diff --git a/README.md b/README.md
index 63fba15b..20dae1a5 100644
--- a/README.md
+++ b/README.md
@@ -18,9 +18,13 @@ The second main category excluded from the public repository is the historic reg
 
 Since 2016, we have separated the entity database and aggregate record from the main toolchain repository, but the nature of Git is to never discard anything. We will therefore continue to make this repository publicly available only in redacted form.
 
-## Licensing
+## Copyright and License
 
-Everything in the public repository is Copyright (C) 2004–2015, University of Edinburgh. Each file is made available to you under the following terms:
+The contents of this repository are Copyright (C) the named contributors or their
+employers, as appropriate.
+
+In particular, all content authored prior to the 1st of August 2016 is
+Copyright (C) 2011—2016, University of Edinburgh.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/attic/extract_entityids.xsl b/attic/extract_entityids.xsl
index dc915ee3..0723dd87 100644
--- a/attic/extract_entityids.xsl
+++ b/attic/extract_entityids.xsl
@@ -1,31 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_entityids.xsl
-	
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of entity IDs.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    extract_entityids.xsl
+
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of entity IDs.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	exclude-result-prefixes="md ds wayf">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md ds">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
 
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
+    <xsl:template match="//md:EntityDescriptor">
+        <xsl:value-of select="@entityID"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
 
-	<xsl:template match="//md:EntityDescriptor">
-		<xsl:value-of select="@entityID"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-	
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/attic/extract_member_dates.xsl b/attic/extract_member_dates.xsl
index b1e69ec8..0a793447 100644
--- a/attic/extract_member_dates.xsl
+++ b/attic/extract_member_dates.xsl
@@ -1,34 +1,34 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_member_dates.xsl
-	
-	XSL stylesheet that takes the UK federation members.xml file ane extracts
-	member names and joining dates in a format suitable for updating.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    extract_member_dates.xsl
+
+    XSL stylesheet that takes the UK federation members.xml file ane extracts
+    member names and joining dates in a format suitable for updating.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:ukfm="http://ukfederation.org.uk/2007/01/members">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-	
-	<xsl:template match="ukfm:Member">
-		<xsl:value-of select="ukfm:JoinDate"/>
-		<xsl:text>,"</xsl:text>
-		<xsl:value-of select="md:OrganizationName"/>
-		<xsl:text>"&#x0a;</xsl:text>
-	</xsl:template>
-
-	<!--
-		Junk any extraneous text nodes.
-	-->
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
-	
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ukfm="http://ukfederation.org.uk/2007/01/members">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="ukfm:Member">
+        <xsl:value-of select="ukfm:JoinDate"/>
+        <xsl:text>,"</xsl:text>
+        <xsl:value-of select="md:OrganizationName"/>
+        <xsl:text>"&#x0a;</xsl:text>
+    </xsl:template>
+
+    <!--
+        Junk any extraneous text nodes.
+    -->
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/attic/extract_saml2sp.xsl b/attic/extract_saml2sp.xsl
index e3378aaf..aa59a0db 100644
--- a/attic/extract_saml2sp.xsl
+++ b/attic/extract_saml2sp.xsl
@@ -1,37 +1,37 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_saml2sp.xsl
-	
-	XSL stylesheet that takes a SAML 2.0 metadata aggregate and extracts
-	SAML 2.0 support information for each SP entity.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    extract_saml2sp.xsl
+
+    XSL stylesheet that takes a SAML 2.0 metadata aggregate and extracts
+    SAML 2.0 support information for each SP entity.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="md ds">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-	
-	<xsl:template match="//md:EntityDescriptor[md:SPSSODescriptor]">
-		<xsl:value-of select="@ID"/>
-		<xsl:text> </xsl:text>
-		<xsl:choose>
-			<xsl:when test="contains(md:SPSSODescriptor/@protocolSupportEnumeration,
-				'urn:oasis:names:tc:SAML:2.0:protocol')">yes</xsl:when>
-			<xsl:otherwise>no</xsl:otherwise>
-		</xsl:choose>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-	
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
-	
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md ds">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="//md:EntityDescriptor[md:SPSSODescriptor]">
+        <xsl:value-of select="@ID"/>
+        <xsl:text> </xsl:text>
+        <xsl:choose>
+            <xsl:when test="contains(md:SPSSODescriptor/@protocolSupportEnumeration,
+                'urn:oasis:names:tc:SAML:2.0:protocol')">yes</xsl:when>
+            <xsl:otherwise>no</xsl:otherwise>
+        </xsl:choose>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/attic/identity.xsl b/attic/identity.xsl
index caac8f28..23f2a177 100644
--- a/attic/identity.xsl
+++ b/attic/identity.xsl
@@ -1,30 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	identity.xsl
-	
-	Identity transform.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    identity.xsl
+
+    Identity transform.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-		
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/attic/keynames.pl b/attic/keynames.pl
index 23216794..a917025d 100755
--- a/attic/keynames.pl
+++ b/attic/keynames.pl
@@ -1,10 +1,11 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
 
 #
 # keynames.pl
 #
 # Extracts statistics about KeyName elements from the published metadata.
 #
+use warnings;
 use lib "../build";
 use Xalan;
 use Months;
diff --git a/attic/keynames_inner.pl b/attic/keynames_inner.pl
index bed6059f..3778f942 100755
--- a/attic/keynames_inner.pl
+++ b/attic/keynames_inner.pl
@@ -1,4 +1,6 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
+
+use warnings;
 use POSIX qw(floor);
 use File::Temp qw(tempfile);
 use Date::Format;
diff --git a/attic/members_domains.xsl b/attic/members_domains.xsl
index f1104725..6764589b 100644
--- a/attic/members_domains.xsl
+++ b/attic/members_domains.xsl
@@ -1,78 +1,78 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	members_domains.xsl
-	
-	Update members.xml to use Domain and PrimaryScope instead of
-	Scopes and isPrimary.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    members_domains.xsl
+
+    Update members.xml to use Domain and PrimaryScope instead of
+    Scopes and isPrimary.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:members="http://ukfederation.org.uk/2007/01/members"
-	xmlns:xalan="http://xml.apache.org/xalan"
-	
-	exclude-result-prefixes="members xalan"
-	xmlns="http://ukfederation.org.uk/2007/01/members"
-	>
+    xmlns:members="http://ukfederation.org.uk/2007/01/members"
+    xmlns:xalan="http://xml.apache.org/xalan"
+
+    exclude-result-prefixes="members xalan"
+    xmlns="http://ukfederation.org.uk/2007/01/members"
+    >
+
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"
+        indent="yes" xalan:indent-amount="4"
+    />
+
+    <!--
+        If a Scopes element has an isPrimary Scope, extract that
+        as the domain and primary scope for the member.
+
+        The result may not be schema-valid if the Scopes element is not
+        the first one belonging to the member: duplicate Domains elements
+        need to be removed, and misplaced Domains elements may need
+        to be moved around manually.
+    -->
+    <xsl:template match="members:Scopes[members:Scope/@isPrimary='true']">
+        <xsl:variable name="prdom" select="members:Scope[@isPrimary='true']"/>
+        <xsl:element name="Domains">
+            <xsl:text>&#10;            </xsl:text>
+            <xsl:element name="Domain"><xsl:value-of select="$prdom"/></xsl:element>
+            <xsl:text>&#10;        </xsl:text>
+        </xsl:element>
+        <xsl:text>&#10;        </xsl:text>
+        <xsl:element name="PrimaryScope"><xsl:value-of select="$prdom"/></xsl:element>
+        <!--
+            Delete the Scopes element entirely if:
+                * it contains only one Scope, and
+                * it contains no Entity elements
+
+            In other words, retain it if:
+                * it contains more than one Scope, or
+                * it contains any Entity elements
+        -->
+        <xsl:if test="count(members:Scope)>1 or count(members:Entity)!=0">
+            <xsl:text>&#10;        </xsl:text>
+            <xsl:copy>
+                <xsl:apply-templates/>
+            </xsl:copy>
+        </xsl:if>
+    </xsl:template>
+
+    <!--
+        Remove any remaining isPrimary attributes.
+    -->
+    <xsl:template match="@isPrimary">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"
-		indent="yes" xalan:indent-amount="4"
-	/>
-	
-	<!--
-		If a Scopes element has an isPrimary Scope, extract that
-		as the domain and primary scope for the member.
-		
-		The result may not be schema-valid if the Scopes element is not
-		the first one belonging to the member: duplicate Domains elements
-		need to be removed, and misplaced Domains elements may need
-		to be moved around manually.
-	-->
-	<xsl:template match="members:Scopes[members:Scope/@isPrimary='true']">
-		<xsl:variable name="prdom" select="members:Scope[@isPrimary='true']"/>
-		<xsl:element name="Domains">
-			<xsl:text>&#10;            </xsl:text>
-			<xsl:element name="Domain"><xsl:value-of select="$prdom"/></xsl:element>
-			<xsl:text>&#10;        </xsl:text>
-		</xsl:element>
-		<xsl:text>&#10;        </xsl:text>
-		<xsl:element name="PrimaryScope"><xsl:value-of select="$prdom"/></xsl:element>
-		<!--
-			Delete the Scopes element entirely if:
-				* it contains only one Scope, and
-				* it contains no Entity elements
-				
-			In other words, retain it if:
-				* it contains more than one Scope, or
-				* it contains any Entity elements
-		-->
-		<xsl:if test="count(members:Scope)>1 or count(members:Entity)!=0">
-			<xsl:text>&#10;        </xsl:text>
-			<xsl:copy>
-				<xsl:apply-templates/>
-			</xsl:copy>
-		</xsl:if>
-	</xsl:template>
-	
-	<!--
-		Remove any remaining isPrimary attributes.
-	-->
-	<xsl:template match="@isPrimary">
-		<!-- do nothing -->
-	</xsl:template>
-	
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/attic/patch_entity.pl b/attic/patch_entity.pl
index a720c6ba..a47c4dfa 100755
--- a/attic/patch_entity.pl
+++ b/attic/patch_entity.pl
@@ -5,4 +5,4 @@
 		next;
 	}
 	print $_;
-}
\ No newline at end of file
+}
diff --git a/build.xml b/build.xml
index 3d51a54d..947cf0ee 100644
--- a/build.xml
+++ b/build.xml
@@ -145,9 +145,10 @@
         Metadata Distribution Service server properties.
     -->
     <property name="md.user" value="mdscp"/>
-    <property name="md.dist.host1.name" value="md1.infr.ukfederation.org.uk"/>
-    <property name="md.dist.host2.name" value="md2.infr.ukfederation.org.uk"/>
-    <property name="md.dist.host3.name" value="md3.infr.ukfederation.org.uk"/>
+    <property name="md.dist.host-ne-01.name" value="md-ne-01.infr.ukfederation.org.uk"/>
+    <property name="md.dist.host-ne-02.name" value="md-ne-02.infr.ukfederation.org.uk"/>
+    <property name="md.dist.host-we-01.name" value="md-we-01.infr.ukfederation.org.uk"/>
+    <property name="md.dist.host-we-02.name" value="md-we-02.infr.ukfederation.org.uk"/>
     <property name="mdq.dist.name" value="mdq.ukfederation.org.uk"/>
     <property name="md.dist.path.name" value="/"/>
 
@@ -171,7 +172,7 @@
         Web server properties.
     -->
     <property name="www.user" value="wwwscp"/>
-    <property name="www.hostname" value="web1.infr.ukfederation.org.uk"/>
+    <property name="www.hostname" value="www-ne-01.infr.ukfederation.org.uk"/>
     <property name="www.path.stats" value="/var/www/html/fed"/>
     <property name="www.path.members" value="/var/www/externals"/>
     <property name="www.url.stats" value="${www.user}@${www.hostname}:${www.path.stats}"/>
@@ -521,7 +522,7 @@
         fs.tar.mdqcache">
         <echo>Stage 4 Success: MDQ cache created; all files comitted to data repository.</echo>
     </target>
-    
+
     <!--
         Stage 4.2 of md process: Copy files from keymaster, push.
 
@@ -548,7 +549,7 @@
         Runs on: orchestrator
             * Git: Create New Tag
             * Git: Push to origin
-            * SCP: Copy mdq cache to repo 
+            * SCP: Copy mdq cache to repo
             * Jenkins: Trigger publish task
     -->
     <target name="process.bagandtag" depends="
@@ -873,7 +874,7 @@
       Checks out master branch of data repository
     -->
     <target name="git.data.masterbranch.checkout">
-        <echo>Switching to deferred branch in data repository.</echo>
+        <echo>Switching to master branch in data repository.</echo>
         <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.data}" failonerror="true">
             <arg value="checkout"/>
             <arg value="master"/>
@@ -1186,7 +1187,7 @@
             <delete file="${temp.xml}" quiet="true" verbose="false"/>
         </sequential>
     </macrodef>
-    
+
     <!--
         Verify a metadata file held on the master distribution site, using the ukfederation-mdq.pem key
     -->
@@ -1269,52 +1270,68 @@
         <checksum file="${aggregates.dir}/${mdaggr.export.preview.signed}"
             property="mdaggr.export.preview.signed.checksum"/>
 
-        <echo>Verifying metadata held at ${md.dist.host1.name}</echo>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.prod.signed}"
+        <echo>Verifying metadata held at ${md.dist.host-ne-01.name}</echo>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.prod.signed}"
+            checksum="${mdaggr.prod.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.wayf.signed}"
+            checksum="${mdaggr.wayf.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
+            checksum="${mdaggr.cdsall.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.test.signed}"
+            checksum="${mdaggr.test.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.back.signed}"
+            checksum="${mdaggr.back.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.export.signed}"
+            checksum="${mdaggr.export.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
+            checksum="${mdaggr.export.preview.signed.checksum}"/>
+
+        <echo>Verifying metadata held at ${md.dist.host-ne-02.name}</echo>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.prod.signed}"
             checksum="${mdaggr.prod.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.wayf.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.wayf.signed}"
             checksum="${mdaggr.wayf.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
             checksum="${mdaggr.cdsall.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.test.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.test.signed}"
             checksum="${mdaggr.test.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.back.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.back.signed}"
             checksum="${mdaggr.back.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.export.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.export.signed}"
             checksum="${mdaggr.export.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
             checksum="${mdaggr.export.preview.signed.checksum}"/>
 
-        <echo>Verifying metadata held at ${md.dist.host2.name}</echo>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.prod.signed}"
+        <echo>Verifying metadata held at ${md.dist.host-we-01.name}</echo>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.prod.signed}"
             checksum="${mdaggr.prod.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.wayf.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.wayf.signed}"
             checksum="${mdaggr.wayf.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
             checksum="${mdaggr.cdsall.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.test.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.test.signed}"
             checksum="${mdaggr.test.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.back.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.back.signed}"
             checksum="${mdaggr.back.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.export.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.export.signed}"
             checksum="${mdaggr.export.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
             checksum="${mdaggr.export.preview.signed.checksum}"/>
 
-        <echo>Verifying metadata held at ${md.dist.host3.name}</echo>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.prod.signed}"
+        <echo>Verifying metadata held at ${md.dist.host-we-02.name}</echo>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.prod.signed}"
             checksum="${mdaggr.prod.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.wayf.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.wayf.signed}"
             checksum="${mdaggr.wayf.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
             checksum="${mdaggr.cdsall.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.test.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.test.signed}"
             checksum="${mdaggr.test.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.back.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.back.signed}"
             checksum="${mdaggr.back.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.export.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.export.signed}"
             checksum="${mdaggr.export.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
             checksum="${mdaggr.export.preview.signed.checksum}"/>
 
         <echo>Verification completed.</echo>
@@ -1689,7 +1706,7 @@
             </XMLSECTOOL>
         </sequential>
     </macrodef>
-    
+
     <macrodef name="XMLSECTOOL.VFY.MDQ.uk">
         <attribute name="i"/><!-- input file -->
         <sequential>
@@ -2040,22 +2057,28 @@
             Push metadata files for the UK Federation to the MD dist servers
         -->
         <echo>Pushing UK Federation metadata files to MD dist.</echo>
-        <echo>-> MD1</echo>
+        <echo>-> MD-NE-01</echo>
+        <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
+            <arg value="push"/>
+            <arg value="md-ne-01"/>
+            <arg value="master"/>
+        </exec>
+        <echo>-> MD-NE-02</echo>
         <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
             <arg value="push"/>
-            <arg value="md1"/>
+            <arg value="md-ne-02"/>
             <arg value="master"/>
         </exec>
-        <echo>-> MD2</echo>
+        <echo>-> MD-WE-01</echo>
         <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
             <arg value="push"/>
-            <arg value="md2"/>
+            <arg value="md-we-01"/>
             <arg value="master"/>
         </exec>
-        <echo>-> MD3</echo>
+        <echo>-> MD-WE-01</echo>
         <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
             <arg value="push"/>
-            <arg value="md3"/>
+            <arg value="md-we-02"/>
             <arg value="master"/>
         </exec>
     </target>
@@ -2065,20 +2088,26 @@
             Push mdq cache tar to the MD dist servers
         -->
         <echo>Pushing UK Federation mdq cache to MD dist.</echo>
-        <echo>-> MD1</echo>
-        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host1.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
+        <echo>-> MD-NE-01</echo>
+        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-ne-01.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
             <fileset dir="${output.dir}">
                 <include name="${mdq.cache}"/>
             </fileset>
         </scp>
-        <echo>-> MD2</echo>
-        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host2.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
+        <echo>-> MD-NE-02</echo>
+        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-ne-02.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
             <fileset dir="${output.dir}">
                 <include name="${mdq.cache}"/>
             </fileset>
         </scp>
-        <echo>-> MD3</echo>
-        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host3.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
+        <echo>-> MD-WE-01</echo>
+        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-we-01.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
+            <fileset dir="${output.dir}">
+                <include name="${mdq.cache}"/>
+            </fileset>
+        </scp>
+        <echo>-> MD-WE-02</echo>
+        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-we-02.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
             <fileset dir="${output.dir}">
                 <include name="${mdq.cache}"/>
             </fileset>
@@ -2294,6 +2323,15 @@
         <fixcrlf file="${output.dir}/${mdaggr.stats}" eol="lf" encoding="UTF-8"/>
     </target>
 
+    <!--
+        This variant generates a much simpler file, intended for use when building the
+        monthly chart pack.
+    -->
+    <target name="stats.charting">
+        <CHANNEL.do channel="uk" verb="statistics.charting"/>
+        <fixcrlf file="${output.dir}/${mdaggr.stats}" eol="lf" encoding="UTF-8"/>
+    </target>
+
     <!--
         Check mailing list against current metadata
     -->
@@ -2434,6 +2472,29 @@
         <delete file="${temp.dir}/embedded.pem" quiet="true" verbose="false"/>
     </target>
 
+    <!--
+        Check embedded certificates in our production aggregate.
+
+        You can ignore almost all of the output from this, other than
+        the summary information at the end and in particular the
+        number of distinct RSA moduli.
+    -->
+    <target name="check.embedded.all">
+        <echo>Extracting embedded certificates</echo>
+        <XALAN
+            i="${aggregates.dir}/${mdaggr.prod.signed}"
+            o="${temp.dir}/embedded.pem"
+            x="${build.dir}/extract_embedded.xsl"/>
+        <echo>Checking embedded certificates</echo>
+        <echo>Note: ignore expiry on eduGAIN entities</echo>
+        <exec executable="perl" dir="${utilities.dir}"
+            input="${temp.dir}/embedded.pem">
+            <arg value="${utilities.dir}/check_embedded.pl"/>
+            <arg value="${entities.dir}/expiry_whitelist.txt"/>
+        </exec>
+        <delete file="${temp.dir}/embedded.pem" quiet="true" verbose="false"/>
+    </target>
+
     <!--
        Check for IdPs using the single-port configuration.
     -->
diff --git a/build/extract_addresses.xsl b/build/extract_addresses.xsl
index 24bcf16a..76dbd4c5 100644
--- a/build/extract_addresses.xsl
+++ b/build/extract_addresses.xsl
@@ -1,46 +1,45 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_addresses.xsl
-	
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of contact e-mail addresses.  Only administrative and
-	technical addresses are used; all others are dropped.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    extract_addresses.xsl
+
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of contact e-mail addresses.  Only administrative and
+    technical addresses are used; all others are dropped.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	exclude-result-prefixes="md ds wayf">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	<xsl:template match="/md:EntitiesDescriptor">
-		<Addresses>
-			<xsl:apply-templates select="md:EntityDescriptor/md:ContactPerson"/>
-		</Addresses>
-	</xsl:template>
-	
-	<xsl:template match="md:ContactPerson[@contactType='support']">
-		<!-- do nothing -->
-	</xsl:template>
-	
-	<xsl:template match="md:ContactPerson">
-		<xsl:apply-templates select="md:EmailAddress"/>
-	</xsl:template>
-	
-	<xsl:template match="md:EmailAddress">
-		<EmailAddress><xsl:value-of select="."/></EmailAddress>
-	</xsl:template>
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md ds">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <xsl:template match="/md:EntitiesDescriptor">
+        <Addresses>
+            <xsl:apply-templates select="md:EntityDescriptor/md:ContactPerson"/>
+        </Addresses>
+    </xsl:template>
+
+    <xsl:template match="md:ContactPerson[@contactType='support']">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <xsl:template match="md:ContactPerson">
+        <xsl:apply-templates select="md:EmailAddress"/>
+    </xsl:template>
+
+    <xsl:template match="md:EmailAddress">
+        <EmailAddress><xsl:value-of select="."/></EmailAddress>
+    </xsl:template>
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/build/extract_cert_locs.xsl b/build/extract_cert_locs.xsl
index 983f7194..46a293e6 100644
--- a/build/extract_cert_locs.xsl
+++ b/build/extract_cert_locs.xsl
@@ -1,40 +1,40 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_cert_locs.xsl
-	
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of service locations that require certificates to be
-	presented to them.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    extract_cert_locs.xsl
+
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of service locations that require certificates to be
+    presented to them.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="md">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<xsl:template match="//md:AttributeService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-	
-	<!--
-		ArtifactResolutionService endpoints on IdPs are assumed to be
-		authenticated by TLS; those on SPs are assumed to be authenticated
-		using other mechanisms.
-	-->
-	<xsl:template match="//md:IDPSSODescriptor/md:ArtifactResolutionService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-	
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="//md:AttributeService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <!--
+        ArtifactResolutionService endpoints on IdPs are assumed to be
+        authenticated by TLS; those on SPs are assumed to be authenticated
+        using other mechanisms.
+    -->
+    <xsl:template match="//md:IDPSSODescriptor/md:ArtifactResolutionService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/build/extract_embedded.xsl b/build/extract_embedded.xsl
index 9dc0d3bb..751a6a91 100644
--- a/build/extract_embedded.xsl
+++ b/build/extract_embedded.xsl
@@ -1,62 +1,62 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_embedded.xsl
-	
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	all embedded certificates on entities in the form of a series of
-	PEM certificate blocks.
-	
-	A descriptive comment is added to indicate the entity in question and
-	the KeyName used (if any) so that later processing can distinguish.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    extract_embedded.xsl
+
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    all embedded certificates on entities in the form of a series of
+    PEM certificate blocks.
+
+    A descriptive comment is added to indicate the entity in question and
+    the KeyName used (if any) so that later processing can distinguish.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:mdxTextUtils="xalan://uk.ac.sdss.xalan.md.TextUtils">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<xsl:template match="md:EntityDescriptor">
-		<xsl:variable name="entity" select="."/>
-		<xsl:for-each select="descendant::md:KeyDescriptor">
-			<xsl:variable name="keydesc" select="."/>
-			<xsl:variable name="keyinfo" select="$keydesc/ds:KeyInfo"/>
-			<xsl:variable name="keyname" select="$keyinfo/ds:KeyName"/>
-			<xsl:variable name="cert" select="$keyinfo/ds:X509Data/ds:X509Certificate"/>
-			<xsl:if test="$cert">
-				<xsl:text>Entity: </xsl:text>
-				<xsl:if test="$entity/@ID">
-					<xsl:text>[</xsl:text>
-					<xsl:value-of select='$entity/@ID'/>
-					<xsl:text>]</xsl:text>
-				</xsl:if>
-				<xsl:value-of select="$entity/@entityID"/>
-				<xsl:text> KeyName: </xsl:text>
-				<xsl:choose>
-					<xsl:when test="$keyname">
-						<xsl:value-of select="$keyname"/>
-					</xsl:when>
-					<xsl:otherwise>
-						<xsl:text>(none)</xsl:text>
-					</xsl:otherwise>
-				</xsl:choose>
-				<xsl:text>&#x0a;</xsl:text>
-				<xsl:text>-----BEGIN CERTIFICATE-----&#x0a;</xsl:text>
-				<xsl:value-of select="mdxTextUtils:wrapBase64($cert)"/>
-				<xsl:text>&#x0a;</xsl:text>
-				<xsl:text>-----END CERTIFICATE-----&#x0a;</xsl:text>
-			</xsl:if>
-		</xsl:for-each>
-	</xsl:template>
-
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:mdxTextUtils="xalan://uk.ac.sdss.xalan.md.TextUtils">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="md:EntityDescriptor">
+        <xsl:variable name="entity" select="."/>
+        <xsl:for-each select="descendant::md:KeyDescriptor">
+            <xsl:variable name="keydesc" select="."/>
+            <xsl:variable name="keyinfo" select="$keydesc/ds:KeyInfo"/>
+            <xsl:variable name="keyname" select="$keyinfo/ds:KeyName"/>
+            <xsl:variable name="cert" select="$keyinfo/ds:X509Data/ds:X509Certificate"/>
+            <xsl:if test="$cert">
+                <xsl:text>Entity: </xsl:text>
+                <xsl:if test="$entity/@ID">
+                    <xsl:text>[</xsl:text>
+                    <xsl:value-of select='$entity/@ID'/>
+                    <xsl:text>]</xsl:text>
+                </xsl:if>
+                <xsl:value-of select="$entity/@entityID"/>
+                <xsl:text> KeyName: </xsl:text>
+                <xsl:choose>
+                    <xsl:when test="$keyname">
+                        <xsl:value-of select="$keyname"/>
+                    </xsl:when>
+                    <xsl:otherwise>
+                        <xsl:text>(none)</xsl:text>
+                    </xsl:otherwise>
+                </xsl:choose>
+                <xsl:text>&#x0a;</xsl:text>
+                <xsl:text>-----BEGIN CERTIFICATE-----&#x0a;</xsl:text>
+                <xsl:value-of select="mdxTextUtils:wrapBase64($cert)"/>
+                <xsl:text>&#x0a;</xsl:text>
+                <xsl:text>-----END CERTIFICATE-----&#x0a;</xsl:text>
+            </xsl:if>
+        </xsl:for-each>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/build/extract_locs.xsl b/build/extract_locs.xsl
index db55917b..468b75e2 100644
--- a/build/extract_locs.xsl
+++ b/build/extract_locs.xsl
@@ -1,46 +1,45 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_locs.xsl
-	
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of service locations that will have TLS certificates.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    extract_locs.xsl
+
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of service locations that will have TLS certificates.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	exclude-result-prefixes="md ds wayf">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<xsl:template match="//md:AttributeService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-	
-	<xsl:template match="//md:ArtifactResolutionService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-	
-	<xsl:template match="//md:SingleSignOnService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-	
-	<xsl:template match="//md:AssertionConsumerService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-	
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md ds">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="//md:AttributeService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:ArtifactResolutionService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:SingleSignOnService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:AssertionConsumerService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/build/extract_nk_cert_locs.xsl b/build/extract_nk_cert_locs.xsl
index b18d937d..08b25ce2 100644
--- a/build/extract_nk_cert_locs.xsl
+++ b/build/extract_nk_cert_locs.xsl
@@ -1,54 +1,54 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_nk_cert_locs.xsl
-	
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of service locations that require certificates to be
-	presented to them.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    extract_nk_cert_locs.xsl
+
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of service locations that require certificates to be
+    presented to them.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="md">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<!--
-		Exclude entities which have embedded certificates.
-		
-		I.e., restrict output to entities which only have PKIX trust.
-	-->
-	<xsl:template match="md:EntityDescriptor[descendant::ds:X509Data]">
-		<!-- do nothing -->
-	</xsl:template>
-	
-	<xsl:template match="//md:AttributeService">
-		<xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-	
-	<!--
-		ArtifactResolutionService endpoints on IdPs are assumed to be
-		authenticated by TLS; those on SPs are assumed to be authenticated
-		using other mechanisms.
-	-->
-	<xsl:template match="//md:IDPSSODescriptor/md:ArtifactResolutionService">
-		<xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-	
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <!--
+        Exclude entities which have embedded certificates.
+
+        I.e., restrict output to entities which only have PKIX trust.
+    -->
+    <xsl:template match="md:EntityDescriptor[descendant::ds:X509Data]">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <xsl:template match="//md:AttributeService">
+        <xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <!--
+        ArtifactResolutionService endpoints on IdPs are assumed to be
+        authenticated by TLS; those on SPs are assumed to be authenticated
+        using other mechanisms.
+    -->
+    <xsl:template match="//md:IDPSSODescriptor/md:ArtifactResolutionService">
+        <xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/build/extract_nk_nocert_locs.xsl b/build/extract_nk_nocert_locs.xsl
index fae05589..1a9afcc5 100644
--- a/build/extract_nk_nocert_locs.xsl
+++ b/build/extract_nk_nocert_locs.xsl
@@ -1,57 +1,56 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_nk_nocert_locs.xsl
-	
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of service locations that do not require certificates to be
-	presented to them.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    extract_nk_nocert_locs.xsl
+
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of service locations that do not require certificates to be
+    presented to them.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	exclude-result-prefixes="md ds wayf">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md ds">
 
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
 
-	<!--
+    <!--
         Exclude entities which have embedded certificates.
-        
+
         I.e., restrict output to entities which only have PKIX trust.
     -->
-	<xsl:template match="md:EntityDescriptor[descendant::ds:X509Data]">
-		<!-- do nothing -->
-	</xsl:template>
-	
-	<xsl:template match="//md:SingleSignOnService">
-		<xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="//md:AssertionConsumerService">
-		<xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="//md:SPSSODescriptor/md:ArtifactResolutionService">
-		<xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    <xsl:template match="md:EntityDescriptor[descendant::ds:X509Data]">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <xsl:template match="//md:SingleSignOnService">
+        <xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:AssertionConsumerService">
+        <xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:SPSSODescriptor/md:ArtifactResolutionService">
+        <xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/build/extract_nocert_locs.xsl b/build/extract_nocert_locs.xsl
index 335e0fc7..054d09bf 100644
--- a/build/extract_nocert_locs.xsl
+++ b/build/extract_nocert_locs.xsl
@@ -1,42 +1,41 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_nocert_locs.xsl
-	
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of service locations that do not require certificates to be
-	presented to them.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    extract_nocert_locs.xsl
+
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of service locations that do not require certificates to be
+    presented to them.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	exclude-result-prefixes="md ds wayf">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<xsl:template match="//md:SingleSignOnService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="//md:AssertionConsumerService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="//md:SPSSODescriptor/md:ArtifactResolutionService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md ds">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="//md:SingleSignOnService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:AssertionConsumerService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:SPSSODescriptor/md:ArtifactResolutionService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/build/find_OpenAthens_entities_not_in_Eduserv_metadata.xq b/build/find_OpenAthens_entities_not_in_Eduserv_metadata.xq
index e7617b9e..1d134de6 100644
--- a/build/find_OpenAthens_entities_not_in_Eduserv_metadata.xq
+++ b/build/find_OpenAthens_entities_not_in_Eduserv_metadata.xq
@@ -24,4 +24,4 @@ return
 <Entity ID="{data($f/@ID)}">{data($f/@entityID)}
 </Entity>
 }
-</Entities>
\ No newline at end of file
+</Entities>
diff --git a/charting/fetch.pl b/charting/fetch.pl
index 9b01e351..47d3e51e 100755
--- a/charting/fetch.pl
+++ b/charting/fetch.pl
@@ -1,8 +1,9 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
 
 #
 # fetch.pl
 #
+use warnings;
 use File::stat;
 use Months;
 
diff --git a/charting/just_ours.xsl b/charting/just_ours.xsl
index 5c7323c0..3324d60f 100644
--- a/charting/just_ours.xsl
+++ b/charting/just_ours.xsl
@@ -1,44 +1,44 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	just_ours.xsl
+    just_ours.xsl
 
-	Remove SAML entities registered other than by the UK federation.
+    Remove SAML entities registered other than by the UK federation.
 
-	Leave in entities without registrationAuthority so that this still does
-	the right thing with older aggregates which don't have MDRPI metadata.
+    Leave in entities without registrationAuthority so that this still does
+    the right thing with older aggregates which don't have MDRPI metadata.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
-	<!--
-		Discard entities not registered by the UK federation.
-	-->
-	<xsl:template match="md:EntityDescriptor
-		[not(descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk')]">
-		<!-- do nothing -->
-	</xsl:template>
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+    <!--
+        Discard entities not registered by the UK federation.
+    -->
+    <xsl:template match="md:EntityDescriptor
+        [not(descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk')]">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/charting/mdui.pl b/charting/mdui.pl
index b6e14bd0..fb2a6bfd 100755
--- a/charting/mdui.pl
+++ b/charting/mdui.pl
@@ -1,8 +1,9 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
 
 #
 # mdui.pl
 #
+use warnings;
 use lib "../build";
 use Xalan;
 use Months;
diff --git a/charting/saml2.pl b/charting/saml2.pl
index bc69fd04..fd790429 100755
--- a/charting/saml2.pl
+++ b/charting/saml2.pl
@@ -1,10 +1,11 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
 
 #
 # saml2.pl
 #
 # Extracts statistics about SAML 2 adoption from the published metadata.
 #
+use warnings;
 use lib "../build";
 use Xalan;
 use Months;
diff --git a/charting/saml2.xsl b/charting/saml2.xsl
index 17780729..04dd4455 100644
--- a/charting/saml2.xsl
+++ b/charting/saml2.xsl
@@ -1,52 +1,52 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
-	saml2.xsl
-	
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	statistics about the level of SAML 2 protocol support within the
-	included entities.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
-	
+
+    saml2.xsl
+
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    statistics about the level of SAML 2 protocol support within the
+    included entities.
+
+    Author: Ian A. Young <ian@iay.org.uk>
+
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="md mdrpi">
-	
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-	
-	<xsl:template match="md:EntitiesDescriptor">
-		<xsl:variable name="entities" select="//md:EntityDescriptor
-		[descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk']"/>
-		<xsl:value-of select="count($entities)"/><xsl:text> </xsl:text>
-		<xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
-		<xsl:value-of select="count($idps)"/><xsl:text> </xsl:text>
-		<xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
-		<xsl:value-of select="count($sps)"/><xsl:text> </xsl:text>
-
-		<xsl:variable name="entities.saml2"
-			select="$entities[
-			md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')] |
-			md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-			]"/>
-		<xsl:value-of select="count($entities.saml2)"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="count($entities[
-			md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-			])"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="count($entities[
-			md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-			])"/>
-		<xsl:text>&#10;</xsl:text>
-	</xsl:template>
-	
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md mdrpi">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="md:EntitiesDescriptor">
+        <xsl:variable name="entities" select="//md:EntityDescriptor
+        [descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk']"/>
+        <xsl:value-of select="count($entities)"/><xsl:text> </xsl:text>
+        <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
+        <xsl:value-of select="count($idps)"/><xsl:text> </xsl:text>
+        <xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
+        <xsl:value-of select="count($sps)"/><xsl:text> </xsl:text>
+
+        <xsl:variable name="entities.saml2"
+            select="$entities[
+            md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')] |
+            md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+            ]"/>
+        <xsl:value-of select="count($entities.saml2)"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="count($entities[
+            md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+            ])"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="count($entities[
+            md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+            ])"/>
+        <xsl:text>&#10;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/charting/scopes.pl b/charting/scopes.pl
index 2e38809d..3927471b 100755
--- a/charting/scopes.pl
+++ b/charting/scopes.pl
@@ -1,10 +1,11 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
 
 #
 # scopes.pl
 #
 # Extracts statistics about number of scopes from the published metadata.
 #
+use warnings;
 use lib "../build";
 use Xalan;
 use Months;
diff --git a/charting/scopes.xsl b/charting/scopes.xsl
index 6b05fd54..76e808c2 100644
--- a/charting/scopes.xsl
+++ b/charting/scopes.xsl
@@ -1,46 +1,46 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	scopes.xsl
-	
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of scopes used.  Regular expression scopes are ignored.
-	Duplicates are not removed, and the result is unsorted.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    scopes.xsl
+
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of scopes used.  Regular expression scopes are ignored.
+    Duplicates are not removed, and the result is unsorted.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<!--
-		Discard entities registered by other federations.
-	-->
-	<xsl:template match="md:EntityDescriptor
-		[descendant::mdrpi:RegistrationInfo/@registrationAuthority!='http://ukfederation.org.uk']">
-		<!-- do nothing -->
-	</xsl:template>
-
-	<!--
-		Discard regular expression scopes.
-	-->
-	<xsl:template match="//shibmd:Scope[@regex = 'true']">
-		<!-- do nothing -->
-	</xsl:template>
-
-	<xsl:template match="//shibmd:Scope">
-		<xsl:value-of select="."/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <!--
+        Discard entities registered by other federations.
+    -->
+    <xsl:template match="md:EntityDescriptor
+        [descendant::mdrpi:RegistrationInfo/@registrationAuthority!='http://ukfederation.org.uk']">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <!--
+        Discard regular expression scopes.
+    -->
+    <xsl:template match="//shibmd:Scope[@regex = 'true']">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <xsl:template match="//shibmd:Scope">
+        <xsl:value-of select="."/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/charting/sizes.pl b/charting/sizes.pl
index 4d36b33d..004c6e3f 100755
--- a/charting/sizes.pl
+++ b/charting/sizes.pl
@@ -1,8 +1,9 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
 
 #
 # sizes.pl
 #
+use warnings;
 use lib "../build";
 use File::stat;
 use Xalan;
diff --git a/charting/statistics_mdui.xsl b/charting/statistics_mdui.xsl
index 1faf2ae3..15c37bf5 100644
--- a/charting/statistics_mdui.xsl
+++ b/charting/statistics_mdui.xsl
@@ -27,7 +27,7 @@
     <xsl:template match="/md:EntitiesDescriptor">
 
         <xsl:variable name="entities" select="//md:EntityDescriptor
-		[descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk']"/>
+        [descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk']"/>
         <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
         <xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
 
diff --git a/mdx/_rules/check_adfs.xsl b/mdx/_rules/check_adfs.xsl
index c5336cc8..0381d285 100644
--- a/mdx/_rules/check_adfs.xsl
+++ b/mdx/_rules/check_adfs.xsl
@@ -1,77 +1,77 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_adfs.xsl
-	
-	Checking ruleset containing rules associated with the ADFS metadata profile,
-	as described here:
+    check_adfs.xsl
 
-		https://spaces.internet2.edu/display/SHIB/ADFSMetadataProfile
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    Checking ruleset containing rules associated with the ADFS metadata profile,
+    as described here:
+
+        https://spaces.internet2.edu/display/SHIB/ADFSMetadataProfile
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        An IdP's SSO descriptor must contain a SingleSignOn element with
+        the appropriate binding.
+    -->
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext')]
+        [not(md:SingleSignOnService/@Binding = 'http://schemas.xmlsoap.org/ws/2003/07/secext')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ADFS IdP role lacks SSO service with appropriate Binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        An SP's SSO descriptor must contain an AssertionConsumerService element with
+        the appropriate binding.
+    -->
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext')]
+        [not(md:AssertionConsumerService/@Binding = 'http://schemas.xmlsoap.org/ws/2003/07/secext')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ADFS SP role lacks SSO service with appropriate Binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        If the ADFS binding appears on any service, the parent role's protocol support
+        enumeration must include the appropruate URI.
+    -->
+    <xsl:template match="md:SingleSignOnService
+        [@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
+        [not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ADFS SingleSignOnService requires appropriate protocolSupportEnumeration</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:AssertionConsumerService
+        [@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
+        [not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ADFS AssertionConsumerService requires appropriate protocolSupportEnumeration</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <xsl:template match="md:SingleLogoutService
+        [@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
+        [not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ADFS SingleLogoutService requires appropriate protocolSupportEnumeration</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		An IdP's SSO descriptor must contain a SingleSignOn element with
-		the appropriate binding.
-	-->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext')]
-		[not(md:SingleSignOnService/@Binding = 'http://schemas.xmlsoap.org/ws/2003/07/secext')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ADFS IdP role lacks SSO service with appropriate Binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		An SP's SSO descriptor must contain an AssertionConsumerService element with
-		the appropriate binding.
-	-->
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext')]
-		[not(md:AssertionConsumerService/@Binding = 'http://schemas.xmlsoap.org/ws/2003/07/secext')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ADFS SP role lacks SSO service with appropriate Binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		If the ADFS binding appears on any service, the parent role's protocol support
-		enumeration must include the appropruate URI.
-	-->
-	<xsl:template match="md:SingleSignOnService
-		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
-		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ADFS SingleSignOnService requires appropriate protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:AssertionConsumerService
-		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
-		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ADFS AssertionConsumerService requires appropriate protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:SingleLogoutService
-		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
-		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ADFS SingleLogoutService requires appropriate protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_aggregate.xsl b/mdx/_rules/check_aggregate.xsl
index e331c1c2..44337a70 100644
--- a/mdx/_rules/check_aggregate.xsl
+++ b/mdx/_rules/check_aggregate.xsl
@@ -1,45 +1,45 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_aggregate.xsl
-	
-	Checking ruleset containing aggregate-level checks.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_aggregate.xsl
+
+    Checking ruleset containing aggregate-level checks.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<xsl:variable name="entities" select="//md:EntityDescriptor"/>
-	<xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
-
-	<!--
-		Checks across the whole of the document are defined here.
-	-->
-	<xsl:template match="/">
-		
-		<!-- check for duplicate entityID values -->
-		<xsl:variable name="distinct.entityIDs" select="set:distinct($entities/@entityID)"/>
-		<xsl:variable name="dup.entityIDs"
-			select="set:distinct(set:difference($entities/@entityID, $distinct.entityIDs))"/>
-		<xsl:for-each select="$dup.entityIDs">
-			<xsl:variable name="dup.entityID" select="."/>
-			<xsl:for-each select="$entities[@entityID = $dup.entityID]">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">duplicate entityID: <xsl:value-of select='$dup.entityID'/></xsl:with-param>
-				</xsl:call-template>
-			</xsl:for-each>
-		</xsl:for-each>
-		
-	</xsl:template>
-	
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <xsl:variable name="entities" select="//md:EntityDescriptor"/>
+    <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
+
+    <!--
+        Checks across the whole of the document are defined here.
+    -->
+    <xsl:template match="/">
+
+        <!-- check for duplicate entityID values -->
+        <xsl:variable name="distinct.entityIDs" select="set:distinct($entities/@entityID)"/>
+        <xsl:variable name="dup.entityIDs"
+            select="set:distinct(set:difference($entities/@entityID, $distinct.entityIDs))"/>
+        <xsl:for-each select="$dup.entityIDs">
+            <xsl:variable name="dup.entityID" select="."/>
+            <xsl:for-each select="$entities[@entityID = $dup.entityID]">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">duplicate entityID: <xsl:value-of select='$dup.entityID'/></xsl:with-param>
+                </xsl:call-template>
+            </xsl:for-each>
+        </xsl:for-each>
+
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_algsupport.xsl b/mdx/_rules/check_algsupport.xsl
index 2902221f..b9a0962d 100644
--- a/mdx/_rules/check_algsupport.xsl
+++ b/mdx/_rules/check_algsupport.xsl
@@ -1,64 +1,64 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_algsupport.xsl
-	
-	Checking ruleset for the SAML V2.0 Metadata Profile for Algorithm Support.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_algsupport.xsl
+
+    Checking ruleset for the SAML V2.0 Metadata Profile for Algorithm Support.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        2.3 md:EncryptionMethod should appear only in md:KeyDescriptor elements
+        whose @use is omitted or set to "encryption", i.e., not "signing".
+    -->
+    <xsl:template match="md:EncryptionMethod[../@use='signing']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">EncryptionMethod should not be present on 'signing' KeyDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Check for duplicate SigningMethod or DigestMethod algorithms in any given list.
+    -->
+    <xsl:template match="md:Extensions[alg:*]">
+
+        <!-- check individual alg:SigningMethod and alg:DigestMethod elements -->
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <!--
+        2.4 Check for misplaced SigningMethod or DigestMethod elements.
+    -->
+    <xsl:template match="alg:*[not(parent::md:Extensions)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>alg:</xsl:text>
+                <xsl:value-of select="local-name()"/>
+                <xsl:text> must only appear within an Extensions element</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Check for duplicate EncryptionMethod elements in any given list.
+    -->
+    <xsl:template match="md:KeyDescriptor[md:EncryptionMethod]">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+        <!-- check individual md:EncryptionMethod elements -->
+        <xsl:apply-templates/>
+    </xsl:template>
 
-	<!--
-		2.3 md:EncryptionMethod should appear only in md:KeyDescriptor elements
-		whose @use is omitted or set to "encryption", i.e., not "signing".
-	-->
-	<xsl:template match="md:EncryptionMethod[../@use='signing']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">EncryptionMethod should not be present on 'signing' KeyDescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Check for duplicate SigningMethod or DigestMethod algorithms in any given list.
-	-->
-	<xsl:template match="md:Extensions[alg:*]">
-		
-		<!-- check individual alg:SigningMethod and alg:DigestMethod elements -->
-		<xsl:apply-templates/>  
-	</xsl:template>
-	
-	<!--
-		2.4 Check for misplaced SigningMethod or DigestMethod elements.
-	-->
-	<xsl:template match="alg:*[not(parent::md:Extensions)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>alg:</xsl:text>
-				<xsl:value-of select="local-name()"/>
-				<xsl:text> must only appear within an Extensions element</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Check for duplicate EncryptionMethod elements in any given list.
-	-->
-	<xsl:template match="md:KeyDescriptor[md:EncryptionMethod]">
-		
-		<!-- check individual md:EncryptionMethod elements -->
-		<xsl:apply-templates/>	
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_bindings.xsl b/mdx/_rules/check_bindings.xsl
index 2525981a..b371869d 100644
--- a/mdx/_rules/check_bindings.xsl
+++ b/mdx/_rules/check_bindings.xsl
@@ -1,176 +1,178 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_bindings.xsl
-	
-	Checking ruleset that checks SAML 2.0 metadata Binding values.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_bindings.xsl
+
+    Checking ruleset that checks SAML 2.0 metadata Binding values.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <xsl:template match="md:ArtifactResolutionService
+        [@Binding != 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:AssertionConsumerService
+        [@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
+        [@Binding != 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01']
+        [@Binding != 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:AssertionIDRequestService
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:URI']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:AttributeService
+        [@Binding != 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:ManageNameIDService
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:NameIDMappingService
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <xsl:template match="md:SingleLogoutService
+        [@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:ArtifactResolutionService
-		[@Binding != 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:AssertionConsumerService
-		[@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
-		[@Binding != 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01']
-		[@Binding != 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:AssertionIDRequestService
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:URI']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:SingleSignOnService
+        [@Binding != 'urn:mace:shibboleth:1.0:profiles:AuthnRequest']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+        [@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:AttributeService
-		[@Binding != 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:ManageNameIDService
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:NameIDMappingService
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        Issue warnings for all Bindings on elements other than the ones
+        called out above, as they may well be accurate but need additional
+        checks researched.
+    -->
+    <xsl:template match="md:*
+        [@Binding]
+        [local-name() != 'ArtifactResolutionService']
+        [local-name() != 'AssertionConsumerService']
+        [local-name() != 'AssertionIDRequestService']
+        [local-name() != 'AttributeService']
+        [local-name() != 'ManageNameIDService']
+        [local-name() != 'NameIDMappingService']
+        [local-name() != 'SingleLogoutService']
+        [local-name() != 'SingleSignOnService']
+        ">
+        <xsl:call-template name="warning">
+            <xsl:with-param name="m">
+                <xsl:text>unknown binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:SingleLogoutService
-		[@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:SingleSignOnService
-		[@Binding != 'urn:mace:shibboleth:1.0:profiles:AuthnRequest']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Issue warnings for all Bindings on elements other than the ones
-		called out above, as they may well be accurate but need additional
-		checks researched.
-	-->
-	<xsl:template match="md:*
-		[@Binding]
-		[local-name() != 'ArtifactResolutionService']
-		[local-name() != 'AssertionConsumerService']
-		[local-name() != 'AssertionIDRequestService']
-		[local-name() != 'AttributeService']
-		[local-name() != 'ManageNameIDService']
-		[local-name() != 'NameIDMappingService']
-		[local-name() != 'SingleLogoutService']
-		[local-name() != 'SingleSignOnService']
-		">
-		<xsl:call-template name="warning">
-			<xsl:with-param name="m">
-				<xsl:text>unknown binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_entityid_prefix.xsl b/mdx/_rules/check_entityid_prefix.xsl
index 6c8e4c71..bf53c54a 100644
--- a/mdx/_rules/check_entityid_prefix.xsl
+++ b/mdx/_rules/check_entityid_prefix.xsl
@@ -1,33 +1,33 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_entityid_prefix.xsl
-	
-	Checking that entityID attributes start with one of a whitelist of prefixes.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_entityid_prefix.xsl
+
+    Checking that entityID attributes start with one of a whitelist of prefixes.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-
-	<!--
-		Entity IDs should start with one of "http://", "https://" or "urn:mace:".
-	-->
-	<xsl:template match="md:EntityDescriptor[not(starts-with(@entityID, 'urn:mace:'))]
-		[not(starts-with(@entityID, 'http://'))]
-		[not(starts-with(@entityID, 'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">entity ID <xsl:value-of select="@entityID"/> does not start with acceptable prefix</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        Entity IDs should start with one of "http://", "https://" or "urn:mace:".
+    -->
+    <xsl:template match="md:EntityDescriptor[not(starts-with(@entityID, 'urn:mace:'))]
+        [not(starts-with(@entityID, 'http://'))]
+        [not(starts-with(@entityID, 'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">entity ID <xsl:value-of select="@entityID"/> does not start with acceptable prefix</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_filtered.xsl b/mdx/_rules/check_filtered.xsl
index fdb40a1f..83c057dd 100644
--- a/mdx/_rules/check_filtered.xsl
+++ b/mdx/_rules/check_filtered.xsl
@@ -1,35 +1,35 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_filtered.xsl
+    check_filtered.xsl
 
-	This checking ruleset verifies that certain constructs have been removed from the
-	metadata before it is published.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    This checking ruleset verifies that certain constructs have been removed from the
+    metadata before it is published.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	
-	<xsl:template match="ds:X509SerialNumber">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ds:X509SerialNumber should have been filtered out</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <xsl:template match="ds:X509SerialNumber">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ds:X509SerialNumber should have been filtered out</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_framework.xsl b/mdx/_rules/check_framework.xsl
index 613c1b6a..f4e8d017 100644
--- a/mdx/_rules/check_framework.xsl
+++ b/mdx/_rules/check_framework.xsl
@@ -1,128 +1,128 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_framework.xsl
-	
-	XSL stylesheet providing a framework for use by rule checking files.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_framework.xsl
+
+    XSL stylesheet providing a framework for use by rule checking files.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-
-	<!--
-		The stylesheet output will be a text file, which will probably be thrown
-		away in any case.  The real output from the check is sent using the
-		xsl:message element.
-	-->
-	<xsl:output method="text"/>
-	
-
-	<!--
-		Common template to call to report an error on some element within an entity.
-	-->
-	<xsl:template name="error">
-		<xsl:param name="m"/>
-		<xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
-		<xsl:message terminate='no'>
-			<xsl:text>[ERROR] </xsl:text>
-			<!--
-				If we're processing an aggregate, we need to indicate which
-				individual entity we're dealing with.
-			-->
-			<xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
-				<!--
-					Use an ID if available, otherwise the entityID.
-				-->
-				<xsl:choose>
-					<xsl:when test="$entity/@ID">
-						<xsl:value-of select="$entity/@ID"/>
-					</xsl:when>
-					<xsl:otherwise>
-						<xsl:value-of select="$entity/@entityID"/>
-					</xsl:otherwise>
-				</xsl:choose>
-				<xsl:text>: </xsl:text>
-			</xsl:if>
-			<xsl:value-of select="$m"/>
-		</xsl:message>
-	</xsl:template>
-
-
-	<!--
-		Common template to call to report a warning on some element within an entity.
-	-->
-	<xsl:template name="warning">
-		<xsl:param name="m"/>
-		<xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
-		<xsl:message terminate='no'>
-			<xsl:text>[WARN] </xsl:text>
-			<!--
-				If we're processing an aggregate, we need to indicate which
-				individual entity we're dealing with.
-			-->
-			<xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
-				<!--
-					Use an ID if available, otherwise the entityID.
-				-->
-				<xsl:choose>
-					<xsl:when test="$entity/@ID">
-						<xsl:value-of select="$entity/@ID"/>
-					</xsl:when>
-					<xsl:otherwise>
-						<xsl:value-of select="$entity/@entityID"/>
-					</xsl:otherwise>
-				</xsl:choose>
-				<xsl:text>: </xsl:text>
-			</xsl:if>
-			<xsl:value-of select="$m"/>
-		</xsl:message>
-	</xsl:template>
-	
-	
-	<!--
-		Common template to call to report an informational message on some element within an entity.
-	-->
-	<xsl:template name="info">
-		<xsl:param name="m"/>
-		<xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
-		<xsl:message terminate='no'>
-			<xsl:text>[INFO] </xsl:text>
-			<!--
-				If we're processing an aggregate, we need to indicate which
-				individual entity we're dealing with.
-			-->
-			<xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
-				<!--
-					Use an ID if available, otherwise the entityID.
-				-->
-				<xsl:choose>
-					<xsl:when test="$entity/@ID">
-						<xsl:value-of select="$entity/@ID"/>
-					</xsl:when>
-					<xsl:otherwise>
-						<xsl:value-of select="$entity/@entityID"/>
-					</xsl:otherwise>
-				</xsl:choose>
-				<xsl:text>: </xsl:text>
-			</xsl:if>
-			<xsl:value-of select="$m"/>
-		</xsl:message>
-	</xsl:template>
-	
-	
-	<!-- Recurse down through all elements by default. -->
-	<xsl:template match="*">
-		<xsl:apply-templates select="node()|@*"/>
-	</xsl:template>
-	
-
-	<!-- Discard text blocks, comments and attributes by default. -->
-	<xsl:template match="text()|comment()|@*">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+        The stylesheet output will be a text file, which will probably be thrown
+        away in any case.  The real output from the check is sent using the
+        xsl:message element.
+    -->
+    <xsl:output method="text"/>
+
+
+    <!--
+        Common template to call to report an error on some element within an entity.
+    -->
+    <xsl:template name="error">
+        <xsl:param name="m"/>
+        <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+        <xsl:message terminate='no'>
+            <xsl:text>[ERROR] </xsl:text>
+            <!--
+                If we're processing an aggregate, we need to indicate which
+                individual entity we're dealing with.
+            -->
+            <xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+                <!--
+                    Use an ID if available, otherwise the entityID.
+                -->
+                <xsl:choose>
+                    <xsl:when test="$entity/@ID">
+                        <xsl:value-of select="$entity/@ID"/>
+                    </xsl:when>
+                    <xsl:otherwise>
+                        <xsl:value-of select="$entity/@entityID"/>
+                    </xsl:otherwise>
+                </xsl:choose>
+                <xsl:text>: </xsl:text>
+            </xsl:if>
+            <xsl:value-of select="$m"/>
+        </xsl:message>
+    </xsl:template>
+
+
+    <!--
+        Common template to call to report a warning on some element within an entity.
+    -->
+    <xsl:template name="warning">
+        <xsl:param name="m"/>
+        <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+        <xsl:message terminate='no'>
+            <xsl:text>[WARN] </xsl:text>
+            <!--
+                If we're processing an aggregate, we need to indicate which
+                individual entity we're dealing with.
+            -->
+            <xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+                <!--
+                    Use an ID if available, otherwise the entityID.
+                -->
+                <xsl:choose>
+                    <xsl:when test="$entity/@ID">
+                        <xsl:value-of select="$entity/@ID"/>
+                    </xsl:when>
+                    <xsl:otherwise>
+                        <xsl:value-of select="$entity/@entityID"/>
+                    </xsl:otherwise>
+                </xsl:choose>
+                <xsl:text>: </xsl:text>
+            </xsl:if>
+            <xsl:value-of select="$m"/>
+        </xsl:message>
+    </xsl:template>
+
+
+    <!--
+        Common template to call to report an informational message on some element within an entity.
+    -->
+    <xsl:template name="info">
+        <xsl:param name="m"/>
+        <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+        <xsl:message terminate='no'>
+            <xsl:text>[INFO] </xsl:text>
+            <!--
+                If we're processing an aggregate, we need to indicate which
+                individual entity we're dealing with.
+            -->
+            <xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+                <!--
+                    Use an ID if available, otherwise the entityID.
+                -->
+                <xsl:choose>
+                    <xsl:when test="$entity/@ID">
+                        <xsl:value-of select="$entity/@ID"/>
+                    </xsl:when>
+                    <xsl:otherwise>
+                        <xsl:value-of select="$entity/@entityID"/>
+                    </xsl:otherwise>
+                </xsl:choose>
+                <xsl:text>: </xsl:text>
+            </xsl:if>
+            <xsl:value-of select="$m"/>
+        </xsl:message>
+    </xsl:template>
+
+
+    <!-- Recurse down through all elements by default. -->
+    <xsl:template match="*">
+        <xsl:apply-templates select="node()|@*"/>
+    </xsl:template>
+
+
+    <!-- Discard text blocks, comments and attributes by default. -->
+    <xsl:template match="text()|comment()|@*">
+        <!-- do nothing -->
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_0.xsl b/mdx/_rules/check_future_0.xsl
index f503721c..809f9ee0 100644
--- a/mdx/_rules/check_future_0.xsl
+++ b/mdx/_rules/check_future_0.xsl
@@ -1,31 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_0.xsl
-	
-	Checking ruleset containing rules that we don't currently implement,
-	but which we may implement in the future.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_future_0.xsl
+
+    Checking ruleset containing rules that we don't currently implement,
+    but which we may implement in the future.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_1.xsl b/mdx/_rules/check_future_1.xsl
index fef00c40..ed05b114 100644
--- a/mdx/_rules/check_future_1.xsl
+++ b/mdx/_rules/check_future_1.xsl
@@ -1,31 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_1.xsl
-	
-	Checking ruleset containing rules that we don't currently implement,
-	but which we may implement in the future.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_future_1.xsl
+
+    Checking ruleset containing rules that we don't currently implement,
+    but which we may implement in the future.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_2.xsl b/mdx/_rules/check_future_2.xsl
index c944e5b4..ee51f733 100644
--- a/mdx/_rules/check_future_2.xsl
+++ b/mdx/_rules/check_future_2.xsl
@@ -1,31 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_2.xsl
-	
-	Checking ruleset containing rules that we don't currently implement,
-	but which we may implement in the future.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_future_2.xsl
+
+    Checking ruleset containing rules that we don't currently implement,
+    but which we may implement in the future.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_3.xsl b/mdx/_rules/check_future_3.xsl
index f0e655b9..a0b99011 100644
--- a/mdx/_rules/check_future_3.xsl
+++ b/mdx/_rules/check_future_3.xsl
@@ -1,32 +1,31 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_3.xsl
-	
-	Checking ruleset containing rules that we don't currently implement,
-	but which we may implement in the future.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_future_3.xsl
+
+    Checking ruleset containing rules that we don't currently implement,
+    but which we may implement in the future.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_4.xsl b/mdx/_rules/check_future_4.xsl
index 7c8ae169..8a7084f8 100644
--- a/mdx/_rules/check_future_4.xsl
+++ b/mdx/_rules/check_future_4.xsl
@@ -1,31 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_4.xsl
-	
-	Checking ruleset containing rules that we don't currently implement,
-	but which we may implement in the future.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_future_4.xsl
+
+    Checking ruleset containing rules that we don't currently implement,
+    but which we may implement in the future.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_5.xsl b/mdx/_rules/check_future_5.xsl
index 326c22c2..8ebfc25d 100644
--- a/mdx/_rules/check_future_5.xsl
+++ b/mdx/_rules/check_future_5.xsl
@@ -1,26 +1,26 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_5.xsl
-	
+    check_future_5.xsl
+
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
-    	
-	Author: Ian A. Young <ian@iay.org.uk>
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_6.xsl b/mdx/_rules/check_future_6.xsl
index b312f48e..14726df4 100644
--- a/mdx/_rules/check_future_6.xsl
+++ b/mdx/_rules/check_future_6.xsl
@@ -1,26 +1,26 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_6.xsl
-	
+    check_future_6.xsl
+
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_7.xsl b/mdx/_rules/check_future_7.xsl
index 65f06792..5dbd9a92 100644
--- a/mdx/_rules/check_future_7.xsl
+++ b/mdx/_rules/check_future_7.xsl
@@ -1,27 +1,27 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_7.xsl
-	
+    check_future_7.xsl
+
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_8.xsl b/mdx/_rules/check_future_8.xsl
index 52030060..c763514f 100644
--- a/mdx/_rules/check_future_8.xsl
+++ b/mdx/_rules/check_future_8.xsl
@@ -1,27 +1,27 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_8.xsl
-	
+    check_future_8.xsl
+
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_9.xsl b/mdx/_rules/check_future_9.xsl
index edfbec8e..54911d3d 100644
--- a/mdx/_rules/check_future_9.xsl
+++ b/mdx/_rules/check_future_9.xsl
@@ -1,27 +1,27 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_9.xsl
-	
+    check_future_9.xsl
+
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_hasreginfo.xsl b/mdx/_rules/check_hasreginfo.xsl
index f3319047..e2cb6801 100644
--- a/mdx/_rules/check_hasreginfo.xsl
+++ b/mdx/_rules/check_hasreginfo.xsl
@@ -1,27 +1,27 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_hasreginfo.xsl
+    check_hasreginfo.xsl
+
+    Check that an entity has a RegistrationInfo element.
 
