From 6c97760fe85fa8f603e01871ed8284248ed39408 Mon Sep 17 00:00:00 2001
From: Dominic Martinez <dmartinez@unicon.net>
Date: Tue, 12 Aug 2025 18:50:13 -0700
Subject: [PATCH] TIDO-576 Add devcontainer and test scripts (#23)

---
 .devcontainer/Dockerfile                      |  37 ++
 .devcontainer/devcontainer.json               |  10 +
 .gitignore                                    |   1 +
 build.xml                                     |  17 +
 mdx/incommon/import_sign_localkey.xml         | 329 ++++++++++++++++++
 tests/incommon/data/mda-signing.crt           |  22 ++
 tests/incommon/data/mda-signing.key           |  30 ++
 tests/incommon/data/test-cert.pem             |  15 +
 tests/incommon/data/test-edugain-metadata.xml | 216 ++++++++++++
 tests/incommon/data/test-metadata-signed.xml  | 220 ++++++++++++
 tests/incommon/data/test-metadata.xml         | 188 ++++++++++
 .../scripts/consolidateIncommonAndEdugain.sh  |  67 ++++
 tests/incommon/scripts/edugainDownload.sh     |  16 +
 tests/incommon/scripts/genMDFromSignedMD.sh   |  78 +++++
 tests/incommon/scripts/genMDFromUnsignedMD.sh |  60 ++++
 tests/incommon/scripts/metadataValidation.sh  |  33 ++
 16 files changed, 1339 insertions(+)
 create mode 100644 .devcontainer/Dockerfile
 create mode 100644 .devcontainer/devcontainer.json
 create mode 100644 mdx/incommon/import_sign_localkey.xml
 create mode 100644 tests/incommon/data/mda-signing.crt
 create mode 100644 tests/incommon/data/mda-signing.key
 create mode 100644 tests/incommon/data/test-cert.pem
 create mode 100644 tests/incommon/data/test-edugain-metadata.xml
 create mode 100644 tests/incommon/data/test-metadata-signed.xml
 create mode 100644 tests/incommon/data/test-metadata.xml
 create mode 100755 tests/incommon/scripts/consolidateIncommonAndEdugain.sh
 create mode 100755 tests/incommon/scripts/edugainDownload.sh
 create mode 100755 tests/incommon/scripts/genMDFromSignedMD.sh
 create mode 100755 tests/incommon/scripts/genMDFromUnsignedMD.sh
 create mode 100755 tests/incommon/scripts/metadataValidation.sh

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
new file mode 100644
index 0000000..f0a1aae
--- /dev/null
+++ b/.devcontainer/Dockerfile
@@ -0,0 +1,37 @@
+FROM amazonlinux:2023.5.20240730.0
+
+# Install necessary packages
+RUN dnf -y install \
+    # these switches are used to force full java-17-corretto dependencies installation
+    ant -x java-22-amazon-corretto-headless -x java-21-amazon-corretto-headless \
+    # awscli \
+    tar \
+    gzip \
+    openssl \
+    unzip \
+    wget \
+    which \
+  && dnf clean all
+
+RUN mkdir -p /mda/inc/inc-meta
+COPY . /mda/inc/inc-meta
+
+# Set environment variables
+#
+# Note: XMLSECTOOL_PATH specifies the path to the xmlsectool installed with the
+#       metadata aggregator. We use xmlsectool in startup.sh, but that will no
+#       longer be required if we update the inc-meta MDA rules to check the
+#       signature of the source aggregate.
+ENV INC_MD_VERIFIED_PATH=/metadata/inc-metadata.xml \
+  XMLSECTOOL_PATH=/mda/inc/inc-meta/tools/xmlsectool-3.0.0/xmlsectool.sh \
+  JAVA_HOME=/ \
+  JVMOPTS=-Xmx2048m \
+  MDQ_HOME=/mda/inc/inc-meta/ \
+  WWW_HOME=/mdqwww \
+  CERTGEN_MDQSIGN_SUBJECT=/C=US/ST=State/L=City/O=OrgName/CN=mdqsigning.example.org \
+  CERTGEN_WWW_SUBJECT=/C=US/ST=State/L=City/O=OrgName/CN=mdqweb.example.org
+
+# Create metadata output directory
+RUN mkdir /metadata
+
+# CMD ["/usr/local/bin/startup.sh"]
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
new file mode 100644
index 0000000..bb193d8
--- /dev/null
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,10 @@
+{
+    "build": {
+        "dockerfile": "Dockerfile"
+    },
+    "settings": {
+        "terminal.integrated.cwd": "/mda/inc/inc-meta/tests/incommon/scripts"
+    },
+    "workspaceMount": "source=${localWorkspaceFolder},target=/mda/inc/inc-meta,type=bind",
+    "workspaceFolder": "/mda/inc/inc-meta"
+}
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index bf81465..affa2ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,6 +25,7 @@ Thumbs.db
 /build/uai.html
 /build/dml.html
 /build/locations_noports.txt
+/build/mdq
 
 # /charting/
 /charting/cache
diff --git a/build.xml b/build.xml
index 9e96ff3..861a6fb 100644
--- a/build.xml
+++ b/build.xml
@@ -3076,6 +3076,23 @@
         <echo>Generation complete.</echo>
     </target>
 
+    <!--
+	inc.generate.import_sign_localkey
+
+	Generate the InCommon import aggregate signed using a local key
+    -->
+    <target name="inc.generate.import_sign_localkey">
+        <property name="mda.sign.keyPassword" value="${sign.uk.keyPassword}"/>
+
+        <echo>Generating InCommon signed import aggregate in ${mda.inc.imported.xml}</echo>
+        <echo>    (IdP-only aggregate in ${mda.inc.imported-idp.xml})</echo>
+        <echo>    from production aggregate in ${mda.inc.production.xml}</echo>
+        <echo>    and selected eduGAIN entities from ${mda.inc.edugain.xml}</echo>
+        <echo>    signed using a local key</echo>
+        <CHANNEL.do channel="incommon" verb="import_sign_localkey"/>
+        <echo>Generation complete.</echo>
+    </target>
+
     <!--
         inc.generate.sign
 
diff --git a/mdx/incommon/import_sign_localkey.xml b/mdx/incommon/import_sign_localkey.xml
new file mode 100644
index 0000000..7a97406
--- /dev/null
+++ b/mdx/incommon/import_sign_localkey.xml
@@ -0,0 +1,329 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Construct InCommon eduGAIN import aggregate.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    default-lazy-init="true"
+    xmlns:c="http://www.springframework.org/schema/c"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+    <!--
+        Import commonly used beans.
+    -->
+    <import resource="classpath:common-beans.xml"/>
+
+    <!--
+        Import inc-mda beans.
+    -->
+    <import resource="classpath:uk/org/iay/incommon/mda/beans.xml"/>
+
+    <!--
+        Import channel-specific beans.
+    -->
+    <import resource="classpath:incommon/beans.xml"/>
+    <import resource="classpath:incommon/edugain-policy.xml"/>
+
+    <!--
+        Import eduGAIN channel beans.
+    -->
+    <import resource="classpath:int_edugain/beans.xml"/>
+
+    <!--
+        ***********************************************************
+        ***                                                     ***
+        ***   C O M M O N   O U T P U T   P R O C E S S I N G   ***
+        ***                                                     ***
+        ***********************************************************
+    -->
+
+    <bean id="common.output" parent="mda.CompositeStage">
+        <property name="stages">
+            <list>
+                <!-- Construct a new aggregate from the collection of entities. -->
+                <bean id="inc.assemble" parent="mda.EntitiesDescriptorAssemblerStage">
+                    <property name="itemOrderingStrategy">
+                        <bean parent="inc.InCommonEntityOrderingStrategy"
+                            c:_-ref="us_incommon_registrar"/>
+                    </property>
+                </bean>
+
+                <!-- Apply final tweaks to the aggregate. -->
+                <bean id="finalise" parent="incommon_finalise_parent">
+                    <property name="transformParameters">
+                        <map>
+                            <entry key="extraText" value="Contains InCommon and eduGAIN metadata"/>
+                            <entry key="publisher" value-ref="us_incommon_registrar"/>
+                            <entry key="validityDays" value="${validUntil.aggregate.days}"/>
+                            <entry key="now_ISO" value-ref="now_ISO"/>
+                            <entry key="now_local_ISO" value-ref="now_local_ISO"/>
+                            <entry key="valid_until_ISO" value-ref="validUntil_aggregate_ISO"/>
+                        </map>
+                    </property>
+                </bean>
+
+                <!-- Normalise the use of namespace prefixes in the resulting XML document. -->
+                <bean id="normalise" parent="mda.XSLTransformationStage"
+                    p:XSLResource="classpath:incommon/ns_norm_import.xsl"/>
+            </list>
+        </property>
+    </bean>
+
+
+    <!--
+        *****************************************
+        ***                                   ***
+        ***   I D P - O N L Y   O U T P U T   ***
+        ***                                   ***
+        *****************************************
+    -->
+
+    <!--
+        idp.serialize
+
+        Writes the IdP-only aggregate out to a file.
+    -->
+    <bean id="idp.serialize" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
+        <property name="outputFile">
+            <bean parent="File">
+                <constructor-arg value="${inc.imported-idp.xml}"/>
+            </bean>
+        </property>
+    </bean>
+
+    <!--
+        idp.selector
+
+        Entities in the IdP-only aggregate are restricted to identity providers.
+    -->
+    <bean id="idp.selector" parent="mda.XPathItemSelectionStrategy">
+        <constructor-arg value="/md:EntityDescriptor[md:IDPSSODescriptor]"/>
+        <constructor-arg ref="commonNamespaces"/>
+    </bean>
+
+    <!--
+        idp.pipeline
+
+        Generates the IdP-only aggregate. The selector has already taken care
+        of removing non-IdP entities.
+    -->
+    <bean id="idp.pipeline" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+                <!-- Perform common steps in constructing an output aggregate. -->
+                <ref bean="common.output"/>
+
+                <!-- Sign the aggregate -->
+                <ref bean="signItems" />
+
+                <!-- Write the resulting aggregate out to a file. -->
+                <ref bean="idp.serialize"/>
+            </list>
+        </property>
+    </bean>
+
+
+    <!--
+        *************************************************
+        ***                                           ***
+        ***   A L L   E N T I T I E S   O U T P U T   ***
+        ***                                           ***
+        *************************************************
+    -->
+
+    <!--
+        serializeImported
+
+        Writes the import aggregate out to a file.
+    -->
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
+        <property name="outputFile">
+            <bean parent="File">
+                <constructor-arg value="${inc.imported.xml}"/>
+            </bean>
+        </property>
+    </bean>
+
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   E D U G A I N   I N P U T   ***
+        ***                               ***
+        *************************************
+    -->
+
+    <bean id="incommon_edugain_importPipeline" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+                <!--
+                    Load the saved eduGAIN aggregate from a file.
