedlabel.xsl"/>
+                <ref bean="check_ukfedlabel"/>
                 <ref bean="check_ukreg"/>
                 <ref bean="check_uk_email"/>
                 <ref bean="check_owner"/>
@@ -426,7 +442,7 @@
                     <property name="validators">
                         <list>
                             <!-- Error on DSA keys. -->
-                            <bean p:id="DSA" parent="ukf.X509DSADetector"/>
+                            <bean p:id="DSA" parent="mda.X509DSADetector"/>
 
                             <!-- Error on RSA key length less than 2048 bits. -->
                             <bean p:id="RSAKeyLength" parent="mda.X509RSAKeyLengthValidator"
@@ -434,10 +450,10 @@
                             <!-- Error on small RSA public exponents. -->
                             <bean p:id="RSAExponent" parent="mda.X509RSAExponentValidator"/>
                             <!-- Error on keys vulnerable to ROCA. -->
-                            <bean p:id="ROCA" parent="ukf.X509ROCAValidator"/>
+                            <bean p:id="ROCA" parent="mda.X509ROCAValidator"/>
 
                             <!--
-                                Debian weak key blacklists.
+                                Debian weak key lists.
 
                                 Don't need to check for keys below our minimum key size.
                             -->
@@ -445,7 +461,7 @@
                             <ref bean="debian.4096"/>
 
                             <!--
-                                Compromised key blacklists.
+                                Compromised key lists.
 
                                 Again, don't need to check for keys below our minimum key size.
                             -->
@@ -601,7 +617,7 @@
         Fetch the export entities as a collection.
     -->
     <bean id="uk_exportedEntities" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="uk_exportAggregate"/>
 
diff --git a/mdx/uk/check_uk_mdattr.xsl b/mdx/uk/check_uk_mdattr.xsl
index cd00198b..0184e9c7 100644
--- a/mdx/uk/check_uk_mdattr.xsl
+++ b/mdx/uk/check_uk_mdattr.xsl
@@ -98,6 +98,7 @@
         /saml:AttributeValue
         [. != 'http://refeds.org/category/research-and-scholarship']
         [. != 'http://www.geant.net/uri/dataprotection-code-of-conduct/v1']
+        [. != 'https://refeds.org/category/code-of-conduct/v2']
         ">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
diff --git a/mdx/uk/check_uk_rands.xsl b/mdx/uk/check_uk_rands.xsl
index 331aa9d5..dd33eb9c 100644
--- a/mdx/uk/check_uk_rands.xsl
+++ b/mdx/uk/check_uk_rands.xsl
@@ -37,7 +37,7 @@
 			[not(md:Extensions/mdrpi:RegistrationInfo/mdrpi:RegistrationPolicy)]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
-                <xsl:text>SP asserts R&amp;S entity category but has no RegistrationPolicy element.</xsl:text>
+                <xsl:text>SP asserts Research and Scholarship entity category but has no RegistrationPolicy element.</xsl:text>
             </xsl:with-param>
         </xsl:call-template>
     </xsl:template>
@@ -57,7 +57,7 @@
                         [not(md:Extensions/mdrpi:RegistrationInfo/mdrpi:RegistrationPolicy)]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
-                <xsl:text>IdP supports R&amp;S entity category but has no RegistrationPolicy element.</xsl:text>
+                <xsl:text>IdP supports Research and Scholarship entity category but has no RegistrationPolicy element.</xsl:text>
             </xsl:with-param>
         </xsl:call-template>
     </xsl:template>
diff --git a/mdx/uk/discofeeds.xml b/mdx/uk/discofeeds.xml
deleted file mode 100644
index 05a7c983..00000000
--- a/mdx/uk/discofeeds.xml
+++ /dev/null
@@ -1,138 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-    Verb to generate EDS-format JSON discovery feeds corresponding to
-    the (previously generated) unsigned production aggregate.
-
-    Two such feeds are generated:
-
-    * discofeed-all.json includes all IdPs in the production aggregate.
-
-    * discofeed.json includes only those IdPs not marked as hidden.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
-    default-lazy-init="true"
-    xmlns:c="http://www.springframework.org/schema/c"
-    xmlns:p="http://www.springframework.org/schema/p"
-    xmlns:util="http://www.springframework.org/schema/util"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
-        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-
-    <!--
-        Import commonly used beans.
-    -->
-    <import resource="classpath:common-beans.xml"/>
-
-    <!--
-        Import channel-specific beans.
-    -->
-    <import resource="classpath:uk/beans.xml"/>
-
-    <!--
-        *****************************
-        ***                       ***
-        ***   U T I L I T I E S   ***
-        ***                       ***
-        *****************************
-    -->
-
-    <!-- This bean MUST be called "conversionService" to work properly. -->
-    <bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean">
-        <property name="converters">
-            <set>
-                <bean class="net.shibboleth.ext.spring.config.DurationToLongConverter" />
-                <bean class="net.shibboleth.ext.spring.config.StringToIPRangeConverter" />
-                <bean class="net.shibboleth.ext.spring.config.BooleanToPredicateConverter" />
-                <bean class="net.shibboleth.ext.spring.config.StringBooleanToPredicateConverter" />
-                <bean class="net.shibboleth.ext.spring.config.StringToResourceConverter" />
-            </set>
-        </property>
-    </bean>
-
-
-    <!--
-        ***************************************************
-        ***                                             ***
-        ***   P R O D U C T I O N   A G G R E G A T E   ***
-        ***                                             ***
-        ***************************************************
-    -->
-
-    <bean id="serializeUnsignedProductionAggregate" parent="mda.SerializationStage">
-        <property name="serializer" ref="serializer"/>
-        <property name="outputFile">
-            <bean parent="File">
-                <constructor-arg value="${output.dir}/ukfederation-metadata-unsigned.xml"/>
-            </bean>
-        </property>
-    </bean>
-
-
-    <!--
-        *************************************
-        ***                               ***
-        ***   M A I N   P I P E L I N E   ***
-        ***                               ***
-        *************************************
-    -->
-
-    <bean id="discoFeedSerializer" parent="ukf.DiscoFeedCollectionSerializer"
-        p:prettyPrinting="true" p:includingLegacyDisplayNames="true"/>
-
-    <bean id="discofeeds" parent="mda.SimplePipeline">
-        <property name="stages">
-            <list>
-                <!--
-                    Acquire the production aggregate and split it into
-                    individual entities.
-                -->
-                <bean id="productionAggregate" parent="mda.DOMResourceSourceStage"
-                    p:parserPool-ref="parserPool">
-                    <property name="DOMResource">
-                        <bean parent="FileSystemResource">
-                            <constructor-arg value="${output.dir}/ukfederation-metadata-unsigned.xml"/>
-                        </bean>
-                    </property>
-                </bean>
-                <ref bean="disassemble"/>
-
-                <!--
-                    Serialize all IdPs in the collection into a feed.
-                -->
-                <bean id="discoFeedAll" parent="mda.SerializationStage"
-                    p:serializer-ref="discoFeedSerializer">
-                    <property name="outputFile">
-                        <bean parent="File">
-                            <constructor-arg value="${output.dir}/discofeed-all.json"/>
-                        </bean>
-                    </property>
-                </bean>
-
-                <!--
-                    Remove all "hidden from discovery" IdPs.
-                -->
-                <bean id="removeHidden" parent="mda.XPathFilteringStage"
-                    p:namespaceContext-ref="commonNamespaces"
-                    p:XPathExpression="//mdattr:EntityAttributes/saml:Attribute
-                        [@Name = 'http://macedir.org/entity-category']
-                        [@NameFormat = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
-                        [saml:AttributeValue[.='http://refeds.org/category/hide-from-discovery']]"/>
-
-                <!--
-                    Serialize all IdPs that remain into a second feed.
-                -->
-                <bean id="discoFeed" parent="mda.SerializationStage"
-                    p:serializer-ref="discoFeedSerializer">
-                    <property name="outputFile">
-                        <bean parent="File">
-                            <constructor-arg value="${output.dir}/discofeed.json"/>
-                        </bean>
-                    </property>
-                </bean>
-
-            </list>
-        </property>
-    </bean>
-
-</beans>
diff --git a/mdx/uk/edugain-policy.xml b/mdx/uk/edugain-policy.xml
index 9136b0e4..5edc6683 100644
--- a/mdx/uk/edugain-policy.xml
+++ b/mdx/uk/edugain-policy.xml
@@ -43,7 +43,7 @@
 
     -->
     <bean id="edugainPolicy" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
 
                 <!--
@@ -67,69 +67,7 @@
 
                     Perform detailed scope checking.
                 -->
-                <bean id="checkScopes" parent="inc.stage_parent"
-                    class="uk.org.iay.incommon.mda.dom.saml.shib.ScopeValidationStage">
-                    <property name="validators">
-                        <list>
-                            <bean p:id="empty" parent="inc.RejectStringRegexValidator"
-                                p:regex="" p:message="scope element must not be empty"/>
-                            <bean p:id="whiteSpace" parent="inc.RejectStringRegexValidator"
-                                p:regex=".*\s.*" p:message="scope '%s' includes white space"/>
-
-                            <!--
-                                Explicitly accept domains which, although they
-                                fall afoul of the public suffic heuristic, are
-                                nevertheless known to be legitimately used as
-                                security domains.
-                            -->
-                            <bean p:id="mil.no" parent="inc.AcceptStringValueValidator"
-                                p:value="mil.no"/>
-
-                            <bean p:id="domainName" parent="inc.AsDomainNameStringValidator"
-                                p:message="scope is not a valid domain name: %s">
-                                <property name="validators">
-                                    <list>
-                                        <!-- DNS name validators -->
-                                        <bean p:id="publicSuffix" parent="inc.RejectDomainNamePublicSuffixValidator"
-                                            p:message="scope is a public suffix: '%s'"/>
-                                        <bean p:id="noPublicSuffix" parent="inc.RejectDomainNameNotUnderPublicSuffixValidator"
-                                            p:message="scope is not under a public suffix: '%s'"/>
-                                    </list>
-                                </property>
-                            </bean>
-                        </list>
-                    </property>
-                    <property name="regexpValidators">
-                        <list>
-                            <bean p:id="empty" parent="inc.RejectStringRegexValidator"
-                                p:regex="" p:message="regex scope element must not be empty"/>
-                            <bean p:id="whiteSpace" parent="inc.RejectStringRegexValidator"
-                                p:regex=".*\s.*" p:message="regex scope '%s' includes white space"/>
-                            <bean p:id="endAnchor" parent="inc.RejectStringRegexValidator"
-                                p:regex=".*[^$]" p:message="regex scope '%s' does not end with an anchor ('$')"/>
-                            <bean p:id="literalTail" parent="inc.AsLiteralTailStringValidator"
-                                p:message="regular expression '%s' does not end with a literal tail">
-                                <property name="validators">
-                                    <!-- validators to apply to the literal tail -->
-                                    <list>
-                                        <bean p:id="domainName" parent="inc.AsDomainNameStringValidator"
-                                            p:message="literal tail is not a valid domain name: %s">
-                                            <property name="validators">
-                                                <list>
-                                                    <!-- DNS name validators for the literal tail -->
-                                                    <bean p:id="publicSuffix" parent="inc.RejectDomainNamePublicSuffixValidator"
-                                                        p:message="literal tail is a public suffix: '%s'"/>
-                                                    <bean p:id="noPublicSuffix" parent="inc.RejectDomainNameNotUnderPublicSuffixValidator"
-                                                        p:message="literal tail is not under a public suffix: '%s'"/>
-                                                </list>
-                                            </property>
-                                        </bean>
-                                    </list>
-                                </property>
-                            </bean>
-                        </list>
-                    </property>
-                </bean>
+                <ref bean="check_edugain_scopes"/>
 
                 <!--
                     ***************************************************
@@ -154,7 +92,75 @@
                     Checks against the UKf-specific list of compromised RSA keys.
                 -->
                 <ref bean="check_ukf_compromised"/>
-                    
+
+            </list>
+        </property>
+    </bean>
+
+    <!--
+        check_edugain_scopes
+
+        eduGAIN-specific rules for Scope elements.
+    -->
+    <bean id="check_edugain_scopes" p:id="checkScopes" parent="mda.ScopeValidationStage">
+        <property name="validators">
+            <list>
+                <bean p:id="empty" parent="mda.RejectStringRegexValidator"
+                    p:regex="" p:message="scope element must not be empty"/>
+                <bean p:id="whiteSpace" parent="mda.RejectStringRegexValidator"
+                    p:regex=".*\s.*" p:message="scope '%s' includes white space"/>
+
+                <!--
+                    Explicitly accept domains which, although they
+                    fall afoul of the public suffic heuristic, are
+                    nevertheless known to be legitimately used as
+                    security domains.
+                -->
+                <bean p:id="mil.no" parent="mda.AcceptStringValueValidator"
+                    p:value="mil.no"/>
+
+                <bean p:id="domainName" parent="mda.AsDomainNameStringValidator"
+                    p:message="scope is not a valid domain name: %s">
+                    <property name="validators">
+                        <list>
+                            <!-- DNS name validators -->
+                            <bean p:id="publicSuffix" parent="mda.RejectDomainNamePublicSuffixValidator"
+                                p:message="scope is a public suffix: '%s'"/>
+                            <bean p:id="noPublicSuffix" parent="mda.RejectDomainNameNotUnderPublicSuffixValidator"
+                                p:message="scope is not under a public suffix: '%s'"/>
+                        </list>
+                    </property>
+                </bean>
+            </list>
+        </property>
+        <property name="regexpValidators">
+            <list>
+                <bean p:id="empty" parent="mda.RejectStringRegexValidator"
+                    p:regex="" p:message="regex scope element must not be empty"/>
+                <bean p:id="whiteSpace" parent="mda.RejectStringRegexValidator"
+                    p:regex=".*\s.*" p:message="regex scope '%s' includes white space"/>
+                <bean p:id="endAnchor" parent="mda.RejectStringRegexValidator"
+                    p:regex=".*[^$]" p:message="regex scope '%s' does not end with an anchor ('$')"/>
+                <bean p:id="literalTail" parent="mda.AsLiteralTailStringValidator"
+                    p:message="regular expression '%s' does not end with a literal tail">
+                    <property name="validators">
+                        <!-- validators to apply to the literal tail -->
+                        <list>
+                            <bean p:id="domainName" parent="mda.AsDomainNameStringValidator"
+                                p:message="literal tail is not a valid domain name: %s">
+                                <property name="validators">
+                                    <list>
+                                        <!-- DNS name validators for the literal tail -->
+                                        <bean p:id="publicSuffix" parent="mda.RejectDomainNamePublicSuffixValidator"
+                                            p:message="literal tail is a public suffix: '%s'"/>
+                                        <bean p:id="noPublicSuffix" parent="mda.RejectDomainNameNotUnderPublicSuffixValidator"
+                                            p:message="literal tail is not under a public suffix: '%s'"/>
+                                    </list>
+                                </property>
+                            </bean>
+                        </list>
+                    </property>
+                </bean>
             </list>
         </property>
     </bean>
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 4e4feae4..22117bf9 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -33,11 +33,6 @@
     -->
     <import resource="file:${blocklists.dir}/fallback-blocklist.xml"/>
 
-    <!--
-        Import inc-mda beans.
-    -->
-    <import resource="classpath:uk/org/iay/incommon/mda/beans.xml"/>
-
     <!--
         Import UK federation ingress policy for eduGAIN.
     -->
@@ -51,28 +46,6 @@
         *****************************
     -->
 
-    <!-- This bean MUST be called "conversionService" to work properly. -->
-    <bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean">
-        <property name="converters">
-            <set>
-                <bean class="net.shibboleth.ext.spring.config.DurationToLongConverter" />
-                <bean class="net.shibboleth.ext.spring.config.StringToIPRangeConverter" />
-                <bean class="net.shibboleth.ext.spring.config.BooleanToPredicateConverter" />
-                <bean class="net.shibboleth.ext.spring.config.StringBooleanToPredicateConverter" />
-                <bean class="net.shibboleth.ext.spring.config.StringToResourceConverter" />
-            </set>
-        </property>
-    </bean>
-
-    <!--
-        stripEntityScopes
-
-        Remove entity-level Scope elements, leaving only the ones associated
-        with role descriptors.
-    -->
-    <bean id="stripEntityScopes" parent="mda.XSLTransformationStage"
-        p:XSLResource="classpath:uk/entity_scopes.xsl"/>
-
     <!--
         finalise_parent
 
@@ -88,7 +61,7 @@
         Assemble a UK-style aggregate with an appropriate ID.
     -->
     <bean id="assembleAggregate" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="uk_assemble"/>
                 <!--
@@ -97,9 +70,9 @@
                     Set the item's ID attribute to the static string "_".
                 -->
                 <bean id="setStaticID" parent="mda.GenerateIdStage">
-                    <constructor-arg>
-                        <bean parent="ukf.FixedStringIdentifierGenerationStrategy" c:_="_"/>
-                    </constructor-arg>
+                    <property name="generator">
+                        <bean parent="mda.FixedStringIdentifierGenerationStrategy" c:_="_"/>
+                    </property>
                 </bean>
             </list>
         </property>
@@ -114,7 +87,7 @@
         the registered metadata.
     -->
     <bean id="checkPublishable" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="checkSchemas"/>
                 <ref bean="check_aggregate"/>
@@ -136,26 +109,8 @@
     <!--
         Entity attribute matcher for the SIRTFI assurance certification.
     -->
-    <bean id="SIRTFI.entity.attribute.matcher" parent="mda.MultiPredicateMatcher">
-        <property name="nameFormatPredicate">
-            <bean class="com.google.common.base.Predicates"
-                factory-method="equalTo"
-                c:_="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-            />
-        </property>
-        <property name="namePredicate">
-            <bean class="com.google.common.base.Predicates"
-                factory-method="equalTo"
-                c:_="urn:oasis:names:tc:SAML:attribute:assurance-certification"
-            />
-        </property>
-        <property name="valuePredicate">
-            <bean class="com.google.common.base.Predicates"
-                factory-method="equalTo"
-                c:_="https://refeds.org/sirtfi"
-            />
-        </property>
-    </bean>
+    <bean id="SIRTFI.entity.attribute.matcher" parent="mda.AssuranceCertificationMatcher"
+        c:_="https://refeds.org/sirtfi"/>
 
     <!--
         Remove the REFEDS metadata namespace.
@@ -167,7 +122,7 @@
         Strip SIRTFI information.
     -->
     <bean id="strip.SIRTFI" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <!-- remove REFEDS contacts associated with SIRTFI -->
                 <bean id="strip.SIRTFI.contacts" parent="mda.XSLTransformationStage"
@@ -178,7 +133,7 @@
 
                 <!-- remove the SIRTFI entity attribute -->
                 <bean id="entityAttributes" parent="mda.EntityAttributeFilteringStage"
-                    p:whitelisting="false">
+                    p:keeping="false">
                     <property name="rules">
                         <list>
                             <ref bean="SIRTFI.entity.attribute.matcher"/>
@@ -212,7 +167,7 @@
             </list>
         </property>
         <property name="requiringRegistrationInformation" value="true"/>
-        <property name="whitelistingRegistrationAuthorities" value="false"/>
+        <property name="keepingRegistrationAuthorities" value="false"/>
     </bean>
 
     <!--
@@ -221,11 +176,11 @@
         Filter out entities which are included in our global import blacklist.
     -->
     <bean id="removeBlacklistedEntities" parent="mda.EntityFilterStage"
-        p:whitelistingEntities="false"
+        p:keepingEntities="false"
         p:designatedEntities-ref="importEntityBlacklist"/>
 
     <bean id="entityAttributes.blacklist" parent="mda.EntityAttributeFilteringStage">
-        <property name="whitelisting" value="false"/>
+        <property name="keeping" value="false"/>
         <property name="rules">
             <list>
                 <!-- Deny "InCommon registration" attribute (duplicates mdrpi:registrationAuthority) -->
@@ -305,9 +260,6 @@
                 <ref bean="assembleAggregate"/>
                 <bean parent="mda.SetCacheDurationStage"
                     p:cacheDuration="${cacheDuration.aggregate.duration}"/>
-                <ref bean="stripEntityScopes"/>
-
-                <ref bean="uk_add_cbc_encryption"/>
 
                 <ref bean="uk_finaliseProduction"/>
                 <ref bean="uk_normaliseNamespaces"/>
@@ -369,7 +321,6 @@
                 <ref bean="assembleAggregate"/>
                 <bean parent="mda.SetCacheDurationStage"
                     p:cacheDuration="${cacheDuration.aggregate.duration}"/>
-                <ref bean="stripEntityScopes"/>
 
                 <!--
                     Remove embedded images used in mdui:Logo elements.
@@ -407,7 +358,7 @@
         removes everything it does not need.
     -->
     <bean id="CDSStripUnwanted" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="stripComments"/>
 
@@ -611,13 +562,12 @@
                     p:flowName="fallback"/>
 
                 <bean id="removeFallbackBlocklist" parent="mda.EntityFilterStage"
-                    p:whitelistingEntities="false"
+                    p:keepingEntities="false"
                     p:designatedEntities-ref="fallbackEntityBlocklist"/>
 
                 <ref bean="assembleAggregate"/>
                 <bean parent="mda.SetCacheDurationStage"
                     p:cacheDuration="${cacheDuration.aggregate.duration}"/>
-                <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseFallback"/>
                 <ref bean="uk_normaliseFallback"/>
@@ -665,7 +615,7 @@
     </bean>
 
     <bean id="uk_testPipeline" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <!-- Apply flow constraints for this flow. -->
                 <bean id="flowConstraints" parent="ukf.FlowConstraintApplyingStage"
@@ -674,9 +624,6 @@
                 <ref bean="assembleAggregate"/>
                 <bean parent="mda.SetCacheDurationStage"
                     p:cacheDuration="${cacheDuration.aggregate.duration}"/>
-                <ref bean="stripEntityScopes"/>
-
-                <ref bean="uk_add_cbc_encryption"/>
 
                 <ref bean="uk_finaliseTest"/>
                 <ref bean="uk_normaliseTest"/>
@@ -789,11 +736,8 @@
                 <ref bean="assembleAggregate"/>
                 <bean parent="mda.SetCacheDurationStage"
                     p:cacheDuration="${cacheDuration.aggregate.duration}"/>
-                <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
 
-                <ref bean="uk_add_cbc_encryption"/>
-
                 <ref bean="uk_finaliseExport"/>
 
                 <bean id="uk_normaliseExport" parent="mda.XSLTransformationStage"
@@ -892,11 +836,8 @@
                 <ref bean="assembleAggregate"/>
                 <bean parent="mda.SetCacheDurationStage"
                     p:cacheDuration="${cacheDuration.aggregate.duration}"/>
-                <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
 
-                <ref bean="uk_add_cbc_encryption"/>
-
                 <ref bean="uk_finaliseExport"/>
 
                 <bean id="uk_normaliseExportPreview" parent="mda.XSLTransformationStage"
@@ -960,9 +901,9 @@
                     Fork a new output pipeline for the registrar statistics.
                 -->
                 <bean id="rawRegistrarDemux" parent="mda.PipelineDemultiplexerStage">
-                    <property name="pipelineAndSelectionStrategies">
+                    <property name="pipelinesAndStrategies">
                         <list>
-                            <bean class="net.shibboleth.utilities.java.support.collection.Pair">
+                            <bean parent="mda.PipelineAndStrategy">
                                 <constructor-arg ref="uk_statisticsPipeline"/>
                                 <constructor-arg ref="everythingSelector"/>
                             </bean>
@@ -1009,13 +950,13 @@
                     too many UK-specific transformations are performed.
                 -->
                 <bean id="registrarDemux" parent="mda.PipelineDemultiplexerStage">
-                    <property name="pipelineAndSelectionStrategies">
+                    <property name="pipelinesAndStrategies">
                         <list>
-                            <bean class="net.shibboleth.utilities.java.support.collection.Pair">
+                            <bean parent="mda.PipelineAndStrategy">
                                 <constructor-arg ref="uk_exportPipeline"/>
                                 <constructor-arg ref="uk_exportSelector"/>
                             </bean>
-                            <bean class="net.shibboleth.utilities.java.support.collection.Pair">
+                            <bean parent="mda.PipelineAndStrategy">
                                 <constructor-arg ref="uk_exportPreviewPipeline"/>
                                 <constructor-arg ref="uk_exportPreviewSelector"/>
                             </bean>
@@ -1081,17 +1022,17 @@
                     Fork into new pipelines for the production, fallback and WAYF aggregates.
                 -->
                 <bean id="productionDemux" parent="mda.PipelineDemultiplexerStage">
-                    <property name="pipelineAndSelectionStrategies">
+                    <property name="pipelinesAndStrategies">
                         <list>
-                            <bean class="net.shibboleth.utilities.java.support.collection.Pair">
+                            <bean parent="mda.PipelineAndStrategy">
                                 <constructor-arg ref="uk_productionPipeline"/>
                                 <constructor-arg ref="everythingSelector"/>
                             </bean>
-                            <bean class="net.shibboleth.utilities.java.support.collection.Pair">
+                            <bean parent="mda.PipelineAndStrategy">
                                 <constructor-arg ref="uk_fallbackPipeline"/>
                                 <constructor-arg ref="everythingSelector"/>
                             </bean>
-                            <bean class="net.shibboleth.utilities.java.support.collection.Pair">
+                            <bean parent="mda.PipelineAndStrategy">
                                 <constructor-arg ref="uk_wayfPipeline"/>
                                 <constructor-arg ref="uk_wayfSelector"/>
                             </bean>
@@ -1155,13 +1096,13 @@
                     Fork into new pipelines for additional aggregates.
                 -->
                 <bean id="preProductionDemux" parent="mda.PipelineDemultiplexerStage">
-                    <property name="pipelineAndSelectionStrategies">
+                    <property name="pipelinesAndStrategies">
                         <list>
-                            <bean class="net.shibboleth.utilities.java.support.collection.Pair">
+                            <bean parent="mda.PipelineAndStrategy">
                                 <constructor-arg ref="CDSAllPipeline"/>
                                 <constructor-arg ref="CDSAllSelector"/>
                             </bean>
-                            <bean class="net.shibboleth.utilities.java.support.collection.Pair">
+                            <bean parent="mda.PipelineAndStrategy">
                                 <constructor-arg ref="WugenPipeline"/>
                                 <constructor-arg ref="WugenSelector"/>
                             </bean>
diff --git a/mdx/uk/import.xsl b/mdx/uk/import.xsl
index 06fc13ee..020898ae 100644
--- a/mdx/uk/import.xsl
+++ b/mdx/uk/import.xsl
@@ -54,9 +54,7 @@
     <!--
         Force UTF-8 encoding for the output.
     -->
-    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"
-        indent="yes" xalan:indent-amount="4"
-    />
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
 
     <!--
         Parameters passed in from verbs.xml.
diff --git a/mdx/uk/mdq-multisign-test-gen.xsl b/mdx/uk/mdq-multisign-test-gen.xsl
new file mode 100644
index 00000000..16838fcd
--- /dev/null
+++ b/mdx/uk/mdq-multisign-test-gen.xsl
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    mdq-multisign-test-gen.xsl
+
+    XSL stylesheet to produce the test data for the mdq-multisign pipeline, which
+    generates signed per-entity metadata.
+
+    This works by filtering the unsigned production aggregate (which is used as
+    input to the per-entity signing process in production) and removing all
+    but a curated selection of entities, chosen to be representative.
+
+    Note that the resulting test file will contain large numbers of blank lines,
+    because the newline _after_ each entity in the input aggregate is not
+    part of the element being stripped out. This is fine.
+-->
+<xsl:stylesheet version="1.0"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    exclude-result-prefixes="xsi xsl">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <!--
+        Filter out entities we don't want.
+
+        Use De Morgan here:
+
+            (NOT entity-a) AND (NOT entity-b)
+
+        is the same as
+
+            NOT (entity-a OR entity-b)
+
+        We negate this again by filtering out _matching_
+        entities, so we are left with:
+
+            entity-a OR entity-b
+
+        The selection process won't notice if you mistype an
+        entityID, or if the entity in question is removed from
+        the UK federation aggregate; it will simply no longer
+        appear in the test data.
+    -->
+    <xsl:template match="//md:EntityDescriptor
+            [@entityID!='https://idp2.iay.org.uk/idp/shibboleth']
+            [@entityID!='https://test.ukfederation.org.uk/entity']
+            [@entityID!='https://test-idp.ukfederation.org.uk/idp/shibboleth']
+            [@entityID!='https://terena.org/sp']
+        ">
+        <!-- do nothing, we're filtering these out -->
+    </xsl:template>
+
+    <!--
+        *********************************************
+        ***                                       ***
+        ***   D E F A U L T   T E M P L A T E S   ***
+        ***                                       ***
+        *********************************************
+    -->
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/uk/mdq-multisign.xml b/mdx/uk/mdq-multisign.xml
index 7fd2b581..376bf0a5 100644
--- a/mdx/uk/mdq-multisign.xml
+++ b/mdx/uk/mdq-multisign.xml
@@ -22,19 +22,6 @@
     -->
     <import resource="classpath:uk/beans.xml"/>
 
-    <!-- This bean MUST be called "conversionService" to work properly. -->
-    <bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean">
-        <property name="converters">
-            <set>
-                <bean class="net.shibboleth.ext.spring.config.DurationToLongConverter" />
-                <bean class="net.shibboleth.ext.spring.config.StringToIPRangeConverter" />
-                <bean class="net.shibboleth.ext.spring.config.BooleanToPredicateConverter" />
-                <bean class="net.shibboleth.ext.spring.config.StringBooleanToPredicateConverter" />
-                <bean class="net.shibboleth.ext.spring.config.StringToResourceConverter" />
-            </set>
-        </property>
-    </bean>
-
     <!--
         Generate per-entity metadata.
     -->
@@ -60,20 +47,26 @@
                 -->
                 <ref bean="stripXsiNamespace"/>
 
+                <!--
+                    Propagate the validUntil attribute from the aggregate
+                    down to the individual entity descriptors.
+                -->
+                <bean parent="mda.XSLTransformationStage"
+                    p:XSLResource="classpath:uk/mdq_validity.xsl"/>
+
                 <!-- Break down into individual entities. -->
                 <ref bean="disassemble"/>
 
                 <!-- Populate ItemId with the entityID. -->
                 <ref bean="populateItemIds"/>
 
-                <!-- Set ID, cacheDuration and validUntil attributes. -->
+                <!-- Set ID and cacheDuration attributes. -->
                 <bean parent="mda.GenerateIdStage">
-                    <constructor-arg>
-                        <bean parent="ukf.FixedStringIdentifierGenerationStrategy" c:_="_"/>
-                    </constructor-arg>
+                    <property name="generator">
+                        <bean parent="mda.FixedStringIdentifierGenerationStrategy" c:_="_"/>
+                    </property>
                 </bean>
                 <bean parent="mda.SetCacheDurationStage" p:cacheDuration="${cacheDuration.perEntity.duration}"/>
-                <bean parent="mda.SetValidUntilStage" p:validityDuration="${validUntil.perEntity.duration}"/>
 