-	Check that an entity has a RegistrationInfo element.
-	
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <xsl:template match="md:EntityDescriptor[not(md:Extensions/mdrpi:RegistrationInfo)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">entity does not have an mdrpi:RegistrationInfo element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-	
-	<xsl:template match="md:EntityDescriptor[not(md:Extensions/mdrpi:RegistrationInfo)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">entity does not have an mdrpi:RegistrationInfo element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_hoksso.xsl b/mdx/_rules/check_hoksso.xsl
index ed17d412..d3e50bc1 100644
--- a/mdx/_rules/check_hoksso.xsl
+++ b/mdx/_rules/check_hoksso.xsl
@@ -1,160 +1,160 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_hoksso.xsl
-	
-	Checking ruleset for the SAML V2.0 Holder-of-Key Web Browser SSO
-	Profile Version 1.0, which can be found here:
+    check_hoksso.xsl
+
+    Checking ruleset for the SAML V2.0 Holder-of-Key Web Browser SSO
+    Profile Version 1.0, which can be found here:
 
         https://wiki.oasis-open.org/security/SamlHoKWebSSOProfile
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Schema checks.
-		
-		The schema itself doesn't help very much as most contexts in which the hoksso
-		namespace is used are subject to "lax" checking.  These checks duplicate some
-		aspects of XML Schema checking as we'd like it to behave.
-	-->
-	
-	<xsl:template match="hoksso:*">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown element hoksso:</xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="@hoksso:*[local-name() != 'ProtocolBinding']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown attribute hoksso:</xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		hoksso:ProtocolBinding should only appear on md:SingleSignOnService
-		or on md:AssertionConsumerService.
-	-->
-	<xsl:template match="@hoksso:ProtocolBinding
-		[not(parent::md:SingleSignOnService)][not(parent::md:AssertionConsumerService)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>hoksso:ProtocolBinding may not appear on </xsl:text>
-				<xsl:value-of select="name(parent::*)"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		If hoksso:ProtocolBinding appears, there must be a sibling Binding attribute
-		with the appropriate value.
-	-->
-	<xsl:template match="@hoksso:ProtocolBinding
-		[parent::*/@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>hoksso:ProtocolBinding requires @Binding of </xsl:text>
-				<xsl:text>urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser</xsl:text>
-				<xsl:text>, saw </xsl:text>
-				<xsl:value-of select="parent::*/@Binding"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		If the HoK SSO @Binding appears, hoksso:ProtocolBinding must appear with one of
-		the valid values.
-	-->
-	
-	<xsl:template match="md:*
-		[@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
-		[not(@hoksso:ProtocolBinding)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>holder of key SSO @Binding on </xsl:text>
-				<xsl:value-of select="name()"/>
-				<xsl:text> also requires hoksso:ProtocolBinding</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:SingleSignOnService
-		[@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
-		[@hoksso:ProtocolBinding]
-		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
-		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
-		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>holder of key SSO requires appropriate hoksso:ProtocolBinding</xsl:text>
-				<xsl:if test="@hoksso:ProtocolBinding">
-					<xsl:text>, saw </xsl:text>
-					<xsl:value-of select="@hoksso:ProtocolBinding"/>
-				</xsl:if>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:AssertionConsumerService
-		[@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
-		[@hoksso:ProtocolBinding]
-		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
-		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
-		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>holder of key SSO requires appropriate hoksso:ProtocolBinding</xsl:text>
-				<xsl:if test="@hoksso:ProtocolBinding">
-					<xsl:text>, saw </xsl:text>
-					<xsl:value-of select="@hoksso:ProtocolBinding"/>
-				</xsl:if>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Schema checks.
+
+        The schema itself doesn't help very much as most contexts in which the hoksso
+        namespace is used are subject to "lax" checking.  These checks duplicate some
+        aspects of XML Schema checking as we'd like it to behave.
+    -->
+
+    <xsl:template match="hoksso:*">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown element hoksso:</xsl:text>
+                <xsl:value-of select="local-name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="@hoksso:*[local-name() != 'ProtocolBinding']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown attribute hoksso:</xsl:text>
+                <xsl:value-of select="local-name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        hoksso:ProtocolBinding should only appear on md:SingleSignOnService
+        or on md:AssertionConsumerService.
+    -->
+    <xsl:template match="@hoksso:ProtocolBinding
+        [not(parent::md:SingleSignOnService)][not(parent::md:AssertionConsumerService)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>hoksso:ProtocolBinding may not appear on </xsl:text>
+                <xsl:value-of select="name(parent::*)"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        If hoksso:ProtocolBinding appears, there must be a sibling Binding attribute
+        with the appropriate value.
+    -->
+    <xsl:template match="@hoksso:ProtocolBinding
+        [parent::*/@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>hoksso:ProtocolBinding requires @Binding of </xsl:text>
+                <xsl:text>urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser</xsl:text>
+                <xsl:text>, saw </xsl:text>
+                <xsl:value-of select="parent::*/@Binding"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        If the HoK SSO @Binding appears, hoksso:ProtocolBinding must appear with one of
+        the valid values.
+    -->
+
+    <xsl:template match="md:*
+        [@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+        [not(@hoksso:ProtocolBinding)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>holder of key SSO @Binding on </xsl:text>
+                <xsl:value-of select="name()"/>
+                <xsl:text> also requires hoksso:ProtocolBinding</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SingleSignOnService
+        [@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+        [@hoksso:ProtocolBinding]
+        [@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+        [@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+        [@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>holder of key SSO requires appropriate hoksso:ProtocolBinding</xsl:text>
+                <xsl:if test="@hoksso:ProtocolBinding">
+                    <xsl:text>, saw </xsl:text>
+                    <xsl:value-of select="@hoksso:ProtocolBinding"/>
+                </xsl:if>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:AssertionConsumerService
+        [@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+        [@hoksso:ProtocolBinding]
+        [@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+        [@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+        [@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>holder of key SSO requires appropriate hoksso:ProtocolBinding</xsl:text>
+                <xsl:if test="@hoksso:ProtocolBinding">
+                    <xsl:text>, saw </xsl:text>
+                    <xsl:value-of select="@hoksso:ProtocolBinding"/>
+                </xsl:if>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Use of SAML 2.0 HoK binding requires SAML 2.0 in protocolSupportEnumeration.
     -->
 
-	<xsl:template match="md:IDPSSODescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-		[md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>holder of key binding requires SAML 2.0 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:SPSSODescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-		[md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>holder of key binding requires SAML 2.0 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
+    <xsl:template match="md:IDPSSODescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
+        [md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>holder of key binding requires SAML 2.0 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SPSSODescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
+        [md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>holder of key binding requires SAML 2.0 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_idp_tls.xsl b/mdx/_rules/check_idp_tls.xsl
index bb6fa6dd..b06074b4 100644
--- a/mdx/_rules/check_idp_tls.xsl
+++ b/mdx/_rules/check_idp_tls.xsl
@@ -1,36 +1,46 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_idp_tls.xsl
-	
-	Checking that all IdP endpoints are TLS-protected.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_idp_tls.xsl
+
+    Checking that all IdP endpoints are TLS-protected.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 
-	<!--
-		Check for IdP endpoints that don't start with https://
-	-->
+    <!--
+        Check for IdP endpoints that don't start with https://
+    -->
     <xsl:template match="md:IDPSSODescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
         </xsl:call-template>
     </xsl:template>
-	<xsl:template match="md:AttributeAuthorityDescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:IDPSSODescriptor//*[@ResponseLocation and not(starts-with(@ResponseLocation,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:AttributeAuthorityDescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:AttributeAuthorityDescriptor//*[@ResponseLocation and not(starts-with(@ResponseLocation,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_idpdisc.xsl b/mdx/_rules/check_idpdisc.xsl
index 14077c40..0b4766a7 100644
--- a/mdx/_rules/check_idpdisc.xsl
+++ b/mdx/_rules/check_idpdisc.xsl
@@ -1,65 +1,65 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_idpdisc.xsl
-	
-	Checking ruleset containing rules associated with the SAML IdP Discovery Protocol.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_idpdisc.xsl
+
+    Checking ruleset containing rules associated with the SAML IdP Discovery Protocol.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        "index" attributes on DiscoveryResponse elements should all be different
+        for any given entity.
+    -->
+
+    <xsl:template match="md:EntityDescriptor[descendant::idpdisc:DiscoveryResponse]">
+        <xsl:variable name="indices" select="descendant::idpdisc:DiscoveryResponse/@index"/>
+        <xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
+        <xsl:if test="count($indices) != count($distinct.indices)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">DiscoveryResponse index values not all different</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+        <!-- check individual DiscoveryResponse elements for correctness as well -->
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <!--
+        Checks on the DiscoveryResponse extension.
+    -->
+
+    <xsl:template match="idpdisc:DiscoveryResponse[not(@index)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">missing index attribute on DiscoveryResponse</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="idpdisc:DiscoveryResponse[not(@Binding)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">missing Binding attribute on DiscoveryResponse</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="idpdisc:DiscoveryResponse[@Binding]
+        [@Binding!='urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">incorrect Binding value on DiscoveryResponse</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
 
-	<!--
-		"index" attributes on DiscoveryResponse elements should all be different
-		for any given entity.
-	-->
-	
-	<xsl:template match="md:EntityDescriptor[descendant::idpdisc:DiscoveryResponse]">
-		<xsl:variable name="indices" select="descendant::idpdisc:DiscoveryResponse/@index"/>
-		<xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
-		<xsl:if test="count($indices) != count($distinct.indices)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">DiscoveryResponse index values not all different</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-		<!-- check individual DiscoveryResponse elements for correctness as well -->
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<!--
-		Checks on the DiscoveryResponse extension.
-	-->
-	
-	<xsl:template match="idpdisc:DiscoveryResponse[not(@index)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">missing index attribute on DiscoveryResponse</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="idpdisc:DiscoveryResponse[not(@Binding)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">missing Binding attribute on DiscoveryResponse</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="idpdisc:DiscoveryResponse[@Binding]
-		[@Binding!='urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">incorrect Binding value on DiscoveryResponse</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_imported.xsl b/mdx/_rules/check_imported.xsl
index e632f40d..b3064734 100644
--- a/mdx/_rules/check_imported.xsl
+++ b/mdx/_rules/check_imported.xsl
@@ -1,42 +1,42 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_imported.xsl
-	
-	Checking ruleset containing rules associated with imported metadata.	
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_imported.xsl
+
+    Checking ruleset containing rules associated with imported metadata.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:dyn="http://exslt.org/dynamic"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:dyn="http://exslt.org/dynamic"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Checks for IdPs.
+    -->
+    <xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
+        <!--
+            IdPs registered with the UK federation are expected to have at least one scope.
+        -->
+        <xsl:if test="not(descendant::shibmd:Scope)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">this IdP does not have any Scope elements</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+    </xsl:template>
 
-	<!--
-		Checks for IdPs.
-	-->
-	<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
-		<!--
-			IdPs registered with the UK federation are expected to have at least one scope.
-		-->
-		<xsl:if test="not(descendant::shibmd:Scope)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">this IdP does not have any Scope elements</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>		
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_incmd.xsl b/mdx/_rules/check_incmd.xsl
index 214860a3..2af81047 100644
--- a/mdx/_rules/check_incmd.xsl
+++ b/mdx/_rules/check_incmd.xsl
@@ -1,97 +1,97 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_incmd.xsl
-	
-	Checking ruleset for the InCommon Federation metadata extensions,
-	the schema for which can be found here:
+    check_incmd.xsl
+
+    Checking ruleset for the InCommon Federation metadata extensions,
+    the schema for which can be found here:
 
         https://spaces.internet2.edu/x/iIuVAQ
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:incmd="http://id.incommon.org/metadata"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Checks for the contactType attribute.
-	-->
-	
-	<xsl:template match="@incmd:contactType[not(parent::md:ContactPerson)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">incmd:contactType should only appear on md:ContactPerson</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:ContactPerson[@incmd:contactType][@contactType != 'other']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>incmd:contactType requires contactType='other', found '</xsl:text>
-				<xsl:value-of select="@contactType"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="@incmd:contactType[not(starts-with(.,'http://'))][not(starts-with(.,'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">incmd:contactType must be an absolute URI</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Check for specific values.  This test is probably over-specific in the long term.
-	-->
-	<xsl:template match="@incmd:contactType
-		[not(. = 'http://id.incommon.org/metadata/contactType/security')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown value '</xsl:text>
-				<xsl:value-of select="."/>
-				<xsl:text>' for incmd:contactType</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="@incmd:contactType">
-		<!-- otherwise, fine -->
-	</xsl:template>
-	
-	<!--
-		Additional schema checks.
-		
-		The schema itself doesn't help very much as most contexts in which the incmd
-		namespace is used are subject to "lax" checking.  These checks duplicate some
-		aspects of XML Schema checking as we'd like it to behave.
-	-->
-	
-	<xsl:template match="incmd:*">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown element incmd:</xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="@incmd:*">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown attribute incmd:</xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
+    xmlns:incmd="http://id.incommon.org/metadata"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Checks for the contactType attribute.
+    -->
+
+    <xsl:template match="@incmd:contactType[not(parent::md:ContactPerson)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">incmd:contactType should only appear on md:ContactPerson</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:ContactPerson[@incmd:contactType][@contactType != 'other']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>incmd:contactType requires contactType='other', found '</xsl:text>
+                <xsl:value-of select="@contactType"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="@incmd:contactType[not(starts-with(.,'http://'))][not(starts-with(.,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">incmd:contactType must be an absolute URI</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Check for specific values.  This test is probably over-specific in the long term.
+    -->
+    <xsl:template match="@incmd:contactType
+        [not(. = 'http://id.incommon.org/metadata/contactType/security')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown value '</xsl:text>
+                <xsl:value-of select="."/>
+                <xsl:text>' for incmd:contactType</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="@incmd:contactType">
+        <!-- otherwise, fine -->
+    </xsl:template>
+
+    <!--
+        Additional schema checks.
+
+        The schema itself doesn't help very much as most contexts in which the incmd
+        namespace is used are subject to "lax" checking.  These checks duplicate some
+        aspects of XML Schema checking as we'd like it to behave.
+    -->
+
+    <xsl:template match="incmd:*">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown element incmd:</xsl:text>
+                <xsl:value-of select="local-name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="@incmd:*">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown attribute incmd:</xsl:text>
+                <xsl:value-of select="local-name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_init.xsl b/mdx/_rules/check_init.xsl
index f33fd624..c7349ddd 100644
--- a/mdx/_rules/check_init.xsl
+++ b/mdx/_rules/check_init.xsl
@@ -1,42 +1,42 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_int.xsl
-	
-	Checking ruleset containing rules associated with the
-	Service Provider Request Initiation Protocol and Profile Version 1.0.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_int.xsl
+
+    Checking ruleset containing rules associated with the
+    Service Provider Request Initiation Protocol and Profile Version 1.0.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Checks on the RequestInitiator extension.
-	-->
-	
-	<xsl:template match="init:RequestInitiator[not(@Binding)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">missing Binding attribute on RequestInitiator</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="init:RequestInitiator[@Binding]
-		[@Binding!='urn:oasis:names:tc:SAML:profiles:SSO:request-init']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">incorrect Binding value on RequestInitiator</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Checks on the RequestInitiator extension.
+    -->
+
+    <xsl:template match="init:RequestInitiator[not(@Binding)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">missing Binding attribute on RequestInitiator</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="init:RequestInitiator[@Binding]
+        [@Binding!='urn:oasis:names:tc:SAML:profiles:SSO:request-init']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">incorrect Binding value on RequestInitiator</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_mdattr.xsl b/mdx/_rules/check_mdattr.xsl
index f5782d52..3b0e6ad3 100644
--- a/mdx/_rules/check_mdattr.xsl
+++ b/mdx/_rules/check_mdattr.xsl
@@ -1,70 +1,70 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_mdattr.xsl
-	
-	Checking ruleset containing rules associated with the SAML V2.0 Metadata
-	Extension for Entity Attributes Version 1.0, see:
+    check_mdattr.xsl
 
-		https://wiki.oasis-open.org/security/SAML2MetadataAttr
-		
-	This ruleset reflects Committee Specification 01, 04-Aug-2009.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    Checking ruleset containing rules associated with the SAML V2.0 Metadata
+    Extension for Entity Attributes Version 1.0, see:
+
+        https://wiki.oasis-open.org/security/SAML2MetadataAttr
+
+    This ruleset reflects Committee Specification 01, 04-Aug-2009.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Section 2.3
+
+        The specification only defines the meaning of EntityAttributes within the Extensions of either
+        EntitiesDescriptor or EntityDescriptor.
+    -->
+    <xsl:template match="mdattr:EntityAttributes[not(parent::md:Extensions)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">EntityAttributes must only appear within an Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:Extensions[mdattr:EntityAttributes]
+        [not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">EntityAttributes must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.3 line 176.
 
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+        Assertions not permitted in the context of an EntitiesDescriptor.
+    -->
+    <xsl:template match="md:EntitiesDescriptor/md:Extensions/mdattr:EntityAttributes/saml:Assertion">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Assertion may not appear in the EntityAttributes for an EntitiesDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-	
-	<!--
-		Section 2.3
+    <!--
+        Section 2.3 line 182.
 
-		The specification only defines the meaning of EntityAttributes within the Extensions of either
-		EntitiesDescriptor or EntityDescriptor. 
-	-->
-	<xsl:template match="mdattr:EntityAttributes[not(parent::md:Extensions)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">EntityAttributes must only appear within an Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:Extensions[mdattr:EntityAttributes]
-		[not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">EntityAttributes must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Section 2.3 line 176.
-		
-		Assertions not permitted in the context of an EntitiesDescriptor.
-	-->
-	<xsl:template match="md:EntitiesDescriptor/md:Extensions/mdattr:EntityAttributes/saml:Assertion">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Assertion may not appear in the EntityAttributes for an EntitiesDescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+        EntityAttributes MUST NOT appear more than once within a given <md:Extensions> element.
+    -->
+    <xsl:template match="md:Extensions/mdattr:EntityAttributes[position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one EntityAttributes element in an Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Section 2.3 line 182.
-		
-		EntityAttributes MUST NOT appear more than once within a given <md:Extensions> element.
-	-->
-	<xsl:template match="md:Extensions/mdattr:EntityAttributes[position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one EntityAttributes element in an Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_mdiop.xsl b/mdx/_rules/check_mdiop.xsl
index ac3104fd..ee0ec366 100644
--- a/mdx/_rules/check_mdiop.xsl
+++ b/mdx/_rules/check_mdiop.xsl
@@ -1,46 +1,46 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_mdiop.xsl
-	
-	Checking ruleset containing rules associated with the SAML V2.0 Metadata
-	Interoperability Profile, see:
+    check_mdiop.xsl
 
-		http://wiki.oasis-open.org/security/SAML2MetadataIOP
+    Checking ruleset containing rules associated with the SAML V2.0 Metadata
+    Interoperability Profile, see:
 
-	Author: Ian A. Young <ian@iay.org.uk>
+        http://wiki.oasis-open.org/security/SAML2MetadataIOP
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Section 2.5.1: at least one representation must appear.
-	-->
-	<xsl:template match="md:KeyDescriptor
-		[not(ds:KeyInfo/ds:KeyValue)]
-		[not(ds:KeyInfo/ds:X509Data/ds:X509Certificate)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">KeyDescriptor does not contain a key representation</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Section 2.5.1: only one X.509 certificate may appear in any KeyDescriptor.
-	-->
-	<xsl:template match="md:KeyDescriptor[count(ds:KeyInfo/ds:X509Data/ds:X509Certificate)>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">KeyDescriptor contains more than one X509Certificate</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Section 2.5.1: at least one representation must appear.
+    -->
+    <xsl:template match="md:KeyDescriptor
+        [not(ds:KeyInfo/ds:KeyValue)]
+        [not(ds:KeyInfo/ds:X509Data/ds:X509Certificate)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">KeyDescriptor does not contain a key representation</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.5.1: only one X.509 certificate may appear in any KeyDescriptor.
+    -->
+    <xsl:template match="md:KeyDescriptor[count(ds:KeyInfo/ds:X509Data/ds:X509Certificate)>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">KeyDescriptor contains more than one X509Certificate</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_mdrpi.xsl b/mdx/_rules/check_mdrpi.xsl
index db9911b9..0530f57a 100644
--- a/mdx/_rules/check_mdrpi.xsl
+++ b/mdx/_rules/check_mdrpi.xsl
@@ -1,175 +1,175 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_mdrpi.xsl
-	
-	Checking ruleset containing rules associated with the SAML V2.0 Metadata
-	Extensions for Registration and Publication Information Version 1.0, see:
+    check_mdrpi.xsl
 
-		http://wiki.oasis-open.org/security/SAML2MetadataDRI
-		
-	This ruleset reflects WD08, 12-Dec-2011.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    Checking ruleset containing rules associated with the SAML V2.0 Metadata
+    Extensions for Registration and Publication Information Version 1.0, see:
+
+        http://wiki.oasis-open.org/security/SAML2MetadataDRI
+
+    This ruleset reflects WD08, 12-Dec-2011.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-	
-	<!--
-		Section 2.1
-		
-		RegistrationInfo MUST appear within the Extensions of either
-		EntitiesDescriptor or EntityDescriptor.
-	-->
-	<xsl:template match="mdrpi:RegistrationInfo[not(parent::md:Extensions)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">RegistrationInfo must only appear within an Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:Extensions[mdrpi:RegistrationInfo]
-		[not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">RegistrationInfo must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Section 2.1
-		
-		<mdrpi:RegistrationInfo> MUST NOT appear more than once within a given <md:Extensions> element.
-	-->
-	<xsl:template match="md:Extensions/mdrpi:RegistrationInfo[position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one RegistrationInfo element in one Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Section 2.1
-		
-		If RegistrationInfo appears on an EntitiesDescriptor, that precludes any appearance on nested
-		EntitiesDescriptor or EntityDescriptor elements.
-	-->
-	<xsl:template match="md:EntitiesDescriptor[md:Extensions/mdrpi:RegistrationInfo]
-		[md:EntityDescriptor//mdrpi:RegistrationInfo | md:EntitiesDescriptor//mdrpi:RegistrationInfo]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">RegistrationInfo may not appear on both EntitiesDescriptor and child elements</xsl:with-param>
-		</xsl:call-template>        
-	</xsl:template>
-	
-	<!--
-		Section 2.1.1
-		
-		registrationInstant values MUST be expressed in the UTC timezone using the 'Z' timezone identifier.
-	-->
-	<xsl:template match="mdrpi:RegistrationInfo[@registrationInstant]
-		[substring(@registrationInstant, string-length(@registrationInstant)) != 'Z']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>registrationInstant does not end with 'Z': </xsl:text>
-				<xsl:value-of select="@registrationInstant"/>
-			</xsl:with-param>
-		</xsl:call-template>        
-	</xsl:template>
-	
-	<!--
-		Section 2.1.1
-		
-		RegistrationPolicy elements are required to have unique xml:lang values within a given container.
-	-->
-	<xsl:template match="mdrpi:RegistrationInfo">
-		<!-- unique xml:lang over RegistrationPolicy elements -->
-		<xsl:call-template name="uniqueLang">
-			<xsl:with-param name="e" select="mdrpi:RegistrationPolicy"/>
-		</xsl:call-template>
-		
-		<!-- handle individual elements -->
-		<xsl:apply-templates select="*"/>
-	</xsl:template>
-
-	<xsl:template name="uniqueLang">
-		<xsl:param name="e"/>
-		<xsl:variable name="l" select="$e/@xml:lang"></xsl:variable>
-		<xsl:variable name="u" select="set:distinct($l)"/>
-		<xsl:if test="count($l) != count($u)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">
-					<xsl:text>non-unique lang values on </xsl:text>
-					<xsl:value-of select="name($e)"/>
-					<xsl:text> elements</xsl:text>
-				</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-	</xsl:template>
-	
-	<!--
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Section 2.1
+
+        RegistrationInfo MUST appear within the Extensions of either
+        EntitiesDescriptor or EntityDescriptor.
+    -->
+    <xsl:template match="mdrpi:RegistrationInfo[not(parent::md:Extensions)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">RegistrationInfo must only appear within an Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:Extensions[mdrpi:RegistrationInfo]
+        [not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">RegistrationInfo must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.1
+
+        <mdrpi:RegistrationInfo> MUST NOT appear more than once within a given <md:Extensions> element.
+    -->
+    <xsl:template match="md:Extensions/mdrpi:RegistrationInfo[position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one RegistrationInfo element in one Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.1
+
+        If RegistrationInfo appears on an EntitiesDescriptor, that precludes any appearance on nested
+        EntitiesDescriptor or EntityDescriptor elements.
+    -->
+    <xsl:template match="md:EntitiesDescriptor[md:Extensions/mdrpi:RegistrationInfo]
+        [md:EntityDescriptor//mdrpi:RegistrationInfo | md:EntitiesDescriptor//mdrpi:RegistrationInfo]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">RegistrationInfo may not appear on both EntitiesDescriptor and child elements</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.1.1
+
+        registrationInstant values MUST be expressed in the UTC timezone using the 'Z' timezone identifier.
+    -->
+    <xsl:template match="mdrpi:RegistrationInfo[@registrationInstant]
+        [substring(@registrationInstant, string-length(@registrationInstant)) != 'Z']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>registrationInstant does not end with 'Z': </xsl:text>
+                <xsl:value-of select="@registrationInstant"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.1.1
+
+        RegistrationPolicy elements are required to have unique xml:lang values within a given container.
+    -->
+    <xsl:template match="mdrpi:RegistrationInfo">
+        <!-- unique xml:lang over RegistrationPolicy elements -->
+        <xsl:call-template name="uniqueLang">
+            <xsl:with-param name="e" select="mdrpi:RegistrationPolicy"/>
+        </xsl:call-template>
+
+        <!-- handle individual elements -->
+        <xsl:apply-templates select="*"/>
+    </xsl:template>
+
+    <xsl:template name="uniqueLang">
+        <xsl:param name="e"/>
+        <xsl:variable name="l" select="$e/@xml:lang"></xsl:variable>
+        <xsl:variable name="u" select="set:distinct($l)"/>
+        <xsl:if test="count($l) != count($u)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">
+                    <xsl:text>non-unique lang values on </xsl:text>
+                    <xsl:value-of select="name($e)"/>
+                    <xsl:text> elements</xsl:text>
+                </xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+    </xsl:template>
+
+    <!--
         Section 2.2
-        
+
         PublicationInfo MUST appear within the Extensions of either
         EntitiesDescriptor or EntityDescriptor.
     -->
-	<xsl:template match="md:PublicationInfo[not(parent::md:Extensions)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">PublicationInfo must only appear within an Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:Extensions[mdrpi:PublicationInfo]
-		[not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">PublicationInfo must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Section 2.2
-		
-		PublicationInfo SHOULD NOT appear except on the document element.
-		
-		Interpreted as a MUST NOT for now.
-	-->
-	<xsl:template match="mdrpi:PublicationInfo[parent::md:Extensions/parent::md:*/parent::*]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">PublicationInfo must be within document element's Extensions</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    <xsl:template match="md:PublicationInfo[not(parent::md:Extensions)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">PublicationInfo must only appear within an Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:Extensions[mdrpi:PublicationInfo]
+        [not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">PublicationInfo must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Section 2.2
-        
+
+        PublicationInfo SHOULD NOT appear except on the document element.
+
+        Interpreted as a MUST NOT for now.
+    -->
+    <xsl:template match="mdrpi:PublicationInfo[parent::md:Extensions/parent::md:*/parent::*]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">PublicationInfo must be within document element's Extensions</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.2
+
         <mdrpi:PublicationInfo> MUST NOT appear more than once within a given <md:Extensions> element.
     -->
-	<xsl:template match="md:Extensions/mdrpi:PublicationInfo[position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one PublicationInfo element in one Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    <xsl:template match="md:Extensions/mdrpi:PublicationInfo[position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one PublicationInfo element in one Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Section 2.1, 2.2
-        
+
         Restrict the elements in this namespace which can appear directly within md:Extensions
         to the two defined container elements.  This will catch mis-spelled containers.
     -->
-	<xsl:template match="md:Extensions/mdrpi:*
-		[not(local-name()='RegistrationInfo')][not(local-name()='PublicationInfo')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>misspelled or misplaced mdrpi element within md:Extensions: </xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
+    <xsl:template match="md:Extensions/mdrpi:*
+        [not(local-name()='RegistrationInfo')][not(local-name()='PublicationInfo')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>misspelled or misplaced mdrpi element within md:Extensions: </xsl:text>
+                <xsl:value-of select="local-name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_mdui.xsl b/mdx/_rules/check_mdui.xsl
index a2a53f44..547a524e 100644
--- a/mdx/_rules/check_mdui.xsl
+++ b/mdx/_rules/check_mdui.xsl
@@ -1,141 +1,141 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_mdui.xsl
-	
-	Checking ruleset containing rules associated with the SAML V2.0 Metadata
-	Extensions for Login and Discovery User Interface Version 1.0, see:
+    check_mdui.xsl
 
-		http://wiki.oasis-open.org/security/SAML2MetadataUI
-		
-	This ruleset reflects WD08, 17-Jul-2011.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    Checking ruleset containing rules associated with the SAML V2.0 Metadata
+    Extensions for Login and Discovery User Interface Version 1.0, see:
+
+        http://wiki.oasis-open.org/security/SAML2MetadataUI
+
+    This ruleset reflects WD08, 17-Jul-2011.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-	
-	<!--
-		Section 2.1
-		
-		<mdui:UIInfo> MUST NOT appear more than once within a given <md:Extensions> element.
-	-->
-	<xsl:template match="md:Extensions/mdui:UIInfo[position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one UIInfo element in one Extensions element</xsl:with-param>
-		</xsl:call-template>		
-	</xsl:template>
-	
-	<!--
-		Section 2.1, 2.2
-		
-		Restrict the elements in this namespace which can appear directly within md:Extensions
-		to the two defined container elements.  This will catch mis-spelled containers.
-	-->
-	<xsl:template match="md:Extensions/mdui:*
-		[not(local-name()='UIInfo')][not(local-name()='DiscoHints')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>misspelled or misplaced mdui element within md:Extensions: </xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 2.1.1
-		
-		The <mdui:UIInfo> container element [...] MUST appear within the
-		<md:Extensions> element of a role element (one whose type is based on
-		md:RoleDescriptorType).
-		
-		[The rule here further restricts the location to within either IDPSSODescriptor or
-		SPSSODescriptor elements, which are the ones it actually makes sense to use today.]
-	-->
-	<xsl:template match="mdui:UIInfo[not(parent::md:Extensions)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">UIInfo appearing outside Extensions element</xsl:with-param>
-		</xsl:call-template>        
-	</xsl:template>
-	<xsl:template match="md:Extensions[mdui:UIInfo]
-		[not(parent::md:IDPSSODescriptor)][not(parent::md:SPSSODescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>UIInfo appearing outside SSO descriptor element (</xsl:text>
-				<xsl:value-of select="name(..)"/>
-				<xsl:text>)</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>        
-	</xsl:template>
-
-	<!--
-		Constraints across multiple elements within the container.
-		
-		DisplayName, Description, InformationURL and PrivacyStatementURL elements
-		are all required to have unique xml:lang values within their element type.
-	-->
-	<xsl:template match="mdui:UIInfo">
-		<!-- unique xml:lang over DisplayName elements -->
-		<xsl:call-template name="uniqueLang">
-			<xsl:with-param name="e" select="mdui:DisplayName"/>
-		</xsl:call-template>
-		
-		<!-- unique xml:lang over Description elements -->
-		<xsl:call-template name="uniqueLang">
-			<xsl:with-param name="e" select="mdui:Description"/>
-		</xsl:call-template>
-		
-		<!-- unique xml:lang over Keywords elements -->
-		<xsl:call-template name="uniqueLang">
-			<xsl:with-param name="e" select="mdui:Keywords"/>
-		</xsl:call-template>
-		
-		<!-- unique xml:lang over InformationURL elements -->
-		<xsl:call-template name="uniqueLang">
-			<xsl:with-param name="e" select="mdui:InformationURL"/>
-		</xsl:call-template>
-		
-		<!-- unique xml:lang over PrivacyStatementURL elements -->
-		<xsl:call-template name="uniqueLang">
-			<xsl:with-param name="e" select="mdui:PrivacyStatementURL"/>
-		</xsl:call-template>
-		
-		<!-- handle individual elements -->
-		<xsl:apply-templates select="*"/>
-	</xsl:template>
-	<xsl:template name="uniqueLang">
-		<xsl:param name="e"/>
-		<xsl:variable name="l" select="$e/@xml:lang"></xsl:variable>
-		<xsl:variable name="u" select="set:distinct($l)"/>
-		<xsl:if test="count($l) != count($u)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">
-					<xsl:text>non-unique lang values on </xsl:text>
-					<xsl:value-of select="name($e)"/>
-					<xsl:text> elements</xsl:text>
-				</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-	</xsl:template>
-	
-	
-	<!--
-		Section 2.1.5 Element <mdui:Logo>
-	-->
-	<xsl:template match="mdui:Logo">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Section 2.1
+
+        <mdui:UIInfo> MUST NOT appear more than once within a given <md:Extensions> element.
+    -->
+    <xsl:template match="md:Extensions/mdui:UIInfo[position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one UIInfo element in one Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.1, 2.2
+
+        Restrict the elements in this namespace which can appear directly within md:Extensions
+        to the two defined container elements.  This will catch mis-spelled containers.
+    -->
+    <xsl:template match="md:Extensions/mdui:*
+        [not(local-name()='UIInfo')][not(local-name()='DiscoHints')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>misspelled or misplaced mdui element within md:Extensions: </xsl:text>
+                <xsl:value-of select="local-name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.1.1
+
+        The <mdui:UIInfo> container element [...] MUST appear within the
+        <md:Extensions> element of a role element (one whose type is based on
+        md:RoleDescriptorType).
+
+        [The rule here further restricts the location to within either IDPSSODescriptor or
+        SPSSODescriptor elements, which are the ones it actually makes sense to use today.]
+    -->
+    <xsl:template match="mdui:UIInfo[not(parent::md:Extensions)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">UIInfo appearing outside Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:Extensions[mdui:UIInfo]
+        [not(parent::md:IDPSSODescriptor)][not(parent::md:SPSSODescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>UIInfo appearing outside SSO descriptor element (</xsl:text>
+                <xsl:value-of select="name(..)"/>
+                <xsl:text>)</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Constraints across multiple elements within the container.
+
+        DisplayName, Description, InformationURL and PrivacyStatementURL elements
+        are all required to have unique xml:lang values within their element type.
+    -->
+    <xsl:template match="mdui:UIInfo">
+        <!-- unique xml:lang over DisplayName elements -->
+        <xsl:call-template name="uniqueLang">
+            <xsl:with-param name="e" select="mdui:DisplayName"/>
+        </xsl:call-template>
+
+        <!-- unique xml:lang over Description elements -->
+        <xsl:call-template name="uniqueLang">
+            <xsl:with-param name="e" select="mdui:Description"/>
+        </xsl:call-template>
+
+        <!-- unique xml:lang over Keywords elements -->
+        <xsl:call-template name="uniqueLang">
+            <xsl:with-param name="e" select="mdui:Keywords"/>
+        </xsl:call-template>
+
+        <!-- unique xml:lang over InformationURL elements -->
+        <xsl:call-template name="uniqueLang">
+            <xsl:with-param name="e" select="mdui:InformationURL"/>
+        </xsl:call-template>
+
+        <!-- unique xml:lang over PrivacyStatementURL elements -->
+        <xsl:call-template name="uniqueLang">
+            <xsl:with-param name="e" select="mdui:PrivacyStatementURL"/>
+        </xsl:call-template>
+
+        <!-- handle individual elements -->
+        <xsl:apply-templates select="*"/>
+    </xsl:template>
+    <xsl:template name="uniqueLang">
+        <xsl:param name="e"/>
+        <xsl:variable name="l" select="$e/@xml:lang"></xsl:variable>
+        <xsl:variable name="u" select="set:distinct($l)"/>
+        <xsl:if test="count($l) != count($u)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">
+                    <xsl:text>non-unique lang values on </xsl:text>
+                    <xsl:value-of select="name($e)"/>
+                    <xsl:text> elements</xsl:text>
+                </xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+    </xsl:template>
+
+
+    <!--
+        Section 2.1.5 Element <mdui:Logo>
+    -->
+    <xsl:template match="mdui:Logo">
         <!--
             Logos must never include un-encoded line breaks. This makes them invalid
             URLs, but also causes problems with the Shibboleth CDS.
@@ -151,28 +151,28 @@
                 <xsl:with-param name="m">mdui:Logo contains non-breaking space</xsl:with-param>
             </xsl:call-template>
         </xsl:if>
-		
-		<!--
-			Require that the URL starts with https://
-			
-			This is a SHOULD in the specification; we treat it as a MUST here.
-			
-			Exception: allow data: URIs as well.  The spec is currently
-			ambiguous about this, clarification ticket is here:
-			
-			https://tools.oasis-open.org/issues/browse/SECURITY-24
-		-->
-		<xsl:if test="not(starts-with(., 'https://'))">
-			<xsl:if test="not(starts-with(., 'data:'))">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">mdui:Logo URL does not start with https://</xsl:with-param>
-				</xsl:call-template>
-			</xsl:if>
-		</xsl:if>
-        
+
+        <!--
+            Require that the URL starts with https://
+
+            This is a SHOULD in the specification; we treat it as a MUST here.
+
+            Exception: allow data: URIs as well.  The spec is currently
+            ambiguous about this, clarification ticket is here:
+
+            https://tools.oasis-open.org/issues/browse/SECURITY-24
+        -->
+        <xsl:if test="not(starts-with(., 'https://'))">
+            <xsl:if test="not(starts-with(., 'data:'))">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">mdui:Logo URL does not start with https://</xsl:with-param>
+                </xsl:call-template>
+            </xsl:if>
+        </xsl:if>
+
         <!--
             Check for <mdui:Logo> elements that aren't valid URLs.
-            
+
             Again, explicitly permit anything starting with 'data:', so that the
             only validity test we're performing on data: URLs is the "no newline" rule.
         -->
@@ -190,85 +190,85 @@
                 </xsl:call-template>
             </xsl:if>
         </xsl:if>
-	</xsl:template>
-
-	<!--
-		Section 2.1.6 Element <mdui:InformationURL>
-		
-		Require that the URL is valid.
-	-->
-	<xsl:template match="mdui:InformationURL[mdxURL:invalidURL(.)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>mdui:</xsl:text>
-				<xsl:value-of select='local-name()'/>
-				<xsl:text> '</xsl:text>
-				<xsl:value-of select="."/>
-				<xsl:text>' is not a valid URL: </xsl:text>
-				<xsl:value-of select="mdxURL:whyInvalid(.)"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    </xsl:template>
+
+    <!--
+        Section 2.1.6 Element <mdui:InformationURL>
+
+        Require that the URL is valid.
+    -->
+    <xsl:template match="mdui:InformationURL[mdxURL:invalidURL(.)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>mdui:</xsl:text>
+                <xsl:value-of select='local-name()'/>
+                <xsl:text> '</xsl:text>
+                <xsl:value-of select="."/>
+                <xsl:text>' is not a valid URL: </xsl:text>
+                <xsl:value-of select="mdxURL:whyInvalid(.)"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Section 2.1.7 Element <mdui:PrivacyStatementURL>
-        
+
         Require that the URL is valid.
     -->
-	<xsl:template match="mdui:PrivacyStatementURL[mdxURL:invalidURL(.)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>mdui:</xsl:text>
-				<xsl:value-of select='local-name()'/>
-				<xsl:text> '</xsl:text>
-				<xsl:value-of select="."/>
-				<xsl:text>' is not a valid URL: </xsl:text>
-				<xsl:value-of select="mdxURL:whyInvalid(.)"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Section 2.2
-		
-		The <mdui:DiscoHints> container element [...] MUST appear within the
-		<md:Extensions> element of an <md:IDPSSODescriptor> element.
-	-->
-	<xsl:template match="mdui:DiscoHints[not(parent::md:Extensions)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">DiscoHints appearing outside Extensions element</xsl:with-param>
-		</xsl:call-template>        
-	</xsl:template>
-	<xsl:template match="md:Extensions[mdui:DiscoHints][not(parent::md:IDPSSODescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>DiscoHints appearing outside IDPSSODescriptor element (</xsl:text>
-				<xsl:value-of select="name(..)"/>
-				<xsl:text>)</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>        
-	</xsl:template>
-	
-	<!--
-		Section 2.2
-		
-		<mdui:DiscoHints> MUST NOT appear more than once within a given <md:Extensions> element.
-	-->
-	<xsl:template match="md:Extensions/mdui:DiscoHints[position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one DiscoHints element in one Extensions element</xsl:with-param>
-		</xsl:call-template>        
-	</xsl:template>
-	
-	<!--
-		Section 2.2.4
-		
-		Coordinates are given in URI form using the geo URI scheme [RFC5870].
-	-->
-	<xsl:template match="mdui:GeolocationHint[not(starts-with(., 'geo:'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">GeolocationHint must be RFC5870 URI starting with 'geo:'</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
+    <xsl:template match="mdui:PrivacyStatementURL[mdxURL:invalidURL(.)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>mdui:</xsl:text>
+                <xsl:value-of select='local-name()'/>
+                <xsl:text> '</xsl:text>
+                <xsl:value-of select="."/>
+                <xsl:text>' is not a valid URL: </xsl:text>
+                <xsl:value-of select="mdxURL:whyInvalid(.)"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.2
+
+        The <mdui:DiscoHints> container element [...] MUST appear within the
+        <md:Extensions> element of an <md:IDPSSODescriptor> element.
+    -->
+    <xsl:template match="mdui:DiscoHints[not(parent::md:Extensions)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">DiscoHints appearing outside Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:Extensions[mdui:DiscoHints][not(parent::md:IDPSSODescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>DiscoHints appearing outside IDPSSODescriptor element (</xsl:text>
+                <xsl:value-of select="name(..)"/>
+                <xsl:text>)</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.2
+
+        <mdui:DiscoHints> MUST NOT appear more than once within a given <md:Extensions> element.
+    -->
+    <xsl:template match="md:Extensions/mdui:DiscoHints[position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one DiscoHints element in one Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.2.4
+
+        Coordinates are given in URI form using the geo URI scheme [RFC5870].
+    -->
+    <xsl:template match="mdui:GeolocationHint[not(starts-with(., 'geo:'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">GeolocationHint must be RFC5870 URI starting with 'geo:'</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_misc.xsl b/mdx/_rules/check_misc.xsl
index 1b498ab0..4288d858 100644
--- a/mdx/_rules/check_misc.xsl
+++ b/mdx/_rules/check_misc.xsl
@@ -1,93 +1,106 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_misc.xsl
-	
-	Checking ruleset containing generally applicable rules not falling into any
-	other category.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_misc.xsl
+
+    Checking ruleset containing generally applicable rules not falling into any
+    other category.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	
-	<!--
-		Entity IDs should not contain space characters.
-	-->
-	<xsl:template match="md:EntityDescriptor[contains(@entityID, ' ')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">entity ID contains space character</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Check for OrganizationDisplayName elements containing line breaks.
-	-->
-	<xsl:template match="md:OrganizationDisplayName[contains(., '&#10;')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">OrganizationDisplayName contains line break</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		@Location attributes should not contain space characters.
-		
-		This may be a little strict, and might be better confined to md:* elements.
-		At present, however, this produces no false positives.
-	-->
-	<xsl:template match="*[contains(@Location, ' ')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location contains space character</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		@Binding attributes should not contain space characters.
-		
-		This may be a little strict, and might be better confined to md:* elements.
-		At present, however, this produces no false positives.
-	-->
-	<xsl:template match="*[contains(@Binding, ' ')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Binding contains space character</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Check for empty xml:lang elements, automatically generated by OIOSAML.
-		
-		This is not schema-valid so would be caught further down the line anyway,
-		but it's nice to have a clear error message earlier in the process.
-	-->
-	<xsl:template match="@xml:lang[.='']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">empty xml:lang attribute</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		A Shibboleth scope shouldn't be just "ac.uk".
-	-->
-	<xsl:template match="shibmd:Scope[.='ac.uk']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">bare 'ac.uk' scope not permitted</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        Entity IDs should not contain space characters.
+    -->
+    <xsl:template match="md:EntityDescriptor[contains(@entityID, ' ')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">entity ID contains space character</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for OrganizationDisplayName elements containing line breaks.
+    -->
+    <xsl:template match="md:OrganizationDisplayName[contains(., '&#10;')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">OrganizationDisplayName contains line break</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        @Location attributes should not contain space characters.
+
+        This may be a little strict, and might be better confined to md:* elements.
+        At present, however, this produces no false positives.
+    -->
+    <xsl:template match="*[contains(@Location, ' ')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location contains space character</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        @ResponseLocation attributes should not contain space characters.
+
+        This may be a little strict, and might be better confined to md:* elements.
+        At present, however, this produces no false positives.
+    -->
+    <xsl:template match="*[contains(@ResponseLocation, ' ')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation contains space character</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        @Binding attributes should not contain space characters.
+
+        This may be a little strict, and might be better confined to md:* elements.
+        At present, however, this produces no false positives.
+    -->
+    <xsl:template match="*[contains(@Binding, ' ')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Binding contains space character</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for empty xml:lang elements, automatically generated by OIOSAML.
+
+        This is not schema-valid so would be caught further down the line anyway,
+        but it's nice to have a clear error message earlier in the process.
+    -->
+    <xsl:template match="@xml:lang[.='']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">empty xml:lang attribute</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        A Shibboleth scope shouldn't be just "ac.uk".
+    -->
+    <xsl:template match="shibmd:Scope[.='ac.uk']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">bare 'ac.uk' scope not permitted</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_namespaces.xsl b/mdx/_rules/check_namespaces.xsl
index 315d39ca..fffd0369 100644
--- a/mdx/_rules/check_namespaces.xsl
+++ b/mdx/_rules/check_namespaces.xsl
@@ -1,112 +1,107 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
-	check_namespaces.xsl
-	
-	Metadata checking ruleset that ensures that all namespaces used in a metadata file
-	are known to us, by flagging those which are not.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
-	
+
+    check_namespaces.xsl
+
+    Metadata checking ruleset that ensures that all namespaces used in a metadata file
+    are known to us, by flagging those which are not.
+
+    Author: Ian A. Young <ian@iay.org.uk>
+
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-	
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-	
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-	
-	<!--
-		Explicitly accept elements in namespaces which we know about.
-	-->
-	
-	<xsl:template match="alg:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="ds:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="hoksso:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="idpdisc:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="init:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="md:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="mdattr:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="mdrpi:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="mdui:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="saml:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="shibmd:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="ukfedlabel:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="wayf:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="xenc:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<!--
-		Reject elements in all other namespaces.
-	-->
-	
-	<xsl:template match="*">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>Unknown namespace: </xsl:text>
-				<xsl:value-of select="namespace-uri()"/>
-				<xsl:text> on element </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Explicitly accept elements in namespaces which we know about.
+    -->
+
+    <xsl:template match="alg:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="ds:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="hoksso:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="idpdisc:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="init:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="md:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="mdattr:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="mdrpi:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="mdui:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="saml:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="shibmd:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="ukfedlabel:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="xenc:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <!--
+        Reject elements in all other namespaces.
+    -->
+
+    <xsl:template match="*">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>Unknown namespace: </xsl:text>
+                <xsl:value-of select="namespace-uri()"/>
+                <xsl:text> on element </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_rands_member.xsl b/mdx/_rules/check_rands_member.xsl
index bee2e9d0..0d98138a 100644
--- a/mdx/_rules/check_rands_member.xsl
+++ b/mdx/_rules/check_rands_member.xsl
@@ -1,86 +1,86 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_rands_member.xsl
-	
-	Checking ruleset containing rules associated with membership of the REFEDS
-	Research and Scholarship entity category, see:
+    check_rands_member.xsl
 
-		https://refeds.org/category/research-and-scholarship/
-		
-	This ruleset reflects v1.3, 8-Sep-2016.
+    Checking ruleset containing rules associated with membership of the REFEDS
+    Research and Scholarship entity category, see:
 
-	Author: Ian A. Young <ian@iay.org.uk>
+        https://refeds.org/category/research-and-scholarship/
+
+    This ruleset reflects v1.3, 8-Sep-2016.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
     <!--
-    	Process entity category.
-	-->
-	<xsl:template match="md:EntityDescriptor
-		[md:Extensions/mdattr:EntityAttributes/saml:Attribute
-		[@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
-		[@Name='http://macedir.org/entity-category']
-		/saml:AttributeValue[.='http://refeds.org/category/research-and-scholarship']
-		]">
-		<xsl:choose>
-			<!--
-				(Implicit) applies only to service providers.
-			-->
-			<xsl:when test="not(md:SPSSODescriptor)">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">REFEDS R+S only applies to service provider entities</xsl:with-param>
-				</xsl:call-template>        
-			</xsl:when>
-			<!--
-		        4.3.1
+        Process entity category.
+    -->
+    <xsl:template match="md:EntityDescriptor
+        [md:Extensions/mdattr:EntityAttributes/saml:Attribute
+        [@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+        [@Name='http://macedir.org/entity-category']
+        /saml:AttributeValue[.='http://refeds.org/category/research-and-scholarship']
+        ]">
+        <xsl:choose>
+            <!--
+                (Implicit) applies only to service providers.
+            -->
+            <xsl:when test="not(md:SPSSODescriptor)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">REFEDS R+S only applies to service provider entities</xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+            <!--
+                4.3.1
+
+                The Service Provider [...] supports SAML V2.0 HTTP-POST binding.
+            -->
+            <xsl:when test="not(md:SPSSODescriptor/md:AssertionConsumerService
+                [@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'])">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">REFEDS R+S requires SAML 2.0 POST support</xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+            <!--
+                4.3.3
 
-        		The Service Provider [...] supports SAML V2.0 HTTP-POST binding.
-    		-->
-			<xsl:when test="not(md:SPSSODescriptor/md:AssertionConsumerService
-				[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'])">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">REFEDS R+S requires SAML 2.0 POST support</xsl:with-param>
-				</xsl:call-template>        
-			</xsl:when>
-			<!--
-				4.3.3
-				
-				The Service Provider provides an mdui:DisplayName and mdui:InformationURL in metadata.
-			-->
-			<xsl:when test="not(md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName)">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">REFEDS R+S requires mdui:DisplayName</xsl:with-param>
-				</xsl:call-template>        
-			</xsl:when>
-			<xsl:when test="not(md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:InformationURL)">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">REFEDS R+S requires mdui:InformationURL</xsl:with-param>
-				</xsl:call-template>        
-			</xsl:when>
-			<!--
-				4.3.4
+                The Service Provider provides an mdui:DisplayName and mdui:InformationURL in metadata.
+            -->
+            <xsl:when test="not(md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">REFEDS R+S requires mdui:DisplayName</xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+            <xsl:when test="not(md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:InformationURL)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">REFEDS R+S requires mdui:InformationURL</xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+            <!--
+                4.3.4
 
-				The Service Provider provides one or more technical contacts in metadata.
-			-->
-			<xsl:when test="not(md:ContactPerson[@contactType='technical'])">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">REFEDS R+S requires one or more technical contacts</xsl:with-param>
-				</xsl:call-template>        
-			</xsl:when>
-		</xsl:choose>
-	</xsl:template>
+                The Service Provider provides one or more technical contacts in metadata.
+            -->
+            <xsl:when test="not(md:ContactPerson[@contactType='technical'])">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">REFEDS R+S requires one or more technical contacts</xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+        </xsl:choose>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_rands_support.xsl b/mdx/_rules/check_rands_support.xsl
index fe92e6d8..c767b394 100644
--- a/mdx/_rules/check_rands_support.xsl
+++ b/mdx/_rules/check_rands_support.xsl
@@ -1,49 +1,49 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_rands_support.xsl
-	
-	Checking ruleset containing rules associated with the REFEDS
-	Research and Scholarship entity support category, see:
+    check_rands_support.xsl
 
-		https://refeds.org/category/research-and-scholarship/
-		
-	This ruleset reflects v1.3, 8-Sep-2016.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    Checking ruleset containing rules associated with the REFEDS
+    Research and Scholarship entity support category, see:
+
+        https://refeds.org/category/research-and-scholarship/
+
+    This ruleset reflects v1.3, 8-Sep-2016.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
         Process entity support category.
     -->
-	<xsl:template match="md:EntityDescriptor
-		[md:Extensions/mdattr:EntityAttributes/saml:Attribute
-		[@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
-		[@Name='http://macedir.org/entity-category-support']
-		/saml:AttributeValue[.='http://refeds.org/category/research-and-scholarship']
-		]">
-		<xsl:choose>
-			<!--
+    <xsl:template match="md:EntityDescriptor
+        [md:Extensions/mdattr:EntityAttributes/saml:Attribute
+        [@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+        [@Name='http://macedir.org/entity-category-support']
+        /saml:AttributeValue[.='http://refeds.org/category/research-and-scholarship']
+        ]">
+        <xsl:choose>
+            <!--
                 (Implicit) applies only to identity providers.
             -->
-			<xsl:when test="not(md:IDPSSODescriptor)">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">REFEDS R+S support only applies to identity provider entities</xsl:with-param>
-				</xsl:call-template>        
-			</xsl:when>
-		</xsl:choose>
-	</xsl:template>
+            <xsl:when test="not(md:IDPSSODescriptor)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">REFEDS R+S support only applies to identity provider entities</xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+        </xsl:choose>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_regauth.xsl b/mdx/_rules/check_regauth.xsl
index e98400ae..617514ca 100644
--- a/mdx/_rules/check_regauth.xsl
+++ b/mdx/_rules/check_regauth.xsl
@@ -1,42 +1,42 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_regauth.xsl
+    check_regauth.xsl
+
+    Check that the registration authority on an entity is the expected one.
 