+                -->
+                <bean id="edugain_aggregate" parent="mda.DOMResourceSourceStage">
+                    <property name="parserPool" ref="parserPool"/>
+                    <property name="DOMResource">
+                        <bean parent="FileSystemResource" c:_0="${inc.edugain.xml}"/>
+                    </property>
+                </bean>
+
+                <!--
+                    Check for fatal errors at the aggregate level:
+                        missing or expired validUntil attribute
+                        invalid signature
+                    For local key testing, we disable validUntil & signature check in order to use test file
+                -->
+                <!-- <ref bean="check_validUntil"/> -->
+                <!-- <ref bean="int_edugain_checkSignature"/> -->
+                <ref bean="errorTerminatingFilter"/>
+
+                <ref bean="disassemble"/>
+
+                <ref bean="int_edugain_removeBlacklistedEntities"/>
+
+                <!--
+                    All eduGAIN entities should have mdrpi:RegistrationInfo elements, but
+                    we can't check the actual values.
+                -->
+                <ref bean="check_hasreginfo"/>
+
+                <!-- Populate identifiers for future actions. -->
+                <ref bean="populateItemIds"/>
+                <ref bean="populateRegistrationAuthorities"/>
+
+                <!-- Apply policy. -->
+                <ref bean="edugainPolicy"/>
+
+                <!--
+                    Silently remove entities which are marked as
+                    having errors.
+                -->
+                <ref bean="errorRemover"/>
+            </list>
+        </property>
+    </bean>
+
+    <!-- Define a private key factory (based on a local key) -->
+    <bean id="privateKeyFactory" parent="mda.PrivateKeyFactoryBean"
+        p:resource="${sign.keyResource}"
+        p:privateKeyPassword="${sign.keyPassword}" />
+
+    <!-- Signs items using a provided privateKeyFactory -->
+    <bean id="signItems" parent="mda.XMLSignatureSigningStage">
+        <property name="privateKey">
+            <ref bean="privateKeyFactory" />
+        </property>
+        <property name="certificates">
+            <list>
+                <bean id="us_incommon_signingCertificate" parent="mda.X509CertificateFactoryBean"
+                    p:resource="classpath:us_incommon/inc-md-cert.pem"/>
+            </list>
+        </property>
+    </bean>
+
+
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   M A I N   P I P E L I N E   ***
+        ***                               ***
+        *************************************
+    -->
+
+    <!--
+        The main "import_sign_localkey" pipeline is responsible for generating the
+        all-entities signed output aggregate using a local key.
+    -->
+    <bean id="import_sign_localkey" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+                <!--
+                    Start with the InCommon production aggregate.
+
+                    In a production environment, this will be the *unsigned* aggregate,
+                    so we perform minimal checking on its contents.
+                -->
+                <bean id="production_aggregate" parent="mda.DOMResourceSourceStage">
+                    <property name="parserPool" ref="parserPool"/>
+                    <property name="DOMResource">
+                        <bean parent="FileSystemResource" c:_0="${inc.production.xml}"/>
+                    </property>
+                </bean>
+
+                <!-- Break down into individual entities. -->
+                <ref bean="disassemble"/>
+
+                <!--
+                    In case we are testing with InCommon production metadata
+                    that already includes imported entities, remove those
+                    before proceeding to avoid them overwriting the
+                    new imported version.
+                -->
+                <bean id="keepInCommonEntities" parent="mda.EntityRegistrationAuthorityFilterStage">
+                    <property name="designatedRegistrationAuthorities">
+                        <list>
+                            <ref bean="us_incommon_registrar"/>
+                        </list>
+                    </property>
+                    <property name="requiringRegistrationInformation" value="true"/>
+                    <property name="keepingRegistrationAuthorities" value="true"/>
+                </bean>
+
+                <!-- Include a default registrationAuthority for each entity. -->
+                <ref bean="us_incommon_default_regauth"/>
+
+                <!-- Populate identifiers for future actions. -->
+                <ref bean="populateItemIds"/>
+                <ref bean="populateRegistrationAuthorities"/>
+
+                <!-- Merge in selected entities from eduGAIN. -->
+                <bean id="mergeProductionMDXEntities" parent="mda.PipelineMergeStage"
+                    p:collectionMergeStrategy-ref="deduplicateMergeStrategy">
+                    <property name="mergedPipelines">
+                        <list>
+                            <ref bean="incommon_edugain_importPipeline"/>
+                        </list>
+                    </property>
+                </bean>
+
+                <!--
+                    Discard entities in the InCommon entity blacklist.
+
+                    Because this is done _after_ the eduGAIN merge, the
+                    named entities will be removed whatever their source.
+                -->
+                <ref bean="remove_blacklisted_incommon_entities"/>
+
+                <!-- Fork new pipelines to generate special aggregates. -->
+                <bean id="demux" parent="mda.PipelineDemultiplexerStage">
+                    <property name="pipelinesAndStrategies">
+                        <list>
+                            <!-- IdP-only aggregate. -->
+                            <bean parent="mda.PipelineAndStrategy">
+                                <constructor-arg ref="idp.pipeline"/>
+                                <constructor-arg ref="idp.selector"/>
+                            </bean>
+                        </list>
+                    </property>
+                    <property name="waitingForPipelines" value="true"/>
+                </bean>
+
+                <!-- Perform common steps in constructing an output aggregate. -->
+                <ref bean="common.output"/>
+
+                <!-- Sign the aggregate -->
+                <ref bean="signItems" />
+
+                <!-- Write the resulting aggregate out to a file. -->
+                <ref bean="serializeImported"/>
+            </list>
+        </property>
+    </bean>
+
+</beans>
diff --git a/tests/incommon/data/mda-signing.crt b/tests/incommon/data/mda-signing.crt
new file mode 100644
index 0000000..cf4a28a
--- /dev/null
+++ b/tests/incommon/data/mda-signing.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnzCCAoegAwIBAgIUEzalCDbvJJYJ7Zm1p/6gfHy9cuMwDQYJKoZIhvcNAQEL
+BQAwXzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MRAwDgYDVQQKDAdPcmdOYW1lMR8wHQYDVQQDDBZtZHFzaWduaW5nLmV4YW1wbGUu
+b3JnMB4XDTI1MDUwODE2MzQwMloXDTM1MDUwNjE2MzQwMlowXzELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdPcmdO
+YW1lMR8wHQYDVQQDDBZtZHFzaWduaW5nLmV4YW1wbGUub3JnMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEArE6DLEYQ4Aw6UV4rE7BLkqsgPjqvnJf2ZXAt
+n2tzSUjrqDpzFmBxcx8gnPHo9bm4VpOko3NkW3mdjFmWeF1Q7v0tWKNBpC8/s6Pr
+5EudPsamfbHNMJAd9E9UaCKko6BmNdc2+BQBwU5DFRDSmedebT7CW7SLoabQPrqx
+RUXzgFeJQ+MR9LnTq2zVyzR+BU0fU7lgXDgcPN0sfI43vlGYdkTzwSgZ0Tcd8UY9
+DaMPgPpju6wbufv7GfQQVTAGdO/Y456dyRmlUKF1J0rIvxtw0VHMBd0Ox8/cmYZS
+u+3llXBFoVK6NisS9dCr0MH78AsdeDxh6PBwJPVUTnU/2rvSjwIDAQABo1MwUTAd
+BgNVHQ4EFgQUZdLMKhHzOVQ3n5lyyxsM/iH1ojcwHwYDVR0jBBgwFoAUZdLMKhHz
+OVQ3n5lyyxsM/iH1ojcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AQEARX8WEYXdqw0o+ROe2tpeaFYODontvTs1Ee5mD17EN6SCGX2EUnx88KvhQ0cE
+z4NltOBZr1PqXSVP66Ci6zibDZvIGQLHQ6luWeX1M5OEVSwUBprN1CT3LZgQEBR/
+VLwWKYTNAFooO/MynuLlCrtUNVc8OWmXd8jQ7GxD4B8rhVkIkC3J3HsSHq9/Di6o
++SkZVb+Qc14U6KNYmhdbnONHx3Y2m7d7l6bdfwkvXCzP8LJH3RGZAvQHV7I/Y6E2
+KweQEIQ+0rZD0t8Sv24vjZPWoNLKsQ1I1QCFFQHozt48ynbOhB492sOLcWBxlwie
+5aF2XSbrY506ihuDqUJ7ub17rg==
+-----END CERTIFICATE-----
diff --git a/tests/incommon/data/mda-signing.key b/tests/incommon/data/mda-signing.key
new file mode 100644
