From 3b4b5cfd760bdf8881ba6c65b9d25f090758251b Mon Sep 17 00:00:00 2001
From: Dominic Martinez <dmartinez@unicon.net>
Date: Fri, 29 Aug 2025 08:10:41 -0700
Subject: [PATCH] TIDO-575 Add support for eduGAIN export aggregation testing
 (#24)

* Add local import with unsigned output test
* Add data/test for edugain report
* Add testing for signing export aggregate
---
 build.xml                                     |  41 +++
 mdx/incommon/import_local.xml                 | 305 ++++++++++++++++++
 mdx/incommon/report_local.xml                 |  94 ++++++
 mdx/incommon/sign_localkey.xml                | 271 ++++++++++++++++
 tests/incommon/data/test-edugain-metadata.xml |  88 +++++
 tests/incommon/data/test-incommon-export.xml  |  81 +++++
 ...=> consolidateIncommonAndEdugainSigned.sh} |   6 +-
 .../consolidateIncommonAndEdugainUnsigned.sh  |  54 ++++
 tests/incommon/scripts/edugainReport.sh       |  16 +
 tests/incommon/scripts/signIncommonExport.sh  |  27 ++
 10 files changed, 978 insertions(+), 5 deletions(-)
 create mode 100644 mdx/incommon/import_local.xml
 create mode 100644 mdx/incommon/report_local.xml
 create mode 100644 mdx/incommon/sign_localkey.xml
 create mode 100644 tests/incommon/data/test-incommon-export.xml
 rename tests/incommon/scripts/{consolidateIncommonAndEdugain.sh => consolidateIncommonAndEdugainSigned.sh} (86%)
 create mode 100755 tests/incommon/scripts/consolidateIncommonAndEdugainUnsigned.sh
 create mode 100755 tests/incommon/scripts/edugainReport.sh
 create mode 100755 tests/incommon/scripts/signIncommonExport.sh

diff --git a/build.xml b/build.xml
index 861a6fb..462a2c3 100644
--- a/build.xml
+++ b/build.xml
@@ -3056,6 +3056,20 @@
         <echo>Generation complete.</echo>
     </target>
 
+    <!--
+        inc.generate.import_local
+
+        Generate the InCommon import aggregate for local testing
+    -->
+    <target name="inc.generate.import_local">
+        <echo>Generating InCommon import aggregate in ${mda.inc.imported.xml}</echo>
+        <echo>    (IdP-only aggregate in ${mda.inc.imported-idp.xml})</echo>
+        <echo>    from production aggregate in ${mda.inc.production.xml}</echo>
+        <echo>    and selected eduGAIN entities from ${mda.inc.edugain.xml}...</echo>
+        <CHANNEL.do channel="incommon" verb="import_local"/>
+        <echo>Generation complete.</echo>
+    </target>
+
     <!--
 	inc.generate.import_sign
 
@@ -3111,6 +3125,21 @@
         <echo>Generation complete.</echo>
     </target>
 
+    <!--
+        inc.generate.sign_localkey
+
+        Sign an aggregate using a local key
+    -->
+    <target name="inc.generate.sign_localkey">
+        <property name="mda.sign.keyPassword" value="${sign.uk.keyPassword}"/>
+
+        <echo>Generating signed aggregate in ${mda.inc.imported.xml}</echo>
+        <echo>    from aggregate in ${mda.inc.production.xml}</echo>
+        <echo>    signed using a local key</echo>
+        <CHANNEL.do channel="incommon" verb="sign_localkey"/>
+        <echo>Generation complete.</echo>
+    </target>
+
     <!--
         inc.mdq.generate.localkey
 
@@ -3231,4 +3260,16 @@
         <echo>Report complete.</echo>
     </target>
 
+    <!--
+        inc.edugain.report_local
+
+        Report on the eduGAIN entities filtered out because of errors detected.
+        Used for local testing only
+    -->
+    <target name="inc.edugain.report_local">
+        <echo>Looking for errors in eduGAIN entities from ${mda.inc.edugain.xml}...</echo>
+        <CHANNEL.do channel="incommon" verb="report_local"/>
+        <echo>Report complete.</echo>
+    </target>
+
 </project>
diff --git a/mdx/incommon/import_local.xml b/mdx/incommon/import_local.xml
new file mode 100644
index 0000000..1f3356c
--- /dev/null
+++ b/mdx/incommon/import_local.xml
@@ -0,0 +1,305 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Construct InCommon eduGAIN import aggregate.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    default-lazy-init="true"
+    xmlns:c="http://www.springframework.org/schema/c"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+    <!--
+        Import commonly used beans.
+    -->
+    <import resource="classpath:common-beans.xml"/>
+
+    <!--
+        Import inc-mda beans.
+    -->
+    <import resource="classpath:uk/org/iay/incommon/mda/beans.xml"/>
+
+    <!--
+        Import channel-specific beans.
+    -->
+    <import resource="classpath:incommon/beans.xml"/>
+    <import resource="classpath:incommon/edugain-policy.xml"/>
+
+    <!--
+        Import eduGAIN channel beans.