                 <!-- Identity transform fixes signing issues. -->
                 <bean parent="mda.XSLTransformationStage"
@@ -82,7 +75,7 @@
                 <!-- Sign each item. -->
                 <bean id="perform.signature" parent="mda.XMLSignatureSigningStage">
                     <property name="privateKey">
-                        <bean parent="PKCS11PrivateKeyFactoryBean"
+                        <bean parent="mda.PKCS11PrivateKeyFactoryBean"
                             p:pkcs11Config="${sign.pkcs11Config}"
                             p:keyPassword="${sign.keyPassword}"
                             p:keyAlias="${sign.keyAlias}"
diff --git a/mdx/uk/mdq_validity.xsl b/mdx/uk/mdq_validity.xsl
new file mode 100644
index 00000000..f53b475a
--- /dev/null
+++ b/mdx/uk/mdq_validity.xsl
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    mdq_validity.xsl
+
+    Operates on an aggregate, propagating the validUntil attribute from the
+    EntitiesDescriptor down to each EntityDescriptor.
+
+-->
+<xsl:stylesheet version="1.0"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    exclude-result-prefixes="md">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <!--
+        Copy validUntil down from the aggregate.
+
+        Has no effect if the aggregate is not present.
+    -->
+    <xsl:template match="md:EntitiesDescriptor/md:EntityDescriptor">
+        <xsl:copy>
+            <xsl:attribute name="validUntil">
+                <xsl:value-of select="../@validUntil"/>
+            </xsl:attribute>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/uk/nshield202112.cfg b/mdx/uk/nshield202112.cfg
new file mode 100644
index 00000000..ab7a284e
--- /dev/null
+++ b/mdx/uk/nshield202112.cfg
@@ -0,0 +1,4 @@
+library=/opt/nfast/toolkits/pkcs11/libcknfast.so
+name=nShield
+description=nShield Token
+slotListIndex=1
diff --git a/mdx/uk/statistics-charting.xsl b/mdx/uk/statistics-charting.xsl
deleted file mode 100644
index 04ae4dc4..00000000
--- a/mdx/uk/statistics-charting.xsl
+++ /dev/null
@@ -1,567 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-    statistics-charting.xsl
-
-    XSL stylesheet taking a UK Federation metadata file and resulting in an HTML document
-    giving statistics.
-
-    Author: Ian A. Young <ian@iay.org.uk>
-
--->
-<xsl:stylesheet
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns:members="http://ukfederation.org.uk/2007/01/members"
-    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-    xmlns:math="http://exslt.org/math"
-    xmlns:date="http://exslt.org/dates-and-times"
-    xmlns:dyn="http://exslt.org/dynamic"
-    xmlns:set="http://exslt.org/sets"
-    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-    exclude-result-prefixes="xsl alg ds init md mdattr mdui saml xsi members ukfedlabel math date dyn set idpdisc"
-    version="1.0">
-
-    <xsl:output method="xml" omit-xml-declaration="yes" indent="no"/>
-
-    <!--
-        memberDocument
-
-        The members.xml file, as a DOM document, is passed as a parameter.
-    -->
-    <xsl:param name="memberDocument"/>
-
-    <xsl:template match="md:EntitiesDescriptor">
-
-        <!--
-            Break down the "members" document.
-        -->
-        <!-- federation members -->
-        <xsl:variable name="members" select="$memberDocument//members:Member"/>
-        <xsl:variable name="memberCount" select="count($members)"/>
-        <xsl:variable name="memberNames" select="$members/members:Name"/>
-
-        <xsl:variable name="entities" select="//md:EntityDescriptor"/>
-        <xsl:variable name="entityCount" select="count($entities)"/>
-
-        <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
-        <xsl:variable name="idps.saml1"
-            select="$idps[contains(md:IDPSSODescriptor/@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
-
-        <xsl:variable name="idpCount" select="count($idps)"/>
-        <xsl:variable name="idps.saml1.count" select="count($idps.saml1)"/>
-
-        <xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
-        <xsl:variable name="sps.saml1"
-            select="$sps[contains(md:SPSSODescriptor/@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
-
-        <xsl:variable name="spCount" select="count($sps)"/>
-        <xsl:variable name="sps.saml1.count" select="count($sps.saml1)"/>
-
-        <xsl:variable name="entities.saml1" select="set:distinct($idps.saml1 | $sps.saml1)"/>
-        <xsl:variable name="entities.saml1.count" select="count($entities.saml1)"/>
-
-        <xsl:variable name="dualEntities" select="$entities[md:IDPSSODescriptor][md:SPSSODescriptor]"/>
-        <xsl:variable name="dualEntityCount" select="count($dualEntities)"/>
-
-        <xsl:variable name="memberEntities"
-            select="dyn:closure($members/members:Name, '$entities[md:Organization/md:OrganizationName = current()]')"/>
-        <xsl:variable name="memberEntityCount"
-            select="dyn:sum($memberNames, 'count($entities[md:Organization/md:OrganizationName = current()])')"/>
-
-        <xsl:variable name="idps.artifact"
-            select="$idps[md:IDPSSODescriptor[md:ArtifactResolutionService]]"/>
-        <xsl:variable name="idps.artifact.count" select="count($idps.artifact)"/>
-        <xsl:variable name="idps.artifact.saml1"
-            select="$idps[md:IDPSSODescriptor
-            [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-            [md:ArtifactResolutionService]]"/>
-        <xsl:variable name="idps.artifact.saml1.count" select="count($idps.artifact.saml1)"/>
-        <xsl:variable name="sps.artifact.saml1"
-            select="$sps[md:SPSSODescriptor/md:AssertionConsumerService/@Binding='urn:oasis:names:tc:SAML:1.0:profiles:artifact-01']"/>
-        <xsl:variable name="sps.artifact.saml1.count" select="count($sps.artifact.saml1)"/>
-        <xsl:variable name="entities.artifact.saml1" select="set:distinct($idps.artifact.saml1 | $sps.artifact.saml1)"/>
-        <xsl:variable name="entities.artifact.saml1.count" select="count($entities.artifact.saml1)"/>
-
-        <pre>
-
-            <!--
-                ***************************
-                ***                     ***
-                ***   C H A R T I N G   ***
-                ***                     ***
-                ***************************
-            -->
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:text>Members: </xsl:text>
-            <xsl:value-of select="$memberCount"/>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:text>Entities: </xsl:text>
-            <xsl:value-of select="$entityCount"/>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:text>   IdPs: </xsl:text>
-            <xsl:value-of select="$idpCount"/>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:text>   SPs: </xsl:text>
-            <xsl:value-of select="$spCount"/>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:text>Entities per member: </xsl:text>
-            <xsl:value-of select="format-number($entityCount div $memberCount, '0.000000')"/>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:variable name="charting.entities.algsupport" select="$entities[descendant::alg:* or descendant::md:EncryptionMethod]"/>
-            <xsl:variable name="charting.entities.algsupport.count" select="count($charting.entities.algsupport)"/>
-            <xsl:text>Algorithm support: </xsl:text>
-            <xsl:value-of select="format-number($charting.entities.algsupport.count div $entityCount, '0.00%')"/>
-            <xsl:text> of all entities</xsl:text>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:variable name="charting.entities.algsupport.gcm"
-                select="$charting.entities.algsupport[
-                descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes128-gcm' or
-                descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm' or
-                descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes256-gcm']"/>
-            <xsl:variable name="charting.entities.algsupport.gcm.count" select="count($charting.entities.algsupport.gcm)"/>
-            <xsl:text>GCM support: </xsl:text>
-            <xsl:value-of select="format-number($charting.entities.algsupport.gcm.count div $entityCount, '0.00%')"/>
-            <xsl:text> of all entities</xsl:text>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:variable name="charting.sps.algsupport" select="$sps[descendant::alg:* or descendant::md:EncryptionMethod]"/>
-            <xsl:variable name="charting.sps.algsupport.count" select="count($charting.sps.algsupport)"/>
-            <xsl:text>Algorithm support: </xsl:text>
-            <xsl:value-of select="format-number($charting.sps.algsupport.count div $spCount, '0.00%')"/>
-            <xsl:text> of SP entities</xsl:text>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:variable name="charting.sps.algsupport.gcm"
-                select="$charting.sps.algsupport[
-                descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes128-gcm' or
-                descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm' or
-                descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes256-gcm']"/>
-            <xsl:variable name="charting.sps.algsupport.gcm.count" select="count($charting.sps.algsupport.gcm)"/>
-            <xsl:text>GCM support: </xsl:text>
-            <xsl:value-of select="format-number($charting.sps.algsupport.gcm.count div $spCount, '0.00%')"/>
-            <xsl:text> of SP entities</xsl:text>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:variable name="charting.idp4" select="$idps[
-                md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '4']
-                ]"/>
-            <xsl:variable name="charting.idp4.count" select="count($charting.idp4)"/>
-            <xsl:text>Shibboleth IdP v4: </xsl:text>
-            <xsl:value-of select="$charting.idp4.count"/>
-            <xsl:text> (</xsl:text>
-            <xsl:value-of select="format-number($charting.idp4.count div $idpCount, '0.0%')"/>
-            <xsl:text> of IdPs)</xsl:text>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:variable name="charting.idp3" select="$idps[
-                md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '3']
-                ]"/>
-            <xsl:variable name="charting.idp3.count" select="count($charting.idp3)"/>
-            <xsl:text>Shibboleth IdP v3: </xsl:text>
-            <xsl:value-of select="$charting.idp3.count"/>
-            <xsl:text> (</xsl:text>
-            <xsl:value-of select="format-number($charting.idp3.count div $idpCount, '0.0%')"/>
-            <xsl:text> of IdPs)</xsl:text>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:variable name="nosaml2.sps" select="$sps[md:SPSSODescriptor[not(contains(@protocolSupportEnumeration,
-                'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
-            <xsl:variable name="nosaml2.sps.count" select="count($nosaml2.sps)"/>
-            <xsl:text>&#10;</xsl:text>
-            <xsl:text>SPs without SAML 2.0 support: </xsl:text>
-            <xsl:value-of select="$nosaml2.sps.count"/>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:for-each select="$nosaml2.sps">
-                <xsl:sort select="descendant::md:OrganizationName"/>
-                <xsl:text>   </xsl:text>
-                <xsl:value-of select="@ID"/>
-                <xsl:text>: </xsl:text>
-                <xsl:value-of select="descendant::md:OrganizationName"/>
-                <xsl:text>: </xsl:text>
-                <xsl:choose>
-                    <xsl:when test="descendant::mdui:DisplayName">
-                        <xsl:value-of select="descendant::mdui:DisplayName"/>
-                    </xsl:when>
-                    <xsl:otherwise>
-                        <xsl:text>(</xsl:text>
-                        <xsl:value-of select="descendant::md:OrganizationDisplayName"/>
-                        <xsl:text>)</xsl:text>
-                    </xsl:otherwise>
-                </xsl:choose>
-                <xsl:apply-templates select="md:Extensions/ukfedlabel:Software" mode="short"/>
-                <xsl:text>&#10;</xsl:text>
-            </xsl:for-each>
-
-            <xsl:call-template name="entity.breakdown.by.software">
-                <xsl:with-param name="entities" select="$sps[md:SPSSODescriptor[not(contains(@protocolSupportEnumeration,
-                    'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
-            </xsl:call-template>
-
-            <xsl:variable name="nosaml2.idps" select="$idps[md:IDPSSODescriptor[not(contains(@protocolSupportEnumeration,
-                'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
-            <xsl:variable name="nosaml2.idps.count" select="count($nosaml2.idps)"/>
-
-            <xsl:text>&#10;</xsl:text>
-            <xsl:text>IdPs without SAML 2.0 support: </xsl:text>
-            <xsl:value-of select="$nosaml2.idps.count"/>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:call-template name="entity.breakdown.by.software">
-                <xsl:with-param name="entities" select="$nosaml2.idps"/>
-            </xsl:call-template>
-
-            <!-- MDUI statistics -->
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:variable name="entities.mdui" select="$entities[descendant::mdui:UIInfo]"/>
-            <xsl:variable name="entities.mdui.count" select="count($entities.mdui)"/>
-            <xsl:text>Entities with mdui:UIInfo: </xsl:text>
-            <xsl:value-of select="$entities.mdui.count"/>
-            <xsl:text> (</xsl:text>
-            <xsl:value-of select="format-number($entities.mdui.count div $entityCount, '0.0%')"/>
-            <xsl:text>)</xsl:text>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:variable name="idps.mdui" select="$idps[descendant::mdui:UIInfo]"/>
-            <xsl:variable name="idps.mdui.count" select="count($idps.mdui)"/>
-            <xsl:text>IdPs with mdui:UIInfo: </xsl:text>
-            <xsl:value-of select="$idps.mdui.count"/>
-            <xsl:text> (</xsl:text>
-            <xsl:value-of select="format-number($idps.mdui.count div $idpCount, '0.0%')"/>
-            <xsl:text>)</xsl:text>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:variable name="sps.mdui" select="$sps[descendant::mdui:UIInfo]"/>
-            <xsl:variable name="sps.mdui.count" select="count($sps.mdui)"/>
-            <xsl:text>SPs with mdui:UIInfo: </xsl:text>
-            <xsl:value-of select="$sps.mdui.count"/>
-            <xsl:text> (</xsl:text>
-            <xsl:value-of select="format-number($sps.mdui.count div $spCount, '0.0%')"/>
-            <xsl:text>)</xsl:text>
-            <xsl:text>&#10;</xsl:text>
-
-            <xsl:text>&#10;</xsl:text>
-        </pre>
-    </xsl:template>
-
-
-    <!--
-        Break down a set of entities by the software used.
-    -->
-    <xsl:template name="entity.breakdown.by.software">
-        <xsl:param name="entities"/>
-        <xsl:variable name="entityCount" select="count($entities)"/>
-        <xsl:text>Breakdown by software used:</xsl:text>
-        <xsl:text>&#10;</xsl:text>
-
-        <!--
-            *********************************************************************
-            ***                                                               ***
-            ***   C L A S S I F Y   E N T I T I E S   B Y   S O F T W A R E   ***
-            ***                                                               ***
-            *********************************************************************
-
-            The classification algorithms used here are chained together so that
-            each classification step works only on those entities not already
-            classified.  This means that entities won't be counted twice, but
-            means that the order of classification blocks is important and
-            shouldn't be changed without careful thought.  In general, more
-            specific algorithms should appear before more general ones.
-        -->
-
-        <!--
-            Classify miscellaneous entities.
-
-            Here we pull off a list of entities labelled with explicit
-            Software labels that aren't for the software we address
-            in more detail below.  The result is, as it were, a list of
-            "known unknowns" that we can re-integrate later with those
-            entities we fail to classify altogether.
-        -->
-        <xsl:variable name="entities.misc.in" select="$entities"/>
-        <xsl:variable name="entities.misc"
-            select="$entities.misc.in[
-                md:Extensions/ukfedlabel:Software
-                    [@name != 'Shibboleth']
-                    [@name != 'EZproxy']
-                    [@name != 'OpenAthens']
-                    [@name != 'Guanxi']
-                    [@name != 'simpleSAMLphp']
-                    [@name != 'Atypon SAML SP 1.1/2.0']
-                    [@name != 'AthensIM']
-                    [@name != 'Eduserv Gateway']
-            ]"/>
-        <xsl:variable name="entities.misc.out"
-            select="set:difference($entities.misc.in, $entities.misc)"/>
-
-        <!--
-            Classify EZproxy SPs
-        -->
-        <xsl:variable name="entities.ezproxy.in" select="$entities.misc.out"/>
-        <xsl:variable name="entities.ezproxy"
-            select="$entities.ezproxy.in[md:Extensions/ukfedlabel:Software/@name='EZproxy']"/>
-        <xsl:variable name="entities.ezproxy.out"
-            select="set:difference($entities.ezproxy.in, $entities.ezproxy)"/>
-
-        <!--
-            Classify simpleSAMLphp entities.
-        -->
-        <xsl:variable name="entities.simplesamlphp.in" select="$entities.ezproxy.out"/>
-        <xsl:variable name="entities.simplesamlphp"
-            select="$entities.simplesamlphp.in[md:Extensions/ukfedlabel:Software/@name='simpleSAMLphp']"/>
-        <xsl:variable name="entities.simplesamlphp.out"
-            select="set:difference($entities.simplesamlphp.in, $entities.simplesamlphp)"/>
-
-        <!--
-            Classify Atypon SAML SP entities.
-        -->
-        <xsl:variable name="entities.atyponsamlsp.in" select="$entities.simplesamlphp.out"/>
-        <xsl:variable name="entities.atyponsamlsp"
-            select="$entities.atyponsamlsp.in[md:Extensions/ukfedlabel:Software/@name='Atypon SAML SP 1.1/2.0']"/>
-        <xsl:variable name="entities.atyponsamlsp.out"
-            select="set:difference($entities.atyponsamlsp.in, $entities.atyponsamlsp)"/>
-
-        <!--
-            Classify OpenAthens entities.
-        -->
-        <xsl:variable name="entities.openathens.in" select="$entities.atyponsamlsp.out"/>
-        <xsl:variable name="entities.openathens"
-            select="$entities.openathens.in[md:Extensions/ukfedlabel:Software/@name='OpenAthens']"/>
-        <xsl:variable name="entities.openathens.out"
-            select="set:difference($entities.openathens.in, $entities.openathens)"/>
-
-        <!--
-            Classify Shibboleth 4 entities.
-        -->
-        <xsl:variable name="entities.shib.4.in" select="$entities.openathens.out"/>
-        <xsl:variable name="entities.shib.4"
-            select="$entities.shib.4.in[
-            md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '4']
-            ]"/>
-        <xsl:variable name="entities.shib.4.out"
-            select="set:difference($entities.shib.4.in, $entities.shib.4)"/>
-
-        <!--
-            Classify Shibboleth 3 entities.
-        -->
-        <xsl:variable name="entities.shib.3.in" select="$entities.shib.4.out"/>
-        <xsl:variable name="entities.shib.3"
-            select="$entities.shib.3.in[
-            md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '3']
-            ]"/>
-        <xsl:variable name="entities.shib.3.out"
-            select="set:difference($entities.shib.3.in, $entities.shib.3)"/>
-
-        <!--
-            Classify Shibboleth 2.0 IdPs and SPs.
-        -->
-        <xsl:variable name="entities.shib.2.in" select="$entities.shib.3.out"/>
-        <xsl:variable name="entities.shib.2"
-            select="$entities.shib.2.in[
-                md:IDPSSODescriptor/md:SingleSignOnService[contains(@Location, '/profile/Shibboleth/SSO')] |
-                md:SPSSODescriptor/md:AssertionConsumerService[contains(@Location, '/Shibboleth.sso/SAML2/POST')] |
-                md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '2']
-            ]"/>
-        <xsl:variable name="entities.shib.2.out"
-            select="set:difference($entities.shib.2.in, $entities.shib.2)"/>
-
-        <!--
-            Classify Athens Gateway entities
-        -->
-        <xsl:variable name="entities.gateways.in" select="$entities.shib.2.out"/>
-        <xsl:variable name="entities.gateways"
-            select="$entities.gateways.in[md:Extensions/ukfedlabel:Software/@name='Eduserv Gateway']"/>
-        <xsl:variable name="entities.gateways.out"
-            select="set:difference($entities.gateways.in, $entities.gateways)"/>
-
-        <!--
-            Classify OpenAthens virtual IdPs.
-        -->
-        <xsl:variable name="entities.openathens.virtual.in" select="$entities.gateways.out"/>
-        <xsl:variable name="entities.openathens.virtual"
-            select="$entities.openathens.virtual.in[
-                descendant::md:AttributeService/@Location=
-                    'https://gateway.athensams.net:5057/services/SAML11AttributeAuthority' or
-                descendant::md:SingleSignOnService[starts-with(@Location,
-                    'https://login.openathens.net/saml/')]
-                ]"/>
-        <xsl:variable name="entities.openathens.virtual.out"
-            select="set:difference($entities.openathens.virtual.in, $entities.openathens.virtual)"/>
-
-        <!--
-            Classify Guanxi entities.
-        -->
-        <xsl:variable name="entities.guanxi.in" select="$entities.openathens.virtual.out"/>
-        <xsl:variable name="entities.guanxi"
-            select="$entities.guanxi.in[md:Extensions/ukfedlabel:Software/@name='Guanxi']"/>
-        <xsl:variable name="entities.guanxi.out"
-            select="set:difference($entities.guanxi.in, $entities.guanxi)"/>
-
-        <!--
-            Classify AthensIM entities.
-        -->
-        <xsl:variable name="entities.athensim.in" select="$entities.guanxi.out"/>
-        <xsl:variable name="entities.athensim"
-            select="$entities.athensim.in[md:Extensions/ukfedlabel:Software/@name='AthensIM']"/>
-        <xsl:variable name="entities.athensim.out"
-            select="set:difference($entities.athensim.in, $entities.athensim)"/>
-
-        <!--
-            Remaining entities are unknown.
-        -->
-        <xsl:variable name="entities.unclassified" select="$entities.athensim.out"/>
-        <xsl:variable name="unknownSoftwareEntities"
-            select="$entities.unclassified | $entities.misc"/>
-
-        <!--
-            ***************************************************************
-            ***                                                         ***
-            ***   R E P O R T   C L A S S I F I E D   E N T I T I E S   ***
-            ***                                                         ***
-            ***************************************************************
-        -->
-
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.shib.4"/>
-            <xsl:with-param name="name">Shibboleth 4.x</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-        </xsl:call-template>
-
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.shib.3"/>
-            <xsl:with-param name="name">Shibboleth 3.x</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-        </xsl:call-template>
-
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.shib.2"/>
-            <xsl:with-param name="name">Shibboleth 2.x</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-        </xsl:call-template>
-
-        <xsl:variable name="entities.shib" select="$entities.shib.2 | $entities.shib.3"/>
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.shib"/>
-            <xsl:with-param name="name">Shibboleth combined</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-        </xsl:call-template>
-
-        <xsl:variable name="entities.not.shib" select="set:difference($entities, $entities.shib)"/>
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.not.shib"/>
-            <xsl:with-param name="name">Other than Shibboleth</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-        </xsl:call-template>
-
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.ezproxy"/>
-            <xsl:with-param name="name">EZproxy</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-        </xsl:call-template>
-
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.simplesamlphp"/>
-            <xsl:with-param name="name">simpleSAMLphp</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-        </xsl:call-template>
-
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.atyponsamlsp"/>
-            <xsl:with-param name="name">Atypon SAML SP</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-        </xsl:call-template>
-
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.athensim"/>
-            <xsl:with-param name="name">AthensIM</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-        </xsl:call-template>
-
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.guanxi"/>
-            <xsl:with-param name="name">Guanxi</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-        </xsl:call-template>
-
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.gateways"/>
-            <xsl:with-param name="name">Athens/Shibboleth gateway</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-        </xsl:call-template>
-
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.openathens.virtual"/>
-            <xsl:with-param name="name">OpenAthens Virtual IdP</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-        </xsl:call-template>
-
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.openathens"/>
-            <xsl:with-param name="name">OpenAthens</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-        </xsl:call-template>
-
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$unknownSoftwareEntities"/>
-            <xsl:with-param name="name">Unknown or other</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-            <xsl:with-param name="show" select="1"/>
-            <xsl:with-param name="show.software" select="1"/>
-        </xsl:call-template>
-
-    </xsl:template>
-
-    <xsl:template name="entity.breakdown.by.software.line">
-        <xsl:param name="entities"/>
-        <xsl:param name="name"/>
-        <xsl:param name="total"/>
-        <xsl:param name="show">0</xsl:param>
-        <xsl:param name="show.software">0</xsl:param>
-        <xsl:param name="show.max">8</xsl:param>
-        <xsl:variable name="n" select="count($entities)"/>
-        <xsl:if test="$n != 0">
-            <xsl:text>   </xsl:text>
-            <xsl:value-of select="$name"/>
-            <xsl:text>: </xsl:text>
-            <xsl:value-of select="$n"/>
-            <xsl:text> (</xsl:text>
-            <xsl:value-of select="format-number($n div $total, '0.0%')"/>
-            <xsl:text>)</xsl:text>
-            <xsl:text>&#10;</xsl:text>
-             <xsl:if test="($show != 0) or ($n &lt;= $show.max)">
-                <xsl:for-each select="$entities">
-                    <xsl:sort select="@ID"/>
-                    <xsl:text>      </xsl:text>
-                    <xsl:value-of select="@ID"/>
-                    <xsl:text>: </xsl:text>
-                    <xsl:value-of select="@entityID"/>
-                    <xsl:if test="$show.software != 0">
-                        <xsl:choose>
-                            <xsl:when test="md:Extensions/ukfedlabel:Software">
-                                (<xsl:value-of select="md:Extensions/ukfedlabel:Software/@name"/>)
-                            </xsl:when>
-                        </xsl:choose>
-                    </xsl:if>
-                    <xsl:text>&#10;</xsl:text>
-                </xsl:for-each>
-            </xsl:if>
-        </xsl:if>
-    </xsl:template>
-
-</xsl:stylesheet>
diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index 7222b3b6..9aae8d0d 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -23,10 +23,9 @@
     xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
     xmlns:math="http://exslt.org/math"
     xmlns:date="http://exslt.org/dates-and-times"
-    xmlns:dyn="http://exslt.org/dynamic"
     xmlns:set="http://exslt.org/sets"
     xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-    exclude-result-prefixes="xsl alg ds init md mdattr mdui saml xsi members ukfedlabel math date dyn set idpdisc"
+    exclude-result-prefixes="xsl alg ds init md mdattr mdui saml xsi members ukfedlabel math date set idpdisc"
     version="1.0">
 
     <xsl:output method="html" omit-xml-declaration="yes"/>
@@ -84,11 +83,6 @@
         <xsl:variable name="federationMemberEntityCount"
             select="count($entities[md:Extensions/ukfedlabel:UKFederationMember])"/>
 
-        <xsl:variable name="memberEntities"
-            select="dyn:closure($members/members:Name, '$entities[md:Organization/md:OrganizationName = current()]')"/>
-        <xsl:variable name="memberEntityCount"
-            select="dyn:sum($memberNames, 'count($entities[md:Organization/md:OrganizationName = current()])')"/>
-
         <xsl:variable name="idps.artifact"
             select="$idps[md:IDPSSODescriptor[md:ArtifactResolutionService]]"/>
         <xsl:variable name="idps.artifact.count" select="count($idps.artifact)"/>
@@ -1542,7 +1536,7 @@
                         [@name != 'EZproxy']
                         [@name != 'OpenAthens']
                         [@name != 'Guanxi']
-                        [@name != 'simpleSAMLphp']
+                        [@name != 'SimpleSAMLphp']
                         [@name != 'Atypon SAML SP 1.1/2.0']
                         [@name != 'AthensIM']
                         [@name != 'Eduserv Gateway']
@@ -1560,11 +1554,11 @@
                 select="set:difference($entities.ezproxy.in, $entities.ezproxy)"/>
 
             <!--
-                Classify simpleSAMLphp entities.
+                Classify SimpleSAMLphp entities.
             -->
             <xsl:variable name="entities.simplesamlphp.in" select="$entities.ezproxy.out"/>
             <xsl:variable name="entities.simplesamlphp"
-                select="$entities.simplesamlphp.in[md:Extensions/ukfedlabel:Software/@name='simpleSAMLphp']"/>
+                select="$entities.simplesamlphp.in[md:Extensions/ukfedlabel:Software/@name='SimpleSAMLphp']"/>
             <xsl:variable name="entities.simplesamlphp.out"
                 select="set:difference($entities.simplesamlphp.in, $entities.simplesamlphp)"/>
 
@@ -1717,7 +1711,7 @@
 
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.simplesamlphp"/>
-                <xsl:with-param name="name">simpleSAMLphp</xsl:with-param>
+                <xsl:with-param name="name">SimpleSAMLphp</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
 
diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
index 05f5c51d..8fea7470 100644
--- a/mdx/uk/verbs.xml
+++ b/mdx/uk/verbs.xml
@@ -59,41 +59,6 @@
         </property>
     </bean>
 
-    <!--
-        statistics.charting
-
-        Stand-alone statistics generation for charting.
-    -->
-    <bean id="statistics.charting" parent="mda.SimplePipeline">
-        <property name="stages">
-            <list>
-                <ref bean="uk_registeredEntities"/>
-
-                <!-- Apply flow constraints for this flow. -->
-                <bean id="flowConstraints" parent="ukf.FlowConstraintApplyingStage"
-                    p:flowName="statistics"/>
-
-                <ref bean="assemble"/>
-                <bean parent="mda.XSLTransformationStage"
-                    p:XSLResource="classpath:uk/statistics-charting.xsl">
-                    <property name="transformParameters">
-                        <map>
-                            <entry key="memberDocument" value-ref="uk_membersDocument"/>
-                        </map>
-                    </property>
-                </bean>
-                <bean parent="mda.SerializationStage">
-                    <property name="serializer" ref="serializer"/>
-                    <property name="outputFile">
-                        <bean parent="File">
-                            <constructor-arg value="${output.dir}/statistics-charting.html"/>
-                        </bean>
-                    </property>
-                </bean>
-            </list>
-        </property>
-    </bean>
-
     <!--
         sp_mdui_test
 
@@ -290,7 +255,7 @@
                     we don't accept from registrants.
                 -->
                 <bean id="whitelistImportedNamespaces" parent="mda.NamespacesStrippingStage"
-                    p:whitelisting="true">
+                    p:keeping="true">
                     <property name="namespaces">
                         <set>
                             <ref bean="alg_namespace"/>
@@ -374,7 +339,7 @@
                     <property name="validators">
                         <list>
                             <!-- Error on DSA keys. -->
-                            <bean p:id="DSA" parent="ukf.X509DSADetector"/>
+                            <bean p:id="DSA" parent="mda.X509DSADetector"/>
 
                             <!-- Error on RSA key length less than 2048 bits. -->
                             <bean p:id="RSAKeyLength" parent="mda.X509RSAKeyLengthValidator"
@@ -382,10 +347,10 @@
                             <!-- Error on small RSA public exponents. -->
                             <bean p:id="RSAExponent" parent="mda.X509RSAExponentValidator"/>
                             <!-- Error on keys vulnerable to ROCA. -->
-                            <bean p:id="ROCA" parent="ukf.X509ROCAValidator"/>
+                            <bean p:id="ROCA" parent="mda.X509ROCAValidator"/>
 
                             <!--
-                                Debian weak key blacklists.
+                                Debian weak key lists.
 
                                 Don't need to check for keys below our minimum key size.
                             -->
@@ -393,7 +358,7 @@
                             <ref bean="debian.4096"/>
 
                             <!--
-                                Compromised key blacklists.
+                                Compromised key lists.
 
                                 Again, don't need to check for keys below our minimum key size.
                             -->
diff --git a/mdx/us_incommon/beans.xml b/mdx/us_incommon/beans.xml
index 8d99949b..8bda14eb 100644
--- a/mdx/us_incommon/beans.xml
+++ b/mdx/us_incommon/beans.xml
@@ -34,7 +34,7 @@
     <bean id="us_incommon_productionAggregate" parent="mda.DOMResourceSourceStage">
         <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
-            <bean parent="HTTPResource">
+            <bean parent="mda.HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
                 <constructor-arg name="url"    ref="us_incommon_productionAggregate_url"/>
             </bean>
@@ -44,7 +44,7 @@
     <!--
         InCommon signing certificate.
     -->
-    <bean id="us_incommon_signingCertificate" parent="X509CertificateFactoryBean"
+    <bean id="us_incommon_signingCertificate" parent="mda.X509CertificateFactoryBean"
         p:resource="classpath:us_incommon/inc-md-cert.pem"/>
 
     <!--
@@ -86,7 +86,7 @@
         Fetch the production entities as a collection.
     -->
     <bean id="us_incommon_productionEntities" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="us_incommon_productionAggregate"/>
 
@@ -108,7 +108,7 @@
         Synthesise an export collection by filtering the production entities.
     -->
     <bean id="us_incommon_exportedEntities" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="us_incommon_productionAggregate"/>
 
@@ -135,7 +135,7 @@
                     Filter out all entities not involved in the pilot.
                 -->
                 <bean id="us_incommon_pilot_filterEntities" parent="mda.EntityFilterStage"
-                    p:whitelistingEntities="true">
+                    p:keepingEntities="true">
                     <property name="designatedEntities">
                         <set>
                             <value>https://ligo.org/ligovirgo/cbcnote/shibboleth-sp</value>
@@ -148,10 +148,10 @@
                     Remove all contact information.
                 -->
                 <bean id="us_incommon_remove_contacts" parent="mda.ContactPersonFilterStage"
-                    p:whitelistingTypes="true">
+                    p:keepingTypes="true">
                     <property name="designatedTypes">
                         <set>
-                            <!-- no whitelisted types implies remove everything -->
+                            <!-- no kept types implies remove everything -->
                         </set>
                     </property>
                 </bean>
@@ -175,7 +175,7 @@
         Fake an export aggregate by aggregating the exported entities.
     -->
     <bean id="us_incommon_exportedAggregate" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="us_incommon_exportedEntities"/>
                 <ref bean="assemble"/>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index 51ba8502..248e0ff7 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -12,6 +12,63 @@
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
 
+    <!--
+        ***************************************
+        ***                                 ***
+        ***   U R L   V A L I D A T I O N   ***
+        ***                                 ***
+        ***************************************
+    -->
+
+    <!--
+        Shared validator beans.
+
+        The beans in this section have both "id" values by which they can
+        be referenced in Spring configuration, but also simpler "p:id"
+        values to simplify their contributions to error messages
+        composed from a series of component ID values.
+    -->
+
+    <!-- Reject "https://host:/xxx" because libxml2 has issues with that. -->
+    <bean id="validate_url_port" p:id="port" parent="mda.EmptyPortURLValidator"/>
+
+    <!-- Reject "https:///xxx" because it lacks an authority entirely. -->
+    <bean id="validate_url_host" p:id="host" parent="mda.MissingHostURLValidator"/>
+
+    <!-- Reject URLs which don't have an https:// protocol. -->
+    <bean id="validate_url_https" p:id="https" parent="mda.HTTPSProtocolURLValidator"/>
+
+    <!--
+        validate_url
+
+        Validate a string as a URL. Includes checking for port and host
+        issues.
+    -->
+    <bean id="validate_url" p:id="url" parent="mda.AsURLStringValidator">
+        <property name="validators">
+            <list>
+                <ref bean="validate_url_port"/>
+                <ref bean="validate_url_host"/>
+            </list>
+        </property>
+    </bean>
+
+    <!--
+        validate_https_url
+
+        Validate a string as a https:// URL. Includes checking for port and host
+        issues.
+    -->
+    <bean id="validate_https_url" p:id="url" parent="mda.AsURLStringValidator">
+        <property name="validators">
+            <list>
+                <ref bean="validate_url_https"/>
+                <ref bean="validate_url_port"/>
+                <ref bean="validate_url_host"/>
+            </list>
+        </property>
+    </bean>
+
     <!--
         ***********************************
         ***                             ***
@@ -100,7 +157,7 @@
         Combines all check_future_N stages.
     -->
     <bean id="check_future" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="check_future_0"/>
                 <ref bean="check_future_1"/>
@@ -169,7 +226,7 @@
         Composite check for the MDRPI specification.
     -->
     <bean id="check_mdrpi" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="check_mdrpi_xslt"/>
             </list>
@@ -209,7 +266,7 @@
 
         Checks for the mdui:IPHint element.
     -->
-    <bean id="check_mdui_iphint" parent="ukf.IPHintValidationStage"
+    <bean id="check_mdui_iphint" parent="mda.IPHintValidationStage"
         p:checkingNetworks="true"/>
 
     <!--
@@ -220,6 +277,29 @@
     <bean id="check_mdui_xslt" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_mdui.xsl"/>
 
+    <!--
+        check_mdui_logo_url
+
+        Section 2.1.5: Check the URL value of mdui:Logo elements.
+    -->
+    <bean id="check_mdui_logo_url" parent="mda.StringElementValidationStage">
+        <property name="elementName" ref="mdui-Logo"/>
+        <property name="validators">
+            <list>
+                <bean p:id="newline" parent="mda.RejectStringRegexValidator"
+                    p:regex=".*\n.*"
+                    p:message="mdui:Logo contains line break" />
+                <bean p:id="nbs" parent="mda.RejectStringRegexValidator"
+                    p:regex=".*\u00a0.*"
+                    p:message="mdui:Logo contains non-breaking space" />
+                <!-- Accept data: URLs with no further scrutiny. -->
+                <bean parent="mda.AcceptStringRegexValidator"
+                    p:regex="data:.*"/>
+                <ref bean="validate_https_url"/>
+            </list>
+        </property>
+    </bean>
+
     <!--
         check_mdui_logo_length
 
@@ -235,17 +315,34 @@
         </property>
     </bean>
 
+    <!--
+        check_mdui_urls
+
+        Check URL values of mdui:* elements other than mdui:Logo.
+    -->
+    <bean id="check_mdui_urls" parent="mda.StringElementValidationStage"
+        p:validators-ref="validate_url">
+        <property name="elementNames">
+            <set>
+                <ref bean="mdui-InformationURL"/>
+                <ref bean="mdui-PrivacyStatementURL"/>
+            </set>
+        </property>
+    </bean>
+
     <!--
         check_mdui
 
         Composite check for the MDUI specification.
     -->
     <bean id="check_mdui" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="check_mdui_iphint"/>
                 <ref bean="check_mdui_xslt"/>
                 <ref bean="check_mdui_logo_length"/>
+                <ref bean="check_mdui_logo_url"/>
+                <ref bean="check_mdui_urls"/>
             </list>
         </property>
     </bean>
@@ -281,7 +378,7 @@
         p:XSLResource="classpath:_rules/check_rands_support.xsl"/>
 
     <bean id="check_rands" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="check_rands_member"/>
                 <ref bean="check_rands_support"/>
@@ -289,6 +386,25 @@
         </property>
     </bean>
 
+    <!--
+        ******************************************************************
+        ***                                                            ***
+        ***   R E F E D S   C o C o   v2   S P E C I F I C A T I O N   ***
+        ***                                                            ***
+        ******************************************************************
+    -->
+
+    <bean id="check_coco_v2_support" parent="mda.XSLValidationStage"
+        p:XSLResource="classpath:_rules/check_coco_v2_support.xsl"/>
+
+    <bean id="check_coco_v2" parent="mda.CompositeStage">
+        <property name="stages">
+            <list>
+                <ref bean="check_coco_v2_support"/>
+            </list>
+        </property>
+    </bean>
+
 
     <!--
         ***********************************************************
@@ -380,8 +496,7 @@
 
         It is assumed that the entities are wrapped in a single EntitiesDescriptor.
     -->
-    <bean id="check_aggregate" parent="mda.XSLValidationStage"
-        p:XSLResource="classpath:_rules/check_aggregate.xsl"/>
+    <bean id="check_aggregate" parent="mda.DuplicateEntityInAggregateCheckingStage"/>
 
     <!--
         check_dup_display
@@ -404,37 +519,73 @@
     -->
 
     <!--
-        Debian weak key blacklists.
+        Debian weak key lists.
     -->
 
-    <bean id="debian.1024" parent="mda.X509RSAOpenSSLBlacklistValidator"
+    <bean id="debian.1024" parent="mda.X509RSAOpenSSLKeylistValidator"
         p:keySize="1024"
-        p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/debian-1024.txt"/>
+        p:keylistResource="classpath:net/shibboleth/metadata/keylists/rsa/legacy/debian-1024.txt"/>
 
-    <bean id="debian.2048" parent="mda.X509RSAOpenSSLBlacklistValidator"
+    <bean id="debian.2048" parent="mda.X509RSAOpenSSLKeylistValidator"
         p:keySize="2048"
-        p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/debian-2048.txt"/>
+        p:KeylistResource="classpath:net/shibboleth/metadata/keylists/rsa/debian-2048.txt"/>
 
-    <bean id="debian.4096" parent="mda.X509RSAOpenSSLBlacklistValidator"
+    <bean id="debian.4096" parent="mda.X509RSAOpenSSLKeylistValidator"
         p:keySize="4096"
-        p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/debian-4096.txt"/>
+        p:keylistResource="classpath:net/shibboleth/metadata/keylists/rsa/debian-4096.txt"/>
 
     <!--
-        Blacklist of known compromised 1024-bit keys, e.g., "dummy" keys shipped with
+        List of known compromised 1024-bit keys, e.g., "dummy" keys shipped with
         SAML products that are sometimes deployed by accident.
     -->
-    <bean id="compromised.1024" parent="mda.X509RSAOpenSSLBlacklistValidator"
+    <bean id="compromised.1024" parent="mda.X509RSAOpenSSLKeylistValidator"
         p:keySize="1024"
-        p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/compromised-1024.txt"/>
+        p:keylistResource="classpath:net/shibboleth/metadata/keylists/rsa/legacy/compromised-1024.txt"/>
 
     <!--
-        Blacklist of known compromised 2048-bit keys, e.g., "dummy" keys shipped with
+        List of known compromised 2048-bit keys, e.g., "dummy" keys shipped with
         SAML products that are sometimes deployed by accident.
     -->
-    <bean id="compromised.2048" parent="mda.X509RSAOpenSSLBlacklistValidator"
+    <bean id="compromised.2048" parent="mda.X509RSAOpenSSLKeylistValidator"
         p:keySize="2048"
-        p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/compromised-2048.txt"/>
+        p:keylistResource="classpath:net/shibboleth/metadata/keylists/rsa/compromised-2048.txt"/>
 
+    <!--
+        check_standard_certificates
+
+        Perform a group of standard checks on X.509 certificates.
+    -->
+    <bean id="check_standard_certificates" parent="mda.X509ValidationStage">
+        <property name="validators">
+            <list>
+                <!-- Error on DSA keys. -->
+                <bean p:id="DSA" parent="mda.X509DSADetector"/>
+
+                <!-- Error on RSA key length less than 2048 bits. -->
+                <bean p:id="RSAKeyLength" parent="mda.X509RSAKeyLengthValidator"
+                    p:warningBoundary="0" p:errorBoundary="2048"/>
+                <!-- Error on small RSA public exponents. -->
+                <bean p:id="RSAExponent" parent="mda.X509RSAExponentValidator"/>
+                <!-- Error on keys vulnerable to ROCA. -->
+                <bean p:id="ROCA" parent="mda.X509ROCAValidator"/>
+
+                <!--
+                    Debian weak key blacklists.
+
+                    Don't need to check for keys below our minimum key size.
+                -->
+                <ref bean="debian.2048"/>
+                <ref bean="debian.4096"/>
+
+                <!--
+                    Compromised key blacklists.
+
+                    Again, don't need to check for keys below our minimum key size.
+                -->
+                <ref bean="compromised.2048"/>
+            </list>
+        </property>
+    </bean>
 
     <!--
         ****************************************************
@@ -576,10 +727,49 @@
     <bean id="check_saml2meta" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_saml2meta.xsl"/>
 