index 0000000..7f7e703
--- /dev/null
+++ b/tests/incommon/data/mda-signing.key
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,936CC9FA7554348A97B0D5D26FE96EEE
+
+VvadNjFoGmpsvpu5dV2KWBwSo/QTCZ+1NxWSpN0H+jPa9540T3rQ1a4egwQaHl9K
+NOUg7hERj1n0WLjxPXAWrx3BO5X6ECQFjHGQiIsXakfIF23uPLYqLAKEVsk0u6Ft
+KOZUDRlPM3jd0wH43shlCSKM0CzggVwxCXrP0Unyk2Ttzr/lIRUAC9o6qsPN1O35
+cdyR/ykt4ec61SS6KaJtfvKEUdOZx9GbnmU5qzxQMr6+PM4p5ITfjInFpNbu6HVg
+AXLV8X3ojP6tqiNGa9UjzUNsNDtSLI0MCh2AIt4Sf+4uV5+HoT6ePjuBQUEmH5G+
+8aMCCF8baLPxDEd7VWQD9Bh4l+R/xETAH2BGGq6++4pAqKR7S56tAXzGkUqDj7WY
+qlrNr2uGynQ8KK5G/xBjnkJ/BmeM+Vp5JdxFCXDNXtLfeQchmKGPA+2zgBOoXYyT
+AtMs95vWWFOGQ2xl4YqMJ2R51FTNuHOAHFDUKOKy5frzAH3t55ycmpp7xepMWala
+z/fp18nfBBTDDZqcD+Lclv7JD5i80SoSCo07G32VlvQiFE5s7BZ/8CPKahisSHHM
+RPC9hVmS8IaPwEWnBKCvGx1CQRYVhW1YXQ1bK6/HzYwN3bmqwBxI3sNN54Ek9KUR
+Jea4Ky8x0TR5Fh9sq+nyTEm4ZCfLZeu6b8mo9aIKQca0GCFdQl4eMIqzxsBig9+P
+qTe4LgkGUgeI8q0j4p8+SorktMR3oRlXLCeAswf8Qh3DGiAmi/faaQQg7RsRjgnR
+jyhajrxnwQosWl1/dY1+HjSISNX655/Xz37H+wQvuu9em12kRDrc8f5PfZI7af2a
+ZQX93KQcpxNymMM64FdXxiEo3+9OVyZTMH99PbDmxxHGxmJWwkmUqPXT2x0UoX+/
+Apwuk4Kp7QhbWjdAxarQYMIRmv44L6yZ0EfJyIfMz3ALTWqGekgGO2Vr5BRp0sNN
+CezLiNEG77N1hXydf2mIKFAkdRgopiqYHUkSZjKy6Xd9kUtvyODbMP4kJLROzTGl
+L63u0IV+8zu301uS8VGovKAv/mAYQX5C+fKW+jYXnxSPWQvAk7A/q/H9gb7nGK7t
+4rZiFhRjPmBgdMtjlsiO1AOPp4Ngfks5wjAGP00JqzYz9Ldfv9teUXqPma/Wanu+
+6r89uPicwrJCo8C587M6SdGDWBQ74c75MbhP5T/0Xev2h4VTeAOjkkrVUCM59rxH
+r38FNnZd1Xk/DOhdVHSmX8Gm/FFR0ibS0My6flDklfCoX1pn2JuzpXnZqoNocG2J
+RytaJUktplxyNci1Ljh2ifijvbUFHOhBDCIPn9yKtHyY6BhkWLY08/OHUJXYdC0j
+LmVGisgIRwAk/HV97z2oIxMfHf+LCvCN0xAirGBAeETiYqluW6BSbaqw7sT+ATpK
+nHLok5nhPYz+RfHl+SV5a3Cb7VKTpiUutwF6DkurvbJ+xSxiFxCgNDtXN0uz51b7
+4QO2kuB48AzUgJtm3/TvJ4E4Bf8RIcKiuC8jcqExDeJ5r+XrIapN8GrbP7DWLL9v
+Iy00z+4QJhLBPQ148fwmxVgU5xg955zBwDbnqdpa4PjgpQDi3rsYPjsG9zIJq/Uv
+-----END RSA PRIVATE KEY-----
diff --git a/tests/incommon/data/test-cert.pem b/tests/incommon/data/test-cert.pem
new file mode 100644
index 0000000..2cd50be
--- /dev/null
+++ b/tests/incommon/data/test-cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZoCCQCIj9cyx103KjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBB0ZXN0LmV4YW1w
+bGUub3JnMB4XDTE4MTAyMTE3MTc0NloXDTE5MTAyMTE3MTc0NlowGzEZMBcGA1UEAwwQdGVzdC5l
+eGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/lgbjJiZFJJBb9bsYN
+XKAdDzMmLxjP1ikR/zAkYMIMfNZZiJLsKdREs1tzDio6h1FgQ+jgiDwjpBGENfoKGDxg+DiViqIy
+wTh7zRduLfkVqgUHekZFPgn1T2SQb8IZ6EWOVZJwJyjffwiR2VfF5bUrSf+nvRen3wxxQM40Hb5T
+tzRRVtkWr1RoB+j4mxXdShBmk+aVFltD97aM3B/+ekW2deGAogF4+uKo3L0ikAKLjjz3uWny4kHV
+GMg+H6PxJWAZHcnHfH/EgI5F1E+H1MIi/4VCdek5BAsFlwPufEy+ah6FUNaa7xniOKm8kElzbMNa
+hd4IowqyZ9TPnKPPOg0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYSDTrlmXMILckXtSQqkJOrZ0
+BlQi+IIRV4xbYknTDb107RDm8RXHkpc6A8W8jcwU0djmgmuDlBzhvnzSwE+gxqU1/W3eWtz60rcA
+PwmF+r9wYvVnCmPkUw8RWPasrzRPQMzehA/251Zx6tMPwBkEqOyagi1sq1mZbQSlF08jVBL+J6tb
+P2yRc3pp19dGApL6klIA5Mi5+VmxwMtoQ5v6qHT1oDxeKWcSDNVeSYYoBiLB8hFN692NsDtY9Urd
+pBpLa6CxWSKZd11+sFclGfqh35+2PBfHSCiAFZ8RL2qsq5uIDz53XgfB33j723uF4xGsS80lMSOO
+LT9+TC1qkYRchQ==
+-----END CERTIFICATE-----
diff --git a/tests/incommon/data/test-edugain-metadata.xml b/tests/incommon/data/test-edugain-metadata.xml
new file mode 100644
index 0000000..9d501a6
--- /dev/null
+++ b/tests/incommon/data/test-edugain-metadata.xml
@@ -0,0 +1,216 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:algsupport="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" xmlns:disco="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:eduidmd="http://eduid.cz/schema/metadata/1.0" xmlns:eidas="http://eidas.europa.eu/saml-extensions" xmlns:elab="http://eduserv.org.uk/labels" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:mduri="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns1="http://www.w3.org/2000/09/xmldsig#" xmlns:ns2="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns4="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" xmlns:ns5="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:ns6="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" xmlns:ns7="urn:oasis:names:tc:SAML:metadata:ui" xmlns:oaf="http://schemas.eduserv.org.uk/openathens-federation/1.0" xmlns:privacy="http://docs.oasis-open.org/wsfed/privacy/200706" xmlns:pyff="http://pyff.io/NS" xmlns:q1="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:refeds="http://refeds.org/metadata" xmlns:remd="http://refeds.org/metadata" xmlns:renater="https://federation.renater.fr/metadata" xmlns:req="urn:oasis:names:tc:SAML:profiles:SSO:request-init" xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml1md="urn:mace:shibboleth:metadata:1.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samla="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ser="http://eidas.europa.eu/metadata/servicelist" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:taat="http://www.eenet.ee/EENet/urn" xmlns:ti="https://seamlessaccess.org/NS/trustinfo" xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label" xmlns:wayf="http://wayf.dk/2014/08/wayf" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xrd="http://docs.oasis-open.org/ns/xri/xrd-1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="eduGAIN" Name="http://edugain.org/" cacheDuration="PT6H" validUntil="2025-08-02T15:29:56Z">
+  <ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#eduGAIN"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>BH6UzP4yTXQCUUgZxVwzsU7kTgDlbb4+DRkU21UDcyY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>wgiyVKQC3RX/fr9zf87Ij1tAN04KJr5bIijt55qHnIQrpd4PUSEjdEK8Uuv6gcU4Wq22hdy5CfbRw8nk0QhXtYQruZBPyzbu5IfRi0vatd5DdMbgFXWXQLZ86yR2qciC+bfJW2vlCJmVzNH6ZakkaTkNAdyvO3e6cs6NoKv9IKLCcGVR9pj+RNKORq4JyKcawd9J+6UDiOAPIr1nQdGnZyqK+5uuuHCU6P63l50XjoYrfQ5cAP4jY2EjvaSbB+lJ7xgjWq6/Zoo2fDRuq6aQVYVgmMHM80SNCoIO151WhBo1IBrnvNpgd8KnSIEcKfs0velg3Pxajp4SlZrEnfXaM9dVj15fzWVFJ9yjq77HtHFeAvs8WL48RjbEywgtCIz28U9u4WwuY5OdI9Kj1k8pwkBh5lFQZlYkoy/UikIfU1NDXBd7vRIoAYaoGBNixkfwfaQJeYkG+9AMv/qJrj8V17ReC0j0Pkuf0c5Lb1UQg2WfVEEGA8NWDczuRVJw9/CBqqyTbnRgs1CFgwsr4cLRHBY1F2al/qei/374UuhIanNXY8LCc7otbysTfqvk4PhEUCEs1ZZ6fXer4K8fPvnTOTuxH4TfLjtGK+se3oK/P5tKGsBSxSvtBL2NnXM0UukfcROwEN2DIWi/PB2+w61ZkrsS4doIZ/APBdRRR/x66bg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFSzCCAzOgAwIBAgIUY99qGOKOxV+iz/+tWfwixuh0CpowDQYJKoZIhvcNAQEL
+BQAwNTEOMAwGA1UECgwFR0VBTlQxIzAhBgNVBAMMGmVkdUdBSU4gUlNBIFNpZ25l
+ciBDQSAyMDIyMB4XDTIyMDMwODA5MjIzMloXDTQyMDMwODA5MjIzMlowNTEOMAwG
+A1UECgwFR0VBTlQxIzAhBgNVBAMMGmVkdUdBSU4gUlNBIFNpZ25lciBDQSAyMDIy
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1H2PdoPu4QLKqfcg7uC9
+rzPA04tdUAdbdnByPddLFEeOfYUxkzbbmrEkUbvL65YAibbxJwEioIQTgSwrtoHL
+nT/puQnux7T7en5qYRDLpX7qR2ssNN4TiXS8Z8qDmI+LQw9YnNpI35qHguHKBr2J
+kbM7qdq6+8KQD0aK+7FyPcGsYDnOoLlJ8cfmIxY7mumfEbiAni/z/pP4Mo2g4rf4
+GY8nhHudJea6qSvxIGLRy7GlL0VOY/PCnxl+EPYSRZYEJEc9jNXsepIzpSU5AM6r
+kwO6Ue+5crYtJMey07b0IEaFNHc/Omt5KY+UO0ewYnjcdnKa5MWgTntxs+AzDiMp
+dIXGemo2SKfcqmAPUW8bLNFABdwxq/Bhcsqb1K+e4C61dPyI2rDWpaM+NIRLvpLD
+jDZsaMnhZK6/ezxKV4h94YKSF1fTunZsyEtaot53ztXjUgvALMFb/XqAes3V+o7D
+WSQ1JYvifkk2agzjel+A9m+e7UgaBuuqfwpkClgMExrB8CJI1xBuAHI/yldoaITL
+auPKWYb+bXpkPg8BznYhGIA9TSqTPNwd0WmH1SZ1lmINuN8ElKRmi+DKkKe9NRXf
+/jS3PKg9NnrFS9fnhTeaI8ikVSh8qPDfsUYtuDF1SL7B+27yT3+7WKCD6gqu/J4P
+8iYELM++C29VgApxlHnLdO8CAwEAAaNTMFEwHQYDVR0OBBYEFEgBijs8UaPzEW81
+hco9oyNH27b3MB8GA1UdIwQYMBaAFEgBijs8UaPzEW81hco9oyNH27b3MA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAMTQKHe5mybVO4hlTHeha1xo
+/OYREQsa0We4nR5Rbga6xDMHCjnDYdfZg6VqbgGUA97kOAymhlIFO0pNKGowlOdR
+o9AjEhW2mq2itD7e4T4bDWqJ+6YAVc94DIVAjaY8BSJiet5BccXB8oles+W9nQ8k
+k24X2uCa3lWTbUaNGootbN+DVKVvX85zt5p707++yRQJZH4AWSAgpglnnIxo/y2Z
+rVUl8LvbwU4SuSQnyorfaiA0Q4NCnJPoZh1sEyfqvcVkH915RwP+0Vl7oXYgYKx0
+52U+G6I3w5qm/PafUQ4K2hn2KIHYDCz4P8DV6pbUqzoZ15BvLPu/3eenzqvdtoGj
+hD8/3VxowicLrV69gEWJZ89VMjjPTHp7XyrEvKq4n7uquLArS3dW3+mNrmeFRA99
+Y59RFgtroEbIyk5Z/AQA0vuTfEATIMdn/jbeLC2juz57AAnuu6mE72KBdZY3OK2u
+F1sQCop/lWfN/khleo5EBWucQ+a7nZnByd6J0sp70AxjSOBTP5I0TBcdZgaDXJpH
+b4pOwX4EQeXUwlYTh2eYoZRP2thTdH0QrXKEEicynmBfvECz/4nAPwLPYk+yK9/a
+bYYSBn/KbBhBie7chsknzJ+XXb4C9ROubuuAl26yPQxX5uI03lYkVExpj5SdHzts
+/ULLKN5t9Us3gc9SQ3+6</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:Extensions>
+    <mdrpi:PublicationInfo creationInstant="2025-07-28T15:29:47Z" publisher="http://mds.edugain.org/"/>
+  </md:Extensions>
+  <md:EntityDescriptor entityID="https://idp.edugain.example.edu/idp/shibboleth">
+    <md:Extensions>