+    -->
+    <import resource="classpath:int_edugain/beans.xml"/>
+
+    <!--
+        ***********************************************************
+        ***                                                     ***
+        ***   C O M M O N   O U T P U T   P R O C E S S I N G   ***
+        ***                                                     ***
+        ***********************************************************
+    -->
+
+    <bean id="common.output" parent="mda.CompositeStage">
+        <property name="stages">
+            <list>
+                <!-- Construct a new aggregate from the collection of entities. -->
+                <bean id="inc.assemble" parent="mda.EntitiesDescriptorAssemblerStage">
+                    <property name="itemOrderingStrategy">
+                        <bean parent="inc.InCommonEntityOrderingStrategy"
+                            c:_-ref="us_incommon_registrar"/>
+                    </property>
+                </bean>
+
+                <!-- Apply final tweaks to the aggregate. -->
+                <bean id="finalise" parent="incommon_finalise_parent">
+                    <property name="transformParameters">
+                        <map>
+                            <entry key="extraText" value="Contains InCommon and eduGAIN metadata"/>
+                            <entry key="publisher" value-ref="us_incommon_registrar"/>
+                            <entry key="validityDays" value="${validUntil.aggregate.days}"/>
+                            <entry key="now_ISO" value-ref="now_ISO"/>
+                            <entry key="now_local_ISO" value-ref="now_local_ISO"/>
+                            <entry key="valid_until_ISO" value-ref="validUntil_aggregate_ISO"/>
+                        </map>
+                    </property>
+                </bean>
+
+                <!-- Normalise the use of namespace prefixes in the resulting XML document. -->
+                <bean id="normalise" parent="mda.XSLTransformationStage"
+                    p:XSLResource="classpath:incommon/ns_norm_import.xsl"/>
+            </list>
+        </property>
+    </bean>
+
+
+    <!--
+        *****************************************
+        ***                                   ***
+        ***   I D P - O N L Y   O U T P U T   ***
+        ***                                   ***
+        *****************************************
+    -->
+
+    <!--
+        idp.serialize
+
+        Writes the IdP-only aggregate out to a file.
+    -->
+    <bean id="idp.serialize" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
+        <property name="outputFile">
+            <bean parent="File">
+                <constructor-arg value="${inc.imported-idp.xml}"/>
+            </bean>
+        </property>
+    </bean>
+
+    <!--
+        idp.selector
+
+        Entities in the IdP-only aggregate are restricted to identity providers.
+    -->
+    <bean id="idp.selector" parent="mda.XPathItemSelectionStrategy">
+        <constructor-arg value="/md:EntityDescriptor[md:IDPSSODescriptor]"/>
+        <constructor-arg ref="commonNamespaces"/>
+    </bean>
+
+    <!--
+        idp.pipeline
+
+        Generates the IdP-only aggregate. The selector has already taken care
+        of removing non-IdP entities.
+    -->
+    <bean id="idp.pipeline" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+                <!-- Perform common steps in constructing an output aggregate. -->
+                <ref bean="common.output"/>
+
+                <!-- Write the resulting aggregate out to a file. -->
+                <ref bean="idp.serialize"/>
+            </list>
+        </property>
+    </bean>
+
+
+    <!--
+        *************************************************
+        ***                                           ***
+        ***   A L L   E N T I T I E S   O U T P U T   ***
+        ***                                           ***
+        *************************************************
+    -->
+
+    <!--
+        serializeImported
+
+        Writes the import aggregate out to a file.
+    -->
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
+        <property name="outputFile">
+            <bean parent="File">
+                <constructor-arg value="${inc.imported.xml}"/>
+            </bean>
+        </property>
+    </bean>
+
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   E D U G A I N   I N P U T   ***
+        ***                               ***
+        *************************************
+    -->
+
+    <bean id="incommon_edugain_importPipeline" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+                <!--
+                    Load the saved eduGAIN aggregate from a file.
+                -->
+                <bean id="edugain_aggregate" parent="mda.DOMResourceSourceStage">
+                    <property name="parserPool" ref="parserPool"/>
+                    <property name="DOMResource">
+                        <bean parent="FileSystemResource" c:_0="${inc.edugain.xml}"/>
+                    </property>
+                </bean>
+
+                <!--
+                    Check for fatal errors at the aggregate level:
+                        missing or expired validUntil attribute
+                        invalid signature
+                    This is used for testing and as such we disable 
+                    signature and validUntil checks
+                -->
+                <!-- <ref bean="check_validUntil"/>
+                <ref bean="int_edugain_checkSignature"/> -->
+                <ref bean="errorTerminatingFilter"/>
+
+                <ref bean="disassemble"/>
+
+                <ref bean="int_edugain_removeBlacklistedEntities"/>
+
+                <!--
+                    All eduGAIN entities should have mdrpi:RegistrationInfo elements, but
+                    we can't check the actual values.
+                -->
+                <ref bean="check_hasreginfo"/>
+
+                <!-- Populate identifiers for future actions. -->
+                <ref bean="populateItemIds"/>
+                <ref bean="populateRegistrationAuthorities"/>
+
+                <!-- Apply policy. -->
+                <ref bean="edugainPolicy"/>
+
+                <!--
+                    Silently remove entities which are marked as
+                    having errors.
+                -->
+                <ref bean="errorRemover"/>
+            </list>
+        </property>
+    </bean>
+
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   M A I N   P I P E L I N E   ***
+        ***                               ***
+        *************************************
+    -->
+
+    <!--
+        The main "import" pipeline is responsible for generating the
+        all-entities output aggregate.
+    -->
+    <bean id="import_local" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+                <!--
+                    Start with the InCommon production aggregate.
+
+                    In a production environment, this will be the *unsigned* aggregate,
+                    so we perform minimal checking on its contents.
+                -->
+                <bean id="production_aggregate" parent="mda.DOMResourceSourceStage">
+                    <property name="parserPool" ref="parserPool"/>
+                    <property name="DOMResource">
+                        <bean parent="FileSystemResource" c:_0="${inc.production.xml}"/>
+                    </property>
+                </bean>
+
+                <!-- Break down into individual entities. -->
+                <ref bean="disassemble"/>
+
+                <!--
+                    In case we are testing with InCommon production metadata
+                    that already includes imported entities, remove those
+                    before proceeding to avoid them overwriting the
+                    new imported version.