+    <!--
+        check_saml2meta_urlattrs
+
+        Check URL values of various attributes on md:* elements.
+    -->
+    <bean id="check_saml2meta_urlattrs" parent="mda.StringAttributeValidationStage"
+        p:id="saml2meta" p:validators-ref="validate_url">
+        <property name="elementNames">
+            <set>
+                <ref bean="md-AdditionalMetadataLocation"/>
+                <ref bean="md-AssertionConsumerService"/>
+                <ref bean="md-AssertionIDRequestService"/>
+                <ref bean="md-ArtifactResolutionService"/>
+                <ref bean="md-AttributeService"/>
+                <ref bean="md-AuthnQueryService"/>
+                <ref bean="md-AuthzService"/>
+                <ref bean="md-ManageNameIDService"/>
+                <ref bean="md-NameIDMappingService"/>
+                <ref bean="md-SingleLogoutService"/>
+                <ref bean="md-SingleSignOnService"/>
+            </set>
+        </property>
+        <property name="attributeNames">
+            <set>
+                <bean parent="QName" c:_0="Location"/>
+                <bean parent="QName" c:_0="ResponseLocation"/>
+            </set>
+        </property>
+    </bean>
+
+    <!--
+        check_saml2meta_urls
+
+        Check URL values of md:* elements.
+    -->
+    <bean id="check_saml2meta_urls" parent="mda.StringElementValidationStage"
+        p:id="saml2meta" p:validators-ref="validate_url"
+        p:elementName-ref="md-OrganizationURL"/>
+
     <!--
         check_saml_strings
     -->
-    <bean id="check_saml_strings" parent="ukf.SAMLStringElementCheckingStage">
+    <bean id="check_saml_strings" parent="mda.SAMLStringElementCheckingStage">
         <property name="elementNames">
             <set>
                 <ref bean="md-Company"/>
@@ -640,7 +830,7 @@
         CHECK_std
     -->
     <bean id="CHECK_std" parent="mda.CompositeStage">
-        <property name="composedStages">
+        <property name="stages">
             <list>
                 <ref bean="check_adfs"/>
                 <ref bean="check_algsupport"/>
@@ -658,12 +848,15 @@
                 <ref bean="check_mdui"/>
                 <ref bean="check_misc"/>
                 <ref bean="check_rands"/>
+                <ref bean="check_coco_v2"/>
                 <ref bean="check_reqattr"/>
                 <ref bean="check_saml1"/>
                 <ref bean="check_saml2"/>
                 <ref bean="check_saml2_lang"/>
                 <ref bean="check_saml2int"/>
                 <ref bean="check_saml2meta"/>
+                <ref bean="check_saml2meta_urlattrs"/>
+                <ref bean="check_saml2meta_urls"/>
                 <ref bean="check_saml_strings"/>
                 <ref bean="check_shib_noregscope"/>
                 <ref bean="check_shibboleth"/>
diff --git a/orchestration.xml b/orchestration.xml
new file mode 100644
index 00000000..c9d1cdbf
--- /dev/null
+++ b/orchestration.xml
@@ -0,0 +1,289 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project default="echoproperties">
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   P R O P E R T Y   S O U R C E S   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+    <!--
+        os.family
+
+        Distinguish between the general kind of operating systems
+        we could be executing on.
+
+        Values: windows, macosx, linux, other.
+    -->
+    <condition property="os.family" value="windows">
+        <os family="windows"/>
+    </condition>
+    <condition property="os.family" value="macosx">
+        <os family="mac"/>
+    </condition>
+    <condition property="os.family" value="linux">
+        <os family="unix" name="Linux"/>
+    </condition>
+    <property name="os.family" value="other"/>
+
+    <!--
+        env
+
+        Distinguish between different classes of deployment,
+        e.g., development vs. production.
+
+        Values: dev, preprod, prod, prod-old
+
+        Defaults to "dev" here, but that can be overridden from the command
+        line, a Jenkins job, or in build.properties.
+    -->
+    <property name="env" value="dev"/>
+
+    <!--
+        External property files.
+
+        Pull in properties from external files. Because Ant properties are
+        immutable, amy properties declared in this file should be regarded as
+        defaults, and will be overridden by any definitions in the following
+        locations:
+
+        * on the command line
+        * in a Jenkins job definition
+        * in any of the external files listed below
+
+        The first location specifying a particular property sets the final value.
+
+        The build.properties file is not source controlled, and should be used
+        to override properties for a particular deployment, or to include
+        credentials.
+    -->
+    <property file="build.properties"/>
+    <property file="${os.family}.properties"/>
+    <property file="${env}.properties"/>
+    <property file="default.properties"/>
+
+    <!--
+        *******************************
+        ***                         ***
+        ***   P R O P E R T I E S   ***
+        ***                         ***
+        *******************************
+    -->
+
+    <!--
+        When invoking the targets related to orchestration, a production deployment
+        MUST define the following properties:
+
+        * shared.ws.dir              - the full path the to the shared workspace on the orchestration machine
+        * node.fqdn                  - the fully-qualified domain name of the remote (signing) node
+        * compare.ws.dir             - workspace where the compare jobs get their input
+        * node.to.publish            - node from which we take signed products to publish
+
+        The following properties MUST be provided as arguments when invoking the targets that make use of them:
+
+        * jenkins.url.to.trigger.signing     - full URL to trigger the Jenkins task responsible for signing
+        * jenkins.url.to.trigger.publication - full URL to trigger the Jenkins task responsible for publication
+    -->
+
+    <!-- git config -->
+    <property name="git.repo.project.products" value="ukf-products"/>
+
+    <!-- directories on the orchestration machine -->
+    <property name="build.dir" value="${shared.ws.dir}/build"/>
+    <property name="tooling.dir" value="${shared.ws.dir}/ukf-meta"/>
+    <property name="aggregates.dir" value="${shared.ws.dir}/${git.repo.project.products}/aggregates"/>
+    <property name="select.dir" value="${compare.ws.dir}/${node.to.publish}"/>
+
+    <!-- remote working directory may not be the same as the orchestrator (they are the same in production) -->
+    <property name="remote.ws.dir" value="${shared.ws.dir}"/>
+    <property name="remote.build.dir" value="${remote.ws.dir}/build"/>
+    <property name="remote.tooling.dir" value="${remote.ws.dir}/ukf-meta"/>
+
+    <!-- properties relating to the remote node -->
+    <property name="node.user" value="ukf-signing"/>
+    <property name="node.build.dir.url" value="${node.user}@${node.fqdn}:${remote.build.dir}"/>
+    <property name="node.tooling.dir.url" value="${node.user}@${node.fqdn}:${remote.tooling.dir}"/>
+
+    <!-- filenames of the unsigned aggregates -->
+    <property name="md.prod.unsigned"   value="ukfederation-metadata-unsigned.xml"/>
+    <property name="md.test.unsigned"   value="ukfederation-test-unsigned.xml"/>
+    <property name="md.export.unsigned" value="ukfederation-export-unsigned.xml"/>
+    <property name="md.export.preview.unsigned"
+                                        value="ukfederation-export-preview-unsigned.xml"/>
+    <property name="md.back.unsigned"   value="ukfederation-back-unsigned.xml"/>
+    <property name="md.wayf.unsigned"   value="ukfederation-wayf-unsigned.xml"/>
+    <property name="md.cdsall.unsigned" value="ukfederation-cdsall-unsigned.xml"/>
+    <property name="md.wugen.unsigned"  value="ukfederation-wugen-unsigned.xml"/>
+
+    <!-- filenames of the signed aggregates -->
+    <property name="md.prod.signed"   value="ukfederation-metadata.xml"/>
+    <property name="md.test.signed"   value="ukfederation-test.xml"/>
+    <property name="md.export.signed" value="ukfederation-export.xml"/>
+    <property name="md.export.preview.signed"
+                                        value="ukfederation-export-preview.xml"/>
+    <property name="md.back.signed"   value="ukfederation-back.xml"/>
+    <property name="md.wayf.signed"   value="ukfederation-wayf.xml"/>
+    <property name="md.cdsall.signed" value="ukfederation-cdsall.xml"/>
+    <property name="md.wugen.signed"  value="ukfederation-wugen.xml"/>
+
+    <!-- other files -->
+    <property name="mdq.cache" value="mdqcache.tar.gz"/>
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   O R C H E S T R A T I O N   ***
+        ***                               ***
+        *************************************
+    -->
+
+    <!--
+        Some conventions:
+
+        * targets whose names start "process." are expected to be run by Jenkins
+        * run git.pull.all in a separate "invoke ant" step before each of Jenkins targets are run
+        * inline targets as much as possible
+    -->
+
+    <!-- Step 3.0 runs on node -->
+    <target name="process.clear.build.dir">
+        <echo>Clearing build directory on node.</echo>
+        <delete includeemptydirs="true">
+            <fileset dir="${remote.build.dir}" includes="**/*"/>
+        </delete>
+        <echo>Output directory on node cleared.</echo>
+    </target>
+
+    <!-- Step 3.1 runs on orchestrator -->
+    <target name="process.transfer.files.to.node" depends="
+        fs.copy.tooling.to.node,
+        fs.copy.unsigned.aggregates.to.node">
+        <echo>Files transferred to node.</echo>
+    </target>
+
+    <target name="fs.copy.tooling.to.node">
+        <echo>Copying tooling from orchestrator ${tooling.dir} to ${node.tooling.dir.url}</echo>
+        <exec executable="rsync" dir="${tooling.dir}" failonerror="true">
+            <arg value="-a"/>
+            <arg value="--delete"/>
+            <arg value="--delete-excluded"/>
+            <!-- use ssh with default identity and known_hosts -->
+            <arg value="-e"/>
+            <arg value="ssh"/>
+            <!-- exclude .files and .direectories -->
+            <arg value="--exclude"/>
+            <arg value=".git"/>
+            <arg value="--exclude"/>
+            <arg value="charting"/>
+            <!-- the input files -->
+            <arg value="${tooling.dir}/"/>
+            <!-- remote directory must be last argument -->
+            <arg value="${node.tooling.dir.url}"/>
+        </exec>
+    </target>
+
+    <target name="fs.copy.unsigned.aggregates.to.node">
+        <echo>Copying unsigned aggregates from orchestrator ${build.dir} to ${node.build.dir.url}</echo>
+        <exec executable="rsync" dir="${build.dir}" failonerror="true">
+            <arg value="-a"/>
+            <!-- use ssh with default identity and known_hosts -->
+            <arg value="-e"/>
+            <arg value="ssh"/>
+            <!-- the input files -->
+            <arg value="${md.prod.unsigned}"/>
+            <arg value="${md.test.unsigned}"/>
+            <arg value="${md.export.unsigned}"/>
+            <arg value="${md.export.preview.unsigned}"/>
+            <arg value="${md.back.unsigned}"/>
+            <arg value="${md.wayf.unsigned}"/>
+            <arg value="${md.cdsall.unsigned}"/>
+            <arg value="${md.wugen.unsigned}"/>
+            <!-- remote directory must be last argument -->
+            <arg value="${node.build.dir.url}"/>
+        </exec>
+    </target>
+
+    <!-- Step 3.2 sign and verify is not orchestration -->
+
+    <!-- Step 4.1.1 create MDQ cache is not orchestration -->
+
+    <!-- Step 4.1.2 sign MDQ all entities is not orchestration -->
+
+    <!-- Step 4.1.3 create tarfile of signed MDQ products is no orchestration -->
+
+    <!-- Step 4.2 collates products (signed and otherwise) on orchestrator -->
+    <target name="process.collate.products.on.orchestrator" depends="
+        fs.rsync.products.from.node,
+        fs.rsync.mdqcache.from.node">
+        <echo>Collated products on orchestrator</echo>
+    </target>
+
+    <target name="fs.rsync.products.from.node">
+        <echo>Copying signed products from node</echo>
+            <exec executable="rsync" dir="${aggregates.dir}" failonerror="true">
+            <arg value="-a"/>
+            <!-- use ssh with default identity and known_hosts -->
+            <arg value="-e"/>
+            <arg value="ssh"/>
+            <!-- source files on remote node -->
+            <arg value="${node.build.dir.url}/${md.prod.signed}"/>
+            <arg value="${node.build.dir.url}/${md.test.signed}"/>
+            <arg value="${node.build.dir.url}/${md.export.signed}"/>
+            <arg value="${node.build.dir.url}/${md.export.preview.signed}"/>
+            <arg value="${node.build.dir.url}/${md.back.signed}"/>
+            <arg value="${node.build.dir.url}/${md.wayf.signed}"/>
+            <arg value="${node.build.dir.url}/${md.cdsall.signed}"/>
+            <arg value="${node.build.dir.url}/${md.wugen.signed}"/>
+            <!-- bring them back to orchestrator working directory -->
+            <arg value="${aggregates.dir}"/>
+        </exec>
+    </target>
+
+    <target name="fs.rsync.mdqcache.from.node">
+        <echo>Copying mdqcache from node</echo>
+            <exec executable="rsync" dir="${build.dir}" failonerror="true">
+            <arg value="-a"/>
+            <!-- use ssh with default identity and known_hosts -->
+            <arg value="-e"/>
+            <arg value="ssh"/>
+            <!-- source files on remote node -->
+            <arg value="${node.build.dir.url}/${mdq.cache}"/>
+            <!-- bring them back to orchestrator working directory -->
+            <arg value="${build.dir}"/>
+        </exec>
+    </target>
+
+    <!-- Step SELECT copies the signed products to the appropriate directories -->
+    <target name="fs.select.signed.products">
+        <echo>Copying mdqcache to output directory in orchestrator's workspace</echo>
+        <copy todir="${build.dir}" file="${select.dir}/${mdq.cache}"/>
+        <echo>Copying signed aggregates to orchestrator's ukf-products repository</echo>
+        <copy todir="${aggregates.dir}" file="${select.dir}/${md.prod.signed}"/>
+        <copy todir="${aggregates.dir}" file="${select.dir}/${md.test.signed}"/>
+        <copy todir="${aggregates.dir}" file="${select.dir}/${md.export.signed}"/>
+        <copy todir="${aggregates.dir}" file="${select.dir}/${md.export.preview.signed}"/>
+        <copy todir="${aggregates.dir}" file="${select.dir}/${md.back.signed}"/>
+        <copy todir="${aggregates.dir}" file="${select.dir}/${md.wayf.signed}"/>
+        <copy todir="${aggregates.dir}" file="${select.dir}/${md.cdsall.signed}"/>
+        <copy todir="${aggregates.dir}" file="${select.dir}/${md.wugen.signed}"/>
+    </target>
+
+    <!-- Step 5 transfer files back to repo uses the original build.xml -->
+
+    <!--
+        *******************************
+        ***                         ***
+        ***   M I S C E L L A N Y   ***
+        ***                         ***
+        *******************************
+    -->
+
+    <target name="echoproperties">
+        <echo>All properties:</echo>
+        <echoproperties/>
+    </target>
+
+</project>
diff --git a/preprod.properties b/preprod.properties
index c71ba326..e91a0140 100644
--- a/preprod.properties
+++ b/preprod.properties
@@ -4,11 +4,6 @@
 # Properties defined for the env=preprod deployment environment.
 #
 
-#
-# Use the PKCS#11 provider for signatures.
-#
-sign.uk.keystoreProvider = sun.security.pkcs11.SunPKCS11
-
 #
 # Location of the PKCS#11 configuration file for the Thales HSM.
 #
diff --git a/prod.properties b/prod.properties
index 3a1090b6..41f3b326 100644
--- a/prod.properties
+++ b/prod.properties
@@ -4,11 +4,6 @@
 # Properties defined for the env=prod deployment environment.
 #
 