+      <mdrpi:RegistrationInfo registrationAuthority="https://edugain.example.edu">
+        <mdrpi:RegistrationPolicy xml:lang="en">https://example.server.com/Policy-v1.0.pdf</mdrpi:RegistrationPolicy>
+      </mdrpi:RegistrationInfo>
+    </md:Extensions>
+    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+      <md:Extensions>
+        <shibmd:Scope regexp="false">edugain.example.edu</shibmd:Scope>
+        <mdui:UIInfo>
+          <mdui:DisplayName xml:lang="en">Example IdP for eduGAIN</mdui:DisplayName>
+          <mdui:Description xml:lang="en">Example IdP for eduGAIN</mdui:Description>
+          <mdui:Logo height="80" width="80" xml:lang="en">https://example.server.com/idp/images/logo.png</mdui:Logo>
+        </mdui:UIInfo>
+      </md:Extensions>
+      <md:KeyDescriptor use="signing">
+        <ds:KeyInfo>
+          <ds:X509Data>
+            <ds:X509Certificate>
+MIIEKDCCApCgAwIBAgIVAK3+epRpBYLkDFqBDJP9WacC+I7YMA0GCSqGSIb3DQEBCwUAMBoxGDAW
+BgNVBAMMD2lkcC5tYXJlbi5hYy5tdzAeFw0yNTAyMjUxMjQyMDZaFw00NTAyMjUxMjQyMDZaMBox
+GDAWBgNVBAMMD2lkcC5tYXJlbi5hYy5tdzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGB
+ANp2cU7amXDFx7ZbPgo1lzwB1aF/LirEjfmeLirqK5giWJsgM9H8pxJjC3wQsposaKjvrH574N1L
++yzwHZxHFImyEqp323lcPXzjBuCKQrSkTOxmVrrKSOEwMNQ9fpNluf67J7MvlumN1/OSwesEyA98
+u5J6spp1B2uq9uERyqRbKprxJoNHVfHXlI1bDEc4UqTW2Ca86p9yLjulzvCaN/kM5x76fYdvmGGG
+cmKgjNnc/nc8AsToKHE/2qzbE9AvfR4mEQ/JTf4sJE92rytDu3fr6LvpL8QrnabWe4jW0kjk/9ow
+UBsFAaIvo89qcjxANuY9wM0kTWO8Js0pK220hlim8/tOTFPWKmxNwa3BdKtmtNwI8L5ZQoN40Aq+
+oqy7MD0xl6JUsC7AymAsPYoSPntzAbNwr7Xku0fRwSk4Qki8BB4qrDkQ65jr3T+M87K8hnrKiKYy
+iwWHzoVa6uFINfjngZKy35ThD5cJ7JB7JBYnbE/3fRsfUSf1soFSuJdSaQIDAQABo2UwYzAdBgNV
+HQ4EFgQUmZ2pcY599AATx9dv1TG0sMhmNqQwQgYDVR0RBDswOYIPaWRwLm1hcmVuLmFjLm13hiZo
+dHRwczovL2lkcC5tYXJlbi5hYy5tdy9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAYEA
+gvQQs9E3bI0WYKaaqwaekD/3LIV6haGYChQISFq7KBxcjSEpuAJif6P3cnjtlaiFwFtgZlh4PGZh
+jXxFyZRkunF8iwPAeZfyWvbwwk+zuPBvE0WNPdfzV2yeqQAzp1TnXP9fcgaRE1FCLzlGA0vgtBuf
+/pXLHw9gV+mcOZV0c6D/GSzshgpH+oRek3Cs1WmjttzFlkcQomCBat1e195Wu6nG7YE0SKsYY7+w
+WEB6rqzVdCPc1UsjpPSPCBbPWX5vD3AgO0VUEpdX9HIxCuBL24R2dMleww9bgErxDOjWOETN5Uv1
+SdGPTG3L1SdDvPnPGfjbYphKpcSpzIhO8HhhcUpUULklBRdgzDWZ8LVcT66O0B4ZRxkRk0zTlkCY
+vZvKZoeeAwuIVbLmfysxw8A74AbAzy/SshG1TJsDntwRUGCpCwsXl+Kvtd7HITTeKjfbItucB471
+MCNlu+JA+MrzGZc7CnjWHgSYkBnaVfjug9ZGxlt7OkEZsV6oxvWy71Av
+                    </ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </md:KeyDescriptor>
+      <md:KeyDescriptor use="signing">
+        <ds:KeyInfo>
+          <ds:X509Data>
+            <ds:X509Certificate>
+MIIEKDCCApCgAwIBAgIVAKYkzlzQ42lHFsDX1fgwgnxyxT74MA0GCSqGSIb3DQEBCwUAMBoxGDAW
+BgNVBAMMD2lkcC5tYXJlbi5hYy5tdzAeFw0yNTAyMjUxMjQyMDVaFw00NTAyMjUxMjQyMDVaMBox
+GDAWBgNVBAMMD2lkcC5tYXJlbi5hYy5tdzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGB
+AJUaaKVXg50HPzyCHqAtReMRPId9KP21LqdqcJtzZdmWpwoFKanY7sWNE7zLsIcerDp5lxFEM670
+ILO4dUJlQEWQBi7hHWe1jDLaruN/0a694Ptz/ncs3fIdnXs5Jt+RkSlTMHwSDWq/KdkMNc5tAeaw
+s1CyHaNPNa23fP4iA57LHKpJa7YPCgDABpdx0easTiUCuAOUQu5IeeIZGU0684iaTC7fcuYaIG/p
+majFZL+kqwskN0YsJn+mfO0Pcq9QpDQlSYv+X4uEy6fprfQWwALhwiifFLA4TdSVUObb9QkVgCqo
+vOTNScw9fkfsOhTGtj/A9vfaf0ekOtcWLwcJHUj2rTeGXCnWE0/mUqTmvn7NKlwLYkXUSMYSlSEM
+ZEHMtNkPz2HH1hrhPb7VbKLfekG4k10Vz7QSiyGudALmEpxtmBrz7JMmjmv60MvmOiodGFAs53lL
+fTjvYxxmOLvjRSYrt1itRLni932KgI/VQPDpwmS3tUtZI5jfR7bA4hF+9QIDAQABo2UwYzAdBgNV
+HQ4EFgQU54aph3TZpsUp1YtPNoMurShgyrowQgYDVR0RBDswOYIPaWRwLm1hcmVuLmFjLm13hiZo
+dHRwczovL2lkcC5tYXJlbi5hYy5tdy9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAYEA
+TPaNsUAR/NHEdRQ4ahOQGW3ohbBOg5ven9wTBSKhRTJYZDLdDT7aKodS0DXWIYWN/+WWkdYs8hmz
+mmB5sYmSfJP/PLdjl7p632dsu0P8nlJaWhw+rQ7I7nogKSnKIkGqp/SUBq6cqP9I0Xy9Q/08IjHB
+Bd4OunnRjjYdU87yyhBi7dYBO8X1b2M0X7B5VM0Ig4M9XrjMOfdBzgXi5b4q3Y0o3lqNA0CFLarX
+Gyev+qJ/rWA3iOZas/lWO3TC8gWlY1mNiaZmGnHauqJqPVK2qgzjN2uJHGFXHtBMLphiPLkCG/1Y
+V20CYpX2pN82nLSNtcQlFD0oTmTgjv7abfhfcn8yA6Zw9iXicTpJVJR5rbaJ8JY1XYq6PqFtcMUB
+B/IyINRPpwZmo/npLH1o5LzXfKJXjxX4vmAVz19rL1Bk4ad96qE3vzn6+kKq+c97bZqiPQiaPLb/
+pK+jqOPkWfE5intH8cqLJ8qIi2pmWHnnxrQpQ4nsaztCq8cnJ9muKKCM
+                    </ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </md:KeyDescriptor>
+      <md:KeyDescriptor use="encryption">
+        <ds:KeyInfo>
+          <ds:X509Data>
+            <ds:X509Certificate>
+MIIEJzCCAo+gAwIBAgIUFsBZm9KQOzx8TL3LuDzyMyc50WkwDQYJKoZIhvcNAQELBQAwGjEYMBYG
+A1UEAwwPaWRwLm1hcmVuLmFjLm13MB4XDTI1MDIyNTEyNDIwNloXDTQ1MDIyNTEyNDIwNlowGjEY
+MBYGA1UEAwwPaWRwLm1hcmVuLmFjLm13MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA
+mtbsq2HLu/lXVgBl07pfvojQMADa8LBnzHMLcH/4vm7QDm2jKZKCK11Xyn1pdTDeVOE1/uHfm8BP
+cwWWKcWEY+lyIWSijPyiBo3PenpVfd/gLsI9L8BoKPzbQMFIVMJd8pvZ+k6CpyAkK/ePH/LLTmNV
+LK5O0wtZSAyoPLtmPAtssVlzqVvcmAYSxLao+/uwLGaTB54Gxki4kQkRN+ydfD6Afy0Slw9jvRb9
+yHXw3GyIc7zlWilgkvu+wm9vlJ18bxgSozkv4PCEWirxPl36XzW7KxSCBpIbKNc3KTskMDKesAL/
+w2kJODBdsAj11AKO8gkotstQzCZLefsdFSq0zUqtp10RZaemz+OVTG/FHM/1T0l+t6e2FQG3tJAP
++W760Gnt0YmnrZ9WjryIdOjQkA2RGIMJKthLu80k8AlWG/Ukk8gTOs+JZYBlJQFJ9ItFz5jXru3h
+QtROJ+7G3nSaiGtpki1f5BP8vV/XjzaUFdFEnbReB3AdUoj0/WnrUZtFAgMBAAGjZTBjMB0GA1Ud
+DgQWBBSThV/OvOzPYkPuTxSEuuBWiVmCVjBCBgNVHREEOzA5gg9pZHAubWFyZW4uYWMubXeGJmh0
+dHBzOi8vaWRwLm1hcmVuLmFjLm13L2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBgQAM
+tkfqBgHIVQfVAa/TvutCHDY/0ZQCs/Zy4xT2ycKM18+M/eYLVKCwA4yDnStrckYYPt0o+uw7W9mL
+z8o1+pPONO/P2vZ0m7QszHH4nbv6XMpUnGBxV+x/JHsEsJkTSLZdIyR/vMNSgA9vMdt+DrwOcmhM
+0CrcEnNGuNFctBdUXW/juvoGIZJR8YUTpMbteBjFMtYLHA7eNaZGYgW+Ay9xV4Uh+VoNNinly/ka
+xd5gcJvmtbQS79o/g1HdOc/14USXsPWGDszFafy25d+8mRnnDL2rx0Sp0Eza7c9V/uozGzBiuBgd
+mf3RmuGSP37ESswiYPGOzJS+bwPmMixtNI/YNr5OizAWMpdUJvTi9l2hUdjdnNwO9jJW0Ytd72Pl
+gXP7dr9U0aiyUO2fWkf11XLsR7w2EJlXisv0gZw/NAoQjj6IaYypox/ltxDhSFXN94vH8hJE8MpT
+wn2o+KL6rZHCiWfybfZAjZaH/poZz/kbOz1rRqFEmQtKUz70Y78auBQ=
+                    </ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </md:KeyDescriptor>
+      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.edugain.example.edu/idp/profile/SAML2/SOAP/ArtifactResolution"/>
+      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.edugain.example.edu/idp/profile/SAML2/Redirect/SLO"/>
+      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.edugain.example.edu/idp/profile/SAML2/POST/SLO"/>
+      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
+      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
+      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.edugain.example.edu/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.edugain.example.edu/idp/profile/SAML2/Redirect/SSO"/>
+      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.edugain.example.edu/idp/profile/SAML2/POST/SSO"/>
+    </md:IDPSSODescriptor>
+    <md:Organization>
+      <md:OrganizationName xml:lang="en"> eduGAIN example  </md:OrganizationName>
+      <md:OrganizationDisplayName xml:lang="en"> eduGain example </md:OrganizationDisplayName>
+      <md:OrganizationURL xml:lang="en"> https://edugain.example.edu </md:OrganizationURL>
+    </md:Organization>
+    <md:ContactPerson contactType="technical">
+      <md:EmailAddress>mailto:systems@edugain.example.edu</md:EmailAddress>
+    </md:ContactPerson>
+    <md:ContactPerson contactType="support">
+      <md:EmailAddress>mailto:support@edugain.example.edu</md:EmailAddress>
+    </md:ContactPerson>
+  </md:EntityDescriptor>
+<EntityDescriptor entityID="https://identityproxy.sp.example.edugain.edu/sp/saml2">
+    <Extensions>
+      <mdrpi:RegistrationInfo registrationAuthority="https://sp.example.edugain.edu" registrationInstant="2023-12-29T18:40:00Z">
+        <mdrpi:RegistrationPolicy xml:lang="en">https://gif.sp.example.edugain.edu/pdf/metadatastatement.pdf</mdrpi:RegistrationPolicy>
+      </mdrpi:RegistrationInfo>
+    </Extensions>
+    <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+      <Extensions>
+        <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://identityproxy.sp.example.edugain.edu/sp/disco" index="1"/>
+        <mdui:UIInfo>
+          <mdui:DisplayName xml:lang="en">eduGAIN Example SP</mdui:DisplayName>
+          <mdui:Description xml:lang="en">eduGAIN Example SP</mdui:Description>
+          <mdui:Keywords xml:lang="se">Satosa SP-SE</mdui:Keywords>
+          <mdui:Keywords xml:lang="en">Satosa SP-EN</mdui:Keywords>
+          <mdui:InformationURL xml:lang="en">http://sp.example.edugain.edu/</mdui:InformationURL>
+          <mdui:PrivacyStatementURL xml:lang="en">http://sp.example.edugain.edu/</mdui:PrivacyStatementURL>