+                -->
+                <bean id="keepInCommonEntities" parent="mda.EntityRegistrationAuthorityFilterStage">
+                    <property name="designatedRegistrationAuthorities">
+                        <list>
+                            <ref bean="us_incommon_registrar"/>
+                        </list>
+                    </property>
+                    <property name="requiringRegistrationInformation" value="true"/>
+                    <property name="keepingRegistrationAuthorities" value="true"/>
+                </bean>
+
+                <!-- Include a default registrationAuthority for each entity. -->
+                <ref bean="us_incommon_default_regauth"/>
+
+                <!-- Populate identifiers for future actions. -->
+                <ref bean="populateItemIds"/>
+                <ref bean="populateRegistrationAuthorities"/>
+
+                <!-- Merge in selected entities from eduGAIN. -->
+                <bean id="mergeProductionMDXEntities" parent="mda.PipelineMergeStage"
+                    p:collectionMergeStrategy-ref="deduplicateMergeStrategy">
+                    <property name="mergedPipelines">
+                        <list>
+                            <ref bean="incommon_edugain_importPipeline"/>
+                        </list>
+                    </property>
+                </bean>
+
+                <!--
+                    Discard entities in the InCommon entity blacklist.
+
+                    Because this is done _after_ the eduGAIN merge, the
+                    named entities will be removed whatever their source.
+                -->
+                <ref bean="remove_blacklisted_incommon_entities"/>
+
+                <!-- Fork new pipelines to generate special aggregates. -->
+                <bean id="demux" parent="mda.PipelineDemultiplexerStage">
+                    <property name="pipelinesAndStrategies">
+                        <list>
+                            <!-- IdP-only aggregate. -->
+                            <bean parent="mda.PipelineAndStrategy">
+                                <constructor-arg ref="idp.pipeline"/>
+                                <constructor-arg ref="idp.selector"/>
+                            </bean>
+                        </list>
+                    </property>
+                    <property name="waitingForPipelines" value="true"/>
+                </bean>
+
+                <!-- Perform common steps in constructing an output aggregate. -->
+                <ref bean="common.output"/>
+
+                <!-- Write the resulting aggregate out to a file. -->
+                <ref bean="serializeImported"/>
+            </list>
+        </property>
+    </bean>
+
+</beans>
diff --git a/mdx/incommon/report_local.xml b/mdx/incommon/report_local.xml
new file mode 100644
index 0000000..4017113
--- /dev/null
+++ b/mdx/incommon/report_local.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Report on errors detected in eduGAIN metadata.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    default-lazy-init="true"
+    xmlns:c="http://www.springframework.org/schema/c"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+    <!--
+        Import commonly used beans.
+    -->
+    <import resource="classpath:common-beans.xml"/>
+
+    <!--
+        Import inc-mda beans.
+    -->
+    <import resource="classpath:uk/org/iay/incommon/mda/beans.xml"/>
+
+    <!--
+        Import channel-specific beans.
+    -->
+    <import resource="classpath:incommon/beans.xml"/>
+    <import resource="classpath:incommon/edugain-policy.xml"/>
+
+    <!--
+        Import eduGAIN channel beans.
+    -->
+    <import resource="classpath:int_edugain/beans.xml"/>
+
+    <bean id="incommon_edugain_importPipeline" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+            </list>
+        </property>
+    </bean>
+
+    <!--
+        Report on errors detected in eduGAIN metadata.
+    -->
+    <bean id="report_local" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+                <!--
+                    Load the saved eduGAIN aggregate from a file.
+                -->
+                <bean id="edugain_aggregate" parent="mda.DOMResourceSourceStage">
+                    <property name="parserPool" ref="parserPool"/>
+                    <property name="DOMResource">
+                        <bean parent="FileSystemResource" c:_0="${inc.edugain.xml}"/>
+                    </property>
+                </bean>
+
+                <!--
+                    Check for fatal errors at the aggregate level:
+                        missing or expired validUntil attribute
+                        invalid signature
+                    Disable validUntil and signature check for local testing
+                -->
+                <!-- <ref bean="check_validUntil"/>
+                <ref bean="int_edugain_checkSignature"/> -->
+                <ref bean="errorTerminatingFilter"/>
+
+                <ref bean="disassemble"/>
+
+                <ref bean="int_edugain_removeBlacklistedEntities"/>
+
+                <!--
+                    All eduGAIN entities should have mdrpi:RegistrationInfo elements, but
+                    we can't check the actual values.
+                -->
+                <ref bean="check_hasreginfo"/>
+
+                <!-- Populate identifiers for future actions. -->
+                <ref bean="populateItemIds"/>
+                <ref bean="populateRegistrationAuthorities"/>
+
+                <!-- Apply policy. -->
+                <ref bean="edugainPolicy"/>
+
+                <!--
+                    Announce any entities marked as having errors or warnings.
+                -->
+                <ref bean="warningAndErrorAnnouncer"/>
+            </list>
+        </property>
+    </bean>
+
+</beans>
diff --git a/mdx/incommon/sign_localkey.xml b/mdx/incommon/sign_localkey.xml
new file mode 100644
index 0000000..a616296
--- /dev/null
+++ b/mdx/incommon/sign_localkey.xml
@@ -0,0 +1,271 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Construct InCommon eduGAIN import aggregate.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    default-lazy-init="true"
+    xmlns:c="http://www.springframework.org/schema/c"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+    <!--
+        Import commonly used beans.
+    -->
+    <import resource="classpath:common-beans.xml"/>
+
+    <!--
+        Import inc-mda beans.
+    -->
+    <import resource="classpath:uk/org/iay/incommon/mda/beans.xml"/>
+
+    <!--
+        Import channel-specific beans.
+    -->
+    <import resource="classpath:incommon/beans.xml"/>
+    <import resource="classpath:incommon/edugain-policy.xml"/>
+
+    <!--
+        Import eduGAIN channel beans.