-#
-# Use the PKCS#11 provider for signatures.
-#
-sign.uk.keystoreProvider = sun.security.pkcs11.SunPKCS11
-
 #
 # Location of the PKCS#11 configuration file for the Thales HSM.
 #
diff --git a/tests/manual/ukf-meta-352/README.md b/tests/manual/ukf-meta-352/README.md
new file mode 100644
index 00000000..b1636678
--- /dev/null
+++ b/tests/manual/ukf-meta-352/README.md
@@ -0,0 +1,8 @@
+
+Manual tests for checking Sirtfi version 2 conformance
+
+Run the following bash command in this directory to see the thrown errors
+
+```bash
+for i in *.xml; do echo $i; xsltproc ../../../mdx/_rules/check_sirtfi2.xsl $i; done
+```
diff --git a/tests/manual/ukf-meta-352/both-entity-attributes-as-spec.xml b/tests/manual/ukf-meta-352/both-entity-attributes-as-spec.xml
new file mode 100644
index 00000000..9dfb6ece
--- /dev/null
+++ b/tests/manual/ukf-meta-352/both-entity-attributes-as-spec.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:remd="http://refeds.org/metadata"
+    entityID="https://example.ac.uk/both-entity-attributes-as-spec">
+    <Extensions>
+        <mdattr:EntityAttributes>
+            <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+                <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
+                <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+    </Extensions>
+</EntityDescriptor>
diff --git a/tests/manual/ukf-meta-352/both-entity-attributes-separate-attributes.xml b/tests/manual/ukf-meta-352/both-entity-attributes-separate-attributes.xml
new file mode 100644
index 00000000..b659e1cf
--- /dev/null
+++ b/tests/manual/ukf-meta-352/both-entity-attributes-separate-attributes.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:remd="http://refeds.org/metadata"
+    entityID="https://example.ac.uk/both-entity-attributes-separate-attributes">
+    <Extensions>
+        <mdattr:EntityAttributes>
+            <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+                <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
+            </saml:Attribute>
+            <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+                <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+    </Extensions>
+</EntityDescriptor>
diff --git a/tests/manual/ukf-meta-352/correctly-specified.xml b/tests/manual/ukf-meta-352/correctly-specified.xml
new file mode 100644
index 00000000..8f94a096
--- /dev/null
+++ b/tests/manual/ukf-meta-352/correctly-specified.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:remd="http://refeds.org/metadata"
+    entityID="https://example.ac.uk/correctly-specified">
+    <Extensions>
+        <mdattr:EntityAttributes>
+            <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+                <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
+                <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+    </Extensions>
+    <ContactPerson contactType="other"
+        remd:contactType="http://refeds.org/metadata/contactType/security">
+       <GivenName>Name of the security contact</GivenName>
+       <EmailAddress>mailto:csirt@example.ac.uk</EmailAddress>
+    </ContactPerson>
+</EntityDescriptor>
diff --git a/tests/manual/ukf-meta-352/entity-attribute-contact-with-email.xml b/tests/manual/ukf-meta-352/entity-attribute-contact-with-email.xml
new file mode 100644
index 00000000..c4e31921
--- /dev/null
+++ b/tests/manual/ukf-meta-352/entity-attribute-contact-with-email.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:remd="http://refeds.org/metadata"
+    entityID="https://example.ac.uk/entity-attribute-contact-with-email">
+    <Extensions>
+        <mdattr:EntityAttributes>
+            <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+                <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+    </Extensions>
+    <ContactPerson contactType="other"
+        remd:contactType="http://refeds.org/metadata/contactType/security">
+       <EmailAddress>mailto:csirt@example.ac.uk</EmailAddress>
+    </ContactPerson>
+</EntityDescriptor>
diff --git a/tests/manual/ukf-meta-352/entity-attribute-contact-with-givenname.xml b/tests/manual/ukf-meta-352/entity-attribute-contact-with-givenname.xml
new file mode 100644
index 00000000..4463e155
--- /dev/null
+++ b/tests/manual/ukf-meta-352/entity-attribute-contact-with-givenname.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:remd="http://refeds.org/metadata"
+    entityID="https://example.ac.uk/entity-attribute-contact-with-givenname">
+    <Extensions>
+        <mdattr:EntityAttributes>
+            <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+                <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+    </Extensions>
+    <ContactPerson contactType="other"
+        remd:contactType="http://refeds.org/metadata/contactType/security">
+       <GivenName>Name of the security contact</GivenName>
+    </ContactPerson>
+</EntityDescriptor>
diff --git a/tests/manual/ukf-meta-352/no-sirtfi-v1.xml b/tests/manual/ukf-meta-352/no-sirtfi-v1.xml
new file mode 100644
index 00000000..5cc6f845
--- /dev/null
+++ b/tests/manual/ukf-meta-352/no-sirtfi-v1.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:remd="http://refeds.org/metadata"
+    entityID="https://example.ac.uk/no-sirtfi-v1">
+    <Extensions>
+        <mdattr:EntityAttributes>
+            <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+                <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+    </Extensions>
+    <ContactPerson contactType="other"
+        remd:contactType="http://refeds.org/metadata/contactType/security">
+       <GivenName>Name of the security contact</GivenName>
+       <EmailAddress>mailto:csirt@example.ac.uk</EmailAddress>
+    </ContactPerson>
+</EntityDescriptor>
diff --git a/tests/manual/ukf-meta-352/only-entity-attribute.xml b/tests/manual/ukf-meta-352/only-entity-attribute.xml
new file mode 100644
index 00000000..9b140613
--- /dev/null
+++ b/tests/manual/ukf-meta-352/only-entity-attribute.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:remd="http://refeds.org/metadata"
+    entityID="https://example.ac.uk/only-entity-attribute">
+    <Extensions>
+        <mdattr:EntityAttributes>
+            <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+                <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+    </Extensions>
+</EntityDescriptor>
diff --git a/tools/aggregator-cli-0.9.2/lib/aggregator-cli-0.9.2.jar b/tools/aggregator-cli-0.9.2/lib/aggregator-cli-0.9.2.jar
deleted file mode 100644
index 8b607aa9..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/aggregator-cli-0.9.2.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/aggregator-pipeline-0.9.2.jar b/tools/aggregator-cli-0.9.2/lib/aggregator-pipeline-0.9.2.jar
deleted file mode 100644
index b08c5cbd..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/aggregator-pipeline-0.9.2.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/aopalliance-1.0.jar b/tools/aggregator-cli-0.9.2/lib/aopalliance-1.0.jar
deleted file mode 100644
index 578b1a0c..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/aopalliance-1.0.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/bcprov-jdk15on-1.53.jar b/tools/aggregator-cli-0.9.2/lib/bcprov-jdk15on-1.53.jar
deleted file mode 100644
index c9fbafba..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/bcprov-jdk15on-1.53.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/commons-codec-1.10.jar b/tools/aggregator-cli-0.9.2/lib/commons-codec-1.10.jar
deleted file mode 100644
index 1d7417c4..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/commons-codec-1.10.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/cryptacular-1.0.jar b/tools/aggregator-cli-0.9.2/lib/cryptacular-1.0.jar
deleted file mode 100644
index 0b8abab6..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/cryptacular-1.0.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/guava-29.0-jre.jar b/tools/aggregator-cli-0.9.2/lib/guava-29.0-jre.jar
deleted file mode 100644
index e1fc1791..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/guava-29.0-jre.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/httpclient-4.3.6.jar b/tools/aggregator-cli-0.9.2/lib/httpclient-4.3.6.jar
deleted file mode 100644
index 091498c9..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/httpclient-4.3.6.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/httpclient-cache-4.3.6.jar b/tools/aggregator-cli-0.9.2/lib/httpclient-cache-4.3.6.jar
deleted file mode 100644
index 16acbece..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/httpclient-cache-4.3.6.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/httpcore-4.3.3.jar b/tools/aggregator-cli-0.9.2/lib/httpcore-4.3.3.jar
deleted file mode 100644
index a8747b0c..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/httpcore-4.3.3.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/java-support-7.2.0.jar b/tools/aggregator-cli-0.9.2/lib/java-support-7.2.0.jar
deleted file mode 100644
index f4be76a1..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/java-support-7.2.0.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/jcl-over-slf4j-1.7.12.jar b/tools/aggregator-cli-0.9.2/lib/jcl-over-slf4j-1.7.12.jar
deleted file mode 100644
index 64ec66f2..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/jcl-over-slf4j-1.7.12.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/jcommander-1.48.jar b/tools/aggregator-cli-0.9.2/lib/jcommander-1.48.jar
deleted file mode 100644
index ad0a12c9..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/jcommander-1.48.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/joda-time-2.9.jar b/tools/aggregator-cli-0.9.2/lib/joda-time-2.9.jar
deleted file mode 100644
index 340af06a..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/joda-time-2.9.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/jsr305-3.0.1.jar b/tools/aggregator-cli-0.9.2/lib/jsr305-3.0.1.jar
deleted file mode 100644
index 021df892..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/jsr305-3.0.1.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/logback-classic-1.1.3.jar b/tools/aggregator-cli-0.9.2/lib/logback-classic-1.1.3.jar
deleted file mode 100644
index c5ecdeb5..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/logback-classic-1.1.3.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/logback-core-1.1.3.jar b/tools/aggregator-cli-0.9.2/lib/logback-core-1.1.3.jar
deleted file mode 100644
index c776e4a0..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/logback-core-1.1.3.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/slf4j-api-1.7.12.jar b/tools/aggregator-cli-0.9.2/lib/slf4j-api-1.7.12.jar
deleted file mode 100644
index 51e2fad1..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/slf4j-api-1.7.12.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/spring-aop-4.2.3.RELEASE.jar b/tools/aggregator-cli-0.9.2/lib/spring-aop-4.2.3.RELEASE.jar
deleted file mode 100644
index 99e8d0b0..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/spring-aop-4.2.3.RELEASE.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/spring-beans-4.2.3.RELEASE.jar b/tools/aggregator-cli-0.9.2/lib/spring-beans-4.2.3.RELEASE.jar
deleted file mode 100644
index 801c67b5..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/spring-beans-4.2.3.RELEASE.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/spring-context-4.2.3.RELEASE.jar b/tools/aggregator-cli-0.9.2/lib/spring-context-4.2.3.RELEASE.jar
deleted file mode 100644
index 3dd244e8..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/spring-context-4.2.3.RELEASE.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/spring-core-4.2.3.RELEASE.jar b/tools/aggregator-cli-0.9.2/lib/spring-core-4.2.3.RELEASE.jar
deleted file mode 100644
index c38bc9a3..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/spring-core-4.2.3.RELEASE.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/spring-expression-4.2.3.RELEASE.jar b/tools/aggregator-cli-0.9.2/lib/spring-expression-4.2.3.RELEASE.jar
deleted file mode 100644
index 54baeb37..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/spring-expression-4.2.3.RELEASE.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/spring-extensions-5.2.0.jar b/tools/aggregator-cli-0.9.2/lib/spring-extensions-5.2.0.jar
deleted file mode 100644
index 9267fded..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/spring-extensions-5.2.0.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/stax-api-1.0-2.jar b/tools/aggregator-cli-0.9.2/lib/stax-api-1.0-2.jar
deleted file mode 100644
index 015169dc..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/stax-api-1.0-2.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/stax2-api-3.1.4.jar b/tools/aggregator-cli-0.9.2/lib/stax2-api-3.1.4.jar
deleted file mode 100644
index dded0369..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/stax2-api-3.1.4.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/woodstox-core-asl-4.4.1.jar b/tools/aggregator-cli-0.9.2/lib/woodstox-core-asl-4.4.1.jar
deleted file mode 100644
index d8b4e8cf..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/woodstox-core-asl-4.4.1.jar and /dev/null differ
diff --git a/tools/aggregator-cli-0.9.2/lib/xmlsec-2.0.5.jar b/tools/aggregator-cli-0.9.2/lib/xmlsec-2.0.5.jar
deleted file mode 100644
index 9bc7db6c..00000000
Binary files a/tools/aggregator-cli-0.9.2/lib/xmlsec-2.0.5.jar and /dev/null differ
diff --git a/tools/inc-mda/inc-mda-0.9.1.jar b/tools/inc-mda/inc-mda-0.9.1.jar
deleted file mode 100644
index 2a5f3b8d..00000000
Binary files a/tools/inc-mda/inc-mda-0.9.1.jar and /dev/null differ
diff --git a/tools/lib/jakarta.activation-2.0.1.jar b/tools/lib/jakarta.activation-2.0.1.jar
new file mode 100644
index 00000000..521c7c49
Binary files /dev/null and b/tools/lib/jakarta.activation-2.0.1.jar differ
diff --git a/tools/lib/jakarta.xml.bind-api-2.3.2.jar b/tools/lib/jakarta.xml.bind-api-2.3.2.jar
deleted file mode 100644
index b16236d5..00000000
Binary files a/tools/lib/jakarta.xml.bind-api-2.3.2.jar and /dev/null differ
diff --git a/tools/lib/jakarta.xml.bind-api-3.0.1.jar b/tools/lib/jakarta.xml.bind-api-3.0.1.jar
new file mode 100644
index 00000000..f890cba5
Binary files /dev/null and b/tools/lib/jakarta.xml.bind-api-3.0.1.jar differ
diff --git a/tools/lib/jaxb-core-3.0.1.jar b/tools/lib/jaxb-core-3.0.1.jar
new file mode 100644
index 00000000..cf41ede9
Binary files /dev/null and b/tools/lib/jaxb-core-3.0.1.jar differ
diff --git a/tools/lib/jaxb-runtime-2.3.2.jar b/tools/lib/jaxb-runtime-2.3.2.jar
deleted file mode 100644
index 62f87196..00000000
Binary files a/tools/lib/jaxb-runtime-2.3.2.jar and /dev/null differ
diff --git a/tools/lib/jaxb-runtime-3.0.2.jar b/tools/lib/jaxb-runtime-3.0.2.jar
new file mode 100644
index 00000000..6f869c4a
Binary files /dev/null and b/tools/lib/jaxb-runtime-3.0.2.jar differ
diff --git a/tools/aggregator-cli-0.9.2/cpappend.bat b/tools/mda-distribution-0.10.0/cpappend.bat
similarity index 96%
rename from tools/aggregator-cli-0.9.2/cpappend.bat
rename to tools/mda-distribution-0.10.0/cpappend.bat
index bafe1398..5e7ef33f 100755
--- a/tools/aggregator-cli-0.9.2/cpappend.bat
+++ b/tools/mda-distribution-0.10.0/cpappend.bat
@@ -1,17 +1,17 @@
-rem ---------------------------------------------------------------------------
-rem Append to CLASSPATH
-rem ---------------------------------------------------------------------------
-
-rem Process the first argument
-if ""%1"" == """" goto end
-set LOCALCLASSPATH=%LOCALCLASSPATH%;%1
-shift
-
-rem Process the remaining arguments
-:setArgs
-if ""%1"" == """" goto doneSetArgs
-set LOCALCLASSPATH=%LOCALCLASSPATH% %1
-shift
-goto setArgs
-:doneSetArgs
-:end
+rem ---------------------------------------------------------------------------
+rem Append to CLASSPATH
+rem ---------------------------------------------------------------------------
+
+rem Process the first argument
+if ""%1"" == """" goto end
+set LOCALCLASSPATH=%LOCALCLASSPATH%;%1
+shift
+
+rem Process the remaining arguments
+:setArgs
+if ""%1"" == """" goto doneSetArgs
+set LOCALCLASSPATH=%LOCALCLASSPATH% %1
+shift
+goto setArgs
+:doneSetArgs
+:end
diff --git a/tools/aggregator-cli-0.9.2/doc/LICENSE.txt b/tools/mda-distribution-0.10.0/doc/LICENSE.txt
similarity index 100%
rename from tools/aggregator-cli-0.9.2/doc/LICENSE.txt
rename to tools/mda-distribution-0.10.0/doc/LICENSE.txt
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/README.md b/tools/mda-distribution-0.10.0/doc/wiki/README.md
new file mode 100644
index 00000000..0ad9343c
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/README.md
@@ -0,0 +1,31 @@
+# Wiki Configuration Examples
+
+This directory contains copies of the [configuration examples][wiki:examples]
+provided on the wiki. The intention is to make it easier to keep them up to date
+with new releases by having test data available alongside them.
+
+[wiki:examples]: https://wiki.shibboleth.net/confluence/display/MA1/Configuration+Examples
+
+- [Aggregate and Sign](https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/1501823071/Aggregate+and+Sign)
+
+    `.../mda.sh aggregate-and-sign.xml main`
+
+- [Filter Aggregate](https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/1501823090/Filter+Aggregate)
+
+    `.../mda.sh filter-aggregate.xml main`
+
+- [Aggregate and Republish](https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/1501823098/Aggregate+and+Republish)
+
+    `.../mda.sh aggregate-and-republish.xml main`
+
+- [Sign Using PKCS#11 Token](https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/1502216280/Sign+using+PKCS%2311+token)
+
+    `.../mda.sh sign-using-token.xml main`
+
+- [Per-entity Output](https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/1502216310/Per-entity+Output)
+
+    `.../mda.sh per-entity.xml main`
+
+- [Generate Discovery Feed](https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/1552614062/Generate+Discovery+Feed):
+
+    `.../mda.sh discofeed.xml main`
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/aggregate-and-republish.xml b/tools/mda-distribution-0.10.0/doc/wiki/aggregate-and-republish.xml
new file mode 100644
index 00000000..b2627345
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/aggregate-and-republish.xml
@@ -0,0 +1,441 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Note we define a default initialization method at this level just so we don't have to define it
+    on almost every single bean.
+-->
+<beans default-init-method="initialize"
+       xmlns="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:util="http://www.springframework.org/schema/util" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">
+
+    <!-- Import the Standard bean definition resource. -->
+    <!-- See https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/3162439683/Standard+bean+definition+resource -->
+    <import resource="classpath:net/shibboleth/metadata/beans.xml"/>
+
+    <!-- This bean MUST be called "conversionService" to work properly. -->
+    <bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean">
+        <property name="converters">
+            <set>
+                <bean parent="mda.StringToDurationConverter"/>
+                <bean parent="mda.StringToIPRangeConverter"/>
+                <bean parent="mda.BooleanToPredicateConverter"/>
+                <bean parent="mda.StringBooleanToPredicateConverter"/>
+                <bean parent="mda.StringToResourceConverter"/>
+            </set>
+        </property>
+    </bean>
+
+    <!-- Define files/URLs we'll use in this config -->
+
+    <!-- Schema files for the schemas we wish to validate against. -->
+    <bean id="xml-schemaFile" class="java.lang.String">
+        <constructor-arg value="path/to/schema/xml.xsd"/>
+    </bean>
+    <bean id="xml-dsig-core-schemaFile" class="java.lang.String">
+        <constructor-arg value="path/to/schema/xmldsig-core-schema.xsd"/>
+    </bean>
+    <bean id="xenc-schemaFile" class="java.lang.String">
+        <constructor-arg value="path/to/schema/xenc-schema.xsd"/>
+    </bean>
+    <bean id="saml-assertion-schemaFile" class="java.lang.String">
+        <constructor-arg value="path/to/schema/saml-schema-assertion-2.0.xsd"/>
+    </bean>
+    <bean id="saml-md-schemaFile" class="java.lang.String">
+        <constructor-arg value="path/to/schema/saml-schema-metadata-2.0.xsd"/>
+    </bean>
+
+    <bean id="incommonMdUrl" class="java.lang.String">
+        <constructor-arg value="https://mdq.incommon.org/entities"/>
+    </bean>
+    <bean id="incommonCertFile" class="java.io.File">
+        <constructor-arg value="path/to/input/inc-md-cert-mdq.pem"/>
+    </bean>
+    <bean id="ukMdUrl" class="java.lang.String">
+        <constructor-arg value="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"/>
+    </bean>
+    <bean id="ukCertFile" class="java.io.File">
+        <constructor-arg value="path/to/input/ukfederation-2014.pem"/>
+    </bean>
+    <bean id="localMetadataDirectory" class="java.io.File">
+        <constructor-arg value="path/to/input/entities"/>
+    </bean>
+    <bean id="signingKeyFile" class="java.io.File">
+        <constructor-arg value="path/to/secrets/private-key.pem"/>
+    </bean>
+    <bean id="allEntitiesOutputFile" class="java.io.File">
+        <constructor-arg value="path/to/output/all-metadata.xml"/>
+    </bean>
+    <bean id="idpEntitiesOutputFile" class="java.io.File">
+        <constructor-arg value="path/to/output/idp-metadata.xml"/>
+    </bean>
+    <bean id="spEntitiesOutputFile" class="java.io.File">
+        <constructor-arg value="path/to/output/sp-metadata.xml"/>
+    </bean>
+
+    <!-- Define some beans we'll use throughout this config -->
+
+    <bean id="parserPool" parent="mda.BasicParserPool"/>
+    <bean id="httpClientBuilder" parent="mda.HttpClientBuilder"
+          p:connectionDisregardTLSCertificate="true"/>
+    <bean id="httpClient" factory-bean="httpClientBuilder" factory-method="buildClient"/>
+    <bean id="domSerializer" parent="mda.DOMElementSerializer"/>
+    <util:list id="errorStatusClass">
+        <value>#{T(net.shibboleth.metadata.ErrorStatus)}</value>
+    </util:list>
+
+    <bean id="logItemErrors" parent="mda.StatusMetadataLoggingStage"
+          p:id="logItemErrors" p:selectionRequirements-ref="errorStatusClass"/>
+
+    <bean id="removeErrorItems" parent="mda.ItemMetadataFilterStage"
+          p:id="removeErrorItems" p:selectionRequirements-ref="errorStatusClass"/>
+
+    <!--
+        Define a composite stage that is going to be used to check validUntil, disassemble the
+        EntitiesDescriptor, and schema validate each EntityDescriptor.
+    -->
+    <bean id="terminateOnInvalidSignature" parent="mda.ItemMetadataTerminationStage"
+        p:id="terminateOnInvalidSignature" p:selectionRequirements-ref="errorStatusClass"/>
+
+    <bean id="validateValidUntil" parent="mda.ValidateValidUntilStage"
+        p:id="validateValidUntil"/>
+
+    <bean id="disassembleEntitiesDescriptor" parent="mda.EntitiesDescriptorDisassemblerStage"
+        p:id="disassembleEntitiesDescriptor"/>
+
+    <bean id="validateSchema" parent="mda.XMLSchemaValidationStage"
+        p:id="validateSchema">
+        <property name="schemaResources">
+            <util:list>
+                <!--
+                    List schemas in order so that schemas used by others
+                    appear before them in the list.
+                -->
+                <bean class="org.springframework.core.io.FileSystemResource">
+                    <constructor-arg>
+                        <bean class="java.io.File">
+                            <constructor-arg ref="xml-schemaFile"/>
+                        </bean>
+                    </constructor-arg>
+                </bean>
+                <bean class="org.springframework.core.io.FileSystemResource">
+                    <constructor-arg>
+                        <bean class="java.io.File">
+                            <constructor-arg ref="xml-dsig-core-schemaFile"/>
+                        </bean>
+                    </constructor-arg>
+                </bean>
+                <bean class="org.springframework.core.io.FileSystemResource">
+                    <constructor-arg>
+                        <bean class="java.io.File">
+                            <constructor-arg ref="xenc-schemaFile"/>
+                        </bean>
+                    </constructor-arg>
+                </bean>
+                <bean class="org.springframework.core.io.FileSystemResource">
+                    <constructor-arg>
+                        <bean class="java.io.File">
+                            <constructor-arg ref="saml-assertion-schemaFile"/>
+                        </bean>
+                    </constructor-arg>
+                </bean>
+                <bean class="org.springframework.core.io.FileSystemResource">
+                    <constructor-arg>
+                        <bean class="java.io.File">
+                            <constructor-arg ref="saml-md-schemaFile"/>
+                        </bean>
+                    </constructor-arg>
+                </bean>
+            </util:list>
+        </property>
+    </bean>
+
+    <bean id="commonProcessing" parent="mda.CompositeStage"
+        p:id="commonProcessing">
+        <property name="stages">
+            <util:list>
+                <ref bean="logItemErrors"/>
+                <ref bean="terminateOnInvalidSignature"/>
+                <ref bean="validateValidUntil"/>
+                <ref bean="disassembleEntitiesDescriptor"/>
+                <ref bean="validateSchema"/>
+                <!--
+                    Extract entityID attributes as ItemIDs so that we can
+                    remove duplicates when we merge.
+                -->
+                <bean id="extractIDs"
+                    p:id="extractIDs"
+                    parent="mda.EntityDescriptorItemIdPopulationStage"/>
+            </util:list>
+        </property>
+    </bean>
+
+    <!-- Define the pipeline for reading in and performing initial processing on InCommon metadata -->
+
+    <bean id="readIncommonMetadta" parent="mda.DOMResourceSourceStage"
+        p:id="readIncommonMetadta" p:parserPool-ref="parserPool">
+        <property name="DOMResource">
+            <bean parent="mda.HTTPResource">
+                <constructor-arg ref="httpClient"/>
+                <constructor-arg ref="incommonMdUrl"/>
+            </bean>
+        </property>
+    </bean>
+
+    <bean id="validateIncommonSignature" parent="mda.XMLSignatureValidationStage"
+        p:id="validateIncommonSignature">
+        <property name="verificationCertificate">
+            <bean parent="mda.X509CertificateFactoryBean">
+                <property name="resource">
+                    <bean class="org.springframework.core.io.FileSystemResource">
+                        <constructor-arg ref="incommonCertFile"/>
+                    </bean>
+                </property>
+            </bean>
+        </property>
+    </bean>
+
+    <bean id="incommonInput" parent="mda.SimplePipeline"
+        p:id="incommonInput">
+        <property name="stages">
+            <util:list>
+                <ref bean="readIncommonMetadta"/>
+                <ref bean="validateIncommonSignature"/>
+                <ref bean="commonProcessing"/>
+            </util:list>
+        </property>
+    </bean>
+
+    <!-- Define the pipeline for reading in and performing initial processing on UK metadata -->
+
+    <bean id="readUkMetadata" parent="mda.DOMResourceSourceStage"
+        p:id="readUkMetadata" p:parserPool-ref="parserPool">
+        <property name="DOMResource">
+            <bean parent="mda.HTTPResource">
+                <constructor-arg ref="httpClient"/>
+                <constructor-arg ref="ukMdUrl"/>
+            </bean>
+        </property>
+    </bean>
+
+    <bean id="validateUkSignature" parent="mda.XMLSignatureValidationStage"
+        p:id="validateUkSignature">
+        <property name="verificationCertificate">
+            <bean parent="mda.X509CertificateFactoryBean">
+                <property name="resource">
+                    <bean class="org.springframework.core.io.FileSystemResource">
+                        <constructor-arg ref="ukCertFile"/>
+                    </bean>
+                </property>
+            </bean>
+        </property>
+    </bean>
+
+    <bean id="ukInput" parent="mda.SimplePipeline"
+        p:id="ukInput">
+        <property name="stages">
+            <util:list>
+                <ref bean="readUkMetadata"/>
+                <ref bean="validateUkSignature"/>
+                <ref bean="commonProcessing"/>
+            </util:list>
+        </property>
+    </bean>
+
+    <!-- Define the pipeline for reading in local metadata and performing initial processing on it-->
+
+    <bean id="readLocalMetadata" parent="mda.DOMFilesystemSourceStage"
+        p:id="readLocalMetadata" p:parserPool-ref="parserPool" p:source-ref="localMetadataDirectory"/>
+
+    <bean id="localInput" parent="mda.SimplePipeline"
+        p:id="localInput">
+        <property name="stages">
+            <util:list>
+                <ref bean="readLocalMetadata"/>
+                <ref bean="commonProcessing"/>
+            </util:list>
+        </property>
+    </bean>
+
+    <!--
+        Pipeline that will produce an EntitiesDescriptor containing all entities, add a valid until
+        restriction to it, sign it, and write it out to a file.
+    -->
+
+    <bean id="buildEntitiesDecriptor" parent="mda.EntitiesDescriptorAssemblerStage"
+        p:id="buildEntitiesDecriptor"/>
+
+    <bean id="addValidUntil" parent="mda.SetValidUntilStage"
+        p:id="addValidUntil" p:validityDuration="P28D"/>
+
+    <bean id="generateContentReferenceId" parent="mda.GenerateIdStage">
+        <property name="id" value="generateContentReferenceId"/>
+    </bean>
+
+    <bean id="signEntitiesDescriptor" parent="mda.XMLSignatureSigningStage"
+        p:id="signEntitiesDescriptor">
+        <property name="privateKey">
+            <bean parent="mda.PrivateKeyFactoryBean">
+                <property name="resource">
+                    <bean class="org.springframework.core.io.FileSystemResource">
+                        <constructor-arg ref="signingKeyFile"/>
+                    </bean>
+                </property>
+            </bean>
+        </property>
+    </bean>
+
+    <bean id="serializeAll" parent="mda.SerializationStage"
+        p:id="serializeAll" p:outputFile-ref="allEntitiesOutputFile" p:serializer-ref="domSerializer"/>
+
+    <bean id="outputAll" parent="mda.SimplePipeline"
+        p:id="outputAll" >
+        <property name="stages">
+            <util:list>
+                <ref bean="buildEntitiesDecriptor"/>
+                <ref bean="addValidUntil"/>
+                <ref bean="generateContentReferenceId"/>
+                <ref bean="signEntitiesDescriptor"/>
+                <ref bean="serializeAll"/>
+            </util:list>
+        </property>
+    </bean>
+
+    <!--
+        Pipeline that will produce an EntitiesDescriptor containing IdP entities, add a valid until
+        restriction to it, sign it, and write it out to a file.
+    -->
+
+    <bean id="retainIdPs" parent="mda.EntityRoleFilterStage"
+        p:id="retainIdPs" p:keepingRoles="true">
+        <property name="designatedRoles">
+            <util:list>
+                <bean class="javax.xml.namespace.QName">
+                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
+                    <constructor-arg value="IDPSSODescriptor"/>
+                </bean>
+                <bean class="javax.xml.namespace.QName">
+                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
+                    <constructor-arg value="AttributeAuthorityDescriptor"/>
+                </bean>
+            </util:list>
+        </property>
+    </bean>
+
+    <bean id="serializeIdPs" parent="mda.SerializationStage"
+        p:id="serializeIdPs" p:outputFile-ref="idpEntitiesOutputFile" p:serializer-ref="domSerializer"/>
+
+    <bean id="outputIdPs" parent="mda.SimplePipeline"
+        p:id="outputIdPs">
+        <property name="stages">
+            <util:list>
+                <ref bean="retainIdPs"/>
+                <ref bean="buildEntitiesDecriptor"/>
+                <ref bean="addValidUntil"/>
+                <ref bean="generateContentReferenceId"/>
+                <ref bean="signEntitiesDescriptor"/>
+                <ref bean="serializeIdPs"/>
+            </util:list>
+        </property>
+    </bean>
+
+    <!--
+        Pipeline that will produce an EntitiesDescriptor containing SP entities, add a valid until
+        restriction to it, sign it, and write it out to a file.
+    -->
+    <bean id="retainSPs" parent="mda.EntityRoleFilterStage"
+        p:id="retainSPs" p:keepingRoles="true">
+        <property name="designatedRoles">
+            <util:list>
+                <bean class="javax.xml.namespace.QName">
+                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
+                    <constructor-arg value="SPSSODescriptor"/>
+                </bean>
+            </util:list>
+        </property>
+    </bean>
+
+    <bean id="serializeSPs" parent="mda.SerializationStage"
+        p:id="serializeSPs" p:outputFile-ref="spEntitiesOutputFile" p:serializer-ref="domSerializer"/>
+
+    <bean id="outputSPs" parent="mda.SimplePipeline"
+        p:id="outputSPs">
+        <property name="stages">
+            <util:list>
+                <ref bean="retainSPs"/>
+                <ref bean="buildEntitiesDecriptor"/>
+                <ref bean="addValidUntil"/>
+                <ref bean="generateContentReferenceId"/>
+                <ref bean="signEntitiesDescriptor"/>
+                <ref bean="serializeSPs"/>
+            </util:list>
+        </property>
+    </bean>
+
+    <!--
+        Merge the entities collected from each input source using a merge
+        strategy which removes duplicates.
+    -->
+    <bean id="mergeInputs" parent="mda.PipelineMergeStage"
+        p:id="mergeInputs">
+        <property name="collectionMergeStrategy">
+            <bean parent="mda.DeduplicatingItemIdMergeStrategy"/>
+        </property>
+        <property name="mergedPipelines">
+            <util:list>
+                <!--
+                    The order of pipelines in this list determines precedence
+                    for the DeduplicatingItemIdMergeStrategy; sources earlier
+                    in the list take precedence. Duplicate entities from later
+                    sources are discarded.
+                -->
+                <ref bean="localInput"/>
+                <ref bean="ukInput"/>
+                <ref bean="incommonInput"/>
+            </util:list>
+        </property>
+    </bean>
+
+    <!--
+        A predicate for matching everything.
+    -->
+    <bean id="matchEverything" class="com.google.common.base.Predicates" factory-method="alwaysTrue"/>
+
+    <bean id="generateOutputs" parent="mda.PipelineDemultiplexerStage"
+        p:id="generateOutputs" p:waitingForPipelines="true">
+        <property name="pipelinesAndStrategies">
+            <util:list>
+                <bean parent="mda.PipelineAndStrategy">
+                    <constructor-arg ref="outputAll"/>
+                    <constructor-arg ref="matchEverything"/>
+                </bean>
+                <bean parent="mda.PipelineAndStrategy">
+                    <constructor-arg ref="outputIdPs"/>
+                    <constructor-arg ref="matchEverything"/>
+                </bean>
+                <bean parent="mda.PipelineAndStrategy">
+                    <constructor-arg ref="outputSPs"/>
+                    <constructor-arg ref="matchEverything"/>
+                </bean>
+            </util:list>
+        </property>
+    </bean>
+
+    <!--
+        Main pipeline that merges all our sources together, logs and removes any items with errors,
+        then outputs three files: one containing everything, one containing only IdPs, and one
+        containing only SPs.  Each file has a validUntil restriction placed on it and is signed.
+    -->
+    <bean id="main" parent="mda.SimplePipeline"
+        p:id="main">
+        <property name="stages">
+            <util:list>
+                <ref bean="mergeInputs"/>
+                <ref bean="logItemErrors"/>
+                <ref bean="removeErrorItems"/>
+                <ref bean="generateOutputs"/>
+            </util:list>
+        </property>
+    </bean>
+
+</beans>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/aggregate-and-sign.xml b/tools/mda-distribution-0.10.0/doc/wiki/aggregate-and-sign.xml
new file mode 100644
index 00000000..68eafdd3
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/aggregate-and-sign.xml
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans default-init-method="initialize"
+       xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+
+    <!-- Import the Standard bean definition resource. -->
+    <!-- See https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/3162439683/Standard+bean+definition+resource -->
+    <import resource="classpath:net/shibboleth/metadata/beans.xml"/>
+
+    <!-- First, we define the stages for our pipeline. -->
+
+    <!-- Import each XML document in the given directory as a separate item for processing. -->
+    <bean id="source" parent="mda.DOMFilesystemSourceStage">
+        <property name="id" value="source"/>
+        <property name="parserPool">
+            <bean parent="mda.BasicParserPool"/>
+        </property>
+        <property name="source">
+            <bean class="java.io.File">
+                <constructor-arg value="path/to/input/entities"/>
+            </bean>
+        </property>
+    </bean>
+
+    <bean id="removeInvalidContactPerson" parent="mda.ContactPersonFilterStage">
+        <property name="id" value="removeInvalidContactPerson"/>
+        <property name="keepingTypes" value="false"/>
+    </bean>
+
+    <bean id="removeOrganization" parent="mda.RemoveOrganizationStage">
+        <property name="id" value="removeOrganization"/>
+    </bean>
+
+    <bean id="createEntitiesDescriptor" parent="mda.EntitiesDescriptorAssemblerStage">
+        <property name="id" value="createEntitiesDescriptor"/>
+    </bean>
+
+    <bean id="generateContentReferenceId" parent="mda.GenerateIdStage">
+        <property name="id" value="generateContentReferenceId" />
+    </bean>
+
+    <bean id="signMetadata" parent="mda.XMLSignatureSigningStage">
+        <property name="id" value="signMetadata"/>
+        <property name="privateKey">
+            <bean parent="mda.PrivateKeyFactoryBean">
+                <property name="resource">
+                    <bean class="org.springframework.core.io.FileSystemResource">
+                        <constructor-arg>
+                            <bean class="java.io.File">
+                                <constructor-arg value="path/to/secrets/private-key.pem"/>
+                            </bean>
+                        </constructor-arg>
+                    </bean>
+                </property>
+            </bean>
+        </property>
+    </bean>
+
+    <bean id="serialize" parent="mda.SerializationStage">
+        <property name="id" value="serializeIdPs"/>
+        <property name="outputFile">
+            <bean class="java.io.File">
+                <constructor-arg value="path/to/output/aggregate-signed.xml"/>
+            </bean>
+        </property>
+        <property name="serializer">
+            <bean id="domSerializer" parent="mda.DOMElementSerializer" />
+        </property>
+    </bean>
+
+    <!-- Next we define a pipeline with all the stages in it -->
+    <bean id="main" parent="mda.SimplePipeline">
+        <property name="id" value="main"/>
+        <property name="stages">
+            <list>
+                <ref bean="source"/>
+                <ref bean="removeInvalidContactPerson"/>
+                <ref bean="removeOrganization"/>
+                <ref bean="createEntitiesDescriptor"/>
+                <ref bean="generateContentReferenceId"/>
+                <ref bean="signMetadata"/>
+                <ref bean="serialize"/>
+            </list>
+        </property>
+    </bean>
+</beans>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/discofeed.xml b/tools/mda-distribution-0.10.0/doc/wiki/discofeed.xml
new file mode 100644
index 00000000..5c8c4dc5
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/discofeed.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    default-lazy-init="true"
+    xmlns:c="http://www.springframework.org/schema/c"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+    <!-- Import the Standard bean definition resource. -->
+    <!-- See https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/3162439683/Standard+bean+definition+resource -->
+    <import resource="classpath:net/shibboleth/metadata/beans.xml"/>
+
+    <!-- Default Shibboleth component bean id property from Spring bean id -->
+    <bean parent="mda.IdentifiableBeanPostProcessor" lazy-init="false"/>
+
+    <bean id="main" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+
+                <!-- Acquire the metadata aggregate. -->
+                <bean id="source" parent="mda.DOMFilesystemSourceStage">
+                    <property name="parserPool">
+                        <bean parent="mda.BasicParserPool"/>
+                    </property>
+                    <property name="source">
+                        <bean class="java.io.File">
+                            <constructor-arg value="path/to/input/aggregate.xml"/>
+                        </bean>
+                    </property>
+                </bean>
+
+                <!-- Disassemble into individual entities. -->
+                <bean id="disassemble" parent="mda.EntitiesDescriptorDisassemblerStage"/>
+
+                <!-- Manipulate the entities being processed: for example, remove some. -->
+                <bean id="removeEntities" parent="mda.EntityFilterStage">
+                    <property name="designatedEntities">
+                        <list>
+                            <value>https://idp.shibboleth.net/idp/shibboleth</value>
+                            <value>https://example.com/idp</value>
+                        </list>
+                    </property>
+                </bean>
+
+                <!-- Serialise as a discovery feed into an output file. -->
+                <bean id="serialize" parent="mda.SerializationStage">
+                    <property name="serializer">
+                        <bean id="discogen" parent="mda.DiscoFeedCollectionSerializer"
+                            p:prettyPrinting="true"
+                            p:includingLegacyDisplayNames="true"/>
+                    </property>
+                    <property name="outputFile">
+                        <bean class="java.io.File">
+                            <constructor-arg value="path/to/output/discofeed.json"/>
+                        </bean>
+                    </property>
+                </bean>
+
+            </list>
+        </property>
+    </bean>
+
+</beans>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/filter-aggregate.xml b/tools/mda-distribution-0.10.0/doc/wiki/filter-aggregate.xml
new file mode 100644
index 00000000..d6e6cf79
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/filter-aggregate.xml
@@ -0,0 +1,151 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans default-init-method="initialize"
+       xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+
+    <bean id="httpClientBuilder" parent="mda.HttpClientBuilder"/>
+    <bean id="httpClient" factory-bean="httpClientBuilder" factory-method="buildClient"/>
+
+    <!-- Import the Standard bean definition resource. -->
+    <!-- See https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/3162439683/Standard+bean+definition+resource -->
+    <import resource="classpath:net/shibboleth/metadata/beans.xml"/>
+
+    <!-- First, we define the stages for our pipeline -->
+
+    <bean id="source" parent="mda.DOMResourceSourceStage">
+        <property name="id" value="source"/>
+        <property name="parserPool">
+            <bean parent="mda.BasicParserPool"/>
+        </property>
+        <property name="DOMResource">
+            <bean parent="mda.HTTPResource">
+                <constructor-arg ref="httpClient"/>
+                <constructor-arg
+                    value="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"/>
+            </bean>
+        </property>
+    </bean>
+
+    <!--
+        Validate the signature on an aggregate. If the signature is not
+        present or cannot be validated, this will add an Error status to
+        the item. This will not by itself result in processing being
+        terminated.
+    -->
+    <bean id="validateSignature" parent="mda.XMLSignatureValidationStage">
+        <property name="id" value="validateSignature"/>
+        <property name="verificationCertificate">
+            <bean parent="mda.X509CertificateFactoryBean">
+                <property name="resource">
+                    <bean class="org.springframework.core.io.FileSystemResource">
+                        <constructor-arg>
+                            <bean class="java.io.File">
+                                <constructor-arg value="path/to/input/ukfederation-2014.pem"/>
+                            </bean>
+                        </constructor-arg>
+                    </bean>
+                </property>
+            </bean>
+        </property>
+    </bean>
+
+    <!--
+        errorAnnouncer
+
+        A pipeline stage that logs any errors present,
+        but takes no action on them.
+    -->
+    <bean id="errorAnnouncer" parent="mda.StatusMetadataLoggingStage">
+        <property name="id" value="errorAnnouncer"/>
+        <property name="selectionRequirements">
+            <list>
+                <value>#{T(net.shibboleth.metadata.ErrorStatus)}</value>
+            </list>
+        </property>
+    </bean>
+
+    <!--
+        errorTerminator
+
+        This pipeline stage causes CLI termination if any item is marked with an error status.
+    -->
+    <bean id="errorTerminator" parent="mda.ItemMetadataTerminationStage">
+        <property name="id" value="errorTerminator"/>
+        <property name="selectionRequirements">
+            <list>
+                <value>#{T(net.shibboleth.metadata.ErrorStatus)}</value>
+            </list>
+        </property>
+    </bean>
+
+    <bean id="removeEntities" parent="mda.EntityFilterStage">
+        <property name="id" value="removeEntities"/>
+        <property name="designatedEntities">
+            <list>
+                <value>https://idp.example.com/idp/shibboleth</value>
+                <value>https://issues.example.com/shibboleth</value>
+                <value>https://wiki.example.com/shibboleth</value>
+            </list>
+        </property>
+    </bean>
+
+    <bean id="removeRoles" parent="mda.EntityRoleFilterStage">
+        <property name="id" value="removeRoles"/>
+        <property name="keepingRoles" value="true"/>
+        <property name="designatedRoles">
+            <list>
+                <bean class="javax.xml.namespace.QName">
+                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
+                    <constructor-arg value="IDPSSODescriptor"/>
+                </bean>
+                <bean class="javax.xml.namespace.QName">
+                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
+                    <constructor-arg value="AttributeAuthorityDescriptor"/>
+                </bean>
+                <bean class="javax.xml.namespace.QName">
+                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
+                    <constructor-arg value="SPSSODescriptor"/>
+                </bean>
+            </list>
+        </property>
+    </bean>
+
+    <bean id="removeInvalidContactPerson" parent="mda.ContactPersonFilterStage">
+        <property name="id" value="removeInvalidContactPerson"/>
+        <property name="keepingTypes" value="false"/>
+    </bean>
+
+    <bean id="removeOrganization" parent="mda.RemoveOrganizationStage">
+        <property name="id" value="removeOrganization"/>
+    </bean>
+
+    <bean id="serialize" parent="mda.SerializationStage">
+        <property name="id" value="serializeIdPs"/>
+        <property name="outputFile">
+            <bean class="java.io.File">
+                <constructor-arg value="path/to/output/output.xml"/>
+            </bean>
+        </property>
+        <property name="serializer">
+            <bean id="domSerializer" parent="mda.DOMElementSerializer"/>
+        </property>
+    </bean>
+
+    <!-- Next we define a pipeline with all the stages in it -->
+    <bean id="main" parent="mda.SimplePipeline">
+        <property name="id" value="main"/>
+        <property name="stages">
+            <list>
+                <ref bean="source"/>
+                <ref bean="validateSignature"/>
+                <ref bean="errorAnnouncer"/>
+                <ref bean="errorTerminator"/>
+                <ref bean="removeEntities"/>
+                <ref bean="removeRoles"/>
+                <ref bean="removeInvalidContactPerson"/>
+                <ref bean="removeOrganization"/>
+                <ref bean="serialize"/>
+            </list>
+        </property>
+    </bean>
+</beans>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/make-keys.sh b/tools/mda-distribution-0.10.0/doc/wiki/make-keys.sh
new file mode 100755
index 00000000..25e439b1
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/make-keys.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/sh
+
+KEYFILE=path/to/secrets/private-key.pem
+CERTFILE=path/to/secrets/self-signed.pem
+P12FILE=path/to/secrets/self-signed.p12
+
+# Generate an RSA private key
+openssl genrsa >$KEYFILE
+chmod 600 $KEYFILE
+
+# Generate a self-signed certificate based on that key
+openssl req -key $KEYFILE -new -x509 -days 365 -out $CERTFILE \
+    -subj "/CN=test-self-signed"
+
+# Create PKCS12 keystore from private key and public certificate.
+openssl pkcs12 -export -name key10 -passout pass:password -in $CERTFILE -inkey $KEYFILE -out $P12FILE
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/aggregate.xml b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/aggregate.xml
new file mode 100644
index 00000000..be311555
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/aggregate.xml
@@ -0,0 +1,458 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:remd="http://refeds.org/metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_" Name="http://ukfederation.org.uk" validUntil="2019-11-07T15:04:35.377Z">
+
+<EntityDescriptor ID="uk000006" entityID="https://idp2.iay.org.uk/idp/shibboleth">
+	<!--
+		This is an "Ian A. Young" IdP for Ian A. Young.
+	-->
+	<Extensions>
+		<ukfedlabel:UKFederationMember/>
+		<shibmd:Scope regexp="false">iay.org.uk</shibmd:Scope>
+
+
+		<mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk" registrationInstant="2007-03-30T16:36:00Z">
+			<mdrpi:RegistrationPolicy xml:lang="en">http://ukfederation.org.uk/doc/mdrps-20130902</mdrpi:RegistrationPolicy>
+		</mdrpi:RegistrationInfo>
+		<mdattr:EntityAttributes>
+			<saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+				<saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
+			</saml:Attribute>
+		</mdattr:EntityAttributes>
+	</Extensions>
+	<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
+		<Extensions>
+			<mdui:UIInfo>
+				<mdui:DisplayName xml:lang="en">Ian A. Young</mdui:DisplayName>
+				<mdui:Description xml:lang="en">This is the identity provider for the iay.org.uk domain.</mdui:Description>
+				<mdui:Logo height="80" width="80">https://idp2.iay.org.uk/images/heads_80x80.jpg</mdui:Logo>
+				<mdui:Logo height="43" width="100">https://idp2.iay.org.uk/images/heads_100x43.jpg</mdui:Logo>
+				<mdui:Logo height="104" width="240">https://idp2.iay.org.uk/images/heads_240x104.jpg</mdui:Logo>
+			</mdui:UIInfo>
+			<mdui:DiscoHints>
+				<mdui:IPHint>217.155.173.104/29</mdui:IPHint>
+				<mdui:DomainHint>iay.org.uk</mdui:DomainHint>
+				<mdui:GeolocationHint>geo:55.9328,-3.17905</mdui:GeolocationHint>
+			</mdui:DiscoHints>
+			<shibmd:Scope regexp="false">iay.org.uk</shibmd:Scope>
+		</Extensions>
+		<KeyDescriptor>
+			<ds:KeyInfo>
+				<ds:X509Data>
+					<ds:X509Certificate>
+						MIIDSTCCAjGgAwIBAgIhAMSPOSGN+3UUTXSKV+2EBOuF3x/pwPX/TD9GfyEkzLp+
+						MA0GCSqGSIb3DQEBBQUAMFgxGDAWBgNVBAMMD2lkcDIuaWF5Lm9yZy51azETMBEG
+						CgmSJomT8ixkARkWA2lheTETMBEGCgmSJomT8ixkARkWA29yZzESMBAGCgmSJomT
+						8ixkARkWAnVrMB4XDTA4MDIyNTEwMzAxNFoXDTI4MDIyNTEwMzAxNFowWDEYMBYG
+						A1UEAwwPaWRwMi5pYXkub3JnLnVrMRMwEQYKCZImiZPyLGQBGRYDaWF5MRMwEQYK
+						CZImiZPyLGQBGRYDb3JnMRIwEAYKCZImiZPyLGQBGRYCdWswggEiMA0GCSqGSIb3
+						DQEBAQUAA4IBDwAwggEKAoIBAQCb6ts48g10XHTnpy+23huzR184aahkrG0AoeUl
+						FVlomPjoFDk6czq0S3Qyd+ceF7tMRu3XzS7cMmtVH53O9d+wCs8aPQcPXxHQ5gLk
+						L7Gu6eJ+3N3jXhpt7/DDPhnzFPNW3EVMueHJ/0IzyspTvq2LPbNWXJ86NKJ+gesZ
+						QftskwXScOjpoJEIP0EA890QYd4WdYtQPqVV+LPKtnYBoGOnuRhSAM1D/EhCbeb0
+						lCmRGcdGbDFBchiPO4VLGl85sLa0EhjxMIPAOKXcj8bBlO9Ww9kkG06kQp6eLHwm
+						Jmt7VNKveCGhyF2QH/CvmdUaPv3gcp1UjrlqFN9LBVSaTIL/AgMBAAEwDQYJKoZI
+						hvcNAQEFBQADggEBAG+jDBAtlKoHaEBB+l6PpW5zuiDjyHG4zZZYqX77mZ9xP/xe
+						Kn0yJ18ZLjS3b9WztGLYyC4SJHSF2okq1K02bqsCv9YeP+UWpw2uRR8jt96lLWxZ
+						jTjoko2v8jBtzDk8LZsqw58m4vZ0AGNZjKeGIywKhxnepwREguyj3bjBpZAGgl0M
+						HQuXoO/BDC9yKyZslE5CpWp5xP4XzY2/LrorrkwOJLnFuk1sox4/gvkDQukUx/jr
+						YRbrWfOjcNBx3LE/HI6RNLINicK7yUwerDE86nix5Zc3hskVcCykW+r6HbY6bx7P
+						YmNKYMZhQAgDtXIjFHOy+WbyVTidmJvxM9UeYCY=
+					</ds:X509Certificate>
+				</ds:X509Data>
+			</ds:KeyInfo>
+		</KeyDescriptor>
+		<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp2.iay.org.uk:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
+		<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp2.iay.org.uk:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
+		<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+		<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+		<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp2.iay.org.uk/idp/profile/Shibboleth/SSO"/>
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp2.iay.org.uk/idp/profile/SAML2/POST/SSO"/>
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp2.iay.org.uk/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp2.iay.org.uk/idp/profile/SAML2/Redirect/SSO"/>
+	</IDPSSODescriptor>
+	<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+		<Extensions>
+			<shibmd:Scope regexp="false">iay.org.uk</shibmd:Scope>
+		</Extensions>
+		<KeyDescriptor>
+			<ds:KeyInfo>
+				<ds:X509Data>
+					<ds:X509Certificate>
+						MIIDSTCCAjGgAwIBAgIhAMSPOSGN+3UUTXSKV+2EBOuF3x/pwPX/TD9GfyEkzLp+
+						MA0GCSqGSIb3DQEBBQUAMFgxGDAWBgNVBAMMD2lkcDIuaWF5Lm9yZy51azETMBEG
+						CgmSJomT8ixkARkWA2lheTETMBEGCgmSJomT8ixkARkWA29yZzESMBAGCgmSJomT
+						8ixkARkWAnVrMB4XDTA4MDIyNTEwMzAxNFoXDTI4MDIyNTEwMzAxNFowWDEYMBYG
+						A1UEAwwPaWRwMi5pYXkub3JnLnVrMRMwEQYKCZImiZPyLGQBGRYDaWF5MRMwEQYK
+						CZImiZPyLGQBGRYDb3JnMRIwEAYKCZImiZPyLGQBGRYCdWswggEiMA0GCSqGSIb3
+						DQEBAQUAA4IBDwAwggEKAoIBAQCb6ts48g10XHTnpy+23huzR184aahkrG0AoeUl
+						FVlomPjoFDk6czq0S3Qyd+ceF7tMRu3XzS7cMmtVH53O9d+wCs8aPQcPXxHQ5gLk
+						L7Gu6eJ+3N3jXhpt7/DDPhnzFPNW3EVMueHJ/0IzyspTvq2LPbNWXJ86NKJ+gesZ
+						QftskwXScOjpoJEIP0EA890QYd4WdYtQPqVV+LPKtnYBoGOnuRhSAM1D/EhCbeb0
+						lCmRGcdGbDFBchiPO4VLGl85sLa0EhjxMIPAOKXcj8bBlO9Ww9kkG06kQp6eLHwm
+						Jmt7VNKveCGhyF2QH/CvmdUaPv3gcp1UjrlqFN9LBVSaTIL/AgMBAAEwDQYJKoZI
+						hvcNAQEFBQADggEBAG+jDBAtlKoHaEBB+l6PpW5zuiDjyHG4zZZYqX77mZ9xP/xe
+						Kn0yJ18ZLjS3b9WztGLYyC4SJHSF2okq1K02bqsCv9YeP+UWpw2uRR8jt96lLWxZ
+						jTjoko2v8jBtzDk8LZsqw58m4vZ0AGNZjKeGIywKhxnepwREguyj3bjBpZAGgl0M
+						HQuXoO/BDC9yKyZslE5CpWp5xP4XzY2/LrorrkwOJLnFuk1sox4/gvkDQukUx/jr
+						YRbrWfOjcNBx3LE/HI6RNLINicK7yUwerDE86nix5Zc3hskVcCykW+r6HbY6bx7P
+						YmNKYMZhQAgDtXIjFHOy+WbyVTidmJvxM9UeYCY=
+					</ds:X509Certificate>
+				</ds:X509Data>
+			</ds:KeyInfo>
+		</KeyDescriptor>
+		<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp2.iay.org.uk:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
+		<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp2.iay.org.uk:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
+		<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+		<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+	</AttributeAuthorityDescriptor>
+	<Organization>
+		<OrganizationName xml:lang="en">Ian A. Young</OrganizationName>
+		<OrganizationDisplayName xml:lang="en">Ian A. Young</OrganizationDisplayName>
+		<OrganizationURL xml:lang="en">http://iay.org.uk/</OrganizationURL>
+	</Organization>
+	<ContactPerson contactType="support">
+		<GivenName>Ian</GivenName>
+		<SurName>Young</SurName>
+		<EmailAddress>mailto:ukfed+fc2ee77e@iay.org.uk</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="technical">
+		<GivenName>Ian</GivenName>
+		<SurName>Young</SurName>
+		<EmailAddress>mailto:ukfed+fc2ee77e@iay.org.uk</EmailAddress>
+	</ContactPerson>
+
+</EntityDescriptor>
+
+<EntityDescriptor ID="uk001480" entityID="https://idp.shibboleth.net/idp/shibboleth">
+	<!--
+		This is a shibboleth.net Shibboleth IdP for Jisc Services Limited. 
+	-->
+	<Extensions>
+		<shibmd:Scope regexp="false">shibboleth.net</shibmd:Scope>
+		<ukfedlabel:UKFederationMember/>
+
+
+		<DigestMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
+		<DigestMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