+          <mdui:Logo height="80" width="80">https://wsidp.sp.example.edugain.edu/idp/images/logo.png</mdui:Logo>
+        </mdui:UIInfo>
+      </Extensions>
+      <KeyDescriptor>
+        <ds:KeyInfo>
+          <ds:X509Data>
+            <ds:X509Certificate>
+MIIEATCCAumgAwIBAgIUS4N+ue40exBaQsY3B6rcNQRcFZAwDQYJKoZIhvcNAQEL
+BQAwgY8xCzAJBgNVBAYTAkdIMQ4wDAYDVQQIDAVHaGFuYTEOMAwGA1UEBwwFQWNj
+cmExDzANBgNVBAoMBkdBUk5FVDEPMA0GA1UECwwGR0FSTkVUMRwwGgYDVQQDDBNw
+cm94eS5nYXJuZXQuZWR1LmdoMSAwHgYJKoZIhvcNAQkBFhFub2NAZ2FybmV0LmVk
+dS5naDAeFw0yNDA4MzExNzIyNDRaFw0yNTA4MzExNzIyNDRaMIGPMQswCQYDVQQG
+EwJHSDEOMAwGA1UECAwFR2hhbmExDjAMBgNVBAcMBUFjY3JhMQ8wDQYDVQQKDAZH
+QVJORVQxDzANBgNVBAsMBkdBUk5FVDEcMBoGA1UEAwwTcHJveHkuZ2FybmV0LmVk
+dS5naDEgMB4GCSqGSIb3DQEJARYRbm9jQGdhcm5ldC5lZHUuZ2gwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCMwnFBOO1iAtGGLiTkflGJL6+jJVnQiOB2
+mnTZJvoMzRrD1PSrnexftZ4HFhZN7+6mqp/KzO4CeVyWILPH8D1s3dOju5pLM1Al
+6PcUDyx3fSHzOTQ2CKIyygapdhlARQ9G4nJCs1ch38szwDOTZlTf5ddAkDCveG6u
+GZKmoBXTMH3Vf2L0VpRA+NBzA6YYPTYBZ/q+rUa/RgqlKsRdHJkw20IEEkweRmcV
+CpRFXeK2oex9Qej9zAgHwHCbBOfcs5B/Z6M5NB6SvS4EFumZVFvGd6o7TnKKjARo
+XhH5bovBIjiQ/+RCAgOoWYR9+8iis2njwqXWSAqcF1phi7R0olSzAgMBAAGjUzBR
+MB0GA1UdDgQWBBSzC8ESDVwCfcONyo+BgdVi74mp3TAfBgNVHSMEGDAWgBSzC8ES
+DVwCfcONyo+BgdVi74mp3TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQATOEuBFJOPuZwSL1bn+sJnu7vI9RDdn8d6YzydKc/83WmrMfEsN9QLTYr2
+IrBRR5hsFtOucGTgqn+0/fEB5sKCKIM0tsbSJpmx9bG3W6WG5xQ+FiIjRiOa3wdK
+MXMVPlza1zWAGdR39T/acG8Vt7jtpDA436dsZyRAfSDsz3EJHKT6/afDNrIzY/rg
+ofsmgmwUUN0pPni9tGyzGlmC9cBszYFGX16ksRdOuWCvyyw46stYo6pIHGIJqpuG
+vjLEEu/SD3S9BDNCVnU3xCWHAJuiMuWL78nuAYLOnapV9BQ1wfZAPyfrF7BfJQAc
+rCQ5wiQlCiUdMUTWlNVfhJR1n5Pp
+</ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </KeyDescriptor>
+      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://identityproxy.sp.example.edugain.edu/sp/acs/post" index="1"/>
+    </SPSSODescriptor>
+    <Organization>
+      <OrganizationName xml:lang="en">sp.example.edugain.edu</OrganizationName>
+      <OrganizationDisplayName xml:lang="en">sp.example.edugain.edu</OrganizationDisplayName>
+      <OrganizationURL xml:lang="en">http://sp.example.edugain.edu</OrganizationURL>
+    </Organization>
+    <ContactPerson contactType="technical">
+      <GivenName>Technical</GivenName>
+      <EmailAddress>mailto:admin@sp.example.edugain.edu</EmailAddress>
+    </ContactPerson>
+    <ContactPerson contactType="technical">
+      <GivenName>Technical</GivenName>
+      <EmailAddress>mailto:admin@sp.example.edugain.edu</EmailAddress>
+    </ContactPerson>
+  </EntityDescriptor>
+</md:EntitiesDescriptor>
diff --git a/tests/incommon/data/test-metadata-signed.xml b/tests/incommon/data/test-metadata-signed.xml
new file mode 100644
index 0000000..88c90b8
--- /dev/null
+++ b/tests/incommon/data/test-metadata-signed.xml
@@ -0,0 +1,220 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:icmd="http://id.incommon.org/metadata" xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:remd="http://refeds.org/metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="test20181021T000000" Name="urn:mace:incommon" validUntil="2020-01-01T100:00:00Z"><ds:Signature>
+<ds:SignedInfo>
+<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+<ds:Reference URI="">
+<ds:Transforms>
+<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</ds:Transforms>
+<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+<ds:DigestValue>sB7Njem2CLBoTYaJqS720jGD2JV9fvyTHxJUtcy57Rs=</ds:DigestValue>
+</ds:Reference>
+</ds:SignedInfo>
+<ds:SignatureValue>
+DuOJlj86XnWZb7wTo0kp9licHMDO0jcW7/feDVyGd+glglqkBFEG4ojQ7KokSK/Z7aT9VyXOygBL
+EZUZeUDtU1EMrkZeVfMNV4gVcUU9Ls9pZ0uIFNz0Vj8Ot4yUKHroXJearCyNnT6hILFCDfzCCQV9
+VnD2Mn0Mm7XdFXQy2P2FJXRUPiGWGIYsPfemHofVzazxQtXtVmVmi7AZ5/rGEYUQckrQZL++IvGo
+S45xlNH3qUuUt9vr+w00ihiBWBjYQGZFPxafrYlMmbX/SZqRATM7HF9oC+1isG4prHQkCyhMxXir
+lxhq/Ffeg16TmMTBwpgPY6TyihHlqdn7RdWxeA==
+</ds:SignatureValue>
+<ds:KeyInfo>
+<ds:KeyValue>
+<ds:RSAKeyValue>
+<ds:Modulus>
+v+WBuMmJkUkkFv1uxg1coB0PMyYvGM/WKRH/MCRgwgx81lmIkuwp1ESzW3MOKjqHUWBD6OCIPCOk
+EYQ1+goYPGD4OJWKojLBOHvNF24t+RWqBQd6RkU+CfVPZJBvwhnoRY5VknAnKN9/CJHZV8XltStJ
+/6e9F6ffDHFAzjQdvlO3NFFW2RavVGgH6PibFd1KEGaT5pUWW0P3tozcH/56RbZ14YCiAXj64qjc
+vSKQAouOPPe5afLiQdUYyD4fo/ElYBkdycd8f8SAjkXUT4fUwiL/hUJ16TkECwWXA+58TL5qHoVQ
+1prvGeI4qbyQSXNsw1qF3gijCrJn1M+co886DQ==
+</ds:Modulus>
+<ds:Exponent>AQAB</ds:Exponent>
+</ds:RSAKeyValue>
+</ds:KeyValue>
+<ds:X509Data>
+<ds:X509Certificate>
+MIICsjCCAZoCCQCIj9cyx103KjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBB0ZXN0LmV4YW1w
+bGUub3JnMB4XDTE4MTAyMTE3MTc0NloXDTE5MTAyMTE3MTc0NlowGzEZMBcGA1UEAwwQdGVzdC5l
+eGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/lgbjJiZFJJBb9bsYN
+XKAdDzMmLxjP1ikR/zAkYMIMfNZZiJLsKdREs1tzDio6h1FgQ+jgiDwjpBGENfoKGDxg+DiViqIy
+wTh7zRduLfkVqgUHekZFPgn1T2SQb8IZ6EWOVZJwJyjffwiR2VfF5bUrSf+nvRen3wxxQM40Hb5T
+tzRRVtkWr1RoB+j4mxXdShBmk+aVFltD97aM3B/+ekW2deGAogF4+uKo3L0ikAKLjjz3uWny4kHV
+GMg+H6PxJWAZHcnHfH/EgI5F1E+H1MIi/4VCdek5BAsFlwPufEy+ah6FUNaa7xniOKm8kElzbMNa
+hd4IowqyZ9TPnKPPOg0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYSDTrlmXMILckXtSQqkJOrZ0
+BlQi+IIRV4xbYknTDb107RDm8RXHkpc6A8W8jcwU0djmgmuDlBzhvnzSwE+gxqU1/W3eWtz60rcA
+PwmF+r9wYvVnCmPkUw8RWPasrzRPQMzehA/251Zx6tMPwBkEqOyagi1sq1mZbQSlF08jVBL+J6tb
+P2yRc3pp19dGApL6klIA5Mi5+VmxwMtoQ5v6qHT1oDxeKWcSDNVeSYYoBiLB8hFN692NsDtY9Urd
+pBpLa6CxWSKZd11+sFclGfqh35+2PBfHSCiAFZ8RL2qsq5uIDz53XgfB33j723uF4xGsS80lMSOO
+LT9+TC1qkYRchQ==
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</ds:Signature>
+  <Extensions>
+    <mdrpi:PublicationInfo creationInstant="2018-09-05T19:29:24Z" publisher="https://incommon.org"/>
+  </Extensions>
+  <EntityDescriptor entityID="https://example.com/shibboleth">
+    <Extensions>
+      <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
+      <mdattr:EntityAttributes>
+        <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+          <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
+          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
+          <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue>
+        </saml:Attribute>
+      </mdattr:EntityAttributes>
+    </Extensions>
+    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+      <Extensions>
+        <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://example.com/Shibboleth.sso/Login" index="1"/>
+        <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://example.com/Shibboleth.sso/Clear" index="2"/>
+        <mdui:UIInfo>
+          <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>
+          <mdui:Description xml:lang="en">Example Service at Example Company.</mdui:Description>
+          <mdui:InformationURL xml:lang="en">https://example.com/services/view/example-service</mdui:InformationURL>
+          <mdui:PrivacyStatementURL xml:lang="en">https://example.com/privacy</mdui:PrivacyStatementURL>
+          <mdui:Logo height="200" width="200" xml:lang="en">https://example.com/images/logo200x200.gif</mdui:Logo>
+        </mdui:UIInfo>
+      </Extensions>
+      <KeyDescriptor>
+        <ds:KeyInfo>
+          <ds:X509Data>
+            <!-- Serial No. 15149766524924023670, expires on Sat Jul  4 22:43:05 2020 GMT -->
+            <ds:X509Certificate>
+MIIDGzCCAgOgAwIBAgIJANI+yGM0M1N2MA0GCSqGSIb3DQEBBQUAMCcxJTAjBgNV
+BAMTHGx0Y2F3aWtpMDEuaXQub2hpby1zdGF0ZS5lZHUwHhcNMTAwNzA3MjI0MzA1
+WhcNMjAwNzA0MjI0MzA1WjAnMSUwIwYDVQQDExxsdGNhd2lraTAxLml0Lm9oaW8t
+c3RhdGUuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5fsEv25M
+r9wfa48qfjn8m40yB/lwimJ8dSnYw2erd/tfB+sPESw42Is5Lv2B3pI3mj9a0PT0
+Gf1VgUoQW0RCT6L4VOW50WsPFv/RKPfT/AIRl00dTCqb440PgotGbrK9ivZqlvkz
+lSGUKuFcg2gLj+CJlbMcwEneSwn0FE1xKEGpMDUk91lZH1XxmnIDDOQn1G5qul4q
+AbXITMpLi2MlsHAEXxnLrthFFas6zDrviTwHcqGXq9zJJkPHDcbu1qg6AUT7bRJr
+qszxxktSV6mFclkgLPpcVkigMR8RNVMQkWaaWSnfBkFy2iAe3xw3DNp7obtzgItY
+i9N8U6K5qorSkQIDAQABo0owSDAnBgNVHREEIDAeghxsdGNhd2lraTAxLml0Lm9o
+aW8tc3RhdGUuZWR1MB0GA1UdDgQWBBR32XnCliG78DdyTtZhyIQSHChtyjANBgkq
+hkiG9w0BAQUFAAOCAQEAVEweCxPElHGmam4Iv2QeJsGE7m4de7axp3epAJb7uVbN
+Z2P1S/s4GZQhmGsUoGoxwqca3wyQ+C1ZkpQJdyFl5s1tFc26D+Z0KTDo174GzO9i
+I9SeQ4YSp3FNhZqxn4xH3DULzzHwoVSwFr5irLPAVtrqK8H/rzBREhqOse2VSJ/1
+PkI+p7lUiElIzMiObLGjumF2fDOPkXOSMNyC4c5oCCJtcrip/BaLo6bqdqn3DKP8
+onMw/lHZQolyVsupuhGsSX13WVJ0uyGvuA7hiHnGEkpDmskUd3TsriyQAt47RZzY
+tTupO/NdWvz8SvXU1qIOk9CTQ0D2b2OOftfUW+FuAQ==