+    -->
+    <import resource="classpath:int_edugain/beans.xml"/>
+
+    <!--
+        ***********************************************************
+        ***                                                     ***
+        ***   C O M M O N   O U T P U T   P R O C E S S I N G   ***
+        ***                                                     ***
+        ***********************************************************
+    -->
+
+    <bean id="common.output" parent="mda.CompositeStage">
+        <property name="stages">
+            <list>
+                <!-- Construct a new aggregate from the collection of entities. -->
+                <bean id="inc.assemble" parent="mda.EntitiesDescriptorAssemblerStage">
+                    <property name="itemOrderingStrategy">
+                        <bean parent="inc.InCommonEntityOrderingStrategy"
+                            c:_-ref="us_incommon_registrar"/>
+                    </property>
+                </bean>
+
+                <!-- Apply final tweaks to the aggregate. -->
+                <bean id="finalise" parent="incommon_finalise_parent">
+                    <property name="transformParameters">
+                        <map>
+                            <entry key="extraText" value="Contains InCommon and eduGAIN metadata"/>
+                            <entry key="publisher" value-ref="us_incommon_registrar"/>
+                            <entry key="validityDays" value="${validUntil.aggregate.days}"/>
+                            <entry key="now_ISO" value-ref="now_ISO"/>
+                            <entry key="now_local_ISO" value-ref="now_local_ISO"/>
+                            <entry key="valid_until_ISO" value-ref="validUntil_aggregate_ISO"/>
+                        </map>
+                    </property>
+                </bean>
+
+                <!-- Normalise the use of namespace prefixes in the resulting XML document. -->
+                <bean id="normalise" parent="mda.XSLTransformationStage"
+                    p:XSLResource="classpath:incommon/ns_norm_import.xsl"/>
+            </list>
+        </property>
+    </bean>
+
+
+    <!--
+        *****************************************
+        ***                                   ***
+        ***   I D P - O N L Y   O U T P U T   ***
+        ***                                   ***
+        *****************************************
+    -->
+
+    <!--
+        idp.serialize
+
+        Writes the IdP-only aggregate out to a file.
+    -->
+    <bean id="idp.serialize" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
+        <property name="outputFile">
+            <bean parent="File">
+                <constructor-arg value="${inc.imported-idp.xml}"/>
+            </bean>
+        </property>
+    </bean>
+
+    <!--
+        idp.selector
+
+        Entities in the IdP-only aggregate are restricted to identity providers.
+    -->
+    <bean id="idp.selector" parent="mda.XPathItemSelectionStrategy">
+        <constructor-arg value="/md:EntityDescriptor[md:IDPSSODescriptor]"/>
+        <constructor-arg ref="commonNamespaces"/>
+    </bean>
+
+    <!--
+        idp.pipeline
+
+        Generates the IdP-only aggregate. The selector has already taken care
+        of removing non-IdP entities.
+    -->
+    <bean id="idp.pipeline" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+                <!-- Perform common steps in constructing an output aggregate. -->
+                <ref bean="common.output"/>
+
+                <!-- Sign the aggregate -->
+                <ref bean="signItems" />
+
+                <!-- Write the resulting aggregate out to a file. -->
+                <ref bean="idp.serialize"/>
+            </list>
+        </property>
+    </bean>
+
+
+    <!--
+        *************************************************
+        ***                                           ***
+        ***   A L L   E N T I T I E S   O U T P U T   ***
+        ***                                           ***
+        *************************************************
+    -->
+
+    <!--
+        serializeImported
+
+        Writes the import aggregate out to a file.
+    -->
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
+        <property name="outputFile">
+            <bean parent="File">
+                <constructor-arg value="${inc.imported.xml}"/>
+            </bean>
+        </property>
+    </bean>
+
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   E D U G A I N   I N P U T   ***
+        ***                               ***
+        *************************************
+    -->
+
+    <bean id="incommon_edugain_importPipeline" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+                <!--
+                    Load the saved eduGAIN aggregate from a file.
+                -->
+                <bean id="edugain_aggregate" parent="mda.DOMResourceSourceStage">
+                    <property name="parserPool" ref="parserPool"/>
+                    <property name="DOMResource">
+                        <bean parent="FileSystemResource" c:_0="${inc.edugain.xml}"/>
+                    </property>
+                </bean>
+
+                <!--
+                    Check for fatal errors at the aggregate level:
+                        missing or expired validUntil attribute
+                        invalid signature
+                -->
+                <ref bean="check_validUntil"/>
+                <ref bean="int_edugain_checkSignature"/>
+                <ref bean="errorTerminatingFilter"/>
+
+                <ref bean="disassemble"/>
+
+                <ref bean="int_edugain_removeBlacklistedEntities"/>
+
+                <!--
+                    All eduGAIN entities should have mdrpi:RegistrationInfo elements, but
+                    we can't check the actual values.
+                -->
+                <ref bean="check_hasreginfo"/>
+
+                <!-- Populate identifiers for future actions. -->
+                <ref bean="populateItemIds"/>
+                <ref bean="populateRegistrationAuthorities"/>
+
+                <!-- Apply policy. -->
+                <ref bean="edugainPolicy"/>
+
+                <!--
+                    Silently remove entities which are marked as
+                    having errors.
+                -->
+                <ref bean="errorRemover"/>
+            </list>
+        </property>
+    </bean>
+
+
+
+    <!-- MD SIGNING MOVE TO AWS (TIO-118) -->
+
+    <!-- Define a private key factory (based on a local key) -->
+    <bean id="privateKeyFactory" parent="mda.PrivateKeyFactoryBean"
+        p:resource="${sign.keyResource}"
+        p:privateKeyPassword="${sign.keyPassword}" />
+
+    <!-- Signs items using a provided privateKeyFactory -->
+    <bean id="signItems" parent="mda.XMLSignatureSigningStage">
+        <property name="privateKey">
+            <ref bean="privateKeyFactory" />
+        </property>
+        <property name="certificates">
+            <list>
+                <bean id="us_incommon_signingCertificate" parent="mda.X509CertificateFactoryBean"
+                    p:resource="classpath:us_incommon/inc-md-cert.pem"/>
+            </list>
+        </property>
+    </bean>
+
+
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   M A I N   P I P E L I N E   ***
+        ***                               ***
+        *************************************
+    -->
+
+    <!--
+        The main "sign" pipeline is responsible for generating the
+        signed output aggregate.