+		<DigestMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+		<DigestMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+		<SigningMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+		<SigningMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
+		<SigningMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+		<SigningMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+		<mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk" registrationInstant="2011-01-06T16:22:29Z">
+			<mdrpi:RegistrationPolicy xml:lang="en">http://ukfederation.org.uk/doc/mdrps-20130902</mdrpi:RegistrationPolicy>
+		</mdrpi:RegistrationInfo>
+	</Extensions>
+	<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+		<Extensions>
+			<shibmd:Scope regexp="false">shibboleth.net</shibmd:Scope>
+			<mdui:UIInfo>
+				<mdui:DisplayName xml:lang="en">Shibboleth.net</mdui:DisplayName>
+				<mdui:Description xml:lang="en">An identity provider hosted and used by the
+					developers of Shibboleth.</mdui:Description>
+				<mdui:Logo height="82" width="64">https://shibboleth.net/images/gryphon_64x82.png</mdui:Logo>
+			</mdui:UIInfo>
+		</Extensions>
+		<KeyDescriptor>
+			<ds:KeyInfo>
+				<ds:X509Data>
+					<ds:X509Certificate>
+						MIIDNDCCAhygAwIBAgIVAKyBWnv1/h1U11C7kHvV33FIrEsJMA0GCSqGSIb3DQEB
+						BQUAMB0xGzAZBgNVBAMTEmlkcC5zaGliYm9sZXRoLm5ldDAeFw0xMDEyMjkwMDA5
+						MTlaFw0zMDEyMjkwMDA5MTlaMB0xGzAZBgNVBAMTEmlkcC5zaGliYm9sZXRoLm5l
+						dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKjWAdpUx/82FUzrRMfA
+						M63PkZZYCm3RnT3eiL+DeJcbGdcEJx/o+32vgHXJgJOBt14YdVam5GErIYgk4SGq
+						5Z5RYl0PpQn6HQG/9prGnYCu6p5zfb0557o51Eh8TcVehS6Y2ruyCjAF0jgVMwh5
+						/0Oh8EE9wG93pSpm70DAiiaTVCb8WoT1aZYtxbBmmuH10bU+wge/NMmaHuVAe599
+						pyezFIL4FoI2g+1Q6nG4Yl1Z07I81tTApXKVMWRt/4/M3m2D7PUMOQ9qsxthp2L/
+						LovIeNo0bTyeW290T2Y/JRZhKOgeDqkhuu82DPri2Vm5G/unB69KfRB7CF9QWIc3
+						y80CAwEAAaNrMGkwSAYDVR0RBEEwP4ISaWRwLnNoaWJib2xldGgubmV0hilodHRw
+						czovL2lkcC5zaGliYm9sZXRoLm5ldC9pZHAvc2hpYmJvbGV0aDAdBgNVHQ4EFgQU
+						3uZ32tKXJBzPCTp2dtHSLV0FvGgwDQYJKoZIhvcNAQEFBQADggEBAAYXYuzp0UTj
+						3yLRvUCbEtaw9b80+weOELkVv3WFY3QAG8pIKEblrMMtzrzLFWZwYwwMZDab/HnH
+						egmgjZBthrOedEmoJ+OHRmIiS8zdZxVGEadJhTUaeIkO6kwK7Ht3nQePoiXV7TI5
+						+A9SpmZGoukC85Za4wGDw4xWGs5t5l6tBuuV+1s0oC6T8ih5n/NyThfpbihSW0d7
+						iBfSUickgpoM2BLM3FCnbO8HOsX1rGV4ypG9ZGDDvr2jrzalXXmc05gSlL2qd9ce
+						Q1M+9vavusPCqlj2zZf2/HfzhyiFcb/OgA0oTFWW2ynXji6UarIV5QaPoi/XmGmx
+						BXD36HfGBXk=
+					</ds:X509Certificate>
+				</ds:X509Data>
+			</ds:KeyInfo>
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+		</KeyDescriptor>
+		<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibboleth.net/idp/profile/SAML2/POST/SSO"/>
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://shibboleth.net/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shibboleth.net/idp/profile/SAML2/Redirect/SSO"/>
+	</IDPSSODescriptor>
+	<Organization>
+		<OrganizationName xml:lang="en">Jisc Services Limited</OrganizationName>
+		<OrganizationDisplayName xml:lang="en">Shibboleth.net</OrganizationDisplayName>
+		<OrganizationURL xml:lang="en">http://www.shibboleth.net/</OrganizationURL>
+	</Organization>
+	<ContactPerson contactType="support">
+		<GivenName>Shibboleth.Net Technical Support</GivenName>
+		<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="technical">
+		<GivenName>Scott</GivenName>
+		<SurName>Cantor</SurName>
+		<EmailAddress>mailto:cantor.2@osu.edu</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="technical">
+		<GivenName>Ian</GivenName>
+		<SurName>Young</SurName>
+		<EmailAddress>mailto:ukfed@iay.org.uk</EmailAddress>
+	</ContactPerson>
+
+
+</EntityDescriptor>
+
+<EntityDescriptor entityID="https://issues.shibboleth.net/shibboleth">
+	<Extensions>
+	<mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
+
+	</Extensions>
+	<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+	<Extensions>
+		<idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/Login" index="1"/>
+		<mdui:UIInfo>
+		<mdui:DisplayName xml:lang="en">Shibboleth.net Issue Tracking</mdui:DisplayName>
+		<mdui:Description xml:lang="en">The issue (improvements, bugs, tasks) tracking system used by the Shibboleth project. Unauthenticated users may view submitted issues.  Authenticated users may submit new issues and comment on existing ones.</mdui:Description>
+		<mdui:PrivacyStatementURL xml:lang="en">https://wiki.shibboleth.net/confluence/display/DEV/Infrastructure+Information</mdui:PrivacyStatementURL>
+		<mdui:Logo height="82" width="64" xml:lang="en">https://shibboleth.net/images/gryphon_64x82.png</mdui:Logo>
+		</mdui:UIInfo>
+	</Extensions>
+	<KeyDescriptor>
+		<ds:KeyInfo>
+		<ds:X509Data>
+			<ds:X509Certificate>
+MIIDRjCCAi6gAwIBAgIJAPjZ6g1hwfvPMA0GCSqGSIb3DQEBBQUAMFExEzARBgoJ
+kiaJk/IsZAEZFgNuZXQxGjAYBgoJkiaJk/IsZAEZFgpzaGliYm9sZXRoMR4wHAYD
+VQQDExVpc3N1ZXMuc2hpYmJvbGV0aC5uZXQwHhcNMTMxMTI1MTQ1ODA4WhcNMzcw
+MzA0MTQ1ODA4WjBRMRMwEQYKCZImiZPyLGQBGRYDbmV0MRowGAYKCZImiZPyLGQB
+GRYKc2hpYmJvbGV0aDEeMBwGA1UEAxMVaXNzdWVzLnNoaWJib2xldGgubmV0MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtb4jIloWGvHJsSeq0PMjkWDA
++hseZ6/6/cEJKPk245f6hktC2k3z0AqJL8Kw9OudOjDx2op2jKm45TuIA46ti6VP
+f4stLIi7mO1B4A6jTWThCwU0DjMCwBXLhANdBQloyUYJU/usN8RBXlPnWZAV1dVb
+ygb7GUorkMON+wnFd7nhBePmQdJfbsqvKN8MykWfQ56chS+0lCYhyT7qql2bskJ4
+y621WSo47php2NyyU1KNcaFBLoao+UTH7KZ9qHOWJyGJGuWKwgZmCiVd0LQhWywP
+3M/JxZvpTr2Bs/J5d8BzZGSFUaHrVcPzIX+5c3sdK4d1wXUur1XE++bh9F9TjwID
+AQABoyEwHzAdBgNVHQ4EFgQUHtV8GWr64AIUV634b9YBlMEpHOwwDQYJKoZIhvcN
+AQEFBQADggEBAI0BSqXoyw5bUVQJKNCnxB3hUwHIOXeoS77jqgv2lesyTqz5U4NV
+v4Cdz7icwYzt+c6ZSZqem4pqmi3/6COZnf/+l29J/XwWkva32P6tfoO4af3qywF+
+TvuZiRMXdt1KE7GTlYOSxOsnxaRmXVc6MWfxPT6oTOt5z15aTdfEzK+wVfeUkIf1
+1soEmMHgjDaa/HQdGgXGq/fStDc0Mcm2W7y50+aNwqIMNiQQiwQYSUgpBatSfKy1
+umh6DHEyznDZAAHBtatzvQu1YAJHUg6AeimuhminaM5tyBCW6Y6YMywFYSP+VqPU
+PxCBrPWcCAwOw80Ey/FLVlAdW1FuwUmMejA=
+</ds:X509Certificate>
+		</ds:X509Data>
+		</ds:KeyInfo>
+	</KeyDescriptor>
+	<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/SAML/Artifact" index="1"/>
+	<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/SAML/POST" index="2"/>
+	<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/SAML2/Artifact" index="3"/>
+	<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/SAML2/POST" index="4"/>
+	<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/SAML2/POST-SimpleSign" index="5"/>
+	<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/SAML2/ECP" index="6"/>
+	<AttributeConsumingService index="1">
+		<ServiceName xml:lang="en">Shibboleth.net Issue Tracking</ServiceName>
+		<ServiceDescription xml:lang="en">The issue (improvements, bugs, tasks) tracking system used by the Shibboleth project. Unauthenticated users may view submitted issues.  Authenticated users may submit new issues and comment on existing ones.</ServiceDescription>
+		<RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+		<RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+		<RequestedAttribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+		<RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+	</AttributeConsumingService>
+	</SPSSODescriptor>
+	<Organization>
+	<OrganizationName xml:lang="en">The Ohio State University</OrganizationName>
+	<OrganizationDisplayName xml:lang="en">Ohio State University</OrganizationDisplayName>
+	<OrganizationURL xml:lang="en">http://www.osu.edu/</OrganizationURL>
+	</Organization>
+	<ContactPerson contactType="support">
+	<GivenName>Shibboleth Contact</GivenName>
+	<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="technical">
+	<GivenName>Shibboleth Contact</GivenName>
+	<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="administrative">
+	<GivenName>Shibboleth Contact</GivenName>
+	<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
+	<GivenName>Shibboleth Contact</GivenName>
+	<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+	</ContactPerson>
+</EntityDescriptor>
+
+<EntityDescriptor entityID="https://wiki.shibboleth.net/shibboleth">
+	<Extensions>
+	<mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
+
+	</Extensions>
+	<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+	<Extensions>
+		<idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/Login" index="1"/>
+		<mdui:UIInfo>
+		<mdui:DisplayName xml:lang="en">Shibboleth.net Wiki</mdui:DisplayName>
+		<mdui:Description xml:lang="en">The wiki hosting the documentation for Shibboleth. Unauthenticated user may view the existing documentation. Authenticated users may create new documentation pages and edit existing ones.</mdui:Description>
+		<mdui:PrivacyStatementURL xml:lang="en">https://wiki.shibboleth.net/confluence/display/DEV/Infrastructure+Information</mdui:PrivacyStatementURL>
+		<mdui:Logo height="82" width="64" xml:lang="en">https://shibboleth.net/images/gryphon_64x82.png</mdui:Logo>
+		</mdui:UIInfo>
+	</Extensions>
+	<KeyDescriptor>
+		<ds:KeyInfo>
+		<ds:X509Data>
+			<ds:X509Certificate>
+MIIDQjCCAiqgAwIBAgIJAMI1r/DZzTEJMA0GCSqGSIb3DQEBBQUAME8xEzARBgoJ
+kiaJk/IsZAEZFgNuZXQxGjAYBgoJkiaJk/IsZAEZFgpzaGliYm9sZXRoMRwwGgYD
+VQQDExN3aWtpLnNoaWJib2xldGgubmV0MB4XDTEzMTEyNTE0NTcyOFoXDTM3MDMw
+NDE0NTcyOFowTzETMBEGCgmSJomT8ixkARkWA25ldDEaMBgGCgmSJomT8ixkARkW
+CnNoaWJib2xldGgxHDAaBgNVBAMTE3dpa2kuc2hpYmJvbGV0aC5uZXQwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1viMiWhYa8cmxJ6rQ8yORYMD6Gx5n
+r/r9wQko+Tbjl/qGS0LaTfPQCokvwrD06506MPHainaMqbjlO4gDjq2LpU9/iy0s
+iLuY7UHgDqNNZOELBTQOMwLAFcuEA10FCWjJRglT+6w3xEFeU+dZkBXV1VvKBvsZ
+SiuQw437CcV3ueEF4+ZB0l9uyq8o3wzKRZ9DnpyFL7SUJiHJPuqqXZuyQnjLrbVZ
+KjjumGnY3LJTUo1xoUEuhqj5RMfspn2oc5YnIYka5YrCBmYKJV3QtCFbLA/cz8nF
+m+lOvYGz8nl3wHNkZIVRoetVw/Mhf7lzex0rh3XBdS6vVcT75uH0X1OPAgMBAAGj
+ITAfMB0GA1UdDgQWBBQe1XwZavrgAhRXrfhv1gGUwSkc7DANBgkqhkiG9w0BAQUF
+AAOCAQEADCGhWJ+oZ8ltcjJ7D66rMg1HOZT6GFCVeZ7MfhY/KFrvsnITNbTA+SgZ
+tCJt/BLlZXxpzmix19bD9bNwqEMo7WSqBy77X7SS97ZXti6y6vwAz8h78vzQopOd
+rnn8XXyWxtrtRRCK4RMpZGrVm3sfBPW68j9hiPHZqewE4nLavjCki/I9rCMe5dJE
+3+ZRf4Ip/9hYqM+a5Chcvbo2zJEOtw+EUQqNTZ51j33H/2qF9UoSpt74UFh+Jd5y
+L2GoFSt/gCld78j/7cU3ObGQEme+hVVZ8/uGa/cCYvFt75vNBdnlj4icZ6fgFe9R
+9h5hlBTGD3PULSFmCdkgxtwIyd855Q==
+</ds:X509Certificate>
+		</ds:X509Data>
+		</ds:KeyInfo>
+	</KeyDescriptor>
+	<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/SAML/Artifact" index="1"/>
+	<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/SAML/POST" index="2"/>
+	<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/SAML2/Artifact" index="3"/>
+	<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/SAML2/ECP" index="4"/>
+	<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/SAML2/POST" index="5"/>
+	<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/SAML2/POST-SimpleSign" index="6"/>
+	<AttributeConsumingService index="1">
+		<ServiceName xml:lang="en">Shibboleth.net Wiki</ServiceName>
+		<ServiceDescription xml:lang="en">The wiki hosting the documentation for Shibboleth. Unauthenticated user may view the existing documentation. Authenticated users may create new documentation pages and edit existing ones.</ServiceDescription>
+		<RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+		<RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+		<RequestedAttribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+		<RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+	</AttributeConsumingService>
+	</SPSSODescriptor>
+	<Organization>
+	<OrganizationName xml:lang="en">The Ohio State University</OrganizationName>
+	<OrganizationDisplayName xml:lang="en">Ohio State University</OrganizationDisplayName>
+	<OrganizationURL xml:lang="en">http://www.osu.edu/</OrganizationURL>
+	</Organization>
+	<ContactPerson contactType="technical">
+	<GivenName>Shibboleth Contact</GivenName>
+	<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="support">
+	<GivenName>Shibboleth Contact</GivenName>
+	<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="administrative">
+	<GivenName>Shibboleth Contact</GivenName>
+	<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
+	<GivenName>Shibboleth Contact</GivenName>
+	<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+	</ContactPerson>
+</EntityDescriptor>
+
+<EntityDescriptor entityID="urn:mace:incommon:osu.edu">
+	<Extensions>
+	<mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
+	<mdattr:EntityAttributes>
+		<saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+		<saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
+		</saml:Attribute>
+		<saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+		<saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
+		</saml:Attribute>
+
+	</mdattr:EntityAttributes>
+	</Extensions>
+	<IDPSSODescriptor errorURL="https://webauth.service.ohio-state.edu/support.html" protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+	<Extensions>
+		<shibmd:Scope regexp="false">osu.edu</shibmd:Scope>
+		<mdui:UIInfo>
+		<mdui:DisplayName xml:lang="en">Ohio State University</mdui:DisplayName>
+		<mdui:InformationURL xml:lang="en">https://webauth.service.ohio-state.edu/info.html</mdui:InformationURL>
+		<mdui:PrivacyStatementURL xml:lang="en">https://it.osu.edu/sites/default/files/files-1477502394/disclosurepolicy.pdf</mdui:PrivacyStatementURL>
+		<mdui:Logo height="83" width="83" xml:lang="en">https://webauth.service.ohio-state.edu/images/osu_mdui.png</mdui:Logo>
+		</mdui:UIInfo>
+	</Extensions>
+	<KeyDescriptor use="signing">
+		<ds:KeyInfo>
+		<ds:X509Data>
+			<ds:X509Certificate>
+MIIEUDCCArigAwIBAgIJAOTP/syONHwnMA0GCSqGSIb3DQEBCwUAMCkxJzAlBgNV
+BAMMHndlYmF1dGguc2VydmljZS5vaGlvLXN0YXRlLmVkdTAeFw0xOTAyMjIxOTE3
+MjJaFw00NjA3MTAxOTE3MjJaMCkxJzAlBgNVBAMMHndlYmF1dGguc2VydmljZS5v
+aGlvLXN0YXRlLmVkdTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJle
+1C2GVPJkD+fXHBxGMZSLVFsEClJNFbI2Rp5feo8QNvV5CYIMU+bNqovkMZhONAbz
+3v63v/HNNr3tFk6ZBWk7fQ+VZE7NyHGrpKn1XiWbFMBokEsMXah3tDHq5clxCWHi
+dg8J9knnLt71h2j7SvSowxF8TwEmIGQmymNs1TeW2kVxKZWChk+UzRk3VNMPxoUz
+lEdAiqBSl/J3E+W1lCzYxs/r9cTTeQwAJkwg/gjewCTcNlXGtt9ykf4Csja2NFtO
+hh7bys3VzAI0nsHFTxQq3rxbbmeCmLdLGvu83h2iI0JrT6HYmo0ksXVqTXIOPS+D
+ZJmCYLL4PKJQb6fAcQhE4NgZMEEJdtToe8mt34/UPGutRz0ja/fgV6ec3AJq9wQF
+jQ20iPpDh/aVuLpSQYmEhuMQOXvBI8ILv/wKSPQ2A63FSr4adoNFlBCsOFoTW9uu
+y7Kxc8Qo+ZzEF39WWBnc3UcBSxk9Z9zsCFCAbfBt+SVrbNUA4L4lU/8x9DpRpwID
+AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
+YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUML3nKeprDqx0PFVahBwqvu2s5y4w
+HwYDVR0jBBgwFoAUML3nKeprDqx0PFVahBwqvu2s5y4wDQYJKoZIhvcNAQELBQAD
+ggGBADSfQwfmSPjrXGdWsCqngcEmN1ksnSCcNm8qdp+YO0luZO0MiJsM0cIvka1e
+/9MeP7VMbeBTOpSlr1RzN6h0bFWo9vwLbIuYsLc63Vt4B1R7DzUMQwWc7LekfV/A
+8IIdendOvCLpxvrm3dj32VgA5jNlJ+M7fDzFh5vHouLEAD45F/qn50N1XyZYX86C
+zLpL7rCfmnMGrzAYBUgj9d6CU8xkf0XoiCsyMsuku0ZNFEzUCKZKHvle9HCYmwA1
+/FtgnWK+vhjsnEH4dApxP2D4YbP3mGSCpkOKBuNFbJd8sjhIpGCTCwxp8jNl61xE
+S6PJeJfcTU8ztIsGhug80jySah6mEmIyQ47YbG25Lt5AuTAZDTPf84QpD6qdMCvJ
+KjK/sp1LPbN0WZBdzQup9e8WhdMt2sN6UsxM7+WNlJLZ+Fn3xFHkiWvgXp53jiT2
+KITPlARNryCA9e7et3E05ZxtCocCh+y7eEGV7/+g4CjhqniVsshTcVzrKicYN6oC
+O8tLIQ==
+</ds:X509Certificate>
+		</ds:X509Data>
+		</ds:KeyInfo>
+	</KeyDescriptor>
+	<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://webauth.service.ohio-state.edu/idp/profile/Shibboleth/SSO"/>
+	<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://webauth.service.ohio-state.edu/idp/profile/SAML2/Redirect/SSO"/>
+	<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://webauth.service.ohio-state.edu/idp/profile/SAML2/POST/SSO"/>
+	<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://webauth.service.ohio-state.edu/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+	<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://webauth.service.ohio-state.edu/idp/profile/SAML2/SOAP/ECP"/>
+	</IDPSSODescriptor>
+	<Organization>
+	<OrganizationName xml:lang="en">The Ohio State University</OrganizationName>
+	<OrganizationDisplayName xml:lang="en">Ohio State University</OrganizationDisplayName>
+	<OrganizationURL xml:lang="en">http://www.osu.edu/</OrganizationURL>
+	</Organization>
+	<ContactPerson contactType="support">
+	<GivenName>IT Service Desk</GivenName>
+	<EmailAddress>mailto:8help@osu.edu</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="technical">
+	<GivenName>Authentication Support</GivenName>
+	<EmailAddress>mailto:webauth-admin@lists.service.ohio-state.edu</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="administrative">
+	<GivenName>Authentication Support</GivenName>
+	<EmailAddress>mailto:webauth-admin@lists.service.ohio-state.edu</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
+	<GivenName>Security Response Team</GivenName>
+	<EmailAddress>mailto:security@osu.edu</EmailAddress>
+	</ContactPerson>
+</EntityDescriptor>
+
+</EntitiesDescriptor>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity1.xml b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity1.xml
new file mode 100644
index 00000000..6f9d411f
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity1.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<EntityDescriptor
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    ID="entity1" entityID="https://idp2.iay.org.uk/idp/shibboleth">
+	<!--
+		This is an "Ian A. Young" IdP for Ian A. Young.
+	-->
+	<Extensions>
+		<ukfedlabel:UKFederationMember/>
+		<shibmd:Scope regexp="false">iay.org.uk</shibmd:Scope>
+
+
+		<mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk" registrationInstant="2007-03-30T16:36:00Z">
+			<mdrpi:RegistrationPolicy xml:lang="en">http://ukfederation.org.uk/doc/mdrps-20130902</mdrpi:RegistrationPolicy>
+		</mdrpi:RegistrationInfo>
+		<mdattr:EntityAttributes>
+			<saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+				<saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
+			</saml:Attribute>
+		</mdattr:EntityAttributes>
+	</Extensions>
+	<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
+		<Extensions>
+			<mdui:UIInfo>
+				<mdui:DisplayName xml:lang="en">Ian A. Young</mdui:DisplayName>
+				<mdui:Description xml:lang="en">This is the identity provider for the iay.org.uk domain.</mdui:Description>
+				<mdui:Logo height="80" width="80">https://idp2.iay.org.uk/images/heads_80x80.jpg</mdui:Logo>
+				<mdui:Logo height="43" width="100">https://idp2.iay.org.uk/images/heads_100x43.jpg</mdui:Logo>
+				<mdui:Logo height="104" width="240">https://idp2.iay.org.uk/images/heads_240x104.jpg</mdui:Logo>
+			</mdui:UIInfo>
+			<mdui:DiscoHints>
+				<mdui:IPHint>217.155.173.104/29</mdui:IPHint>
+				<mdui:DomainHint>iay.org.uk</mdui:DomainHint>
+				<mdui:GeolocationHint>geo:55.9328,-3.17905</mdui:GeolocationHint>
+			</mdui:DiscoHints>
+			<shibmd:Scope regexp="false">iay.org.uk</shibmd:Scope>
+		</Extensions>
+		<KeyDescriptor>
+			<ds:KeyInfo>
+				<ds:X509Data>
+					<ds:X509Certificate>
+						MIIDSTCCAjGgAwIBAgIhAMSPOSGN+3UUTXSKV+2EBOuF3x/pwPX/TD9GfyEkzLp+
+						MA0GCSqGSIb3DQEBBQUAMFgxGDAWBgNVBAMMD2lkcDIuaWF5Lm9yZy51azETMBEG
+						CgmSJomT8ixkARkWA2lheTETMBEGCgmSJomT8ixkARkWA29yZzESMBAGCgmSJomT
+						8ixkARkWAnVrMB4XDTA4MDIyNTEwMzAxNFoXDTI4MDIyNTEwMzAxNFowWDEYMBYG
+						A1UEAwwPaWRwMi5pYXkub3JnLnVrMRMwEQYKCZImiZPyLGQBGRYDaWF5MRMwEQYK
+						CZImiZPyLGQBGRYDb3JnMRIwEAYKCZImiZPyLGQBGRYCdWswggEiMA0GCSqGSIb3
+						DQEBAQUAA4IBDwAwggEKAoIBAQCb6ts48g10XHTnpy+23huzR184aahkrG0AoeUl
+						FVlomPjoFDk6czq0S3Qyd+ceF7tMRu3XzS7cMmtVH53O9d+wCs8aPQcPXxHQ5gLk
+						L7Gu6eJ+3N3jXhpt7/DDPhnzFPNW3EVMueHJ/0IzyspTvq2LPbNWXJ86NKJ+gesZ
+						QftskwXScOjpoJEIP0EA890QYd4WdYtQPqVV+LPKtnYBoGOnuRhSAM1D/EhCbeb0
+						lCmRGcdGbDFBchiPO4VLGl85sLa0EhjxMIPAOKXcj8bBlO9Ww9kkG06kQp6eLHwm
+						Jmt7VNKveCGhyF2QH/CvmdUaPv3gcp1UjrlqFN9LBVSaTIL/AgMBAAEwDQYJKoZI
+						hvcNAQEFBQADggEBAG+jDBAtlKoHaEBB+l6PpW5zuiDjyHG4zZZYqX77mZ9xP/xe
+						Kn0yJ18ZLjS3b9WztGLYyC4SJHSF2okq1K02bqsCv9YeP+UWpw2uRR8jt96lLWxZ
+						jTjoko2v8jBtzDk8LZsqw58m4vZ0AGNZjKeGIywKhxnepwREguyj3bjBpZAGgl0M
+						HQuXoO/BDC9yKyZslE5CpWp5xP4XzY2/LrorrkwOJLnFuk1sox4/gvkDQukUx/jr
+						YRbrWfOjcNBx3LE/HI6RNLINicK7yUwerDE86nix5Zc3hskVcCykW+r6HbY6bx7P
+						YmNKYMZhQAgDtXIjFHOy+WbyVTidmJvxM9UeYCY=
+					</ds:X509Certificate>
+				</ds:X509Data>
+			</ds:KeyInfo>
+		</KeyDescriptor>
+		<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp2.iay.org.uk:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
+		<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp2.iay.org.uk:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
+		<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+		<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+		<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp2.iay.org.uk/idp/profile/Shibboleth/SSO"/>
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp2.iay.org.uk/idp/profile/SAML2/POST/SSO"/>
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp2.iay.org.uk/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp2.iay.org.uk/idp/profile/SAML2/Redirect/SSO"/>
+	</IDPSSODescriptor>
+	<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+		<Extensions>
+			<shibmd:Scope regexp="false">iay.org.uk</shibmd:Scope>
+		</Extensions>
+		<KeyDescriptor>
+			<ds:KeyInfo>
+				<ds:X509Data>
+					<ds:X509Certificate>
+						MIIDSTCCAjGgAwIBAgIhAMSPOSGN+3UUTXSKV+2EBOuF3x/pwPX/TD9GfyEkzLp+
+						MA0GCSqGSIb3DQEBBQUAMFgxGDAWBgNVBAMMD2lkcDIuaWF5Lm9yZy51azETMBEG
+						CgmSJomT8ixkARkWA2lheTETMBEGCgmSJomT8ixkARkWA29yZzESMBAGCgmSJomT
+						8ixkARkWAnVrMB4XDTA4MDIyNTEwMzAxNFoXDTI4MDIyNTEwMzAxNFowWDEYMBYG
+						A1UEAwwPaWRwMi5pYXkub3JnLnVrMRMwEQYKCZImiZPyLGQBGRYDaWF5MRMwEQYK
+						CZImiZPyLGQBGRYDb3JnMRIwEAYKCZImiZPyLGQBGRYCdWswggEiMA0GCSqGSIb3
+						DQEBAQUAA4IBDwAwggEKAoIBAQCb6ts48g10XHTnpy+23huzR184aahkrG0AoeUl
+						FVlomPjoFDk6czq0S3Qyd+ceF7tMRu3XzS7cMmtVH53O9d+wCs8aPQcPXxHQ5gLk
+						L7Gu6eJ+3N3jXhpt7/DDPhnzFPNW3EVMueHJ/0IzyspTvq2LPbNWXJ86NKJ+gesZ
+						QftskwXScOjpoJEIP0EA890QYd4WdYtQPqVV+LPKtnYBoGOnuRhSAM1D/EhCbeb0
+						lCmRGcdGbDFBchiPO4VLGl85sLa0EhjxMIPAOKXcj8bBlO9Ww9kkG06kQp6eLHwm
+						Jmt7VNKveCGhyF2QH/CvmdUaPv3gcp1UjrlqFN9LBVSaTIL/AgMBAAEwDQYJKoZI
+						hvcNAQEFBQADggEBAG+jDBAtlKoHaEBB+l6PpW5zuiDjyHG4zZZYqX77mZ9xP/xe
+						Kn0yJ18ZLjS3b9WztGLYyC4SJHSF2okq1K02bqsCv9YeP+UWpw2uRR8jt96lLWxZ
+						jTjoko2v8jBtzDk8LZsqw58m4vZ0AGNZjKeGIywKhxnepwREguyj3bjBpZAGgl0M
+						HQuXoO/BDC9yKyZslE5CpWp5xP4XzY2/LrorrkwOJLnFuk1sox4/gvkDQukUx/jr
+						YRbrWfOjcNBx3LE/HI6RNLINicK7yUwerDE86nix5Zc3hskVcCykW+r6HbY6bx7P
+						YmNKYMZhQAgDtXIjFHOy+WbyVTidmJvxM9UeYCY=
+					</ds:X509Certificate>
+				</ds:X509Data>
+			</ds:KeyInfo>
+		</KeyDescriptor>
+		<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp2.iay.org.uk:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
+		<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp2.iay.org.uk:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
+		<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+		<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+	</AttributeAuthorityDescriptor>
+	<Organization>
+		<OrganizationName xml:lang="en">Ian A. Young</OrganizationName>
+		<OrganizationDisplayName xml:lang="en">Ian A. Young</OrganizationDisplayName>
+		<OrganizationURL xml:lang="en">http://iay.org.uk/</OrganizationURL>
+	</Organization>
+	<ContactPerson contactType="support">
+		<GivenName>Ian</GivenName>
+		<SurName>Young</SurName>
+		<EmailAddress>mailto:ukfed+fc2ee77e@iay.org.uk</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="technical">
+		<GivenName>Ian</GivenName>
+		<SurName>Young</SurName>
+		<EmailAddress>mailto:ukfed+fc2ee77e@iay.org.uk</EmailAddress>
+	</ContactPerson>
+
+</EntityDescriptor>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity2.xml b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity2.xml
new file mode 100644
index 00000000..84d80b8f
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity2.xml
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<EntityDescriptor
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	ID="entity2" entityID="https://idp.shibboleth.net/idp/shibboleth">
+		<!--
+			This is a shibboleth.net Shibboleth IdP for Jisc Services Limited. 
+		-->
+		<Extensions>
+			<shibmd:Scope regexp="false">shibboleth.net</shibmd:Scope>
+			<ukfedlabel:UKFederationMember/>
+			<DigestMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
+			<DigestMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
+			<DigestMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+			<DigestMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+			<SigningMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+			<SigningMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
+			<SigningMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+			<SigningMethod xmlns="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+			<mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk" registrationInstant="2011-01-06T16:22:29Z">
+				<mdrpi:RegistrationPolicy xml:lang="en">http://ukfederation.org.uk/doc/mdrps-20130902</mdrpi:RegistrationPolicy>
+			</mdrpi:RegistrationInfo>
+		</Extensions>
+		<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+			<Extensions>
+				<shibmd:Scope regexp="false">shibboleth.net</shibmd:Scope>
+				<mdui:UIInfo>
+					<mdui:DisplayName xml:lang="en">Shibboleth.net</mdui:DisplayName>
+					<mdui:Description xml:lang="en">An identity provider hosted and used by the
+						developers of Shibboleth.</mdui:Description>
+					<mdui:Logo height="82" width="64">https://shibboleth.net/images/gryphon_64x82.png</mdui:Logo>
+				</mdui:UIInfo>
+			</Extensions>
+			<KeyDescriptor>
+				<ds:KeyInfo>
+					<ds:X509Data>
+						<ds:X509Certificate>
+							MIIDNDCCAhygAwIBAgIVAKyBWnv1/h1U11C7kHvV33FIrEsJMA0GCSqGSIb3DQEB
+							BQUAMB0xGzAZBgNVBAMTEmlkcC5zaGliYm9sZXRoLm5ldDAeFw0xMDEyMjkwMDA5
+							MTlaFw0zMDEyMjkwMDA5MTlaMB0xGzAZBgNVBAMTEmlkcC5zaGliYm9sZXRoLm5l
+							dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKjWAdpUx/82FUzrRMfA
+							M63PkZZYCm3RnT3eiL+DeJcbGdcEJx/o+32vgHXJgJOBt14YdVam5GErIYgk4SGq
+							5Z5RYl0PpQn6HQG/9prGnYCu6p5zfb0557o51Eh8TcVehS6Y2ruyCjAF0jgVMwh5
+							/0Oh8EE9wG93pSpm70DAiiaTVCb8WoT1aZYtxbBmmuH10bU+wge/NMmaHuVAe599
+							pyezFIL4FoI2g+1Q6nG4Yl1Z07I81tTApXKVMWRt/4/M3m2D7PUMOQ9qsxthp2L/
+							LovIeNo0bTyeW290T2Y/JRZhKOgeDqkhuu82DPri2Vm5G/unB69KfRB7CF9QWIc3
+							y80CAwEAAaNrMGkwSAYDVR0RBEEwP4ISaWRwLnNoaWJib2xldGgubmV0hilodHRw
+							czovL2lkcC5zaGliYm9sZXRoLm5ldC9pZHAvc2hpYmJvbGV0aDAdBgNVHQ4EFgQU
+							3uZ32tKXJBzPCTp2dtHSLV0FvGgwDQYJKoZIhvcNAQEFBQADggEBAAYXYuzp0UTj
+							3yLRvUCbEtaw9b80+weOELkVv3WFY3QAG8pIKEblrMMtzrzLFWZwYwwMZDab/HnH
+							egmgjZBthrOedEmoJ+OHRmIiS8zdZxVGEadJhTUaeIkO6kwK7Ht3nQePoiXV7TI5
+							+A9SpmZGoukC85Za4wGDw4xWGs5t5l6tBuuV+1s0oC6T8ih5n/NyThfpbihSW0d7
+							iBfSUickgpoM2BLM3FCnbO8HOsX1rGV4ypG9ZGDDvr2jrzalXXmc05gSlL2qd9ce
+							Q1M+9vavusPCqlj2zZf2/HfzhyiFcb/OgA0oTFWW2ynXji6UarIV5QaPoi/XmGmx
+							BXD36HfGBXk=
+						</ds:X509Certificate>
+					</ds:X509Data>
+				</ds:KeyInfo>
+				<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+				<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+				<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+				<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+				<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+			</KeyDescriptor>
+			<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+			<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibboleth.net/idp/profile/SAML2/POST/SSO"/>
+			<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://shibboleth.net/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+			<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shibboleth.net/idp/profile/SAML2/Redirect/SSO"/>
+		</IDPSSODescriptor>
+		<Organization>
+			<OrganizationName xml:lang="en">Jisc Services Limited</OrganizationName>
+			<OrganizationDisplayName xml:lang="en">Shibboleth.net</OrganizationDisplayName>
+			<OrganizationURL xml:lang="en">http://www.shibboleth.net/</OrganizationURL>
+		</Organization>
+		<ContactPerson contactType="support">
+			<GivenName>Shibboleth.Net Technical Support</GivenName>
+			<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+		</ContactPerson>
+		<ContactPerson contactType="technical">
+			<GivenName>Scott</GivenName>
+			<SurName>Cantor</SurName>
+			<EmailAddress>mailto:cantor.2@osu.edu</EmailAddress>
+		</ContactPerson>
+		<ContactPerson contactType="technical">
+			<GivenName>Ian</GivenName>
+			<SurName>Young</SurName>
+			<EmailAddress>mailto:ukfed@iay.org.uk</EmailAddress>
+		</ContactPerson>
+	</EntityDescriptor>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity3.xml b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity3.xml
new file mode 100644
index 00000000..757300c9
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity3.xml
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<EntityDescriptor
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	ID="entity3" entityID="https://issues.shibboleth.net/shibboleth">
+		<Extensions>
+		<mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
+	
+		</Extensions>
+		<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+		<Extensions>
+			<idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/Login" index="1"/>
+			<mdui:UIInfo>
+			<mdui:DisplayName xml:lang="en">Shibboleth.net Issue Tracking</mdui:DisplayName>
+			<mdui:Description xml:lang="en">The issue (improvements, bugs, tasks) tracking system used by the Shibboleth project. Unauthenticated users may view submitted issues.  Authenticated users may submit new issues and comment on existing ones.</mdui:Description>
+			<mdui:PrivacyStatementURL xml:lang="en">https://wiki.shibboleth.net/confluence/display/DEV/Infrastructure+Information</mdui:PrivacyStatementURL>
+			<mdui:Logo height="82" width="64" xml:lang="en">https://shibboleth.net/images/gryphon_64x82.png</mdui:Logo>
+			</mdui:UIInfo>
+		</Extensions>
+		<KeyDescriptor>
+			<ds:KeyInfo>
+			<ds:X509Data>
+				<ds:X509Certificate>
+	MIIDRjCCAi6gAwIBAgIJAPjZ6g1hwfvPMA0GCSqGSIb3DQEBBQUAMFExEzARBgoJ
+	kiaJk/IsZAEZFgNuZXQxGjAYBgoJkiaJk/IsZAEZFgpzaGliYm9sZXRoMR4wHAYD
+	VQQDExVpc3N1ZXMuc2hpYmJvbGV0aC5uZXQwHhcNMTMxMTI1MTQ1ODA4WhcNMzcw
+	MzA0MTQ1ODA4WjBRMRMwEQYKCZImiZPyLGQBGRYDbmV0MRowGAYKCZImiZPyLGQB
+	GRYKc2hpYmJvbGV0aDEeMBwGA1UEAxMVaXNzdWVzLnNoaWJib2xldGgubmV0MIIB
+	IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtb4jIloWGvHJsSeq0PMjkWDA
+	+hseZ6/6/cEJKPk245f6hktC2k3z0AqJL8Kw9OudOjDx2op2jKm45TuIA46ti6VP
+	f4stLIi7mO1B4A6jTWThCwU0DjMCwBXLhANdBQloyUYJU/usN8RBXlPnWZAV1dVb
+	ygb7GUorkMON+wnFd7nhBePmQdJfbsqvKN8MykWfQ56chS+0lCYhyT7qql2bskJ4
+	y621WSo47php2NyyU1KNcaFBLoao+UTH7KZ9qHOWJyGJGuWKwgZmCiVd0LQhWywP
+	3M/JxZvpTr2Bs/J5d8BzZGSFUaHrVcPzIX+5c3sdK4d1wXUur1XE++bh9F9TjwID
+	AQABoyEwHzAdBgNVHQ4EFgQUHtV8GWr64AIUV634b9YBlMEpHOwwDQYJKoZIhvcN
+	AQEFBQADggEBAI0BSqXoyw5bUVQJKNCnxB3hUwHIOXeoS77jqgv2lesyTqz5U4NV
+	v4Cdz7icwYzt+c6ZSZqem4pqmi3/6COZnf/+l29J/XwWkva32P6tfoO4af3qywF+
+	TvuZiRMXdt1KE7GTlYOSxOsnxaRmXVc6MWfxPT6oTOt5z15aTdfEzK+wVfeUkIf1
+	1soEmMHgjDaa/HQdGgXGq/fStDc0Mcm2W7y50+aNwqIMNiQQiwQYSUgpBatSfKy1
+	umh6DHEyznDZAAHBtatzvQu1YAJHUg6AeimuhminaM5tyBCW6Y6YMywFYSP+VqPU
+	PxCBrPWcCAwOw80Ey/FLVlAdW1FuwUmMejA=
+	</ds:X509Certificate>
+			</ds:X509Data>
+			</ds:KeyInfo>
+		</KeyDescriptor>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/SAML/Artifact" index="1"/>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/SAML/POST" index="2"/>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/SAML2/Artifact" index="3"/>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/SAML2/POST" index="4"/>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/SAML2/POST-SimpleSign" index="5"/>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://issues.shibboleth.net/jira/Shibboleth.sso/SAML2/ECP" index="6"/>
+		<AttributeConsumingService index="1">
+			<ServiceName xml:lang="en">Shibboleth.net Issue Tracking</ServiceName>
+			<ServiceDescription xml:lang="en">The issue (improvements, bugs, tasks) tracking system used by the Shibboleth project. Unauthenticated users may view submitted issues.  Authenticated users may submit new issues and comment on existing ones.</ServiceDescription>
+			<RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+			<RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+			<RequestedAttribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+			<RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+		</AttributeConsumingService>
+		</SPSSODescriptor>
+		<Organization>
+		<OrganizationName xml:lang="en">The Ohio State University</OrganizationName>
+		<OrganizationDisplayName xml:lang="en">Ohio State University</OrganizationDisplayName>
+		<OrganizationURL xml:lang="en">http://www.osu.edu/</OrganizationURL>
+		</Organization>
+		<ContactPerson contactType="support">
+		<GivenName>Shibboleth Contact</GivenName>
+		<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+		</ContactPerson>
+		<ContactPerson contactType="technical">
+		<GivenName>Shibboleth Contact</GivenName>
+		<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+		</ContactPerson>
+		<ContactPerson contactType="administrative">
+		<GivenName>Shibboleth Contact</GivenName>
+		<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+		</ContactPerson>
+		<ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
+		<GivenName>Shibboleth Contact</GivenName>
+		<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+		</ContactPerson>
+	</EntityDescriptor>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity4.xml b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity4.xml
new file mode 100644
index 00000000..4a9917f2
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity4.xml
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<EntityDescriptor
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	ID="entity4" entityID="https://wiki.shibboleth.net/shibboleth">
+		<Extensions>
+		<mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
+	
+		</Extensions>
+		<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+		<Extensions>
+			<idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/Login" index="1"/>
+			<mdui:UIInfo>
+			<mdui:DisplayName xml:lang="en">Shibboleth.net Wiki</mdui:DisplayName>
+			<mdui:Description xml:lang="en">The wiki hosting the documentation for Shibboleth. Unauthenticated user may view the existing documentation. Authenticated users may create new documentation pages and edit existing ones.</mdui:Description>
+			<mdui:PrivacyStatementURL xml:lang="en">https://wiki.shibboleth.net/confluence/display/DEV/Infrastructure+Information</mdui:PrivacyStatementURL>
+			<mdui:Logo height="82" width="64" xml:lang="en">https://shibboleth.net/images/gryphon_64x82.png</mdui:Logo>
+			</mdui:UIInfo>
+		</Extensions>
+		<KeyDescriptor>
+			<ds:KeyInfo>
+			<ds:X509Data>
+				<ds:X509Certificate>
+	MIIDQjCCAiqgAwIBAgIJAMI1r/DZzTEJMA0GCSqGSIb3DQEBBQUAME8xEzARBgoJ
+	kiaJk/IsZAEZFgNuZXQxGjAYBgoJkiaJk/IsZAEZFgpzaGliYm9sZXRoMRwwGgYD
+	VQQDExN3aWtpLnNoaWJib2xldGgubmV0MB4XDTEzMTEyNTE0NTcyOFoXDTM3MDMw
+	NDE0NTcyOFowTzETMBEGCgmSJomT8ixkARkWA25ldDEaMBgGCgmSJomT8ixkARkW
+	CnNoaWJib2xldGgxHDAaBgNVBAMTE3dpa2kuc2hpYmJvbGV0aC5uZXQwggEiMA0G
+	CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1viMiWhYa8cmxJ6rQ8yORYMD6Gx5n
+	r/r9wQko+Tbjl/qGS0LaTfPQCokvwrD06506MPHainaMqbjlO4gDjq2LpU9/iy0s
+	iLuY7UHgDqNNZOELBTQOMwLAFcuEA10FCWjJRglT+6w3xEFeU+dZkBXV1VvKBvsZ
+	SiuQw437CcV3ueEF4+ZB0l9uyq8o3wzKRZ9DnpyFL7SUJiHJPuqqXZuyQnjLrbVZ
+	KjjumGnY3LJTUo1xoUEuhqj5RMfspn2oc5YnIYka5YrCBmYKJV3QtCFbLA/cz8nF
+	m+lOvYGz8nl3wHNkZIVRoetVw/Mhf7lzex0rh3XBdS6vVcT75uH0X1OPAgMBAAGj
+	ITAfMB0GA1UdDgQWBBQe1XwZavrgAhRXrfhv1gGUwSkc7DANBgkqhkiG9w0BAQUF
+	AAOCAQEADCGhWJ+oZ8ltcjJ7D66rMg1HOZT6GFCVeZ7MfhY/KFrvsnITNbTA+SgZ
+	tCJt/BLlZXxpzmix19bD9bNwqEMo7WSqBy77X7SS97ZXti6y6vwAz8h78vzQopOd
+	rnn8XXyWxtrtRRCK4RMpZGrVm3sfBPW68j9hiPHZqewE4nLavjCki/I9rCMe5dJE
+	3+ZRf4Ip/9hYqM+a5Chcvbo2zJEOtw+EUQqNTZ51j33H/2qF9UoSpt74UFh+Jd5y
+	L2GoFSt/gCld78j/7cU3ObGQEme+hVVZ8/uGa/cCYvFt75vNBdnlj4icZ6fgFe9R
+	9h5hlBTGD3PULSFmCdkgxtwIyd855Q==
+	</ds:X509Certificate>
+			</ds:X509Data>
+			</ds:KeyInfo>
+		</KeyDescriptor>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/SAML/Artifact" index="1"/>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/SAML/POST" index="2"/>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/SAML2/Artifact" index="3"/>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/SAML2/ECP" index="4"/>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/SAML2/POST" index="5"/>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://wiki.shibboleth.net/confluence/Shibboleth.sso/SAML2/POST-SimpleSign" index="6"/>
+		<AttributeConsumingService index="1">
+			<ServiceName xml:lang="en">Shibboleth.net Wiki</ServiceName>
+			<ServiceDescription xml:lang="en">The wiki hosting the documentation for Shibboleth. Unauthenticated user may view the existing documentation. Authenticated users may create new documentation pages and edit existing ones.</ServiceDescription>
+			<RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+			<RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+			<RequestedAttribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+			<RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+		</AttributeConsumingService>
+		</SPSSODescriptor>
+		<Organization>
+		<OrganizationName xml:lang="en">The Ohio State University</OrganizationName>
+		<OrganizationDisplayName xml:lang="en">Ohio State University</OrganizationDisplayName>
+		<OrganizationURL xml:lang="en">http://www.osu.edu/</OrganizationURL>
+		</Organization>
+		<ContactPerson contactType="technical">
+		<GivenName>Shibboleth Contact</GivenName>
+		<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+		</ContactPerson>
+		<ContactPerson contactType="support">
+		<GivenName>Shibboleth Contact</GivenName>
+		<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+		</ContactPerson>
+		<ContactPerson contactType="administrative">
+		<GivenName>Shibboleth Contact</GivenName>
+		<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+		</ContactPerson>
+		<ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
+		<GivenName>Shibboleth Contact</GivenName>
+		<EmailAddress>mailto:contact@shibboleth.net</EmailAddress>
+		</ContactPerson>
+	</EntityDescriptor>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity5.xml b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity5.xml
new file mode 100644
index 00000000..d9be629a
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/entities/entity5.xml
@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<EntityDescriptor
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	ID="entity5" entityID="urn:mace:incommon:osu.edu">
+	<Extensions>
+	<mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
+	<mdattr:EntityAttributes>
+		<saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+		<saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
+		</saml:Attribute>
+		<saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+		<saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
+		</saml:Attribute>
+
+	</mdattr:EntityAttributes>
+	</Extensions>
+	<IDPSSODescriptor errorURL="https://webauth.service.ohio-state.edu/support.html" protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+	<Extensions>
+		<shibmd:Scope regexp="false">osu.edu</shibmd:Scope>
+		<mdui:UIInfo>
+		<mdui:DisplayName xml:lang="en">Ohio State University</mdui:DisplayName>
+		<mdui:InformationURL xml:lang="en">https://webauth.service.ohio-state.edu/info.html</mdui:InformationURL>
+		<mdui:PrivacyStatementURL xml:lang="en">https://it.osu.edu/sites/default/files/files-1477502394/disclosurepolicy.pdf</mdui:PrivacyStatementURL>
+		<mdui:Logo height="83" width="83" xml:lang="en">https://webauth.service.ohio-state.edu/images/osu_mdui.png</mdui:Logo>
+		</mdui:UIInfo>
+	</Extensions>
+	<KeyDescriptor use="signing">
+		<ds:KeyInfo>
+		<ds:X509Data>
+			<ds:X509Certificate>
+MIIEUDCCArigAwIBAgIJAOTP/syONHwnMA0GCSqGSIb3DQEBCwUAMCkxJzAlBgNV
+BAMMHndlYmF1dGguc2VydmljZS5vaGlvLXN0YXRlLmVkdTAeFw0xOTAyMjIxOTE3
+MjJaFw00NjA3MTAxOTE3MjJaMCkxJzAlBgNVBAMMHndlYmF1dGguc2VydmljZS5v
+aGlvLXN0YXRlLmVkdTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJle
+1C2GVPJkD+fXHBxGMZSLVFsEClJNFbI2Rp5feo8QNvV5CYIMU+bNqovkMZhONAbz
+3v63v/HNNr3tFk6ZBWk7fQ+VZE7NyHGrpKn1XiWbFMBokEsMXah3tDHq5clxCWHi
+dg8J9knnLt71h2j7SvSowxF8TwEmIGQmymNs1TeW2kVxKZWChk+UzRk3VNMPxoUz
+lEdAiqBSl/J3E+W1lCzYxs/r9cTTeQwAJkwg/gjewCTcNlXGtt9ykf4Csja2NFtO
+hh7bys3VzAI0nsHFTxQq3rxbbmeCmLdLGvu83h2iI0JrT6HYmo0ksXVqTXIOPS+D
+ZJmCYLL4PKJQb6fAcQhE4NgZMEEJdtToe8mt34/UPGutRz0ja/fgV6ec3AJq9wQF
+jQ20iPpDh/aVuLpSQYmEhuMQOXvBI8ILv/wKSPQ2A63FSr4adoNFlBCsOFoTW9uu
+y7Kxc8Qo+ZzEF39WWBnc3UcBSxk9Z9zsCFCAbfBt+SVrbNUA4L4lU/8x9DpRpwID
+AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
+YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUML3nKeprDqx0PFVahBwqvu2s5y4w
+HwYDVR0jBBgwFoAUML3nKeprDqx0PFVahBwqvu2s5y4wDQYJKoZIhvcNAQELBQAD
+ggGBADSfQwfmSPjrXGdWsCqngcEmN1ksnSCcNm8qdp+YO0luZO0MiJsM0cIvka1e
+/9MeP7VMbeBTOpSlr1RzN6h0bFWo9vwLbIuYsLc63Vt4B1R7DzUMQwWc7LekfV/A
+8IIdendOvCLpxvrm3dj32VgA5jNlJ+M7fDzFh5vHouLEAD45F/qn50N1XyZYX86C
+zLpL7rCfmnMGrzAYBUgj9d6CU8xkf0XoiCsyMsuku0ZNFEzUCKZKHvle9HCYmwA1
+/FtgnWK+vhjsnEH4dApxP2D4YbP3mGSCpkOKBuNFbJd8sjhIpGCTCwxp8jNl61xE
+S6PJeJfcTU8ztIsGhug80jySah6mEmIyQ47YbG25Lt5AuTAZDTPf84QpD6qdMCvJ
+KjK/sp1LPbN0WZBdzQup9e8WhdMt2sN6UsxM7+WNlJLZ+Fn3xFHkiWvgXp53jiT2
+KITPlARNryCA9e7et3E05ZxtCocCh+y7eEGV7/+g4CjhqniVsshTcVzrKicYN6oC
+O8tLIQ==
+</ds:X509Certificate>
+		</ds:X509Data>
+		</ds:KeyInfo>
+	</KeyDescriptor>
+	<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://webauth.service.ohio-state.edu/idp/profile/Shibboleth/SSO"/>
+	<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://webauth.service.ohio-state.edu/idp/profile/SAML2/Redirect/SSO"/>
+	<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://webauth.service.ohio-state.edu/idp/profile/SAML2/POST/SSO"/>
+	<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://webauth.service.ohio-state.edu/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+	<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://webauth.service.ohio-state.edu/idp/profile/SAML2/SOAP/ECP"/>
+	</IDPSSODescriptor>
+	<Organization>
+	<OrganizationName xml:lang="en">The Ohio State University</OrganizationName>
+	<OrganizationDisplayName xml:lang="en">Ohio State University</OrganizationDisplayName>
+	<OrganizationURL xml:lang="en">http://www.osu.edu/</OrganizationURL>
+	</Organization>
+	<ContactPerson contactType="support">
+	<GivenName>IT Service Desk</GivenName>
+	<EmailAddress>mailto:8help@osu.edu</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="technical">
+	<GivenName>Authentication Support</GivenName>
+	<EmailAddress>mailto:webauth-admin@lists.service.ohio-state.edu</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="administrative">
+	<GivenName>Authentication Support</GivenName>
+	<EmailAddress>mailto:webauth-admin@lists.service.ohio-state.edu</EmailAddress>
+	</ContactPerson>
+	<ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
+	<GivenName>Security Response Team</GivenName>
+	<EmailAddress>mailto:security@osu.edu</EmailAddress>
+	</ContactPerson>
+</EntityDescriptor>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/inc-md-cert-mdq.pem b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/inc-md-cert-mdq.pem
new file mode 100644
index 00000000..178dcf85
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/inc-md-cert-mdq.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEvjCCAyagAwIBAgIJANpi9/mkU/zoMA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRYwFAYDVQQK
+DA1JbnRlcm5ldDIuZWR1MREwDwYDVQQLDAhJbkNvbW1vbjEZMBcGA1UEAwwQbWRx
+LmluY29tbW9uLm9yZzAeFw0xODExMTMxNDI5NDNaFw0zODExMTAxNDI5NDNaMHQx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRYw
+FAYDVQQKDA1JbnRlcm5ldDIuZWR1MREwDwYDVQQLDAhJbkNvbW1vbjEZMBcGA1UE
+AwwQbWRxLmluY29tbW9uLm9yZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoC
+ggGBAJ0+fUTzYVSP6ZOutOEhNdp3WPCPOYqnB4sQFz7IeGbFL1o0lZjx5Izm4Yho
+4wNDd0h486iSkHxNf5dDhCqgz7ZRSmbusOl98SYn70PrUQj/Nzs3w47dPg9Tpb/x
+y44PvNLS/rE56hPgCz/fbHoTTiJt5eosysa1ZebQ3LEyW3jGm+LGtLbdIfkynKVQ
+vpp1FVeCamzdeB3ZRICAvqTYQKE1JQDGlWrEsSW0VVEGNjfbzMzr/g4l8JRdMabQ
+Jig8tj3UIXnu7A2CKSMJSy3WZ3HX+85oHEbL+EV4PtpQz765c69tUIdNTJax9jQ2
+1c3wL0K27HE8jSRlrXImD50R3dXQBKH+iiynBWxRPdyMBa1YfK+zZEWPbLHshSTc
+9hkylQv3awmPR/+Plz5AtTpe5yss/Ifyp01wz1jt42R+6jDE+WbUjp5XDBCAjGEE
+0FPaYtxjZLkmNl367bdTN12OIn/ixPNH+Z/S/4skdBB9Gc4lb2fEBywJQY0OYNOd
+WOxmPwIDAQABo1MwUTAdBgNVHQ4EFgQUMHZuwMaYSJM5mlu3Wc4Ts5xq4/swHwYD
+VR0jBBgwFoAUMHZuwMaYSJM5mlu3Wc4Ts5xq4/swDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQsFAAOCAYEAMr4wfLrSoPTzfpXtvL+2vrKBJNnRfuJpOYTbPKUc
+DOP2QfzRlczi7suYJvd5rLiRonq8rjyPUyM8gvTfbTps+JhJ6S9mS6dTBxOV1qPZ
+3Ab+XKmq8LUtguGRabKgJgmJH0+inR/wVoal7EVHcWXfij9AT8DZOXW88shc6grh
+jUaFZBu/2+q8c8ee0e4ip8B+CVEnCwDKI0d+nTcSmPvAE34CNa33F+QGpXawv5yv
+VvIpSaLAeFQhc/jKcnNHfy+Zi7JmSnKZiMvQCbWANQmDjHg7pGmBW9nyQcm6P2/B
+0AVcEj1YTpAR8Mbh1pUdIhoB+chaNnFEIZsXeRsdbbAFpxodInlJ7WekfuvSQ6sU
+EXpoyBGOeuuTmR1va8k3QeL8Wc4yNu/g5LwjmtvPrh2jBF8xujc4J6VzP8K2BjA4
+xk4LnXgjHOT93dBAJhVYJkykDHwyvHUvsBHoP6lfjrt5P8zunK2mdP/AZKik+Rdt
+1GGlErV2AyWShTOaDLW6NxdP
+-----END CERTIFICATE-----
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/pkcs11-softhsm.cfg b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/pkcs11-softhsm.cfg
new file mode 100644
index 00000000..d569459f
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/pkcs11-softhsm.cfg
@@ -0,0 +1,3 @@
+# PKCS#11 provider configuration for softhsm running under Amazon Linux
+name = softhsm
+library = /usr/lib64/pkcs11/libsofthsm2.so
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/ukfederation-2014.pem b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/ukfederation-2014.pem
new file mode 100644
index 00000000..bee705cd
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/input/ukfederation-2014.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxzCCAq+gAwIBAgIJAOwuoY8tsvYGMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV
+BAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVudCBGZWRlcmF0aW9u
+IGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMSYwJAYDVQQDDB1VSyBGZWRlcmF0
+aW9uIE1ldGFkYXRhIFNpZ25lcjAeFw0xNDA4MjYxMjIwMjhaFw0zNzEyMzExMjIw
+MjhaMHoxCzAJBgNVBAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVu
+dCBGZWRlcmF0aW9uIGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMSYwJAYDVQQD
+DB1VSyBGZWRlcmF0aW9uIE1ldGFkYXRhIFNpZ25lcjCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAOqtfMvCmBuQudC4/jZFPYkHDNHFyp1FA3KJihIUXppF
+vrecrO2wG5CpyqB1mZ+MlKf4jKcTMGBIXC2klD+FyrEdJMBhO6vRmJnNphg3uNZM
+ks0NqIaZmtgc7e8435nMhqLHV95UK2oCLcT4gZrTaXa2vt9kukTOijB0KqDIfEG5
+369EHXPItApAEeMlHebbWndl5n2I16nya/LeaoiU9qJ6sVz4xd1UtUesewrmYVKg
+PA2JYEpovmnr13sTnGssai5Db/FkrE2NJ4Q4drbPYcwincUo/UXzrtuPclr+l3JE
+gjtvDzPrBxxvK0S/gARrbKz5tk4LDLkYsj4PKlwVS+UCAwEAAaNQME4wHQYDVR0O
+BBYEFE9HhBuMxrzBYOj1Kj/3gtzAgtUEMB8GA1UdIwQYMBaAFE9HhBuMxrzBYOj1
+Kj/3gtzAgtUEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALJkjT3K
+QL3w3xNfVe27nEOY44K2AZiu4IhqmRSslcyMnhnxrovEhLL3ieKFXQ+QFIkzVdR5
+BcO3NrSIz5V6b+mHtr5IjqLFHzOzzjw/3i8LddGOsApJiav+JrU1CGJXCU4cwYDN
+hAyfuAlrrEEL2lWMU1L1ZTzHsG1yWTfukfuvTftY5BwZ/dgANgIWwLDhvL6CAQZ3
+g5XteFPyChU0Z7b3XAHdVNHDa2VzWSsSUDtSQZ9DyTuqSjZH1q2/qtdMcrbJpdMB
+cndOf1pZRLzb6a+akIYi//1qO48HpB4wouH9gS3ZER+rNBhVWu301UYxoVI7o8mG
+Yq7dENJce7lO9yE=
+-----END CERTIFICATE-----
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/output/.gitkeep b/tools/mda-distribution-0.10.0/doc/wiki/path/to/output/.gitkeep
new file mode 100644
index 00000000..e69de29b
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/saml-schema-assertion-2.0.xsd b/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/saml-schema-assertion-2.0.xsd
new file mode 100644
index 00000000..a1ef536c
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/saml-schema-assertion-2.0.xsd
@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema
+    targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns="http://www.w3.org/2001/XMLSchema"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    blockDefault="substitution"
+    version="2.0">
+    <import namespace="http://www.w3.org/2000/09/xmldsig#"
+        schemaLocation="xmldsig-core-schema.xsd"/>
+    <import namespace="http://www.w3.org/2001/04/xmlenc#"
+        schemaLocation="xenc-schema.xsd"/>
+    <annotation>
+        <documentation>
+            Document identifier: saml-schema-assertion-2.0
+            Location: http://docs.oasis-open.org/security/saml/v2.0/
+            Revision history:
+            V1.0 (November, 2002):
+              Initial Standard Schema.
+            V1.1 (September, 2003):
+              Updates within the same V1.0 namespace.
+            V2.0 (March, 2005):
+              New assertion schema for SAML V2.0 namespace.
+        </documentation>
+    </annotation>
+    <attributeGroup name="IDNameQualifiers">
+        <attribute name="NameQualifier" type="string" use="optional"/>
+        <attribute name="SPNameQualifier" type="string" use="optional"/>
+    </attributeGroup>
+    <element name="BaseID" type="saml:BaseIDAbstractType"/>
+    <complexType name="BaseIDAbstractType" abstract="true">
+        <attributeGroup ref="saml:IDNameQualifiers"/>
+    </complexType>
+    <element name="NameID" type="saml:NameIDType"/>
+    <complexType name="NameIDType">
+        <simpleContent>
+            <extension base="string">
+                <attributeGroup ref="saml:IDNameQualifiers"/>
+                <attribute name="Format" type="anyURI" use="optional"/>
+                <attribute name="SPProvidedID" type="string" use="optional"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <complexType name="EncryptedElementType">
+        <sequence>
+            <element ref="xenc:EncryptedData"/>
+            <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="EncryptedID" type="saml:EncryptedElementType"/>
+    <element name="Issuer" type="saml:NameIDType"/>
+    <element name="AssertionIDRef" type="NCName"/>
+    <element name="AssertionURIRef" type="anyURI"/>
+    <element name="Assertion" type="saml:AssertionType"/>
+    <complexType name="AssertionType">
+        <sequence>
+            <element ref="saml:Issuer"/>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="saml:Subject" minOccurs="0"/>
+            <element ref="saml:Conditions" minOccurs="0"/>
+            <element ref="saml:Advice" minOccurs="0"/>
+            <choice minOccurs="0" maxOccurs="unbounded">
+                <element ref="saml:Statement"/>
+                <element ref="saml:AuthnStatement"/>
+                <element ref="saml:AuthzDecisionStatement"/>
+                <element ref="saml:AttributeStatement"/>
+            </choice>
+        </sequence>
+        <attribute name="Version" type="string" use="required"/>
+        <attribute name="ID" type="ID" use="required"/>
+        <attribute name="IssueInstant" type="dateTime" use="required"/>
+    </complexType>
+    <element name="Subject" type="saml:SubjectType"/>
+    <complexType name="SubjectType">
+        <choice>
+            <sequence>
+                <choice>
+                    <element ref="saml:BaseID"/>
+                    <element ref="saml:NameID"/>
+                    <element ref="saml:EncryptedID"/>
+                </choice>
+                <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
+            </sequence>
+            <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
+        </choice>
+    </complexType>
+    <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+    <complexType name="SubjectConfirmationType">
+        <sequence>
+            <choice minOccurs="0">
+                <element ref="saml:BaseID"/>
+                <element ref="saml:NameID"/>
+                <element ref="saml:EncryptedID"/>
+            </choice>
+            <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+        </sequence>
+        <attribute name="Method" type="anyURI" use="required"/>
+    </complexType>
+    <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
+    <complexType name="SubjectConfirmationDataType" mixed="true">
+        <complexContent>
+            <restriction base="anyType">
+                <sequence>
+                    <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+                <attribute name="NotBefore" type="dateTime" use="optional"/>
+                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+                <attribute name="Recipient" type="anyURI" use="optional"/>
+                <attribute name="InResponseTo" type="NCName" use="optional"/>
+                <attribute name="Address" type="string" use="optional"/>
+                <anyAttribute namespace="##other" processContents="lax"/>
+            </restriction>
+        </complexContent>
+    </complexType>
+    <complexType name="KeyInfoConfirmationDataType" mixed="false">
+        <complexContent>
+            <restriction base="saml:SubjectConfirmationDataType">
+                <sequence>
+                    <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+                </sequence>
+            </restriction>
+        </complexContent>
+    </complexType>
+    <element name="Conditions" type="saml:ConditionsType"/>
+    <complexType name="ConditionsType">
+        <choice minOccurs="0" maxOccurs="unbounded">
+            <element ref="saml:Condition"/>
+            <element ref="saml:AudienceRestriction"/>
+            <element ref="saml:OneTimeUse"/>
+            <element ref="saml:ProxyRestriction"/>
+        </choice>
+        <attribute name="NotBefore" type="dateTime" use="optional"/>
+        <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+    </complexType>
+    <element name="Condition" type="saml:ConditionAbstractType"/>
+    <complexType name="ConditionAbstractType" abstract="true"/>
+    <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
+    <complexType name="AudienceRestrictionType">
+        <complexContent>
+            <extension base="saml:ConditionAbstractType">
+                <sequence>
+                    <element ref="saml:Audience" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="Audience" type="anyURI"/>
+    <element name="OneTimeUse" type="saml:OneTimeUseType" />
+    <complexType name="OneTimeUseType">
+        <complexContent>
+            <extension base="saml:ConditionAbstractType"/>
+        </complexContent>
+    </complexType>
+    <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
+    <complexType name="ProxyRestrictionType">
+    <complexContent>
+        <extension base="saml:ConditionAbstractType">
+            <sequence>
+                <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+            </sequence>
+            <attribute name="Count" type="nonNegativeInteger" use="optional"/>
+        </extension>
+    </complexContent>
+    </complexType>
+    <element name="Advice" type="saml:AdviceType"/>
+    <complexType name="AdviceType">
+        <choice minOccurs="0" maxOccurs="unbounded">
+            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:Assertion"/>
+            <element ref="saml:EncryptedAssertion"/>
+            <any namespace="##other" processContents="lax"/>
+        </choice>
+    </complexType>
+    <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
+    <element name="Statement" type="saml:StatementAbstractType"/>
+    <complexType name="StatementAbstractType" abstract="true"/>
+    <element name="AuthnStatement" type="saml:AuthnStatementType"/>
+    <complexType name="AuthnStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <sequence>
+                    <element ref="saml:SubjectLocality" minOccurs="0"/>
+                    <element ref="saml:AuthnContext"/>
+                </sequence>
+                <attribute name="AuthnInstant" type="dateTime" use="required"/>
+                <attribute name="SessionIndex" type="string" use="optional"/>
+                <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+    <complexType name="SubjectLocalityType">
+        <attribute name="Address" type="string" use="optional"/>
+        <attribute name="DNSName" type="string" use="optional"/>
+    </complexType>
+    <element name="AuthnContext" type="saml:AuthnContextType"/>
+    <complexType name="AuthnContextType">
+        <sequence>
+            <choice>
+                <sequence>
+                    <element ref="saml:AuthnContextClassRef"/>
+                    <choice minOccurs="0">
+                        <element ref="saml:AuthnContextDecl"/>
+                        <element ref="saml:AuthnContextDeclRef"/>
+                    </choice>
+                </sequence>
+                <choice>
+                    <element ref="saml:AuthnContextDecl"/>
+                    <element ref="saml:AuthnContextDeclRef"/>
+                </choice>
+            </choice>
+            <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+    <element name="AuthnContextClassRef" type="anyURI"/>
+    <element name="AuthnContextDeclRef" type="anyURI"/>
+    <element name="AuthnContextDecl" type="anyType"/>
+    <element name="AuthenticatingAuthority" type="anyURI"/>
+    <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
+    <complexType name="AuthzDecisionStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <sequence>
+                    <element ref="saml:Action" maxOccurs="unbounded"/>
+                    <element ref="saml:Evidence" minOccurs="0"/>
+                </sequence>
+                <attribute name="Resource" type="anyURI" use="required"/>
+                <attribute name="Decision" type="saml:DecisionType" use="required"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <simpleType name="DecisionType">
+        <restriction base="string">
+            <enumeration value="Permit"/>
+            <enumeration value="Deny"/>
+            <enumeration value="Indeterminate"/>
+        </restriction>
+    </simpleType>