+            </ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </KeyDescriptor>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://example.com/Shibboleth.sso/SAML/Artifact" index="1"/>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://example.com/Shibboleth.sso/SAML/POST" index="2"/>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://example.com/Shibboleth.sso/SAML2/Artifact" index="3"/>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/Shibboleth.sso/SAML2/POST" index="4"/>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://example.com/Shibboleth.sso/SAML2/ECP" index="5"/>
+      <AttributeConsumingService index="1">
+        <ServiceName xml:lang="en">Example Service</ServiceName>
+        <ServiceDescription xml:lang="en">Example Service at Example Company.</ServiceDescription>
+        <RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+        <RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+        <RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+      </AttributeConsumingService>
+    </SPSSODescriptor>
+    <Organization>
+      <OrganizationName xml:lang="en">Example Company, Inc.</OrganizationName>
+      <OrganizationDisplayName xml:lang="en">Example Company</OrganizationDisplayName>
+      <OrganizationURL xml:lang="en">https://www.example.com/</OrganizationURL>
+    </Organization>
+    <ContactPerson contactType="administrative">
+      <GivenName>Administrative Contact</GivenName>
+      <EmailAddress>admin@example.com</EmailAddress>
+    </ContactPerson>
+    <ContactPerson contactType="support">
+      <GivenName>Support Contact</GivenName>
+      <EmailAddress>support@example.com</EmailAddress>
+    </ContactPerson>
+    <ContactPerson contactType="technical">
+      <GivenName>Technical Contact</GivenName>
+      <EmailAddress>technical@example.com</EmailAddress>
+    </ContactPerson>
+    <ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
+      <GivenName>Security Contact</GivenName>
+      <EmailAddress>security@example.com</EmailAddress>
+    </ContactPerson>
+  </EntityDescriptor>
+  <EntityDescriptor entityID="urn:mace:incommon:example.edu">
+    <Extensions>
+      <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
+      <mdattr:EntityAttributes>
+        <saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
+        </saml:Attribute>
+        <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certific ation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+          <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
+        </saml:Attribute>
+        <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn: oasis:names:tc:SAML:2.0:attrname-format:uri">
+          <saml:AttributeValue>http://id.incommon.org/category/registered-by-incom
+mon</saml:AttributeValue>
+        </saml:Attribute>
+      </mdattr:EntityAttributes>
+    </Extensions>
+    <IDPSSODescriptor errorURL="https://example.edu/error/" protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+      <Extensions>
+        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
+        <mdui:UIInfo>
+          <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
+          <mdui:InformationURL xml:lang="en">https://example.edu/information/</mdui:InformationURL>
+          <mdui:PrivacyStatementURL xml:lang="en">https://example.edu/privacy/</mdui:PrivacyStatementURL>
+          <mdui:Logo height="64" width="64" xml:lang="en">https://example.edu/images/logo64x64.png</mdui:Logo>
+        </mdui:UIInfo>
+      </Extensions>
+      <KeyDescriptor use="signing">
+        <ds:KeyInfo>
+          <ds:X509Data>
+            <!-- Serial No. 12375483969372239368, expires on Mon Feb  4 20:07:37 2030 GMT -->
+            <ds:X509Certificate>
+MIIDITCCAgmgAwIBAgIJAKu+jRod+TYIMA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV
+BAMTHndlYmF1dGguc2VydmljZS5vaGlvLXN0YXRlLmVkdTAeFw0xMDAyMDkyMDA3
+MzdaFw0zMDAyMDQyMDA3MzdaMCkxJzAlBgNVBAMTHndlYmF1dGguc2VydmljZS5v
+aGlvLXN0YXRlLmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMpZ
+P+xV7kNCuuUtg4X8MTxTnS2TSU/tompvYjI0af4q7N5od7uzEqHBD9FMvh9bZ7GS
+CACX5yYjBYZCb59i0tstfpCsDBho2Wi497EjmaTw81EQ1AjM6EhRb/we0MLj0er8
+8q+vnVC7Jb7DoStoNIEFoOTv8LvKldrrXVX3yHZR3bEVtvblZbGMSYtPdH/TYMDQ
+cmqkpzldfz9rQFDLSM8mqBqf56zmB8uzkZKhujTXOzb4STvaq7hhAnDwT3z9c00O
+XbDBWxd1CplgHwZvrbWxYxf5gTCaPvHuLY5WeA8Ky5SUZifO/szEDvEm8K0rHStK
+H/blQiX5fUQ6t3SfxbsCAwEAAaNMMEowKQYDVR0RBCIwIIIed2ViYXV0aC5zZXJ2
+aWNlLm9oaW8tc3RhdGUuZWR1MB0GA1UdDgQWBBR70C49vjOa/Ikk86hkX998wqQt
+UDANBgkqhkiG9w0BAQUFAAOCAQEAlgMMaTIwrly4U896lUa92iif3bLGADPjc0Is
+6a6k6RytjJm/r0lbtjCWW6zs1T6L7458Ow+57fyF0Oh/iXvj65m+dvCBWXnag7hN
+1yMBJQMRpSjH7dLko7y0EJ/ZrKEYQwYnBGmCILvJB/MIj2eEkq2Z47uWpvrehJfb
+zsEeAbjNqw1V/AJN7E4paw8aYg8TXEXAdOvNL5h7KRQw8Ui0kCw2DeTTIXExSxZd
+bqw6ldfQD2fVYnLxDGTFqITCi1a9TidA4xCXD95F7uQaEao3O8ArZcyag62uiMtv
+i24RvCRvD/vsnUhI82pV/DK+2icz6UDtiiKrFNAmIiR14TanfA==
+            </ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </KeyDescriptor>
+      <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://example.edu/idp/profile/Shibboleth/SSO"/>
+      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.edu/idp/profile/SAML2/POST/SSO"/>
+      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://example.edu/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.edu/idp/profile/SAML2/Redirect/SSO"/>
+      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://example.edu/idp/profile/SAML2/SOAP/ECP"/>
+    </IDPSSODescriptor>
+    <Organization>
+      <OrganizationName xml:lang="en">Example University</OrganizationName>
+      <OrganizationDisplayName xml:lang="en">Example University</OrganizationDisplayName>
+      <OrganizationURL xml:lang="en">https://www.example.edu/</OrganizationURL>
+    </Organization>
+    <ContactPerson contactType="support">
+      <GivenName>Support Contact</GivenName>
+      <EmailAddress>support@example.edu</EmailAddress>
+    </ContactPerson>
+    <ContactPerson contactType="technical">
+      <GivenName>Technical Contactt</GivenName>
+      <EmailAddress>technical@example.edu</EmailAddress>
+    </ContactPerson>
+    <ContactPerson contactType="administrative">
+      <GivenName>Administrative Contact</GivenName>
+      <EmailAddress>admin@example.edu</EmailAddress>
+    </ContactPerson>
+    <ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
+      <GivenName>Security Contact</GivenName>
+      <EmailAddress>security@example.edu</EmailAddress>
+    </ContactPerson>
+  </EntityDescriptor>
+</EntitiesDescriptor>
diff --git a/tests/incommon/data/test-metadata.xml b/tests/incommon/data/test-metadata.xml
new file mode 100644
index 0000000..dd8b92b
--- /dev/null
+++ b/tests/incommon/data/test-metadata.xml
@@ -0,0 +1,188 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+  xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+  xmlns:icmd="http://id.incommon.org/metadata"
+  xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+  xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+  xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+  xmlns:remd="http://refeds.org/metadata"
+  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  ID="test20181021T000000"
+  Name="urn:mace:incommon"
+  validUntil="2020-01-01T100:00:00Z">
+  <Extensions>
+    <mdrpi:PublicationInfo creationInstant="2018-09-05T19:29:24Z" publisher="https://incommon.org"/>
+  </Extensions>
+  <EntityDescriptor entityID="https://example.com/shibboleth">
+    <Extensions>
+      <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
+      <mdattr:EntityAttributes>
+        <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+          <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
+          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
+          <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue>
+        </saml:Attribute>
+      </mdattr:EntityAttributes>
+    </Extensions>
+    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+      <Extensions>
+        <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://example.com/Shibboleth.sso/Login" index="1"/>
+        <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://example.com/Shibboleth.sso/Clear" index="2"/>
+        <mdui:UIInfo>
+          <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>
+          <mdui:Description xml:lang="en">Example Service at Example Company.</mdui:Description>
+          <mdui:InformationURL xml:lang="en">https://example.com/services/view/example-service</mdui:InformationURL>