+    -->
+    <bean id="sign_localkey" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+                <!--
+                    Start with the InCommon production aggregate.
+
+                    In a production environment, this will be the *unsigned* aggregate,
+                    so we perform minimal checking on its contents.
+                -->
+                <bean id="production_aggregate" parent="mda.DOMResourceSourceStage">
+                    <property name="parserPool" ref="parserPool"/>
+                    <property name="DOMResource">
+                        <bean parent="FileSystemResource" c:_0="${inc.production.xml}"/>
+                    </property>
+                </bean>
+
+                <!-- Sign the aggregate -->
+                <ref bean="signItems" />
+
+                <!-- Write the resulting aggregate out to a file. -->
+                <ref bean="serializeImported"/>
+            </list>
+        </property>
+    </bean>
+
+</beans>
diff --git a/tests/incommon/data/test-edugain-metadata.xml b/tests/incommon/data/test-edugain-metadata.xml
index 9d501a6..61035d6 100644
--- a/tests/incommon/data/test-edugain-metadata.xml
+++ b/tests/incommon/data/test-edugain-metadata.xml
@@ -213,4 +213,92 @@ rCQ5wiQlCiUdMUTWlNVfhJR1n5Pp
       <EmailAddress>mailto:admin@sp.example.edugain.edu</EmailAddress>
     </ContactPerson>
   </EntityDescriptor>
+  <md:EntityDescriptor entityID="https://erroneous.edugain.example/auth/saml2/sp/metadata.php">
+    <md:Extensions>
+      <mdrpi:RegistrationInfo registrationAuthority="erroneous.edugain.example" registrationInstant="2025-07-08T19:08:09Z">
+        <mdrpi:RegistrationPolicy xml:lang="en">https://gif.erroneous.edugain.example/pdf/statement.pdf</mdrpi:RegistrationPolicy>
+      </mdrpi:RegistrationInfo>
+    </md:Extensions>
+    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
+      <md:Extensions>
+        <mdui:UIInfo>
+          <mdui:DisplayName xml:lang="en">eduGAIN Error Example</mdui:DisplayName>
+          <mdui:Description xml:lang="en">eduGAIN Error Example Description</mdui:Description>
+          <mdui:InformationURL xml:lang="en">https://learn.erroneous.edugain.example</mdui:InformationURL>
+          <mdui:Logo height="80" width="80">https://logo.erroneous.edugain.example/images/logo.png</mdui:Logo>
+        </mdui:UIInfo>
+      </md:Extensions>
+      <md:KeyDescriptor use="signing">
+        <ds:KeyInfo>
+          <ds:X509Data>
+            <ds:X509Certificate>
+MIIEGjCCAwKgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBpTEMMAoGA1UEAwwDR09M
+MQswCQYDVQQGEwJHSDEgMB4GCSqGSIb3DQEJARYRbm9jQGdhcm5ldC5lZHUuZ2gx
+DjAMBgNVBAcMBUxlZ29uMS0wKwYDVQQKDCRHaGFuYWlhbiBBY2FkZW1pYyAmIFJl
+c2VhcmNoIE5ldHdvcmsxFjAUBgNVBAgMDUdyZWF0ZXIgQWNjcmExDzANBgNVBAsM
+BkdBUk5FVDAeFw0yNTA3MDgxODM0MTNaFw0zNTA3MDYxODM0MTNaMIGlMQwwCgYD
+VQQDDANHT0wxCzAJBgNVBAYTAkdIMSAwHgYJKoZIhvcNAQkBFhFub2NAZ2FybmV0
+LmVkdS5naDEOMAwGA1UEBwwFTGVnb24xLTArBgNVBAoMJEdoYW5haWFuIEFjYWRl
+bWljICYgUmVzZWFyY2ggTmV0d29yazEWMBQGA1UECAwNR3JlYXRlciBBY2NyYTEP
+MA0GA1UECwwGR0FSTkVUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uaAlMu6fdqp8+R9O3uvuV/ZiHkpqiLK/nV+eBhK43HPzdjp+OF1EYM6Dums4HaJK
+MmmmKaIY9hajhC6kV9Gzkql7/FXVdN9VR/aeP7uw2wX3gq4QHHLCy6IsUVuOls7e
+89pGroOakOxrD/Vlc/MYCi5/+mhGuBm6s5o+tRnAfZbjdmFyq1yStVJVGyNpDZOR
+pa/5yZm7v9ISFIL5Ff/jI1FUyHvbr807KgXsKOb6uQuD5rUU5EvLP/3Dmx3OBMgB
+QWnsNfyMBEj210hKHo81xRZiM2OEuNUWKvQ6TXJ7ffRaVKltqSqlzKGp8hQyhcnB
+FqYIOBRYOq/RY2Aid/nZSwIDAQABo1MwUTAdBgNVHQ4EFgQUv7X6mRnIyzF0rsEy
+mLZbO7m8Kz4wHwYDVR0jBBgwFoAUv7X6mRnIyzF0rsEymLZbO7m8Kz4wDwYDVR0T
+AQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAcjxsyzB8OOoLpmfowGBWwtA7
+FDP8EspxAENkB73rsXcGlla2FrWcts5JTM1QaXXV3gp2yHQsf3bnQojMuyOhlEN9
+4g2D3hMIe0ii7D6EySf/0+30eVk2Gm4baTkU4iC6AAG6fCGdbV/S35W/LNoUNa43
+w6VZlf3Bm5Ll1DT4tKakA14LLisEYgrHUXTmaHO6ClgKMQSQ4TMLuMsaF7loS7ic
+eOm0U96yXmqMKDqHnI3z1m+nQMSQHALGkRy04ixJTZLaKK6vdUUFMS3RIIYtCIkY
+ZpU3r74KB02RD1kzRTCsK2SkD202ZjKQVC970TgiMyRMl4H1lF+H9RQ5PoU3KQ==
+</ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </md:KeyDescriptor>
+      <md:KeyDescriptor use="encryption">
+        <ds:KeyInfo>