+    <element name="Action" type="saml:ActionType"/>
+    <complexType name="ActionType">
+        <simpleContent>
+            <extension base="string">
+                <attribute name="Namespace" type="anyURI" use="required"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <element name="Evidence" type="saml:EvidenceType"/>
+    <complexType name="EvidenceType">
+        <choice maxOccurs="unbounded">
+            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:Assertion"/>
+            <element ref="saml:EncryptedAssertion"/>
+        </choice>
+    </complexType>
+    <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+    <complexType name="AttributeStatementType">
+        <complexContent>
+            <extension base="saml:StatementAbstractType">
+                <choice maxOccurs="unbounded">
+                    <element ref="saml:Attribute"/>
+                    <element ref="saml:EncryptedAttribute"/>
+                </choice>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="Attribute" type="saml:AttributeType"/>
+    <complexType name="AttributeType">
+        <sequence>
+            <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="Name" type="string" use="required"/>
+        <attribute name="NameFormat" type="anyURI" use="optional"/>
+        <attribute name="FriendlyName" type="string" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <element name="AttributeValue" type="anyType" nillable="true"/>
+    <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
+</schema>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/saml-schema-metadata-2.0.xsd b/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/saml-schema-metadata-2.0.xsd
new file mode 100644
index 00000000..f052721c
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/saml-schema-metadata-2.0.xsd
@@ -0,0 +1,337 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+    targetNamespace="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns="http://www.w3.org/2001/XMLSchema"
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    blockDefault="substitution"
+    version="2.0">
+    <import namespace="http://www.w3.org/2000/09/xmldsig#"
+        schemaLocation="xmldsig-core-schema.xsd"/>
+    <import namespace="http://www.w3.org/2001/04/xmlenc#"
+        schemaLocation="xenc-schema.xsd"/>
+    <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+        schemaLocation="saml-schema-assertion-2.0.xsd"/>
+    <import namespace="http://www.w3.org/XML/1998/namespace"
+        schemaLocation="xml.xsd"/>
+    <annotation>
+        <documentation>
+            Document identifier: saml-schema-metadata-2.0
+            Location: http://docs.oasis-open.org/security/saml/v2.0/
+            Revision history:
+              V2.0 (March, 2005):
+                Schema for SAML metadata, first published in SAML 2.0.
+        </documentation>
+    </annotation>
+
+    <simpleType name="entityIDType">
+        <restriction base="anyURI">
+            <maxLength value="1024"/>
+        </restriction>
+    </simpleType>
+    <complexType name="localizedNameType">
+        <simpleContent>
+            <extension base="string">
+                <attribute ref="xml:lang" use="required"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+    <complexType name="localizedURIType">
+        <simpleContent>
+            <extension base="anyURI">
+                <attribute ref="xml:lang" use="required"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+
+    <element name="Extensions" type="md:ExtensionsType"/>
+    <complexType final="#all" name="ExtensionsType">
+        <sequence>
+            <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+        </sequence>
+    </complexType>
+
+    <complexType name="EndpointType">
+        <sequence>
+            <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="Binding" type="anyURI" use="required"/>
+        <attribute name="Location" type="anyURI" use="required"/>
+        <attribute name="ResponseLocation" type="anyURI" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+
+    <complexType name="IndexedEndpointType">
+        <complexContent>
+            <extension base="md:EndpointType">
+                <attribute name="index" type="unsignedShort" use="required"/>
+                <attribute name="isDefault" type="boolean" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+
+    <element name="EntitiesDescriptor" type="md:EntitiesDescriptorType"/>
+    <complexType name="EntitiesDescriptorType">
+        <sequence>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="md:Extensions" minOccurs="0"/>
+            <choice minOccurs="1" maxOccurs="unbounded">
+                <element ref="md:EntityDescriptor"/>
+                <element ref="md:EntitiesDescriptor"/>
+            </choice>
+        </sequence>
+        <attribute name="validUntil" type="dateTime" use="optional"/>
+        <attribute name="cacheDuration" type="duration" use="optional"/>
+        <attribute name="ID" type="ID" use="optional"/>
+        <attribute name="Name" type="string" use="optional"/>
+    </complexType>
+
+    <element name="EntityDescriptor" type="md:EntityDescriptorType"/>
+    <complexType name="EntityDescriptorType">
+        <sequence>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="md:Extensions" minOccurs="0"/>
+            <choice>
+                <choice maxOccurs="unbounded">
+                    <element ref="md:RoleDescriptor"/>
+                    <element ref="md:IDPSSODescriptor"/>
+                    <element ref="md:SPSSODescriptor"/>
+                    <element ref="md:AuthnAuthorityDescriptor"/>
+                    <element ref="md:AttributeAuthorityDescriptor"/>
+                    <element ref="md:PDPDescriptor"/>
+                </choice>
+                <element ref="md:AffiliationDescriptor"/>
+            </choice>
+            <element ref="md:Organization" minOccurs="0"/>
+            <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+            <element ref="md:AdditionalMetadataLocation" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="entityID" type="md:entityIDType" use="required"/>
+        <attribute name="validUntil" type="dateTime" use="optional"/>
+        <attribute name="cacheDuration" type="duration" use="optional"/>
+        <attribute name="ID" type="ID" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+
+    <element name="Organization" type="md:OrganizationType"/>
+    <complexType name="OrganizationType">
+        <sequence>
+            <element ref="md:Extensions" minOccurs="0"/>
+            <element ref="md:OrganizationName" maxOccurs="unbounded"/>
+            <element ref="md:OrganizationDisplayName" maxOccurs="unbounded"/>
+            <element ref="md:OrganizationURL" maxOccurs="unbounded"/>
+        </sequence>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <element name="OrganizationName" type="md:localizedNameType"/>
+    <element name="OrganizationDisplayName" type="md:localizedNameType"/>
+    <element name="OrganizationURL" type="md:localizedURIType"/>
+    <element name="ContactPerson" type="md:ContactType"/>
+    <complexType name="ContactType">
+        <sequence>
+            <element ref="md:Extensions" minOccurs="0"/>
+            <element ref="md:Company" minOccurs="0"/>
+            <element ref="md:GivenName" minOccurs="0"/>
+            <element ref="md:SurName" minOccurs="0"/>
+            <element ref="md:EmailAddress" minOccurs="0" maxOccurs="unbounded"/>
+            <element ref="md:TelephoneNumber" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="contactType" type="md:ContactTypeType" use="required"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <element name="Company" type="string"/>
+    <element name="GivenName" type="string"/>
+    <element name="SurName" type="string"/>
+    <element name="EmailAddress" type="anyURI"/>
+    <element name="TelephoneNumber" type="string"/>
+    <simpleType name="ContactTypeType">
+        <restriction base="string">
+            <enumeration value="technical"/>
+            <enumeration value="support"/>
+            <enumeration value="administrative"/>
+            <enumeration value="billing"/>
+            <enumeration value="other"/>
+        </restriction>
+    </simpleType>
+
+    <element name="AdditionalMetadataLocation" type="md:AdditionalMetadataLocationType"/>
+    <complexType name="AdditionalMetadataLocationType">
+        <simpleContent>
+            <extension base="anyURI">
+                <attribute name="namespace" type="anyURI" use="required"/>
+            </extension>
+        </simpleContent>
+    </complexType>
+
+    <element name="RoleDescriptor" type="md:RoleDescriptorType"/>
+    <complexType name="RoleDescriptorType" abstract="true">
+        <sequence>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="md:Extensions" minOccurs="0"/>
+            <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+            <element ref="md:Organization" minOccurs="0"/>
+            <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="ID" type="ID" use="optional"/>
+        <attribute name="validUntil" type="dateTime" use="optional"/>
+        <attribute name="cacheDuration" type="duration" use="optional"/>
+        <attribute name="protocolSupportEnumeration" type="md:anyURIListType" use="required"/>
+        <attribute name="errorURL" type="anyURI" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <simpleType name="anyURIListType">
+        <list itemType="anyURI"/>
+    </simpleType>
+
+    <element name="KeyDescriptor" type="md:KeyDescriptorType"/>
+    <complexType name="KeyDescriptorType">
+        <sequence>
+            <element ref="ds:KeyInfo"/>
+            <element ref="md:EncryptionMethod" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="use" type="md:KeyTypes" use="optional"/>
+    </complexType>
+    <simpleType name="KeyTypes">
+        <restriction base="string">
+            <enumeration value="encryption"/>
+            <enumeration value="signing"/>
+        </restriction>
+    </simpleType>
+    <element name="EncryptionMethod" type="xenc:EncryptionMethodType"/>
+
+    <complexType name="SSODescriptorType" abstract="true">
+        <complexContent>
+            <extension base="md:RoleDescriptorType">
+                <sequence>
+                    <element ref="md:ArtifactResolutionService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:SingleLogoutService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:ManageNameIDService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="ArtifactResolutionService" type="md:IndexedEndpointType"/>
+    <element name="SingleLogoutService" type="md:EndpointType"/>
+    <element name="ManageNameIDService" type="md:EndpointType"/>
+    <element name="NameIDFormat" type="anyURI"/>
+
+    <element name="IDPSSODescriptor" type="md:IDPSSODescriptorType"/>
+    <complexType name="IDPSSODescriptorType">
+        <complexContent>
+            <extension base="md:SSODescriptorType">
+                <sequence>
+                    <element ref="md:SingleSignOnService" maxOccurs="unbounded"/>
+                    <element ref="md:NameIDMappingService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+                <attribute name="WantAuthnRequestsSigned" type="boolean" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="SingleSignOnService" type="md:EndpointType"/>
+    <element name="NameIDMappingService" type="md:EndpointType"/>
+    <element name="AssertionIDRequestService" type="md:EndpointType"/>
+    <element name="AttributeProfile" type="anyURI"/>
+
+    <element name="SPSSODescriptor" type="md:SPSSODescriptorType"/>
+    <complexType name="SPSSODescriptorType">
+        <complexContent>
+            <extension base="md:SSODescriptorType">
+                <sequence>
+                    <element ref="md:AssertionConsumerService" maxOccurs="unbounded"/>
+                    <element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+                <attribute name="AuthnRequestsSigned" type="boolean" use="optional"/>
+                <attribute name="WantAssertionsSigned" type="boolean" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="AssertionConsumerService" type="md:IndexedEndpointType"/>
+    <element name="AttributeConsumingService" type="md:AttributeConsumingServiceType"/>
+    <complexType name="AttributeConsumingServiceType">
+        <sequence>
+            <element ref="md:ServiceName" maxOccurs="unbounded"/>
+            <element ref="md:ServiceDescription" minOccurs="0" maxOccurs="unbounded"/>
+            <element ref="md:RequestedAttribute" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="index" type="unsignedShort" use="required"/>
+        <attribute name="isDefault" type="boolean" use="optional"/>
+    </complexType>
+    <element name="ServiceName" type="md:localizedNameType"/>
+    <element name="ServiceDescription" type="md:localizedNameType"/>
+    <element name="RequestedAttribute" type="md:RequestedAttributeType"/>
+    <complexType name="RequestedAttributeType">
+        <complexContent>
+            <extension base="saml:AttributeType">
+                <attribute name="isRequired" type="boolean" use="optional"/>
+            </extension>
+        </complexContent>
+    </complexType>
+
+    <element name="AuthnAuthorityDescriptor" type="md:AuthnAuthorityDescriptorType"/>
+    <complexType name="AuthnAuthorityDescriptorType">
+        <complexContent>
+            <extension base="md:RoleDescriptorType">
+                <sequence>
+                    <element ref="md:AuthnQueryService" maxOccurs="unbounded"/>
+                    <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="AuthnQueryService" type="md:EndpointType"/>
+
+    <element name="PDPDescriptor" type="md:PDPDescriptorType"/>
+    <complexType name="PDPDescriptorType">
+        <complexContent>
+            <extension base="md:RoleDescriptorType">
+                <sequence>
+                    <element ref="md:AuthzService" maxOccurs="unbounded"/>
+                    <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="AuthzService" type="md:EndpointType"/>
+
+    <element name="AttributeAuthorityDescriptor" type="md:AttributeAuthorityDescriptorType"/>
+    <complexType name="AttributeAuthorityDescriptorType">
+        <complexContent>
+            <extension base="md:RoleDescriptorType">
+                <sequence>
+                    <element ref="md:AttributeService" maxOccurs="unbounded"/>
+                    <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+                    <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+            </extension>
+        </complexContent>
+    </complexType>
+    <element name="AttributeService" type="md:EndpointType"/>
+
+    <element name="AffiliationDescriptor" type="md:AffiliationDescriptorType"/>
+    <complexType name="AffiliationDescriptorType">
+        <sequence>
+            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="md:Extensions" minOccurs="0"/>
+            <element ref="md:AffiliateMember" maxOccurs="unbounded"/>
+            <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="affiliationOwnerID" type="md:entityIDType" use="required"/>
+        <attribute name="validUntil" type="dateTime" use="optional"/>
+        <attribute name="cacheDuration" type="duration" use="optional"/>
+        <attribute name="ID" type="ID" use="optional"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+    <element name="AffiliateMember" type="md:entityIDType"/>
+</schema>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/xenc-schema.xsd b/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/xenc-schema.xsd
new file mode 100644
index 00000000..82f7be4b
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/xenc-schema.xsd
@@ -0,0 +1,171 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+#
+# Copyright ©[2011] World Wide Web Consortium
+# (Massachusetts Institute of Technology,
+#  European Research Consortium for Informatics and Mathematics,
+#  Keio University). All Rights Reserved.
+# This work is distributed under the W3C® Software License [1] in the
+# hope that it will be useful, but WITHOUT ANY WARRANTY; without even
+# the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE.
+# [1] http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231
+#
+-->
+
+<schema xmlns='http://www.w3.org/2001/XMLSchema' version='1.0'
+        xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
+        xmlns:ds='http://www.w3.org/2000/09/xmldsig#'
+        targetNamespace='http://www.w3.org/2001/04/xmlenc#'
+        elementFormDefault='qualified'>
+
+  <import namespace='http://www.w3.org/2000/09/xmldsig#' schemaLocation='xmldsig-core-schema.xsd'/>
+
+  <complexType name='EncryptedType' abstract='true'>
+    <sequence>
+      <element name='EncryptionMethod' type='xenc:EncryptionMethodType'
+       minOccurs='0'/>
+      <element ref='ds:KeyInfo' minOccurs='0'/>
+      <element ref='xenc:CipherData'/>
+      <element ref='xenc:EncryptionProperties' minOccurs='0'/>
+    </sequence>
+    <attribute name='Id' type='ID' use='optional'/>
+    <attribute name='Type' type='anyURI' use='optional'/>
+    <attribute name='MimeType' type='string' use='optional'/>
+    <attribute name='Encoding' type='anyURI' use='optional'/>
+  </complexType>
+
+  <complexType name='EncryptionMethodType' mixed='true'>
+    <sequence>
+      <element name='KeySize' minOccurs='0' type='xenc:KeySizeType'/>
+      <element name='OAEPparams' minOccurs='0' type='base64Binary'/>
+      <!-- note that optional xenc11:MGF element may be used here for
+           RSA-OAEP, when appropriate -->
+      <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/>
+    </sequence>
+    <attribute name='Algorithm' type='anyURI' use='required'/>
+  </complexType>
+
+    <simpleType name='KeySizeType'>
+      <restriction base="integer"/>
+    </simpleType>
+
+  <element name='CipherData' type='xenc:CipherDataType'/>
+  <complexType name='CipherDataType'>
+     <choice>
+       <element name='CipherValue' type='base64Binary'/>
+       <element ref='xenc:CipherReference'/>
+     </choice>
+    </complexType>
+
+   <element name='CipherReference' type='xenc:CipherReferenceType'/>
+   <complexType name='CipherReferenceType'>
+       <choice>
+         <element name='Transforms' type='xenc:TransformsType' minOccurs='0'/>
+       </choice>
+       <attribute name='URI' type='anyURI' use='required'/>
+   </complexType>
+
+     <complexType name='TransformsType'>
+       <sequence>
+         <element ref='ds:Transform' maxOccurs='unbounded'/>
+       </sequence>
+     </complexType>
+
+
+  <element name='EncryptedData' type='xenc:EncryptedDataType'/>
+  <complexType name='EncryptedDataType'>
+    <complexContent>
+      <extension base='xenc:EncryptedType'>
+       </extension>
+    </complexContent>
+  </complexType>
+
+  <!-- Children of ds:KeyInfo -->
+
+  <element name='EncryptedKey' type='xenc:EncryptedKeyType'/>
+  <complexType name='EncryptedKeyType'>
+    <complexContent>
+      <extension base='xenc:EncryptedType'>
+        <sequence>
+          <element ref='xenc:ReferenceList' minOccurs='0'/>
+          <element name='CarriedKeyName' type='string' minOccurs='0'/>
+        </sequence>
+        <attribute name='Recipient' type='string'
+         use='optional'/>
+      </extension>
+    </complexContent>
+  </complexType>
+
+    <element name="AgreementMethod" type="xenc:AgreementMethodType"/>
+    <complexType name="AgreementMethodType" mixed="true">
+      <sequence>
+        <element name="KA-Nonce" minOccurs="0" type="base64Binary"/>
+        <!-- <element ref="ds:DigestMethod" minOccurs="0"/> -->
+        <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
+        <element name="OriginatorKeyInfo" minOccurs="0" type="ds:KeyInfoType"/>
+        <element name="RecipientKeyInfo" minOccurs="0" type="ds:KeyInfoType"/>
+      </sequence>
+      <attribute name="Algorithm" type="anyURI" use="required"/>
+    </complexType>
+
+  <!-- End Children of ds:KeyInfo -->
+
+  <element name='ReferenceList'>
+    <complexType>
+      <choice minOccurs='1' maxOccurs='unbounded'>
+        <element name='DataReference' type='xenc:ReferenceType'/>
+        <element name='KeyReference' type='xenc:ReferenceType'/>
+      </choice>
+    </complexType>
+  </element>
+
+  <complexType name='ReferenceType'>
+    <sequence>
+      <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/>
+    </sequence>
+    <attribute name='URI' type='anyURI' use='required'/>
+  </complexType>
+
+
+  <element name='EncryptionProperties' type='xenc:EncryptionPropertiesType'/>
+  <complexType name='EncryptionPropertiesType'>
+    <sequence>
+      <element ref='xenc:EncryptionProperty' maxOccurs='unbounded'/>
+    </sequence>
+    <attribute name='Id' type='ID' use='optional'/>
+  </complexType>
+
+  <element name='EncryptionProperty' type='xenc:EncryptionPropertyType'/>
+  <complexType name='EncryptionPropertyType' mixed='true'>
+    <choice maxOccurs='unbounded'>
+      <any namespace='##other' processContents='lax'/>
+    </choice>
+    <attribute name='Target' type='anyURI' use='optional'/>
+    <attribute name='Id' type='ID' use='optional'/>
+    <anyAttribute namespace="http://www.w3.org/XML/1998/namespace"/>
+  </complexType>
+
+  <!-- Children of ds:KeyValue -->
+
+  <element name="DHKeyValue" type="xenc:DHKeyValueType"/>
+  <complexType name="DHKeyValueType">
+    <sequence>
+      <sequence minOccurs="0">
+        <element name="P" type="ds:CryptoBinary"/>
+        <element name="Q" type="ds:CryptoBinary"/>
+        <element name="Generator" type="ds:CryptoBinary"/>
+      </sequence>
+      <element name="Public" type="ds:CryptoBinary"/>
+      <sequence minOccurs="0">
+        <element name="seed" type="ds:CryptoBinary"/>
+        <element name="pgenCounter" type="ds:CryptoBinary"/>
+      </sequence>
+    </sequence>
+  </complexType>
+
+  <!-- End Children of ds:KeyValue -->
+
+</schema>
+
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/xml.xsd b/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/xml.xsd
new file mode 100644
index 00000000..f10e6abb
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/xml.xsd
@@ -0,0 +1,80 @@
+<?xml version='1.0'?>
+<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">
+
+ <xs:annotation>
+  <xs:documentation>
+   See http://www.w3.org/XML/1998/namespace.html and
+   http://www.w3.org/TR/REC-xml for information about this namespace.
+  </xs:documentation>
+ </xs:annotation>
+
+ <xs:annotation>
+  <xs:documentation>This schema defines attributes and an attribute group
+        suitable for use by
+        schemas wishing to allow xml:base, xml:lang or xml:space attributes
+        on elements they define.
+
+        To enable this, such a schema must import this schema
+        for the XML namespace, e.g. as follows:
+        &lt;schema . . .>
+         . . .
+         &lt;import namespace="http://www.w3.org/XML/1998/namespace"
+                    schemaLocation="http://www.w3.org/2001/03/xml.xsd"/>
+
+        Subsequently, qualified reference to any of the attributes
+        or the group defined below will have the desired effect, e.g.
+
+        &lt;type . . .>
+         . . .
+         &lt;attributeGroup ref="xml:specialAttrs"/>
+
+         will define a type which will schema-validate an instance
+         element with any of those attributes</xs:documentation>
+ </xs:annotation>
+
+ <xs:annotation>
+  <xs:documentation>In keeping with the XML Schema WG's standard versioning
+   policy, this schema document will persist at
+   http://www.w3.org/2001/03/xml.xsd.
+   At the date of issue it can also be found at
+   http://www.w3.org/2001/xml.xsd.
+   The schema document at that URI may however change in the future,
+   in order to remain compatible with the latest version of XML Schema
+   itself.  In other words, if the XML Schema namespace changes, the version
+   of this document at
+   http://www.w3.org/2001/xml.xsd will change
+   accordingly; the version at
+   http://www.w3.org/2001/03/xml.xsd will not change.
+  </xs:documentation>
+ </xs:annotation>
+
+ <xs:attribute name="lang" type="xs:language">
+  <xs:annotation>
+   <xs:documentation>In due course, we should install the relevant ISO 2- and 3-letter
+         codes as the enumerated possible values . . .</xs:documentation>
+  </xs:annotation>
+ </xs:attribute>
+
+ <xs:attribute name="space" default="preserve">
+  <xs:simpleType>
+   <xs:restriction base="xs:NCName">
+    <xs:enumeration value="default"/>
+    <xs:enumeration value="preserve"/>
+   </xs:restriction>
+  </xs:simpleType>
+ </xs:attribute>
+
+ <xs:attribute name="base" type="xs:anyURI">
+  <xs:annotation>
+   <xs:documentation>See http://www.w3.org/TR/xmlbase/ for
+                     information about this attribute.</xs:documentation>
+  </xs:annotation>
+ </xs:attribute>
+
+ <xs:attributeGroup name="specialAttrs">
+  <xs:attribute ref="xml:base"/>
+  <xs:attribute ref="xml:lang"/>
+  <xs:attribute ref="xml:space"/>
+ </xs:attributeGroup>
+
+</xs:schema>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/xmldsig-core-schema.xsd b/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/xmldsig-core-schema.xsd
new file mode 100644
index 00000000..ebcd6a42
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/path/to/schema/xmldsig-core-schema.xsd
@@ -0,0 +1,308 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Schema for XML Signatures
+    http://www.w3.org/2000/09/xmldsig#
+    $Revision: 1.1 $ on $Date: 2005/03/16 17:40:08 $ by $Author: iay $
+
+    Copyright 2001 The Internet Society and W3C (Massachusetts Institute
+    of Technology, Institut National de Recherche en Informatique et en
+    Automatique, Keio University). All Rights Reserved.
+    http://www.w3.org/Consortium/Legal/
+
+    This document is governed by the W3C Software License [1] as described
+    in the FAQ [2].
+
+    [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
+    [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
+-->
+
+
+<schema xmlns="http://www.w3.org/2001/XMLSchema"
+        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+        targetNamespace="http://www.w3.org/2000/09/xmldsig#"
+        version="0.1" elementFormDefault="qualified">
+
+<!-- Basic Types Defined for Signatures -->
+
+<simpleType name="CryptoBinary">
+  <restriction base="base64Binary">
+  </restriction>
+</simpleType>
+
+<!-- Start Signature -->
+
+<element name="Signature" type="ds:SignatureType"/>
+<complexType name="SignatureType">
+  <sequence>
+    <element ref="ds:SignedInfo"/>
+    <element ref="ds:SignatureValue"/>
+    <element ref="ds:KeyInfo" minOccurs="0"/>
+    <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/>
+  </sequence>
+  <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+  <element name="SignatureValue" type="ds:SignatureValueType"/>
+  <complexType name="SignatureValueType">
+    <simpleContent>
+      <extension base="base64Binary">
+        <attribute name="Id" type="ID" use="optional"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+
+<!-- Start SignedInfo -->
+
+<element name="SignedInfo" type="ds:SignedInfoType"/>
+<complexType name="SignedInfoType">
+  <sequence>
+    <element ref="ds:CanonicalizationMethod"/>
+    <element ref="ds:SignatureMethod"/>
+    <element ref="ds:Reference" maxOccurs="unbounded"/>
+  </sequence>
+  <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+  <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/>
+  <complexType name="CanonicalizationMethodType" mixed="true">
+    <sequence>
+      <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
+      <!-- (0,unbounded) elements from (1,1) namespace -->
+    </sequence>
+    <attribute name="Algorithm" type="anyURI" use="required"/>
+  </complexType>
+
+  <element name="SignatureMethod" type="ds:SignatureMethodType"/>
+  <complexType name="SignatureMethodType" mixed="true">
+    <sequence>
+      <element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/>
+      <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
+      <!-- (0,unbounded) elements from (1,1) external namespace -->
+    </sequence>
+    <attribute name="Algorithm" type="anyURI" use="required"/>
+  </complexType>
+
+<!-- Start Reference -->
+
+<element name="Reference" type="ds:ReferenceType"/>
+<complexType name="ReferenceType">
+  <sequence>
+    <element ref="ds:Transforms" minOccurs="0"/>
+    <element ref="ds:DigestMethod"/>
+    <element ref="ds:DigestValue"/>
+  </sequence>
+  <attribute name="Id" type="ID" use="optional"/>
+  <attribute name="URI" type="anyURI" use="optional"/>
+  <attribute name="Type" type="anyURI" use="optional"/>
+</complexType>
+
+  <element name="Transforms" type="ds:TransformsType"/>
+  <complexType name="TransformsType">
+    <sequence>
+      <element ref="ds:Transform" maxOccurs="unbounded"/>
+    </sequence>
+  </complexType>
+
+  <element name="Transform" type="ds:TransformType"/>
+  <complexType name="TransformType" mixed="true">
+    <choice minOccurs="0" maxOccurs="unbounded">
+      <any namespace="##other" processContents="lax"/>
+      <!-- (1,1) elements from (0,unbounded) namespaces -->
+      <element name="XPath" type="string"/>
+    </choice>
+    <attribute name="Algorithm" type="anyURI" use="required"/>
+  </complexType>
+
+<!-- End Reference -->
+
+<element name="DigestMethod" type="ds:DigestMethodType"/>
+<complexType name="DigestMethodType" mixed="true">
+  <sequence>
+    <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+  </sequence>
+  <attribute name="Algorithm" type="anyURI" use="required"/>
+</complexType>
+
+<element name="DigestValue" type="ds:DigestValueType"/>
+<simpleType name="DigestValueType">
+  <restriction base="base64Binary"/>
+</simpleType>
+
+<!-- End SignedInfo -->
+
+<!-- Start KeyInfo -->
+
+<element name="KeyInfo" type="ds:KeyInfoType"/>
+<complexType name="KeyInfoType" mixed="true">
+  <choice maxOccurs="unbounded">
+    <element ref="ds:KeyName"/>
+    <element ref="ds:KeyValue"/>
+    <element ref="ds:RetrievalMethod"/>
+    <element ref="ds:X509Data"/>
+    <element ref="ds:PGPData"/>
+    <element ref="ds:SPKIData"/>
+    <element ref="ds:MgmtData"/>
+    <any processContents="lax" namespace="##other"/>
+    <!-- (1,1) elements from (0,unbounded) namespaces -->
+  </choice>
+  <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+  <element name="KeyName" type="string"/>
+  <element name="MgmtData" type="string"/>
+
+  <element name="KeyValue" type="ds:KeyValueType"/>
+  <complexType name="KeyValueType" mixed="true">
+   <choice>
+     <element ref="ds:DSAKeyValue"/>
+     <element ref="ds:RSAKeyValue"/>
+     <any namespace="##other" processContents="lax"/>
+   </choice>
+  </complexType>
+
+  <element name="RetrievalMethod" type="ds:RetrievalMethodType"/>
+  <complexType name="RetrievalMethodType">
+    <sequence>
+      <element ref="ds:Transforms" minOccurs="0"/>
+    </sequence>
+    <attribute name="URI" type="anyURI"/>
+    <attribute name="Type" type="anyURI" use="optional"/>
+  </complexType>
+
+<!-- Start X509Data -->
+
+<element name="X509Data" type="ds:X509DataType"/>
+<complexType name="X509DataType">
+  <sequence maxOccurs="unbounded">
+    <choice>
+      <element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/>
+      <element name="X509SKI" type="base64Binary"/>
+      <element name="X509SubjectName" type="string"/>
+      <element name="X509Certificate" type="base64Binary"/>
+      <element name="X509CRL" type="base64Binary"/>
+      <any namespace="##other" processContents="lax"/>
+    </choice>
+  </sequence>
+</complexType>
+
+<complexType name="X509IssuerSerialType">
+  <sequence>
+    <element name="X509IssuerName" type="string"/>
+    <element name="X509SerialNumber" type="integer"/>
+  </sequence>
+</complexType>
+
+<!-- End X509Data -->
+
+<!-- Begin PGPData -->
+
+<element name="PGPData" type="ds:PGPDataType"/>
+<complexType name="PGPDataType">
+  <choice>
+    <sequence>
+      <element name="PGPKeyID" type="base64Binary"/>
+      <element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/>
+      <any namespace="##other" processContents="lax" minOccurs="0"
+       maxOccurs="unbounded"/>
+    </sequence>
+    <sequence>
+      <element name="PGPKeyPacket" type="base64Binary"/>
+      <any namespace="##other" processContents="lax" minOccurs="0"
+       maxOccurs="unbounded"/>
+    </sequence>
+  </choice>
+</complexType>
+
+<!-- End PGPData -->
+
+<!-- Begin SPKIData -->
+
+<element name="SPKIData" type="ds:SPKIDataType"/>
+<complexType name="SPKIDataType">
+  <sequence maxOccurs="unbounded">
+    <element name="SPKISexp" type="base64Binary"/>
+    <any namespace="##other" processContents="lax" minOccurs="0"/>
+  </sequence>
+</complexType>
+
+<!-- End SPKIData -->
+
+<!-- End KeyInfo -->
+
+<!-- Start Object (Manifest, SignatureProperty) -->
+
+<element name="Object" type="ds:ObjectType"/>
+<complexType name="ObjectType" mixed="true">
+  <sequence minOccurs="0" maxOccurs="unbounded">
+    <any namespace="##any" processContents="lax"/>
+  </sequence>
+  <attribute name="Id" type="ID" use="optional"/>
+  <attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet -->
+  <attribute name="Encoding" type="anyURI" use="optional"/>
+</complexType>
+
+<element name="Manifest" type="ds:ManifestType"/>
+<complexType name="ManifestType">
+  <sequence>
+    <element ref="ds:Reference" maxOccurs="unbounded"/>
+  </sequence>
+  <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+<element name="SignatureProperties" type="ds:SignaturePropertiesType"/>
+<complexType name="SignaturePropertiesType">
+  <sequence>
+    <element ref="ds:SignatureProperty" maxOccurs="unbounded"/>
+  </sequence>
+  <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+   <element name="SignatureProperty" type="ds:SignaturePropertyType"/>
+   <complexType name="SignaturePropertyType" mixed="true">
+     <choice maxOccurs="unbounded">
+       <any namespace="##other" processContents="lax"/>
+       <!-- (1,1) elements from (1,unbounded) namespaces -->
+     </choice>
+     <attribute name="Target" type="anyURI" use="required"/>
+     <attribute name="Id" type="ID" use="optional"/>
+   </complexType>
+
+<!-- End Object (Manifest, SignatureProperty) -->
+
+<!-- Start Algorithm Parameters -->
+
+<simpleType name="HMACOutputLengthType">
+  <restriction base="integer"/>
+</simpleType>
+
+<!-- Start KeyValue Element-types -->
+
+<element name="DSAKeyValue" type="ds:DSAKeyValueType"/>
+<complexType name="DSAKeyValueType">
+  <sequence>
+    <sequence minOccurs="0">
+      <element name="P" type="ds:CryptoBinary"/>
+      <element name="Q" type="ds:CryptoBinary"/>
+    </sequence>
+    <element name="G" type="ds:CryptoBinary" minOccurs="0"/>
+    <element name="Y" type="ds:CryptoBinary"/>
+    <element name="J" type="ds:CryptoBinary" minOccurs="0"/>
+    <sequence minOccurs="0">
+      <element name="Seed" type="ds:CryptoBinary"/>
+      <element name="PgenCounter" type="ds:CryptoBinary"/>
+    </sequence>
+  </sequence>
+</complexType>
+
+<element name="RSAKeyValue" type="ds:RSAKeyValueType"/>
+<complexType name="RSAKeyValueType">
+  <sequence>
+    <element name="Modulus" type="ds:CryptoBinary"/>
+    <element name="Exponent" type="ds:CryptoBinary"/>
+  </sequence>
+</complexType>
+
+<!-- End KeyValue Element-types -->
+
+<!-- End Signature -->
+
+</schema>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/per-entity.xml b/tools/mda-distribution-0.10.0/doc/wiki/per-entity.xml
new file mode 100644
index 00000000..b1e218ad
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/per-entity.xml
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans default-init-method="initialize"
+       xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+
+    <!-- Import the Standard bean definition resource. -->
+    <!-- See https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/3162439683/Standard+bean+definition+resource -->
+    <import resource="classpath:net/shibboleth/metadata/beans.xml"/>
+
+    <!-- First, we define the stages for our pipeline -->
+    <bean id="source" parent="mda.DOMFilesystemSourceStage">
+        <property name="id" value="source"/>
+        <property name="parserPool">
+            <bean parent="mda.BasicParserPool"/>
+        </property>
+        <property name="source">
+            <bean class="java.io.File">
+                <constructor-arg value="path/to/input/aggregate.xml"/>
+            </bean>
+        </property>
+    </bean>
+
+    <bean id="disassembleEntitiesDescriptor" parent="mda.EntitiesDescriptorDisassemblerStage">
+        <property name="id" value="disassembleEntitiesDescriptor"/>
+    </bean>
+
+    <bean id="populateItemIds" parent="mda.EntityDescriptorItemIdPopulationStage">
+        <property name="id" value="populateItemIds"/>
+    </bean>
+
+    <bean id="generateContentReferenceId" parent="mda.GenerateIdStage">
+        <property name="id" value="generateContentReferenceId" />
+    </bean>
+
+    <bean id="signMetadata" parent="mda.XMLSignatureSigningStage">
+        <property name="id" value="signMetadata"/>
+        <property name="privateKey">
+            <bean parent="mda.PrivateKeyFactoryBean">
+                <property name="resource">
+                    <bean class="org.springframework.core.io.FileSystemResource">
+                        <constructor-arg>
+                            <bean class="java.io.File">
+                                <constructor-arg value="path/to/secrets/private-key.pem"/>
+                            </bean>
+                        </constructor-arg>
+                    </bean>
+                </property>
+            </bean>
+        </property>
+    </bean>
+
+    <bean id="serialize" parent="mda.MultiOutputSerializationStage">
+        <property name="id" value="serializeIdPs"/>
+        <property name="serializer">
+            <bean id="domSerializer" parent="mda.DOMElementSerializer"/>
+        </property>
+        <property name="outputStrategy">
+            <bean parent="mda.FilesInDirectoryMultiOutputStrategy">
+                <property name="nameSuffix" value=".xml"/>
+                <property name="namePrefix" value="_"/>
+                <property name="directory">
+                    <bean class="java.io.File">
+                        <constructor-arg value="path/to/output"/>
+                    </bean>
+                </property>
+                <property name="nameTransformer">
+                    <bean parent="mda.SHA1StringTransformer"/>
+                </property>
+            </bean>
+        </property>
+    </bean>
+
+    <!-- Next we define a pipeline with all the stages in it -->
+    <bean id="main" parent="mda.SimplePipeline">
+        <property name="id" value="main"/>
+        <property name="stages">
+            <list>
+                <ref bean="source"/>
+                <ref bean="disassembleEntitiesDescriptor"/>
+                <ref bean="populateItemIds"/>
+                <ref bean="generateContentReferenceId"/>
+                <ref bean="signMetadata"/>
+                <ref bean="serialize"/>
+            </list>
+        </property>
+    </bean>
+</beans>
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/run-all-examples.sh b/tools/mda-distribution-0.10.0/doc/wiki/run-all-examples.sh
new file mode 100755
index 00000000..ee88515c
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/run-all-examples.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/sh
+
+set -e
+
+./make-keys.sh
+
+rm -rf softhsm/*
+source ./setup-softhsm.sh
+
+echo Aggregate and Sign...
+mda.sh aggregate-and-sign.xml main
+echo Filter Aggregate...
+mda.sh filter-aggregate.xml main
+echo Aggregate and Republish...
+mda.sh aggregate-and-republish.xml main
+echo Sign Using Token...
+mda.sh sign-using-token.xml main
+echo Per-entity metadata...
+mda.sh per-entity.xml main
+echo Discovery feed...
+mda.sh discofeed.xml main
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/setup-softhsm.sh b/tools/mda-distribution-0.10.0/doc/wiki/setup-softhsm.sh
new file mode 100755
index 00000000..19e59fbe
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/setup-softhsm.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/sh
+
+# Clear any previous softhsm setup
+rm -rf softhsm
+mkdir -p softhsm/tokens
+
+# Create configuration file
+export SOFTHSM2_CONF=$PWD/softhsm/softhsm2.conf
+echo "directories.tokendir = $PWD/softhsm/tokens" >$SOFTHSM2_CONF
+
+# Initialise the token
+softhsm2-util --init-token --slot 0 --label "test" \
+    --so-pin 1234 \
+    --pin 12341234
+
+# Load the credential
+keytool -importkeystore --addprovider SunPKCS11 -providerarg path/to/input/pkcs11-softhsm.cfg \
+    -srcstoretype pkcs12 -srckeystore path/to/secrets/self-signed.p12 -srcstorepass password \
+    -deststoretype PKCS11 -destkeystore NONE -deststorepass 12341234
+
+keytool -list --addprovider SunPKCS11 -providerarg path/to/input/pkcs11-softhsm.cfg \
+    -storetype PKCS11 -keystore NONE -storepass 12341234
diff --git a/tools/mda-distribution-0.10.0/doc/wiki/sign-using-token.xml b/tools/mda-distribution-0.10.0/doc/wiki/sign-using-token.xml
new file mode 100644
index 00000000..2c0f9095
--- /dev/null
+++ b/tools/mda-distribution-0.10.0/doc/wiki/sign-using-token.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans default-init-method="initialize"
+       xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+
+    <!-- Import the Standard bean definition resource. -->
+    <!-- See https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/3162439683/Standard+bean+definition+resource -->
+    <import resource="classpath:net/shibboleth/metadata/beans.xml"/>
+
+    <!-- First, we define the stages for our pipeline -->
+    <bean id="source" parent="mda.DOMFilesystemSourceStage">
+        <property name="id" value="source"/>
+        <property name="parserPool">
+            <bean parent="mda.BasicParserPool"/>
+        </property>
+        <property name="source">
+            <bean class="java.io.File">
+                <constructor-arg value="path/to/input/aggregate.xml"/>
+            </bean>
+        </property>
+    </bean>
+
+    <bean id="generateContentReferenceId" parent="mda.GenerateIdStage">
+        <property name="id" value="generateContentReferenceId" />
+    </bean>
+
+    <bean id="signMetadata" parent="mda.XMLSignatureSigningStage">
+        <property name="id" value="signMetadata"/>
+        <property name="certificates">
+            <bean parent="mda.X509CertificateFactoryBean">
+                <property name="resource" value="file:path/to/secrets/self-signed.pem"/>
+            </bean>
+        </property>
+        <property name="privateKey">
+            <bean parent="mda.PKCS11PrivateKeyFactoryBean">
+                <property name="pkcs11Config" value="path/to/input/pkcs11-softhsm.cfg"/>
+                <property name="keyPassword" value="12341234"/>
+                <property name="keyAlias" value="key10"/>
+            </bean>
+        </property>
+    </bean>
+
+    <bean id="serialize" parent="mda.SerializationStage">
+        <property name="id" value="serializeIdPs"/>
+        <property name="outputFile">
+            <bean class="java.io.File">
+                <constructor-arg value="path/to/output/signed-with-token.xml"/>
+            </bean>
+        </property>
+        <property name="serializer">
+            <bean id="domSerializer" parent="mda.DOMElementSerializer"/>
+        </property>
+    </bean>
+
+    <!-- Next we define a pipeline with all the stages in it -->
+    <bean id="main" parent="mda.SimplePipeline">
+        <property name="id" value="main"/>
+        <property name="stages">
+            <list>
+                <ref bean="source"/>
+                <ref bean="generateContentReferenceId" />
+                <ref bean="signMetadata"/>
+                <ref bean="serialize" />
+            </list>
+        </property>
+    </bean>
+
+</beans>
diff --git a/tools/mda-distribution-0.10.0/lib/bcpkix-jdk18on-1.77.jar b/tools/mda-distribution-0.10.0/lib/bcpkix-jdk18on-1.77.jar
new file mode 100644
index 00000000..e8b6021a
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/bcpkix-jdk18on-1.77.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/bcprov-jdk18on-1.77.jar b/tools/mda-distribution-0.10.0/lib/bcprov-jdk18on-1.77.jar
new file mode 100644
index 00000000..651d2fba
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/bcprov-jdk18on-1.77.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/bcutil-jdk18on-1.77.jar b/tools/mda-distribution-0.10.0/lib/bcutil-jdk18on-1.77.jar
new file mode 100644
index 00000000..4c154e27
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/bcutil-jdk18on-1.77.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/checker-qual-3.41.0.jar b/tools/mda-distribution-0.10.0/lib/checker-qual-3.41.0.jar
new file mode 100644
index 00000000..17a85a13
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/checker-qual-3.41.0.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/commons-codec-1.16.1.jar b/tools/mda-distribution-0.10.0/lib/commons-codec-1.16.1.jar
new file mode 100644
index 00000000..f8966497
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/commons-codec-1.16.1.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/cryptacular-1.2.6.jar b/tools/mda-distribution-0.10.0/lib/cryptacular-1.2.6.jar
new file mode 100644
index 00000000..2a30d708
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/cryptacular-1.2.6.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/error_prone_annotations-2.23.0.jar b/tools/mda-distribution-0.10.0/lib/error_prone_annotations-2.23.0.jar
new file mode 100644
index 00000000..c0f20d8a
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/error_prone_annotations-2.23.0.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/failureaccess-1.0.2.jar b/tools/mda-distribution-0.10.0/lib/failureaccess-1.0.2.jar
new file mode 100644
index 00000000..d73ab80b
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/failureaccess-1.0.2.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/guava-33.0.0-jre.jar b/tools/mda-distribution-0.10.0/lib/guava-33.0.0-jre.jar
new file mode 100644
index 00000000..e42ef633
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/guava-33.0.0-jre.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/httpclient5-5.3.1.jar b/tools/mda-distribution-0.10.0/lib/httpclient5-5.3.1.jar
new file mode 100644
index 00000000..1cf795c4
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/httpclient5-5.3.1.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/httpclient5-cache-5.3.1.jar b/tools/mda-distribution-0.10.0/lib/httpclient5-cache-5.3.1.jar
new file mode 100644
index 00000000..5df65899
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/httpclient5-cache-5.3.1.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/httpcore5-5.2.4.jar b/tools/mda-distribution-0.10.0/lib/httpcore5-5.2.4.jar
new file mode 100644
index 00000000..da9c6e5f
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/httpcore5-5.2.4.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/httpcore5-h2-5.2.4.jar b/tools/mda-distribution-0.10.0/lib/httpcore5-h2-5.2.4.jar
new file mode 100644
index 00000000..5b598dd0
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/httpcore5-h2-5.2.4.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/j2objc-annotations-2.8.jar b/tools/mda-distribution-0.10.0/lib/j2objc-annotations-2.8.jar
new file mode 100644
index 00000000..3595c4f9
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/j2objc-annotations-2.8.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/jakarta.json-2.0.1.jar b/tools/mda-distribution-0.10.0/lib/jakarta.json-2.0.1.jar
new file mode 100644
index 00000000..e6d094a3
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/jakarta.json-2.0.1.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/jcommander-1.81.jar b/tools/mda-distribution-0.10.0/lib/jcommander-1.81.jar
new file mode 100644
index 00000000..699c543e
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/jcommander-1.81.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/jsr305-3.0.2.jar b/tools/mda-distribution-0.10.0/lib/jsr305-3.0.2.jar
new file mode 100644
index 00000000..59222d9c
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/jsr305-3.0.2.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar b/tools/mda-distribution-0.10.0/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
new file mode 100644
index 00000000..45832c05
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/logback-classic-1.5.3.jar b/tools/mda-distribution-0.10.0/lib/logback-classic-1.5.3.jar
new file mode 100644
index 00000000..9bfbe41d
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/logback-classic-1.5.3.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/logback-core-1.5.3.jar b/tools/mda-distribution-0.10.0/lib/logback-core-1.5.3.jar
new file mode 100644
index 00000000..3c82e610
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/logback-core-1.5.3.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/mda-cli-0.10.0.jar b/tools/mda-distribution-0.10.0/lib/mda-cli-0.10.0.jar
new file mode 100644
index 00000000..f5bb18d8
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/mda-cli-0.10.0.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/mda-framework-0.10.0.jar b/tools/mda-distribution-0.10.0/lib/mda-framework-0.10.0.jar
new file mode 100644
index 00000000..a7d38482
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/mda-framework-0.10.0.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/mda-keylists-rsa-0.10.0.jar b/tools/mda-distribution-0.10.0/lib/mda-keylists-rsa-0.10.0.jar
new file mode 100644
index 00000000..a3df0063
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/mda-keylists-rsa-0.10.0.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/mda-keylists-rsa-legacy-0.10.0.jar b/tools/mda-distribution-0.10.0/lib/mda-keylists-rsa-legacy-0.10.0.jar
new file mode 100644
index 00000000..1b6fe85b
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/mda-keylists-rsa-legacy-0.10.0.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/micrometer-commons-1.12.5.jar b/tools/mda-distribution-0.10.0/lib/micrometer-commons-1.12.5.jar
new file mode 100644
index 00000000..27a96a91
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/micrometer-commons-1.12.5.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/micrometer-observation-1.12.5.jar b/tools/mda-distribution-0.10.0/lib/micrometer-observation-1.12.5.jar
new file mode 100644
index 00000000..c6deecb7
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/micrometer-observation-1.12.5.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/shib-networking-9.1.2.jar b/tools/mda-distribution-0.10.0/lib/shib-networking-9.1.2.jar
new file mode 100644
index 00000000..e48ea98a
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/shib-networking-9.1.2.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/shib-networking-spring-9.1.2.jar b/tools/mda-distribution-0.10.0/lib/shib-networking-spring-9.1.2.jar
new file mode 100644
index 00000000..588d8ab5
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/shib-networking-spring-9.1.2.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/shib-security-9.1.2.jar b/tools/mda-distribution-0.10.0/lib/shib-security-9.1.2.jar
new file mode 100644
index 00000000..1a07e28a
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/shib-security-9.1.2.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/shib-security-spring-9.1.2.jar b/tools/mda-distribution-0.10.0/lib/shib-security-spring-9.1.2.jar
new file mode 100644
index 00000000..b8bd72b0
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/shib-security-spring-9.1.2.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/shib-spring-9.1.2.jar b/tools/mda-distribution-0.10.0/lib/shib-spring-9.1.2.jar
new file mode 100644
index 00000000..45efad9a
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/shib-spring-9.1.2.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/shib-support-9.1.2.jar b/tools/mda-distribution-0.10.0/lib/shib-support-9.1.2.jar
new file mode 100644
index 00000000..3063efc8
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/shib-support-9.1.2.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/slf4j-api-2.0.12.jar b/tools/mda-distribution-0.10.0/lib/slf4j-api-2.0.12.jar
new file mode 100644
index 00000000..bfa1de39
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/slf4j-api-2.0.12.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/spring-aop-6.1.6.jar b/tools/mda-distribution-0.10.0/lib/spring-aop-6.1.6.jar
new file mode 100644
index 00000000..2cbe8904
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/spring-aop-6.1.6.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/spring-beans-6.1.6.jar b/tools/mda-distribution-0.10.0/lib/spring-beans-6.1.6.jar
new file mode 100644
index 00000000..bcfa3c6e
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/spring-beans-6.1.6.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/spring-context-6.1.6.jar b/tools/mda-distribution-0.10.0/lib/spring-context-6.1.6.jar
new file mode 100644
index 00000000..750b3a69
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/spring-context-6.1.6.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/spring-core-6.1.6.jar b/tools/mda-distribution-0.10.0/lib/spring-core-6.1.6.jar
new file mode 100644
index 00000000..c6b70253
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/spring-core-6.1.6.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/spring-expression-6.1.6.jar b/tools/mda-distribution-0.10.0/lib/spring-expression-6.1.6.jar
new file mode 100644
index 00000000..a649814b
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/spring-expression-6.1.6.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/spring-jcl-6.1.6.jar b/tools/mda-distribution-0.10.0/lib/spring-jcl-6.1.6.jar
new file mode 100644
index 00000000..14c446a7
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/spring-jcl-6.1.6.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/spring-web-6.1.6.jar b/tools/mda-distribution-0.10.0/lib/spring-web-6.1.6.jar
new file mode 100644
index 00000000..67f06e02
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/spring-web-6.1.6.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/spring-webmvc-6.1.6.jar b/tools/mda-distribution-0.10.0/lib/spring-webmvc-6.1.6.jar
new file mode 100644
index 00000000..b55874a0
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/spring-webmvc-6.1.6.jar differ
diff --git a/tools/mda-distribution-0.10.0/lib/xmlsec-3.0.3.jar b/tools/mda-distribution-0.10.0/lib/xmlsec-3.0.3.jar
new file mode 100644
index 00000000..8ffd06e4
Binary files /dev/null and b/tools/mda-distribution-0.10.0/lib/xmlsec-3.0.3.jar differ
diff --git a/tools/aggregator-cli-0.9.2/mda.bat b/tools/mda-distribution-0.10.0/mda.bat
similarity index 91%
rename from tools/aggregator-cli-0.9.2/mda.bat
rename to tools/mda-distribution-0.10.0/mda.bat
index 4a45a12f..8dcfdab3 100755
--- a/tools/aggregator-cli-0.9.2/mda.bat
+++ b/tools/mda-distribution-0.10.0/mda.bat
@@ -1,49 +1,49 @@
-@echo off
-setlocal
-
-REM We need a JVM
-if not defined JAVA_HOME  (
-  echo Error: JAVA_HOME is not defined.
-  exit /b
-)
-
-if not defined JAVACMD (
-  set JAVACMD="%JAVA_HOME%\bin\java.exe"
-)
-
-if not exist %JAVACMD% (
-  echo Error: JAVA_HOME is not defined correctly.
-  echo Cannot execute %JAVACMD%
-  exit /b
-)
-
-if defined CLASSPATH (
-  set LOCALCLASSPATH=%CLASSPATH%
-)
-
-if not defined MDA_HOME  (
-  echo Error: MDA_HOME is not defined.
-  exit /b
-)
-
-if not exist "%MDA_HOME%" (
-  echo Error: MDA_HOME is not defined correctly.
-  exit /b
-)
-
-REM add in the dependency .jar files
-for %%i in ("%MDA_HOME%\lib\*.jar") do (
-    call "%MDA_HOME%\cpappend.bat" %%i
-)
-
-if exist %JAVA_HOME%\lib\tools.jar (
-    set LOCALCLASSPATH=%LOCALCLASSPATH%;%JAVA_HOME%\lib\tools.jar
-)
-
-if exist %JAVA_HOME%\lib\classes.zip (
-    set LOCALCLASSPATH=%LOCALCLASSPATH%;%JAVA_HOME%\lib\classes.zip
-)
-
-REM Go to it !
-
-%JAVACMD% -classpath "%LOCALCLASSPATH%" %JVMOPTS% net.shibboleth.metadata.cli.SimpleCommandLine %*
\ No newline at end of file
+@echo off
+setlocal
+
+REM We need a JVM
+if not defined JAVA_HOME  (
+  echo Error: JAVA_HOME is not defined.
+  exit /b
+)
+
+if not defined JAVACMD (
+  set JAVACMD="%JAVA_HOME%\bin\java.exe"
+)
+
+if not exist %JAVACMD% (
+  echo Error: JAVA_HOME is not defined correctly.
+  echo Cannot execute %JAVACMD%
+  exit /b
+)
+
+if defined CLASSPATH (
+  set LOCALCLASSPATH=%CLASSPATH%
+)
+
+if not defined MDA_HOME  (
+  echo Error: MDA_HOME is not defined.
+  exit /b
+)
+
+if not exist "%MDA_HOME%" (
+  echo Error: MDA_HOME is not defined correctly.
+  exit /b
+)
+
+REM add in the dependency .jar files
+for %%i in ("%MDA_HOME%\lib\*.jar") do (
+    call "%MDA_HOME%\cpappend.bat" %%i
+)
+
+if exist %JAVA_HOME%\lib\tools.jar (
+    set LOCALCLASSPATH=%LOCALCLASSPATH%;%JAVA_HOME%\lib\tools.jar
+)
+
+if exist %JAVA_HOME%\lib\classes.zip (
+    set LOCALCLASSPATH=%LOCALCLASSPATH%;%JAVA_HOME%\lib\classes.zip
+)
+
+REM Go to it !
+
+%JAVACMD% -classpath "%LOCALCLASSPATH%" %JVMOPTS% net.shibboleth.metadata.cli.SimpleCommandLine %*
diff --git a/tools/aggregator-cli-0.9.2/mda.sh b/tools/mda-distribution-0.10.0/mda.sh
similarity index 96%
rename from tools/aggregator-cli-0.9.2/mda.sh
rename to tools/mda-distribution-0.10.0/mda.sh
index 3313ad9e..bd8abdce 100755
--- a/tools/aggregator-cli-0.9.2/mda.sh
+++ b/tools/mda-distribution-0.10.0/mda.sh
@@ -41,4 +41,4 @@ do
     fi
 done
 