+          <mdui:PrivacyStatementURL xml:lang="en">https://example.com/privacy</mdui:PrivacyStatementURL>
+          <mdui:Logo height="200" width="200" xml:lang="en">https://example.com/images/logo200x200.gif</mdui:Logo>
+        </mdui:UIInfo>
+      </Extensions>
+      <KeyDescriptor>
+        <ds:KeyInfo>
+          <ds:X509Data>
+            <!-- Serial No. 15149766524924023670, expires on Sat Jul  4 22:43:05 2020 GMT -->
+            <ds:X509Certificate>
+MIIDGzCCAgOgAwIBAgIJANI+yGM0M1N2MA0GCSqGSIb3DQEBBQUAMCcxJTAjBgNV
+BAMTHGx0Y2F3aWtpMDEuaXQub2hpby1zdGF0ZS5lZHUwHhcNMTAwNzA3MjI0MzA1
+WhcNMjAwNzA0MjI0MzA1WjAnMSUwIwYDVQQDExxsdGNhd2lraTAxLml0Lm9oaW8t
+c3RhdGUuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5fsEv25M
+r9wfa48qfjn8m40yB/lwimJ8dSnYw2erd/tfB+sPESw42Is5Lv2B3pI3mj9a0PT0
+Gf1VgUoQW0RCT6L4VOW50WsPFv/RKPfT/AIRl00dTCqb440PgotGbrK9ivZqlvkz
+lSGUKuFcg2gLj+CJlbMcwEneSwn0FE1xKEGpMDUk91lZH1XxmnIDDOQn1G5qul4q
+AbXITMpLi2MlsHAEXxnLrthFFas6zDrviTwHcqGXq9zJJkPHDcbu1qg6AUT7bRJr
+qszxxktSV6mFclkgLPpcVkigMR8RNVMQkWaaWSnfBkFy2iAe3xw3DNp7obtzgItY
+i9N8U6K5qorSkQIDAQABo0owSDAnBgNVHREEIDAeghxsdGNhd2lraTAxLml0Lm9o
+aW8tc3RhdGUuZWR1MB0GA1UdDgQWBBR32XnCliG78DdyTtZhyIQSHChtyjANBgkq
+hkiG9w0BAQUFAAOCAQEAVEweCxPElHGmam4Iv2QeJsGE7m4de7axp3epAJb7uVbN
+Z2P1S/s4GZQhmGsUoGoxwqca3wyQ+C1ZkpQJdyFl5s1tFc26D+Z0KTDo174GzO9i
+I9SeQ4YSp3FNhZqxn4xH3DULzzHwoVSwFr5irLPAVtrqK8H/rzBREhqOse2VSJ/1
+PkI+p7lUiElIzMiObLGjumF2fDOPkXOSMNyC4c5oCCJtcrip/BaLo6bqdqn3DKP8
+onMw/lHZQolyVsupuhGsSX13WVJ0uyGvuA7hiHnGEkpDmskUd3TsriyQAt47RZzY
+tTupO/NdWvz8SvXU1qIOk9CTQ0D2b2OOftfUW+FuAQ==
+            </ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </KeyDescriptor>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://example.com/Shibboleth.sso/SAML/Artifact" index="1"/>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://example.com/Shibboleth.sso/SAML/POST" index="2"/>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://example.com/Shibboleth.sso/SAML2/Artifact" index="3"/>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/Shibboleth.sso/SAML2/POST" index="4"/>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://example.com/Shibboleth.sso/SAML2/ECP" index="5"/>
+      <AttributeConsumingService index="1">
+        <ServiceName xml:lang="en">Example Service</ServiceName>
+        <ServiceDescription xml:lang="en">Example Service at Example Company.</ServiceDescription>
+        <RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+        <RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+        <RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+      </AttributeConsumingService>
+    </SPSSODescriptor>
+    <Organization>
+      <OrganizationName xml:lang="en">Example Company, Inc.</OrganizationName>
+      <OrganizationDisplayName xml:lang="en">Example Company</OrganizationDisplayName>
+      <OrganizationURL xml:lang="en">https://www.example.com/</OrganizationURL>
+    </Organization>
+    <ContactPerson contactType="administrative">
+      <GivenName>Administrative Contact</GivenName>
+      <EmailAddress>admin@example.com</EmailAddress>
+    </ContactPerson>
+    <ContactPerson contactType="support">
+      <GivenName>Support Contact</GivenName>
+      <EmailAddress>support@example.com</EmailAddress>
+    </ContactPerson>
+    <ContactPerson contactType="technical">
+      <GivenName>Technical Contact</GivenName>
+      <EmailAddress>technical@example.com</EmailAddress>
+    </ContactPerson>
+    <ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
+      <GivenName>Security Contact</GivenName>
+      <EmailAddress>security@example.com</EmailAddress>
+    </ContactPerson>
+  </EntityDescriptor>
+  <EntityDescriptor entityID="urn:mace:incommon:example.edu">
+    <Extensions>
+      <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
+      <mdattr:EntityAttributes>
+        <saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
+        </saml:Attribute>
+        <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certific
+ation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+          <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
+        </saml:Attribute>
+        <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:
+oasis:names:tc:SAML:2.0:attrname-format:uri">
+          <saml:AttributeValue>http://id.incommon.org/category/registered-by-incom
+mon</saml:AttributeValue>
+        </saml:Attribute>
+      </mdattr:EntityAttributes>
+    </Extensions>
+    <IDPSSODescriptor errorURL="https://example.edu/error/" protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+      <Extensions>
+        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
+        <mdui:UIInfo>
+          <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
+          <mdui:InformationURL xml:lang="en">https://example.edu/information/</mdui:InformationURL>
+          <mdui:PrivacyStatementURL xml:lang="en">https://example.edu/privacy/</mdui:PrivacyStatementURL>
+          <mdui:Logo height="64" width="64" xml:lang="en">https://example.edu/images/logo64x64.png</mdui:Logo>
+        </mdui:UIInfo>
+      </Extensions>
+      <KeyDescriptor use="signing">
+        <ds:KeyInfo>
+          <ds:X509Data>
+            <!-- Serial No. 12375483969372239368, expires on Mon Feb  4 20:07:37 2030 GMT -->
+            <ds:X509Certificate>
+MIIDITCCAgmgAwIBAgIJAKu+jRod+TYIMA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV
+BAMTHndlYmF1dGguc2VydmljZS5vaGlvLXN0YXRlLmVkdTAeFw0xMDAyMDkyMDA3
+MzdaFw0zMDAyMDQyMDA3MzdaMCkxJzAlBgNVBAMTHndlYmF1dGguc2VydmljZS5v
+aGlvLXN0YXRlLmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMpZ
+P+xV7kNCuuUtg4X8MTxTnS2TSU/tompvYjI0af4q7N5od7uzEqHBD9FMvh9bZ7GS
+CACX5yYjBYZCb59i0tstfpCsDBho2Wi497EjmaTw81EQ1AjM6EhRb/we0MLj0er8
+8q+vnVC7Jb7DoStoNIEFoOTv8LvKldrrXVX3yHZR3bEVtvblZbGMSYtPdH/TYMDQ
+cmqkpzldfz9rQFDLSM8mqBqf56zmB8uzkZKhujTXOzb4STvaq7hhAnDwT3z9c00O
+XbDBWxd1CplgHwZvrbWxYxf5gTCaPvHuLY5WeA8Ky5SUZifO/szEDvEm8K0rHStK
+H/blQiX5fUQ6t3SfxbsCAwEAAaNMMEowKQYDVR0RBCIwIIIed2ViYXV0aC5zZXJ2
+aWNlLm9oaW8tc3RhdGUuZWR1MB0GA1UdDgQWBBR70C49vjOa/Ikk86hkX998wqQt
+UDANBgkqhkiG9w0BAQUFAAOCAQEAlgMMaTIwrly4U896lUa92iif3bLGADPjc0Is
+6a6k6RytjJm/r0lbtjCWW6zs1T6L7458Ow+57fyF0Oh/iXvj65m+dvCBWXnag7hN
+1yMBJQMRpSjH7dLko7y0EJ/ZrKEYQwYnBGmCILvJB/MIj2eEkq2Z47uWpvrehJfb
+zsEeAbjNqw1V/AJN7E4paw8aYg8TXEXAdOvNL5h7KRQw8Ui0kCw2DeTTIXExSxZd
+bqw6ldfQD2fVYnLxDGTFqITCi1a9TidA4xCXD95F7uQaEao3O8ArZcyag62uiMtv
+i24RvCRvD/vsnUhI82pV/DK+2icz6UDtiiKrFNAmIiR14TanfA==
+            </ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </KeyDescriptor>
+      <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://example.edu/idp/profile/Shibboleth/SSO"/>
+      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.edu/idp/profile/SAML2/POST/SSO"/>
+      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://example.edu/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.edu/idp/profile/SAML2/Redirect/SSO"/>
+      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://example.edu/idp/profile/SAML2/SOAP/ECP"/>
+    </IDPSSODescriptor>
+    <Organization>
+      <OrganizationName xml:lang="en">Example University</OrganizationName>
+      <OrganizationDisplayName xml:lang="en">Example University</OrganizationDisplayName>
+      <OrganizationURL xml:lang="en">https://www.example.edu/</OrganizationURL>
+    </Organization>
+    <ContactPerson contactType="support">
+      <GivenName>Support Contact</GivenName>
+      <EmailAddress>support@example.edu</EmailAddress>
+    </ContactPerson>
+    <ContactPerson contactType="technical">
+      <GivenName>Technical Contactt</GivenName>
+      <EmailAddress>technical@example.edu</EmailAddress>
+    </ContactPerson>
+    <ContactPerson contactType="administrative">
+      <GivenName>Administrative Contact</GivenName>
+      <EmailAddress>admin@example.edu</EmailAddress>
+    </ContactPerson>
+    <ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
+      <GivenName>Security Contact</GivenName>
+      <EmailAddress>security@example.edu</EmailAddress>
+    </ContactPerson>
+  </EntityDescriptor>
+</EntitiesDescriptor>
diff --git a/tests/incommon/scripts/consolidateIncommonAndEdugain.sh b/tests/incommon/scripts/consolidateIncommonAndEdugain.sh
new file mode 100755
index 0000000..56837ee
--- /dev/null
+++ b/tests/incommon/scripts/consolidateIncommonAndEdugain.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+# Generate metadata files required for the MDQ service