+          <ds:X509Data>
+            <ds:X509Certificate>
+MIIEGjCCAwKgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBpTEMMAoGA1UEAwwDR09M
+MQswCQYDVQQGEwJHSDEgMB4GCSqGSIb3DQEJARYRbm9jQGdhcm5ldC5lZHUuZ2gx
+DjAMBgNVBAcMBUxlZ29uMS0wKwYDVQQKDCRHaGFuYWlhbiBBY2FkZW1pYyAmIFJl
+c2VhcmNoIE5ldHdvcmsxFjAUBgNVBAgMDUdyZWF0ZXIgQWNjcmExDzANBgNVBAsM
+BkdBUk5FVDAeFw0yNTA3MDgxODM0MTNaFw0zNTA3MDYxODM0MTNaMIGlMQwwCgYD
+VQQDDANHT0wxCzAJBgNVBAYTAkdIMSAwHgYJKoZIhvcNAQkBFhFub2NAZ2FybmV0
+LmVkdS5naDEOMAwGA1UEBwwFTGVnb24xLTArBgNVBAoMJEdoYW5haWFuIEFjYWRl
+bWljICYgUmVzZWFyY2ggTmV0d29yazEWMBQGA1UECAwNR3JlYXRlciBBY2NyYTEP
+MA0GA1UECwwGR0FSTkVUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uaAlMu6fdqp8+R9O3uvuV/ZiHkpqiLK/nV+eBhK43HPzdjp+OF1EYM6Dums4HaJK
+MmmmKaIY9hajhC6kV9Gzkql7/FXVdN9VR/aeP7uw2wX3gq4QHHLCy6IsUVuOls7e
+89pGroOakOxrD/Vlc/MYCi5/+mhGuBm6s5o+tRnAfZbjdmFyq1yStVJVGyNpDZOR
+pa/5yZm7v9ISFIL5Ff/jI1FUyHvbr807KgXsKOb6uQuD5rUU5EvLP/3Dmx3OBMgB
+QWnsNfyMBEj210hKHo81xRZiM2OEuNUWKvQ6TXJ7ffRaVKltqSqlzKGp8hQyhcnB
+FqYIOBRYOq/RY2Aid/nZSwIDAQABo1MwUTAdBgNVHQ4EFgQUv7X6mRnIyzF0rsEy
+mLZbO7m8Kz4wHwYDVR0jBBgwFoAUv7X6mRnIyzF0rsEymLZbO7m8Kz4wDwYDVR0T
+AQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAcjxsyzB8OOoLpmfowGBWwtA7
+FDP8EspxAENkB73rsXcGlla2FrWcts5JTM1QaXXV3gp2yHQsf3bnQojMuyOhlEN9
+4g2D3hMIe0ii7D6EySf/0+30eVk2Gm4baTkU4iC6AAG6fCGdbV/S35W/LNoUNa43
+w6VZlf3Bm5Ll1DT4tKakA14LLisEYgrHUXTmaHO6ClgKMQSQ4TMLuMsaF7loS7ic
+eOm0U96yXmqMKDqHnI3z1m+nQMSQHALGkRy04ixJTZLaKK6vdUUFMS3RIIYtCIkY
+ZpU3r74KB02RD1kzRTCsK2SkD202ZjKQVC970TgiMyRMl4H1lF+H9RQ5PoU3KQ==
+</ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </md:KeyDescriptor>
+      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://erroneous.edugain.example/auth/saml2/sp/saml2-logout.php/erroneous.edugain.example"/>
+      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
+      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://erroneous.edugain.example/auth/saml2/sp/saml2-acs.php/erroneous.edugain.example" index="0"/>
+    </md:SPSSODescriptor>
+    <md:Organization>
+      <md:OrganizationName xml:lang="en">eduGAIN Error Example</md:OrganizationName>
+      <md:OrganizationDisplayName xml:lang="en">eduGAIN Error Example</md:OrganizationDisplayName>
+      <md:OrganizationURL xml:lang="en">https://erroneous.edugain.example</md:OrganizationURL>
+    </md:Organization>
+    <md:ContactPerson contactType="technical">
+      <md:EmailAddress>mailto:noc@erroneous.edugain.example</md:EmailAddress>
+    </md:ContactPerson>
+  </md:EntityDescriptor>
 </md:EntitiesDescriptor>
diff --git a/tests/incommon/data/test-incommon-export.xml b/tests/incommon/data/test-incommon-export.xml
new file mode 100644
index 0000000..90fdee2
--- /dev/null
+++ b/tests/incommon/data/test-incommon-export.xml
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_20250630T203049" validUntil="2025-07-14T20:30:49Z">
+<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
+<mdrpi:PublicationInfo creationInstant="2025-06-30T20:30:49Z" publisher="https://incommon.org"/>
+</md:Extensions>
+
+<!-- Example exported entity -->
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://incommon.export.example.com/Saml2">
+  <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
+    <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
+    <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
+        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://macedir.org/entity-category">
+        <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue>
+      </saml:Attribute>
+    </mdattr:EntityAttributes>
+  </Extensions>
+  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+      <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://mfa-auth.dev2.phenoapp.com/Saml2/disco" index="1"/>
+      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
+        <mdui:DisplayName xml:lang="en">Incommon Export Example</mdui:DisplayName>
+        <mdui:Description xml:lang="en">Incommon Export Example Description.</mdui:Description>
+        <mdui:InformationURL xml:lang="en">https://incommon.export.example.com/info.html</mdui:InformationURL>