-"$JAVACMD" '-classpath' "$LOCALCLASSPATH" $JVMOPTS 'net.shibboleth.metadata.cli.SimpleCommandLine' "$@"
\ No newline at end of file
+"$JAVACMD" '-classpath' "$LOCALCLASSPATH" $JVMOPTS 'net.shibboleth.metadata.cli.SimpleCommandLine' "$@"
diff --git a/tools/ukf-mda/jakarta.json-1.1.6.jar b/tools/ukf-mda/jakarta.json-1.1.6.jar
deleted file mode 100644
index 1f330765..00000000
Binary files a/tools/ukf-mda/jakarta.json-1.1.6.jar and /dev/null differ
diff --git a/tools/ukf-mda/ukf-mda-0.10.0.jar b/tools/ukf-mda/ukf-mda-0.10.0.jar
new file mode 100644
index 00000000..e22bfac0
Binary files /dev/null and b/tools/ukf-mda/ukf-mda-0.10.0.jar differ
diff --git a/tools/ukf-mda/ukf-mda-0.9.11.jar b/tools/ukf-mda/ukf-mda-0.9.11.jar
deleted file mode 100644
index b1d4025a..00000000
Binary files a/tools/ukf-mda/ukf-mda-0.9.11.jar and /dev/null differ
diff --git a/tools/ukf-mda/ukf-members-1.5.0.jar b/tools/ukf-mda/ukf-members-1.5.0.jar
deleted file mode 100644
index d56bb28d..00000000
Binary files a/tools/ukf-mda/ukf-members-1.5.0.jar and /dev/null differ
diff --git a/tools/ukf-mda/ukf-members-2.0.0.jar b/tools/ukf-mda/ukf-members-2.0.0.jar
new file mode 100644
index 00000000..1268dfc2
Binary files /dev/null and b/tools/ukf-mda/ukf-members-2.0.0.jar differ
diff --git a/tools/xalan/impl/serializer-2.11.0.jar b/tools/xalan/impl/serializer-2.11.0.jar
deleted file mode 100644
index de9b007b..00000000
Binary files a/tools/xalan/impl/serializer-2.11.0.jar and /dev/null differ
diff --git a/tools/xalan/impl/serializer-2.7.3.jar b/tools/xalan/impl/serializer-2.7.3.jar
new file mode 100644
index 00000000..47f75d3a
Binary files /dev/null and b/tools/xalan/impl/serializer-2.7.3.jar differ
diff --git a/tools/xalan/impl/xalan-2.7.1.jar b/tools/xalan/impl/xalan-2.7.1.jar
deleted file mode 100644
index 458fa73d..00000000
Binary files a/tools/xalan/impl/xalan-2.7.1.jar and /dev/null differ
diff --git a/tools/xalan/impl/xalan-2.7.3.jar b/tools/xalan/impl/xalan-2.7.3.jar
new file mode 100644
index 00000000..70854808
Binary files /dev/null and b/tools/xalan/impl/xalan-2.7.3.jar differ
diff --git a/tools/xalan/impl/xercesImpl-2.11.0.jar b/tools/xalan/impl/xercesImpl-2.11.0.jar
deleted file mode 100644
index 0aaa990f..00000000
Binary files a/tools/xalan/impl/xercesImpl-2.11.0.jar and /dev/null differ
diff --git a/tools/xalan/impl/xml-apis-2.11.0.jar b/tools/xalan/impl/xml-apis-2.11.0.jar
deleted file mode 100644
index 46733464..00000000
Binary files a/tools/xalan/impl/xml-apis-2.11.0.jar and /dev/null differ
diff --git a/tools/xalan/impl/xml-resolver-1.2.jar b/tools/xalan/impl/xml-resolver-1.2.jar
deleted file mode 100644
index e535bdc0..00000000
Binary files a/tools/xalan/impl/xml-resolver-1.2.jar and /dev/null differ
diff --git a/tools/xalan/lib/joda-time-1.6.jar b/tools/xalan/lib/joda-time-1.6.jar
deleted file mode 100644
index 68068a4b..00000000
Binary files a/tools/xalan/lib/joda-time-1.6.jar and /dev/null differ
diff --git a/tools/xalan/lib/sdss-xalan-md-1.1.5.jar b/tools/xalan/lib/sdss-xalan-md-1.1.5.jar
deleted file mode 100644
index eba7cfdd..00000000
Binary files a/tools/xalan/lib/sdss-xalan-md-1.1.5.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/bcprov-jdk15on-1.53.jar b/tools/xmlsectool-2.0.0/lib/bcprov-jdk15on-1.53.jar
deleted file mode 100644
index c9fbafba..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/bcprov-jdk15on-1.53.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/commons-codec-1.10.jar b/tools/xmlsectool-2.0.0/lib/commons-codec-1.10.jar
deleted file mode 100644
index 1d7417c4..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/commons-codec-1.10.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/cryptacular-1.0.jar b/tools/xmlsectool-2.0.0/lib/cryptacular-1.0.jar
deleted file mode 100644
index 0b8abab6..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/cryptacular-1.0.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/guava-18.0.jar b/tools/xmlsectool-2.0.0/lib/guava-18.0.jar
deleted file mode 100644
index 8f89e490..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/guava-18.0.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/httpclient-4.3.6.jar b/tools/xmlsectool-2.0.0/lib/httpclient-4.3.6.jar
deleted file mode 100644
index 091498c9..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/httpclient-4.3.6.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/httpcore-4.3.3.jar b/tools/xmlsectool-2.0.0/lib/httpcore-4.3.3.jar
deleted file mode 100644
index a8747b0c..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/httpcore-4.3.3.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/java-support-7.2.0.jar b/tools/xmlsectool-2.0.0/lib/java-support-7.2.0.jar
deleted file mode 100644
index f4be76a1..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/java-support-7.2.0.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/jcl-over-slf4j-1.7.12.jar b/tools/xmlsectool-2.0.0/lib/jcl-over-slf4j-1.7.12.jar
deleted file mode 100644
index 64ec66f2..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/jcl-over-slf4j-1.7.12.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/jcommander-1.48.jar b/tools/xmlsectool-2.0.0/lib/jcommander-1.48.jar
deleted file mode 100644
index ad0a12c9..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/jcommander-1.48.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/joda-time-2.9.jar b/tools/xmlsectool-2.0.0/lib/joda-time-2.9.jar
deleted file mode 100644
index 340af06a..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/joda-time-2.9.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/jsr305-3.0.1.jar b/tools/xmlsectool-2.0.0/lib/jsr305-3.0.1.jar
deleted file mode 100644
index 021df892..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/jsr305-3.0.1.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/logback-classic-1.1.3.jar b/tools/xmlsectool-2.0.0/lib/logback-classic-1.1.3.jar
deleted file mode 100644
index c5ecdeb5..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/logback-classic-1.1.3.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/logback-core-1.1.3.jar b/tools/xmlsectool-2.0.0/lib/logback-core-1.1.3.jar
deleted file mode 100644
index c776e4a0..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/logback-core-1.1.3.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/opensaml-core-3.2.0.jar b/tools/xmlsectool-2.0.0/lib/opensaml-core-3.2.0.jar
deleted file mode 100644
index 5de45828..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/opensaml-core-3.2.0.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/opensaml-messaging-api-3.2.0.jar b/tools/xmlsectool-2.0.0/lib/opensaml-messaging-api-3.2.0.jar
deleted file mode 100644
index 07e4689a..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/opensaml-messaging-api-3.2.0.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/opensaml-security-api-3.2.0.jar b/tools/xmlsectool-2.0.0/lib/opensaml-security-api-3.2.0.jar
deleted file mode 100644
index 9f0bc71f..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/opensaml-security-api-3.2.0.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/opensaml-security-impl-3.2.0.jar b/tools/xmlsectool-2.0.0/lib/opensaml-security-impl-3.2.0.jar
deleted file mode 100644
index 59af529a..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/opensaml-security-impl-3.2.0.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/opensaml-xmlsec-api-3.2.0.jar b/tools/xmlsectool-2.0.0/lib/opensaml-xmlsec-api-3.2.0.jar
deleted file mode 100644
index 85673b9c..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/opensaml-xmlsec-api-3.2.0.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/opensaml-xmlsec-impl-3.2.0.jar b/tools/xmlsectool-2.0.0/lib/opensaml-xmlsec-impl-3.2.0.jar
deleted file mode 100644
index 2e8afc5c..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/opensaml-xmlsec-impl-3.2.0.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/slf4j-api-1.7.12.jar b/tools/xmlsectool-2.0.0/lib/slf4j-api-1.7.12.jar
deleted file mode 100644
index 51e2fad1..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/slf4j-api-1.7.12.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/stax-api-1.0-2.jar b/tools/xmlsectool-2.0.0/lib/stax-api-1.0-2.jar
deleted file mode 100644
index 015169dc..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/stax-api-1.0-2.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/stax2-api-3.1.4.jar b/tools/xmlsectool-2.0.0/lib/stax2-api-3.1.4.jar
deleted file mode 100644
index dded0369..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/stax2-api-3.1.4.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/woodstox-core-asl-4.4.1.jar b/tools/xmlsectool-2.0.0/lib/woodstox-core-asl-4.4.1.jar
deleted file mode 100644
index d8b4e8cf..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/woodstox-core-asl-4.4.1.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/xmlsec-2.0.5.jar b/tools/xmlsectool-2.0.0/lib/xmlsec-2.0.5.jar
deleted file mode 100644
index 9bc7db6c..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/xmlsec-2.0.5.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/lib/xmlsectool-2.0.0.jar b/tools/xmlsectool-2.0.0/lib/xmlsectool-2.0.0.jar
deleted file mode 100644
index e163552d..00000000
Binary files a/tools/xmlsectool-2.0.0/lib/xmlsectool-2.0.0.jar and /dev/null differ
diff --git a/tools/xmlsectool-2.0.0/doc/LICENSE.txt b/tools/xmlsectool-3.0.0/doc/LICENSE.txt
similarity index 100%
rename from tools/xmlsectool-2.0.0/doc/LICENSE.txt
rename to tools/xmlsectool-3.0.0/doc/LICENSE.txt
diff --git a/tools/xmlsectool-2.0.0/doc/xmlsectool.patch b/tools/xmlsectool-3.0.0/doc/xmlsectool.patch
similarity index 100%
rename from tools/xmlsectool-2.0.0/doc/xmlsectool.patch
rename to tools/xmlsectool-3.0.0/doc/xmlsectool.patch
diff --git a/tools/xmlsectool-2.0.0/doc/xmlsectool.spec b/tools/xmlsectool-3.0.0/doc/xmlsectool.spec
similarity index 100%
rename from tools/xmlsectool-2.0.0/doc/xmlsectool.spec
rename to tools/xmlsectool-3.0.0/doc/xmlsectool.spec
diff --git a/tools/xmlsectool-3.0.0/lib/bcpkix-jdk15on-1.67.jar b/tools/xmlsectool-3.0.0/lib/bcpkix-jdk15on-1.67.jar
new file mode 100644
index 00000000..402d108c
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/bcpkix-jdk15on-1.67.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/bcprov-jdk15on-1.67.jar b/tools/xmlsectool-3.0.0/lib/bcprov-jdk15on-1.67.jar
new file mode 100644
index 00000000..94aae290
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/bcprov-jdk15on-1.67.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/checker-qual-3.5.0.jar b/tools/xmlsectool-3.0.0/lib/checker-qual-3.5.0.jar
new file mode 100644
index 00000000..f98cde8b
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/checker-qual-3.5.0.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/commons-codec-1.15.jar b/tools/xmlsectool-3.0.0/lib/commons-codec-1.15.jar
new file mode 100644
index 00000000..f14985ac
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/commons-codec-1.15.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/cryptacular-1.2.4.jar b/tools/xmlsectool-3.0.0/lib/cryptacular-1.2.4.jar
new file mode 100644
index 00000000..06214161
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/cryptacular-1.2.4.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/error_prone_annotations-2.3.4.jar b/tools/xmlsectool-3.0.0/lib/error_prone_annotations-2.3.4.jar
new file mode 100644
index 00000000..c9bea2ab
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/error_prone_annotations-2.3.4.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/failureaccess-1.0.1.jar b/tools/xmlsectool-3.0.0/lib/failureaccess-1.0.1.jar
new file mode 100644
index 00000000..9b56dc75
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/failureaccess-1.0.1.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/guava-30.0-jre.jar b/tools/xmlsectool-3.0.0/lib/guava-30.0-jre.jar
new file mode 100644
index 00000000..f3a78184
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/guava-30.0-jre.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/httpclient-4.5.13.jar b/tools/xmlsectool-3.0.0/lib/httpclient-4.5.13.jar
new file mode 100644
index 00000000..218ee25f
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/httpclient-4.5.13.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/httpcore-4.4.13.jar b/tools/xmlsectool-3.0.0/lib/httpcore-4.4.13.jar
new file mode 100644
index 00000000..163dc438
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/httpcore-4.4.13.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/istack-commons-runtime-3.0.11.jar b/tools/xmlsectool-3.0.0/lib/istack-commons-runtime-3.0.11.jar
new file mode 100644
index 00000000..c6aa5d2b
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/istack-commons-runtime-3.0.11.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/j2objc-annotations-1.3.jar b/tools/xmlsectool-3.0.0/lib/j2objc-annotations-1.3.jar
new file mode 100644
index 00000000..a429c721
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/j2objc-annotations-1.3.jar differ
diff --git a/tools/lib/jakarta.activation-1.2.2.jar b/tools/xmlsectool-3.0.0/lib/jakarta.activation-1.2.2.jar
similarity index 100%
rename from tools/lib/jakarta.activation-1.2.2.jar
rename to tools/xmlsectool-3.0.0/lib/jakarta.activation-1.2.2.jar
diff --git a/tools/xmlsectool-3.0.0/lib/jakarta.xml.bind-api-2.3.3.jar b/tools/xmlsectool-3.0.0/lib/jakarta.xml.bind-api-2.3.3.jar
new file mode 100644
index 00000000..b8c7dc1e
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/jakarta.xml.bind-api-2.3.3.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/java-support-8.1.0.jar b/tools/xmlsectool-3.0.0/lib/java-support-8.1.0.jar
new file mode 100644
index 00000000..0f497ab0
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/java-support-8.1.0.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/jaxb-runtime-2.3.3.jar b/tools/xmlsectool-3.0.0/lib/jaxb-runtime-2.3.3.jar
new file mode 100644
index 00000000..f950209c
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/jaxb-runtime-2.3.3.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/jcl-over-slf4j-1.7.30.jar b/tools/xmlsectool-3.0.0/lib/jcl-over-slf4j-1.7.30.jar
new file mode 100644
index 00000000..44e9f639
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/jcl-over-slf4j-1.7.30.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/jcommander-1.78.jar b/tools/xmlsectool-3.0.0/lib/jcommander-1.78.jar
new file mode 100644
index 00000000..1d586730
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/jcommander-1.78.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/jsr305-3.0.2.jar b/tools/xmlsectool-3.0.0/lib/jsr305-3.0.2.jar
new file mode 100644
index 00000000..59222d9c
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/jsr305-3.0.2.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar b/tools/xmlsectool-3.0.0/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
new file mode 100644
index 00000000..45832c05
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/logback-classic-1.2.3.jar b/tools/xmlsectool-3.0.0/lib/logback-classic-1.2.3.jar
new file mode 100644
index 00000000..bed00c0a
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/logback-classic-1.2.3.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/logback-core-1.2.3.jar b/tools/xmlsectool-3.0.0/lib/logback-core-1.2.3.jar
new file mode 100644
index 00000000..487b3956
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/logback-core-1.2.3.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/metrics-core-4.1.14.jar b/tools/xmlsectool-3.0.0/lib/metrics-core-4.1.14.jar
new file mode 100644
index 00000000..23026b9a
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/metrics-core-4.1.14.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/opensaml-core-4.0.1.jar b/tools/xmlsectool-3.0.0/lib/opensaml-core-4.0.1.jar
new file mode 100644
index 00000000..8477e567
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/opensaml-core-4.0.1.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/opensaml-messaging-api-4.0.1.jar b/tools/xmlsectool-3.0.0/lib/opensaml-messaging-api-4.0.1.jar
new file mode 100644
index 00000000..2764fbcb
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/opensaml-messaging-api-4.0.1.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/opensaml-security-api-4.0.1.jar b/tools/xmlsectool-3.0.0/lib/opensaml-security-api-4.0.1.jar
new file mode 100644
index 00000000..ea158a8b
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/opensaml-security-api-4.0.1.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/opensaml-security-impl-4.0.1.jar b/tools/xmlsectool-3.0.0/lib/opensaml-security-impl-4.0.1.jar
new file mode 100644
index 00000000..8835bcbf
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/opensaml-security-impl-4.0.1.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/opensaml-xmlsec-api-4.0.1.jar b/tools/xmlsectool-3.0.0/lib/opensaml-xmlsec-api-4.0.1.jar
new file mode 100644
index 00000000..39724a7c
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/opensaml-xmlsec-api-4.0.1.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/opensaml-xmlsec-impl-4.0.1.jar b/tools/xmlsectool-3.0.0/lib/opensaml-xmlsec-impl-4.0.1.jar
new file mode 100644
index 00000000..b9fb346a
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/opensaml-xmlsec-impl-4.0.1.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/slf4j-api-1.7.30.jar b/tools/xmlsectool-3.0.0/lib/slf4j-api-1.7.30.jar
new file mode 100644
index 00000000..29ac26fb
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/slf4j-api-1.7.30.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/txw2-2.3.3.jar b/tools/xmlsectool-3.0.0/lib/txw2-2.3.3.jar
new file mode 100644
index 00000000..363dd1b6
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/txw2-2.3.3.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/xmlsec-2.1.5.jar b/tools/xmlsectool-3.0.0/lib/xmlsec-2.1.5.jar
new file mode 100644
index 00000000..aca83b6d
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/xmlsec-2.1.5.jar differ
diff --git a/tools/xmlsectool-3.0.0/lib/xmlsectool-3.0.0.jar b/tools/xmlsectool-3.0.0/lib/xmlsectool-3.0.0.jar
new file mode 100644
index 00000000..37889268
Binary files /dev/null and b/tools/xmlsectool-3.0.0/lib/xmlsectool-3.0.0.jar differ
diff --git a/tools/xmlsectool-2.0.0/xmlsectool.sh b/tools/xmlsectool-3.0.0/xmlsectool.sh
similarity index 80%
rename from tools/xmlsectool-2.0.0/xmlsectool.sh
rename to tools/xmlsectool-3.0.0/xmlsectool.sh
index 3738e3ee..6abfca8a 100755
--- a/tools/xmlsectool-2.0.0/xmlsectool.sh
+++ b/tools/xmlsectool-3.0.0/xmlsectool.sh
@@ -1,7 +1,7 @@
 #! /bin/bash
 