-	Check that the registration authority on an entity is the expected one.
-	
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-	
-	<!--
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
         expectedAuthority
-        
+
         Set this parameter from the calling context.
     -->
-	<xsl:param name="expectedAuthority">(value not set)</xsl:param>
-	
-	<xsl:template match="mdrpi:RegistrationInfo">
-		<xsl:if test="@registrationAuthority != $expectedAuthority">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">
-					<xsl:text>unexpected registration authority '</xsl:text>
-					<xsl:value-of select="@registrationAuthority"/>
-					<xsl:text>'; expected '</xsl:text>
-					<xsl:value-of select="$expectedAuthority"/>
-					<xsl:text>' for this channel</xsl:text>
-				</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-	</xsl:template>
-	
+    <xsl:param name="expectedAuthority">(value not set)</xsl:param>
+
+    <xsl:template match="mdrpi:RegistrationInfo">
+        <xsl:if test="@registrationAuthority != $expectedAuthority">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">
+                    <xsl:text>unexpected registration authority '</xsl:text>
+                    <xsl:value-of select="@registrationAuthority"/>
+                    <xsl:text>'; expected '</xsl:text>
+                    <xsl:value-of select="$expectedAuthority"/>
+                    <xsl:text>' for this channel</xsl:text>
+                </xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_reqattr.xsl b/mdx/_rules/check_reqattr.xsl
index 6840a020..455d35e8 100644
--- a/mdx/_rules/check_reqattr.xsl
+++ b/mdx/_rules/check_reqattr.xsl
@@ -1,507 +1,507 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_reqattr.xsl
-	
-	Checking ruleset for RequestedAttribute elements in SAML 2.0 metadata.
-
-	The main check being performed here is that the Name and NameFormat attributes
-	of a RequestedAttribute element together designate a real SAML attribute, either
-	explicitly or implicitly covered by some specification.  Other combinations
-	of Name+NameFormat are presumptively erroneous.
-	
-	Attribute profiles we make use of here:
-	
-	* eduPerson 2008
-	
-	* MACE-Dir SAML Attribute Profiles, April 2008
-	
-	* SWITCHaai Attribute Specification, 2010-06-23
-	
-	* grEduPerson
-		from http://aai.grnet.gr/static/grEduPerson.schema
-		and http://aai.grnet.gr/static/policy/policy-en.pdf
-	
-	* SCHAC
-		Only very basic coverage, most attributes to come later.
-		http://www.terena.org/activities/tf-emc2/docs/schac/schac-schema-IAD-1.4.1.pdf
-		http://www.terena.org/registry/terena.org/attribute-def/
-		http://www.terena.org/registry/terena.org/schac/
-		Assuming encoding rules equivalent to MACEAttr.
-    
-
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_reqattr.xsl
+
+    Checking ruleset for RequestedAttribute elements in SAML 2.0 metadata.
+
+    The main check being performed here is that the Name and NameFormat attributes
+    of a RequestedAttribute element together designate a real SAML attribute, either
+    explicitly or implicitly covered by some specification.  Other combinations
+    of Name+NameFormat are presumptively erroneous.
+
+    Attribute profiles we make use of here:
+
+    * eduPerson 2008
+
+    * MACE-Dir SAML Attribute Profiles, April 2008
+
+    * SWITCHaai Attribute Specification, 2010-06-23
+
+    * grEduPerson
+        from http://aai.grnet.gr/static/grEduPerson.schema
+        and http://aai.grnet.gr/static/policy/policy-en.pdf
+
+    * SCHAC
+        Only very basic coverage, most attributes to come later.
+        http://www.terena.org/activities/tf-emc2/docs/schac/schac-schema-IAD-1.4.1.pdf
+        http://www.terena.org/registry/terena.org/attribute-def/
+        http://www.terena.org/registry/terena.org/schac/
+        Assuming encoding rules equivalent to MACEAttr.
+
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-
-	<!--
-		Lack of NameFormat is equivalent to an explicit NameFormat of
-		'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified',
-		see http://tools.oasis-open.org/issues/browse/SECURITY-11
-		
-		This is almost certainly not correct, as an implicit
-		NameFormat of 'unspecified' is not the same as saying that
-		any NameFormat will match.
-	-->
-	<xsl:template match="md:RequestedAttribute[not(@NameFormat)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>RequestedAttribute </xsl:text>
-				<xsl:value-of select="@Name"/>
-				<xsl:text> lacks NameFormat attribute</xsl:text>
-				<xsl:text> (implicitly 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Present but unknown, and therefore presumptively unsuitable, NameFormat values.
-	-->
-	<xsl:template match="md:RequestedAttribute[@NameFormat]
-		[@NameFormat!='urn:mace:shibboleth:1.0:attributeNamespace:uri']
-		[@NameFormat!='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>RequestedAttribute uses NameFormat of </xsl:text>
-				<xsl:value-of select="@NameFormat"/>
-				<xsl:text>: unsuitable for cross-domain use</xsl:text>
-				<xsl:if test="@FriendlyName">
-					<xsl:text> (</xsl:text>
-					<xsl:value-of select="@FriendlyName"/>
-					<xsl:text>)</xsl:text>
-				</xsl:if>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		If NameFormat is "urn:mace:shibboleth:1.0:attributeNamespace:uri", then we are
-		dealing with a SAML 1.x attribute.
-	-->
-	<xsl:template match="md:RequestedAttribute
-		[@NameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri']">
-		<xsl:choose>
-			
-			<!--
-				MACE-Dir Attribute Profile for SAML 1.x
-				
-				2.2.1: Legacy names that are explicitly permitted.
-				
-				Taken from MACE-Dir SAML Attribute Profiles, April 2008
-			-->
-			<xsl:when test="
-				@Name='urn:mace:dir:attribute-def:eduPersonScopedAffiliation' or
-				@Name='urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation' or
-				@Name='urn:mace:dir:attribute-def:eduPersonAffiliation' or
-				@Name='urn:mace:dir:attribute-def:eduPersonPrincipalName' or
-				@Name='urn:mace:dir:attribute-def:eduPersonEntitlement' or
-				@Name='urn:mace:dir:attribute-def:eduPersonTargetedID' or
-				@Name='urn:mace:dir:attribute-def:eduPersonNickname' or
-				@Name='urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN' or
-				@Name='urn:mace:dir:attribute-def:eduPersonOrgUnitDN' or
-				@Name='urn:mace:dir:attribute-def:eduPersonOrgDN' or
-				@Name='urn:mace:dir:attribute-def:eduCourseMember' or
-				@Name='urn:mace:dir:attribute-def:businessCategory' or
-				@Name='urn:mace:dir:attribute-def:carLicense' or
-				@Name='urn:mace:dir:attribute-def:cn' or
-				@Name='urn:mace:dir:attribute-def:departmentNumber' or
-				@Name='urn:mace:dir:attribute-def:description' or
-				@Name='urn:mace:dir:attribute-def:displayName' or
-				@Name='urn:mace:dir:attribute-def:employeeNumber' or
-				@Name='urn:mace:dir:attribute-def:employeeType' or
-				@Name='urn:mace:dir:attribute-def:facsimileTelephoneNumber' or
-				@Name='urn:mace:dir:attribute-def:givenName' or
-				@Name='urn:mace:dir:attribute-def:homePhone' or
-				@Name='urn:mace:dir:attribute-def:homePostalAddress' or
-				@Name='urn:mace:dir:attribute-def:initials' or
-				@Name='urn:mace:dir:attribute-def:jpegPhoto' or
-				@Name='urn:mace:dir:attribute-def:l' or
-				@Name='urn:mace:dir:attribute-def:labeledURI' or
-				@Name='urn:mace:dir:attribute-def:mail' or
-				@Name='urn:mace:dir:attribute-def:manager' or
-				@Name='urn:mace:dir:attribute-def:mobile' or
-				@Name='urn:mace:dir:attribute-def:o' or
-				@Name='urn:mace:dir:attribute-def:ou' or
-				@Name='urn:mace:dir:attribute-def:pager' or
-				@Name='urn:mace:dir:attribute-def:physicalDeliveryOfficeName' or
-				@Name='urn:mace:dir:attribute-def:postalAddress' or
-				@Name='urn:mace:dir:attribute-def:postalCode' or
-				@Name='urn:mace:dir:attribute-def:postOfficeBox' or
-				@Name='urn:mace:dir:attribute-def:preferredLanguage' or
-				@Name='urn:mace:dir:attribute-def:roomNumber' or
-				@Name='urn:mace:dir:attribute-def:seeAlso' or
-				@Name='urn:mace:dir:attribute-def:sn' or
-				@Name='urn:mace:dir:attribute-def:st' or
-				@Name='urn:mace:dir:attribute-def:street' or
-				@Name='urn:mace:dir:attribute-def:telephoneNumber' or
-				@Name='urn:mace:dir:attribute-def:title' or
-				@Name='urn:mace:dir:attribute-def:uid' or
-				@Name='urn:mace:dir:attribute-def:userCertificate' or
-				@Name='urn:mace:dir:attribute-def:userSMIMECertificate'
-				">
-				<!-- OK -->
-			</xsl:when>
-			
-			<!--
-				Legacy name for eduPersonAssurance (from eduPerson 2008)
-			-->
-			<xsl:when test="@Name='urn:mace:dir:attribute-def:eduPersonAssurance'">
-				<!-- OK -->
-			</xsl:when>
-			
-			<!--
-				MACE-Dir Attribute Profile for SAML 1.x
-				
-				2.3.2.1.1: Recommended name and syntax for eduPersonTargetedID.
-			-->
-			<xsl:when test="@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.10'">
-				<!-- OK -->
-			</xsl:when>
-			
-			<!--
-				MACE-Dir Attribute Profile for SAML 1.x
-				
-				'urn:oid:' equivalents of legacy names should NOT appear.
-				If they do, they are probably intended to be a SAML 2.0 mapping.
-				
-				The list is in same order as the list of legacy names above, and
-				includes the OID for eduPersonAssurance at the end.
-			-->
-			<xsl:when test="
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.9' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.5' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.1' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.6' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.7' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.10' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.2' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.8' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.4' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.3' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.6.1.2' or
-				@Name='urn:oid:2.5.4.15' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.1' or
-				@Name='urn:oid:2.5.4.3' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.2' or
-				@Name='urn:oid:2.5.4.13' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.241' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.3' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.4' or
-				@Name='urn:oid:2.5.4.23' or
-				@Name='urn:oid:2.5.4.42' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.20' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.39' or
-				@Name='urn:oid:2.5.4.43' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.60' or
-				@Name='urn:oid:2.5.4.7' or
-				@Name='urn:oid:1.3.6.1.4.1.250.1.57' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.3' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.10' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.41' or
-				@Name='urn:oid:2.5.4.10' or
-				@Name='urn:oid:2.5.4.11' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.42' or
-				@Name='urn:oid:2.5.4.19' or
-				@Name='urn:oid:2.5.4.16' or
-				@Name='urn:oid:2.5.4.17' or
-				@Name='urn:oid:2.5.4.18' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.39' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.6' or
-				@Name='urn:oid:2.5.4.34' or
-				@Name='urn:oid:2.5.4.4' or
-				@Name='urn:oid:2.5.4.8' or
-				@Name='urn:oid:2.5.4.9' or
-				@Name='urn:oid:2.5.4.20' or
-				@Name='urn:oid:2.5.4.12' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.1' or
-				@Name='urn:oid:2.5.4.36' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.40' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.11'
-				">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-						<xsl:text> uses OID name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-			
-			<!--
-				SWITCHaai SAML 1.x names are prefixed by 'urn:mace:switch.ch:attribute-def:'
-				
-				Arranged in order of appearance in the specification.
-			-->
-			<xsl:when test="
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonMatriculationNumber' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonCardUID' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonGender' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory'
-				">
-				<!-- OK -->
-			</xsl:when>
-			
-			<!--
-				SWITCHaai SAML 2.0 names are oid-based, and should not appear
-				with the SAML 1.x NameFormat.
-				
-				Arranged in order of appearance in the specification.
-			-->
-			<xsl:when test="
-				@Name='urn:oid:2.16.756.1.2.5.1.1.1' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.11' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.12' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.2' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.3' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.4' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.5' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.6' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.7' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.8' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.9' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.10'
-				">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-						<xsl:text> uses OID name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-			
-			<!--
-				grEduPerson SAML 1.x binding
-			-->
-			<xsl:when test="@Name='urn:mace:grnet.gr:grEduPerson:attribute-def:grEduPersonUndergraduateBranch'">
-				<!-- OK -->
-			</xsl:when>
-			
-			<!--
-				grEduPerson SAML 2.0 names should not appear.
-			-->
-			<xsl:when test="@Name='urn:oid:1.3.6.1.4.1.16515.2.3.2.1'">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses OID name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-			
-			<!--
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        Lack of NameFormat is equivalent to an explicit NameFormat of
+        'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified',
+        see http://tools.oasis-open.org/issues/browse/SECURITY-11
+
+        This is almost certainly not correct, as an implicit
+        NameFormat of 'unspecified' is not the same as saying that
+        any NameFormat will match.
+    -->
+    <xsl:template match="md:RequestedAttribute[not(@NameFormat)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>RequestedAttribute </xsl:text>
+                <xsl:value-of select="@Name"/>
+                <xsl:text> lacks NameFormat attribute</xsl:text>
+                <xsl:text> (implicitly 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Present but unknown, and therefore presumptively unsuitable, NameFormat values.
+    -->
+    <xsl:template match="md:RequestedAttribute[@NameFormat]
+        [@NameFormat!='urn:mace:shibboleth:1.0:attributeNamespace:uri']
+        [@NameFormat!='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>RequestedAttribute uses NameFormat of </xsl:text>
+                <xsl:value-of select="@NameFormat"/>
+                <xsl:text>: unsuitable for cross-domain use</xsl:text>
+                <xsl:if test="@FriendlyName">
+                    <xsl:text> (</xsl:text>
+                    <xsl:value-of select="@FriendlyName"/>
+                    <xsl:text>)</xsl:text>
+                </xsl:if>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        If NameFormat is "urn:mace:shibboleth:1.0:attributeNamespace:uri", then we are
+        dealing with a SAML 1.x attribute.
+    -->
+    <xsl:template match="md:RequestedAttribute
+        [@NameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri']">
+        <xsl:choose>
+
+            <!--
+                MACE-Dir Attribute Profile for SAML 1.x
+
+                2.2.1: Legacy names that are explicitly permitted.
+
+                Taken from MACE-Dir SAML Attribute Profiles, April 2008
+            -->
+            <xsl:when test="
+                @Name='urn:mace:dir:attribute-def:eduPersonScopedAffiliation' or
+                @Name='urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation' or
+                @Name='urn:mace:dir:attribute-def:eduPersonAffiliation' or
+                @Name='urn:mace:dir:attribute-def:eduPersonPrincipalName' or
+                @Name='urn:mace:dir:attribute-def:eduPersonEntitlement' or
+                @Name='urn:mace:dir:attribute-def:eduPersonTargetedID' or
+                @Name='urn:mace:dir:attribute-def:eduPersonNickname' or
+                @Name='urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN' or
+                @Name='urn:mace:dir:attribute-def:eduPersonOrgUnitDN' or
+                @Name='urn:mace:dir:attribute-def:eduPersonOrgDN' or
+                @Name='urn:mace:dir:attribute-def:eduCourseMember' or
+                @Name='urn:mace:dir:attribute-def:businessCategory' or
+                @Name='urn:mace:dir:attribute-def:carLicense' or
+                @Name='urn:mace:dir:attribute-def:cn' or
+                @Name='urn:mace:dir:attribute-def:departmentNumber' or
+                @Name='urn:mace:dir:attribute-def:description' or
+                @Name='urn:mace:dir:attribute-def:displayName' or
+                @Name='urn:mace:dir:attribute-def:employeeNumber' or
+                @Name='urn:mace:dir:attribute-def:employeeType' or
+                @Name='urn:mace:dir:attribute-def:facsimileTelephoneNumber' or
+                @Name='urn:mace:dir:attribute-def:givenName' or
+                @Name='urn:mace:dir:attribute-def:homePhone' or
+                @Name='urn:mace:dir:attribute-def:homePostalAddress' or
+                @Name='urn:mace:dir:attribute-def:initials' or
+                @Name='urn:mace:dir:attribute-def:jpegPhoto' or
+                @Name='urn:mace:dir:attribute-def:l' or
+                @Name='urn:mace:dir:attribute-def:labeledURI' or
+                @Name='urn:mace:dir:attribute-def:mail' or
+                @Name='urn:mace:dir:attribute-def:manager' or
+                @Name='urn:mace:dir:attribute-def:mobile' or
+                @Name='urn:mace:dir:attribute-def:o' or
+                @Name='urn:mace:dir:attribute-def:ou' or
+                @Name='urn:mace:dir:attribute-def:pager' or
+                @Name='urn:mace:dir:attribute-def:physicalDeliveryOfficeName' or
+                @Name='urn:mace:dir:attribute-def:postalAddress' or
+                @Name='urn:mace:dir:attribute-def:postalCode' or
+                @Name='urn:mace:dir:attribute-def:postOfficeBox' or
+                @Name='urn:mace:dir:attribute-def:preferredLanguage' or
+                @Name='urn:mace:dir:attribute-def:roomNumber' or
+                @Name='urn:mace:dir:attribute-def:seeAlso' or
+                @Name='urn:mace:dir:attribute-def:sn' or
+                @Name='urn:mace:dir:attribute-def:st' or
+                @Name='urn:mace:dir:attribute-def:street' or
+                @Name='urn:mace:dir:attribute-def:telephoneNumber' or
+                @Name='urn:mace:dir:attribute-def:title' or
+                @Name='urn:mace:dir:attribute-def:uid' or
+                @Name='urn:mace:dir:attribute-def:userCertificate' or
+                @Name='urn:mace:dir:attribute-def:userSMIMECertificate'
+                ">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
+                Legacy name for eduPersonAssurance (from eduPerson 2008)
+            -->
+            <xsl:when test="@Name='urn:mace:dir:attribute-def:eduPersonAssurance'">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
+                MACE-Dir Attribute Profile for SAML 1.x
+
+                2.3.2.1.1: Recommended name and syntax for eduPersonTargetedID.
+            -->
+            <xsl:when test="@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.10'">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
+                MACE-Dir Attribute Profile for SAML 1.x
+
+                'urn:oid:' equivalents of legacy names should NOT appear.
+                If they do, they are probably intended to be a SAML 2.0 mapping.
+
+                The list is in same order as the list of legacy names above, and
+                includes the OID for eduPersonAssurance at the end.
+            -->
+            <xsl:when test="
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.9' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.5' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.1' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.6' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.7' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.10' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.2' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.8' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.4' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.3' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.6.1.2' or
+                @Name='urn:oid:2.5.4.15' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.1' or
+                @Name='urn:oid:2.5.4.3' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.2' or
+                @Name='urn:oid:2.5.4.13' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.241' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.3' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.4' or
+                @Name='urn:oid:2.5.4.23' or
+                @Name='urn:oid:2.5.4.42' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.20' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.39' or
+                @Name='urn:oid:2.5.4.43' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.60' or
+                @Name='urn:oid:2.5.4.7' or
+                @Name='urn:oid:1.3.6.1.4.1.250.1.57' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.3' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.10' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.41' or
+                @Name='urn:oid:2.5.4.10' or
+                @Name='urn:oid:2.5.4.11' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.42' or
+                @Name='urn:oid:2.5.4.19' or
+                @Name='urn:oid:2.5.4.16' or
+                @Name='urn:oid:2.5.4.17' or
+                @Name='urn:oid:2.5.4.18' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.39' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.6' or
+                @Name='urn:oid:2.5.4.34' or
+                @Name='urn:oid:2.5.4.4' or
+                @Name='urn:oid:2.5.4.8' or
+                @Name='urn:oid:2.5.4.9' or
+                @Name='urn:oid:2.5.4.20' or
+                @Name='urn:oid:2.5.4.12' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.1' or
+                @Name='urn:oid:2.5.4.36' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.40' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.11'
+                ">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                        <xsl:text> uses OID name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
+                SWITCHaai SAML 1.x names are prefixed by 'urn:mace:switch.ch:attribute-def:'
+
+                Arranged in order of appearance in the specification.
+            -->
+            <xsl:when test="
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonMatriculationNumber' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonCardUID' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonGender' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory'
+                ">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
+                SWITCHaai SAML 2.0 names are oid-based, and should not appear
+                with the SAML 1.x NameFormat.
+
+                Arranged in order of appearance in the specification.
+            -->
+            <xsl:when test="
+                @Name='urn:oid:2.16.756.1.2.5.1.1.1' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.11' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.12' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.2' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.3' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.4' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.5' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.6' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.7' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.8' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.9' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.10'
+                ">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                        <xsl:text> uses OID name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
+                grEduPerson SAML 1.x binding
+            -->
+            <xsl:when test="@Name='urn:mace:grnet.gr:grEduPerson:attribute-def:grEduPersonUndergraduateBranch'">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
+                grEduPerson SAML 2.0 names should not appear.
+            -->
+            <xsl:when test="@Name='urn:oid:1.3.6.1.4.1.16515.2.3.2.1'">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses OID name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
                 SCHAC SAML 1.x binding
             -->
-			<xsl:when test="
-				@Name='urn:mace:terena.org:attribute-def:schacHomeOrganization' or
-				@Name='urn:mace:terena.org:attribute-def:schacPersonalUniqueCode'
-				">
-				<!-- OK -->
-			</xsl:when>
-			
-			<!--
+            <xsl:when test="
+                @Name='urn:mace:terena.org:attribute-def:schacHomeOrganization' or
+                @Name='urn:mace:terena.org:attribute-def:schacPersonalUniqueCode'
+                ">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
                 SCHAC SAML 2.0 names should not appear.
             -->
-			<xsl:when test="
-				@Name='urn:oid:1.3.6.1.4.1.25178.1.2.9' or
-				@Name='urn:oid:1.3.6.1.4.1.25178.1.2.14'
-				">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses OID name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-			
-			<!--
-				MACE-Dir Attribute Profile for SAML 1.x
-				
-				Forward-looking "urn:oid:" names are permitted, which is to say
-				any "urn:oid" name which does not correspond to a legacy name.
-				
-				(Any erroneous OIDs have been eliminated above.)
-			-->
-			<xsl:when test="starts-with(@Name, 'urn:oid:')">
-				<!-- OK -->
-			</xsl:when>
-			
-			<!--
-				Otherwise unknown attribute names.
-			-->
-			<xsl:otherwise>
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses unknown name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 1.x NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:otherwise>
-			
-		</xsl:choose>
-	</xsl:template>
-	
-
-	<!--
-		If NameFormat is "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", then we are
-		dealing with a SAML 2.0 attribute.
-	-->
-	<xsl:template match="md:RequestedAttribute
-		[@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']">
-		<xsl:choose>
-
-			<!--
-				Common error: using the legacy MACEAttr name with the SAML 2.0 NameFormat.
-			-->
-			<xsl:when test="starts-with(@Name, 'urn:mace:dir:attribute-def:')">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses legacy MACEAttr name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-			
-			<!--
-				Common error: using the legacy SWITCHaai name with the SAML 2.0 NameFormat.
-			-->
-			<xsl:when test="starts-with(@Name, 'urn:mace:switch.ch:attribute-def:')">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses legacy SWITCHaai name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-			
-			<!--
+            <xsl:when test="
+                @Name='urn:oid:1.3.6.1.4.1.25178.1.2.9' or
+                @Name='urn:oid:1.3.6.1.4.1.25178.1.2.14'
+                ">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses OID name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
+                MACE-Dir Attribute Profile for SAML 1.x
+
+                Forward-looking "urn:oid:" names are permitted, which is to say
+                any "urn:oid" name which does not correspond to a legacy name.
+
+                (Any erroneous OIDs have been eliminated above.)
+            -->
+            <xsl:when test="starts-with(@Name, 'urn:oid:')">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
+                Otherwise unknown attribute names.
+            -->
+            <xsl:otherwise>
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses unknown name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 1.x NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:otherwise>
+
+        </xsl:choose>
+    </xsl:template>
+
+
+    <!--
+        If NameFormat is "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", then we are
+        dealing with a SAML 2.0 attribute.
+    -->
+    <xsl:template match="md:RequestedAttribute
+        [@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']">
+        <xsl:choose>
+
+            <!--
+                Common error: using the legacy MACEAttr name with the SAML 2.0 NameFormat.
+            -->
+            <xsl:when test="starts-with(@Name, 'urn:mace:dir:attribute-def:')">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses legacy MACEAttr name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
+                Common error: using the legacy SWITCHaai name with the SAML 2.0 NameFormat.
+            -->
+            <xsl:when test="starts-with(@Name, 'urn:mace:switch.ch:attribute-def:')">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses legacy SWITCHaai name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
                 Common error: using the legacy grEduPerson name with the SAML 2.0 NameFormat.
             -->
-			<xsl:when test="starts-with(@Name, 'urn:mace:grnet.gr:grEduPerson:attribute-def:')">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses legacy format name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-			
-			<!--
+            <xsl:when test="starts-with(@Name, 'urn:mace:grnet.gr:grEduPerson:attribute-def:')">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses legacy format name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
                 Common error: using the legacy SCHAC name with the SAML 2.0 NameFormat.
             -->
-			<xsl:when test="starts-with(@Name, 'urn:mace:terena.org:attribute-def:')">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses legacy format name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-			
-			<!--
-				MACE-Dir Attribute Profile for SAML 2.0
-				
-				Attributes are named per the X.500/LDAP attribute profile in [SAML2Prof].
-			-->
-			<xsl:when test="starts-with(@Name, 'urn:oid:')">
-				<!-- OK -->
-			</xsl:when>
-			
-			
-			<!--
-				Otherwise unknown attribute names.
-			-->
-			<xsl:otherwise>
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses unknown name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 2.0 NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:otherwise>
-			
-		</xsl:choose>
-	</xsl:template>
-	
+            <xsl:when test="starts-with(@Name, 'urn:mace:terena.org:attribute-def:')">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses legacy format name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
+                MACE-Dir Attribute Profile for SAML 2.0
+
+                Attributes are named per the X.500/LDAP attribute profile in [SAML2Prof].
+            -->
+            <xsl:when test="starts-with(@Name, 'urn:oid:')">
+                <!-- OK -->
+            </xsl:when>
+
+
+            <!--
+                Otherwise unknown attribute names.
+            -->
+            <xsl:otherwise>
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses unknown name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 2.0 NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:otherwise>
+
+        </xsl:choose>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_saml1.xsl b/mdx/_rules/check_saml1.xsl
index 92de66c5..33325ed0 100644
--- a/mdx/_rules/check_saml1.xsl
+++ b/mdx/_rules/check_saml1.xsl
@@ -1,83 +1,83 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_saml1.xsl
+    check_saml1.xsl
 
-	Checking ruleset containing rules associated with the SAML 1.x specification.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    Checking ruleset containing rules associated with the SAML 1.x specification.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        A service provider claiming to support SAML 1.1 should include an appropriate POST AssertionConsumerService.
+    -->
+    <xsl:template match="md:EntityDescriptor/md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+        [not(md:AssertionConsumerService[@Binding = 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">no POST support on SAML 1.1 SP</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		A service provider claiming to support SAML 1.1 should include an appropriate POST AssertionConsumerService.
-	-->
-	<xsl:template match="md:EntityDescriptor/md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-		[not(md:AssertionConsumerService[@Binding = 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">no POST support on SAML 1.1 SP</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-		
-	<!--
+    <!--
         An IdP with a SAML 1.1 AttributeAuthority needs an AttributeService with an appropriate Binding.
     -->
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-		[not(md:AttributeService[@Binding='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'])]
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 1.1 AttributeAuthority missing appropriately bound AttributeService</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+        [not(md:AttributeService[@Binding='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'])]
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 1.1 AttributeAuthority missing appropriately bound AttributeService</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Use of SAML 1.0 bindings requires SAML 1.1 in protocolSupportEnumeration.
     -->
-	<xsl:template match="md:IDPSSODescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
-		[md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>SAML 1.0 binding requires SAML 1.1 token in IDPSSODescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    <xsl:template match="md:IDPSSODescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
+        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>SAML 1.0 binding requires SAML 1.1 token in IDPSSODescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Use of SAML 1.0 bindings requires SAML 1.1 in protocolSupportEnumeration.
     -->
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
-		[md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>SAML 1.0 binding requires SAML 1.1 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
+        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>SAML 1.0 binding requires SAML 1.1 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Use of SAML 1.0 bindings requires SAML 1.1 in protocolSupportEnumeration.
     -->
-	<xsl:template match="md:SPSSODescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
-		[md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>SAML 1.0 binding requires SAML 1.1 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
+    <xsl:template match="md:SPSSODescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
+        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>SAML 1.0 binding requires SAML 1.1 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_saml2.xsl b/mdx/_rules/check_saml2.xsl
index e35ed8a6..0f1fed85 100644
--- a/mdx/_rules/check_saml2.xsl
+++ b/mdx/_rules/check_saml2.xsl
@@ -1,110 +1,110 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_saml2.xsl
+    check_saml2.xsl
 
-	Checking ruleset containing rules associated with the SAML 2.0 specification.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    Checking ruleset containing rules associated with the SAML 2.0 specification.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	
-	<!--
-		It does not make sense for an IdP to have more than one SingleSignOnService
-		with any of a list of SAML 2.0 front-channel bindings.
-	-->
-	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'][position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>	
-	
-	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'][position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST-SimpleSign binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template> 
-
-	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'][position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-Redirect binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template> 
-
-	<!--
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        It does not make sense for an IdP to have more than one SingleSignOnService
+        with any of a list of SAML 2.0 front-channel bindings.
+    -->
+    <xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'][position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'][position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST-SimpleSign binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'][position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-Redirect binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         A SAML 2.0 IdP with an AttributeAuthority needs an AttributeService with an appropriate Binding.
     -->
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:AttributeService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP'])]
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 AttributeAuthority missing appropriately bound AttributeService</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:AttributeService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP'])]
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 AttributeAuthority missing appropriately bound AttributeService</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 
-	<!--
+    <!--
         Check for SAML 2.0 SPs which lack an encryption key.
-    -->	
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][@use='encryption'])]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 SP has no encryption key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    -->
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:KeyDescriptor[descendant::ds:X509Data][@use='encryption'])]
+        [not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 SP has no encryption key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Use of SAML 2.0 bindings requires SAML 2.0 in protocolSupportEnumeration.
     -->
-	<xsl:template match="md:IDPSSODescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-		[md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>SAML 2.0 binding requires SAML 2.0 token in IDPSSODescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    <xsl:template match="md:IDPSSODescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
+        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>SAML 2.0 binding requires SAML 2.0 token in IDPSSODescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Use of SAML 2.0 bindings requires SAML 2.0 in protocolSupportEnumeration.
     -->
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-		[md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>SAML 2.0 binding requires SAML 2.0 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
+        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>SAML 2.0 binding requires SAML 2.0 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Use of SAML 2.0 bindings requires SAML 2.0 in protocolSupportEnumeration.
     -->
-	<xsl:template match="md:SPSSODescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-		[md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>SAML 2.0 binding requires SAML 2.0 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
+    <xsl:template match="md:SPSSODescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
+        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>SAML 2.0 binding requires SAML 2.0 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_saml2int.xsl b/mdx/_rules/check_saml2int.xsl
index 812fe87e..42f30770 100644
--- a/mdx/_rules/check_saml2int.xsl
+++ b/mdx/_rules/check_saml2int.xsl
@@ -1,142 +1,142 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_saml2int.xsl
-	
-	Checking ruleset for the Interoperable SAML 2.0 Web Browser SSO Deployment Profile.
-	
-	See: http://saml2int.org/
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_saml2int.xsl
+
+    Checking ruleset for the Interoperable SAML 2.0 Web Browser SSO Deployment Profile.
+
+    See: http://saml2int.org/
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	
-	<!--
-		Section 6.
-		
-		Check for SAML 2.0 SPs which exclude both transient and persistent SAML 2 name identifier formats.
-	-->
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:NameIDFormat]
-		[not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'])]
-		[not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SP excludes both SAML 2 name identifier formats</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Section 6.
-		
-		Check for SAML 2.0 IdPs which exclude the transient SAML 2 name identifier format.
-	-->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:NameIDFormat]
-		[not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 IDPSSODescriptor excludes SAML 2 transient name identifier format</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:NameIDFormat]
-		[not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 AttributeAuthorityDescriptor excludes SAML 2 transient name identifier format</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        Section 6.
+
+        Check for SAML 2.0 SPs which exclude both transient and persistent SAML 2 name identifier formats.
+    -->
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:NameIDFormat]
+        [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'])]
+        [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SP excludes both SAML 2 name identifier formats</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 6.
+
+        Check for SAML 2.0 IdPs which exclude the transient SAML 2 name identifier format.
+    -->
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:NameIDFormat]
+        [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 IDPSSODescriptor excludes SAML 2 transient name identifier format</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:NameIDFormat]
+        [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 AttributeAuthorityDescriptor excludes SAML 2 transient name identifier format</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Section 6.1.
-        
+
         "The <saml2p:AuthnRequest> message issued by a Service Provider MUST be
         communicated to the Identity Provider using the HTTP-REDIRECT binding
         [SAML2Bind]."
-        
+
         Therefore, metadata for this binding MUST be present.
     -->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 IDPSSODescriptor does not support HTTP-Redirect SSO binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 7.
-		
-		Check for correct NameFormat on Attribute elements.
-	-->
-	<xsl:template match="saml:Attribute[not(@NameFormat)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>Attribute </xsl:text>
-				<xsl:value-of select="@Name"/>
-				<xsl:text> lacks NameFormat attribute</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="saml:Attribute[@NameFormat][not(@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>Attribute </xsl:text>
-				<xsl:value-of select="@Name"/>
-				<xsl:text> has incorrect NameFormat </xsl:text>
-				<xsl:value-of select="@NameFormat"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Section 9.1
-		
-		Responses MUST use the HTTP-POST binding, so metadata for that MUST be present.
-	-->
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:AssertionConsumerService[@Binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">no HTTP-POST support on SAML 2.0 SP</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Section 9.1
-		
-		Responses MUST be signed, so appropriate IdP roles MUST include embedded key material
-		suitable for signing those responses.
-	-->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 IdP has no embedded signing key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has no embedded signing key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 IDPSSODescriptor does not support HTTP-Redirect SSO binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 7.
+
+        Check for correct NameFormat on Attribute elements.
+    -->
+    <xsl:template match="saml:Attribute[not(@NameFormat)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>Attribute </xsl:text>
+                <xsl:value-of select="@Name"/>
+                <xsl:text> lacks NameFormat attribute</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="saml:Attribute[@NameFormat][not(@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>Attribute </xsl:text>
+                <xsl:value-of select="@Name"/>
+                <xsl:text> has incorrect NameFormat </xsl:text>
+                <xsl:value-of select="@NameFormat"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 9.1
+
+        Responses MUST use the HTTP-POST binding, so metadata for that MUST be present.
+    -->
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:AssertionConsumerService[@Binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">no HTTP-POST support on SAML 2.0 SP</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 9.1
+
+        Responses MUST be signed, so appropriate IdP roles MUST include embedded key material
+        suitable for signing those responses.
+    -->
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
+        [not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 IdP has no embedded signing key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
+        [not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 AttributeAuthority has no embedded signing key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_saml2meta.xsl b/mdx/_rules/check_saml2meta.xsl
index b3990b9b..42b5fad4 100644
--- a/mdx/_rules/check_saml2meta.xsl
+++ b/mdx/_rules/check_saml2meta.xsl
@@ -1,33 +1,33 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_saml2meta.xsl
-	
-	Checking ruleset encapsulating rules from the SAML 2.0 metadata specification that
-	are not completely encoded in the XML schema.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_saml2meta.xsl
+
+    Checking ruleset encapsulating rules from the SAML 2.0 metadata specification that
+    are not completely encoded in the XML schema.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	
-	<!--
-		Check for distinct index attributes on appropriate elements.
-	-->
-	
-	<xsl:template match="md:SPSSODescriptor">
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        Check for distinct index attributes on appropriate elements.
+    -->
+
+    <xsl:template match="md:SPSSODescriptor">
 
         <xsl:variable name="indices" select="md:ArtifactResolutionService/@index"/>
         <xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
@@ -37,63 +37,77 @@
             </xsl:call-template>
         </xsl:if>
 
-		<xsl:variable name="indices" select="md:AssertionConsumerService/@index"/>
-		<xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
-		<xsl:if test="count($indices) != count($distinct.indices)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">AssertionConsumerService index values not all different</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-		
-		<!--
-			Perform checks on child elements.
-		-->
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<xsl:template match="md:IDPSSODescriptor">
-		<xsl:variable name="indices" select="md:ArtifactResolutionService/@index"/>
-		<xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
-		<xsl:if test="count($indices) != count($distinct.indices)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">ArtifactResolutionService index values not all different</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-		
-		<!--
-			Perform checks on child elements.
-		-->
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	
-	<!--
-		Check for Location attributes that aren't valid URLs.
-	-->
-	<xsl:template match="md:*[@Location and mdxURL:invalidURL(@Location)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:value-of select='local-name()'/>
-				<xsl:text> Location is not a valid URL: </xsl:text>
-				<xsl:value-of select="mdxURL:whyInvalid(@Location)"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Check for OrganizationURLs that aren't valid URLs.
-	-->
-	<xsl:template match="md:OrganizationURL[mdxURL:invalidURL(.)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>OrganizationURL '</xsl:text>
-				<xsl:value-of select="."/>
-				<xsl:text>' is not a valid URL: </xsl:text>
-				<xsl:value-of select="mdxURL:whyInvalid(.)"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
+        <xsl:variable name="indices2" select="md:AssertionConsumerService/@index"/>
+        <xsl:variable name="distinct.indices2" select="set:distinct($indices2)"/>
+        <xsl:if test="count($indices2) != count($distinct.indices2)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">AssertionConsumerService index values not all different</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
+        <!--
+            Perform checks on child elements.
+        -->
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="md:IDPSSODescriptor">
+        <xsl:variable name="indices" select="md:ArtifactResolutionService/@index"/>
+        <xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
+        <xsl:if test="count($indices) != count($distinct.indices)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">ArtifactResolutionService index values not all different</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
+        <!--
+            Perform checks on child elements.
+        -->
+        <xsl:apply-templates/>
+    </xsl:template>
+
+
+    <!--
+        Check for Location attributes that aren't valid URLs.
+    -->
+    <xsl:template match="md:*[@Location and mdxURL:invalidURL(@Location)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:value-of select='local-name()'/>
+                <xsl:text> Location is not a valid URL: </xsl:text>
+                <xsl:value-of select="mdxURL:whyInvalid(@Location)"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for ResponseLocation attributes that aren't valid URLs.
+    -->
+    <xsl:template match="md:*[@ResponseLocation and mdxURL:invalidURL(@ResponseLocation)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:value-of select='local-name()'/>
+                <xsl:text> ResponseLocation is not a valid URL: </xsl:text>
+                <xsl:value-of select="mdxURL:whyInvalid(@ResponseLocation)"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for OrganizationURLs that aren't valid URLs.
+    -->
+    <xsl:template match="md:OrganizationURL[mdxURL:invalidURL(.)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>OrganizationURL '</xsl:text>
+                <xsl:value-of select="."/>
+                <xsl:text>' is not a valid URL: </xsl:text>
+                <xsl:value-of select="mdxURL:whyInvalid(.)"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_shib_noregscope.xsl b/mdx/_rules/check_shib_noregscope.xsl
index 0f1e0b79..e516425f 100644
--- a/mdx/_rules/check_shib_noregscope.xsl
+++ b/mdx/_rules/check_shib_noregscope.xsl
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_shib_noregscope.xsl
+    check_shib_noregscope.xsl
 
     Check for Shibboleth Scope elements lacking a regexp attribute, which can cause
     problems with signature generation and validation because the schema includes
@@ -9,21 +9,21 @@
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <xsl:template match="shibmd:Scope[not(@regexp)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Scope <xsl:value-of select="."/> lacks @regexp</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="shibmd:Scope[not(@regexp)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Scope <xsl:value-of select="."/> lacks @regexp</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_shib_regscope.xsl b/mdx/_rules/check_shib_regscope.xsl
index b20fa7d3..7f522e92 100644
--- a/mdx/_rules/check_shib_regscope.xsl
+++ b/mdx/_rules/check_shib_regscope.xsl
@@ -1,31 +1,31 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_shib_regscope.xsl
+    check_shib_regscope.xsl
+
+    Check for the presence of Shibboleth Scope elements containing regular expressions.
 
-	Check for the presence of Shibboleth Scope elements containing regular expressions.
-	
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <xsl:template match="shibmd:Scope[@regexp='true']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>regular expression in scope '</xsl:text>
+                <xsl:value-of select="."/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-	
-	<xsl:template match="shibmd:Scope[@regexp='true']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>regular expression in scope '</xsl:text>
-				<xsl:value-of select="."/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_shibboleth.xsl b/mdx/_rules/check_shibboleth.xsl
index 79aa6799..12e87c7a 100644
--- a/mdx/_rules/check_shibboleth.xsl
+++ b/mdx/_rules/check_shibboleth.xsl
@@ -1,188 +1,188 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_shibboleth.xsl
+    check_shibboleth.xsl
 
-	Checking ruleset containing rules associated with:
-	
-	* the Shibboleth profile specifications
-	
-	* known problems with Shibboleth implementations
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    Checking ruleset containing rules associated with:
+
+    * the Shibboleth profile specifications
+
+    * known problems with Shibboleth implementations
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	
-	<!--
-		OrganizationURL elements should contain actual URLs, or some software
-		will reject the metadata.  This is known to be true for at least the Shibboleth
-		1.3 IdP and the accompanying metadatatool application, because they pass the
-		string to the java.net.URL class.
-		
-		We perform a very cursory test for this by insisting that they start with
-		either "http://" or "https://".
-	-->
-	<xsl:template match="md:OrganizationURL[not(starts-with(., 'http://'))]
-		[not(starts-with(., 'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">OrganizationURL '<xsl:value-of select="."/>' does not start with acceptable prefix</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		If an IDPSSODescriptor contains a SingleSignOnService with the Shibboleth 1.x
-		authentication request binding, the role descriptor's protocolSupportEnumeration
-		must include both of the following:
-		
-			urn:oasis:names:tc:SAML:1.1:protocol
-			urn:mace:shibboleth:1.0
-		
-		See the Shibboleth Protocols and Profiles document, section 3.4.3, for details.
-	-->
-	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:oasis:names:tc:SAML:1.1:protocol in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
-		[not(contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:mace:shibboleth:1.0 in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		If an IDPSSODescriptor indicates support for Shibboleth by including
-		urn:mace:shibboleth:1.0 in its protocolSupportEnumeration, it must contain at
-		least one appropriate SingleSignOnService.
-		
-		This is theoretically too severe, as in principle additional profiles could be invented
-		in the future which exist in the same protocolSupportEnumeration "family".  However,
-		at present there are no such uses of the value, so we can be more restrictive.
-	-->
-	<xsl:template match="md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0')]
-		[not(md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Shibboleth 1.x support claimed but no appropriate SSO service binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		It does not make sense for an IdP to have more than one SingleSignOnService
-		with the Shibboleth authentication request binding, because this is a
-		front-channel binding.
-	-->
-	<xsl:template match="md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest'][position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one SingleSignOnService with Shibboleth binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Check for SAML 1.1 SPs which exclude the Shibboleth transient name identifier format.
-		
-		An SP which has no NameIDFormat elements is fine, but if any are mentioned in a
-		SAML 1.1 SP then the Shibboleth transient must be included in the list as otherwise
-		there will be no name identifier sent to the SP and no attribute query can be
-		performed.
-	-->
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-		[md:NameIDFormat]
-		[not(md:NameIDFormat[.='urn:mace:shibboleth:1.0:nameIdentifier'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 1.1 SP excludes Shibboleth transient name identifier format</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Check for a construct which is known to cause the Shibboleth 1.3 SP to dump core.
-		
-			<md:KeyDescriptor use="signing">
-				<ds:KeyInfo>
-					<KeyName>blabla<KeyName>
-				</ds:KeyInfo>
-			</md:KeyDescriptor>
-		
-		The issue here is that the KeyName does not have the ds: namespace.
-	-->
-	<xsl:template match="ds:KeyInfo/*[namespace-uri() != 'http://www.w3.org/2000/09/xmldsig#']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ds:KeyInfo child element not in ds namespace</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Check for IDP role descriptors containing (at any level of nesting)
-		SAML 2.0 attribute elements that do not include a NameFormat XML attribute.
-		
-		This combination causes the Shibboleth 1.3 and related code (such as metadatatool)
-		to reject the metadata.
-		
-		See https://bugs.internet2.edu/jira/browse/SIDPO-34
-	-->
-	<xsl:template match="md:IDPSSODescriptor[descendant::saml:Attribute[not(@NameFormat)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SIDPO-34: Attribute lacking NameFormat in IDPSSODescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Scope elements should not contain space characters.
-		
-		This isn't part of the specification, but is assumed by some software.
-	-->
-	<xsl:template match="shibmd:Scope[contains(., ' ')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Scope value contains space character</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-
-	<!--
-		Scope elements should not contain line breaks.
-		
-		This isn't part of the specification, but is assumed by some software,
-		including the Shibboleth 2.4.3 SP.
-	-->
-	<xsl:template match="shibmd:Scope[contains(., '&#10;')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Scope value contains line break</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		The Shibboleth 1.3f SP, probably along with other software, has
-		problems with comments inside certificate representations.
-	-->
-	<xsl:template match="ds:X509Certificate[comment()]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">X509Certificate contains XML comment</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        OrganizationURL elements should contain actual URLs, or some software
+        will reject the metadata.  This is known to be true for at least the Shibboleth
+        1.3 IdP and the accompanying metadatatool application, because they pass the
+        string to the java.net.URL class.
+
+        We perform a very cursory test for this by insisting that they start with
+        either "http://" or "https://".
+    -->
+    <xsl:template match="md:OrganizationURL[not(starts-with(., 'http://'))]
+        [not(starts-with(., 'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">OrganizationURL '<xsl:value-of select="."/>' does not start with acceptable prefix</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        If an IDPSSODescriptor contains a SingleSignOnService with the Shibboleth 1.x
+        authentication request binding, the role descriptor's protocolSupportEnumeration
+        must include both of the following:
+
+            urn:oasis:names:tc:SAML:1.1:protocol
+            urn:mace:shibboleth:1.0
+
+        See the Shibboleth Protocols and Profiles document, section 3.4.3, for details.
+    -->
+    <xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Shibboleth 1.x auth request needs urn:oasis:names:tc:SAML:1.1:protocol in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
+        [not(contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Shibboleth 1.x auth request needs urn:mace:shibboleth:1.0 in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        If an IDPSSODescriptor indicates support for Shibboleth by including
+        urn:mace:shibboleth:1.0 in its protocolSupportEnumeration, it must contain at
+        least one appropriate SingleSignOnService.
+
+        This is theoretically too severe, as in principle additional profiles could be invented
+        in the future which exist in the same protocolSupportEnumeration "family".  However,
+        at present there are no such uses of the value, so we can be more restrictive.
+    -->
+    <xsl:template match="md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0')]
+        [not(md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Shibboleth 1.x support claimed but no appropriate SSO service binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        It does not make sense for an IdP to have more than one SingleSignOnService
+        with the Shibboleth authentication request binding, because this is a
+        front-channel binding.
+    -->
+    <xsl:template match="md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest'][position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one SingleSignOnService with Shibboleth binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for SAML 1.1 SPs which exclude the Shibboleth transient name identifier format.
+
+        An SP which has no NameIDFormat elements is fine, but if any are mentioned in a
+        SAML 1.1 SP then the Shibboleth transient must be included in the list as otherwise
+        there will be no name identifier sent to the SP and no attribute query can be
+        performed.
+    -->
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+        [md:NameIDFormat]
+        [not(md:NameIDFormat[.='urn:mace:shibboleth:1.0:nameIdentifier'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 1.1 SP excludes Shibboleth transient name identifier format</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for a construct which is known to cause the Shibboleth 1.3 SP to dump core.
+
+            <md:KeyDescriptor use="signing">
+                <ds:KeyInfo>
+                    <KeyName>blabla<KeyName>
+                </ds:KeyInfo>
+            </md:KeyDescriptor>
+
+        The issue here is that the KeyName does not have the ds: namespace.
+    -->
+    <xsl:template match="ds:KeyInfo/*[namespace-uri() != 'http://www.w3.org/2000/09/xmldsig#']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ds:KeyInfo child element not in ds namespace</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for IDP role descriptors containing (at any level of nesting)
+        SAML 2.0 attribute elements that do not include a NameFormat XML attribute.
+
+        This combination causes the Shibboleth 1.3 and related code (such as metadatatool)
+        to reject the metadata.
+
+        See https://bugs.internet2.edu/jira/browse/SIDPO-34
+    -->
+    <xsl:template match="md:IDPSSODescriptor[descendant::saml:Attribute[not(@NameFormat)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SIDPO-34: Attribute lacking NameFormat in IDPSSODescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Scope elements should not contain space characters.
+
+        This isn't part of the specification, but is assumed by some software.
+    -->
+    <xsl:template match="shibmd:Scope[contains(., ' ')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Scope value contains space character</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Scope elements should not contain line breaks.
+
+        This isn't part of the specification, but is assumed by some software,
+        including the Shibboleth 2.4.3 SP.
+    -->
+    <xsl:template match="shibmd:Scope[contains(., '&#10;')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Scope value contains line break</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        The Shibboleth 1.3f SP, probably along with other software, has
+        problems with comments inside certificate representations.
+    -->
+    <xsl:template match="ds:X509Certificate[comment()]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">X509Certificate contains XML comment</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_sirtfi.xsl b/mdx/_rules/check_sirtfi.xsl
index 78240c01..48f0e6af 100644
--- a/mdx/_rules/check_sirtfi.xsl
+++ b/mdx/_rules/check_sirtfi.xsl
@@ -1,73 +1,73 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_sirtfi.xsl
+    check_sirtfi.xsl
 
-	Checking ruleset containing rules associated with the SIRTFI specification,
-	as described here:
+    Checking ruleset containing rules associated with the SIRTFI specification,
+    as described here:
 
-		https://refeds.org/wp-content/uploads/2016/11/Sirtfi-certification-v1.0.pdf
+        https://refeds.org/wp-content/uploads/2016/11/Sirtfi-certification-v1.0.pdf
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:remd="http://refeds.org/metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-	
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 
-	<!--
-		Process only entities claiming SIRTFI compliance.
-	-->
-	<xsl:template match="md:EntityDescriptor[
-			md:Extensions/mdattr:EntityAttributes/saml:Attribute[@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
-				[@Name='urn:oasis:names:tc:SAML:attribute:assurance-certification']
-			/saml:AttributeValue[.='https://refeds.org/sirtfi']
-		]">
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-		<!--
-			Collect the REFEDS security contacts for this entity.
-		-->
-		<xsl:variable name="securityContacts"
-			select="md:ContactPerson
-			[@contactType='other']
-			[@remd:contactType='http://refeds.org/metadata/contactType/security']"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-		<!--
-			There must be at least one REFEDS security contact.
-		-->
-		<xsl:if test="count($securityContacts) = 0">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">SIRTFI requires a REFEDS security contact</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
+    <!--
+        Process only entities claiming SIRTFI compliance.
+    -->
+    <xsl:template match="md:EntityDescriptor[
+            md:Extensions/mdattr:EntityAttributes/saml:Attribute[@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+                [@Name='urn:oasis:names:tc:SAML:attribute:assurance-certification']
+            /saml:AttributeValue[.='https://refeds.org/sirtfi']
+        ]">
 