+        <mdui:PrivacyStatementURL xml:lang="en">https://incommon.export.example.com/privacy_statement.html</mdui:PrivacyStatementURL>
+        <mdui:Logo xml:lang="en" width="100" height="100">https://incommon.export.example.com/logo.png</mdui:Logo>
+      </mdui:UIInfo>
+    </md:Extensions>
+    <md:KeyDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <!-- Serial No. 13726033993109987567, expires on Sat May 28 18:01:40 2022 GMT -->
+          <ds:X509Certificate>
+MIIDqjCCApICCQC+fKsxbkHg7zANBgkqhkiG9w0BAQsFADCBljELMAkGA1UEBhMC
+VVMxDTALBgNVBAgMBE9oaW8xETAPBgNVBAcMCENvbHVtYnVzMSEwHwYDVQQKDBhT
+cGluZSBSZXNlYXJjaCBJbnN0aXR1dGUxHTAbBgNVBAsMFFNvZnR3YXJlIEVuZ2lu
+ZWVyaW5nMSMwIQYDVQQDDBptZmEtYXV0aC5kZXYyLnBoZW5vYXBwLmNvbTAeFw0y
+MTA1MjgxODAxNDBaFw0yMjA1MjgxODAxNDBaMIGWMQswCQYDVQQGEwJVUzENMAsG
+A1UECAwET2hpbzERMA8GA1UEBwwIQ29sdW1idXMxITAfBgNVBAoMGFNwaW5lIFJl
+c2VhcmNoIEluc3RpdHV0ZTEdMBsGA1UECwwUU29mdHdhcmUgRW5naW5lZXJpbmcx
+IzAhBgNVBAMMGm1mYS1hdXRoLmRldjIucGhlbm9hcHAuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy3fRJcWRUu7tAiyNhxV+qAwhWf1UqbqaAygD
+pXyyt9evvBLjRzaDV0oRwrxFQBy/BbXw3iqFi7dzCFdApJ6f6YmIoyc7MoO1hXmj
+hxGIwQMhYjgC24zHLXZHRPoVER4bKZhhjluFQe1pcSQOIRvn+ddtmHIrjARWdu2H
+d3Vq+PsRup2xkhUmOtO0hK3ouBvjKRbmimJczAjBuLPcwpFUcvssska2PSMTuWcR
+ngSzkeGALiHvKq0mbGpMlIjmbnPiXi3UORJLKbivtDIoljN6vPibhzC0XBS7QKdW
+jwMUqEPgxoAVUkh3w5cFeGEs8cfGps4GImQDRio/HKMWaLe8bQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQDIwxlpxNoL97+/RjjYuBNh2cCwjUgMX8B4hcTnXUJxstla
+sVLEzV0f4jAWw9uCxQ7MAZVnVF2qJJr0QO8oa0PUNogAjf2am0iNC9hP4wW35gbX
+OUltpjUzuA1uDFaoOaBTJm6K0dnGQPXJu0LHUq3cYP2usTC/Inanpa2Vrg/Yd9/7
+YYCNkyTNk7BZMmoOCQOmxnZ9EIVoagQlLFOioZm6wH3NkJ/ryLA1BzSzzc4aLcHW
+llqKDN+r3+7V6EhFHi+mdLL0b2hx+WEAD9OsnpnnEK+G9SYufC8bVRLj7zIvPpMX
+H+cY2/VLXuYdr7snyziAlZ6eUgKSeJWDM5axlz/a
+          </ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+    </md:KeyDescriptor>
+    <md:AssertionConsumerService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://incommon.export.example.com/Saml2/acs/post"/>
+  </SPSSODescriptor>
+  <Organization>
+    <OrganizationName xml:lang="en">Incommon Export Example Org</OrganizationName>
+    <OrganizationDisplayName xml:lang="en">Incommon Export Example Org Display Name</OrganizationDisplayName>
+    <OrganizationURL xml:lang="en">http://incommon.export.example.com/</OrganizationURL>
+  </Organization>
+  <ContactPerson contactType="administrative">
+    <GivenName>Example Person1</GivenName>
+    <EmailAddress>mailto:example1@incommon.export.example.com</EmailAddress>
+  </ContactPerson>
+  <ContactPerson contactType="technical">
+    <GivenName>Example Person2</GivenName>
+    <EmailAddress>mailto:example2@incommon.export.example.com</EmailAddress>
+  </ContactPerson>
+  <ContactPerson xmlns:remd="http://refeds.org/metadata" contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
+    <GivenName>Incommon Export Example Security Team</GivenName>
+    <EmailAddress>mailto:security@incommon.export.example.com</EmailAddress>
+  </ContactPerson>
+</EntityDescriptor>
+</EntitiesDescriptor>
diff --git a/tests/incommon/scripts/consolidateIncommonAndEdugain.sh b/tests/incommon/scripts/consolidateIncommonAndEdugainSigned.sh
similarity index 86%
rename from tests/incommon/scripts/consolidateIncommonAndEdugain.sh
rename to tests/incommon/scripts/consolidateIncommonAndEdugainSigned.sh
index 56837ee..a94ac73 100755
--- a/tests/incommon/scripts/consolidateIncommonAndEdugain.sh
+++ b/tests/incommon/scripts/consolidateIncommonAndEdugainSigned.sh
@@ -34,7 +34,7 @@ info "Starting at $(date)"
 debug "Using local key"
 
 # The inc.generate.import_sign_localkey target erroneously depends on sign.uk.keyPassword
-# The mda.inc.imported-idp.xml is  the parameter for the unsigned idp-only aggregate output file
+# The mda.inc.imported-idp.xml is the parameter for the unsigned idp-only aggregate output file
 # The mda.inc.imported.xml is the parameter for the unsigned aggregate output file
 ANT_OPTS=(inc.generate.import_sign_localkey \
   "-Dedugain.dir=/mda/inc/inc-meta/mdx/int_edugain" \
@@ -46,10 +46,6 @@ ANT_OPTS=(inc.generate.import_sign_localkey \
   "-Dshared.ws.dir=/mda/inc/inc-meta" \