+
+# TODO:
+#   * Wrap mda output in debug function
+#   * Count files
+
+set -euo pipefail
+
+# Get script name
+PROG=`basename $0`
+
+# Get metadata validation funtions
+source /$MDQ_HOME/tests/incommon/scripts/metadataValidation.sh
+
+# Print debug output
+function debug {
+  echo [DEBUG] $PROG: "$@"
+}
+
+# Print error output
+function error {
+  echo [ERROR] $PROG: "$@"
+}
+
+# Print informational output
+function info {
+  echo [INFO] $PROG: "$@"
+}
+
+info "Starting at $(date)"
+
+# Use local key
+debug "Using local key"
+
+# The inc.generate.import_sign_localkey target erroneously depends on sign.uk.keyPassword
+# The mda.inc.imported-idp.xml is  the parameter for the unsigned idp-only aggregate output file
+# The mda.inc.imported.xml is the parameter for the unsigned aggregate output file
+ANT_OPTS=(inc.generate.import_sign_localkey \
+  "-Dedugain.dir=/mda/inc/inc-meta/mdx/int_edugain" \
+  "-Dmda.inc.edugain.xml=tests/incommon/data/test-edugain-metadata.xml" \
+  "-Dmda.inc.imported.xml=/tmp/incommon-and-edugain-metadata.xml" \
+  "-Dmda.inc.imported-idp.xml=/tmp/incommon-and-edugain-idp-metadata.xml" \
+  "-Dmda.inc.production.xml=tests/incommon/data/test-metadata.xml" \
+  "-Dmda.sign.keyResource=file:///keys/mda-signing.key" \
+  "-Dshared.ws.dir=/mda/inc/inc-meta" \
+  "-Dsign.uk.keyPassword=dummypassword")
+
+# Set source for signed InCommon metadata aggregate
+MD_SOURCE_FILE=$MDQ_HOME/tests/incommon/data/test-metadata.xml
+MD_SOURCE_CERT=/$MDQ_HOME/tests/incommon/data/test-cert.pem
+
+# Create temp local signing key/cert
+SGNPWD=dummypassword
+export SGNPWD
+mkdir -p /keys
+[ ! -L /keys/mda-signing.crt ] && ln -s /$MDQ_HOME/tests/incommon/data/mda-signing.crt /keys/mda-signing.crt
+[ ! -L /keys/mda-signing.key ] && ln -s /$MDQ_HOME/tests/incommon/data/mda-signing.key /keys/mda-signing.key
+
+# Generate all required metadata for the MDQ service
+debug "Generating metadata"
+cd "$MDQ_HOME" || exit 1
+if ! /usr/bin/ant "${ANT_OPTS[@]}"
+then
+  error "Metadata generation failed"
+  exit 1
+fi
diff --git a/tests/incommon/scripts/edugainDownload.sh b/tests/incommon/scripts/edugainDownload.sh
new file mode 100755
index 0000000..b6d2121
--- /dev/null
+++ b/tests/incommon/scripts/edugainDownload.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# Download metadata files required for the MDQ service
+
+ANT_OPTS=(inc.edugain.download \
+  "-Dshared.ws.dir=/mda/inc/inc-meta" \
+  "-Dedugain.dir=/mda/inc/inc-meta/mdx/int_edugain" \
+  "-Dmda.inc.edugain.xml=/tmp/edugain-metadata.xml")
+
+# Download eduGAIN metadata for the MDQ service
+echo "Running ant to download the eduGAIN metadata file."
+cd "$MDQ_HOME" || exit 1
+if ! /usr/bin/ant "${ANT_OPTS[@]}"
+then
+  echo "Download failed"
+  exit 1
+fi
diff --git a/tests/incommon/scripts/genMDFromSignedMD.sh b/tests/incommon/scripts/genMDFromSignedMD.sh
new file mode 100755
index 0000000..163a2ff
--- /dev/null
+++ b/tests/incommon/scripts/genMDFromSignedMD.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+# Generate metadata files required for the MDQ service
+
+# TODO:
+#   * Wrap mda output in debug function
+#   * Count files
+
+set -euo pipefail
+
+# Get script name
+PROG=`basename $0`
+
+# Get metadata validation funtions
+source /$MDQ_HOME/tests/incommon/scripts/metadataValidation.sh
+
+# Print debug output
+function debug {
+  echo [DEBUG] $PROG: "$@"
+}
+
+# Print error output
+function error {
+  echo [ERROR] $PROG: "$@"
+}
+
+# Print informational output
+function info {
+  echo [INFO] $PROG: "$@"
+}
+
+info "Starting at $(date)"
+
+# Use local key
+debug "Using local key"
+# The inc.mdq.generate.all.localkey target erroneously depends on sign.uk.keyPassword
+ANT_OPTS=(inc.mdq.generate.all.localkey \
+  "-Dshared.ws.dir=/mda/inc/inc-meta" \
+  "-Dmda.sign.keyResource=file:///keys/mda-signing.key" \
+  "-Dmda.inc.imported.xml=tests/incommon/data/test-metadata-signed.xml" \
+  "-Dsign.uk.keyPassword=dummypassword")
+
+# Set source for signed InCommon metadata aggregate
+MD_SOURCE_FILE=$MDQ_HOME/tests/incommon/data/test-metadata-signed.xml
+MD_SOURCE_CERT=/$MDQ_HOME/tests/incommon/data/test-cert.pem
+
+debug "Verifying source metadata signature"
+# Get the timestamp from the metadata aggregate file
+MDTIME=$(stat -c %y "$MD_SOURCE_FILE" | cut -d ' ' -f1,2)
+export MDTIME
+
+# Verify the signature on the metadata aggregate
+args=(--verifySignature \
+  --inFile "$MD_SOURCE_FILE" \
+  --certificate "$MD_SOURCE_CERT" \
+  --outFile "$INC_MD_VERIFIED_PATH")
+if ! "$XMLSECTOOL_PATH" "${args[@]}"
+then
+  error "Source metadata signature verification failed"
+  exit 1
+fi
+
+rm -f /tmp/inc-metadata.xml
+
+# Create temp local signing key/cert
+SGNPWD=dummypassword
+export SGNPWD
+mkdir -p /keys
+[ ! -L /keys/mda-signing.crt ] && ln -s /$MDQ_HOME/tests/incommon/data/mda-signing.crt /keys/mda-signing.crt
+[ ! -L /keys/mda-signing.key ] && ln -s /$MDQ_HOME/tests/incommon/data/mda-signing.key /keys/mda-signing.key
+
+# Generate all required metadata for the MDQ service
+debug "Generating metadata"
+cd "$MDQ_HOME" || exit 1
+if ! /usr/bin/ant "${ANT_OPTS[@]}"
+then
+  error "Metadata generation failed"
+  exit 1
+fi
diff --git a/tests/incommon/scripts/genMDFromUnsignedMD.sh b/tests/incommon/scripts/genMDFromUnsignedMD.sh
new file mode 100755
index 0000000..d3b6d44
--- /dev/null
+++ b/tests/incommon/scripts/genMDFromUnsignedMD.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+# Generate metadata files required for the MDQ service
+
+# TODO:
+#   * Wrap mda output in debug function
+#   * Count files
+
+set -euo pipefail
+
+# Get script name
+PROG=`basename $0`
+
+# Get metadata validation funtions
+source /$MDQ_HOME/tests/incommon/scripts/metadataValidation.sh
+
+# Print debug output
+function debug {
+  echo [DEBUG] $PROG: "$@"
+}
+
+# Print error output
+function error {
+  echo [ERROR] $PROG: "$@"
+}
+
+# Print informational output
+function info {
+  echo [INFO] $PROG: "$@"
+}
+
+info "Starting at $(date)"
+
+# Use local key
+debug "Using local key"
+# The inc.mdq.generate.all.localkey target erroneously depends on sign.uk.keyPassword
+ANT_OPTS=(inc.mdq.generate.all.localkey \
+  "-Dshared.ws.dir=/mda/inc/inc-meta" \
+  "-Dmda.sign.keyResource=file:///keys/mda-signing.key" \
+  "-Dmda.inc.imported.xml=tests/incommon/data/test-edugain-metadata.xml" \
+  "-Dsign.uk.keyPassword=dummypassword")
+
+# Set source for signed InCommon metadata aggregate
+MD_SOURCE_FILE=$MDQ_HOME/tests/incommon/data/test-metadata.xml
+MD_SOURCE_CERT=/$MDQ_HOME/tests/incommon/data/test-cert.pem
+
+# Create temp local signing key/cert
+SGNPWD=dummypassword
+export SGNPWD
+mkdir -p /keys
+[ ! -L /keys/mda-signing.crt ] && ln -s /$MDQ_HOME/tests/incommon/data/mda-signing.crt /keys/mda-signing.crt
+[ ! -L /keys/mda-signing.key ] && ln -s /$MDQ_HOME/tests/incommon/data/mda-signing.key /keys/mda-signing.key
+
+# Generate all required metadata for the MDQ service
+debug "Generating metadata"
+cd "$MDQ_HOME" || exit 1
+if ! /usr/bin/ant "${ANT_OPTS[@]}"
+then
+  error "Metadata generation failed"
+  exit 1
+fi
diff --git a/tests/incommon/scripts/metadataValidation.sh b/tests/incommon/scripts/metadataValidation.sh
new file mode 100755
index 0000000..5b5f203
--- /dev/null
+++ b/tests/incommon/scripts/metadataValidation.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Function to check metadata validity window (validUntil attribute)
+check_validity_window() {
+  local file="$1"
+
+  # Check if the file exists
+  if [ ! -f "$file" ]; then
+    echo "File $file does not exist."
+    exit 1
+  fi
+
+  # echo "Verifying metadata validity window in file: $file"
+
+  # Extract a specific element/attribute value
+  valid_until_timestamp_string=$(grep -oP '(Entity|Entities)Descriptor[^>]*\svalidUntil="\K[^"]*' "$file")
+
+  # Extract the date portion from the date string (YYYY-MM-DD)
+  valid_until_date=$(echo "$valid_until_timestamp_string" | cut -d'T' -f1)
+
+  # Get the current date in YYYY-MM-DD format
+  current_date=$(date +%Y-%m-%d)
+
+  # Calculate the date for two weeks in the future
+  future_date=$(date -d "$current_date + 14 days" +%Y-%m-%d)
+
+  # Compare the date portion of the date string with the future date
+  if [ "$valid_until_date" != "$future_date" ]; then
+    echo "[ERROR] $file"
+    echo "[ERROR] validUntil date $valid_until_date is not 2 weeks in the future from $current_date"
+    exit 1
+  fi
+}