-		<!--
-			REFEDS security contacts used in SIRTFI compliant entities need to have
-			GivenName and EmailAddress attributes.
-		-->
-		<xsl:for-each select="$securityContacts">
-			<xsl:if test="not(md:GivenName)">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">SIRTFI requires a REFEDS security contact with a GivenName</xsl:with-param>
-				</xsl:call-template>
-			</xsl:if>
-			<xsl:if test="not(md:EmailAddress)">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">SIRTFI requires a REFEDS security contact with an EmailAddress</xsl:with-param>
-				</xsl:call-template>
-			</xsl:if>
-		</xsl:for-each>
-	</xsl:template>
+        <!--
+            Collect the REFEDS security contacts for this entity.
+        -->
+        <xsl:variable name="securityContacts"
+            select="md:ContactPerson
+            [@contactType='other']
+            [@remd:contactType='http://refeds.org/metadata/contactType/security']"/>
+
+        <!--
+            There must be at least one REFEDS security contact.
+        -->
+        <xsl:if test="count($securityContacts) = 0">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">SIRTFI requires a REFEDS security contact</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
+        <!--
+            REFEDS security contacts used in SIRTFI compliant entities need to have
+            GivenName and EmailAddress attributes.
+        -->
+        <xsl:for-each select="$securityContacts">
+            <xsl:if test="not(md:GivenName)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">SIRTFI requires a REFEDS security contact with a GivenName</xsl:with-param>
+                </xsl:call-template>
+            </xsl:if>
+            <xsl:if test="not(md:EmailAddress)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">SIRTFI requires a REFEDS security contact with an EmailAddress</xsl:with-param>
+                </xsl:call-template>
+            </xsl:if>
+        </xsl:for-each>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_sp_tls.xsl b/mdx/_rules/check_sp_tls.xsl
index b68c9663..3432cd06 100644
--- a/mdx/_rules/check_sp_tls.xsl
+++ b/mdx/_rules/check_sp_tls.xsl
@@ -1,31 +1,36 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_sp_tls.xsl
-	
-	Checking that all SP endpoints are TLS-protected.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_sp_tls.xsl
+
+    Checking that all SP endpoints are TLS-protected.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 
-	<!--
-		Check for SP endpoints that don't start with https://
-	-->
+    <!--
+        Check for SP endpoints that don't start with https://
+    -->
     <xsl:template match="md:SPSSODescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
         </xsl:call-template>
     </xsl:template>
+    <xsl:template match="md:SPSSODescriptor//*[@ResponseLocation and not(starts-with(@ResponseLocation,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_uk_algorithms.xsl b/mdx/_rules/check_uk_algorithms.xsl
index 10db2ce2..0a4c024f 100644
--- a/mdx/_rules/check_uk_algorithms.xsl
+++ b/mdx/_rules/check_uk_algorithms.xsl
@@ -1,89 +1,89 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_uk_algorithms.xsl
-	
-	Checking ruleset for cryptographic algorithms. This is named as a UK
-	ruleset because the division between acceptable and unacceptable algorithms
-	is sometimes a judgement call; however, it should be generally
-	applicable.
-
-	The best reference for *all* URIs used as algorithm identifiers is the
-	XML Security Algorithm Cross-Reference at http://www.w3.org/TR/xmlsec-algorithms/
-	Algorithm lists here are in the same order as in that document.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_uk_algorithms.xsl
+
+    Checking ruleset for cryptographic algorithms. This is named as a UK
+    ruleset because the division between acceptable and unacceptable algorithms
+    is sometimes a judgement call; however, it should be generally
+    applicable.
+
+    The best reference for *all* URIs used as algorithm identifiers is the
+    XML Security Algorithm Cross-Reference at http://www.w3.org/TR/xmlsec-algorithms/
+    Algorithm lists here are in the same order as in that document.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
         *************************************
         ***                               ***
         ***   S I G N I N G M E T H O D   ***
         ***                               ***
         *************************************
     -->
-	
-	<!--
+
+    <!--
         Check for known BAD SigningMethod algorithms.
     -->
-	<xsl:template match="alg:SigningMethod[
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-md5'
-		]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>insecure algorithm in SigningMethod: '</xsl:text>
-				<xsl:value-of select="@Algorithm"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    <xsl:template match="alg:SigningMethod[
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-md5'
+        ]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>insecure algorithm in SigningMethod: '</xsl:text>
+                <xsl:value-of select="@Algorithm"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Check for known GOOD SigningMethod algorithms.
     -->
-	<xsl:template match="alg:SigningMethod[
-		@Algorithm = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1' or
-		@Algorithm = 'http://www.w3.org/2009/xmldsig11#dsa-sha256' or
-		@Algorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512'
-		]">
-		<!-- do nothing -->
-	</xsl:template>
-	
-	<!--
+    <xsl:template match="alg:SigningMethod[
+        @Algorithm = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1' or
+        @Algorithm = 'http://www.w3.org/2009/xmldsig11#dsa-sha256' or
+        @Algorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512'
+        ]">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <!--
         Misspelled or otherwise not known SigningMethod algorithms.
     -->
-	<xsl:template match="alg:SigningMethod">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown algorithm in SigningMethod: '</xsl:text>
-				<xsl:value-of select="@Algorithm"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    <xsl:template match="alg:SigningMethod">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown algorithm in SigningMethod: '</xsl:text>
+                <xsl:value-of select="@Algorithm"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         ***********************************
         ***                             ***
         ***   D I G E S T M E T H O D   ***
@@ -91,105 +91,105 @@
         ***********************************
     -->
 
-	<!--
+    <!--
         Check for known BAD DigestMethod algorithms.
     -->
-	<xsl:template match="alg:DigestMethod[
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#md5'
-		]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>insecure algorithm in DigestMethod: '</xsl:text>
-				<xsl:value-of select="@Algorithm"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    <xsl:template match="alg:DigestMethod[
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#md5'
+        ]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>insecure algorithm in DigestMethod: '</xsl:text>
+                <xsl:value-of select="@Algorithm"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Check for known GOOD DigestMethod algorithms.
     -->
-	<xsl:template match="alg:DigestMethod[
-		@Algorithm = 'http://www.w3.org/2000/09/xmldsig#sha1' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha224' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha256' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha384' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha512' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#ripemd160'
-		]">
-		<!-- do nothing -->
-	</xsl:template>
-	
-	<!--
+    <xsl:template match="alg:DigestMethod[
+        @Algorithm = 'http://www.w3.org/2000/09/xmldsig#sha1' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha224' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha256' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha384' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha512' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#ripemd160'
+        ]">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <!--
         Misspelled or otherwise not known DigestMethod algorithms.
     -->
-	<xsl:template match="alg:DigestMethod">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown algorithm in DigestMethod: '</xsl:text>
-				<xsl:value-of select="@Algorithm"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
+    <xsl:template match="alg:DigestMethod">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown algorithm in DigestMethod: '</xsl:text>
+                <xsl:value-of select="@Algorithm"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         *******************************************
         ***                                     ***
-		***   E N C R Y P T I O N M E T H O D   ***
+        ***   E N C R Y P T I O N M E T H O D   ***
         ***                                     ***
         *******************************************
-	-->
+    -->
 
-	<!--
+    <!--
         Check for known BAD EncryptionMethod algorithms.
-		
-		This list is of symmetric key encryption algorithms *and*
-		key transport algorithms.
+
+        This list is of symmetric key encryption algorithms *and*
+        key transport algorithms.
+    -->
+    <xsl:template match="md:EncryptionMethod[
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'
+        ]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>insecure algorithm in EncryptionMethod: '</xsl:text>
+                <xsl:value-of select="@Algorithm"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Check for known GOOD EncryptionMethod algorithms.
+
+        This list is of symmetric key encryption algorithms *and*
+        key transport algorithms.
+    -->
+    <xsl:template match="md:EncryptionMethod[
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' or
+        @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes128-gcm' or
+        @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes192-gcm' or
+        @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes256-gcm' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' or
+        @Algorithm = 'http://www.w3.org/2009/xmlenc11#rsa-oaep'
+        ]">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <!--
+        Misspelled or otherwise not known EncryptionMethod algorithms.
     -->
-	<xsl:template match="md:EncryptionMethod[
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'
-		]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>insecure algorithm in EncryptionMethod: '</xsl:text>
-				<xsl:value-of select="@Algorithm"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Check for known GOOD EncryptionMethod algorithms.
-		
-		This list is of symmetric key encryption algorithms *and*
-		key transport algorithms.
-	-->
-	<xsl:template match="md:EncryptionMethod[
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' or
-		@Algorithm = 'http://www.w3.org/2009/xmlenc11#aes128-gcm' or
-		@Algorithm = 'http://www.w3.org/2009/xmlenc11#aes192-gcm' or
-		@Algorithm = 'http://www.w3.org/2009/xmlenc11#aes256-gcm' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' or
-		@Algorithm = 'http://www.w3.org/2009/xmlenc11#rsa-oaep'
-		]">
-		<!-- do nothing -->
-	</xsl:template>
-	
-	<!--
-		Misspelled or otherwise not known EncryptionMethod algorithms.
-	-->
-	<xsl:template match="md:EncryptionMethod">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown algorithm in EncryptionMethod: '</xsl:text>
-				<xsl:value-of select="@Algorithm"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:EncryptionMethod">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown algorithm in EncryptionMethod: '</xsl:text>
+                <xsl:value-of select="@Algorithm"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_uk_trust.xsl b/mdx/_rules/check_uk_trust.xsl
index 6db92755..00a1bee9 100644
--- a/mdx/_rules/check_uk_trust.xsl
+++ b/mdx/_rules/check_uk_trust.xsl
@@ -1,118 +1,118 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
+
     check_uk_trust.xsl
-    
+
     Checking ruleset for the UK federation trust fabric, as documented in the
     Federation Technical Specifications.  Checks are labelled with a section
     number and FTS version, as the section number may change between editions.
-    
+
     Author: Ian A. Young <ian@iay.org.uk>
-    
+
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-	
-	<!--
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
         Common support functions.
     -->
-	<xsl:import href="check_framework.xsl"/>
-	
-	
-	<!--
-		FTS 1.5, section 3.10, first paragraph.
-		
-		Each <IDPSSODescriptor>, <SPSSODescriptor> and <AttributeAuthorityDescriptor>
-		role descriptor appearing in metadata published by the UK federation SHALL
-		contain at least one <KeyDescriptor> element.
-	-->
-	
-	<xsl:template match="md:IDPSSODescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">IdP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>    
-	</xsl:template>
-	
-	<xsl:template match="md:SPSSODescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>    
-	</xsl:template>
-	
-	<xsl:template match="md:AttributeAuthorityDescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">IdP AA Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>    
-	</xsl:template>
-	
-	
-	<!--
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        FTS 1.5, section 3.10, first paragraph.
+
+        Each <IDPSSODescriptor>, <SPSSODescriptor> and <AttributeAuthorityDescriptor>
+        role descriptor appearing in metadata published by the UK federation SHALL
+        contain at least one <KeyDescriptor> element.
+    -->
+
+    <xsl:template match="md:IDPSSODescriptor[not(md:KeyDescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">IdP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SPSSODescriptor[not(md:KeyDescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:AttributeAuthorityDescriptor[not(md:KeyDescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">IdP AA Descriptor lacking KeyDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
         FTS 1.5 draft of 2014-01-02, section 3.10, second paragraph.
-        
-		In roles which indicate support through their protocolSupportEnumeration values for
-		SAML 2.0 or SAML 1.1 profiles, each <KeyDescriptor> MUST support the direct key
-		verification scheme as described in section 2.1.1.
-	-->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 IdP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 SP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 1.1 IdP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 1.1 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 1.1 SP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		FTS 1.5 draft of 2014-06-25, section 3.10, last paragraph.
-		
-		<ds:KeyName> elements SHALL NOT be accepted in locally registered metadata
-	-->
-	<xsl:template match="ds:KeyName">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">entity has legacy KeyName element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
+
+        In roles which indicate support through their protocolSupportEnumeration values for
+        SAML 2.0 or SAML 1.1 profiles, each <KeyDescriptor> MUST support the direct key
+        verification scheme as described in section 2.1.1.
+    -->
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 IdP has KeyDescriptor without embedded key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 SP has KeyDescriptor without embedded key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+        [md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 1.1 IdP has KeyDescriptor without embedded key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+        [md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 1.1 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+        [md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 1.1 SP has KeyDescriptor without embedded key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        FTS 1.5 draft of 2014-06-25, section 3.10, last paragraph.
+
+        <ds:KeyName> elements SHALL NOT be accepted in locally registered metadata
+    -->
+    <xsl:template match="ds:KeyName">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">entity has legacy KeyName element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_uk_wayf.xsl b/mdx/_rules/check_uk_wayf.xsl
deleted file mode 100644
index c2e443cd..00000000
--- a/mdx/_rules/check_uk_wayf.xsl
+++ /dev/null
@@ -1,46 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-	check_uk_wayf.xsl
-	
-	Checking ruleset for the SDSS/UK federation WAYF namespace.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
-
--->
-<xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Check for misspelled elements.
-		
-		This covers the case where elements from this namespace are used in a context
-		where lax validation applies.
-	-->
-	<xsl:template match="wayf:*[local-name()!='HideFromWAYF']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown element name wayf:</xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Check for misplaced HideFromWAYF elements.
-	-->
-	<xsl:template match="wayf:HideFromWAYF[not(parent::md:Extensions) or not(parent::*/parent::md:EntityDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">misplaced wayf:HideFromWAYF element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-</xsl:stylesheet>
diff --git a/mdx/_rules/check_vhosts.xsl b/mdx/_rules/check_vhosts.xsl
index 7b7a1999..230f88c3 100644
--- a/mdx/_rules/check_vhosts.xsl
+++ b/mdx/_rules/check_vhosts.xsl
@@ -1,58 +1,58 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_vhosts.xsl
-	
-	Checking ruleset that makes sure that an IdP's SSO endpoints and SOAP
-	endpoints are on distinct virtual host.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_vhosts.xsl
+
+    Checking ruleset that makes sure that an IdP's SSO endpoints and SOAP
+    endpoints are on distinct virtual host.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:dyn="http://exslt.org/dynamic"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Check IdPs only.
-	-->
-	<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
-		<!--
-			Look for IdPs which have either attribute authority or artifact resolution locations
-			on the same host:port combination as any of the SSO locations.
-		-->
-		
-		<!-- XPath expression to evaluate to extract host:port strings from locations -->
-		<xsl:variable name="extract">substring-before(substring-after(concat(., '/'), 'https://'), '/')</xsl:variable>
-		
-		<!-- Collect all of the SSO locations -->
-		<xsl:variable name="ssoLocations" select="descendant::md:SingleSignOnService/@Location"/>
-		<!-- convert to set of unique host:port strings -->
-		<xsl:variable name="ssoHosts" select="set:distinct(dyn:map($ssoLocations, $extract))"/>
-		
-		<!-- Collect all of the attribute authority and artifact resolution locations -->
-		<xsl:variable name="soapLocations"
-			select="descendant::md:AttributeService/@Location |
-			descendant::md:ArtifactResolutionService/@Location"/>
-		<!-- convert to set of unique host:port strings -->
-		<xsl:variable name="soapHosts" select="set:distinct(dyn:map($soapLocations, $extract))"/>
-		
-		<!-- we expect these two sets to be disjoint -->
-		<xsl:variable name="bothHosts" select="set:distinct($ssoHosts | $soapHosts)"/>
-		<xsl:if test="count($bothHosts) != count($ssoHosts) + count($soapHosts)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">at least one SOAP location on same vhost as an SSO location</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-	</xsl:template>
-	
+    xmlns:dyn="http://exslt.org/dynamic"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Check IdPs only.
+    -->
+    <xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
+        <!--
+            Look for IdPs which have either attribute authority or artifact resolution locations
+            on the same host:port combination as any of the SSO locations.
+        -->
+
+        <!-- XPath expression to evaluate to extract host:port strings from locations -->
+        <xsl:variable name="extract">substring-before(substring-after(concat(., '/'), 'https://'), '/')</xsl:variable>
+
+        <!-- Collect all of the SSO locations -->
+        <xsl:variable name="ssoLocations" select="descendant::md:SingleSignOnService/@Location"/>
+        <!-- convert to set of unique host:port strings -->
+        <xsl:variable name="ssoHosts" select="set:distinct(dyn:map($ssoLocations, $extract))"/>
+
+        <!-- Collect all of the attribute authority and artifact resolution locations -->
+        <xsl:variable name="soapLocations"
+            select="descendant::md:AttributeService/@Location |
+            descendant::md:ArtifactResolutionService/@Location"/>
+        <!-- convert to set of unique host:port strings -->
+        <xsl:variable name="soapHosts" select="set:distinct(dyn:map($soapLocations, $extract))"/>
+
+        <!-- we expect these two sets to be disjoint -->
+        <xsl:variable name="bothHosts" select="set:distinct($ssoHosts | $soapHosts)"/>
+        <xsl:if test="count($bothHosts) != count($ssoHosts) + count($soapHosts)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">at least one SOAP location on same vhost as an SSO location</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/mdui_dn_en_match.xsl b/mdx/_rules/mdui_dn_en_match.xsl
index 8281fe9d..7ecb8015 100644
--- a/mdx/_rules/mdui_dn_en_match.xsl
+++ b/mdx/_rules/mdui_dn_en_match.xsl
@@ -1,41 +1,41 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	mdui_dn_en_match.xsl
-	
+    mdui_dn_en_match.xsl
+
     If an IdP has both an OrganizationDisplayName in English, and an
     mdui:DisplayName in English, they must be identical.
-    
+
     UKFTS 1.4 section 3.3
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
-		<xsl:variable name="mdui" select="md:IDPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName[@xml:lang='en']"/>
-		<xsl:variable name="odn" select="md:Organization/md:OrganizationDisplayName[@xml:lang='en']"/>
-		<xsl:if test="$mdui and $odn and $mdui != $odn">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">
-					<xsl:text>mismatched xml:lang='en' DisplayNames: '</xsl:text>
-					<xsl:value-of select="$mdui"/>
-					<xsl:text>' in mdui vs. '</xsl:text>
-					<xsl:value-of select="$odn"/>
-					<xsl:text>' in ODN</xsl:text>
-				</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-	</xsl:template>
-	
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
+        <xsl:variable name="mdui" select="md:IDPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName[@xml:lang='en']"/>
+        <xsl:variable name="odn" select="md:Organization/md:OrganizationDisplayName[@xml:lang='en']"/>
+        <xsl:if test="$mdui and $odn and $mdui != $odn">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">
+                    <xsl:text>mismatched xml:lang='en' DisplayNames: '</xsl:text>
+                    <xsl:value-of select="$mdui"/>
+                    <xsl:text>' in mdui vs. '</xsl:text>
+                    <xsl:value-of select="$odn"/>
+                    <xsl:text>' in ODN</xsl:text>
+                </xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/mdui_dn_en_present.xsl b/mdx/_rules/mdui_dn_en_present.xsl
index 16e2ab15..e5364e11 100644
--- a/mdx/_rules/mdui_dn_en_present.xsl
+++ b/mdx/_rules/mdui_dn_en_present.xsl
@@ -1,31 +1,31 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	mdui_dn_en_present.xsl
-	
+    mdui_dn_en_present.xsl
+
     If an entity has mdui:UIInfo, then that must include at least an
     mdui:DisplayName with an English name.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <xsl:template match="mdui:UIInfo[not(mdui:DisplayName[@xml:lang='en'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>mdui:UIInfo with no xml:lang='en' DisplayName</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="mdui:UIInfo[not(mdui:DisplayName[@xml:lang='en'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>mdui:UIInfo with no xml:lang='en' DisplayName</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/at_aconet/beans.xml b/mdx/at_aconet/beans.xml
index 15d9c658..5ab7a9fc 100644
--- a/mdx/at_aconet/beans.xml
+++ b/mdx/at_aconet/beans.xml
@@ -11,23 +11,24 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Location of various resources.
     -->
     <!-- ACOnet-registered entities without interfederation -->
-    <bean id="at_aconet_registrarAggregate_url" class="java.lang.String">
+    <bean id="at_aconet_registrarAggregate_url" parent="String">
         <constructor-arg value="http://eduid.at/md/aconet-registered.xml"/>
     </bean>
     <!-- eduGAIN export aggregate -->
-    <bean id="at_aconet_edugainAggregate_url" class="java.lang.String">
+    <bean id="at_aconet_edugainAggregate_url" parent="String">
         <constructor-arg value="http://eduid.at/md/upstream-edugain.xml"/>
     </bean>
-    
+
     <!--
         Fetch the production aggregate.
     -->
-    <bean id="at_aconet_productionAggregate" parent="DOMResourceSourceStage">
+    <bean id="at_aconet_productionAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
@@ -35,11 +36,12 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         Fetch the eduGAIN export aggregate.
     -->
-    <bean id="at_aconet_edugainAggregate" parent="DOMResourceSourceStage">
+    <bean id="at_aconet_edugainAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
@@ -47,13 +49,13 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         Signing certificate.
     -->
     <bean id="at_aconet_signingCertificate" parent="X509CertificateFactoryBean"
         p:resource="classpath:at_aconet/aconet-aai-metadata-signing.crt"/>
-    
+
     <!--
         Check signing signature.
     -->
@@ -63,10 +65,10 @@
     <bean id="at_aconet_checkEdugainSignature" parent="XMLSignatureValidationStageSHA256">
         <property name="verificationCertificate" ref="at_aconet_signingCertificate"/>
     </bean>
-    
+
     <!--
         at_aconet_check_regauth
-        
+
         Any registrationAuthority already present on an entity in this
         channel must match the known registration authority value.
     -->
@@ -77,10 +79,10 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         at_aconet_default_regauth
-        
+
         Provide a default registrationAuthority appropriate to
         this channel.
     -->
@@ -91,15 +93,15 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         Fetch the production entities as a collection.
     -->
-    <bean id="at_aconet_productionEntities" parent="CompositeStage">
+    <bean id="at_aconet_productionEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="at_aconet_productionAggregate"/>
-                
+
                 <!--
                     Check for fatal errors at the aggregate level:
                         missing or expired validUntil attribute
@@ -108,20 +110,20 @@
                 <ref bean="check_validUntil"/>
                 <ref bean="at_aconet_checkProductionSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         Fetch the eduGAIN export entities as a collection.
     -->
-    <bean id="at_aconet_edugainEntities" parent="CompositeStage">
+    <bean id="at_aconet_edugainEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="at_aconet_edugainAggregate"/>
-                
+
                 <!--
                     Check for fatal errors at the aggregate level:
                         missing or expired validUntil attribute
@@ -130,15 +132,15 @@
                 <ref bean="check_validUntil"/>
                 <ref bean="at_aconet_checkEdugainSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
-                
+
                 <ref bean="check_hasreginfo"/>
                 <ref bean="at_aconet_check_regauth"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         Select primary export aggregate.
     -->
diff --git a/mdx/at_aconet/verbs.xml b/mdx/at_aconet/verbs.xml
index 4b5a334a..54399699 100644
--- a/mdx/at_aconet/verbs.xml
+++ b/mdx/at_aconet/verbs.xml
@@ -11,26 +11,27 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-        
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:at_aconet/beans.xml"/>
-    
-    <bean id="serializeImported" parent="SerializationStage">
+
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/at_aconet/imported.xml"/>
             </bean>
         </property>
     </bean>
-    
-    <bean id="importProduction" parent="SimplePipeline">
+
+    <bean id="importProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="at_aconet_productionEntities"/>
@@ -41,7 +42,7 @@
         </property>
     </bean>
 
-    <bean id="importProductionRaw" parent="SimplePipeline">
+    <bean id="importProductionRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="at_aconet_productionAggregate"/>
@@ -49,8 +50,8 @@
             </list>
         </property>
     </bean>
-    
-    <bean id="importEdugain" parent="SimplePipeline">
+
+    <bean id="importEdugain" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="at_aconet_edugainEntities"/>
@@ -60,8 +61,8 @@
             </list>
         </property>
     </bean>
-    
-    <bean id="importEdugainRaw" parent="SimplePipeline">
+
+    <bean id="importEdugainRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="at_aconet_edugainAggregate"/>
@@ -69,29 +70,28 @@
             </list>
         </property>
     </bean>
-    
-    <bean id="verifyEdugain" parent="SimplePipeline">
+
+    <bean id="verifyEdugain" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="at_aconet_edugainEntities"/>
                 <ref bean="standardImportActions"/>
 
-                <bean id="checkCertificates" parent="X509ValidationStage">
+                <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
                             <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean parent="X509RSAKeyLengthValidator"
+                            <bean parent="mda.X509RSAKeyLengthValidator"
                                 p:warningBoundary="0" p:errorBoundary="2048"/>
                         </list>
                     </property>
                 </bean>
-                
+
                 <!--
                     Remove a specific entity we know has a problem that it will take
                     a while to resolve.
                 -->
-                <bean id="filterEntities" parent="stage_parent"
-                    class="net.shibboleth.metadata.dom.saml.EntityFilterStage"
+                <bean id="filterEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="false">
                     <property name="designatedEntities">
                         <set>
@@ -104,7 +104,7 @@
             </list>
         </property>
     </bean>
-    
+
     <alias alias="import"    name="importEdugain"/>
     <alias alias="importRaw" name="importEdugainRaw"/>
 </beans>
diff --git a/mdx/clean-import.xsl b/mdx/clean-import.xsl
index 029642f8..e7c2211b 100644
--- a/mdx/clean-import.xsl
+++ b/mdx/clean-import.xsl
@@ -1,79 +1,79 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
-	clean-import.xsl
-	
-	Clean up imported metadata from a metadata exchange channel.
-	
+
+    clean-import.xsl
+
+    Clean up imported metadata from a metadata exchange channel.
+
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdxTextUtils="xalan://uk.ac.sdss.xalan.md.TextUtils"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	extension-element-prefixes="mdxTextUtils">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	<!-- strip redundant attributes from EntityDescriptor elements -->
-	<xsl:template match="md:EntityDescriptor/@ID"/>
-	<xsl:template match="md:EntityDescriptor/@cacheDuration"/>
-	<xsl:template match="md:EntityDescriptor/@validUntil"/>
-	
-	<!-- Remove md:RoleDescriptor elements, which require additional schemas to be available. -->
-	<xsl:template match="md:RoleDescriptor"/>
-	
-	<!-- strip xml:base entirely -->
-	<xsl:template match="@xml:base"/>
-	
-	<!-- remove KeyDescriptor elements which lack embedded key material -->
-	<xsl:template match="md:KeyDescriptor[not(descendant::ds:X509Certificate)]"/>
-	
-	<!-- Remove KeyName elements; they refer to an inaccessable trust fabric -->
-	<xsl:template match="ds:KeyName"/>
-	
-	<!-- Remove <ds:X509SubjectName> elements; long ones cause problems. -->
-	<xsl:template match="ds:X509SubjectName"/>
-	
-	<!-- Remove any embedded signatures -->
-	<xsl:template match="ds:Signature"/>
-	
-	<!-- Remove xsi:type from any entity attribute values. -->
-	<xsl:template match="saml:AttributeValue/@xsi:type"/>
-
-	<!--
-		Normalise whitespace in X509Certificate elements.
-	-->
-	<xsl:template match="ds:X509Certificate">
-		<xsl:element name="ds:X509Certificate">
-			<xsl:text>&#10;</xsl:text>
-			<xsl:value-of select="mdxTextUtils:wrapBase64(.)"/>
-			<xsl:text>&#10;</xsl:text>
-		</xsl:element>
-	</xsl:template>
-	
-	<!--
-		Discard various ds:X509 elements.  Several of these are known to
-		cause problems with software systems, and they don't affect trust
-		establishment so are safe to remove.
-	-->
-	<xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
-	<xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
-	
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdxTextUtils="xalan://uk.ac.sdss.xalan.md.TextUtils"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    extension-element-prefixes="mdxTextUtils">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <!-- strip redundant attributes from EntityDescriptor elements -->
+    <xsl:template match="md:EntityDescriptor/@ID"/>
+    <xsl:template match="md:EntityDescriptor/@cacheDuration"/>
+    <xsl:template match="md:EntityDescriptor/@validUntil"/>
+
+    <!-- Remove md:RoleDescriptor elements, which require additional schemas to be available. -->
+    <xsl:template match="md:RoleDescriptor"/>
+
+    <!-- strip xml:base entirely -->
+    <xsl:template match="@xml:base"/>
+
+    <!-- remove KeyDescriptor elements which lack embedded key material -->
+    <xsl:template match="md:KeyDescriptor[not(descendant::ds:X509Certificate)]"/>
+
+    <!-- Remove KeyName elements; they refer to an inaccessable trust fabric -->
+    <xsl:template match="ds:KeyName"/>
+
+    <!-- Remove <ds:X509SubjectName> elements; long ones cause problems. -->
+    <xsl:template match="ds:X509SubjectName"/>
+
+    <!-- Remove any embedded signatures -->
+    <xsl:template match="ds:Signature"/>
+
+    <!-- Remove xsi:type from any entity attribute values. -->
+    <xsl:template match="saml:AttributeValue/@xsi:type"/>
+
+    <!--
+        Normalise whitespace in X509Certificate elements.
+    -->
+    <xsl:template match="ds:X509Certificate">
+        <xsl:element name="ds:X509Certificate">
+            <xsl:text>&#10;</xsl:text>
+            <xsl:value-of select="mdxTextUtils:wrapBase64(.)"/>
+            <xsl:text>&#10;</xsl:text>
+        </xsl:element>
+    </xsl:template>
+
+    <!--
+        Discard various ds:X509 elements.  Several of these are known to
+        cause problems with software systems, and they don't affect trust
+        establishment so are safe to remove.
+    -->
+    <xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
+    <xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 7c687117..db6b1d20 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -19,6 +19,16 @@
     -->
     <context:property-placeholder/>
 
+    <!--
+        Pick up Shibboleth MDA beans.
+    -->
+    <import resource="mda-beans.xml"/>
+
+    <!--
+        Pick up UK federation MDA beans.
+    -->
+    <import resource="classpath:uk/org/ukfederation/mda/beans.xml"/>
+
     <!--
         ***********************************
         ***                             ***
@@ -26,13 +36,14 @@
         ***                             ***
         ***********************************
     -->
-    
+
     <!--
         Java class parent shorthand beans.
     -->
+    <bean id="File" abstract="true" class="java.io.File"/>
     <bean id="String" abstract="true" class="java.lang.String"/>
     <bean id="QName" abstract="true" class="javax.xml.namespace.QName"/>
-    
+
     <!--
         Spring resource class parent shorthand beans.
     -->
@@ -40,7 +51,7 @@
         class="org.springframework.core.io.ClassPathResource"/>
     <bean id="FileSystemResource" abstract="true"
         class="org.springframework.core.io.FileSystemResource"/>
-    
+
     <!--
         Shibboleth-defined Resource class parent bean.
     -->
@@ -49,38 +60,27 @@
 
     <!--
         component_parent
-        
+
         Parent for anything based on the Shibboleth component system.
         These all require initialization before use.
     -->
     <bean id="component_parent" abstract="true"
         init-method="initialize" destroy-method="destroy"/>
-    
-    <!--
-        stage_parent
-        
-        Parent for all stages.
-    -->
-    <bean id="stage_parent" abstract="true" parent="component_parent"/>
-    
-    <bean id="XMLSignatureSigningStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureSigningStage"/>
 
     <!--
         XMLSignatureValidationStage
-        
+
         Parent for XML Signature validation stages.
-        
+
         Applies global algorithm blacklists. For values, see:
             http://www.w3.org/TR/xmlsec-algorithms/
-            
+
         Establishes a default of *not* permitting empty references
         in signatures, per the SAML specification. This will be
         overridden in specific beans where a signature is known to
         require it.
     -->
-    <bean id="XMLSignatureValidationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage">
+    <bean id="XMLSignatureValidationStage" abstract="true" parent="mda.XMLSignatureValidationStage">
         <property name="blacklistedDigests">
             <list>
                 <value>http://www.w3.org/2001/04/xmldsig-more#md5</value>
@@ -93,10 +93,10 @@
         </property>
         <property name="permittingEmptyReferences" value="false"/>
     </bean>
-    
+
     <!--
         XMLSignatureValidationStageSHA256
-        
+
         Parent for XML signature validation stages where we know
         the signature will not be made with MD5 or SHA-1.
     -->
@@ -117,78 +117,6 @@
         </property>
     </bean>
 
-    <bean id="XPathFilteringStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XPathFilteringStage"
-        p:namespaceContext-ref="commonNamespaces"/>
-
-    <!--
-        XSLTransformationStage
-        
-        Parent for XSLT-based checking stages.
-    -->
-    <bean id="XSLTransformationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XSLTransformationStage"/>
-    
-    <!--
-        XSLValidationStage
-        
-        Parent for XSLT-based checking stages.
-    -->
-    <bean id="XSLValidationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XSLValidationStage"/>
-    
-    <!--
-        EmptyContainerStrippingStage
-        
-        Parent for container stripping stages.
-    -->
-    <bean id="EmptyContainerStrippingStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.EmptyContainerStrippingStage"/>
-    
-    <!--
-        ElementStrippingStage
-        
-        Parent for element stripping stages.
-    -->
-    <bean id="ElementStrippingStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.ElementStrippingStage"/>
-    
-    <!--
-        NamespaceStrippingStage
-        
-        Parent for namespace stripping stages.
-    -->
-    <bean id="NamespaceStrippingStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.NamespaceStrippingStage"/>
-
-    <!--
-        DomFilesystemSourceStage
-        
-        Parent for DOM filesystem source stages.
-    -->
-    <bean id="DOMFilesystemSourceStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.DOMFilesystemSourceStage">
-        <property name="parserPool" ref="parserPool"/>
-    </bean>
-
-    <!--
-        DOMResourceSourceStage
-        
-        Parent for DOM resource source stages.
-    -->
-    <bean id="DOMResourceSourceStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.DOMResourceSourceStage">
-        <property name="parserPool" ref="parserPool"/>
-    </bean>
-
-    <!--
-        EntityRegistrationAuthorityFilterStage
-        
-        Parent for registration authority filtering stages.
-    -->
-    <bean id="EntityRegistrationAuthorityFilterStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.mdrpi.EntityRegistrationAuthorityFilterStage"/>
-    
     <!-- *** Parent beans for Shibboleth spring-extensions factory beans. *** -->
 
     <bean id="DOMDocumentFactoryBean" abstract="true"
@@ -197,135 +125,22 @@
     <!-- PKCS11PrivateKeyFactoryBean is in MDA in V0.9.2. -->
     <bean id="PKCS11PrivateKeyFactoryBean" abstract="true"
         class="net.shibboleth.metadata.util.PKCS11PrivateKeyFactoryBean"/>
-    
+
     <bean id="PrivateKeyFactoryBean" abstract="true"
         class="net.shibboleth.ext.spring.factory.PrivateKeyFactoryBean"/>
-    
+
     <bean id="PublicKeyFactoryBean" abstract="true"
         class="net.shibboleth.ext.spring.factory.PublicKeyFactoryBean"/>
-    
+
     <bean id="X509CertificateChainFactoryBean" abstract="true"
         class="net.shibboleth.ext.spring.factory.X509CertificateChainFactoryBean"/>
 
     <bean id="X509CertificateFactoryBean" abstract="true"
         class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"/>
 
-    <!-- *** Parent beans for Shibboleth MDA components. *** -->
-
-    <bean id="CRDetectionStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.CRDetectionStage"/>
-    
-    <bean id="ElementWhitespaceTrimmingStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.ElementWhitespaceTrimmingStage"/>
-    
-    <bean id="EntityFilterStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntityFilterStage"/>
-
-    <bean id="GenerateIdStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.GenerateIdStage"/>
-
-    <bean id="NamespacesStrippingStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.NamespacesStrippingStage"/>
-    
-    <bean id="SetCacheDurationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.SetCacheDurationStage"/>
-
-    <bean id="SetValidUntilStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.SetValidUntilStage"/>
-
-    <bean id="XPathItemSelectionStrategy" abstract="true"
-        class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy"/>
-    
-    <!-- *** Parent beans for entity attribute handling. *** -->
-    
-    <bean id="EntityAttributeFilteringStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.mdattr.EntityAttributeFilteringStage"/>
-    
-    <bean id="EntityCategoryMatcher" abstract="true"
-        class="net.shibboleth.metadata.dom.saml.mdattr.EntityCategoryMatcher"/>
-    
-    <bean id="EntityCategorySupportMatcher" abstract="true"
-        class="net.shibboleth.metadata.dom.saml.mdattr.EntityCategorySupportMatcher"/>
-    
-    <bean id="MultiPredicateMatcher" abstract="true"
-        class="net.shibboleth.metadata.dom.saml.mdattr.MultiPredicateMatcher"/>
-    
-    <bean id="RegistrationAuthorityMatcher" abstract="true"
-        class="net.shibboleth.metadata.dom.saml.mdattr.RegistrationAuthorityMatcher"/>
-    
-    <!-- *** Parent beans for X.509 Certificate validation. *** -->
-
-    <bean id="X509ValidationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.ds.X509ValidationStage"/>
-    
-    <bean id="validator_parent" abstract="true" parent="component_parent"/>
-    
-    <bean id="X509RSAExponentValidator" abstract="true" parent="validator_parent"
-        class="net.shibboleth.metadata.validate.x509.X509RSAExponentValidator"/>
-    
-    <bean id="X509RSAKeyLengthValidator" abstract="true" parent="validator_parent"
-        class="net.shibboleth.metadata.validate.x509.X509RSAKeyLengthValidator"/>
-    
-    <bean id="X509RSAOpenSSLBlacklistValidator" abstract="true" parent="validator_parent"
-        class="net.shibboleth.metadata.validate.x509.X509RSAOpenSSLBlacklistValidator"/>
-
-    <!-- *** Parent beans for net.shibboleth.metadata.pipeline package. *** -->
-
-    <bean id="CompositeStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.CompositeStage"/>
-
-    <bean id="FilesInDirectoryMultiOutputStrategy" abstract="true" parent="component_parent"
-        class="net.shibboleth.metadata.pipeline.FilesInDirectoryMultiOutputStrategy"/>
-
-    <bean id="MultiOutputSerializationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.MultiOutputSerializationStage">
-        <property name="serializer" ref="serializer"/>
-    </bean>
-
-    <bean id="PipelineDemultiplexerStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.PipelineDemultiplexerStage"
-        p:waitingForPipelines="true"
-    />
-
-    <bean id="PipelineMergeStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.PipelineMergeStage"/>
-
-    <bean id="PipelineMergeStage.deduplicate" abstract="true" parent="PipelineMergeStage"
-        p:collectionMergeStrategy-ref="deduplicateMergeStrategy"/>
-
-    <bean id="SerializationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.SerializationStage">
-        <property name="serializer" ref="serializer"/>
-    </bean>
-
-    <bean id="SimplePipeline" abstract="true" parent="component_parent"
-        class="net.shibboleth.metadata.pipeline.SimplePipeline"/>
-
-    <bean id="SplitMergeStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.SplitMergeStage"/>
-
-    <!-- *** Parent beans for net.shibboleth.metadata.utils package. *** -->
-
-    <bean id="PathSegmentStringTransformer" abstract="true"
-        class="net.shibboleth.metadata.util.PathSegmentStringTransformer"/>
-
-    <bean id="SHA1StringTransformer" abstract="true"
-        class="net.shibboleth.metadata.util.SHA1StringTransformer"/>
-
-    <!-- *** Parent beans for ukf-mda. *** -->
-
-    <bean id="EntityAttributeAddingStage" abstract="true" parent="stage_parent"
-        class="uk.org.ukfederation.mda.dom.saml.mdattr.EntityAttributeAddingStage"/>
-
-    <bean id="SAMLStringElementCheckingStage" abstract="true" parent="stage_parent"
-        class="uk.org.ukfederation.mda.dom.saml.SAMLStringElementCheckingStage"/>
-
-    <bean id="X509ConsistentNameValidator" abstract="true" parent="validator_parent"
-        class="uk.org.ukfederation.mda.validate.X509ConsistentNameValidator"/>
-        
     <!-- *** Default Shibboleth component bean id property from Spring bean id *** -->
     <bean class="net.shibboleth.ext.spring.config.IdentifiableBeanPostProcessor" lazy-init="false"/>
-    
+
     <!--
         ***********************************************
         ***                                         ***
@@ -333,10 +148,10 @@
         ***                                         ***
         ***********************************************
     -->
-    
+
     <!--
         Namespace URI beans.
-        
+
         One String bean for each of the common namespaces, named by its prefix.
     -->
     <bean id="alg_namespace"        parent="String" c:_="urn:oasis:names:tc:SAML:metadata:algsupport"/>
@@ -355,17 +170,16 @@
     <bean id="samlp_namespace"      parent="String" c:_="urn:oasis:names:tc:SAML:2.0:protocol"/>
     <bean id="shibmd_namespace"     parent="String" c:_="urn:mace:shibboleth:metadata:1.0"/>
     <bean id="ukfedlabel_namespace" parent="String" c:_="http://ukfederation.org.uk/2006/11/label"/>
-    <bean id="wayf_namespace"       parent="String" c:_="http://sdss.ac.uk/2006/06/WAYF"/>
     <bean id="xenc_namespace"       parent="String" c:_="http://www.w3.org/2001/04/xmlenc#"/>
     <bean id="xenc11_namespace"     parent="String" c:_="http://www.w3.org/2009/xmlenc11#"/>
     <bean id="xml_namespace"        parent="String" c:_="http://www.w3.org/XML/1998/namespace"/>
     <bean id="xs_namespace"         parent="String" c:_="http://www.w3.org/2001/XMLSchema"/>
     <bean id="xsi_namespace"        parent="String" c:_="http://www.w3.org/2001/XMLSchema-instance"/>
     <bean id="xsl_namespace"        parent="String" c:_="http://www.w3.org/1999/XSL/Transform"/>
-    
+
     <!--
         commonNamespaces
-        
+
         A NamespaceContext that assigns the usual prefix for each of the commonly used XML namespaces.
         This is used in the evaluation of XPath expressions.
     -->
@@ -388,7 +202,6 @@
                 <entry key="samlp"      value-ref="samlp_namespace"/>
                 <entry key="shibmd"     value-ref="shibmd_namespace"/>
                 <entry key="ukfedlabel" value-ref="ukfedlabel_namespace"/>
-                <entry key="wayf"       value-ref="wayf_namespace"/>
                 <entry key="xenc"       value-ref="xenc_namespace"/>
                 <entry key="xenc11"     value-ref="xenc11_namespace"/>
                 <entry key="xs"         value-ref="xs_namespace"/>
@@ -397,72 +210,64 @@
             </util:map>
         </constructor-arg>
     </bean>
-    
+
     <!--
         stripAlgNamespace
-        
+
         Remove the algorithm support namespace.
     -->
-    <bean id="stripAlgNamespace" parent="NamespaceStrippingStage"
+    <bean id="stripAlgNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="alg_namespace"/>
-    
+
     <!--
         stripIdpdiscNamespace
-        
+
         Remove the IdP discovery namespace.
     -->
-    <bean id="stripIdpdiscNamespace" parent="NamespaceStrippingStage"
+    <bean id="stripIdpdiscNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="idpdisc_namespace"/>
 
     <!--
         stripInitNamespace
-        
+
         Remove the session initiation namespace.
     -->
-    <bean id="stripInitNamespace" parent="NamespaceStrippingStage"
+    <bean id="stripInitNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="init_namespace"/>
-    
+
     <!--
         stripMdattrNamespace
-        
+
         Remove the namespace used by the entity attributes extension.
     -->
-    <bean id="stripMdattrNamespace" parent="NamespaceStrippingStage"
+    <bean id="stripMdattrNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="mdattr_namespace"/>
-    
+
     <!--
         stripMdrpiNamespace
-        
+
         Remove the namespace used by the registration and publication metdata extension.
     -->
-    <bean id="stripMdrpiNamespace" parent="NamespaceStrippingStage"
+    <bean id="stripMdrpiNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="mdrpi_namespace"/>
-    
+
     <!--
         stripUkfedlabelNamespace
-        
+
         Remove the UK federation label namespace.
     -->
-    <bean id="stripUkfedlabelNamespace" parent="NamespaceStrippingStage"
+    <bean id="stripUkfedlabelNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="ukfedlabel_namespace"/>
-    
-    <!--
-        stripWayfNamespace
-        
-        Remove the UK federation WAYF namespace.
-    -->
-    <bean id="stripWayfNamespace" parent="NamespaceStrippingStage"
-        p:namespace-ref="wayf_namespace"/>
-    
+
     <!--
         normaliseNamespaces
-        
+
         A pipeline stage that can be used before serialisation to normalise the namespaces
         used in an XML document.
     -->
-    <bean id="normaliseNamespaces" parent="XSLTransformationStage"
+    <bean id="normaliseNamespaces" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:ns_norm.xsl"/>
-    
+
     <!--
         ***************************************************
         ***                                             ***
@@ -470,12 +275,12 @@
         ***                                             ***
         ***************************************************
     -->
-    
+
     <!--
         Import beans that perform individual validation checks.
     -->
     <import resource="classpath:validation-beans.xml"/>
-    
+
     <!--
         Federation registrationAuthority URIs.
     -->
@@ -505,7 +310,7 @@
     <bean id="hu_eduid_registrar"        parent="String" c:_="http://eduid.hu"/>
     <bean id="ie_edugate_registrar"      parent="String" c:_="http://www.heanet.ie"/>
     <bean id="il_iif_registrar"          parent="String" c:_="http://iif.iucc.ac.il"/>
-    <bean id="in_infed_registrar"        parent="String" c:_="http://infilibnet.ac.in/"/>
+    <bean id="in_infed_registrar"        parent="String" c:_="http://inflibnet.ac.in"/>
     <bean id="it_gridp_registrar"        parent="String" c:_="http://gridp.garr.it"/>
     <bean id="it_idem_registrar"         parent="String" c:_="http://www.idem.garr.it/"/>
     <bean id="jp_gakunin_registrar"      parent="String" c:_="https://www.gakunin.jp"/>
@@ -525,12 +330,13 @@
     <bean id="ug_rif_registrar"          parent="String" c:_="https://www.renu.ac.ug"/>
     <bean id="uk_ukf_registrar"          parent="String" c:_="http://ukfederation.org.uk"/>
     <bean id="us_incommon_registrar"     parent="String" c:_="https://incommon.org"/>
+    <bean id="za_safire_registrar"       parent="String" c:_="https://safire.ac.za"/>
+
+
 
-    
-    
     <!--
         identificationStrategy
-        
+
         Standard item identifier strategy.
     -->
     <bean id="identificationStrategy" class="net.shibboleth.metadata.dom.saml.mdrpi.RegistrationAuthorityItemIdentificationStrategy">
@@ -543,9 +349,9 @@
             <map>
                 <!--
                     eduGAIN participant registration authority display names as country codes.
-                
+
                     The ordering here is as on the eduGAIN status page:
-                    
+
                     http://www.edugain.org/technical/status.php
                 -->
                 <entry key-ref="am_afire_registrar"           value="AM"/>
@@ -567,6 +373,7 @@
                 <entry key-ref="de_dfnaai_registrar"          value="DE"/>
                 <entry key-ref="gr_grnet_registrar"           value="GR"/>
                 <entry key-ref="hu_eduid_registrar"           value="HU"/>
+                <entry key-ref="in_infed_registrar"           value="IN"/>
                 <entry key-ref="ie_edugate_registrar"         value="IE"/>
                 <entry key-ref="il_iif_registrar"             value="IL"/>
                 <entry key-ref="it_idem_registrar"            value="IT"/>
@@ -575,11 +382,13 @@
                 <entry key-ref="lv_laife_registrar"           value="LV"/>
                 <entry key-ref="lt_litnet_registrar"          value="LT"/>
                 <entry key-ref="lu_eduid_registrar"           value="LU"/>
+                <entry key-ref="mk_aaiedumk_registrar"        value="MK"/>
                 <entry key-ref="md_leaf_registrar"            value="MD"/>
                 <entry key-ref="no_feide_registrar"           value="NO"/>
                 <entry key-ref="pl_pionier_registrar"         value="PL"/>
                 <entry key-ref="pt_rctsaai_registrar"         value="PT"/>
                 <entry key-ref="si_arnes_registrar"           value="SI"/>
+                <entry key-ref="za_safire_registrar"          value="ZA"/>
                 <entry key-ref="es_sir_registrar"             value="ES"/>
                 <entry key-ref="se_swamid_registrar"          value="SE"/>
                 <entry key-ref="ch_switchaai_registrar"       value="CH"/>
@@ -587,29 +396,26 @@
                 <entry key-ref="us_incommon_registrar"        value="US"/>
                 <entry key-ref="ua_peano_registrar"           value="UA"/>
                 <entry key-ref="uk_ukf_registrar"             value="UK"/>
-                
+
                 <!-- eduGAIN voting-only members -->
                 <entry key-ref="ar_mate_registrar"            value="AR"/>
                 <entry key-ref="by_febas_registrar"           value="BY"/>
                 <entry key-ref="it_gridp_registrar"           value="IT-GRIDP"/>
-                
+
                 <!-- eduGAIN candidates -->
                 <entry key-ref="dz_arnaai_registrar"          value="DZ"/>
-                <entry key-ref="in_infed_registrar"           value="IN"/>
-                <entry key-ref="mk_aaiedumk_registrar"        value="MK"/>
                 <entry key-ref="ug_rif_registrar"             value="UG"/>
             </map>
         </property>
     </bean>
-    
+
     <!--
         errorAnnouncer
-        
+
         A pipeline stage that logs any errors present,
         but takes no action on them.
     -->
-    <bean id="errorAnnouncer" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.StatusMetadataLoggingStage">
+    <bean id="errorAnnouncer" parent="mda.StatusMetadataLoggingStage">
         <property name="identificationStrategy" ref="identificationStrategy"/>
         <property name="selectionRequirements">
             <list>
@@ -620,12 +426,11 @@
 
     <!--
         warningAndErrorAnnouncer
-        
+
         A pipeline stage that logs any errors and warnings present,
         but takes no action on them.
     -->
-    <bean id="warningAndErrorAnnouncer" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.StatusMetadataLoggingStage">
+    <bean id="warningAndErrorAnnouncer" parent="mda.StatusMetadataLoggingStage">
         <property name="identificationStrategy" ref="identificationStrategy"/>
         <property name="selectionRequirements">
             <list>
@@ -634,14 +439,13 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         errorRemover
-        
+
         This pipeline stage removes any items marked with an error status.
     -->
-    <bean id="errorRemover" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.ItemMetadataFilterStage">
+    <bean id="errorRemover" parent="mda.ItemMetadataFilterStage">
         <property name="identificationStrategy" ref="identificationStrategy"/>
         <property name="selectionRequirements">
             <list>
@@ -649,14 +453,13 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         errorTerminator
-        
+
         This pipeline stage causes CLI termination if any item is marked with an error status.
     -->
-    <bean id="errorTerminator" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.ItemMetadataTerminationStage">
+    <bean id="errorTerminator" parent="mda.ItemMetadataTerminationStage">
         <property name="identificationStrategy" ref="identificationStrategy"/>
         <property name="selectionRequirements">
             <list>
@@ -664,14 +467,14 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         errorAnnouncingFilter
-        
+
         Announce any errors or warnings encountered, then remove
         any items that had errors.  Items with just warnings are retained.
     -->
-    <bean id="errorAnnouncingFilter" parent="CompositeStage">
+    <bean id="errorAnnouncingFilter" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="warningAndErrorAnnouncer"/>
@@ -679,15 +482,15 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         errorTerminatingFilter
-        
+
         Announces any errors encountered, and then terminates if any are present.
-        
+
         Warnings are not announced, and do not cause termination.
     -->
-    <bean id="errorTerminatingFilter" parent="CompositeStage">
+    <bean id="errorTerminatingFilter" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="errorAnnouncer"/>
@@ -695,9 +498,9 @@
             </list>
         </property>
     </bean>
-    
-    
-    
+
+
+
     <!--
         *************************************
         ***                               ***
@@ -705,93 +508,92 @@
         ***                               ***
         *************************************
     -->
-    
+
     <!--
         QNames for SAML metadata elements.
     -->
-    <bean id="md-Company"                 parent="QName" c:_0-ref="md_namespace" c:_1="Company"/>
-    <bean id="md-EmailAddress"            parent="QName" c:_0-ref="md_namespace" c:_1="EmailAddress"/>
-    <bean id="md-GivenName"               parent="QName" c:_0-ref="md_namespace" c:_1="GivenName"/>
-    <bean id="md-NameIDFormat"            parent="QName" c:_0-ref="md_namespace" c:_1="NameIDFormat"/>
-    <bean id="md-OrganizationDisplayName" parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationDisplayName"/>
-    <bean id="md-OrganizationName"        parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationName"/>
-    <bean id="md-OrganizationURL"         parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationURL"/>
-    <bean id="md-ServiceDescription"      parent="QName" c:_0-ref="md_namespace" c:_1="ServiceDescription"/>
-    <bean id="md-ServiceName"             parent="QName" c:_0-ref="md_namespace" c:_1="ServiceName"/>
-    <bean id="md-SurName"                 parent="QName" c:_0-ref="md_namespace" c:_1="SurName"/>
-    <bean id="md-TelephoneNumber"         parent="QName" c:_0-ref="md_namespace" c:_1="TelephoneNumber"/>
+    <bean id="md-AdditionalMetadataLocation"  parent="QName" c:_0-ref="md_namespace" c:_1="AdditionalMetadataLocation"/>
+    <bean id="md-AttributeProfile"            parent="QName" c:_0-ref="md_namespace" c:_1="AttributeProfile"/>
+    <bean id="md-Company"                     parent="QName" c:_0-ref="md_namespace" c:_1="Company"/>
+    <bean id="md-EmailAddress"                parent="QName" c:_0-ref="md_namespace" c:_1="EmailAddress"/>
+    <bean id="md-GivenName"                   parent="QName" c:_0-ref="md_namespace" c:_1="GivenName"/>
+    <bean id="md-NameIDFormat"                parent="QName" c:_0-ref="md_namespace" c:_1="NameIDFormat"/>
+    <bean id="md-OrganizationDisplayName"     parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationDisplayName"/>
+    <bean id="md-OrganizationName"            parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationName"/>
+    <bean id="md-OrganizationURL"             parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationURL"/>
+    <bean id="md-ServiceDescription"          parent="QName" c:_0-ref="md_namespace" c:_1="ServiceDescription"/>
+    <bean id="md-ServiceName"                 parent="QName" c:_0-ref="md_namespace" c:_1="ServiceName"/>
+    <bean id="md-SurName"                     parent="QName" c:_0-ref="md_namespace" c:_1="SurName"/>
+    <bean id="md-TelephoneNumber"             parent="QName" c:_0-ref="md_namespace" c:_1="TelephoneNumber"/>
 
     <!--
         Basic EntitiesDescriptor disassembler pipeline stage.
     -->
-    <bean id="disassemble" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorDisassemblerStage"/>
-    
+    <bean id="disassemble" parent="mda.EntitiesDescriptorDisassemblerStage"/>
+
     <!--
         Basic EntitiesDescriptor assembler pipeline stage.
     -->
-    <bean id="assemble" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorAssemblerStage"/>
-    
+    <bean id="assemble" parent="mda.EntitiesDescriptorAssemblerStage"/>
+
     <!--
         Populate ItemId values from entities.
     -->
-    <bean id="populateItemIds" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntityDescriptorItemIdPopulationStage"/>
+    <bean id="populateItemIds" parent="mda.EntityDescriptorItemIdPopulationStage"/>
 