   "-Dsign.uk.keyPassword=dummypassword")
 
-# Set source for signed InCommon metadata aggregate
-MD_SOURCE_FILE=$MDQ_HOME/tests/incommon/data/test-metadata.xml
-MD_SOURCE_CERT=/$MDQ_HOME/tests/incommon/data/test-cert.pem
-
 # Create temp local signing key/cert
 SGNPWD=dummypassword
 export SGNPWD
diff --git a/tests/incommon/scripts/consolidateIncommonAndEdugainUnsigned.sh b/tests/incommon/scripts/consolidateIncommonAndEdugainUnsigned.sh
new file mode 100755
index 0000000..22aec1b
--- /dev/null
+++ b/tests/incommon/scripts/consolidateIncommonAndEdugainUnsigned.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+# Generate metadata files required for the MDQ service
+
+# TODO:
+#   * Wrap mda output in debug function
+#   * Count files
+
+set -euo pipefail
+
+# Get script name
+PROG=`basename $0`
+
+# Get metadata validation funtions
+source /$MDQ_HOME/tests/incommon/scripts/metadataValidation.sh
+
+# Print debug output
+function debug {
+  echo [DEBUG] $PROG: "$@"
+}
+
+# Print error output
+function error {
+  echo [ERROR] $PROG: "$@"
+}
+
+# Print informational output
+function info {
+  echo [INFO] $PROG: "$@"
+}
+
+info "Starting at $(date)"
+
+# Use local key
+debug "Using local key"
+
+# The inc.generate.import_sign_localkey target erroneously depends on sign.uk.keyPassword
+# The mda.inc.imported-idp.xml is the parameter for the unsigned idp-only aggregate output file
+# The mda.inc.imported.xml is the parameter for the unsigned aggregate output file
+ANT_OPTS=(inc.generate.import_local \
+  "-Dedugain.dir=/mda/inc/inc-meta/mdx/int_edugain" \
+  "-Dmda.inc.edugain.xml=tests/incommon/data/test-edugain-metadata.xml" \
+  "-Dmda.inc.imported.xml=/tmp/incommon-and-edugain-metadata.xml" \
+  "-Dmda.inc.imported-idp.xml=/tmp/incommon-and-edugain-idp-metadata.xml" \
+  "-Dmda.inc.production.xml=tests/incommon/data/test-metadata.xml" \
+  "-Dshared.ws.dir=/mda/inc/inc-meta")
+
+# Generate all required metadata for the MDQ service
+debug "Generating metadata"
+cd "$MDQ_HOME" || exit 1
+if ! /usr/bin/ant "${ANT_OPTS[@]}"
+then
+  error "Metadata generation failed"
+  exit 1
+fi
diff --git a/tests/incommon/scripts/edugainReport.sh b/tests/incommon/scripts/edugainReport.sh
new file mode 100755
index 0000000..d50aa43
--- /dev/null
+++ b/tests/incommon/scripts/edugainReport.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# Report on the eduGAIN entities filtered out because of errors detected.
+
+ANT_OPTS=(inc.edugain.report_local \
+  "-Dshared.ws.dir=/mda/inc/inc-meta" \
+  "-Dedugain.dir=/mda/inc/inc-meta/mdx/int_edugain" \
+  "-Dmda.inc.edugain.xml=tests/incommon/data/test-edugain-metadata.xml")
+
+# Download eduGAIN metadata for the MDQ service
+echo "Running ant to report on the eduGAIN metadata file."
+cd "$MDQ_HOME" || exit 1
+if ! /usr/bin/ant "${ANT_OPTS[@]}"
+then
+  echo "Download failed"
+  exit 1
+fi
diff --git a/tests/incommon/scripts/signIncommonExport.sh b/tests/incommon/scripts/signIncommonExport.sh
new file mode 100755
index 0000000..03a51bb
--- /dev/null
+++ b/tests/incommon/scripts/signIncommonExport.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Sign an input aggregate (e.g. Incommon or eduGAIN)
+# but this specifically will test signing the Incommon Export aggregate
+
+ANT_OPTS=(inc.generate.sign_localkey \
+  "-Dedugain.dir=/mda/inc/inc-meta/mdx/int_edugain" \
+  "-Dmda.inc.imported.xml=/tmp/incommon-export-signed-metadata.xml" \
+  "-Dmda.inc.production.xml=tests/incommon/data/test-incommon-export.xml" \
+  "-Dmda.sign.keyResource=file:///keys/mda-signing.key" \
+  "-Dshared.ws.dir=/mda/inc/inc-meta" \
+  "-Dsign.uk.keyPassword=dummypassword")
+
+# Create temp local signing key/cert
+SGNPWD=dummypassword
+export SGNPWD
+mkdir -p /keys
+[ ! -L /keys/mda-signing.crt ] && ln -s /$MDQ_HOME/tests/incommon/data/mda-signing.crt /keys/mda-signing.crt
+[ ! -L /keys/mda-signing.key ] && ln -s /$MDQ_HOME/tests/incommon/data/mda-signing.key /keys/mda-signing.key
+
+# Download eduGAIN metadata for the MDQ service
+echo "Running ant to sign the input metadata file."
+cd "$MDQ_HOME" || exit 1
+if ! /usr/bin/ant "${ANT_OPTS[@]}"
+then
+  echo "Download failed"
+  exit 1
+fi