 #
-# See the Javadoc for the XmlSecTool main class for documentation
+# See the Javadoc for the XMLSecTool main class for documentation
 # of non-zero exit codes.
 #
 
@@ -46,4 +46,4 @@ do
     fi
 done
 
-"$JAVACMD" '-Xmx256m' '-classpath' "$LOCALCLASSPATH" $JVMOPTS '-Dnet.shibboleth.tool.xmlsectool.XMLSecTool.home='"$LOCATION" 'net.shibboleth.tool.xmlsectool.XMLSecTool' "$@"
+"$JAVACMD" '-classpath' "$LOCALCLASSPATH" $JVMOPTS '-Dnet.shibboleth.tool.xmlsectool.XMLSecTool.home='"$LOCATION" 'net.shibboleth.tool.xmlsectool.XMLSecTool' "$@"
diff --git a/utilities/githooks/post-receive b/utilities/githooks/post-receive
index 52303df1..946104f4 100755
--- a/utilities/githooks/post-receive
+++ b/utilities/githooks/post-receive
@@ -11,11 +11,6 @@ apachemdqdir=/var/www/html/mdq.uou/entities
 # Set the location of the temporary mdq cache dir
 mdqcachedir=/tmp/mdqcache
 
-# Set the location of JSON discofeed files
-jsontempdir=/tmp
-discofeed=discofeed.json
-discofeedall=discofeed-all.json
-
 # This Git repo has had the latest stuff pushed to it, but it hasn't checked it out yet. So let's do it.
 git --work-tree=$gitdir --git-dir=$gitdir/.git checkout -f
 
@@ -27,12 +22,6 @@ do
 done
 echo "Done."
 
-# The JSON files should have been SCPed to /tmp and be sitting there happily.
-echo -n "Gzipping 2 JSON discofeed files..."
-gzip -9 < "${jsontempdir}/$discofeed" > "${jsontempdir}/${discofeed}.gz"
-gzip -9 < "${jsontempdir}/$discofeedall" > "${jsontempdir}/${discofeedall}.gz"
-echo "Done."
-
 # The MDQ cache should have been SCPed to /tmp and be sitting there happily.
 # First, we should untar it.
 echo -n "Untarring mdq cache... "
@@ -88,14 +77,12 @@ mtime=$(git --work-tree=$gitdir --git-dir=$gitdir/.git show $newrev --quiet --pr
 echo -n "Setting the timestamp on each file to that of the commit... "
 find $gitdir -regextype posix-extended -regex '.*\.(xml|gz)' -exec touch -d @$mtime {} \;
 find $mdqcachedir -exec touch -d @$mtime {} \;
-touch -d @$mtime ${jsontempdir}/$discofeed ${jsontempdir}/${discofeed}.gz ${jsontempdir}/$discofeedall ${jsontempdir}/${discofeedall}.gz
 echo "Done."
 
 # Put files into the correct directory
 echo -n "Rsyncing files to the appropriate apache directory... "
 rsync -at $gitdir/aggregates/*.{xml,gz} $apacheaggrdir
 rsync -at --delete $mdqcachedir/ $apachemdqdir
-rsync -at ${jsontempdir}/$discofeed ${jsontempdir}/${discofeed}.gz ${jsontempdir}/$discofeedall ${jsontempdir}/${discofeedall}.gz $apacheaggrdir
 echo "Done."
 
 # Remove the temporary files
diff --git a/utilities/stats-generate.sh b/utilities/stats-generate.sh
index 7017fed2..56824859 100755
--- a/utilities/stats-generate.sh
+++ b/utilities/stats-generate.sh
@@ -596,19 +596,6 @@ fi
 
 # ukf-meta issue 338: These have been removed and will be re-implemented in Splunk. See ukf-systems, issue 669
 
-
-# =====
-# Wugen stats
-# =====
-
-# Total WAYFless URLs generated
-#wugencount=$(grep $date $logslocation/wugen/urlgenerator-audit.* $logslocation/wugen/wayfless-url-generator-audit.* | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
-wugencount=$(grep -s $date $logslocation/wugen/wayfless-url-generator-process.* | grep "Returning wayfless url" | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
-
-# New subscribers to WAYFless URLs
-wugennewsubs=$(grep -s $date $logslocation/wugen/urlgenerator-process.* $logslocation/wugen/wayfless-url-generator-process.* | grep "Subscribing user and service provider" | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
-
-
 # =====
 # Test IdP stats
 # =====
@@ -695,7 +682,6 @@ if [[ "$timeperiod" == "day" ]]; then
     msg+=">-> $mdqminqueriesperip/$mdqavgqueriesperip/$mdqmaxqueriesperip min/avg/max queries per querying IP\n"
     msg+=">-> $mdqcountallentities queries for collection of all entities\n"
     msg+=">*CDS:* These have been removed and will be re-implemented in Splunk. See ukf-systems, issue 669\n"
-    msg+=">*Wugen:* $wugencount WAYFless URLs generated, $wugennewsubs new subscriptions.\n"
     msg+=">*Test IdP:* $testidplogincount logins to $testidpspcount SPs.\n"
     msg+=">*Test SP:* $testsplogincount logins from $testspidpcount IdPs.\n"
     msg+=">*Website:* $wwwaccesscountfriendly hits from $wwwaccessipcount unique IPs."
@@ -747,10 +733,6 @@ else
     msg+="Central Discovery Service:\n"
     msg+="These stats have been removed and will be re-implemented in Splunk. See ukf-systems, issue 669\n"
     msg+="\n-----\n"
-    msg+="Wugen:\n"
-    msg+="-> $wugencount WAYFless URLs generated\n"
-    msg+="-> $wugennewsubs new subscriptions.\n"
-    msg+="\n-----\n"
     msg+="Test IdP usage:\n"
     msg+="-> $testidplogincount logins to $testidpspcount SPs.\n"
     msg+="\n-> Logins per test user:\n"
diff --git a/utilities/stats-sync.sh b/utilities/stats-sync.sh
index be55d972..edfad417 100755
--- a/utilities/stats-sync.sh
+++ b/utilities/stats-sync.sh
@@ -15,30 +15,17 @@ rsync -at --exclude modsec* stats@md-ne-02:/var/log/httpd/* $logslocation/md/md-
 rsync -at --exclude modsec* stats@md-we-01:/var/log/httpd/* $logslocation/md/md-we-01/
 rsync -at --exclude modsec* stats@md-we-02:/var/log/httpd/* $logslocation/md/md-we-02/
 
-# Logs from CDS servers
-rsync -at --exclude modsec* stats@shibcds-ne-01:/var/log/httpd/* $logslocation/cds/shibcds-ne-01/
-rsync -at --exclude modsec* stats@shibcds-ne-02:/var/log/httpd/* $logslocation/cds/shibcds-ne-02/
-rsync -at --exclude modsec* stats@shibcds-we-01:/var/log/httpd/* $logslocation/cds/shibcds-we-01/
-rsync -at --exclude modsec* stats@shibcds-we-02:/var/log/httpd/* $logslocation/cds/shibcds-we-02/
-
 # Logs from websites
 rsync -at --exclude modsec* stats@www-ne-01:/var/log/httpd/* $logslocation/www/www-ne-01/
 rsync -at --exclude modsec* stats@www-we-01:/var/log/httpd/* $logslocation/www/www-we-01/
 
-# Logs from Wugen
-rsync -at stats@dockerpub-ne-01:./wugen/wayfless-* $logslocation/wugen/
-
 # Logs from Test IdP
 rsync -at --exclude modsec* stats@test-idp:/var/log/httpd/* $logslocation/test-idp/
 rsync -at stats@test-idp:/opt/shibboleth-idp/logs/idp-audit* $logslocation/test-idp/
 
-# Logs from Test SP
+# Logs from Test SP inaccessible once the Test SP migrated to 2024 infrastructure
 #
 # The Test SP has a cronjob to remove logs with PII > 30 days old, we replicate that in this script
-#
-rsync -at --exclude modsec* stats@test-sp:/var/log/httpd/* $logslocation/test-sp/
-rsync -at stats@test-sp:/var/log/shibboleth/shibd* $logslocation/test-sp/
-rsync -at stats@test-sp:/var/log/shibboleth/transaction* $logslocation/test-sp/
 find $logslocation/test-sp/ -type f -mtime +90 -delete
 
 # Exit happily
diff --git a/charting/just_ours.xsl b/utilities/thin_aggregate.xsl
similarity index 50%
rename from charting/just_ours.xsl
rename to utilities/thin_aggregate.xsl
index 3324d60f..eb10c24f 100644
--- a/charting/just_ours.xsl
+++ b/utilities/thin_aggregate.xsl
@@ -1,32 +1,21 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
+    thin_aggregate.xsl
 
-    just_ours.xsl
-
-    Remove SAML entities registered other than by the UK federation.
-
-    Leave in entities without registrationAuthority so that this still does
-    the right thing with older aggregates which don't have MDRPI metadata.
-
-    Author: Ian A. Young <ian@iay.org.uk>
-
+    Thins the input aggregate so that only 1% of the entities remain.
 -->
-<xsl:stylesheet version="1.0"
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+    xmlns:math="http://exslt.org/math">
 
     <!--
         Force UTF-8 encoding for the output.
     -->
     <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
 
-    <!--
-        Discard entities not registered by the UK federation.
-    -->
-    <xsl:template match="md:EntityDescriptor
-        [not(descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk')]">
-        <!-- do nothing -->
+    <!-- Discard most entities. -->
+    <xsl:template match="md:EntityDescriptor[math:random()>0.01]">
+        <!-- discard -->
     </xsl:template>
 
     <!--By default, copy text blocks, comments and attributes unchanged.-->