     <!--
         Remove any empty Extensions elements.
     -->
-    <bean id="stripEmptyExtensions" parent="EmptyContainerStrippingStage"
+    <bean id="stripEmptyExtensions" parent="mda.EmptyContainerStrippingStage"
         p:elementName="Extensions"
         p:elementNamespace-ref="md_namespace"/>
-    
+
     <!--
         Beans to strip out selected SAML metadata elements.
     -->
-    
-    <bean id="stripArtifactResolutionService" parent="ElementStrippingStage"
+
+    <bean id="stripArtifactResolutionService" parent="mda.ElementStrippingStage"
         p:elementName="ArtifactResolutionService"
         p:elementNamespace-ref="md_namespace"/>
-    
-    <bean id="stripAssertionConsumerService" parent="ElementStrippingStage"
+
+    <bean id="stripAssertionConsumerService" parent="mda.ElementStrippingStage"
         p:elementName="AssertionConsumerService"
         p:elementNamespace-ref="md_namespace"/>
-    
-    <bean id="stripAttributeAuthorityDescriptor" parent="ElementStrippingStage"
+
+    <bean id="stripAttributeAuthorityDescriptor" parent="mda.ElementStrippingStage"
         p:elementName="AttributeAuthorityDescriptor"
         p:elementNamespace-ref="md_namespace"/>
-    
-    <bean id="stripAttributeConsumingService" parent="ElementStrippingStage"
+
+    <bean id="stripAttributeConsumingService" parent="mda.ElementStrippingStage"
         p:elementName="AttributeConsumingService"
         p:elementNamespace-ref="md_namespace"/>
-    
-    <bean id="stripContactPerson" parent="ElementStrippingStage"
+
+    <bean id="stripContactPerson" parent="mda.ElementStrippingStage"
         p:elementName="ContactPerson"
         p:elementNamespace-ref="md_namespace"/>
-    
-    <bean id="stripKeyDescriptor" parent="ElementStrippingStage"
+
+    <bean id="stripKeyDescriptor" parent="mda.ElementStrippingStage"
         p:elementName="KeyDescriptor"
         p:elementNamespace-ref="md_namespace"/>
-    
-    <bean id="stripManageNameIDService" parent="ElementStrippingStage"
+
+    <bean id="stripManageNameIDService" parent="mda.ElementStrippingStage"
         p:elementName="ManageNameIDService"
         p:elementNamespace-ref="md_namespace"/>
-    
-    <bean id="stripNameIDFormat" parent="ElementStrippingStage"
+
+    <bean id="stripNameIDFormat" parent="mda.ElementStrippingStage"
         p:elementName="NameIDFormat"
         p:elementNamespace-ref="md_namespace"/>
-    
-    <bean id="stripSingleLogoutService" parent="ElementStrippingStage"
+
+    <bean id="stripSingleLogoutService" parent="mda.ElementStrippingStage"
         p:elementName="SingleLogoutService"
         p:elementNamespace-ref="md_namespace"/>
-    
-    <bean id="stripSingleSignOnService" parent="ElementStrippingStage"
+
+    <bean id="stripSingleSignOnService" parent="mda.ElementStrippingStage"
         p:elementName="SingleSignOnService"
         p:elementNamespace-ref="md_namespace"/>
-    
-    
-    
+
+
+
     <!--
         *************************************************
         ***                                           ***
@@ -799,24 +601,23 @@
         ***                                           ***
         *************************************************
     -->
-    
+
     <!--
         Populate RegistrationAuthority values from entities.
     -->
-    <bean id="populateRegistrationAuthorities" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.mdrpi.RegistrationAuthorityPopulationStage"/>
-    
+    <bean id="populateRegistrationAuthorities" parent="mda.RegistrationAuthorityPopulationStage"/>
+
     <!--
         default_regauth_parent
-        
+
         Parent (template) for per-channel beans.
-        
+
         Any registrationAuthority already present on an entity in this
         channel must match the known registration authority value.
     -->
-    <bean id="default_regauth_parent" abstract="true" parent="XSLTransformationStage"
+    <bean id="default_regauth_parent" abstract="true" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:default_regauth.xsl"/>
-    
+
 
 
     <!--
@@ -827,53 +628,54 @@
         ***********************************************
     -->
 
-    <bean id="mdui-Description"     parent="QName" c:_0-ref="mdui_namespace" c:_1="Description"/>
-    <bean id="mdui-DisplayName"     parent="QName" c:_0-ref="mdui_namespace" c:_1="DisplayName"/>
-    <bean id="mdui-DomainHint"      parent="QName" c:_0-ref="mdui_namespace" c:_1="DomainHint"/>
-    <bean id="mdui-GeolocationHint" parent="QName" c:_0-ref="mdui_namespace" c:_1="GeolocationHint"/>
-    <bean id="mdui-InformationURL"  parent="QName" c:_0-ref="mdui_namespace" c:_1="InformationURL"/>
-    <bean id="mdui-IPHint"          parent="QName" c:_0-ref="mdui_namespace" c:_1="IPHint"/>
-    <bean id="mdui-Keywords"        parent="QName" c:_0-ref="mdui_namespace" c:_1="Keywords"/>
-    <bean id="mdui-Logo"            parent="QName" c:_0-ref="mdui_namespace" c:_1="Logo"/>
+    <bean id="mdui-Description"         parent="QName" c:_0-ref="mdui_namespace" c:_1="Description"/>
+    <bean id="mdui-DisplayName"         parent="QName" c:_0-ref="mdui_namespace" c:_1="DisplayName"/>
+    <bean id="mdui-DomainHint"          parent="QName" c:_0-ref="mdui_namespace" c:_1="DomainHint"/>
+    <bean id="mdui-GeolocationHint"     parent="QName" c:_0-ref="mdui_namespace" c:_1="GeolocationHint"/>
+    <bean id="mdui-InformationURL"      parent="QName" c:_0-ref="mdui_namespace" c:_1="InformationURL"/>
+    <bean id="mdui-IPHint"              parent="QName" c:_0-ref="mdui_namespace" c:_1="IPHint"/>
+    <bean id="mdui-Keywords"            parent="QName" c:_0-ref="mdui_namespace" c:_1="Keywords"/>
+    <bean id="mdui-Logo"                parent="QName" c:_0-ref="mdui_namespace" c:_1="Logo"/>
+    <bean id="mdui-PrivacyStatementURL" parent="QName" c:_0-ref="mdui_namespace" c:_1="PrivacyStatementURL"/>
 
-    <bean id="stripMDUIDiscoHints" parent="ElementStrippingStage"
+    <bean id="stripMDUIDiscoHints" parent="mda.ElementStrippingStage"
         p:elementName="DiscoHints"
         p:elementNamespace-ref="mdui_namespace"/>
-    
+
     <!--
         stripAAMDUI
-        
+
         Remove all MDUI metadata from attribute authority roles.
     -->
-    <bean id="stripAAMDUI" parent="XSLTransformationStage"
+    <bean id="stripAAMDUI" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:strip-aa-mdui.xsl"/>
-    
+
     <!--
         stripMDUILogoData
-        
+
         Remove all mdui:Logo elements containing data: URLs.
     -->
-    <bean id="stripMDUILogoData" parent="XSLTransformationStage"
+    <bean id="stripMDUILogoData" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:strip-mdui-logo-data.xsl"/>
 
     <!--
         stripMDUILogoHttp
-        
+
         Remove any mdui:Logo elements containing http:// URLs.
     -->
-    <bean id="stripMDUILogoHttp" parent="XSLTransformationStage"
+    <bean id="stripMDUILogoHttp" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:strip-mdui-logo-http.xsl"/>
-    
+
     <!--
         stripEmptyMDUIUIInfo
-        
+
         Remove any empty mdui:UIInfo container elements.
     -->
-    <bean id="stripEmptyMDUIUIInfo" parent="EmptyContainerStrippingStage">
+    <bean id="stripEmptyMDUIUIInfo" parent="mda.EmptyContainerStrippingStage">
         <property name="elementNamespace" ref="mdui_namespace"/>
         <property name="elementName" value="UIInfo"/>
     </bean>
-    
+
     <!--
         *****************************************************
         ***                                               ***
@@ -881,13 +683,13 @@
         ***                                               ***
         *****************************************************
     -->
-    
+
     <bean id="shibmd-Scope" parent="QName" c:_0-ref="shibmd_namespace" c:_1="Scope"/>
 
-    <bean id="stripShibScope" parent="ElementStrippingStage"
+    <bean id="stripShibScope" parent="mda.ElementStrippingStage"
         p:elementName="Scope"
         p:elementNamespace-ref="shibmd_namespace"/>
-    
+
 
 
     <!--
@@ -897,18 +699,18 @@
         ***                     ***
         ***************************
     -->
-    
+
     <!--
         stripKeyNames
-        
+
         Remove all ds:KeyName elements.
     -->
-    <bean id="stripKeyNames" parent="ElementStrippingStage"
+    <bean id="stripKeyNames" parent="mda.ElementStrippingStage"
         p:elementName="KeyName"
         p:elementNamespace-ref="ds_namespace"/>
-    
-    
-    
+
+
+
     <!--
         *************************************
         ***                               ***
@@ -916,20 +718,20 @@
         ***                               ***
         *************************************
     -->
-    
+
     <!--
         httpClientBuilder
-        
+
         Factory for the httpClient bean below.
-        
+
         Sets the option to ignore validation of a server's TLS credentials.
-        
+
         Sets socket and connection timeouts explicitly (to 100s) to
         override the tight defaults in java-support, see:
-        
+
             https://github.com/ukf/ukf-meta/issues/1
             https://issues.shibboleth.net/jira/browse/JSPT-48
-            
+
         These options can be removed once the underlying issue has been resolved.
     -->
     <bean id="httpClientBuilder"
@@ -941,26 +743,26 @@
 
     <!--
         httpClient
-        
+
         Common, basic, HTTP client for use with HTTP resources.
     -->
     <bean id="httpClient" factory-bean="httpClientBuilder" factory-method="buildClient"/>
-    
+
     <!--
         parserPool
-        
+
         A pre-configured parser pool for use by source stages.
     -->
     <bean id="parserPool" parent="component_parent"
         class="net.shibboleth.utilities.java.support.xml.BasicParserPool"
         p:ignoreComments="false"
         p:ignoreElementContentWhitespace="false"/>
-    
+
     <!--
         schemaResources
-        
+
         A list of all schema documents that we make common use of in SAML metadata.
-        
+
         The schemas are organised such that each schema appears before any of the schemas importing it,
         so that the parser is not required to explicitly resolve any imports.
     -->
@@ -1048,10 +850,6 @@
             <!-- no imports -->
             <constructor-arg value="schema/uk-fed-label.xsd"/>
         </bean>
-        <bean parent="ClassPathResource">
-            <!-- no imports -->
-            <constructor-arg value="schema/uk-wayf.xsd"/>
-        </bean>
         <bean parent="ClassPathResource">
             <!-- imports xenc-schema.xsd -->
             <constructor-arg value="schema/ws-authorization.xsd"/>
@@ -1073,44 +871,43 @@
             <constructor-arg value="schema/xmldsig11-schema.xsd"/>
         </bean>
     </util:list>
-    
+
     <!--
         checkSchemas
-        
+
         A pipeline stage that checks against all the common schemas, as above.
     -->
-    <bean id="checkSchemas" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSchemaValidationStage">
+    <bean id="checkSchemas" parent="mda.XMLSchemaValidationStage">
         <property name="schemaResources" ref="schemaResources"/>
     </bean>
 
     <!--
         stripComments
-        
+
         A pipeline stage that removes all XML comments from items.
     -->
-    
-    <bean id="stripComments" parent="XSLTransformationStage"
+
+    <bean id="stripComments" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:strip-comments.xsl"/>
-    
+
     <!--
         everythingSelector
-        
+
         An item selection strategy that selects all items.
     -->
     <bean id="everythingSelector" class="com.google.common.base.Predicates"
         factory-method="alwaysTrue"/>
-    
+
     <!--
         Standard serializer.
     -->
-    <bean id="serializer" class="net.shibboleth.metadata.dom.DOMElementSerializer"/>
-    
+    <bean id="serializer" parent="mda.DOMElementSerializer"/>
+
     <!--
         Merge strategy that removes duplicates.
     -->
-    <bean id="deduplicateMergeStrategy" class="net.shibboleth.metadata.DeduplicatingItemIdMergeStrategy"/>
-    
+    <bean id="deduplicateMergeStrategy" parent="mda.DeduplicatingItemIdMergeStrategy"/>
+
 
 
     <!--
@@ -1123,47 +920,58 @@
 
     <!--
         cleanImport
-        
+
         A pipeline stage that can be used in an import pipeline to clean up the metadata
         presented, for example by removing redundant attributes or elements which only have
         meaning when added by the UK federation registrar.
     -->
-    <bean id="cleanImport" parent="XSLTransformationStage"
+    <bean id="cleanImport" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:clean-import.xsl"/>
-    
+
     <!--
         trimImportElementWhitespace
-        
+
         Trim whitespace from the specified elements in imported
         entities.  These would be errors in UK-registered metadata,
         but repairing the metadata on the fly is often easier than
         asking for it to be corrected at source.
     -->
-    <bean id="trimImportElementWhitespace" parent="ElementWhitespaceTrimmingStage">
+    <bean id="trimImportElementWhitespace" parent="mda.ElementWhitespaceTrimmingStage">
         <property name="elementNames">
             <set>
+                <ref bean="md-AdditionalMetadataLocation"/>
+                <ref bean="md-AttributeProfile"/>
+                <ref bean="md-Company"/>
                 <ref bean="md-EmailAddress"/>
+                <ref bean="md-GivenName"/>
                 <ref bean="md-NameIDFormat"/>
                 <ref bean="md-OrganizationDisplayName"/>
+                <ref bean="md-OrganizationName"/>
                 <ref bean="md-OrganizationURL"/>
+                <ref bean="md-ServiceDescription"/>
+                <ref bean="md-ServiceName"/>
+                <ref bean="md-SurName"/>
+                <ref bean="md-TelephoneNumber"/>
+                <ref bean="mdui-GeolocationHint"/>
                 <ref bean="mdui-InformationURL"/>
                 <ref bean="mdui-Logo"/>
+                <ref bean="mdui-PrivacyStatementURL"/>
             </set>
         </property>
     </bean>
-    
+
     <!--
         standardImportActions
-        
+
         Standard actions performed on any metadata import channel.  Assumes that the
         collection has been acquired, had its signature validated, and disassembled into
         individual entities.
-        
+
         The result is a collection of entities, some of which may be labelled with
         errors.  No announcement or removal of those entities is performed here;
         that is left to the caller.
     -->
-    <bean id="standardImportActions" parent="CompositeStage">
+    <bean id="standardImportActions" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="populateItemIds"/>
@@ -1173,7 +981,7 @@
                     Strip all elements and attributes that are in namespaces
                     other than the ones we accept from partners.
                 -->
-                <bean id="whitelistImportedNamespaces" parent="NamespacesStrippingStage"
+                <bean id="whitelistImportedNamespaces" parent="mda.NamespacesStrippingStage"
                     p:whitelisting="true">
                     <property name="namespaces">
                         <set>
@@ -1207,45 +1015,45 @@
                 <ref bean="check_shib_regscope"/>
                 <ref bean="check_namespaces"/>
 
-                <bean id="checkCertificates" parent="X509ValidationStage">
+                <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
                             <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean parent="X509RSAKeyLengthValidator"
+                            <bean parent="mda.X509RSAKeyLengthValidator"
                                 p:warningBoundary="0" p:errorBoundary="2048"/>
                             <!-- Error on small RSA public exponents. -->
-                            <bean parent="X509RSAExponentValidator"/>
-                            
+                            <bean parent="mda.X509RSAExponentValidator"/>
+
                             <!--
                                 Debian weak key blacklists.
-                                
+
                                 Don't need to check for keys below our minimum key size.
                             -->
                             <ref bean="debian.2048"/>
                             <ref bean="debian.4096"/>
-                            
+
                             <!--
                                 Compromised key blacklists.
-                                
+
                                 Again, don't need to check for keys below our minimum key size.
                             -->
                             <ref bean="compromised.2048"/>
                         </list>
                     </property>
                 </bean>
-                
+
             </list>
         </property>
     </bean>
-    
+
     <!--
         standardImportTail
-        
+
         Standard actions performed at the end of any metadata import flow.  As imports
         are currently ending up in files, build an EntitiesDescriptor and normalise the
         namespaces in the document ready for serialisation.
     -->
-    <bean id="standardImportTail" parent="CompositeStage">
+    <bean id="standardImportTail" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <!-- announce and remove any entities with errors -->
@@ -1255,5 +1063,5 @@
             </list>
         </property>
     </bean>
-    
+
 </beans>
diff --git a/mdx/default_regauth.xsl b/mdx/default_regauth.xsl
index 9d0365a8..c7143d35 100644
--- a/mdx/default_regauth.xsl
+++ b/mdx/default_regauth.xsl
@@ -1,25 +1,25 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	default_regauth.xsl
+    default_regauth.xsl
+
+    Apply a default registrationAuthority to entities which don't have one already.
 
-	Apply a default registrationAuthority to entities which don't have one already.
-	
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
+    <!--
         defaultAuthority
-        
+
         Set this parameter from the calling context.
     -->
 	<xsl:param name="defaultAuthority">(value not set)</xsl:param>
-	
+
 	<!--
 		EntityDescriptor with no Extensions doesn't have a RegistrationInfo,
 		by definition.
@@ -37,7 +37,7 @@
 			<xsl:apply-templates select="node()"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 	<!--
 		EntityDescriptor with Extensions but without RegistrationInfo needs to have one
 		injected into the existing Extensions.
@@ -48,7 +48,7 @@
 			<xsl:apply-templates select="node()"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 	<!--
 		Default RegistrationInfo element, with associated white space.
 	-->
@@ -61,17 +61,17 @@
 			</xsl:attribute>
 		</xsl:element>
 	</xsl:template>
-	
+
 	<!--By default, copy text blocks, comments and attributes unchanged.-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-		
+
 </xsl:stylesheet>
diff --git a/mdx/identity.xsl b/mdx/identity.xsl
index dc2ad8b1..23f2a177 100644
--- a/mdx/identity.xsl
+++ b/mdx/identity.xsl
@@ -1,30 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	identity.xsl
+    identity.xsl
 
-	Identity transform.
+    Identity transform.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/int_cobweb/beans.xml b/mdx/int_cobweb/beans.xml
index 2922f2fc..a937917c 100644
--- a/mdx/int_cobweb/beans.xml
+++ b/mdx/int_cobweb/beans.xml
@@ -11,18 +11,19 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Location of various resources.
     -->
-    <bean id="int_cobweb_productionAggregate_url" class="java.lang.String">
+    <bean id="int_cobweb_productionAggregate_url" parent="String">
         <constructor-arg value="https://cobweb.edina.ac.uk/metadata/cobweb-metadata.xml"/>
     </bean>
-    
+
     <!--
         Fetch the production aggregate.
     -->
-    <bean id="int_cobweb_productionAggregate" parent="DOMResourceSourceStage">
+    <bean id="int_cobweb_productionAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
@@ -30,13 +31,13 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         Signing certificate.
     -->
     <bean id="int_cobweb_signingCertificate" parent="X509CertificateFactoryBean"
         p:resource="classpath:int_cobweb/cobweb.pem"/>
-    
+
     <!--
         Check signing signature.
     -->
@@ -47,11 +48,11 @@
     <!--
         Fetch the production entities as a collection.
     -->
-    <bean id="int_cobweb_productionEntities" parent="CompositeStage">
+    <bean id="int_cobweb_productionEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="int_cobweb_productionAggregate"/>
-                
+
                 <!--
                     Check for fatal errors at the aggregate level:
                         missing or expired validUntil attribute
@@ -59,12 +60,12 @@
                 -->
                 <ref bean="check_validUntil"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
             </list>
         </property>
     </bean>
-        
+
     <!--
         Select primary export aggregate.
     -->
diff --git a/mdx/int_cobweb/verbs.xml b/mdx/int_cobweb/verbs.xml
index dde7a217..0a626f57 100644
--- a/mdx/int_cobweb/verbs.xml
+++ b/mdx/int_cobweb/verbs.xml
@@ -11,26 +11,27 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-        
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:int_cobweb/beans.xml"/>
-    
-    <bean id="serializeImported" parent="SerializationStage">
+
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/int_cobweb/imported.xml"/>
             </bean>
         </property>
     </bean>
-    
-    <bean id="importProduction" parent="SimplePipeline">
+
+    <bean id="importProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_cobweb_productionEntities"/>
@@ -40,8 +41,8 @@
             </list>
         </property>
     </bean>
-    
-    <bean id="verifyProduction" parent="SimplePipeline">
+
+    <bean id="verifyProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_cobweb_productionEntities"/>
@@ -50,8 +51,8 @@
             </list>
         </property>
     </bean>
-    
-    <bean id="importProductionRaw" parent="SimplePipeline">
+
+    <bean id="importProductionRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_cobweb_productionAggregate"/>
@@ -59,7 +60,7 @@
             </list>
         </property>
     </bean>
-    
+
     <alias alias="import"    name="importProduction"/>
     <alias alias="importRaw" name="importProductionRaw"/>
 </beans>
diff --git a/mdx/int_edugain/beans.xml b/mdx/int_edugain/beans.xml
index 05b7c9b3..95222469 100644
--- a/mdx/int_edugain/beans.xml
+++ b/mdx/int_edugain/beans.xml
@@ -11,29 +11,30 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Import additional channel-local beans.
     -->
     <import resource="file:${edugain.dir}/entity-blacklist.xml"/>
     <import resource="file:${edugain.dir}/verify-blacklist.xml"/>
-    
+
     <!--
         Location of various resources.
     -->
     <!-- production aggregate -->
-    <bean id="int_edugain_productionAggregate_url" class="java.lang.String">
+    <bean id="int_edugain_productionAggregate_url" parent="String">
         <constructor-arg value="http://mds.edugain.org/"/>
     </bean>
     <!-- test aggregate -->
-    <bean id="int_edugain_testAggregate_url" class="java.lang.String">
+    <bean id="int_edugain_testAggregate_url" parent="String">
         <constructor-arg value="http://mds-test.edugain.org"/>
     </bean>
 
     <!--
         Fetches the eduGAIN production aggregate.
     -->
-    <bean id="int_edugain_productionAggregate" parent="DOMResourceSourceStage">
+    <bean id="int_edugain_productionAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
@@ -41,11 +42,12 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         Fetch the eduGAIN test aggregate.
     -->
-    <bean id="int_edugain_testAggregate" parent="DOMResourceSourceStage">
+    <bean id="int_edugain_testAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
@@ -53,13 +55,13 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         eduGAIN signing certificate.
     -->
     <bean id="int_edugain_signingCertificate" parent="X509CertificateFactoryBean"
         p:resource="classpath:int_edugain/mds-2014.cer"/>
-    
+
     <!--
         Check a signature against the eduGAIN signing certificate.
     -->
@@ -70,14 +72,14 @@
     <!--
         Remove blacklisted entities.
     -->
-    <bean id="int_edugain_removeBlacklistedEntities" parent="EntityFilterStage"
+    <bean id="int_edugain_removeBlacklistedEntities" parent="mda.EntityFilterStage"
         p:whitelistingEntities="false"
         p:designatedEntities-ref="int_edugain_entity_blacklist"/>
 
     <!--
         Fetch the production entities as a collection.
     -->
-    <bean id="int_edugain_productionEntities" parent="CompositeStage">
+    <bean id="int_edugain_productionEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="int_edugain_productionAggregate"/>
@@ -90,9 +92,9 @@
                 <ref bean="check_validUntil"/>
                 <ref bean="int_edugain_checkSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
-                
+
                 <ref bean="int_edugain_removeBlacklistedEntities"/>
 
                 <!--
@@ -103,11 +105,11 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         Fetch the test entities as a collection.
     -->
-    <bean id="int_edugain_testEntities" parent="CompositeStage">
+    <bean id="int_edugain_testEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="int_edugain_testAggregate"/>
@@ -120,11 +122,11 @@
                 <ref bean="check_validUntil"/>
                 <ref bean="int_edugain_checkSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
 
                 <ref bean="int_edugain_removeBlacklistedEntities"/>
-                
+
                 <!--
                     All eduGAIN entities should have mdrpi:RegistrationInfo elements, but
                     we can't check the actual values.
@@ -133,5 +135,5 @@
             </list>
         </property>
     </bean>
-    
+
 </beans>
diff --git a/mdx/int_edugain/check_recovered.xsl b/mdx/int_edugain/check_recovered.xsl
index d75b4e1b..2781d372 100644
--- a/mdx/int_edugain/check_recovered.xsl
+++ b/mdx/int_edugain/check_recovered.xsl
@@ -1,26 +1,26 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_recovered.xsl
-	
-	Checking ruleset which labels every entity as having recovered from a previous
-	error condition.
+    check_recovered.xsl
+
+    Checking ruleset which labels every entity as having recovered from a previous
+    error condition.
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
+    <xsl:template match="md:EntityDescriptor">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">entity has recovered from a previous error condition</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:EntityDescriptor">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">entity has recovered from a previous error condition</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/int_edugain/verbs.xml b/mdx/int_edugain/verbs.xml
index ed4a6400..e4fa53e4 100644
--- a/mdx/int_edugain/verbs.xml
+++ b/mdx/int_edugain/verbs.xml
@@ -11,26 +11,41 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-    
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:int_edugain/beans.xml"/>
-    
-    <bean id="serializeImported" parent="SerializationStage">
+
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/int_edugain/imported.xml"/>
             </bean>
         </property>
     </bean>
-    
-    <bean id="importProduction" parent="SimplePipeline">
+
+    <!--
+        removeUKEntities
+
+        Filter out entities which declare themselves as registered
+        by the UK federation, as we don't need to verify those.
+    -->
+    <bean id="removeUKEntities" parent="mda.EntityRegistrationAuthorityFilterStage">
+        <property name="designatedRegistrationAuthorities">
+            <list>
+                <ref bean="uk_ukf_registrar"/>
+            </list>
+        </property>
+    </bean>
+
+    <bean id="importProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
@@ -41,7 +56,7 @@
         </property>
     </bean>
 
-    <bean id="importProductionRaw" parent="SimplePipeline">
+    <bean id="importProductionRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionAggregate"/>
@@ -49,8 +64,8 @@
             </list>
         </property>
     </bean>
-    
-    <bean id="importTest" parent="SimplePipeline">
+
+    <bean id="importTest" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_testEntities"/>
@@ -60,20 +75,21 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         verify
-        
+
         Verifies that entities being imported from eduGAIN match our checks.
         Intended to be run from Jenkins once a week. Errors on the verification
         blacklist are ignored, so that we only need to deal with each entity
         entering an error state once.
     -->
-    <bean id="verify" parent="SimplePipeline">
+    <bean id="verify" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
-                <bean id="removeBlacklistedEntities" parent="EntityFilterStage"
+                <ref bean="removeUKEntities"/>
+                <bean id="removeBlacklistedEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="false"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
 
@@ -85,18 +101,18 @@
 
     <!--
         verify.new
-        
+
         Live verify, but adding "new" checks that we don't impose on the live import.
     -->
-    <bean id="verify.new" parent="SimplePipeline">
+    <bean id="verify.new" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
-                <bean id="removeBlacklistedEntities" parent="EntityFilterStage"
+                <ref bean="removeUKEntities"/>
+                <bean id="removeBlacklistedEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="false"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
-                
-                <ref bean="check_rands"/>
+
                 <ref bean="standardImportActions"/>
                 <ref bean="errorTerminatingFilter"/>
             </list>
@@ -105,54 +121,56 @@
 
     <!--
         verify.recovered
-        
+
         Looks for eduGAIN entities which *were* in an error state, as shown by
         their inclusion in our verification blacklist, but have now recovered.
     -->
-    <bean id="verify.recovered" parent="SimplePipeline">
+    <bean id="verify.recovered" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
-                
+                <ref bean="removeUKEntities"/>
+
                 <!-- remove all entities which still have errors -->
                 <ref bean="standardImportActions"/>
                 <ref bean="errorRemover"/>
-                
+
                 <!-- remove all entities *other* than the ones in the blacklist -->
-                <bean id="removeAllButBlacklistedEntities" parent="EntityFilterStage"
+                <bean id="removeAllButBlacklistedEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="true"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
-                
+
                 <!-- flag up any remaining entities -->
-                <bean id="check_recovered" parent="XSLValidationStage"
+                <bean id="check_recovered" parent="mda.XSLValidationStage"
                     p:XSLResource="classpath:int_edugain/check_recovered.xsl"/>
 
                 <ref bean="errorTerminatingFilter"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         verify.all
-        
+
         Same as verify, but not making use of the validation
         blacklist. Can be used to check up on blacklisted entities.
-        
+
         Output also includes any warnings attached to entities, although
         these do not result in an error termination.
     -->
-    <bean id="verify.all" parent="SimplePipeline">
+    <bean id="verify.all" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
-                
+                <ref bean="removeUKEntities"/>
+
                 <ref bean="standardImportActions"/>
                 <ref bean="warningAndErrorAnnouncer"/>
                 <ref bean="errorTerminator"/>
             </list>
         </property>
     </bean>
-    
+
     <alias alias="import"    name="importProduction"/>
     <alias alias="importRaw" name="importProductionRaw"/>
 </beans>
diff --git a/mdx/mda-beans.xml b/mdx/mda-beans.xml
new file mode 100644
index 00000000..ea592084
--- /dev/null
+++ b/mdx/mda-beans.xml
@@ -0,0 +1,272 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+    <!--
+        Bean definitions for simplified access to components in the
+        Shibboleth Metadata Aggregator's aggregator-pipeline artifact.
+
+        All defined bean names are prefixed with "mda.".
+    -->
+
+    <!--
+        Parent for anything based on the Shibboleth component system.
+        These all require initialization before use.
+    -->
+    <bean id="mda.component_parent" abstract="true"
+        init-method="initialize" destroy-method="destroy"/>
+
+    <!--
+        Parent for all stages.
+    -->
+    <bean id="mda.stage_parent" abstract="true" parent="mda.component_parent"/>
+
+    <!--
+        net.shibboleth.metadata
+    -->
+
+    <bean id="mda.DeduplicatingItemIdMergeStrategy" abstract="true"
+        class="net.shibboleth.metadata.DeduplicatingItemIdMergeStrategy"/>
+
+    <bean id="mda.FirstItemIdItemIdentificationStrategy" abstract="true"
+        class="net.shibboleth.metadata.FirstItemIdItemIdentificationStrategy"/>
+
+    <bean id="mda.SimpleCollectionMergeStrategy" abstract="true"
+        class="net.shibboleth.metadata.SimpleCollectionMergeStrategy"/>
+
+    <bean id="mda.SimpleItemCollectionSerializer" abstract="true"
+        class="net.shibboleth.metadata.SimpleItemCollectionSerializer"/>
+
+    <!--
+        net.shibboleth.metadata.dom
+    -->
+
+    <bean id="mda.CRDetectionStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.CRDetectionStage"/>
+
+    <bean id="mda.DOMElementSerializer" abstract="true"
+        class="net.shibboleth.metadata.dom.DOMElementSerializer"/>
+
+    <bean id="mda.DOMFilesystemSourceStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.DOMFilesystemSourceStage"/>
+
+    <bean id="mda.DOMResourceSourceStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.DOMResourceSourceStage"/>
+
+    <bean id="mda.ElementStrippingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.ElementStrippingStage"/>
+
+    <bean id="mda.ElementWhitespaceTrimmingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.ElementWhitespaceTrimmingStage"/>
+
+    <bean id="mda.EmptyContainerStrippingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.EmptyContainerStrippingStage"/>
+
+    <bean id="mda.MultiOutputXSLTransformationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.MultiOutputXSLTransformationStage"/>
+
+    <bean id="mda.NamespacesStrippingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.NamespacesStrippingStage"/>
+
+    <bean id="mda.NamespaceStrippingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.NamespaceStrippingStage"/>
+
+    <bean id="mda.XMLSchemaValidationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.XMLSchemaValidationStage"/>
+
+    <bean id="mda.XMLSignatureSigningStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.XMLSignatureSigningStage"/>
+
+    <bean id="mda.XMLSignatureValidationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"/>
+
+    <bean id="mda.XPathFilteringStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.XPathFilteringStage"/>
+
+    <bean id="mda.XPathItemSelectionStrategy" abstract="true"
+        class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy"/>
+
+    <bean id="mda.XSLTransformationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.XSLTransformationStage"/>
+
+    <bean id="mda.XSLValidationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.XSLValidationStage"/>
+
+    <!--
+        net.shibboleth.metadata.dom.ds
+    -->
+
+    <bean id="mda.X509ValidationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.ds.X509ValidationStage"/>
+
+    <!--
+        net.shibboleth.metadata.dom.saml
+    -->
+
+    <bean id="mda.ContactPersonFilterStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.ContactPersonFilterStage"/>
+
+    <bean id="mda.EntitiesDescriptorAssemblerStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorAssemblerStage"/>
+
+    <bean id="mda.EntitiesDescriptorDisassemblerStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorDisassemblerStage"/>
+
+    <bean id="mda.EntityDescriptorItemIdPopulationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.EntityDescriptorItemIdPopulationStage"/>
+
+    <bean id="mda.EntityFilterStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.EntityFilterStage"/>
+
+    <bean id="mda.EntityRoleFilterStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.EntityRoleFilterStage"/>
+
+    <bean id="mda.GenerateIdStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.GenerateIdStage"/>
+
+    <bean id="mda.PullUpCacheDurationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.PullUpCacheDurationStage"/>
+
+    <bean id="mda.PullUpValidUntilStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.PullUpValidUntilStage"/>
+
+    <bean id="mda.RemoveOrganizationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.RemoveOrganizationStage"/>
+
+    <bean id="mda.SetCacheDurationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.SetCacheDurationStage"/>
+
+    <bean id="mda.SetValidUntilStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.SetValidUntilStage"/>
+
+    <bean id="mda.ValidateValidUntilStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.ValidateValidUntilStage"/>
+
+    <!--
+        net.shibboleth.metadata.dom.saml.mdattr
+    -->
+
+    <bean id="mda.EntityAttributeFilteringStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.mdattr.EntityAttributeFilteringStage"/>
+
+    <bean id="mda.EntityCategoryMatcher" abstract="true"
+        class="net.shibboleth.metadata.dom.saml.mdattr.EntityCategoryMatcher"/>
+
+    <bean id="mda.EntityCategorySupportMatcher" abstract="true"
+        class="net.shibboleth.metadata.dom.saml.mdattr.EntityCategorySupportMatcher"/>
+
+    <bean id="mda.MultiPredicateMatcher" abstract="true"
+        class="net.shibboleth.metadata.dom.saml.mdattr.MultiPredicateMatcher"/>
+
+    <bean id="mda.RegistrationAuthorityMatcher" abstract="true"
+        class="net.shibboleth.metadata.dom.saml.mdattr.RegistrationAuthorityMatcher"/>
+
+    <!--
+        net.shibboleth.metadata.dom.saml.mdrpi
+    -->
+
+    <bean id="mda.EntityRegistrationAuthorityFilterStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.mdrpi.EntityRegistrationAuthorityFilterStage"/>
+
+    <bean id="mda.RegistrationAuthorityItemIdentificationStrategy" abstract="true"
+        class="net.shibboleth.metadata.dom.saml.mdrpi.RegistrationAuthorityItemIdentificationStrategy"/>
+
+    <bean id="mda.RegistrationAuthorityPopulationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.mdrpi.RegistrationAuthorityPopulationStage"/>
+
+    <!--
+        net.shibboleth.metadata.pipeline
+    -->
+
+    <bean id="mda.AtLeastCollectionPredicate" abstract="true"
+        class="net.shibboleth.metadata.pipeline.AtLeastCollectionPredicate"/>
+
+    <bean id="mda.CompositeStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.CompositeStage"/>
+
+    <bean id="mda.FilesInDirectoryMultiOutputStrategy" abstract="true" parent="mda.component_parent"
+        class="net.shibboleth.metadata.pipeline.FilesInDirectoryMultiOutputStrategy"/>
+
+    <bean id="mda.ItemIdTransformStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.ItemIdTransformStage"/>
+
+    <bean id="mda.ItemMetadataAddingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.ItemMetadataAddingStage"/>
+
+    <bean id="mda.ItemMetadataFilterStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.ItemMetadataFilterStage"/>
+
+    <bean id="mda.ItemMetadataTerminationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.ItemMetadataTerminationStage"/>
+
+    <bean id="mda.MDQueryMD5ItemIdTransformer" abstract="true"
+        class="net.shibboleth.metadata.pipeline.MDQueryMD5ItemIdTransformer"/>
+
+    <bean id="mda.MDQuerySHA1ItemIdTransformer" abstract="true"
+        class="net.shibboleth.metadata.pipeline.MDQuerySHA1ItemIdTransformer"/>
+
+    <bean id="mda.MultiOutputSerializationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.MultiOutputSerializationStage"/>
+
+    <bean id="mda.PipelineDemultiplexerStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.PipelineDemultiplexerStage"/>
+
+    <bean id="mda.PipelineMergeStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.PipelineMergeStage"/>
+
+    <bean id="mda.ScriptletStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.ScriptletStage"/>
+
+    <bean id="mda.SerializationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.SerializationStage"/>
+
+    <bean id="mda.SimplePipeline" abstract="true" parent="mda.component_parent"
+        class="net.shibboleth.metadata.pipeline.SimplePipeline"/>
+
+    <bean id="mda.SplitMergeStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.SplitMergeStage"/>
+
+    <bean id="mda.StaticItemSourceStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.StaticItemSourceStage"/>
+
+    <bean id="mda.StatusMetadataLoggingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.StatusMetadataLoggingStage"/>
+
+    <!--
+        net.shibboleth.metadata.util
+    -->
+
+    <bean id="mda.PathSegmentStringTransformer" abstract="true"
+        class="net.shibboleth.metadata.util.PathSegmentStringTransformer"/>
+
+    <bean id="mda.SHA1StringTransformer" abstract="true"
+        class="net.shibboleth.metadata.util.SHA1StringTransformer"/>
+
+    <!--
+        net.shibboleth.metadata.validate
+    -->
+
+    <bean id="mda.validator_parent" abstract="true" parent="mda.component_parent"/>
+
+    <!--
+        net.shibboleth.metadata.validate.x509
+    -->
+
+    <bean id="mda.X509RSAExponentValidator" abstract="true" parent="mda.validator_parent"
+        class="net.shibboleth.metadata.validate.x509.X509RSAExponentValidator"/>
+
+    <bean id="mda.X509RSAKeyLengthValidator" abstract="true" parent="mda.validator_parent"
+        class="net.shibboleth.metadata.validate.x509.X509RSAKeyLengthValidator"/>
+
+    <bean id="mda.X509RSAOpenSSLBlacklistValidator" abstract="true" parent="mda.validator_parent"
+        class="net.shibboleth.metadata.validate.x509.X509RSAOpenSSLBlacklistValidator"/>
+
+</beans>
diff --git a/mdx/ns_norm.xsl b/mdx/ns_norm.xsl
index 2c907602..60b4c6ac 100644
--- a/mdx/ns_norm.xsl
+++ b/mdx/ns_norm.xsl
@@ -1,229 +1,222 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm.xsl
-	
-	XSL stylesheet that takes a SAML 2 metadata file and normalises
-	the namespaces used.  In general, this means assigning a standard
-	prefix to each known namespace and ensuring that those namespaces
-	are declared on the document element.
-	
-	The exception is the SAML 2.0 metadata namespace, which is established
-	as the default namespace for the document and therefore does not
-	require a prefix.
-	
-	The stylesheet operates by matching every element node in the document
-	and rebuilding it from scratch.  This has the side-effect of discarding
-	any unwanted namespace definitions from intermediate nodes.
-	
-	The result is a document with a large number of namespaces declared
-	with associated prefixes on the document element, and with few
-	(hopefully no) namespace prefix declarations elsewhere.  For any
-	particular document, this normalised form may define some namespaces
-	which are never used, and define some at the document level which
-	would be better defined on the elements on which they are actually
-	used (with or without prefixes).  For example, a bug in one of the
-	libraries underlying the xmlsectool application means that it cannot
-	verify the signature on a document where more than about ten prefixes
-	are in scope on any given element.  In practice this may mean that
-	after normalisation, some *de*normalisation will be required or at
-	least desirable prior to publication.  The responsibility for this
-	lies further down the processing pipeline.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    ns_norm.xsl
+
+    XSL stylesheet that takes a SAML 2 metadata file and normalises
+    the namespaces used.  In general, this means assigning a standard
+    prefix to each known namespace and ensuring that those namespaces
+    are declared on the document element.
+
+    The exception is the SAML 2.0 metadata namespace, which is established
+    as the default namespace for the document and therefore does not
+    require a prefix.
+
+    The stylesheet operates by matching every element node in the document
+    and rebuilding it from scratch.  This has the side-effect of discarding
+    any unwanted namespace definitions from intermediate nodes.
+
+    The result is a document with a large number of namespaces declared
+    with associated prefixes on the document element, and with few
+    (hopefully no) namespace prefix declarations elsewhere.  For any
+    particular document, this normalised form may define some namespaces
+    which are never used, and define some at the document level which
+    would be better defined on the elements on which they are actually
+    used (with or without prefixes).  For example, a bug in one of the
+    libraries underlying the xmlsectool application means that it cannot
+    verify the signature on a document where more than about ten prefixes
+    are in scope on any given element.  In practice this may mean that
+    after normalisation, some *de*normalisation will be required or at
+    least desirable prior to publication.  The responsibility for this
+    lies further down the processing pipeline.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-	
-	exclude-result-prefixes="md"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-	
-	
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-		
-		There are only two possible document elements in SAML metadata.
-	-->
-	
-	
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-	
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-	
-	
-	<!--
-		*********************************************
-		***                                       ***
-		***   D E F A U L T   N A M E S P A C E   ***
-		***                                       ***
-		*********************************************
-	-->
-	
-	
-	<xsl:template match="md:*">
-		<xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:2.0:metadata">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-	
-	<!--
-		*************************************************************
-		***                                                       ***
-		***   K N O W N   P R E F I X E D   N A M E S P A C E S   ***
-		***                                                       ***
-		*************************************************************
-	-->
-	
-
-	<xsl:template match="alg:*">
-		<xsl:element name="alg:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-	<xsl:template match="ds:*">
-		<xsl:element name="ds:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-	<xsl:template match="idpdisc:*">
-		<xsl:element name="idpdisc:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-	<xsl:template match="init:*">
-		<xsl:element name="init:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-	<xsl:template match="mdattr:*">
-		<xsl:element name="mdattr:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-	<xsl:template match="mdrpi:*">
-		<xsl:element name="mdrpi:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-	<xsl:template match="mdui:*">
-		<xsl:element name="mdui:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-	<xsl:template match="saml:*">
-		<xsl:element name="saml:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-	<xsl:template match="shibmd:*">
-		<xsl:element name="shibmd:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-	<xsl:template match="ukfedlabel:*">
-		<xsl:element name="ukfedlabel:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-	<xsl:template match="wayf:*">
-		<xsl:element name="wayf:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-	<xsl:template match="xenc:*">
-		<xsl:element name="xenc:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-		
-	<!--
-		*********************************************
-		***                                       ***
-		***   D E F A U L T   T E M P L A T E S   ***
-		***                                       ***
-		*********************************************
-	-->
-	
-	
-	<!--
-		Copy text blocks, comments and attributes unchanged.
-	-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	
-	<!--
-		Copy all other elements from the input to the output, along with their
-		attributes and contents.
-		
-		Note that this will also copy across their namespaces and namespace prefix
-		declarations, which can result in denormalised output.  If that turns out
-		to be a problem in practice, this should be changed to reconstruct the
-		nodes in question using xsl:element with name="{local-name()}" along
-		with the original node's namespace but probably not prefix.
-	-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    exclude-result-prefixes="md"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+
+    <!--
+        *********************************************
+        ***                                       ***
+        ***   D E F A U L T   N A M E S P A C E   ***
+        ***                                       ***
+        *********************************************
+    -->
+
+
+    <xsl:template match="md:*">
+        <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:2.0:metadata">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
+    <!--
+        *************************************************************
+        ***                                                       ***
+        ***   K N O W N   P R E F I X E D   N A M E S P A C E S   ***
+        ***                                                       ***
+        *************************************************************
+    -->
+
+
+    <xsl:template match="alg:*">
+        <xsl:element name="alg:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="ds:*">
+        <xsl:element name="ds:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="idpdisc:*">
+        <xsl:element name="idpdisc:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="init:*">
+        <xsl:element name="init:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="mdattr:*">
+        <xsl:element name="mdattr:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="mdrpi:*">
+        <xsl:element name="mdrpi:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="mdui:*">
+        <xsl:element name="mdui:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="saml:*">
+        <xsl:element name="saml:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="shibmd:*">
+        <xsl:element name="shibmd:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="ukfedlabel:*">
+        <xsl:element name="ukfedlabel:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="xenc:*">
+        <xsl:element name="xenc:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
+    <!--
+        *********************************************
+        ***                                       ***
+        ***   D E F A U L T   T E M P L A T E S   ***
+        ***                                       ***
+        *********************************************
+    -->
+
+
+    <!--
+        Copy text blocks, comments and attributes unchanged.
+    -->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+
+    <!--
+        Copy all other elements from the input to the output, along with their
+        attributes and contents.
+
+        Note that this will also copy across their namespaces and namespace prefix
+        declarations, which can result in denormalised output.  If that turns out
+        to be a problem in practice, this should be changed to reconstruct the
+        nodes in question using xsl:element with name="{local-name()}" along
+        with the original node's namespace but probably not prefix.
+    -->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/schema/MetadataExchange.xsd b/mdx/schema/MetadataExchange.xsd
index 53094fb7..06d2a6fd 100644
--- a/mdx/schema/MetadataExchange.xsd
+++ b/mdx/schema/MetadataExchange.xsd
@@ -2,15 +2,15 @@
 <!--
 (c) 2004-2006 BEA Systems Inc., Computer Associates International, Inc.,
 International Business Machines Corporation, Microsoft Corporation,
-Inc., SAP AG, Sun Microsystems, and webMethods. All rights reserved. 
+Inc., SAP AG, Sun Microsystems, and webMethods. All rights reserved.
 
 Permission to copy and display the WS-MetadataExchange Specification
 (the "Specification"), in any medium without fee or royalty is hereby
 granted, provided that you include the following on ALL copies of the
 Specification that you make:
 
-1.	A link or URL to the Specification at this location.
-2.	The copyright notice as shown in the Specification.
+1.  A link or URL to the Specification at this location.
+2.  The copyright notice as shown in the Specification.
 
 BEA Systems, Computer Associates, IBM, Microsoft, SAP, Sun, and
 webMethods (collectively, the "Authors") each agree to grant you a
@@ -90,8 +90,8 @@ No other rights are granted by implication, estoppel or otherwise.
       <xs:anyAttribute namespace='##other' processContents='lax' />
     </xs:complexType>
   </xs:element>
-  
-  <!-- 
+
+  <!--
        Ideally, the type of the MetadataReference would have been
        the union of wsa04:EndpointReferenceType and
        wsa10:EndpointReferenceType but unfortunately xs:union only
@@ -102,7 +102,7 @@ No other rights are granted by implication, estoppel or otherwise.
   <xs:element name='MetadataReference'>
     <xs:complexType>
       <xs:sequence>
-        <xs:any minOccurs='1' maxOccurs='unbounded' 
+        <xs:any minOccurs='1' maxOccurs='unbounded'
                 processContents='lax' namespace='##other' />
       </xs:sequence>
     </xs:complexType>
diff --git a/mdx/schema/incommon-metadata.xsd b/mdx/schema/incommon-metadata.xsd
index f33a8398..b1b046ed 100644
--- a/mdx/schema/incommon-metadata.xsd
+++ b/mdx/schema/incommon-metadata.xsd
@@ -7,13 +7,13 @@
   attributeFormDefault="unqualified"
   blockDefault="substitution"
   version="2.0">
-  
+
   <xs:annotation>
     <xs:documentation>
       Document title: Schema for InCommon Federation metadata extensions
       Document identifier: Metadata Extension Schema
       Location: https://spaces.internet2.edu/x/iIuVAQ
-      Revision history: 
+      Revision history:
       V1.2 (3 May 2013):
       Make schema itself schema-valid.
       V1.1 (2 May 2013):
@@ -22,7 +22,7 @@
       Initial version. Added contactType attribute.
     </xs:documentation>
   </xs:annotation>
-  
+
   <xs:attribute name="contactType" type="xs:anyURI"/>
-  
+
 </xs:schema>
diff --git a/mdx/schema/oasis-200401-wss-wssecurity-secext-1.0.xsd b/mdx/schema/oasis-200401-wss-wssecurity-secext-1.0.xsd
index 6829a00f..78a73ef8 100644
--- a/mdx/schema/oasis-200401-wss-wssecurity-secext-1.0.xsd
+++ b/mdx/schema/oasis-200401-wss-wssecurity-secext-1.0.xsd
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- 
+<!--
 OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
 OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
 Copyright © OASIS Open 2002-2004. All Rights Reserved.
@@ -8,188 +8,188 @@ The limited permissions granted above are perpetual and will not be revoked by O
 This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 -->
 <xsd:schema targetNamespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" elementFormDefault="qualified" attributeFormDefault="unqualified" blockDefault="#all" version="0.2">
-	<xsd:import namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" schemaLocation="oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
-	<xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
-	<xsd:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
-	<xsd:complexType name="AttributedString">
-		<xsd:annotation>
-			<xsd:documentation>This type represents an element with arbitrary attributes.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="xsd:string">
-				<xsd:attribute ref="wsu:Id"/>
-				<xsd:anyAttribute namespace="##other" processContents="lax"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<xsd:complexType name="PasswordString">
-		<xsd:annotation>
-			<xsd:documentation>This type is used for password elements per Section 4.1.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="wsse:AttributedString">
-				<xsd:attribute name="Type" type="xsd:anyURI"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<xsd:complexType name="EncodedString">
-		<xsd:annotation>
-			<xsd:documentation>This type is used for elements containing stringified binary data.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="wsse:AttributedString">
-				<xsd:attribute name="EncodingType" type="xsd:anyURI"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<xsd:complexType name="UsernameTokenType">
-		<xsd:annotation>
-			<xsd:documentation>This type represents a username token per Section 4.1</xsd:documentation>
-		</xsd:annotation>
-		<xsd:sequence>
-			<xsd:element name="Username" type="wsse:AttributedString"/>
-			<xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-		</xsd:sequence>
-		<xsd:attribute ref="wsu:Id"/>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:complexType>
-	<xsd:complexType name="BinarySecurityTokenType">
-		<xsd:annotation>
-			<xsd:documentation>A security token that is encoded in binary</xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="wsse:EncodedString">
-				<xsd:attribute name="ValueType" type="xsd:anyURI"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<xsd:complexType name="KeyIdentifierType">
-		<xsd:annotation>
-			<xsd:documentation>A security token key identifier</xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="wsse:EncodedString">
-				<xsd:attribute name="ValueType" type="xsd:anyURI"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<xsd:simpleType name="tUsage">
-		<xsd:annotation>
-			<xsd:documentation>Typedef to allow a list of usages (as URIs).</xsd:documentation>
-		</xsd:annotation>
-		<xsd:list itemType="xsd:anyURI"/>
-	</xsd:simpleType>
-	<xsd:attribute name="Usage" type="tUsage">
-		<xsd:annotation>
-			<xsd:documentation>This global attribute is used to indicate the usage of a referenced or indicated token within the containing context</xsd:documentation>
-		</xsd:annotation>
-	</xsd:attribute>
-	<xsd:complexType name="ReferenceType">
-		<xsd:annotation>
-			<xsd:documentation>This type represents a reference to an external security token.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:attribute name="URI" type="xsd:anyURI"/>
-		<xsd:attribute name="ValueType" type="xsd:anyURI"/>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:complexType>
-	<xsd:complexType name="EmbeddedType">
-		<xsd:annotation>
-			<xsd:documentation>This type represents a reference to an embedded security token.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:choice minOccurs="0" maxOccurs="unbounded">
-			<xsd:any processContents="lax"/>
-		</xsd:choice>
-		<xsd:attribute name="ValueType" type="xsd:anyURI"/>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:complexType>
-	<xsd:complexType name="SecurityTokenReferenceType">
-		<xsd:annotation>
-			<xsd:documentation>This type is used reference a security token.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:choice minOccurs="0" maxOccurs="unbounded">
-			<xsd:any processContents="lax"/>
-		</xsd:choice>
-		<xsd:attribute ref="wsu:Id"/>
-		<xsd:attribute ref="wsse:Usage"/>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:complexType>
-	<xsd:complexType name="SecurityHeaderType">
-		<xsd:annotation>
-			<xsd:documentation>This complexType defines header block to use for security-relevant data directed at a specific SOAP actor.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:sequence>
-			<xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded">
-				<xsd:annotation>
-					<xsd:documentation>The use of "any" is to allow extensibility and different forms of security data.</xsd:documentation>
-				</xsd:annotation>
-			</xsd:any>
-		</xsd:sequence>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:complexType>
-	<xsd:complexType name="TransformationParametersType">
-		<xsd:annotation>
-			<xsd:documentation>This complexType defines a container for elements to be specified from any namespace as properties/parameters of a DSIG transformation.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:sequence>
-			<xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded">
-				<xsd:annotation>
-					<xsd:documentation>The use of "any" is to allow extensibility from any namespace.</xsd:documentation>
-				</xsd:annotation>
-			</xsd:any>
-		</xsd:sequence>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:complexType>
-	<xsd:element name="UsernameToken" type="wsse:UsernameTokenType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines the wsse:UsernameToken element per Section 4.1.</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="BinarySecurityToken" type="wsse:BinarySecurityTokenType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines the wsse:BinarySecurityToken element per Section 4.2.</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="Reference" type="wsse:ReferenceType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines a security token reference</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="Embedded" type="wsse:EmbeddedType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines a security token embedded reference</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="KeyIdentifier" type="wsse:KeyIdentifierType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines a key identifier reference</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="SecurityTokenReference" type="wsse:SecurityTokenReferenceType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines the wsse:SecurityTokenReference per Section 4.3.</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="Security" type="wsse:SecurityHeaderType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines the wsse:Security SOAP header element per Section 4.</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="TransformationParameters" type="wsse:TransformationParametersType">
-		<xsd:annotation>
-			<xsd:documentation>This element contains properties for transformations from any namespace, including DSIG.</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="Password" type="wsse:PasswordString"/>
-	<xsd:element name="Nonce" type="wsse:EncodedString"/>
-	<xsd:simpleType name="FaultcodeEnum">
-		<xsd:restriction base="xsd:QName">
-			<xsd:enumeration value="wsse:UnsupportedSecurityToken"/>
-			<xsd:enumeration value="wsse:UnsupportedAlgorithm"/>
-			<xsd:enumeration value="wsse:InvalidSecurity"/>
-			<xsd:enumeration value="wsse:InvalidSecurityToken"/>
-			<xsd:enumeration value="wsse:FailedAuthentication"/>
-			<xsd:enumeration value="wsse:FailedCheck"/>
-			<xsd:enumeration value="wsse:SecurityTokenUnavailable"/>
-		</xsd:restriction>
-	</xsd:simpleType>
+    <xsd:import namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" schemaLocation="oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
+    <xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
+    <xsd:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
+    <xsd:complexType name="AttributedString">
+        <xsd:annotation>
+            <xsd:documentation>This type represents an element with arbitrary attributes.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="xsd:string">
+                <xsd:attribute ref="wsu:Id"/>
+                <xsd:anyAttribute namespace="##other" processContents="lax"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <xsd:complexType name="PasswordString">
+        <xsd:annotation>
+            <xsd:documentation>This type is used for password elements per Section 4.1.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="wsse:AttributedString">
+                <xsd:attribute name="Type" type="xsd:anyURI"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <xsd:complexType name="EncodedString">
+        <xsd:annotation>
+            <xsd:documentation>This type is used for elements containing stringified binary data.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="wsse:AttributedString">
+                <xsd:attribute name="EncodingType" type="xsd:anyURI"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <xsd:complexType name="UsernameTokenType">
+        <xsd:annotation>
+            <xsd:documentation>This type represents a username token per Section 4.1</xsd:documentation>
+        </xsd:annotation>
+        <xsd:sequence>
+            <xsd:element name="Username" type="wsse:AttributedString"/>
+            <xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </xsd:sequence>
+        <xsd:attribute ref="wsu:Id"/>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:complexType>
+    <xsd:complexType name="BinarySecurityTokenType">
+        <xsd:annotation>
+            <xsd:documentation>A security token that is encoded in binary</xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="wsse:EncodedString">
+                <xsd:attribute name="ValueType" type="xsd:anyURI"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <xsd:complexType name="KeyIdentifierType">
+        <xsd:annotation>
+            <xsd:documentation>A security token key identifier</xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="wsse:EncodedString">
+                <xsd:attribute name="ValueType" type="xsd:anyURI"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <xsd:simpleType name="tUsage">
+        <xsd:annotation>
+            <xsd:documentation>Typedef to allow a list of usages (as URIs).</xsd:documentation>
+        </xsd:annotation>
+        <xsd:list itemType="xsd:anyURI"/>
+    </xsd:simpleType>
+    <xsd:attribute name="Usage" type="tUsage">
+        <xsd:annotation>
+            <xsd:documentation>This global attribute is used to indicate the usage of a referenced or indicated token within the containing context</xsd:documentation>
+        </xsd:annotation>
+    </xsd:attribute>
+    <xsd:complexType name="ReferenceType">
+        <xsd:annotation>
+            <xsd:documentation>This type represents a reference to an external security token.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:attribute name="URI" type="xsd:anyURI"/>
+        <xsd:attribute name="ValueType" type="xsd:anyURI"/>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:complexType>
+    <xsd:complexType name="EmbeddedType">
+        <xsd:annotation>
+            <xsd:documentation>This type represents a reference to an embedded security token.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:choice minOccurs="0" maxOccurs="unbounded">
+            <xsd:any processContents="lax"/>
+        </xsd:choice>
+        <xsd:attribute name="ValueType" type="xsd:anyURI"/>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:complexType>
+    <xsd:complexType name="SecurityTokenReferenceType">
+        <xsd:annotation>
+            <xsd:documentation>This type is used reference a security token.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:choice minOccurs="0" maxOccurs="unbounded">
+            <xsd:any processContents="lax"/>
+        </xsd:choice>
+        <xsd:attribute ref="wsu:Id"/>
+        <xsd:attribute ref="wsse:Usage"/>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:complexType>
+    <xsd:complexType name="SecurityHeaderType">
+        <xsd:annotation>
+            <xsd:documentation>This complexType defines header block to use for security-relevant data directed at a specific SOAP actor.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:sequence>
+            <xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded">
+                <xsd:annotation>
+                    <xsd:documentation>The use of "any" is to allow extensibility and different forms of security data.</xsd:documentation>
+                </xsd:annotation>
+            </xsd:any>
+        </xsd:sequence>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:complexType>
+    <xsd:complexType name="TransformationParametersType">
+        <xsd:annotation>
+            <xsd:documentation>This complexType defines a container for elements to be specified from any namespace as properties/parameters of a DSIG transformation.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:sequence>
+            <xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded">
+                <xsd:annotation>
+                    <xsd:documentation>The use of "any" is to allow extensibility from any namespace.</xsd:documentation>
+                </xsd:annotation>
+            </xsd:any>
+        </xsd:sequence>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:complexType>
+    <xsd:element name="UsernameToken" type="wsse:UsernameTokenType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines the wsse:UsernameToken element per Section 4.1.</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="BinarySecurityToken" type="wsse:BinarySecurityTokenType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines the wsse:BinarySecurityToken element per Section 4.2.</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="Reference" type="wsse:ReferenceType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines a security token reference</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="Embedded" type="wsse:EmbeddedType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines a security token embedded reference</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="KeyIdentifier" type="wsse:KeyIdentifierType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines a key identifier reference</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="SecurityTokenReference" type="wsse:SecurityTokenReferenceType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines the wsse:SecurityTokenReference per Section 4.3.</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="Security" type="wsse:SecurityHeaderType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines the wsse:Security SOAP header element per Section 4.</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="TransformationParameters" type="wsse:TransformationParametersType">
+        <xsd:annotation>
+            <xsd:documentation>This element contains properties for transformations from any namespace, including DSIG.</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="Password" type="wsse:PasswordString"/>
+    <xsd:element name="Nonce" type="wsse:EncodedString"/>
+    <xsd:simpleType name="FaultcodeEnum">
+        <xsd:restriction base="xsd:QName">
+            <xsd:enumeration value="wsse:UnsupportedSecurityToken"/>
+            <xsd:enumeration value="wsse:UnsupportedAlgorithm"/>
+            <xsd:enumeration value="wsse:InvalidSecurity"/>
+            <xsd:enumeration value="wsse:InvalidSecurityToken"/>
+            <xsd:enumeration value="wsse:FailedAuthentication"/>
+            <xsd:enumeration value="wsse:FailedCheck"/>
+            <xsd:enumeration value="wsse:SecurityTokenUnavailable"/>
+        </xsd:restriction>
+    </xsd:simpleType>
 </xsd:schema>
diff --git a/mdx/schema/oasis-200401-wss-wssecurity-utility-1.0.xsd b/mdx/schema/oasis-200401-wss-wssecurity-utility-1.0.xsd
index f8d74e9c..f2ed72d8 100644
--- a/mdx/schema/oasis-200401-wss-wssecurity-utility-1.0.xsd
+++ b/mdx/schema/oasis-200401-wss-wssecurity-utility-1.0.xsd
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- 
+<!--
 OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
 OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
 Copyright © OASIS Open 2002-2004. All Rights Reserved.
@@ -7,102 +7,102 @@ This document and translations of it may be copied and furnished to others, and
 The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
 This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 -->
-<xsd:schema targetNamespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
+<xsd:schema targetNamespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 
 
 
-xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
+xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 elementFormDefault="qualified" attributeFormDefault="unqualified" version="0.1">
-	<!-- // Fault Codes /////////////////////////////////////////// -->
-	<xsd:simpleType name="tTimestampFault">
-		<xsd:annotation>
-			<xsd:documentation>
+    <!-- // Fault Codes /////////////////////////////////////////// -->
+    <xsd:simpleType name="tTimestampFault">
+        <xsd:annotation>
+            <xsd:documentation>
 This type defines the fault code value for Timestamp message expiration.
           </xsd:documentation>
-		</xsd:annotation>
-		<xsd:restriction base="xsd:QName">
-			<xsd:enumeration value="wsu:MessageExpired"/>
-		</xsd:restriction>
-	</xsd:simpleType>
-	<!-- // Global attributes //////////////////////////////////// -->
-	<xsd:attribute name="Id" type="xsd:ID">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+        <xsd:restriction base="xsd:QName">
+            <xsd:enumeration value="wsu:MessageExpired"/>
+        </xsd:restriction>
+    </xsd:simpleType>
+    <!-- // Global attributes //////////////////////////////////// -->
+    <xsd:attribute name="Id" type="xsd:ID">
+        <xsd:annotation>
+            <xsd:documentation>
 This global attribute supports annotating arbitrary elements with an ID.
           </xsd:documentation>
-		</xsd:annotation>
-	</xsd:attribute>
-	<xsd:attributeGroup name="commonAtts">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+    </xsd:attribute>
+    <xsd:attributeGroup name="commonAtts">
+        <xsd:annotation>
+            <xsd:documentation>
 Convenience attribute group used to simplify this schema.
           </xsd:documentation>
-		</xsd:annotation>
-		<xsd:attribute ref="wsu:Id" use="optional"/>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:attributeGroup>
-	<!-- // Utility types //////////////////////////////////////// -->
-	<xsd:complexType name="AttributedDateTime">
-		<xsd:annotation>
-			<xsd:documentation>
-This type is for elements whose [children] is a psuedo-dateTime and can have arbitrary attributes. 
+        </xsd:annotation>
+        <xsd:attribute ref="wsu:Id" use="optional"/>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:attributeGroup>
+    <!-- // Utility types //////////////////////////////////////// -->
+    <xsd:complexType name="AttributedDateTime">
+        <xsd:annotation>
+            <xsd:documentation>
+This type is for elements whose [children] is a psuedo-dateTime and can have arbitrary attributes.
       </xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="xsd:string">
-				<xsd:attributeGroup ref="wsu:commonAtts"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<xsd:complexType name="AttributedURI">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="xsd:string">
+                <xsd:attributeGroup ref="wsu:commonAtts"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <xsd:complexType name="AttributedURI">
+        <xsd:annotation>
+            <xsd:documentation>
 This type is for elements whose [children] is an anyURI and can have arbitrary attributes.
       </xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="xsd:anyURI">
-				<xsd:attributeGroup ref="wsu:commonAtts"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<!-- // Timestamp header components /////////////////////////// -->
-	<xsd:complexType name="TimestampType">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="xsd:anyURI">
+                <xsd:attributeGroup ref="wsu:commonAtts"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <!-- // Timestamp header components /////////////////////////// -->
+    <xsd:complexType name="TimestampType">
+        <xsd:annotation>
+            <xsd:documentation>
 This complex type ties together the timestamp related elements into a composite type.
             </xsd:documentation>
-		</xsd:annotation>
-		<xsd:sequence>
-			<xsd:element ref="wsu:Created" minOccurs="0"/>
-			<xsd:element ref="wsu:Expires" minOccurs="0"/>
-			<xsd:choice minOccurs="0" maxOccurs="unbounded">
-				<xsd:any namespace="##other" processContents="lax"/>
-			</xsd:choice>
-		</xsd:sequence>
-		<xsd:attributeGroup ref="wsu:commonAtts"/>
-	</xsd:complexType>
-	<xsd:element name="Timestamp" type="wsu:TimestampType">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+        <xsd:sequence>
+            <xsd:element ref="wsu:Created" minOccurs="0"/>
+            <xsd:element ref="wsu:Expires" minOccurs="0"/>
+            <xsd:choice minOccurs="0" maxOccurs="unbounded">
+                <xsd:any namespace="##other" processContents="lax"/>
+            </xsd:choice>
+        </xsd:sequence>
+        <xsd:attributeGroup ref="wsu:commonAtts"/>
+    </xsd:complexType>
+    <xsd:element name="Timestamp" type="wsu:TimestampType">
+        <xsd:annotation>
+            <xsd:documentation>
 This element allows Timestamps to be applied anywhere element wildcards are present,
 including as a SOAP header.
             </xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<!-- global element decls to allow individual elements to appear anywhere -->
-	<xsd:element name="Expires" type="wsu:AttributedDateTime">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <!-- global element decls to allow individual elements to appear anywhere -->
+    <xsd:element name="Expires" type="wsu:AttributedDateTime">
+        <xsd:annotation>
+            <xsd:documentation>
 This element allows an expiration time to be applied anywhere element wildcards are present.
             </xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="Created" type="wsu:AttributedDateTime">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="Created" type="wsu:AttributedDateTime">
+        <xsd:annotation>
+            <xsd:documentation>
 This element allows a creation time to be applied anywhere element wildcards are present.
             </xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
+        </xsd:annotation>
+    </xsd:element>
 </xsd:schema>
diff --git a/mdx/schema/refeds-metadata.xsd b/mdx/schema/refeds-metadata.xsd
index 1dadc094..3cab63b2 100644
--- a/mdx/schema/refeds-metadata.xsd
+++ b/mdx/schema/refeds-metadata.xsd
@@ -7,14 +7,14 @@
   attributeFormDefault="unqualified"
   blockDefault="substitution"
   version="2.0">
-  
+
   <xs:annotation>
     <xs:documentation>
       Unofficial schema for REFEDS metadata;
       specifically the contactType extension required for SIRTFI.
     </xs:documentation>
   </xs:annotation>
-  
+
   <xs:attribute name="contactType" type="xs:anyURI"/>
-  
+
 </xs:schema>
diff --git a/mdx/schema/saml-metadata-rpi-v1.0.xsd b/mdx/schema/saml-metadata-rpi-v1.0.xsd
index 135efa33..d5025fe2 100644
--- a/mdx/schema/saml-metadata-rpi-v1.0.xsd
+++ b/mdx/schema/saml-metadata-rpi-v1.0.xsd
@@ -12,10 +12,10 @@
     xmlns="http://www.w3.org/2001/XMLSchema"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-    elementFormDefault="unqualified" 
-    attributeFormDefault="unqualified" 
-    blockDefault="substitution" 
-    version="1.0"> 
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    blockDefault="substitution"
+    version="1.0">
 
     <annotation>
         <documentation>
@@ -24,17 +24,17 @@
             Location: http://docs.oasis-open.org/security/saml/Post2.0/
             Revision history:
               21 March 2011
-                Correct minOccurs on elements that were meant to be optional              
+                Correct minOccurs on elements that were meant to be optional
               17 December 2010
                 Change of document title and namespace
               24 November 2010
                 Initial Submission
         </documentation>
     </annotation>
-    
+
     <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
     <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
-    
+
     <element name="RegistrationInfo" type="mdrpi:RegistrationInfoType" />
     <complexType name="RegistrationInfoType">
         <sequence>
@@ -45,9 +45,9 @@
         <attribute name="registrationInstant" type="dateTime" />
         <anyAttribute namespace="##other" processContents="lax" />
     </complexType>
-    
+
     <element name="RegistrationPolicy" type="md:localizedURIType" />
-    
+
     <element name="PublicationInfo" type="mdrpi:PublicationInfoType" />
     <complexType name="PublicationInfoType">
         <sequence>
@@ -59,21 +59,21 @@
         <attribute name="publicationId" type="string" />
         <anyAttribute namespace="##other" processContents="lax" />
     </complexType>
-    
+
     <element name="UsagePolicy" type="md:localizedURIType" />
-    
+
     <element name="PublicationPath" type="mdrpi:PublicationPathType" />
     <complexType name="PublicationPathType">
         <sequence>
             <element ref="mdrpi:Publication" minOccurs="0" maxOccurs="unbounded" />
         </sequence>
     </complexType>
-    
+
     <element name="Publication" type="mdrpi:PublicationType" />
     <complexType name="PublicationType">
         <attribute name="publisher" type="string" use="required" />
         <attribute name="creationInstant" type="dateTime" />
         <attribute name="publicationId" type="string" />
     </complexType>
-    
-</schema>
\ No newline at end of file
+
+</schema>
diff --git a/mdx/schema/saml-schema-assertion-2.0.xsd b/mdx/schema/saml-schema-assertion-2.0.xsd
index 2b2f7b80..a1ef536c 100644
--- a/mdx/schema/saml-schema-assertion-2.0.xsd
+++ b/mdx/schema/saml-schema-assertion-2.0.xsd
@@ -163,7 +163,7 @@
             </sequence>
             <attribute name="Count" type="nonNegativeInteger" use="optional"/>
         </extension>
-	</complexContent>
+    </complexContent>
     </complexType>
     <element name="Advice" type="saml:AdviceType"/>
     <complexType name="AdviceType">
diff --git a/mdx/schema/saml-schema-metadata-2.0.xsd b/mdx/schema/saml-schema-metadata-2.0.xsd
index b656d4f4..f052721c 100644
--- a/mdx/schema/saml-schema-metadata-2.0.xsd
+++ b/mdx/schema/saml-schema-metadata-2.0.xsd
@@ -47,14 +47,14 @@
             </extension>
         </simpleContent>
     </complexType>
-    
+
     <element name="Extensions" type="md:ExtensionsType"/>
     <complexType final="#all" name="ExtensionsType">
         <sequence>
             <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
         </sequence>
     </complexType>
-    
+
     <complexType name="EndpointType">
         <sequence>
             <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
@@ -64,7 +64,7 @@
         <attribute name="ResponseLocation" type="anyURI" use="optional"/>
         <anyAttribute namespace="##other" processContents="lax"/>
     </complexType>
-    
+
     <complexType name="IndexedEndpointType">
         <complexContent>
             <extension base="md:EndpointType">
@@ -73,7 +73,7 @@
             </extension>
         </complexContent>
     </complexType>
-    
+
     <element name="EntitiesDescriptor" type="md:EntitiesDescriptorType"/>
     <complexType name="EntitiesDescriptorType">
         <sequence>
@@ -116,7 +116,7 @@
         <attribute name="ID" type="ID" use="optional"/>
         <anyAttribute namespace="##other" processContents="lax"/>
     </complexType>
-    
+
     <element name="Organization" type="md:OrganizationType"/>
     <complexType name="OrganizationType">
         <sequence>
@@ -202,7 +202,7 @@
         </restriction>
     </simpleType>
     <element name="EncryptionMethod" type="xenc:EncryptionMethodType"/>
-    
+
     <complexType name="SSODescriptorType" abstract="true">
         <complexContent>
             <extension base="md:RoleDescriptorType">
@@ -239,7 +239,7 @@
     <element name="NameIDMappingService" type="md:EndpointType"/>
     <element name="AssertionIDRequestService" type="md:EndpointType"/>
     <element name="AttributeProfile" type="anyURI"/>
-    
+
     <element name="SPSSODescriptor" type="md:SPSSODescriptorType"/>
     <complexType name="SPSSODescriptorType">
         <complexContent>
@@ -274,7 +274,7 @@
             </extension>
         </complexContent>
     </complexType>
-  
+
     <element name="AuthnAuthorityDescriptor" type="md:AuthnAuthorityDescriptorType"/>
     <complexType name="AuthnAuthorityDescriptorType">
         <complexContent>
@@ -318,7 +318,7 @@
         </complexContent>
     </complexType>
     <element name="AttributeService" type="md:EndpointType"/>
-   
+
     <element name="AffiliationDescriptor" type="md:AffiliationDescriptorType"/>
     <complexType name="AffiliationDescriptorType">
         <sequence>
diff --git a/mdx/schema/shibboleth-metadata-1.0.xsd b/mdx/schema/shibboleth-metadata-1.0.xsd
index be1441dd..476ba7b8 100644
--- a/mdx/schema/shibboleth-metadata-1.0.xsd
+++ b/mdx/schema/shibboleth-metadata-1.0.xsd
@@ -1,42 +1,42 @@
 <?xml version="1.0" encoding="US-ASCII"?>
 <schema targetNamespace="urn:mace:shibboleth:metadata:1.0"
-	xmlns="http://www.w3.org/2001/XMLSchema"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	elementFormDefault="unqualified"
-	attributeFormDefault="unqualified"
-	version="1.0">
+    xmlns="http://www.w3.org/2001/XMLSchema"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    version="1.0">
 
-	<import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
+    <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
 
-	<element name="Scope">
-		<annotation>
-			<documentation>
-			SAML metadata extension used to regulate allowable attribute scopes.
-			</documentation>
-		</annotation>
-		<complexType>
-			<simpleContent>
-				<extension base="string">
-					<attribute name="regexp" type="boolean" use="optional" default="false"/>
-				</extension>
-			</simpleContent>
-		</complexType>
-	</element>
+    <element name="Scope">
+        <annotation>
+            <documentation>
+            SAML metadata extension used to regulate allowable attribute scopes.
+            </documentation>
+        </annotation>
+        <complexType>
+            <simpleContent>
+                <extension base="string">
+                    <attribute name="regexp" type="boolean" use="optional" default="false"/>
+                </extension>
+            </simpleContent>
+        </complexType>
+    </element>
 
-	<element name="KeyAuthority">
-		<annotation>
-			<documentation>
-			Binds keying authorities to the system entity/entities to which the enclosing
-			metadata element applies.
-			</documentation>
-		</annotation>
-		<complexType>
-			<sequence>
-				<element ref="ds:KeyInfo" maxOccurs="unbounded"/>
-			</sequence>
-			<attribute name="VerifyDepth" type="unsignedByte" use="optional" default="1"/>
-			<anyAttribute namespace="##other" processContents="lax"/>
-		</complexType>
-	</element>
+    <element name="KeyAuthority">
+        <annotation>
+            <documentation>
+            Binds keying authorities to the system entity/entities to which the enclosing
+            metadata element applies.
+            </documentation>
+        </annotation>
+        <complexType>
+            <sequence>
+                <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+            </sequence>
+            <attribute name="VerifyDepth" type="unsignedByte" use="optional" default="1"/>
+            <anyAttribute namespace="##other" processContents="lax"/>
+        </complexType>
+    </element>
 
 </schema>
diff --git a/mdx/schema/sstc-metadata-attr.xsd b/mdx/schema/sstc-metadata-attr.xsd
index 5a445e21..432ef1a7 100644
--- a/mdx/schema/sstc-metadata-attr.xsd
+++ b/mdx/schema/sstc-metadata-attr.xsd
@@ -22,4 +22,4 @@
     </choice>
   </complexType>
 
-</schema>
\ No newline at end of file
+</schema>
diff --git a/mdx/schema/sstc-saml-holder-of-key-browser-sso.xsd b/mdx/schema/sstc-saml-holder-of-key-browser-sso.xsd
index 7860d029..11f34de3 100644
--- a/mdx/schema/sstc-saml-holder-of-key-browser-sso.xsd
+++ b/mdx/schema/sstc-saml-holder-of-key-browser-sso.xsd
@@ -14,10 +14,10 @@
       Document identifier: sstc-saml-holder-of-key-browser-sso.xsd
       Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
       Revision history:
-	V1.2 (2 November 2008):
-	  Renamed attribute from protocol to ProtocolBinding; targetNamespace changed in accordance with new conventions
-	V1.1 (6 August 2008):
-	  string type changed to anyURI to match original SAML2Meta schema
+    V1.2 (2 November 2008):
+      Renamed attribute from protocol to ProtocolBinding; targetNamespace changed in accordance with new conventions
+    V1.1 (6 August 2008):
+      string type changed to anyURI to match original SAML2Meta schema
         V1.0 (4 August 2008):
           Initial version.
     </xs:documentation>
diff --git a/mdx/schema/sstc-saml-metadata-algsupport-v1.0.xsd b/mdx/schema/sstc-saml-metadata-algsupport-v1.0.xsd
index c4e0f58b..8e30f4af 100644
--- a/mdx/schema/sstc-saml-metadata-algsupport-v1.0.xsd
+++ b/mdx/schema/sstc-saml-metadata-algsupport-v1.0.xsd
@@ -10,7 +10,7 @@
 
 -->
 
-<schema 
+<schema
   targetNamespace="urn:oasis:names:tc:SAML:metadata:algsupport"
   xmlns="http://www.w3.org/2001/XMLSchema"
   xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
diff --git a/mdx/schema/sstc-saml-metadata-ui-v1.0.xsd b/mdx/schema/sstc-saml-metadata-ui-v1.0.xsd
index 66a4a8ba..7b6e5325 100644
--- a/mdx/schema/sstc-saml-metadata-ui-v1.0.xsd
+++ b/mdx/schema/sstc-saml-metadata-ui-v1.0.xsd
@@ -8,7 +8,7 @@
   Source: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/cs01/xsd/
 -->
 
-<schema 
+<schema
   targetNamespace="urn:oasis:names:tc:SAML:metadata:ui"
   xmlns="http://www.w3.org/2001/XMLSchema"
   xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
@@ -62,7 +62,7 @@
       </extension>
     </simpleContent>
   </complexType>
-  
+
   <simpleType name="listOfStrings">
     <list itemType="string"/>
   </simpleType>
@@ -89,7 +89,7 @@
   </complexType>
 
   <element name="IPHint" type="string"/>
-  <element name="DomainHint" type="string"/>	
+  <element name="DomainHint" type="string"/>
   <element name="GeolocationHint" type="anyURI"/>
 
 </schema>
diff --git a/mdx/schema/uk-fed-label.xsd b/mdx/schema/uk-fed-label.xsd
index 8c1656ae..fdf261d3 100644
--- a/mdx/schema/uk-fed-label.xsd
+++ b/mdx/schema/uk-fed-label.xsd
@@ -4,17 +4,17 @@
     targetNamespace="http://ukfederation.org.uk/2006/11/label"
     version="2016-09-15"
     elementFormDefault="qualified">
-    
+
     <annotation>
         <documentation>
             This schema describes the UK federation label namespace.
-            
+
             For additional information, see the Federation Technical Specification.
-            
+
             This version of the schema follows FTS edition 1.1 of 1-June-2007.
         </documentation>
     </annotation>
-    
+
     <complexType name="basicLabel">
         <annotation>
             <documentation>
@@ -28,7 +28,7 @@
             neither text nor nested elements.
         -->
     </complexType>
-    
+
     <complexType name="datedLabel">
         <annotation>
             <documentation>
@@ -84,7 +84,7 @@
             </complexContent>
         </complexType>
     </element>
-    
+
     <element name="AccountableUsers" type="ukfedlabel:basicLabel">
         <annotation>
             <documentation>
@@ -95,7 +95,7 @@
             </documentation>
         </annotation>
     </element>
-    
+
     <element name="Software">
         <annotation>
             <documentation>
@@ -104,7 +104,7 @@
                 version of software used.  This information is added to
                 an entity only if it has been received from the deployer
                 of the entity on the indicated date.
-                
+
                 This information is used in entity fragment files only,
                 and is not included in the metadata published by the
                 UK federation.  Its principal use is in classifying
@@ -124,7 +124,7 @@
                             </documentation>
                         </annotation>
                     </attribute>
-                    
+
                     <attribute name="version" use="optional" type="token">
                         <annotation>
                             <documentation>
@@ -135,7 +135,7 @@
                             </documentation>
                         </annotation>
                     </attribute>
-                    
+
                     <attribute name="fullVersion" use="optional" type="token">
                         <annotation>
                             <documentation>
@@ -147,7 +147,7 @@
             </complexContent>
         </complexType>
     </element>
-    
+
     <element name="ExportOptIn" type="ukfedlabel:datedLabel">
         <annotation>
             <documentation>
@@ -156,7 +156,7 @@
             </documentation>
         </annotation>
     </element>
-    
+
     <element name="ExportOptOut" type="ukfedlabel:datedLabel">
         <annotation>
             <documentation>
@@ -165,5 +165,5 @@
             </documentation>
         </annotation>
     </element>
-    
-</schema>
\ No newline at end of file
+
+</schema>
diff --git a/mdx/schema/uk-wayf.xsd b/mdx/schema/uk-wayf.xsd
deleted file mode 100644
index 1139a62c..00000000
--- a/mdx/schema/uk-wayf.xsd
+++ /dev/null
@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<schema xmlns="http://www.w3.org/2001/XMLSchema"
-    xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-    targetNamespace="http://sdss.ac.uk/2006/06/WAYF"
-    version="2015-04-16"
-    elementFormDefault="qualified">
-    
-    <annotation>
-        <documentation>
-            This schema describes the WAYF namespace, used internally by the
-            UK federation for the "HideFromWAYF" label.
-            
-            For additional information, see the Federation Technical Specification.
-        </documentation>
-    </annotation>
-    
-    <complexType name="basicLabel">
-        <annotation>
-            <documentation>
-                Basic labels are empty elements whose presence or absence
-                is all that is important.
-            </documentation>
-        </annotation>
-        <!--
-            No content elements are defined, so a basicLabel may contain
-            neither text nor nested elements.
-        -->
-    </complexType>
-    
-    <element name="HideFromWAYF" type="wayf:basicLabel">
-        <annotation>
-            <documentation>
-                Indicates an entity which should be hidden from the
-                Central Discovery Service.
-            </documentation>
-        </annotation>
-    </element>
-
-</schema>
diff --git a/mdx/schema/ws-addr.xsd b/mdx/schema/ws-addr.xsd
index 47362edb..f6fc9c53 100644
--- a/mdx/schema/ws-addr.xsd
+++ b/mdx/schema/ws-addr.xsd
@@ -16,122 +16,122 @@
    $Id: ws-addr.xsd,v 1.2 2008/07/23 13:38:16 plehegar Exp $
 -->
 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://www.w3.org/2005/08/addressing" targetNamespace="http://www.w3.org/2005/08/addressing" blockDefault="#all" elementFormDefault="qualified" finalDefault="" attributeFormDefault="unqualified">
-	
-	<!-- Constructs from the WS-Addressing Core -->
-
-	<xs:element name="EndpointReference" type="tns:EndpointReferenceType"/>
-	<xs:complexType name="EndpointReferenceType" mixed="false">
-		<xs:sequence>
-			<xs:element name="Address" type="tns:AttributedURIType"/>
-			<xs:element ref="tns:ReferenceParameters" minOccurs="0"/>
-			<xs:element ref="tns:Metadata" minOccurs="0"/>
-			<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-		</xs:sequence>
-		<xs:anyAttribute namespace="##other" processContents="lax"/>
-	</xs:complexType>
-	
-	<xs:element name="ReferenceParameters" type="tns:ReferenceParametersType"/>
-	<xs:complexType name="ReferenceParametersType" mixed="false">
-		<xs:sequence>
-			<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-		</xs:sequence>
-		<xs:anyAttribute namespace="##other" processContents="lax"/>
-	</xs:complexType>
-	
-	<xs:element name="Metadata" type="tns:MetadataType"/>
-	<xs:complexType name="MetadataType" mixed="false">
-		<xs:sequence>
-			<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-		</xs:sequence>
-		<xs:anyAttribute namespace="##other" processContents="lax"/>
-	</xs:complexType>
-	
-	<xs:element name="MessageID" type="tns:AttributedURIType"/>
-	<xs:element name="RelatesTo" type="tns:RelatesToType"/>
-	<xs:complexType name="RelatesToType" mixed="false">
-		<xs:simpleContent>
-			<xs:extension base="xs:anyURI">
-				<xs:attribute name="RelationshipType" type="tns:RelationshipTypeOpenEnum" use="optional" default="http://www.w3.org/2005/08/addressing/reply"/>
-				<xs:anyAttribute namespace="##other" processContents="lax"/>
-			</xs:extension>
-		</xs:simpleContent>
-	</xs:complexType>
-	
-	<xs:simpleType name="RelationshipTypeOpenEnum">
-		<xs:union memberTypes="tns:RelationshipType xs:anyURI"/>
-	</xs:simpleType>
-	
-	<xs:simpleType name="RelationshipType">
-		<xs:restriction base="xs:anyURI">
-			<xs:enumeration value="http://www.w3.org/2005/08/addressing/reply"/>
-		</xs:restriction>
-	</xs:simpleType>
-	
-	<xs:element name="ReplyTo" type="tns:EndpointReferenceType"/>
-	<xs:element name="From" type="tns:EndpointReferenceType"/>
-	<xs:element name="FaultTo" type="tns:EndpointReferenceType"/>
-	<xs:element name="To" type="tns:AttributedURIType"/>
-	<xs:element name="Action" type="tns:AttributedURIType"/>
-
-	<xs:complexType name="AttributedURIType" mixed="false">
-		<xs:simpleContent>
-			<xs:extension base="xs:anyURI">
-				<xs:anyAttribute namespace="##other" processContents="lax"/>
-			</xs:extension>
-		</xs:simpleContent>
-	</xs:complexType>
-	
-	<!-- Constructs from the WS-Addressing SOAP binding -->
-
-	<xs:attribute name="IsReferenceParameter" type="xs:boolean"/>
-	
-	<xs:simpleType name="FaultCodesOpenEnumType">
-		<xs:union memberTypes="tns:FaultCodesType xs:QName"/>
-	</xs:simpleType>
-	
-	<xs:simpleType name="FaultCodesType">
-		<xs:restriction base="xs:QName">
-			<xs:enumeration value="tns:InvalidAddressingHeader"/>
-			<xs:enumeration value="tns:InvalidAddress"/>
-			<xs:enumeration value="tns:InvalidEPR"/>
-			<xs:enumeration value="tns:InvalidCardinality"/>
-			<xs:enumeration value="tns:MissingAddressInEPR"/>
-			<xs:enumeration value="tns:DuplicateMessageID"/>
-			<xs:enumeration value="tns:ActionMismatch"/>
-			<xs:enumeration value="tns:MessageAddressingHeaderRequired"/>
-			<xs:enumeration value="tns:DestinationUnreachable"/>
-			<xs:enumeration value="tns:ActionNotSupported"/>
-			<xs:enumeration value="tns:EndpointUnavailable"/>
-		</xs:restriction>
-	</xs:simpleType>
-	
-	<xs:element name="RetryAfter" type="tns:AttributedUnsignedLongType"/>
-	<xs:complexType name="AttributedUnsignedLongType" mixed="false">
-		<xs:simpleContent>
-			<xs:extension base="xs:unsignedLong">
-				<xs:anyAttribute namespace="##other" processContents="lax"/>
-			</xs:extension>
-		</xs:simpleContent>
-	</xs:complexType>
-	
-	<xs:element name="ProblemHeaderQName" type="tns:AttributedQNameType"/>
-	<xs:complexType name="AttributedQNameType" mixed="false">
-		<xs:simpleContent>
-			<xs:extension base="xs:QName">
-				<xs:anyAttribute namespace="##other" processContents="lax"/>
-			</xs:extension>
-		</xs:simpleContent>
-	</xs:complexType>
-	
-	<xs:element name="ProblemIRI" type="tns:AttributedURIType"/>
-	
-	<xs:element name="ProblemAction" type="tns:ProblemActionType"/>
-	<xs:complexType name="ProblemActionType" mixed="false">
-		<xs:sequence>
-			<xs:element ref="tns:Action" minOccurs="0"/>
-			<xs:element name="SoapAction" minOccurs="0" type="xs:anyURI"/>
-		</xs:sequence>
-		<xs:anyAttribute namespace="##other" processContents="lax"/>
-	</xs:complexType>
-	
+
+    <!-- Constructs from the WS-Addressing Core -->
+
+    <xs:element name="EndpointReference" type="tns:EndpointReferenceType"/>
+    <xs:complexType name="EndpointReferenceType" mixed="false">
+        <xs:sequence>
+            <xs:element name="Address" type="tns:AttributedURIType"/>
+            <xs:element ref="tns:ReferenceParameters" minOccurs="0"/>
+            <xs:element ref="tns:Metadata" minOccurs="0"/>
+            <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </xs:sequence>
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+    </xs:complexType>
+
+    <xs:element name="ReferenceParameters" type="tns:ReferenceParametersType"/>
+    <xs:complexType name="ReferenceParametersType" mixed="false">
+        <xs:sequence>
+            <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </xs:sequence>
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+    </xs:complexType>
+
+    <xs:element name="Metadata" type="tns:MetadataType"/>
+    <xs:complexType name="MetadataType" mixed="false">
+        <xs:sequence>
+            <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </xs:sequence>
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+    </xs:complexType>
+
+    <xs:element name="MessageID" type="tns:AttributedURIType"/>
+    <xs:element name="RelatesTo" type="tns:RelatesToType"/>
+    <xs:complexType name="RelatesToType" mixed="false">
+        <xs:simpleContent>
+            <xs:extension base="xs:anyURI">
+                <xs:attribute name="RelationshipType" type="tns:RelationshipTypeOpenEnum" use="optional" default="http://www.w3.org/2005/08/addressing/reply"/>
+                <xs:anyAttribute namespace="##other" processContents="lax"/>
+            </xs:extension>
+        </xs:simpleContent>
+    </xs:complexType>
+
+    <xs:simpleType name="RelationshipTypeOpenEnum">
+        <xs:union memberTypes="tns:RelationshipType xs:anyURI"/>
+    </xs:simpleType>
+
+    <xs:simpleType name="RelationshipType">
+        <xs:restriction base="xs:anyURI">
+            <xs:enumeration value="http://www.w3.org/2005/08/addressing/reply"/>
+        </xs:restriction>
+    </xs:simpleType>
+
+    <xs:element name="ReplyTo" type="tns:EndpointReferenceType"/>
+    <xs:element name="From" type="tns:EndpointReferenceType"/>
+    <xs:element name="FaultTo" type="tns:EndpointReferenceType"/>
+    <xs:element name="To" type="tns:AttributedURIType"/>
+    <xs:element name="Action" type="tns:AttributedURIType"/>
+
+    <xs:complexType name="AttributedURIType" mixed="false">
+        <xs:simpleContent>
+            <xs:extension base="xs:anyURI">
+                <xs:anyAttribute namespace="##other" processContents="lax"/>
+            </xs:extension>
+        </xs:simpleContent>
+    </xs:complexType>
+
+    <!-- Constructs from the WS-Addressing SOAP binding -->
+
+    <xs:attribute name="IsReferenceParameter" type="xs:boolean"/>
+
+    <xs:simpleType name="FaultCodesOpenEnumType">
+        <xs:union memberTypes="tns:FaultCodesType xs:QName"/>
+    </xs:simpleType>
+
+    <xs:simpleType name="FaultCodesType">
+        <xs:restriction base="xs:QName">
+            <xs:enumeration value="tns:InvalidAddressingHeader"/>
+            <xs:enumeration value="tns:InvalidAddress"/>
+            <xs:enumeration value="tns:InvalidEPR"/>
+            <xs:enumeration value="tns:InvalidCardinality"/>
+            <xs:enumeration value="tns:MissingAddressInEPR"/>
+            <xs:enumeration value="tns:DuplicateMessageID"/>
+            <xs:enumeration value="tns:ActionMismatch"/>
+            <xs:enumeration value="tns:MessageAddressingHeaderRequired"/>
+            <xs:enumeration value="tns:DestinationUnreachable"/>
+            <xs:enumeration value="tns:ActionNotSupported"/>
+            <xs:enumeration value="tns:EndpointUnavailable"/>
+        </xs:restriction>
+    </xs:simpleType>
+
+    <xs:element name="RetryAfter" type="tns:AttributedUnsignedLongType"/>
+    <xs:complexType name="AttributedUnsignedLongType" mixed="false">
+        <xs:simpleContent>
+            <xs:extension base="xs:unsignedLong">
+                <xs:anyAttribute namespace="##other" processContents="lax"/>
+            </xs:extension>
+        </xs:simpleContent>
+    </xs:complexType>
+
+    <xs:element name="ProblemHeaderQName" type="tns:AttributedQNameType"/>
+    <xs:complexType name="AttributedQNameType" mixed="false">
+        <xs:simpleContent>
+            <xs:extension base="xs:QName">
+                <xs:anyAttribute namespace="##other" processContents="lax"/>
+            </xs:extension>
+        </xs:simpleContent>
+    </xs:complexType>
+
+    <xs:element name="ProblemIRI" type="tns:AttributedURIType"/>
+
+    <xs:element name="ProblemAction" type="tns:ProblemActionType"/>
+    <xs:complexType name="ProblemActionType" mixed="false">
+        <xs:sequence>
+            <xs:element ref="tns:Action" minOccurs="0"/>
+            <xs:element name="SoapAction" minOccurs="0" type="xs:anyURI"/>
+        </xs:sequence>
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+    </xs:complexType>
+
 </xs:schema>
diff --git a/mdx/schema/ws-authorization.xsd b/mdx/schema/ws-authorization.xsd
index 5b8ae986..51dc059e 100644
--- a/mdx/schema/ws-authorization.xsd
+++ b/mdx/schema/ws-authorization.xsd
@@ -1,34 +1,34 @@
 <?xml version="1.0" encoding="utf-8"?>
-<!-- 
-OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the 
-implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; 
-neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS 
-specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made 
-available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users 
+<!--
+OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the
+implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available;
+neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS
+specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made
+available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users
 of this specification, can be obtained from the OASIS Executive Director.
-OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may 
+OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may
 cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
 Copyright © OASIS Open 2002-2007. All Rights Reserved.
-This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist 
-in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the 
-above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified 
-in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, 
-in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate 
+This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist
+in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the
+above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified
+in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications,
+in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate
 it into languages other than English.
 The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
-This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, 
-INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
+This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   -->
 
 <xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'
-       xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'    
-		   xmlns:tns='http://docs.oasis-open.org/wsfed/authorization/200706'
-		   targetNamespace='http://docs.oasis-open.org/wsfed/authorization/200706'
-		   elementFormDefault='qualified' >
+       xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
+           xmlns:tns='http://docs.oasis-open.org/wsfed/authorization/200706'
+           targetNamespace='http://docs.oasis-open.org/wsfed/authorization/200706'
+           elementFormDefault='qualified' >
   <xs:import namespace='http://www.w3.org/2001/04/xmlenc#'
              schemaLocation='xenc-schema.xsd'/>
-  
+
   <!-- Section 9.2 -->
   <xs:element name='AdditionalContext' type='tns:AdditionalContextType' />
   <xs:complexType name='AdditionalContextType' >
@@ -45,8 +45,8 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
     </xs:choice>
     <xs:attribute name='Name' type='xs:anyURI' use='required' />
-	<xs:attribute name='Scope' type='xs:anyURI' use='optional' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />	
+    <xs:attribute name='Scope' type='xs:anyURI' use='optional' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 9.3 -->
@@ -57,16 +57,16 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       <xs:element name="Description" type="tns:DescriptionType" minOccurs="0" maxOccurs="1" />
       <xs:element name="DisplayValue" type="tns:DisplayValueType" minOccurs="0" maxOccurs="1" />
       <xs:choice minOccurs='0'>
-	      <xs:element name='Value' type='xs:string' minOccurs='1' maxOccurs='1' />
+          <xs:element name='Value' type='xs:string' minOccurs='1' maxOccurs='1' />
         <xs:element name='EncryptedValue' type='tns:EncryptedValueType' minOccurs='1' maxOccurs='1' />
         <xs:element name='StructuredValue' type='tns:StructuredValueType' minOccurs='1' maxOccurs='1' />
         <xs:element name='ConstrainedValue' type='tns:ConstrainedValueType' minOccurs='1' maxOccurs='1' />
- 	      <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
-	    </xs:choice>
+          <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
+        </xs:choice>
     </xs:sequence>
-	<xs:attribute name='Uri' type='xs:anyURI' use='required' />
-	<xs:attribute name='Optional' type='xs:boolean' use='optional' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />	
+    <xs:attribute name='Uri' type='xs:anyURI' use='required' />
+    <xs:attribute name='Optional' type='xs:boolean' use='optional' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name="DisplayNameType">
@@ -127,7 +127,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       <xs:element name='ValueLowerBound' type='tns:ConstrainedSingleValueType' minOccurs='1' maxOccurs='1'/>
     </xs:sequence>
   </xs:complexType>
-  
+
   <xs:complexType name='ConstrainedSingleValueType'>
     <xs:choice minOccurs='0'>
       <xs:element name='Value' type='xs:string' minOccurs='1' maxOccurs='1' />
@@ -142,4 +142,4 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
     </xs:choice>
   </xs:complexType>
 
-</xs:schema>
\ No newline at end of file
+</xs:schema>
diff --git a/mdx/schema/ws-federation.xsd b/mdx/schema/ws-federation.xsd
index f87059db..d7b3dcf5 100644
--- a/mdx/schema/ws-federation.xsd
+++ b/mdx/schema/ws-federation.xsd
@@ -1,49 +1,49 @@
 <?xml version="1.0" encoding="UTF-8" ?>
-<!-- 
-OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the 
-implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; 
-neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS 
-specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made 
-available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users 
+<!--
+OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the
+implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available;
+neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS
+specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made
+available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users
 of this specification, can be obtained from the OASIS Executive Director.
-OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may 
+OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may
 cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
 Copyright © OASIS Open 2002-2007. All Rights Reserved.
-This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist 
-in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the 
-above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified 
-in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, 
-in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate 
+This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist
+in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the
+above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified
+in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications,
+in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate
 it into languages other than English.
 The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
-This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, 
-INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
+This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   -->
 <xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'
-		   xmlns:sp='http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
-		   xmlns:tns='http://docs.oasis-open.org/wsfed/federation/200706'
-		   xmlns:wsa='http://www.w3.org/2005/08/addressing'
+           xmlns:sp='http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
+           xmlns:tns='http://docs.oasis-open.org/wsfed/federation/200706'
+           xmlns:wsa='http://www.w3.org/2005/08/addressing'
        xmlns:mex='http://schemas.xmlsoap.org/ws/2004/09/mex'
        xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
-		   xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
+           xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
        xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata'
        xmlns:auth='http://docs.oasis-open.org/wsfed/authorization/200706'
-		   targetNamespace='http://docs.oasis-open.org/wsfed/federation/200706'
-		   elementFormDefault='qualified' >
+           targetNamespace='http://docs.oasis-open.org/wsfed/federation/200706'
+           elementFormDefault='qualified' >
 
   <xs:import namespace='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
-			 schemaLocation='oasis-200401-wss-wssecurity-secext-1.0.xsd' />
+             schemaLocation='oasis-200401-wss-wssecurity-secext-1.0.xsd' />
   <xs:import namespace='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
-			 schemaLocation='oasis-200401-wss-wssecurity-utility-1.0.xsd' />
+             schemaLocation='oasis-200401-wss-wssecurity-utility-1.0.xsd' />
   <xs:import namespace='http://www.w3.org/2005/08/addressing'
-			 schemaLocation='ws-addr.xsd' />
+             schemaLocation='ws-addr.xsd' />
   <xs:import namespace='http://schemas.xmlsoap.org/ws/2004/09/mex'
-			 schemaLocation='MetadataExchange.xsd' />
+             schemaLocation='MetadataExchange.xsd' />
   <xs:import namespace='urn:oasis:names:tc:SAML:2.0:metadata'
-			 schemaLocation='saml-schema-metadata-2.0.xsd' />
+             schemaLocation='saml-schema-metadata-2.0.xsd' />
   <xs:import namespace='http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
-			 schemaLocation='ws-securitypolicy-1.2.xsd'/>
+             schemaLocation='ws-securitypolicy-1.2.xsd'/>
   <xs:import namespace='http://docs.oasis-open.org/wsfed/authorization/200706'
              schemaLocation='ws-authorization.xsd'/>
 
@@ -53,22 +53,22 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 
   <xs:complexType name='FederationMetadataType' >
     <xs:sequence>
-	  <!--
-		  *** Accurate content model is nondeterministic ***
-		  <xs:element name='Federation' type='tns:FederationType' minOccurs='1' maxOccurs='unbounded' />
-		  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	  -->
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+      <!--
+          *** Accurate content model is nondeterministic ***
+          <xs:element name='Federation' type='tns:FederationType' minOccurs='1' maxOccurs='unbounded' />
+          <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+      -->
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='FederationType' >
-	<xs:sequence>
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:attribute name='FederationID' type='xs:anyURI' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:attribute name='FederationID' type='xs:anyURI' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 3.1.2.1 -->
@@ -170,17 +170,17 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!--<xs:element name='LogicalServiceNamesOffered' type='tns:LogicalServiceNamesOfferedType' />-->
 
   <xs:complexType name='LogicalServiceNamesOfferedType' >
-	<xs:sequence>
-	  <xs:element name='IssuerName' type='tns:IssuerNameType' minOccurs='1' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:element name='IssuerName' type='tns:IssuerNameType' minOccurs='1' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='IssuerNameType' >
-	<xs:attribute name='Uri' type='xs:anyURI' use='required' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />
-  </xs:complexType>  
-  
+    <xs:attribute name='Uri' type='xs:anyURI' use='required' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
+  </xs:complexType>
+
   <!-- Section 3.1.4 -->
   <xs:element name='PsuedonymServiceEndpoints' type='tns:EndpointType' />
   <xs:complexType name='EndpointType' >
@@ -188,7 +188,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       <xs:element ref='wsa:EndpointReference' minOccurs='1' maxOccurs='unbounded'/>
     </xs:sequence>
   </xs:complexType>
-  
+
   <!-- Section 3.1.5 -->
   <xs:element name='AttributeServiceEndpoints' type='tns:EndpointType' />
 
@@ -202,31 +202,31 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- Defined above -->
   <!--<xs:element name='TokenTypesOffered' type='tns:TokenTypesOfferedType' />-->
   <xs:complexType name='TokenTypesOfferedType' >
-	<xs:sequence>
-	  <xs:element name='TokenType' type='tns:TokenType' minOccurs='1' maxOccurs='unbounded' />
-	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:element name='TokenType' type='tns:TokenType' minOccurs='1' maxOccurs='unbounded' />
+      <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='TokenType' >
-	<xs:sequence>
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:attribute name='Uri' type='xs:anyURI' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:attribute name='Uri' type='xs:anyURI' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 3.1.9 -->
   <!-- Defined above -->
   <!-- <xs:element name='ClaimTypesOffered' type='tns:ClaimTypesOfferedType' /> -->
   <xs:complexType name='ClaimTypesOfferedType'>
-	<xs:sequence>
-	  <xs:element ref='auth:ClaimType' minOccurs='1' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:element ref='auth:ClaimType' minOccurs='1' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
-  
+
   <!-- Section 3.1.10 -->
   <!-- Defined above -->
   <!-- <xs:element name='ClaimTypesRequested' ype='tns:ClaimTypesRequestedType' /> -->
@@ -236,7 +236,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
     </xs:sequence>
     <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
-  
+
   <!-- Section 3.1.11 -->
   <!-- Defined above -->
   <!--<xs:element name='ClaimDialectsOffered' type='tns:ClaimDialectsOfferedType' />-->
@@ -254,41 +254,41 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
     <xs:attribute name='Uri' type='xs:anyURI' />
     <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
-  
+
   <!-- Section 3.1.12 -->
   <!-- Defined above -->
   <!-- <xs:element name='AutomaticPseudonyms' type='xs:boolean' /> -->
 
   <!-- Section 3.1.13 -->
   <xs:element name='PassiveRequestorEnpoints' type='tns:EndpointType'/>
-  
+
   <!-- Section 3.1.14 -->
   <!-- Defined above -->
   <!--<xs:element name='TargetScopes' type='tns:EndpointType'/>-->
-  
+
   <!-- Section 3.2.4 -->
   <xs:element name='FederationMetadataHandler' type='tns:FederationMetadataHandlerType' />
   <xs:complexType name='FederationMetadataHandlerType' >
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 4.1 -->
   <xs:element name='SignOut' type='tns:SignOutType' />
   <xs:complexType name='SignOutType' >
-	<xs:sequence>
-	  <xs:element ref='tns:Realm' minOccurs='0' />
-	  <xs:element name='SignOutBasis' type='tns:SignOutBasisType' minOccurs='1' maxOccurs='1' />
-	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:attribute ref='wsu:Id' use='optional' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:element ref='tns:Realm' minOccurs='0' />
+      <xs:element name='SignOutBasis' type='tns:SignOutBasisType' minOccurs='1' maxOccurs='1' />
+      <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:attribute ref='wsu:Id' use='optional' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='SignOutBasisType' >
-	<xs:sequence>
-	  <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />	
+    <xs:sequence>
+      <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 4.2 -->
@@ -297,98 +297,98 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- Section 6.1 -->
   <xs:element name='FilterPseudonyms' type='tns:FilterPseudonymsType' />
   <xs:complexType name='FilterPseudonymsType' >
-	<xs:sequence>
-	  <xs:element ref='tns:PseudonymBasis' minOccurs='0' maxOccurs='1' />
-	  <xs:element ref='tns:RelativeTo' minOccurs='0' maxOccurs='1' />
-	  <xs:any namespace='##other' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />	
+    <xs:sequence>
+      <xs:element ref='tns:PseudonymBasis' minOccurs='0' maxOccurs='1' />
+      <xs:element ref='tns:RelativeTo' minOccurs='0' maxOccurs='1' />
+      <xs:any namespace='##other' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:element name='PseudonymBasis' type='tns:PseudonymBasisType' />
   <xs:complexType name='PseudonymBasisType' >
- 	<xs:sequence>
-	  <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:element name='RelativeTo' type='tns:RelativeToType' />
   <xs:complexType name='RelativeToType' >
-	<xs:sequence>
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 6.2  -->
   <xs:element name='Pseudonym' type='tns:PseudonymType' />
 
   <xs:complexType name='PseudonymType' >
-	<xs:sequence>
-	  <!--
-		  *** Accurate content model is nondeterministic ***
-		  <xs:element ref='tns:PseudonymBasis' minOccurs='1' maxOccurs='1' /> 
-		  <xs:element ref='tns:RelativeTo' minOccurs='1' maxOccurs='1' />
-		  <xs:element ref='wsu:Expires' minOccurs='0' maxOccurs='1' />
-		  <xs:element ref='tns:SecurityToken' minOccurs='0' maxOccurs='unbounded' />
-		  <xs:element ref='tns:ProofToken' minOccurs='0' maxOccurs='unbounded' />
-		  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />	  
-	  -->
-
-	  <xs:element ref='tns:PseudonymBasis' minOccurs='1' maxOccurs='1' /> 
-	  <xs:element ref='tns:RelativeTo' minOccurs='1' maxOccurs='1' />
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />	  
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />	
+    <xs:sequence>
+      <!--
+          *** Accurate content model is nondeterministic ***
+          <xs:element ref='tns:PseudonymBasis' minOccurs='1' maxOccurs='1' />
+          <xs:element ref='tns:RelativeTo' minOccurs='1' maxOccurs='1' />
+          <xs:element ref='wsu:Expires' minOccurs='0' maxOccurs='1' />
+          <xs:element ref='tns:SecurityToken' minOccurs='0' maxOccurs='unbounded' />
+          <xs:element ref='tns:ProofToken' minOccurs='0' maxOccurs='unbounded' />
+          <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+      -->
+
+      <xs:element ref='tns:PseudonymBasis' minOccurs='1' maxOccurs='1' />
+      <xs:element ref='tns:RelativeTo' minOccurs='1' maxOccurs='1' />
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:element name='SecurityToken' type='tns:SecurityTokenType' />
   <xs:complexType name='SecurityTokenType' >
- 	<xs:sequence>
-	  <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:element name='ProofToken' type='tns:ProofTokenType' />
   <xs:complexType name='ProofTokenType' >
- 	<xs:sequence>
-	  <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 7.1 -->
   <xs:element name='RequestPseudonym' type='tns:RequestPseudonymType' />
   <xs:complexType name='RequestPseudonymType' >
-	<xs:sequence>
-	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />	  
-	</xs:sequence>
-	<xs:attribute name='SingleUse' type='xs:boolean' use='optional' />
-	<xs:attribute name='Lookup' type='xs:boolean' use='optional' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />  
+    <xs:sequence>
+      <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:attribute name='SingleUse' type='xs:boolean' use='optional' />
+    <xs:attribute name='Lookup' type='xs:boolean' use='optional' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 8.1 -->
   <xs:element name='ReferenceToken' type='tns:ReferenceTokenType' />
   <xs:complexType name='ReferenceTokenType'>
-	<xs:sequence>
-	  <xs:element name='ReferenceEPR' type='wsa:EndpointReferenceType' minOccurs='1' maxOccurs='unbounded' />
-	  <xs:element name='ReferenceDigest' type='tns:ReferenceDigestType' minOccurs='0' maxOccurs='1' />
-	  <xs:element name='ReferenceType' type='tns:AttributeExtensibleURI' minOccurs='0' maxOccurs='1' />
-	  <xs:element name='SerialNo' type='tns:AttributeExtensibleURI' minOccurs='0' maxOccurs='1' />
-	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />	  	  
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />  
+    <xs:sequence>
+      <xs:element name='ReferenceEPR' type='wsa:EndpointReferenceType' minOccurs='1' maxOccurs='unbounded' />
+      <xs:element name='ReferenceDigest' type='tns:ReferenceDigestType' minOccurs='0' maxOccurs='1' />
+      <xs:element name='ReferenceType' type='tns:AttributeExtensibleURI' minOccurs='0' maxOccurs='1' />
+      <xs:element name='SerialNo' type='tns:AttributeExtensibleURI' minOccurs='0' maxOccurs='1' />
+      <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='ReferenceDigestType' >
-	<xs:simpleContent>
-	  <xs:extension base='xs:base64Binary' >
-		<xs:anyAttribute namespace='##other' processContents='lax' />  
-	  </xs:extension>
-	</xs:simpleContent>
+    <xs:simpleContent>
+      <xs:extension base='xs:base64Binary' >
+        <xs:anyAttribute namespace='##other' processContents='lax' />
+      </xs:extension>
+    </xs:simpleContent>
   </xs:complexType>
   <xs:complexType name='AttributeExtensibleURI' >
     <xs:simpleContent>
@@ -397,48 +397,48 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       </xs:extension>
     </xs:simpleContent>
   </xs:complexType>
-  
+
   <!-- Section 8.2 -->
   <xs:element name='FederationID' type='tns:AttributeExtensibleURI' />
 
   <!-- Section 8.3 -->
   <xs:element name='RequestProofToken' type='tns:RequestProofTokenType' />
   <xs:complexType name='RequestProofTokenType' >
-	<xs:sequence>
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 8.4 -->
   <xs:element name='ClientPseudonym' type='tns:ClientPseudonymType' />
   <xs:complexType name='ClientPseudonymType' >
-	<xs:sequence>
-	  <xs:element name='PPID' type='tns:AttributeExtensibleString' minOccurs='0' />
-	  <xs:element name='DisplayName' type='tns:AttributeExtensibleString' minOccurs='0' />
-	  <xs:element name='EMail' type='tns:AttributeExtensibleString' minOccurs='0' />
-	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />	  	  
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />	
+    <xs:sequence>
+      <xs:element name='PPID' type='tns:AttributeExtensibleString' minOccurs='0' />
+      <xs:element name='DisplayName' type='tns:AttributeExtensibleString' minOccurs='0' />
+      <xs:element name='EMail' type='tns:AttributeExtensibleString' minOccurs='0' />
+      <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='AttributeExtensibleString' >
-	<xs:simpleContent>
-	  <xs:extension base='xs:string' >
-		<xs:anyAttribute namespace='##other' processContents='lax' />
-	  </xs:extension>
-	</xs:simpleContent>
+    <xs:simpleContent>
+      <xs:extension base='xs:string' >
+        <xs:anyAttribute namespace='##other' processContents='lax' />
+      </xs:extension>
+    </xs:simpleContent>
   </xs:complexType>
 
   <!-- Section 8.5 -->
   <xs:element name='Freshness' type='tns:Freshness' />
   <xs:complexType name='Freshness'>
-	<xs:simpleContent>
-	  <xs:extension base='xs:unsignedInt' >
-		<xs:attribute name='AllowCache' type='xs:boolean' use='optional' />
-		<xs:anyAttribute namespace='##other' processContents='lax' />		
-	  </xs:extension>
-	</xs:simpleContent>
+    <xs:simpleContent>
+      <xs:extension base='xs:unsignedInt' >
+        <xs:attribute name='AllowCache' type='xs:boolean' use='optional' />
+        <xs:anyAttribute namespace='##other' processContents='lax' />
+      </xs:extension>
+    </xs:simpleContent>
   </xs:complexType>
 
   <!-- Section 14.1 -->
@@ -446,10 +446,10 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <xs:element name='ReferenceToken11' type='tns:AssertionType' />
 
   <xs:complexType name='AssertionType' >
-	<xs:sequence>
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 14.2 -->
@@ -459,7 +459,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <xs:element name='RequireSignedTokens' type='tns:AssertionType' />
   <xs:element name='RequireBearerTokens' type='tns:AssertionType' />
   <xs:element name='RequireSharedCookies' type='tns:AssertionType' />
-  
+
 
   <!-- Section 14.3 -->
   <xs:element name='RequiresGenericClaimDialect' type='tns:AssertionType' />
diff --git a/mdx/schema/ws-securitypolicy-1.2.xsd b/mdx/schema/ws-securitypolicy-1.2.xsd
index 0e562726..bda124b8 100644
--- a/mdx/schema/ws-securitypolicy-1.2.xsd
+++ b/mdx/schema/ws-securitypolicy-1.2.xsd
@@ -1,39 +1,39 @@
 <?xml version="1.0" encoding="utf-8"?>
-<!-- 
-OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the 
-implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; 
-neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS 
-specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made 
-available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users 
+<!--
+OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the
+implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available;
+neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS
+specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made
+available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users
 of this specification, can be obtained from the OASIS Executive Director.
-OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may 
+OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may
 cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
 Copyright © OASIS Open 2002-2007. All Rights Reserved.
-This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist 
-in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the 
-above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified 
-in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, 
-in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate 
+This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist
+in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the
+above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified
+in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications,
+in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate
 it into languages other than English.
 The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
-This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, 
-INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
+This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 -->
 <xs:schema
-	targetNamespace='http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
+    targetNamespace='http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
   xmlns:tns='http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
-	xmlns:wsa="http://www.w3.org/2005/08/addressing"
+    xmlns:wsa="http://www.w3.org/2005/08/addressing"
   xmlns:xs="http://www.w3.org/2001/XMLSchema"
-	elementFormDefault="qualified"
-	blockDefault="#all" >
+    elementFormDefault="qualified"
+    blockDefault="#all" >
 
-  <xs:import namespace="http://www.w3.org/2005/08/addressing" 
-		schemaLocation="ws-addr.xsd" />
+  <xs:import namespace="http://www.w3.org/2005/08/addressing"
+        schemaLocation="ws-addr.xsd" />
 
   <!--
-	4. Protection Assertions
-	-->
+    4. Protection Assertions
+    -->
   <xs:element name="SignedParts" type="tns:SePartsType">
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -95,8 +95,8 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   </xs:complexType>
 
   <!--
-	5. Token Assertions
-	-->
+    5. Token Assertions
+    -->
   <xs:attribute name="IncludeToken" type="tns:IncludeTokenOpenType" >
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -131,9 +131,9 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
         <xs:element name="IssuerName" type="xs:anyURI" />
       </xs:choice>
       <!--
-			Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
-			<xs:element ref="wsp:Policy" minOccurs="0" />
-			-->
+            Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
+            <xs:element ref="wsp:Policy" minOccurs="0" />
+            -->
       <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
     </xs:sequence>
     <xs:attribute ref="tns:IncludeToken" use="optional" />
@@ -191,9 +191,9 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       </xs:choice>
       <xs:element name="RequestSecurityTokenTemplate" type="tns:RequestSecurityTokenTemplateType" />
       <!--
-			Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
-			<xs:element ref="wsp:Policy" minOccurs="0" />
-			-->
+            Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
+            <xs:element ref="wsp:Policy" minOccurs="0" />
+            -->
       <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax" />
     </xs:sequence>
     <xs:attribute ref="tns:IncludeToken" use="optional" />
@@ -253,7 +253,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- RequireDerivedKeys defined above. -->
   <!-- RequireImpliedDerivedKeys defined above. -->
   <!-- RequireExplicitDerivedKeys defined above. -->
-  
+
   <xs:element name="RequireKeyIdentifierReference" type="tns:QNameAssertionType" >
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -373,9 +373,9 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
         <xs:element name="IssuerName" type="xs:anyURI" />
       </xs:choice>
       <!--
-			Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
-			<xs:element ref="wsp:Policy" minOccurs="0" />
-			-->
+            Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
+            <xs:element ref="wsp:Policy" minOccurs="0" />
+            -->
       <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax" />
     </xs:sequence>
     <xs:attribute ref="tns:IncludeToken" use="optional" />
@@ -446,9 +446,9 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
         <xs:element name="IssuerName" type="xs:anyURI" />
       </xs:choice>
       <!--
-			Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
-			<xs:element ref="wsp:Policy" minOccurs="0" />
-			-->
+            Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
+            <xs:element ref="wsp:Policy" minOccurs="0" />
+            -->
       <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax" />
     </xs:sequence>
     <xs:attribute ref="tns:IncludeToken" use="optional" />
@@ -574,7 +574,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       </xs:documentation>
     </xs:annotation>
   </xs:element>
-  
+
   <xs:element name="KeyValueToken" type="tns:KeyValueTokenType">
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -585,9 +585,9 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <xs:complexType name="KeyValueTokenType">
     <xs:sequence>
       <!--
-			Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
-			<xs:element ref="wsp:Policy" minOccurs="0" />
-			-->
+            Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
+            <xs:element ref="wsp:Policy" minOccurs="0" />
+            -->
       <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax" />
     </xs:sequence>
     <xs:attribute ref="tns:IncludeToken" use="optional" />
@@ -600,10 +600,10 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       </xs:documentation>
     </xs:annotation>
   </xs:element>
-  
+
   <!--
-	7. Security Binding Assertions
-	-->
+    7. Security Binding Assertions
+    -->
   <xs:element name="AlgorithmSuite" type="tns:NestedPolicyType" >
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -961,8 +961,8 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- OnlySignEntireHeadersAndBody defined above. -->
 
   <!--
-	8. Supporting Tokens
-	-->
+    8. Supporting Tokens
+    -->
   <xs:element name="SupportingTokens" type="tns:NestedPolicyType">
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -1040,7 +1040,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- SignedElements defined above. -->
   <!-- EncryptedParts defined above. -->
   <!-- EncryptedElements defined above. -->
-  
+
   <xs:element name="EndorsingEncryptedSupportingTokens" type="tns:NestedPolicyType">
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -1066,10 +1066,10 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- SignedElements defined above. -->
   <!-- EncryptedParts defined above. -->
   <!-- EncryptedElements defined above. -->
-  
+
   <!--
-	9. WSS: SOAP Message Security Options
-	-->
+    9. WSS: SOAP Message Security Options
+    -->
   <xs:element name="Wss10" type="tns:NestedPolicyType">
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -1142,8 +1142,8 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   </xs:element>
 
   <!--
-	10. WS-Trust Options
-	-->
+    10. WS-Trust Options
+    -->
   <xs:element name="Trust13" type="tns:NestedPolicyType">
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -1201,5 +1201,5 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       </xs:documentation>
     </xs:annotation>
   </xs:element>
-  
-</xs:schema>
\ No newline at end of file
+
+</xs:schema>
diff --git a/mdx/schema/xenc-schema-11.xsd b/mdx/schema/xenc-schema-11.xsd
index 1abb6437..9535d2f7 100644
--- a/mdx/schema/xenc-schema-11.xsd
+++ b/mdx/schema/xenc-schema-11.xsd
@@ -2,14 +2,14 @@
 
 <!--
 #
-# Copyright ©[2011] World Wide Web Consortium 
-# (Massachusetts Institute of Technology,  
-#  European Research Consortium for Informatics and Mathematics, 
-#  Keio University). All Rights Reserved.  
+# Copyright ©[2011] World Wide Web Consortium
+# (Massachusetts Institute of Technology,
+#  European Research Consortium for Informatics and Mathematics,
+#  Keio University). All Rights Reserved.
 # This work is distributed under the W3C® Software License [1] in the
 # hope that it will be useful, but WITHOUT ANY WARRANTY; without even
 # the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-# PURPOSE. 
+# PURPOSE.
 # [1] http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231
 #
 -->
@@ -21,77 +21,77 @@
         targetNamespace='http://www.w3.org/2009/xmlenc11#'
         elementFormDefault='qualified'>
 
-	<import namespace='http://www.w3.org/2000/09/xmldsig#'
-			schemaLocation='xmldsig-core-schema.xsd'/>
+    <import namespace='http://www.w3.org/2000/09/xmldsig#'
+            schemaLocation='xmldsig-core-schema.xsd'/>
 
-	<import namespace='http://www.w3.org/2001/04/xmlenc#'
-			schemaLocation='xenc-schema.xsd'/>
+    <import namespace='http://www.w3.org/2001/04/xmlenc#'
+            schemaLocation='xenc-schema.xsd'/>
 
-	<element name="ConcatKDFParams" type="xenc11:ConcatKDFParamsType"/>
-	<complexType name="ConcatKDFParamsType">
-		<sequence>
-			<element ref="ds:DigestMethod"/>
-		</sequence>
-		<attribute name="AlgorithmID" type="hexBinary"/>
-		<attribute name="PartyUInfo" type="hexBinary"/>
-		<attribute name="PartyVInfo" type="hexBinary"/>
-		<attribute name="SuppPubInfo" type="hexBinary"/>
-		<attribute name="SuppPrivInfo" type="hexBinary"/>
-	</complexType>
+    <element name="ConcatKDFParams" type="xenc11:ConcatKDFParamsType"/>
+    <complexType name="ConcatKDFParamsType">
+        <sequence>
+            <element ref="ds:DigestMethod"/>
+        </sequence>
+        <attribute name="AlgorithmID" type="hexBinary"/>
+        <attribute name="PartyUInfo" type="hexBinary"/>
+        <attribute name="PartyVInfo" type="hexBinary"/>
+        <attribute name="SuppPubInfo" type="hexBinary"/>
+        <attribute name="SuppPrivInfo" type="hexBinary"/>
+    </complexType>
 
-	<element name="DerivedKey" type="xenc11:DerivedKeyType"/>
-	<complexType name="DerivedKeyType">
-		<sequence>
-			<element ref="xenc11:KeyDerivationMethod" minOccurs="0"/>
-			<element ref="xenc:ReferenceList" minOccurs="0"/>
-			<element name="DerivedKeyName" type="string" minOccurs="0"/>
-			<element name="MasterKeyName" type="string" minOccurs="0"/>
-		</sequence>
-		<attribute name="Recipient" type="string" use="optional"/>
-		<attribute name="Id" type="ID" use="optional"/>
-		<attribute name="Type" type="anyURI" use="optional"/>
-	</complexType>
+    <element name="DerivedKey" type="xenc11:DerivedKeyType"/>
+    <complexType name="DerivedKeyType">
+        <sequence>
+            <element ref="xenc11:KeyDerivationMethod" minOccurs="0"/>
+            <element ref="xenc:ReferenceList" minOccurs="0"/>
+            <element name="DerivedKeyName" type="string" minOccurs="0"/>
+            <element name="MasterKeyName" type="string" minOccurs="0"/>
+        </sequence>
+        <attribute name="Recipient" type="string" use="optional"/>
+        <attribute name="Id" type="ID" use="optional"/>
+        <attribute name="Type" type="anyURI" use="optional"/>
+    </complexType>
 
-	<element name="KeyDerivationMethod" type="xenc11:KeyDerivationMethodType"/>
-	<complexType name="KeyDerivationMethodType">
-		<sequence>
-			<any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
-		</sequence>
-		<attribute name="Algorithm" type="anyURI" use="required"/>
-	</complexType>
+    <element name="KeyDerivationMethod" type="xenc11:KeyDerivationMethodType"/>
+    <complexType name="KeyDerivationMethodType">
+        <sequence>
+            <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="Algorithm" type="anyURI" use="required"/>
+    </complexType>
 
-	<element name="PBKDF2-params" type="xenc11:PBKDF2ParameterType"/>
+    <element name="PBKDF2-params" type="xenc11:PBKDF2ParameterType"/>
 
-	<complexType name="AlgorithmIdentifierType">
-		<sequence>
-			<element name="Parameters" minOccurs="0"/>
-		</sequence>
+    <complexType name="AlgorithmIdentifierType">
+        <sequence>
+            <element name="Parameters" minOccurs="0"/>
+        </sequence>
         <attribute name="Algorithm" type="anyURI" use="required" />
-	</complexType>
+    </complexType>
 
-	<complexType name="PRFAlgorithmIdentifierType">
-		<complexContent>
+    <complexType name="PRFAlgorithmIdentifierType">
+        <complexContent>
           <restriction base="xenc11:AlgorithmIdentifierType">
             <attribute name="Algorithm" type="anyURI" use="required" />
           </restriction>
         </complexContent>
-	</complexType>
+    </complexType>
 
-	<complexType name="PBKDF2ParameterType">
-		<sequence>
-			<element name="Salt">
-				<complexType>
-					<choice>
-						<element name="Specified" type="base64Binary"/>
-						<element name="OtherSource" type="xenc11:AlgorithmIdentifierType"/>
-					</choice>
-				</complexType>
-			</element>
-			<element name="IterationCount" type="positiveInteger"/>
-			<element name="KeyLength" type="positiveInteger"/>
-			<element name="PRF" type="xenc11:PRFAlgorithmIdentifierType"/>
-		</sequence>
-	</complexType>
+    <complexType name="PBKDF2ParameterType">
+        <sequence>
+            <element name="Salt">
+                <complexType>
+                    <choice>
+                        <element name="Specified" type="base64Binary"/>
+                        <element name="OtherSource" type="xenc11:AlgorithmIdentifierType"/>
+                    </choice>
+                </complexType>
+            </element>
+            <element name="IterationCount" type="positiveInteger"/>
+            <element name="KeyLength" type="positiveInteger"/>
+            <element name="PRF" type="xenc11:PRFAlgorithmIdentifierType"/>
+        </sequence>
+    </complexType>
 
     <element name="MGF" type="xenc11:MGFType"/>
     <complexType name="MGFType">
diff --git a/mdx/schema/xenc-schema.xsd b/mdx/schema/xenc-schema.xsd
index cdfc8333..82f7be4b 100644
--- a/mdx/schema/xenc-schema.xsd
+++ b/mdx/schema/xenc-schema.xsd
@@ -2,14 +2,14 @@
 
 <!--
 #
-# Copyright ©[2011] World Wide Web Consortium 
-# (Massachusetts Institute of Technology,  
-#  European Research Consortium for Informatics and Mathematics, 
-#  Keio University). All Rights Reserved.  
+# Copyright ©[2011] World Wide Web Consortium
+# (Massachusetts Institute of Technology,
+#  European Research Consortium for Informatics and Mathematics,
+#  Keio University). All Rights Reserved.
 # This work is distributed under the W3C® Software License [1] in the
 # hope that it will be useful, but WITHOUT ANY WARRANTY; without even
 # the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-# PURPOSE. 
+# PURPOSE.
 # [1] http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231
 #
 -->
@@ -35,7 +35,7 @@
     <attribute name='MimeType' type='string' use='optional'/>
     <attribute name='Encoding' type='anyURI' use='optional'/>
   </complexType>
-  
+
   <complexType name='EncryptionMethodType' mixed='true'>
     <sequence>
       <element name='KeySize' minOccurs='0' type='xenc:KeySizeType'/>
@@ -166,6 +166,6 @@
   </complexType>
 
   <!-- End Children of ds:KeyValue -->
-  
+
 </schema>
 
diff --git a/mdx/schema/xml.xsd b/mdx/schema/xml.xsd
index 38bba34d..f10e6abb 100644
--- a/mdx/schema/xml.xsd
+++ b/mdx/schema/xml.xsd
@@ -27,7 +27,7 @@
         &lt;type . . .>
          . . .
          &lt;attributeGroup ref="xml:specialAttrs"/>
- 
+
          will define a type which will schema-validate an instance
          element with any of those attributes</xs:documentation>
  </xs:annotation>
diff --git a/mdx/schema/xmldsig-core-schema.xsd b/mdx/schema/xmldsig-core-schema.xsd
index 07aad278..ebcd6a42 100644
--- a/mdx/schema/xmldsig-core-schema.xsd
+++ b/mdx/schema/xmldsig-core-schema.xsd
@@ -19,7 +19,7 @@
 <schema xmlns="http://www.w3.org/2001/XMLSchema"
         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
         targetNamespace="http://www.w3.org/2000/09/xmldsig#"
-        version="0.1" elementFormDefault="qualified"> 
+        version="0.1" elementFormDefault="qualified">
 
 <!-- Basic Types Defined for Signatures -->
 
@@ -32,16 +32,16 @@
 
 <element name="Signature" type="ds:SignatureType"/>
 <complexType name="SignatureType">
-  <sequence> 
-    <element ref="ds:SignedInfo"/> 
-    <element ref="ds:SignatureValue"/> 
-    <element ref="ds:KeyInfo" minOccurs="0"/> 
-    <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/> 
-  </sequence>  
+  <sequence>
+    <element ref="ds:SignedInfo"/>
+    <element ref="ds:SignatureValue"/>
+    <element ref="ds:KeyInfo" minOccurs="0"/>
+    <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/>
+  </sequence>
   <attribute name="Id" type="ID" use="optional"/>
 </complexType>
 
-  <element name="SignatureValue" type="ds:SignatureValueType"/> 
+  <element name="SignatureValue" type="ds:SignatureValueType"/>
   <complexType name="SignatureValueType">
     <simpleContent>
       <extension base="base64Binary">
@@ -54,21 +54,21 @@
 
 <element name="SignedInfo" type="ds:SignedInfoType"/>
 <complexType name="SignedInfoType">
-  <sequence> 
-    <element ref="ds:CanonicalizationMethod"/> 
-    <element ref="ds:SignatureMethod"/> 
-    <element ref="ds:Reference" maxOccurs="unbounded"/> 
-  </sequence>  
-  <attribute name="Id" type="ID" use="optional"/> 
+  <sequence>
+    <element ref="ds:CanonicalizationMethod"/>
+    <element ref="ds:SignatureMethod"/>
+    <element ref="ds:Reference" maxOccurs="unbounded"/>
+  </sequence>
+  <attribute name="Id" type="ID" use="optional"/>
 </complexType>
 
-  <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/> 
+  <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/>
   <complexType name="CanonicalizationMethodType" mixed="true">
     <sequence>
       <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
       <!-- (0,unbounded) elements from (1,1) namespace -->
     </sequence>
-    <attribute name="Algorithm" type="anyURI" use="required"/> 
+    <attribute name="Algorithm" type="anyURI" use="required"/>
   </complexType>
 
   <element name="SignatureMethod" type="ds:SignatureMethodType"/>
@@ -78,48 +78,48 @@
       <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
       <!-- (0,unbounded) elements from (1,1) external namespace -->
     </sequence>
-    <attribute name="Algorithm" type="anyURI" use="required"/> 
+    <attribute name="Algorithm" type="anyURI" use="required"/>
   </complexType>
 
 <!-- Start Reference -->
 
 <element name="Reference" type="ds:ReferenceType"/>
 <complexType name="ReferenceType">
-  <sequence> 
-    <element ref="ds:Transforms" minOccurs="0"/> 
-    <element ref="ds:DigestMethod"/> 
-    <element ref="ds:DigestValue"/> 
+  <sequence>
+    <element ref="ds:Transforms" minOccurs="0"/>
+    <element ref="ds:DigestMethod"/>
+    <element ref="ds:DigestValue"/>
   </sequence>
-  <attribute name="Id" type="ID" use="optional"/> 
-  <attribute name="URI" type="anyURI" use="optional"/> 
-  <attribute name="Type" type="anyURI" use="optional"/> 
+  <attribute name="Id" type="ID" use="optional"/>
+  <attribute name="URI" type="anyURI" use="optional"/>
+  <attribute name="Type" type="anyURI" use="optional"/>
 </complexType>
 
   <element name="Transforms" type="ds:TransformsType"/>
   <complexType name="TransformsType">
     <sequence>
-      <element ref="ds:Transform" maxOccurs="unbounded"/>  
+      <element ref="ds:Transform" maxOccurs="unbounded"/>
     </sequence>
   </complexType>
 
   <element name="Transform" type="ds:TransformType"/>
   <complexType name="TransformType" mixed="true">
-    <choice minOccurs="0" maxOccurs="unbounded"> 
+    <choice minOccurs="0" maxOccurs="unbounded">
       <any namespace="##other" processContents="lax"/>
       <!-- (1,1) elements from (0,unbounded) namespaces -->
-      <element name="XPath" type="string"/> 
+      <element name="XPath" type="string"/>
     </choice>
-    <attribute name="Algorithm" type="anyURI" use="required"/> 
+    <attribute name="Algorithm" type="anyURI" use="required"/>
   </complexType>
 
 <!-- End Reference -->
 
 <element name="DigestMethod" type="ds:DigestMethodType"/>
-<complexType name="DigestMethodType" mixed="true"> 
+<complexType name="DigestMethodType" mixed="true">
   <sequence>
     <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-  </sequence>    
-  <attribute name="Algorithm" type="anyURI" use="required"/> 
+  </sequence>
+  <attribute name="Algorithm" type="anyURI" use="required"/>
 </complexType>
 
 <element name="DigestValue" type="ds:DigestValueType"/>
@@ -131,26 +131,26 @@
 
 <!-- Start KeyInfo -->
 
-<element name="KeyInfo" type="ds:KeyInfoType"/> 
+<element name="KeyInfo" type="ds:KeyInfoType"/>
 <complexType name="KeyInfoType" mixed="true">
-  <choice maxOccurs="unbounded">     
-    <element ref="ds:KeyName"/> 
-    <element ref="ds:KeyValue"/> 
-    <element ref="ds:RetrievalMethod"/> 
-    <element ref="ds:X509Data"/> 
-    <element ref="ds:PGPData"/> 
+  <choice maxOccurs="unbounded">
+    <element ref="ds:KeyName"/>
+    <element ref="ds:KeyValue"/>
+    <element ref="ds:RetrievalMethod"/>
+    <element ref="ds:X509Data"/>
+    <element ref="ds:PGPData"/>
     <element ref="ds:SPKIData"/>
     <element ref="ds:MgmtData"/>
     <any processContents="lax" namespace="##other"/>
     <!-- (1,1) elements from (0,unbounded) namespaces -->
   </choice>
-  <attribute name="Id" type="ID" use="optional"/> 
+  <attribute name="Id" type="ID" use="optional"/>
 </complexType>
 
   <element name="KeyName" type="string"/>
   <element name="MgmtData" type="string"/>
 
-  <element name="KeyValue" type="ds:KeyValueType"/> 
+  <element name="KeyValue" type="ds:KeyValueType"/>
   <complexType name="KeyValueType" mixed="true">
    <choice>
      <element ref="ds:DSAKeyValue"/>
@@ -159,18 +159,18 @@
    </choice>
   </complexType>
 
-  <element name="RetrievalMethod" type="ds:RetrievalMethodType"/> 
+  <element name="RetrievalMethod" type="ds:RetrievalMethodType"/>
   <complexType name="RetrievalMethodType">
     <sequence>
-      <element ref="ds:Transforms" minOccurs="0"/> 
-    </sequence>  
+      <element ref="ds:Transforms" minOccurs="0"/>
+    </sequence>
     <attribute name="URI" type="anyURI"/>
     <attribute name="Type" type="anyURI" use="optional"/>
   </complexType>
 
 <!-- Start X509Data -->
 
-<element name="X509Data" type="ds:X509DataType"/> 
+<element name="X509Data" type="ds:X509DataType"/>
 <complexType name="X509DataType">
   <sequence maxOccurs="unbounded">
     <choice>
@@ -184,10 +184,10 @@
   </sequence>
 </complexType>
 
-<complexType name="X509IssuerSerialType"> 
-  <sequence> 
-    <element name="X509IssuerName" type="string"/> 
-    <element name="X509SerialNumber" type="integer"/> 
+<complexType name="X509IssuerSerialType">
+  <sequence>
+    <element name="X509IssuerName" type="string"/>
+    <element name="X509SerialNumber" type="integer"/>
   </sequence>
 </complexType>
 
@@ -195,17 +195,17 @@
 
 <!-- Begin PGPData -->
 
-<element name="PGPData" type="ds:PGPDataType"/> 
-<complexType name="PGPDataType"> 
+<element name="PGPData" type="ds:PGPDataType"/>
+<complexType name="PGPDataType">
   <choice>
     <sequence>
-      <element name="PGPKeyID" type="base64Binary"/> 
-      <element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/> 
+      <element name="PGPKeyID" type="base64Binary"/>
+      <element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/>
       <any namespace="##other" processContents="lax" minOccurs="0"
        maxOccurs="unbounded"/>
     </sequence>
     <sequence>
-      <element name="PGPKeyPacket" type="base64Binary"/> 
+      <element name="PGPKeyPacket" type="base64Binary"/>
       <any namespace="##other" processContents="lax" minOccurs="0"
        maxOccurs="unbounded"/>
     </sequence>
@@ -216,13 +216,13 @@
 
 <!-- Begin SPKIData -->
 
-<element name="SPKIData" type="ds:SPKIDataType"/> 
+<element name="SPKIData" type="ds:SPKIDataType"/>
 <complexType name="SPKIDataType">
   <sequence maxOccurs="unbounded">
     <element name="SPKISexp" type="base64Binary"/>
     <any namespace="##other" processContents="lax" minOccurs="0"/>
   </sequence>
-</complexType> 
+</complexType>
 
 <!-- End SPKIData -->
 
@@ -230,40 +230,40 @@
 
 <!-- Start Object (Manifest, SignatureProperty) -->
 
-<element name="Object" type="ds:ObjectType"/> 
+<element name="Object" type="ds:ObjectType"/>
 <complexType name="ObjectType" mixed="true">
   <sequence minOccurs="0" maxOccurs="unbounded">
     <any namespace="##any" processContents="lax"/>
   </sequence>
-  <attribute name="Id" type="ID" use="optional"/> 
+  <attribute name="Id" type="ID" use="optional"/>
   <attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet -->
-  <attribute name="Encoding" type="anyURI" use="optional"/> 
+  <attribute name="Encoding" type="anyURI" use="optional"/>
 </complexType>
 
-<element name="Manifest" type="ds:ManifestType"/> 
+<element name="Manifest" type="ds:ManifestType"/>
 <complexType name="ManifestType">
   <sequence>
-    <element ref="ds:Reference" maxOccurs="unbounded"/> 
+    <element ref="ds:Reference" maxOccurs="unbounded"/>
   </sequence>
-  <attribute name="Id" type="ID" use="optional"/> 
+  <attribute name="Id" type="ID" use="optional"/>
 </complexType>
 
-<element name="SignatureProperties" type="ds:SignaturePropertiesType"/> 
+<element name="SignatureProperties" type="ds:SignaturePropertiesType"/>
 <complexType name="SignaturePropertiesType">
   <sequence>
-    <element ref="ds:SignatureProperty" maxOccurs="unbounded"/> 
+    <element ref="ds:SignatureProperty" maxOccurs="unbounded"/>
   </sequence>
-  <attribute name="Id" type="ID" use="optional"/> 
+  <attribute name="Id" type="ID" use="optional"/>
 </complexType>
 
-   <element name="SignatureProperty" type="ds:SignaturePropertyType"/> 
+   <element name="SignatureProperty" type="ds:SignaturePropertyType"/>
    <complexType name="SignaturePropertyType" mixed="true">
      <choice maxOccurs="unbounded">
        <any namespace="##other" processContents="lax"/>
        <!-- (1,1) elements from (1,unbounded) namespaces -->
      </choice>
-     <attribute name="Target" type="anyURI" use="required"/> 
-     <attribute name="Id" type="ID" use="optional"/> 
+     <attribute name="Target" type="anyURI" use="required"/>
+     <attribute name="Id" type="ID" use="optional"/>
    </complexType>
 
 <!-- End Object (Manifest, SignatureProperty) -->
@@ -296,10 +296,10 @@
 <element name="RSAKeyValue" type="ds:RSAKeyValueType"/>
 <complexType name="RSAKeyValueType">
   <sequence>
-    <element name="Modulus" type="ds:CryptoBinary"/> 
-    <element name="Exponent" type="ds:CryptoBinary"/> 
+    <element name="Modulus" type="ds:CryptoBinary"/>
+    <element name="Exponent" type="ds:CryptoBinary"/>
   </sequence>
-</complexType> 
+</complexType>
 
 <!-- End KeyValue Element-types -->
 
diff --git a/mdx/schema/xmldsig11-schema.xsd b/mdx/schema/xmldsig11-schema.xsd
index f03643a3..4de60789 100644
--- a/mdx/schema/xmldsig11-schema.xsd
+++ b/mdx/schema/xmldsig11-schema.xsd
@@ -2,14 +2,14 @@
 
 <!--
 #
-# Copyright ©[2011] World Wide Web Consortium 
-# (Massachusetts Institute of Technology,  
-#  European Research Consortium for Informatics and Mathematics, 
-#  Keio University). All Rights Reserved.  
+# Copyright ©[2011] World Wide Web Consortium
+# (Massachusetts Institute of Technology,
+#  European Research Consortium for Informatics and Mathematics,
+#  Keio University). All Rights Reserved.
 # This work is distributed under the W3C® Software License [1] in the
 # hope that it will be useful, but WITHOUT ANY WARRANTY; without even
 # the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-# PURPOSE. 
+# PURPOSE.
 # [1] http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231
 #
 -->
@@ -37,7 +37,7 @@
   <complexType name="NamedCurveType">
     <attribute name="URI" type="anyURI" use="required"/>
   </complexType>
-  
+
   <simpleType name="ECPointType">
     <restriction base="ds:CryptoBinary"/>
   </simpleType>
@@ -53,7 +53,7 @@
                type="dsig11:ECValidationDataType" minOccurs="0"/>
     </sequence>
   </complexType>
-  
+
   <complexType name="FieldIDType">
     <choice>
       <element ref="dsig11:Prime"/>
@@ -91,7 +91,7 @@
       <element name="M" type="positiveInteger"/>
     </sequence>
   </complexType>
-  
+
   <element name="TnB" type="dsig11:TnBFieldParamsType"/>
   <complexType name="TnBFieldParamsType">
     <complexContent>
@@ -125,7 +125,7 @@
     </simpleContent>
   </complexType>
 
-  <element name="KeyInfoReference" type="dsig11:KeyInfoReferenceType"/> 
+  <element name="KeyInfoReference" type="dsig11:KeyInfoReferenceType"/>
   <complexType name="KeyInfoReferenceType">
     <attribute name="URI" type="anyURI" use="required"/>
     <attribute name="Id" type="ID" use="optional"/>
diff --git a/mdx/strip-aa-mdui.xsl b/mdx/strip-aa-mdui.xsl
index dd323f4b..2368a915 100644
--- a/mdx/strip-aa-mdui.xsl
+++ b/mdx/strip-aa-mdui.xsl
@@ -1,32 +1,32 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
-	strip-aa-mdui.xsl
-	
-	Remove all MDUI metadata from attribute authority roles.
-	
+
+    strip-aa-mdui.xsl
+
+    Remove all MDUI metadata from attribute authority roles.
+
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Remove all MDUI metadata from attribute authority roles.
+    -->
+    <xsl:template match="md:AttributeAuthorityDescriptor/md:Extensions/mdui:*"/>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
-	<!--
-		Remove all MDUI metadata from attribute authority roles.
-	-->
-	<xsl:template match="md:AttributeAuthorityDescriptor/md:Extensions/mdui:*"/>
-	
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/strip-comments.xsl b/mdx/strip-comments.xsl
index d42afa7e..5bbe1fb9 100644
--- a/mdx/strip-comments.xsl
+++ b/mdx/strip-comments.xsl
@@ -1,28 +1,28 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
-	strip-comments.xsl
-	
-	Remove all comment nodes from a document.
-	
+
+    strip-comments.xsl
+
+    Remove all comment nodes from a document.
+
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!-- Force UTF-8 encoding for the output. -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <!-- Copy text blocks and attributes unchanged. -->
+    <xsl:template match="text()|@*">
+        <xsl:copy/>
+    </xsl:template>
 
-	<!-- Force UTF-8 encoding for the output. -->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+    <!-- Copy all elements from the input to the output, along with their attributes and contents. -->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
-	<!-- Copy text blocks and attributes unchanged. -->
-	<xsl:template match="text()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!-- Copy all elements from the input to the output, along with their attributes and contents. -->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/strip-mdui-logo-data.xsl b/mdx/strip-mdui-logo-data.xsl
index da379da0..e4923841 100644
--- a/mdx/strip-mdui-logo-data.xsl
+++ b/mdx/strip-mdui-logo-data.xsl
@@ -1,32 +1,32 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
-	strip-mdui-logo-data.xsl
-	
-	Remove all mdui:Logo elements containing data: URLs.
-	
+
+    strip-mdui-logo-data.xsl
+
+    Remove all mdui:Logo elements containing data: URLs.
+
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Remove all mdui:Logo elements containing data: URLs.
+    -->
+    <xsl:template match="mdui:Logo[starts-with(., 'data:')]"/>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
-	<!--
-	    Remove all mdui:Logo elements containing data: URLs.
-	-->
-	<xsl:template match="mdui:Logo[starts-with(., 'data:')]"/>
-	
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/strip-mdui-logo-http.xsl b/mdx/strip-mdui-logo-http.xsl
index 50702a53..68526030 100644
--- a/mdx/strip-mdui-logo-http.xsl
+++ b/mdx/strip-mdui-logo-http.xsl
@@ -1,49 +1,49 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	strip-mdui-logo-http.xsl
+    strip-mdui-logo-http.xsl
 
-	Remove mdui:Logo elements whose value starts with http://, as these
-	may cause mixed content errors in browser-based discovery interfaces.
+    Remove mdui:Logo elements whose value starts with http://, as these
+    may cause mixed content errors in browser-based discovery interfaces.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="_rules/check_framework.xsl"/>
-
-	<!-- Force UTF-8 encoding for the output. -->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	<!-- Match the pattern we want to remove. -->
-	<xsl:template match="mdui:Logo[starts-with(., 'http://')]">
-		<xsl:call-template name="warning">
-			<xsl:with-param name="m">
-				<xsl:text>mdui:Logo from non-TLS location removed: '</xsl:text>
-				<xsl:value-of select="."/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-		<!-- ... and don't copy the element to the output, so that it is removed ... -->
-	</xsl:template>
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-
-	<!-- Copy all elements from the input to the output, along with their attributes and contents. -->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="_rules/check_framework.xsl"/>
+
+    <!-- Force UTF-8 encoding for the output. -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <!-- Match the pattern we want to remove. -->
+    <xsl:template match="mdui:Logo[starts-with(., 'http://')]">
+        <xsl:call-template name="warning">
+            <xsl:with-param name="m">
+                <xsl:text>mdui:Logo from non-TLS location removed: '</xsl:text>
+                <xsl:value-of select="."/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+        <!-- ... and don't copy the element to the output, so that it is removed ... -->
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!-- Copy all elements from the input to the output, along with their attributes and contents. -->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/test/beans.xml b/mdx/test/beans.xml
index 2795c95b..e3a8f5a0 100644
--- a/mdx/test/beans.xml
+++ b/mdx/test/beans.xml
@@ -11,17 +11,18 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Fetch the aggregate aggregate.
     -->
-    <bean id="test_aggregate" parent="DOMResourceSourceStage"
+    <bean id="test_aggregate" parent="mda.DOMResourceSourceStage"
+        p:parserPool-ref="parserPool"
         p:DOMResource="classpath:test/input.xml"/>
-    
+
     <!--
         Fetch and process the entities as a collection.
     -->
-    <bean id="test_entities" parent="CompositeStage">
+    <bean id="test_entities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="test_aggregate"/>
@@ -29,5 +30,5 @@
             </list>
         </property>
     </bean>
-    
+
 </beans>
diff --git a/mdx/test/verbs.xml b/mdx/test/verbs.xml
index f5f692df..3214ed55 100644
--- a/mdx/test/verbs.xml
+++ b/mdx/test/verbs.xml
@@ -11,26 +11,27 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-        
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:test/beans.xml"/>
-    
-    <bean id="serializeImported" parent="SerializationStage">
+
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/test/imported.xml"/>
             </bean>
         </property>
     </bean>
-    
-    <bean id="import" parent="SimplePipeline">
+
+    <bean id="import" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="test_entities"/>
@@ -41,7 +42,7 @@
         </property>
     </bean>
 
-    <bean id="importRaw" parent="SimplePipeline">
+    <bean id="importRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="test_aggregate"/>
@@ -49,5 +50,5 @@
             </list>
         </property>
     </bean>
-    
+
 </beans>
diff --git a/mdx/uk/README.md b/mdx/uk/README.md
index fdff0d19..88b4703b 100644
--- a/mdx/uk/README.md
+++ b/mdx/uk/README.md
@@ -28,9 +28,9 @@ before being included in the `export` version consumed by interfederation partne
 
 ### Export Preview Aggregate vs. Export Aggregate
 
-Status (2017-01-27):
+Status (2017-02-14):
 
-* these two aggregates are currently identical.
+* These aggregates are currently identical.
 
 ## Production Maturity Pipeline
 
@@ -43,6 +43,12 @@ The production maturity pipeline consists of:
 In this arrangement, features are first introduced to the `test` variant of the aggregate for a period
 before being included in the `metadata` variant consumed by federation members.
 
+The following additional aggregates are normally kept in sync (where appropriate) with the production `metadata`
+aggregate:
+
+* `ukfederation-cdsall-unsigned.xml`
+* `ukfederation-wayf-unsigned.xml`
+
 Once a feature has been "in production" (present in the `metadata` variant) for a period, normally one month but
 subject to extension at Federation discretion, it will be introduced to the `back` variant. This provides a
 temporary "fallback" mechanism for entity owners whose entities have difficulty with a newly introduced
@@ -53,21 +59,13 @@ when it appeared in the fallback aggregate, which would be too late to take corr
 
 ### Test Aggregate vs. Production Aggregate
 
-Status (2017-01-27):
+Status (2017-03-02):
 
-* the test aggregate implements a _blacklisting_ approach to entity attributes imported from eduGAIN,
-while the production aggregate implements the traditional entity attribute _whitelist_.
-* the test aggregate no longer implements the "key use" fixup required for pre-1.3.1 Shibboleth SPs.
-This adds the `use="signing"` XML attribute to `<KeyDescriptor>` elements present in IdP metadata
-without a `use` attribute. It is not needed for later releases of the Shibboleth SP.
-* The test aggregate defines the `saml` namespace prefix (used by entity attributes) on the document element
-instead of in each SAML `<Attribute>`.
-* The test aggregate defines the `mdattr` namespace prefix (used by entity attributes) on the document element
-instead of in each `<EntityAttributes>` element.
-* The test aggregate normalises the `xenc` namespace to not use a prefix, as it is not very commonly used.
+* These aggregates are currently identical.
 
 ### Fallback Aggregate vs. Production Aggregate
 
-Status (2017-01-27):
+Status (2017-03-14):
 
-* these two aggregates are currently identical
+* the production aggregate implements a _blacklisting_ approach to entity attributes imported from eduGAIN,
+while the production aggregate implements the traditional entity attribute _whitelist_. (2017-03-02)
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 6fb81d6a..22b88e63 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -15,24 +15,24 @@
     <!--
         Location of various resources.
     -->
-    <bean id="uk_productionAggregate_url" class="java.lang.String">
+    <bean id="uk_productionAggregate_url" parent="String">
         <constructor-arg value="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"/>
     </bean>
-    <bean id="uk_exportAggregate_url" class="java.lang.String">
+    <bean id="uk_exportAggregate_url" parent="String">
         <constructor-arg value="http://metadata.ukfederation.org.uk/ukfederation-export.xml"/>
     </bean>
-    
-    
+
+
     <!--
         uk_federation_uri
-        
+
         URI for the UK federation.  Used in several contexts:
-        
+
         * as the Name attribute for the main EntitiesDescriptor in UK federation metadata
           (not always the document element)
-          
+
         * in mdrpi:PublicationInfo, as the unique identifier for the UK federation publisher
-        
+
         It is the same as the URI used to indicate the UK federation as a registrar, so is made
         an alias of that bean.
     -->
@@ -42,53 +42,54 @@
     <!--
         Fetch the export aggregate.
     -->
-    <bean id="uk_exportAggregate" parent="DOMResourceSourceStage">
+    <bean id="uk_exportAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
-                <constructor-arg name="url" ref="uk_exportAggregate_url"/>        
+                <constructor-arg name="url" ref="uk_exportAggregate_url"/>
             </bean>
         </property>
     </bean>
-    
-    
+
+
     <!--
         Fetch the production aggregate.
     -->
-    <bean id="uk_productionAggregate" parent="DOMResourceSourceStage">
+    <bean id="uk_productionAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
-                <constructor-arg name="url" ref="uk_productionAggregate_url"/>        
+                <constructor-arg name="url" ref="uk_productionAggregate_url"/>
             </bean>
         </property>
     </bean>
-    
-    
+
+
     <!--
         Metadata signing certificate.
     -->
     <bean id="uk_signingCertificate" parent="X509CertificateFactoryBean"
         p:resource="classpath:uk/ukfederation-2014.pem"/>
-    
-    
+
+
     <!--
         Check the signature on a document.
     -->
     <bean id="uk_checkSignature" parent="XMLSignatureValidationStage">
         <property name="verificationCertificate" ref="uk_signingCertificate"/>
     </bean>
-    
-    
+
+
     <!--
         uk_check_validUntil
-        
+
         Check that an aggregate has a validUntil instant specified, and that it has not
         yet expired.  Sets a bound of 30 days on the validity interval; 14 days is the
         expected value.
     -->
-    <bean id="uk_check_validUntil" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.ValidateValidUntilStage">
+    <bean id="uk_check_validUntil" parent="mda.ValidateValidUntilStage">
         <!--
             The validUntil attribute must be present.
         -->
@@ -98,35 +99,34 @@
         -->
         <property name="maxValidityInterval" value="#{ 1000L * 60 * 60 * 24 * 30 }"/>
     </bean>
-    
-    
+
+
     <!--
         uk_fetchFragmentFiles
-        
+
         Collects all the UK metadata "fragment files" from the /entities directory.
-        
+
         Each fragment file contains a single EntityDescriptor.  The name of each
         eligible file matches a particular regular expression.
     -->
-    <bean id="uk_fetchFragmentFiles" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.DOMFilesystemSourceStage">
+    <bean id="uk_fetchFragmentFiles" parent="mda.DOMFilesystemSourceStage">
         <property name="parserPool" ref="parserPool"/>
         <property name="source">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${entities.dir}"/>
             </bean>
         </property>
         <property name="sourceFileFilter">
-            <bean class="uk.org.ukfederation.mda.RegexFileFilter">
+            <bean parent="ukf.RegexFileFilter">
                 <constructor-arg value="uk\d{6}.xml"/>
             </bean>
         </property>
     </bean>
-    
-    
+
+
     <!--
         uk_membersDocument
-        
+
         This bean contains the contents of the members.xml file as a DOM Document.
     -->
     <bean id="uk_membersDocument" parent="DOMDocumentFactoryBean">
@@ -135,11 +135,11 @@
         </property>
         <property name="parserPool" ref="parserPool"/>
     </bean>
-    
-    
+
+
     <!--
         uk_membersSchemaDocument
-        
+
         This bean loads the schema for the members.xml file as a DOM Document.
     -->
     <bean id="uk_membersSchemaDocument" parent="DOMDocumentFactoryBean">
@@ -148,88 +148,86 @@
         </property>
         <property name="parserPool" ref="parserPool"/>
     </bean>
-    
+
 
     <!--
         uk_members
-        
+
         This bean implements an API for access to the contents of the members.xml document.
     -->
     <bean id="uk_members" class="uk.org.ukfederation.members.Members"
         c:_0-ref="uk_membersDocument"
         c:_1-ref="uk_membersSchemaDocument"/>
-    
-    
+
+
     <!--
         uk_fix_mailto
-        
+
         Adds "mailto:" to md:EmailAddress elements which don't already have it.
     -->
-    <bean id="uk_fix_mailto" parent="XSLTransformationStage"
+    <bean id="uk_fix_mailto" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/fix_mailto.xsl"/>
-    
-    
+
+
     <!--
         check_ukreg
-        
+
         Checks specific to the UK registrar function.
     -->
-    <bean id="check_ukreg" parent="XSLValidationStage"
+    <bean id="check_ukreg" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_ukreg.xsl"/>
-    
+
     <!--
         check_owner
-        
+
         Checks that entities are owned by UK federation members.
     -->
-    <bean id="check_owner" parent="stage_parent"
-        class="uk.org.ukfederation.mda.dom.saml.EntityOwnerCheckingStage"
+    <bean id="check_owner" parent="ukf.EntityOwnerCheckingStage"
         p:members-ref="uk_members"/>
-    
+
     <!--
         check_uk_keydesc_key
     -->
-    <bean id="check_uk_keydesc_key" parent="XSLValidationStage"
+    <bean id="check_uk_keydesc_key" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_keydesc_key.xsl"/>
 
 
     <!--
         check_uk_mdattr
     -->
-    <bean id="check_uk_mdattr" parent="XSLValidationStage"
+    <bean id="check_uk_mdattr" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_mdattr.xsl"/>
-    
-    
+
+
     <!--
         check_uk_mdrps
     -->
-    <bean id="check_uk_mdrps" parent="XSLValidationStage"
+    <bean id="check_uk_mdrps" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_mdrps.xsl"/>
-    
-    
+
+
     <!--
         check_uk_urlenc
     -->
-    <bean id="check_uk_urlenc" parent="XSLValidationStage"
+    <bean id="check_uk_urlenc" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_urlenc.xsl"/>
-    
+
 
     <!--
         uk_processFragment
-        
+
         This stage performs any standard cleanup required for UK federation fragment files.
     -->
-    <bean id="uk_processFragment" parent="XSLTransformationStage"
+    <bean id="uk_processFragment" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/fragment.xsl"/>
-    
-    
+
+
     <!--
         uk_stripAdminContacts
-        
+
         Remove any md:ContactPerson elements with contactType of "administrative".
     -->
-    <bean id="uk_stripAdminContacts" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.ContactPersonFilterStage">
+    <bean id="uk_stripAdminContacts" parent="mda.ContactPersonFilterStage">
         <property name="designatedTypes">
             <list>
                 <value>administrative</value>
@@ -237,46 +235,32 @@
         </property>
         <property name="whitelistingTypes" value="false"/>
     </bean>
-    
-    
+
+
     <!--
         Populate UKId values from entities.
     -->
-    <bean id="uk_populateIds" parent="stage_parent"
-        class="uk.org.ukfederation.mda.EntityDescriptorUKIdPopulationStage"/>
-    
+    <bean id="uk_populateIds" parent="ukf.EntityDescriptorUKIdPopulationStage"/>
+
 
     <!--
         UK federation named EntitiesDescriptor assembler pipeline stage.
-        
+
         Name attribute is set to the federation URI.  UK ordering is applied.
     -->
-    <bean id="uk_assemble" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorAssemblerStage">
+    <bean id="uk_assemble" parent="mda.EntitiesDescriptorAssemblerStage">
         <property name="descriptorName" ref="uk_federation_uri"/>
         <property name="itemOrderingStrategy">
-            <bean class="uk.org.ukfederation.mda.UKEntityOrderingStrategy"/>
+            <bean parent="ukf.UKEntityOrderingStrategy"/>
         </property>
     </bean>
-    
 
-    <!--
-        UK federation unnamed EntitiesDescriptor assembler pipeline stage.
-        
-        Name attribute is not set.  UK ordering is applied.
-    -->
-    <bean id="uk_assembleUnnamed" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorAssemblerStage">
-        <property name="itemOrderingStrategy">
-            <bean class="uk.org.ukfederation.mda.UKEntityOrderingStrategy"/>
-        </property>
-    </bean>
-    
+
 
     <!--
         Fetch and process the registered entities as a collection.
     -->
-    <bean id="uk_registeredEntities" parent="CompositeStage">
+    <bean id="uk_registeredEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="uk_fetchFragmentFiles"/>
@@ -286,81 +270,56 @@
                     Make all three potential scope lists equivalent (on the entity, on
                     the IDPSSODescriptor and on the AttributeAuthority).
                 -->
-                <bean id="scopes_copy" parent="XSLTransformationStage"
+                <bean id="scopes_copy" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/scopes_copy.xsl"/>
 
                 <!--
                     Inject scopes "pushed" to entities from the members.xml file.
                 -->
-                <bean id="scopes_inject" parent="stage_parent"
-                    class="uk.org.ukfederation.mda.dom.saml.ScopeInjectionStage"
+                <bean id="scopes_inject" parent="ukf.ScopeInjectionStage"
                     p:members-ref="uk_members"/>
 
                 <ref bean="populateItemIds"/>
                 <ref bean="uk_populateIds"/>
                 <ref bean="uk_default_regauth"/>
                 <ref bean="populateRegistrationAuthorities"/>
-                
-                <!--
-                    Add REFEDS Hide from Discovery category as a standardised
-                    equivalent to our HideFromWAYF element.
-                -->
-                <bean id="uk_addHideFromDiscovery" parent="SplitMergeStage">
-                    <!-- select entities with HideFromWayf label -->
-                    <property name="selectionStrategy">
-                        <bean parent="XPathItemSelectionStrategy">
-                            <constructor-arg value="/md:EntityDescriptor[md:Extensions/wayf:HideFromWAYF]"/>
-                            <constructor-arg ref="commonNamespaces"/>
-                        </bean>
-                    </property>
-                    
-                    <property name="selectedItemPipeline">
-                        <bean id="selectedItemPipeline" parent="SimplePipeline">
-                            <property name="stages">
-                                <bean id="addHideFromDiscovery" parent="EntityAttributeAddingStage"
-                                    p:attributeValue="http://refeds.org/category/hide-from-discovery"
-                                    p:addingFirstChild="true"/>
-                            </property>
-                        </bean>
-                    </property>
 
-                </bean>
-                
                 <ref bean="checkSchemas"/>
                 <ref bean="CHECK_std"/>
+                <bean id="check_ukfedlabel" parent="mda.XSLValidationStage"
+                    p:XSLResource="classpath:uk/check_ukfedlabel.xsl"/>
                 <ref bean="check_ukreg"/>
                 <ref bean="check_owner"/>
                 <ref bean="check_uk_keydesc_key"/>
                 <ref bean="check_uk_mdattr"/>
                 <ref bean="check_uk_mdrps"/>
                 <ref bean="check_uk_urlenc"/>
-                <ref bean="check_rands"/>
                 <ref bean="mdui_dn_en_present"/>
                 <ref bean="mdui_dn_en_match"/>
                 <ref bean="check_dup_display"/>
-                
-                <bean id="checkCertificates" parent="X509ValidationStage">
+
+                <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
                             <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean parent="X509RSAKeyLengthValidator"
+                            <bean parent="mda.X509RSAKeyLengthValidator"
                                 p:warningBoundary="0" p:errorBoundary="2048"/>
                             <!-- Error on small RSA public exponents. -->
-                            <bean parent="X509RSAExponentValidator"/>
+                            <bean parent="mda.X509RSAExponentValidator"/>
                             <!-- Error on inconsistent subjectAltNames. -->
-                            <bean parent="X509ConsistentNameValidator"/>
-                            
+                            <bean parent="ukf.X509ConsistentNameValidator"/>
+
                             <!--
                                 Debian weak key blacklists.
-                                
+
                                 Don't need to check for keys below our minimum key size.
                             -->
                             <ref bean="debian.2048"/>
                             <ref bean="debian.4096"/>
-                            
+
                             <!--
                                 Compromised key blacklists.
-                                
+
                                 Again, don't need to check for keys below our minimum key size.
                             -->
                             <ref bean="compromised.2048"/>
@@ -373,16 +332,23 @@
             </list>
         </property>
     </bean>
-    
-    
+
+
     <!--
         uk_stripExtensions
-        
+
         Strip those UK federation extensions which we never publish.
     -->
-    <bean id="uk_stripExtensions" parent="XSLTransformationStage"
+    <bean id="uk_stripExtensions" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/strip_extensions.xsl"/>
-    
+
+
+    <!--
+        uk_strip_UKFederationMember
+    -->
+    <bean id="uk_strip_UKFederationMember" parent="mda.ElementStrippingStage"
+        p:elementNamespace-ref="ukfedlabel_namespace"
+        p:elementName="UKFederationMember"/>
 
     <!--
         ***********************************************
@@ -391,17 +357,17 @@
         ***                                         ***
         ***********************************************
     -->
-    
+
     <!--
         uk_normaliseNamespaces
-        
+
         A pipeline stage that can be used before serialisation to normalise the namespaces
         used in an XML document.  This one is UK-specific, as it makes specific choices
         in order to limit the number of prefixes used.
     -->
-    <bean id="uk_normaliseNamespaces" parent="XSLTransformationStage"
+    <bean id="uk_normaliseNamespaces" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_uk.xsl"/>
-    
+
     <!--
         *************************************************
         ***                                           ***
@@ -409,10 +375,10 @@
         ***                                           ***
         *************************************************
     -->
-    
+
     <!--
         uk_check_regauth
-        
+
         Any registrationAuthority already present on an entity in this
         channel must match the known registration authority value.
     -->
@@ -423,10 +389,10 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         uk_default_regauth
-        
+
         Provide a default registrationAuthority appropriate to
         this channel.
     -->
@@ -437,7 +403,7 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         *********************************************
         ***                                       ***
@@ -445,27 +411,28 @@
         ***                                       ***
         *********************************************
     -->
-    
+
     <!--
         uk_serializeStatistics
-        
+
         Serialise the (assumed HTML) DomDocumentItem into the UK federation statistics
         output file in the production XML directory.
     -->
-    <bean id="uk_serializeStatistics" parent="SerializationStage">
+    <bean id="uk_serializeStatistics" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-stats.html"/>
             </bean>
         </property>
     </bean>
-    
+
     <!--
         uk_generateStatistics
-        
+
         Input is an aggregate of all registered entities, output is the HTML statistics.
     -->
-    <bean id="uk_generateStatistics" parent="XSLTransformationStage"
+    <bean id="uk_generateStatistics" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/statistics.xsl">
         <property name="transformParameters">
             <map>
@@ -473,16 +440,16 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         uk_statisticsPipeline
-        
+
         Pipeline to generate the registrar statistics for the UK federation's
         registered entities.  Input is assumed to be a collection of the entities in question;
         resulting HTML output is written into the appropriate file in the production
         XML directory.
     -->
-    <bean id="uk_statisticsPipeline" parent="SimplePipeline">
+    <bean id="uk_statisticsPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="assemble"/>
@@ -491,7 +458,7 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         #################################################
         ###                                           ###
@@ -499,15 +466,15 @@
         ###                                           ###
         #################################################
     -->
-    
+
     <!--
         Fetch the export entities as a collection.
     -->
-    <bean id="uk_exportedEntities" parent="CompositeStage">
+    <bean id="uk_exportedEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="uk_exportAggregate"/>
-                
+
                 <!--
                     Check for fatal errors at the aggregate level:
                         missing or expired validUntil attribute
@@ -516,13 +483,13 @@
                 <ref bean="uk_check_validUntil"/>
                 <ref bean="uk_checkSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
-                
+
                 <ref bean="uk_default_regauth"/>
                 <ref bean="uk_check_regauth"/>
             </list>
         </property>
     </bean>
-    
+
 </beans>
diff --git a/mdx/uk/blacklist.xml b/mdx/uk/blacklist.xml
index d3cca924..10658de7 100644
--- a/mdx/uk/blacklist.xml
+++ b/mdx/uk/blacklist.xml
@@ -24,7 +24,7 @@
         silently discards entities containing errors anyway.
     -->
     <util:set id="importEntityBlacklist">
-        
+
     </util:set>
-    
+
 </beans>
diff --git a/mdx/uk/check_fixup_encmethod.xsl b/mdx/uk/check_fixup_encmethod.xsl
index 0e5825cf..afbe978e 100644
--- a/mdx/uk/check_fixup_encmethod.xsl
+++ b/mdx/uk/check_fixup_encmethod.xsl
@@ -1,36 +1,36 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_fixup_encmethod.xsl
+    check_fixup_encmethod.xsl
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
-
-	
-	<!--
-		Use of EncryptionMethod within KeyDescriptor causes metadata loading problems
-		for OpenSAML-C 2.0.
-		
-		See https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataCorrectness#MetadataCorrectness-Version2.0
-	-->
-	<xsl:template match="md:KeyDescriptor/md:EncryptionMethod">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">KeyDescriptor contains EncryptionMethod: OpenSAML-C 2.0 problem</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
+
+
+    <!--
+        Use of EncryptionMethod within KeyDescriptor causes metadata loading problems
+        for OpenSAML-C 2.0.
+
+        See https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataCorrectness#MetadataCorrectness-Version2.0
+    -->
+    <xsl:template match="md:KeyDescriptor/md:EncryptionMethod">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">KeyDescriptor contains EncryptionMethod: OpenSAML-C 2.0 problem</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/check_fixup_keyuse.xsl b/mdx/uk/check_fixup_keyuse.xsl
deleted file mode 100644
index cb91fe5d..00000000
--- a/mdx/uk/check_fixup_keyuse.xsl
+++ /dev/null
@@ -1,44 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-	check_fixup_keyuse.xsl
-
--->
-<xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
-
-	
-	<!--
-        Checks for an IdP whose KeyDescriptor elements do not include a @use attribute.
-        This causes problems with the Shibboleth 1.3 SP prior to V1.3.1, which
-        interprets this as "no use permitted" rather than "either signing or encryption use
-        permitted".
-        
-        Two checks are required, one for each of the IdP role descriptors.
-    -->
-	
-	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">IdP SSO KeyDescriptor lacking @use</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">IdP AA KeyDescriptor lacking @use</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-		
-</xsl:stylesheet>
diff --git a/mdx/uk/check_uk_keydesc_key.xsl b/mdx/uk/check_uk_keydesc_key.xsl
index 1214b41c..a134c95f 100644
--- a/mdx/uk/check_uk_keydesc_key.xsl
+++ b/mdx/uk/check_uk_keydesc_key.xsl
@@ -1,33 +1,33 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_uk_keydesc_key.xsl
-	
+    check_uk_keydesc_key.xsl
+
     UKf-specific check that all KeyDescriptor elements contain an embedded key.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
-
-
-	<xsl:template match="md:KeyDescriptor[not(descendant::ds:X509Data)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>KeyDescriptor lacks embedded key material</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
+
+
+    <xsl:template match="md:KeyDescriptor[not(descendant::ds:X509Data)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>KeyDescriptor lacks embedded key material</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/uk/check_uk_mdattr.xsl b/mdx/uk/check_uk_mdattr.xsl
index c7e4d913..48f3ef66 100644
--- a/mdx/uk/check_uk_mdattr.xsl
+++ b/mdx/uk/check_uk_mdattr.xsl
@@ -1,123 +1,124 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_uk_mdattr.xsl
-	
+    check_uk_mdattr.xsl
+
     UKf-specific check for appropriate entity attributes in fragment files.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-	
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
 
-	<!--
-		UKf doesn't register entity attributes using assertions.
-	-->
-	<xsl:template match="mdattr:EntityAttributes/saml:Assertion">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Assertion not permitted within EntityAttributes</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		All entity attributes should have the standard SAML 2.0 URI name format.
-	-->
-	<xsl:template match="mdattr:EntityAttributes/saml:Attribute[not(@NameFormat)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>entity attribute </xsl:text>
-				<xsl:value-of select="@Name"/>
-				<xsl:text> has no NameFormat attribute</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="mdattr:EntityAttributes/saml:Attribute
-		[@NameFormat != 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>entity attribute </xsl:text>
-				<xsl:value-of select="@Name"/>
-				<xsl:text> has wrong NameFormat value </xsl:text>
-				<xsl:value-of select="@NameFormat"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
 
-	<!--
-		Validate attribute name. Each @Name permitted here should have a
-		corresponding attribute value validator below.
-	-->
-	<xsl:template match="mdattr:EntityAttributes/saml:Attribute
-		[@Name != 'http://macedir.org/entity-category']
-		[@Name != 'http://macedir.org/entity-category-support']
-		[@Name != 'urn:oasis:names:tc:SAML:attribute:assurance-certification']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown entity attribute name </xsl:text>
-				<xsl:value-of select="@Name"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
-		Validate entity category values.
-	-->
-	<xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='http://macedir.org/entity-category']
-		/saml:AttributeValue
-		[. != 'http://refeds.org/category/hide-from-discovery']
-		[. != 'http://refeds.org/category/research-and-scholarship']
-		[. != 'http://www.geant.net/uri/dataprotection-code-of-conduct/v1']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown entity category URI </xsl:text>
-				<xsl:value-of select="."/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<!--
+    <!--
+        UKf doesn't register entity attributes using assertions.
+    -->
+    <xsl:template match="mdattr:EntityAttributes/saml:Assertion">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Assertion not permitted within EntityAttributes</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        All entity attributes should have the standard SAML 2.0 URI name format.
+    -->
+    <xsl:template match="mdattr:EntityAttributes/saml:Attribute[not(@NameFormat)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity attribute </xsl:text>
+                <xsl:value-of select="@Name"/>
+                <xsl:text> has no NameFormat attribute</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="mdattr:EntityAttributes/saml:Attribute
+        [@NameFormat != 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity attribute </xsl:text>
+                <xsl:value-of select="@Name"/>
+                <xsl:text> has wrong NameFormat value </xsl:text>
+                <xsl:value-of select="@NameFormat"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Validate attribute name. Each @Name permitted here should have a
+        corresponding attribute value validator below.
+    -->
+    <xsl:template match="mdattr:EntityAttributes/saml:Attribute
+        [@Name != 'http://macedir.org/entity-category']
+        [@Name != 'http://macedir.org/entity-category-support']
+        [@Name != 'urn:oasis:names:tc:SAML:attribute:assurance-certification']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown entity attribute name </xsl:text>
+                <xsl:value-of select="@Name"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Validate entity category values.
+    -->
+    <xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='http://macedir.org/entity-category']
+        /saml:AttributeValue
+        [. != 'http://refeds.org/category/hide-from-discovery']
+        [. != 'http://refeds.org/category/research-and-scholarship']
+        [. != 'http://www.geant.net/uri/dataprotection-code-of-conduct/v1']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown entity category URI </xsl:text>
+                <xsl:value-of select="."/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Validate entity category support values.
     -->
-	<xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='http://macedir.org/entity-category-support']
-		/saml:AttributeValue
-		[. != 'http://refeds.org/category/research-and-scholarship']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown entity category support URI </xsl:text>
-				<xsl:value-of select="."/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='http://macedir.org/entity-category-support']
+        /saml:AttributeValue
+        [. != 'http://refeds.org/category/research-and-scholarship']
+        [. != 'http://www.geant.net/uri/dataprotection-code-of-conduct/v1']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown entity category support URI </xsl:text>
+                <xsl:value-of select="."/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Validate assurance certification values.
-	-->
-	<xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='urn:oasis:names:tc:SAML:attribute:assurance-certification']
-		/saml:AttributeValue
-		[. != 'https://refeds.org/sirtfi']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown assurance certification URI </xsl:text>
-				<xsl:value-of select="."/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        Validate assurance certification values.
+    -->
+    <xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='urn:oasis:names:tc:SAML:attribute:assurance-certification']
+        /saml:AttributeValue
+        [. != 'https://refeds.org/sirtfi']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown assurance certification URI </xsl:text>
+                <xsl:value-of select="."/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/uk/check_uk_mdrps.xsl b/mdx/uk/check_uk_mdrps.xsl
index d7b83d45..bebafa19 100644
--- a/mdx/uk/check_uk_mdrps.xsl
+++ b/mdx/uk/check_uk_mdrps.xsl
@@ -1,57 +1,57 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_uk_mdrps.xsl
-	
+    check_uk_mdrps.xsl
+
     UKf-specific check for appropriate RegistrationPolicy values.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
-
-
-	<!--
-		If a UK-registered entity is opted in to the export aggregate, it MUST
-		have a registrationInstant.
-	-->
-	<xsl:template match="md:EntityDescriptor
-		[descendant::mdrpi:RegistrationInfo[@registrationAuthority='http://ukfederation.org.uk']]
-		[md:Extensions/ukfedlabel:ExportOptIn]
-		[not(descendant::mdrpi:RegistrationInfo/@registrationInstant)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>exported entity lacks a registrationInstant value</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Restrict registrationAuthority values for UK federation entities, if present,
-		to previously used MDRPS document URLs.
-	-->
-	<xsl:template match="mdrpi:RegistrationInfo[@registrationAuthority='http://ukfederation.org.uk']
-		/mdrpi:RegistrationPolicy
-			[.!='http://ukfederation.org.uk/doc/mdrps-20130902']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid RegistrationPolicy value </xsl:text>
-				<xsl:value-of select="."/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
+
+
+    <!--
+        If a UK-registered entity is opted in to the export aggregate, it MUST
+        have a registrationInstant.
+    -->
+    <xsl:template match="md:EntityDescriptor
+        [descendant::mdrpi:RegistrationInfo[@registrationAuthority='http://ukfederation.org.uk']]
+        [md:Extensions/ukfedlabel:ExportOptIn]
+        [not(descendant::mdrpi:RegistrationInfo/@registrationInstant)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>exported entity lacks a registrationInstant value</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Restrict registrationAuthority values for UK federation entities, if present,
+        to previously used MDRPS document URLs.
+    -->
+    <xsl:template match="mdrpi:RegistrationInfo[@registrationAuthority='http://ukfederation.org.uk']
+        /mdrpi:RegistrationPolicy
+            [.!='http://ukfederation.org.uk/doc/mdrps-20130902']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid RegistrationPolicy value </xsl:text>
+                <xsl:value-of select="."/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/check_uk_urlenc.xsl b/mdx/uk/check_uk_urlenc.xsl
index d9806fc9..3f14f05c 100644
--- a/mdx/uk/check_uk_urlenc.xsl
+++ b/mdx/uk/check_uk_urlenc.xsl
@@ -1,32 +1,32 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_uk_urlenc.xsl
-	
+    check_uk_urlenc.xsl
+
     UKf-specific check for endpoint locations that include a '%' character,
     which is symptomatic of their being URL-encoded instead of entity-encoded.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
-
-
-	<xsl:template match="@Location[contains(., '%')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">URL-encoded Location attribute; should be entity-encoded</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
+
+
+    <xsl:template match="@Location[contains(., '%')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">URL-encoded Location attribute; should be entity-encoded</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/check_ukfedlabel.xsl b/mdx/uk/check_ukfedlabel.xsl
new file mode 100644
index 00000000..8d236355
--- /dev/null
+++ b/mdx/uk/check_ukfedlabel.xsl
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    check_ukfedlabel.xsl
+
+    Checking ruleset for the ukfedlabel namespace.
+
+-->
+<xsl:stylesheet version="1.0"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
+
+
+    <!--
+        Check for individual elements appearing more than once in
+        a single entity.
+    -->
+    <xsl:template match="md:EntityDescriptor[count(descendant::ukfedlabel:AccountableUsers)>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity must not have more than one ukfedlabel:AccountableUsers element</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:EntityDescriptor[count(descendant::ukfedlabel:ExportOptIn)>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity must not have more than one ukfedlabel:ExportOptIn element</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:EntityDescriptor[count(descendant::ukfedlabel:ExportOptOut)>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity must not have more than one ukfedlabel:ExportOptOut element</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:EntityDescriptor[count(descendant::ukfedlabel:Software)>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity must not have more than one ukfedlabel:Software element</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:EntityDescriptor[count(descendant::ukfedlabel:UKFederationMember)>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity must not have more than one ukfedlabel:UKFederationMember element</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for entities which are both opted in to and opted out from export.
+    -->
+    <xsl:template match="md:EntityDescriptor/md:Extensions[ukfedlabel:ExportOptIn][ukfedlabel:ExportOptOut]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity cannot be both opted in to and opted out from export</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/uk/check_ukreg.xsl b/mdx/uk/check_ukreg.xsl
index 728c0306..b29eea90 100644
--- a/mdx/uk/check_ukreg.xsl
+++ b/mdx/uk/check_ukreg.xsl
@@ -1,65 +1,53 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_ukreg.xsl
-	
-	Checking ruleset containing rules that only apply to metadata registered
-	by the UK federation's registrar function.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    check_ukreg.xsl
+
+    Checking ruleset containing rules that only apply to metadata registered
+    by the UK federation's registrar function.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+
+    xmlns:mdxMail="xalan://uk.ac.sdss.xalan.md.Mail"
+    extension-element-prefixes="mdxMail"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
+
 
-	xmlns:mdxMail="xalan://uk.ac.sdss.xalan.md.Mail"
-	extension-element-prefixes="mdxMail"
+    <!--
+        Check for badly formatted e-mail addresses.
+    -->
+    <xsl:template match="md:EmailAddress[mdxMail:dodgyAddress(.)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">badly formatted e-mail address: '<xsl:value-of select='.'/>'</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
+    <!--
+        Check for https:// locations that use an explicit but redundant port specifier.
+    -->
+    <xsl:template match="*[@Location and starts-with(@Location, 'https://')
+        and contains(@Location,':443/')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:value-of select='local-name()'/>
+                <xsl:text> Location </xsl:text>
+                <xsl:value-of select="@Location"/>
+                <xsl:text> not in standard form</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	
-	<!--
-		Check for badly formatted e-mail addresses.
-	-->
-	<xsl:template match="md:EmailAddress[mdxMail:dodgyAddress(.)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">badly formatted e-mail address: '<xsl:value-of select='.'/>'</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Check for https:// locations that use an explicit but redundant port specifier.
-	-->
-	<xsl:template match="*[@Location and starts-with(@Location, 'https://')
-		and contains(@Location,':443/')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:value-of select='local-name()'/>
-				<xsl:text> Location </xsl:text>
-				<xsl:value-of select="@Location"/>
-				<xsl:text> not in standard form</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Check for entities which are both opted in to and opted out from export.
-	-->
-	<xsl:template match="md:EntityDescriptor/md:Extensions[ukfedlabel:ExportOptIn][ukfedlabel:ExportOptOut]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>entity cannot be both opted in to and opted out from export</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/uk/collect.xml b/mdx/uk/collect.xml
index fa987eb6..fd7392f5 100644
--- a/mdx/uk/collect.xml
+++ b/mdx/uk/collect.xml
@@ -16,21 +16,22 @@
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-    
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:uk/beans.xml"/>
 
-    <bean id="serializeCollected" parent="SerializationStage">
+    <bean id="serializeCollected" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/uk/collected.xml"/>
             </bean>
         </property>
     </bean>
 
-    <bean id="collect" parent="SimplePipeline">
+    <bean id="collect" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_registeredEntities"/>
diff --git a/mdx/uk/entity_scopes.xsl b/mdx/uk/entity_scopes.xsl
index 66c3548f..34e74758 100644
--- a/mdx/uk/entity_scopes.xsl
+++ b/mdx/uk/entity_scopes.xsl
@@ -1,38 +1,38 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	entity_scopes.xsl
+    entity_scopes.xsl
 
-	Remove entity-level Scope elements, leaving only the ones associated
-	with role descriptors.
+    Remove entity-level Scope elements, leaving only the ones associated
+    with role descriptors.
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="md">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	<xsl:template match="md:EntityDescriptor/md:Extensions/shibmd:Scope">
-		<!-- remove entirely -->
-	</xsl:template>
-	
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    exclude-result-prefixes="md">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <xsl:template match="md:EntityDescriptor/md:Extensions/shibmd:Scope">
+        <!-- remove entirely -->
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/uk/final_tweak.xsl b/mdx/uk/final_tweak.xsl
index f27f7e9a..c52acc4c 100644
--- a/mdx/uk/final_tweak.xsl
+++ b/mdx/uk/final_tweak.xsl
@@ -1,183 +1,167 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	final_tweak.xsl
+    final_tweak.xsl
+
+    Final tweaks required for UK federation aggregates.
 
-	Final tweaks required for UK federation aggregates.
-	
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-
-	xmlns:date="http://exslt.org/dates-and-times"
-	xmlns:mdxDates="xalan://uk.ac.sdss.xalan.md.Dates"
-	extension-element-prefixes="date mdxDates"
-	
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="md">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	<!--
-		extraText
-		
-		This parameter, if present, provides additional text to be put in the
-		document comment.
-	-->
-	<xsl:param name="extraText"/>
-	
-	<!--
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+
+    xmlns:date="http://exslt.org/dates-and-times"
+    xmlns:mdxDates="xalan://uk.ac.sdss.xalan.md.Dates"
+    extension-element-prefixes="date mdxDates"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    exclude-result-prefixes="md">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <!--
+        extraText
+
+        This parameter, if present, provides additional text to be put in the
+        document comment.
+    -->
+    <xsl:param name="extraText"/>
+
+    <!--
         publisher
-        
+
         This parameter, if present, prompts the generation of a PublicationInfo
         element on the EntitiesDescriptor.
     -->
-	<xsl:param name="publisher"/>
-	
-	<!--
-		validityDays
-		
-		This parameter determines the number of days between the aggregation instant and the
-		end of validity of the signed metadata.
-	-->
-	<xsl:param name="validityDays" select="14"/>
-	
-	<xsl:variable name="now" select="date:date-time()"/>
-	<xsl:variable name="validUntil" select="mdxDates:dateAdd($now, $validityDays)"/>
-	
-	<!--
-		documentID
-		
-		This value is generated from a normalised version of the aggregation instant,
-		transformed so that it can be used as an XML ID value.
-		
-		Strict conformance to the SAML 2.0 metadata specification (section 3.1.2) requires
-		that the signature explicitly references an identifier attribute in the element
-		being signed, in this case the document element.
-	-->
-	<xsl:variable name="normalisedNow" select="mdxDates:dateAdd($now, 0)"/>
-	<xsl:variable name="documentID"
-		select="concat('uk', translate($normalisedNow, ':-', ''))"/>
-
-	<!--
-		Document root.
-	-->
-	<xsl:template match="/">
-		<xsl:call-template name="document.comment"/>
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	<!--
-		Document element.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:attribute name="validUntil">
-				<xsl:value-of select="$validUntil"/>
-			</xsl:attribute>
-			<xsl:attribute name="ID">
-				<xsl:value-of select="$documentID"/>
-			</xsl:attribute>
-			<xsl:apply-templates select="@*"/>
-			<xsl:call-template name="document.comment"/>
-			
-			<!--
+    <xsl:param name="publisher"/>
+
+    <!--
+        validityDays
+
+        This parameter determines the number of days between the aggregation instant and the
+        end of validity of the signed metadata.
+    -->
+    <xsl:param name="validityDays" select="14"/>
+
+    <xsl:variable name="now" select="date:date-time()"/>
+    <xsl:variable name="validUntil" select="mdxDates:dateAdd($now, $validityDays)"/>
+    <xsl:variable name="normalisedNow" select="mdxDates:dateAdd($now, 0)"/>
+
+    <!--
+        Document root.
+    -->
+    <xsl:template match="/">
+        <xsl:call-template name="document.comment"/>
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <!--
+        Document element.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:attribute name="validUntil">
+                <xsl:value-of select="$validUntil"/>
+            </xsl:attribute>
+            <xsl:apply-templates select="@*"/>
+            <xsl:call-template name="document.comment"/>
+
+            <!--
                 Add an Extensions element if there isn't one, but we need one
                 so that we can put a PublicationInfo inside it.
             -->
-			<xsl:if test="$publisher and not(md:Extensions)">
-				<xsl:text>&#10;</xsl:text>
-				<xsl:text>    </xsl:text>
-				<xsl:element name="md:Extensions">
-					<xsl:call-template name="generate.publicationInfo"/>
-					<xsl:text>&#10;</xsl:text>
-					<xsl:text>    </xsl:text>
-				</xsl:element>
-				<xsl:text>&#10;</xsl:text>
-			</xsl:if>
-			
-			<xsl:apply-templates select="node()"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-
-	<!--
-		Comment to be added to the top of the document, and just inside the document element.
-	-->
-	<xsl:template name="document.comment">
+            <xsl:if test="$publisher and not(md:Extensions)">
+                <xsl:text>&#10;</xsl:text>
+                <xsl:text>    </xsl:text>
+                <xsl:element name="md:Extensions">
+                    <xsl:call-template name="generate.publicationInfo"/>
+                    <xsl:text>&#10;</xsl:text>
+                    <xsl:text>    </xsl:text>
+                </xsl:element>
+                <xsl:text>&#10;</xsl:text>
+            </xsl:if>
+
+            <xsl:apply-templates select="node()"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+    <!--
+        Comment to be added to the top of the document, and just inside the document element.
+    -->
+    <xsl:template name="document.comment">
         <xsl:text>&#10;</xsl:text>
-		<xsl:comment>
-			<xsl:text>&#10;&#9;U K   F E D E R A T I O N   M E T A D A T A&#10;</xsl:text>
-			<xsl:text>&#10;</xsl:text>
-			<xsl:if test="$extraText">
-				<xsl:text>&#9;*** </xsl:text>
-				<xsl:value-of select="$extraText"/>
-				<xsl:text> ***&#10;</xsl:text>
-				<xsl:text>&#10;</xsl:text>
-			</xsl:if>
-			<xsl:text>&#9;Aggregate built </xsl:text>
+        <xsl:comment>
+            <xsl:text>&#10;&#9;U K   F E D E R A T I O N   M E T A D A T A&#10;</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+            <xsl:if test="$extraText">
+                <xsl:text>&#9;*** </xsl:text>
+                <xsl:value-of select="$extraText"/>
+                <xsl:text> ***&#10;</xsl:text>
+                <xsl:text>&#10;</xsl:text>
+            </xsl:if>
+            <xsl:text>&#9;Aggregate built </xsl:text>
             <xsl:value-of select="$normalisedNow"/>
             <xsl:if test="string($normalisedNow) != string($now)">
                 <xsl:text> (</xsl:text>
                 <xsl:value-of select="$now"/>
                 <xsl:text> local)</xsl:text>
             </xsl:if>
-			<xsl:text>&#10;</xsl:text>
-			<xsl:text>&#10;</xsl:text>
-			<xsl:text>&#9;Aggregate valid for </xsl:text>
-			<xsl:value-of select="$validityDays"/>
-			<xsl:text> days, until </xsl:text>
-			<xsl:value-of select="$validUntil"/>
-			<xsl:text>&#10;</xsl:text>
-		</xsl:comment>
-	</xsl:template>
-	
-	<!--
+            <xsl:text>&#10;</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+            <xsl:text>&#9;Aggregate valid for </xsl:text>
+            <xsl:value-of select="$validityDays"/>
+            <xsl:text> days, until </xsl:text>
+            <xsl:value-of select="$validUntil"/>
+            <xsl:text>&#10;</xsl:text>
+        </xsl:comment>
+    </xsl:template>
+
+    <!--
         Document element's Extensions.
-        
+
         Insert a PublicationInfo at the top, if required.
     -->
-	<xsl:template match="/md:EntitiesDescriptor/md:Extensions">
-		<xsl:copy>
-			<xsl:if test="$publisher">
-				<xsl:call-template name="generate.publicationInfo"/>
-			</xsl:if>
-			<xsl:apply-templates select="node()"/>
-		</xsl:copy>
-	</xsl:template>
-	
-	<!--
+    <xsl:template match="/md:EntitiesDescriptor/md:Extensions">
+        <xsl:copy>
+            <xsl:if test="$publisher">
+                <xsl:call-template name="generate.publicationInfo"/>
+            </xsl:if>
+            <xsl:apply-templates select="node()"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <!--
         PublicationInfo generation.
-        
+
         Assumption: called at the start of the document element's Extensions, at 4-space
         indentation, so the element itself requires 8-space indentation.
     -->
-	<xsl:template name="generate.publicationInfo">
-		<xsl:text>&#10;</xsl:text>
-		<xsl:text>        </xsl:text>
-		<xsl:element name="mdrpi:PublicationInfo">
-			<xsl:attribute name="publisher">
-				<xsl:value-of select="$publisher"/>
-			</xsl:attribute>
-			<xsl:attribute name="creationInstant">
-				<xsl:value-of select="$normalisedNow"/>
-			</xsl:attribute>
-		</xsl:element>
-	</xsl:template>
-	
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
+    <xsl:template name="generate.publicationInfo">
+        <xsl:text>&#10;</xsl:text>
+        <xsl:text>        </xsl:text>
+        <xsl:element name="mdrpi:PublicationInfo">
+            <xsl:attribute name="publisher">
+                <xsl:value-of select="$publisher"/>
+            </xsl:attribute>
+            <xsl:attribute name="creationInstant">
+                <xsl:value-of select="$normalisedNow"/>
+            </xsl:attribute>
+        </xsl:element>
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/uk/fix_mailto.xsl b/mdx/uk/fix_mailto.xsl
index b25f1793..1c99b1e5 100644
--- a/mdx/uk/fix_mailto.xsl
+++ b/mdx/uk/fix_mailto.xsl
@@ -1,40 +1,40 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	fix_mailto.xsl
+    fix_mailto.xsl
+
+    Add "mailto:" scheme to e-mail addresses if not already present.
 
-	Add "mailto:" scheme to e-mail addresses if not already present.
-	
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="md">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	<xsl:template match="md:EmailAddress[not(starts-with(., 'mailto:'))]">
-		<xsl:copy>
-			<xsl:apply-templates select="@*"/>
-			<xsl:text>mailto:</xsl:text>
-			<xsl:value-of select="."/>
-		</xsl:copy>
-	</xsl:template>
-	
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    exclude-result-prefixes="md">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <xsl:template match="md:EmailAddress[not(starts-with(., 'mailto:'))]">
+        <xsl:copy>
+            <xsl:apply-templates select="@*"/>
+            <xsl:text>mailto:</xsl:text>
+            <xsl:value-of select="."/>
+        </xsl:copy>
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/uk/fixup_keyuse.xsl b/mdx/uk/fixup_keyuse.xsl
deleted file mode 100644
index 126069b6..00000000
--- a/mdx/uk/fixup_keyuse.xsl
+++ /dev/null
@@ -1,52 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-	fixup_keyuse.xsl
-	
--->
-<xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="xsl">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	
-	<!--
-		Patch any @use-less KeyDescriptor elements in IdP roles
-		for the benefit of Shib SPs pre-1.3.1.
-	-->
-	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)] |
-		md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:copy>
-			<xsl:attribute name="use">signing</xsl:attribute>
-			<xsl:apply-templates/>
-		</xsl:copy>
-	</xsl:template>
-	
-	
-	<!--
-        *********************************************
-        ***                                       ***
-        ***   D E F A U L T   T E M P L A T E S   ***
-        ***                                       ***
-        *********************************************
-    -->
-    
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
-</xsl:stylesheet>
diff --git a/mdx/uk/fragment.xsl b/mdx/uk/fragment.xsl
index f0a7ef0b..87375526 100644
--- a/mdx/uk/fragment.xsl
+++ b/mdx/uk/fragment.xsl
@@ -1,73 +1,73 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	fragment.xsl
-	
-	XSL stylesheet to perform any required clean-up on a UK federation fragment file
-	before it is passed along to other processes.
-	
+    fragment.xsl
+
+    XSL stylesheet to perform any required clean-up on a UK federation fragment file
+    before it is passed along to other processes.
+
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="xsi xsl">
+    exclude-result-prefixes="xsi xsl">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+
+    <!--
+        Remove any xsi:schemaLocation attributes.
+    -->
+    <xsl:template match="@xsi:schemaLocation"/>
 
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
 
+    <!--
+        Discard various ds:X509 elements.  Several of these are known to
+        cause problems with software systems, and they don't affect trust
+        establishment so are safe to remove.
+    -->
+    <xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
+    <xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
 
-	<!--
-		Remove any xsi:schemaLocation attributes.
-	-->
-	<xsl:template match="@xsi:schemaLocation"/>
 
+    <!--
+        Retain only certain comments.
+    -->
 
-	<!--
-		Discard various ds:X509 elements.  Several of these are known to
-		cause problems with software systems, and they don't affect trust
-		establishment so are safe to remove.
-	-->
-	<xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
-	<xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
-	
+    <xsl:template match="md:EntityDescriptor/comment()">
+        <xsl:copy/>
+    </xsl:template>
 
-	<!--
-		Retain only certain comments.
-	-->
-	
-	<xsl:template match="md:EntityDescriptor/comment()">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--
-		All other comments are stripped by the default templates.
-	-->
+    <!--
+        All other comments are stripped by the default templates.
+    -->
 
 
-	<!--
+    <!--
         *********************************************
         ***                                       ***
         ***   D E F A U L T   T E M P L A T E S   ***
         ***                                       ***
         *********************************************
     -->
-    
-
-	<!--By default, copy text blocks and attributes unchanged.-->
-	<xsl:template match="text()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
+
+
+    <!--By default, copy text blocks and attributes unchanged.-->
+    <xsl:template match="text()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index d4fcbaaa..0c679ef1 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -16,13 +16,13 @@
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-    
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:uk/beans.xml"/>
     <import resource="classpath:uk/blacklist.xml"/>
-    
+
     <!--
         Import beans from other channels.
     -->
@@ -36,23 +36,23 @@
         ***                       ***
         *****************************
     -->
-    
+
     <!--
         stripEntityScopes
-    
+
         Remove entity-level Scope elements, leaving only the ones associated
-        with role descriptors.    
+        with role descriptors.
     -->
-    <bean id="stripEntityScopes" parent="XSLTransformationStage"
+    <bean id="stripEntityScopes" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/entity_scopes.xsl"/>
-    
+
     <!--
         finalise_parent
-        
+
         Template for a stage used in each output pipeline which performs
         final tweaks on the document.
     -->
-    <bean id="finalise_parent" abstract="true" parent="XSLTransformationStage"
+    <bean id="finalise_parent" abstract="true" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/final_tweak.xsl">
         <property name="transformParameters">
             <map>
@@ -60,56 +60,16 @@
             </map>
         </property>
     </bean>
-    
-    
-    <!--
-        ***********************
-        ***                 ***
-        ***   F I X U P S   ***
-        ***                 ***
-        ***********************
-    -->
-    
-    <!--
-        Published UK federation metadata for consumption by federation
-        members has a couple of restrictions arising from known bugs in
-        early software.  We address these by "fixups" which transform the
-        metadata into a form which doesn't trigger the bug, and verify that
-        each constraints is met before publication.
-        
-        We apply fixups "late" in each publication pipeline, so that
-        the metadata is only transformed if required for a particular
-        output document.  Our export aggregate, for example, does
-        not have any of the fixups applied.
-        
-        In the long term, we'd hope to retire these fixups entirely as the
-        software they to cater for is retired.
-    -->
-    
-    <!--
-        fixup_keyuse
-        
-        Patch any @use-less KeyName descriptors in IdP roles
-        for the benefit of Shib SPs pre-1.3.1.
-    -->
-    <bean id="fixup_keyuse" parent="XSLTransformationStage"
-        p:XSLResource="classpath:uk/fixup_keyuse.xsl"/>
-    
-    <!--
-        check_fixup_keyuse
-    -->
-    <bean id="check_fixup_keyuse" parent="XSLValidationStage"
-        p:XSLResource="classpath:uk/check_fixup_keyuse.xsl"/>
-    
+
     <!--
         checkPublishable
-        
+
         Check an aggregate metadata document for publishability.  This is applied during
         all UK publication flows prior to any signature step.  It is not applied to
         export flows, for which we desire the closest possible correspondence to
         the registered metadata.
     -->
-    <bean id="checkPublishable" parent="CompositeStage">
+    <bean id="checkPublishable" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="checkSchemas"/>
@@ -120,6 +80,18 @@
         </property>
     </bean>
 
+    <!--
+        setStaticID
+
+        Set the item's ID attribute to the static string "_".
+    -->
+    <bean id="setStaticID" parent="mda.GenerateIdStage">
+        <constructor-arg>
+            <bean parent="ukf.FixedStringIdentifierGenerationStrategy" c:_="_"/>
+        </constructor-arg>
+    </bean>
+
+
     <!--
         *****************************************
         ***                                   ***
@@ -131,7 +103,7 @@
     <!--
         Entity attribute matcher for the SIRTFI assurance certification.
     -->
-    <bean id="SIRTFI.entity.attribute.matcher" parent="MultiPredicateMatcher">
+    <bean id="SIRTFI.entity.attribute.matcher" parent="mda.MultiPredicateMatcher">
         <property name="nameFormatPredicate">
             <bean class="com.google.common.base.Predicates"
                 factory-method="equalTo"
@@ -155,24 +127,24 @@
     <!--
         Remove the REFEDS metadata namespace.
     -->
-    <bean id="strip.remd.namespace" parent="NamespaceStrippingStage"
+    <bean id="strip.remd.namespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="remd_namespace"/>
 
     <!--
         Strip SIRTFI information.
     -->
-    <bean id="strip.SIRTFI" parent="CompositeStage">
+    <bean id="strip.SIRTFI" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <!-- remove REFEDS contacts associated with SIRTFI -->
-                <bean id="strip.SIRTFI.contacts" parent="XSLTransformationStage"
+                <bean id="strip.SIRTFI.contacts" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/strip_sirtfi_contacts.xsl"/>
 
                 <!-- remove the REFEDS metadata namespace -->
                 <ref bean="strip.remd.namespace"/>
 
                 <!-- remove the SIRTFI entity attribute -->
-                <bean id="entityAttributes" parent="EntityAttributeFilteringStage"
+                <bean id="entityAttributes" parent="mda.EntityAttributeFilteringStage"
                     p:whitelisting="false">
                     <property name="rules">
                         <list>
@@ -194,13 +166,13 @@
 
     <!--
         removeUKEntities
-        
+
         Filter out entities which declare themselves as registered
         by the UK federation.  We don't want those coming back in
         from another registrar or metadata exchange as they may be
         old versions of entities we have deregistered, or spoofed.
     -->
-    <bean id="removeUKEntities" parent="EntityRegistrationAuthorityFilterStage">
+    <bean id="removeUKEntities" parent="mda.EntityRegistrationAuthorityFilterStage">
         <property name="designatedRegistrationAuthorities">
             <list>
                 <ref bean="uk_ukf_registrar"/>
@@ -212,84 +184,56 @@
 
     <!--
         removeBlacklistedEntities
-        
+
         Filter out entities which are included in our global import blacklist.
     -->
-    <bean id="removeBlacklistedEntities" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntityFilterStage"
+    <bean id="removeBlacklistedEntities" parent="mda.EntityFilterStage"
         p:whitelistingEntities="false"
         p:designatedEntities-ref="importEntityBlacklist"/>
 
     <!--
         importCommonTail
-        
+
         Common actions to be performed on each import pipeline.
     -->
-    <bean id="importCommonTail" parent="CompositeStage">
+    <bean id="importCommonTail" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="removeUKEntities"/>
                 <ref bean="removeBlacklistedEntities"/>
                 <ref bean="standardImportActions"/>
-                
+
                 <!--
                     Silently remove entities which are marked as
                     having errors.
                 -->
                 <ref bean="errorRemover"/>
-                
+
                 <ref bean="uk_fix_mailto"/>
             </list>
         </property>
     </bean>
 
-    <bean id="entityAttributes.blacklist" parent="EntityAttributeFilteringStage">
+    <bean id="entityAttributes.blacklist" parent="mda.EntityAttributeFilteringStage">
         <property name="whitelisting" value="false"/>
         <property name="rules">
             <list>
                 <!-- Deny "InCommon registration" attribute (duplicates mdrpi:registrationAuthority) -->
-                <bean parent="EntityCategoryMatcher"
+                <bean parent="mda.EntityCategoryMatcher"
                     c:category="http://id.incommon.org/category/registered-by-incommon"/>
 
                 <!-- Deny InCommon "supports InCommon R+S" attribute (duplicates REFEDS variant) -->
-                <bean parent="EntityCategorySupportMatcher"
+                <bean parent="mda.EntityCategorySupportMatcher"
                     c:category="http://id.incommon.org/category/research-and-scholarship"/>
             </list>
         </property>
     </bean>
 
-    <bean id="entityAttributes.whitelist" parent="EntityAttributeFilteringStage">
-        <property name="whitelisting" value="true"/>
-        <property name="rules">
-            <list>
-                <!-- Permit GÉANT CoC category from any eduGAIN participant. -->
-                <bean parent="EntityCategoryMatcher"
-                    c:category="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>
-                
-                <!-- Permit REFEDS Hide From Discovery category from any eduGAIN participant. -->
-                <bean parent="EntityCategoryMatcher"
-                    c:category="http://refeds.org/category/hide-from-discovery"/>
-                
-                <!-- Permit REFEDS R&S category from any eduGAIN participant. -->
-                <bean parent="EntityCategoryMatcher"
-                    c:category="http://refeds.org/category/research-and-scholarship"/>
-                
-                <!-- Permit REFEDS R&S category *support* from any eduGAIN participant. -->
-                <bean parent="EntityCategorySupportMatcher"
-                    c:category="http://refeds.org/category/research-and-scholarship"/>
-                
-                <!-- Permit SIRTFI entity attribute from any eduGAIN participant -->
-                <ref bean="SIRTFI.entity.attribute.matcher"/>
-                
-            </list>
-        </property>
-    </bean>
-    
-    <bean id="uk_int_edugain_importPipeline" parent="SimplePipeline">
+    <bean id="uk_int_edugain_importPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
-                
+
                 <!--
                     Entity Attribute policy for entities from eduGAIN participants.
                 -->
@@ -299,8 +243,8 @@
             </list>
         </property>
     </bean>
-    
-    
+
+
     <!--
         ***************************************************
         ***                                             ***
@@ -308,7 +252,7 @@
         ***                                             ***
         ***************************************************
     -->
-    
+
     <bean id="uk_finaliseProduction" parent="finalise_parent">
         <property name="transformParameters">
             <map>
@@ -317,15 +261,16 @@
         </property>
     </bean>
 
-    <bean id="serializeUnsignedProductionAggregate" parent="SerializationStage">
+    <bean id="serializeUnsignedProductionAggregate" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-metadata-unsigned.xml"/>
             </bean>
         </property>
     </bean>
 
-    <bean id="uk_productionPipeline" parent="SimplePipeline">
+    <bean id="uk_productionPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
@@ -333,24 +278,21 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
-                <ref bean="entityAttributes.whitelist"/>
+
                 <ref bean="uk_assemble"/>
-                <ref bean="stripWayfNamespace"/>
-                <ref bean="fixup_keyuse"/>
                 <ref bean="uk_finaliseProduction"/>
+                <ref bean="setStaticID"/>
                 <ref bean="uk_normaliseNamespaces"/>
-                
+
                 <!-- production aggregate MUST pass publishability test -->
-                <ref bean="check_fixup_keyuse"/>
                 <ref bean="checkPublishable"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="serializeUnsignedProductionAggregate"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         ***************************************
         ***                                 ***
@@ -358,14 +300,14 @@
         ***                                 ***
         ***************************************
     -->
-    
+
     <!--
-    	Select all entities which are not both:
-    	
-    	   * identity providers, and
-    	   * members of the "hide from discovery" entity category.
+        Select all entities which are not both:
+
+           * identity providers, and
+           * members of the "hide from discovery" entity category.
     -->
-    <bean id="uk_wayfSelector" parent="XPathItemSelectionStrategy">
+    <bean id="uk_wayfSelector" parent="mda.XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[not(md:IDPSSODescriptor and
             md:Extensions[mdattr:EntityAttributes/saml:Attribute
                 [@Name = 'http://macedir.org/entity-category']
@@ -374,16 +316,17 @@
             ])]"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
-    
-    <bean id="serializeUnsignedWayfAggregate" parent="SerializationStage">
+
+    <bean id="serializeUnsignedWayfAggregate" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-wayf-unsigned.xml"/>
             </bean>
         </property>
     </bean>
-    
-    <bean id="uk_wayfPipeline" parent="SimplePipeline">
+
+    <bean id="uk_wayfPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
@@ -396,7 +339,7 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="uk_assemble"/>
 
                 <!--
@@ -405,14 +348,13 @@
                 <ref bean="stripMDUILogoData"/>
                 <ref bean="stripEmptyMDUIUIInfo"/>
                 <ref bean="stripEmptyExtensions"/>
-                
+
                 <ref bean="stripMdattrNamespace"/>
-                <ref bean="fixup_keyuse"/>
                 <ref bean="uk_finaliseProduction"/>
+                <ref bean="setStaticID"/>
                 <ref bean="uk_normaliseNamespaces"/>
 
                 <!-- WAYF aggregate MUST pass publishability test -->
-                <ref bean="check_fixup_keyuse"/>
                 <ref bean="checkPublishable"/>
                 <ref bean="errorTerminatingFilter"/>
 
@@ -420,7 +362,7 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         ***************************************
         ***                                 ***
@@ -428,26 +370,25 @@
         ***                                 ***
         ***************************************
     -->
-    
+
     <!--
         CDSStripUnwanted
-        
+
         The CDS needs only a very restricted subset of
         normal metadata in order to do its job.  This stage
         removes everything it does not need.
     -->
-    <bean id="CDSStripUnwanted" parent="CompositeStage">
+    <bean id="CDSStripUnwanted" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="stripComments"/>
-                
+
                 <ref bean="stripAlgNamespace"/>
                 <ref bean="stripInitNamespace"/>
                 <ref bean="stripMdattrNamespace"/>
                 <ref bean="stripMdrpiNamespace"/>
                 <ref bean="stripUkfedlabelNamespace"/>
-                <ref bean="stripWayfNamespace"/>
-                
+
                 <ref bean="stripArtifactResolutionService"/>
                 <ref bean="stripAttributeAuthorityDescriptor"/>
                 <ref bean="stripAttributeConsumingService"/>
@@ -456,15 +397,15 @@
                 <ref bean="stripManageNameIDService"/>
                 <ref bean="stripNameIDFormat"/>
                 <ref bean="stripSingleLogoutService"/>
-                
+
                 <ref bean="stripShibScope"/>
-                
+
                 <!-- remove any now-empty Extensions elements -->
                 <ref bean="stripEmptyExtensions"/>
             </list>
         </property>
     </bean>
-    
+
     <bean id="CDSFinalise" parent="finalise_parent">
         <property name="transformParameters">
             <map>
@@ -474,8 +415,8 @@
             </map>
         </property>
     </bean>
-    
-    <bean id="CDSNormaliseNamespaces" parent="XSLTransformationStage"
+
+    <bean id="CDSNormaliseNamespaces" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_cds.xsl"/>
 
     <!--
@@ -485,26 +426,27 @@
         ***                                     ***
         *******************************************
     -->
-    
+
     <!--
         Entities in the CDSALL aggregate are restricted to those entities registered by the
         UK federation plus all identity providers from whatever source.
     -->
-    <bean id="CDSAllSelector" parent="XPathItemSelectionStrategy">
+    <bean id="CDSAllSelector" parent="mda.XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[md:IDPSSODescriptor or
             md:Extensions/mdrpi:RegistrationInfo/@registrationAuthority = 'http://ukfederation.org.uk']"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
-    
-    <bean id="serializeCDSAllAggregate" parent="SerializationStage">
+
+    <bean id="serializeCDSAllAggregate" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-cdsall-unsigned.xml"/>
             </bean>
         </property>
     </bean>
-    
-    <bean id="CDSAllPipeline" parent="SimplePipeline">
+
+    <bean id="CDSAllPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
@@ -512,13 +454,13 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <!-- make an aggregate first so that we're only traversing one item -->
                 <ref bean="uk_assemble"/>
-                
+
                 <!-- remove many things that the CDS doesn't look at -->
                 <ref bean="CDSStripUnwanted"/>
-                
+
                 <!--
                     Remove embedded images used in mdui:Logo elements.
                 -->
@@ -527,17 +469,18 @@
                 <ref bean="stripEmptyExtensions"/>
 
                 <ref bean="CDSFinalise"/>
+                <ref bean="setStaticID"/>
                 <ref bean="CDSNormaliseNamespaces"/>
-                
+
                 <!-- schema validity check MUST pass -->
                 <ref bean="checkSchemas"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="serializeCDSAllAggregate"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         ***********************************************
         ***                                         ***
@@ -545,7 +488,7 @@
         ***                                         ***
         ***********************************************
     -->
-    
+
     <bean id="uk_finaliseFallback" parent="finalise_parent">
         <property name="transformParameters">
             <map>
@@ -554,19 +497,20 @@
             </map>
         </property>
     </bean>
-    
-    <bean id="uk_normaliseFallback" parent="XSLTransformationStage"
+
+    <bean id="uk_normaliseFallback" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_back.xsl"/>
-    
-    <bean id="serializeUnsignedFallbackAggregate" parent="SerializationStage">
+
+    <bean id="serializeUnsignedFallbackAggregate" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-back-unsigned.xml"/>
             </bean>
         </property>
     </bean>
-    
-    <bean id="uk_fallbackPipeline" parent="SimplePipeline">
+
+    <bean id="uk_fallbackPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
@@ -574,25 +518,22 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
-                <ref bean="entityAttributes.whitelist"/>
+
                 <ref bean="uk_assemble"/>
-                <ref bean="stripWayfNamespace"/>
-                <ref bean="fixup_keyuse"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseFallback"/>
+                <ref bean="setStaticID"/>
                 <ref bean="uk_normaliseFallback"/>
-                
+
                 <!-- fallback aggregate MUST pass publishability test -->
-                <ref bean="check_fixup_keyuse"/>
                 <ref bean="checkPublishable"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="serializeUnsignedFallbackAggregate"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         ***************************************
         ***                                 ***
@@ -600,7 +541,7 @@
         ***                                 ***
         ***************************************
     -->
-    
+
     <bean id="uk_finaliseTest" parent="finalise_parent">
         <property name="transformParameters">
             <map>
@@ -609,19 +550,20 @@
             </map>
         </property>
     </bean>
-    
-    <bean id="uk_normaliseTest" parent="XSLTransformationStage"
+
+    <bean id="uk_normaliseTest" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_test.xsl"/>
-    
-    <bean id="serializeUnsignedTestAggregate" parent="SerializationStage">
+
+    <bean id="serializeUnsignedTestAggregate" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-test-unsigned.xml"/>
             </bean>
         </property>
     </bean>
-    
-    <bean id="uk_testPipeline" parent="CompositeStage">
+
+    <bean id="uk_testPipeline" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <!--
@@ -629,16 +571,18 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
+                <ref bean="uk_strip_UKFederationMember"/>
                 <ref bean="uk_assemble"/>
-                <ref bean="stripWayfNamespace"/>
+                <ref bean="stripEntityScopes"/>
                 <ref bean="uk_finaliseTest"/>
+                <ref bean="setStaticID"/>
                 <ref bean="uk_normaliseTest"/>
-                
+
                 <!-- test aggregate MUST pass publishability test -->
                 <ref bean="checkPublishable"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="serializeUnsignedTestAggregate"/>
             </list>
         </property>
@@ -651,7 +595,7 @@
         ***                                     ***
         *******************************************
     -->
-    
+
     <bean id="uk_finaliseExport" parent="finalise_parent">
         <property name="transformParameters">
             <map>
@@ -660,40 +604,38 @@
             </map>
         </property>
     </bean>
-    
-    <bean id="uk_normaliseExport" parent="XSLTransformationStage"
-        p:XSLResource="classpath:uk/ns_norm_export.xsl"/>
-    
-    <bean id="uk_exportSelector" parent="XPathItemSelectionStrategy">
+
+    <bean id="uk_exportSelector" parent="mda.XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[not(md:Extensions/ukfedlabel:ExportOptOut)]"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
-    
-    <bean id="serializeUnsignedExportAggregate" parent="SerializationStage">
+
+    <bean id="serializeUnsignedExportAggregate" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-export-unsigned.xml"/>
             </bean>
         </property>
     </bean>
-    
-    <bean id="uk_exportPipeline" parent="SimplePipeline">
+
+    <bean id="uk_exportPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
                     Additional rules excluding entities from the aggregate.
-                    
+
                     The basic rule (expressed in uk_exportPreviewSelector) is that
                     entities are excluded if they do not have the ExportOptOut label.
                     Additional rules below are applied to entities which do not
                     have the ExportOptIn label: in other words, a rule in this section
                     can always be overridden by an explicit ExportOptIn.
                 -->
-                <bean id="exclusion" parent="SplitMergeStage">
-                    
+                <bean id="exclusion" parent="mda.SplitMergeStage">
+
                     <!-- select entities with ExportOptIn label -->
                     <property name="selectionStrategy">
-                        <bean parent="XPathItemSelectionStrategy">
+                        <bean parent="mda.XPathItemSelectionStrategy">
                             <constructor-arg value="/md:EntityDescriptor[md:Extensions/ukfedlabel:ExportOptIn]"/>
                             <constructor-arg ref="commonNamespaces"/>
                         </bean>
@@ -704,39 +646,43 @@
                         matching specific rules.
                     -->
                     <property name="nonselectedItemPipeline">
-                        <bean id="nonSelectedItemPipeline" parent="SimplePipeline">
+                        <bean id="nonSelectedItemPipeline" parent="mda.SimplePipeline">
                             <property name="stages">
                                 <list>
-                                    
+
                                     <!-- Identity providers lacking support for SAML 2.0 -->
-                                    <bean id="SAML1onlyIdPs" parent="XPathFilteringStage"
+                                    <bean id="SAML1onlyIdPs" parent="mda.XPathFilteringStage"
+                                        p:namespaceContext-ref="commonNamespaces"
                                         p:XPathExpression="md:IDPSSODescriptor
                                         [not(contains(@protocolSupportEnumeration,'urn:oasis:names:tc:SAML:2.0:protocol'))]">
                                     </bean>
-                                    
+
                                     <!-- Aggregated schools sector identity providers -->
                                     <!--
                                         Preferred implementation:
-                                        
-                                        <bean id="syntheticScopes" parent="XPathFilteringStage"
+
+                                        <bean id="syntheticScopes" parent="mda.XPathFilteringStage"
+                                            p:namespaceContext-ref="commonNamespaces"
                                             p:XPathExpression="shibmd:Scope[ends-with(., '.eng.ukfederation.org.uk']"/>
-                                        
+
                                         Unfortunately, the "ends-with" function is an XPath 2 feature, so we settle for
                                         using "contains" instead; in our case it is equivalent.
                                     -->
-                                    <bean id="syntheticScopes" parent="XPathFilteringStage"
+                                    <bean id="syntheticScopes" parent="mda.XPathFilteringStage"
+                                        p:namespaceContext-ref="commonNamespaces"
                                         p:XPathExpression="//shibmd:Scope[contains(., '.eng.ukfederation.org.uk')]"/>
                                     <!-- Specific providers not caught by the previous condition -->
-                                    <bean id="GlowScotland" parent="EntityFilterStage">
+                                    <bean id="GlowScotland" parent="mda.EntityFilterStage">
                                         <property name="designatedEntities">
                                             <set>
                                                 <value>https://idp.glowscotland.org.uk/shibboleth</value>
                                             </set>
                                         </property>
                                     </bean>
-                                    
+
                                     <!-- Identity providers with regular expression scopes -->
-                                    <bean id="regexScopes" parent="XPathFilteringStage"
+                                    <bean id="regexScopes" parent="mda.XPathFilteringStage"
+                                        p:namespaceContext-ref="commonNamespaces"
                                         p:XPathExpression="//shibmd:Scope[@regexp='true']"/>
                                 </list>
                             </property>
@@ -749,18 +695,20 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="stripUkfedlabelNamespace"/>
-                <ref bean="stripWayfNamespace"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseExport"/>
-                <ref bean="uk_normaliseExport"/>
-                
+                <ref bean="setStaticID"/>
+
+                <bean id="uk_normaliseExport" parent="mda.XSLTransformationStage"
+                    p:XSLResource="classpath:uk/ns_norm_export.xsl"/>
+
                 <!--
                     Schema validity and other checks MUST pass.
-                    
+
                     These are a subset of the publishability tests applied to
                     aggregates published to federation members.
                 -->
@@ -768,12 +716,12 @@
                 <ref bean="check_aggregate"/>
                 <ref bean="check_namespaces"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="serializeUnsignedExportAggregate"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         ***********************************************************
         ***                                                     ***
@@ -781,29 +729,29 @@
         ***                                                     ***
         ***********************************************************
     -->
-    
-    <bean id="uk_exportPreviewSelector" parent="XPathItemSelectionStrategy">
+
+    <bean id="uk_exportPreviewSelector" parent="mda.XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[not(md:Extensions/ukfedlabel:ExportOptOut)]"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
-    
-    <bean id="uk_exportPreviewPipeline" parent="SimplePipeline">
+
+    <bean id="uk_exportPreviewPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
                     Additional rules excluding entities from the aggregate.
-                    
+
                     The basic rule (expressed in uk_exportPreviewSelector) is that
                     entities are excluded if they do not have the ExportOptOut label.
                     Additional rules below are applied to entities which do not
                     have the ExportOptIn label: in other words, a rule in this section
                     can always be overridden by an explicit ExportOptIn.
                 -->
-                <bean id="exclusion" parent="SplitMergeStage">
+                <bean id="exclusion" parent="mda.SplitMergeStage">
 
                     <!-- select entities with ExportOptIn label -->
                     <property name="selectionStrategy">
-                        <bean parent="XPathItemSelectionStrategy">
+                        <bean parent="mda.XPathItemSelectionStrategy">
                             <constructor-arg value="/md:EntityDescriptor[md:Extensions/ukfedlabel:ExportOptIn]"/>
                             <constructor-arg ref="commonNamespaces"/>
                         </bean>
@@ -814,12 +762,13 @@
                         matching specific rules.
                     -->
                     <property name="nonselectedItemPipeline">
-                        <bean id="nonSelectedItemPipeline" parent="SimplePipeline">
+                        <bean id="nonSelectedItemPipeline" parent="mda.SimplePipeline">
                             <property name="stages">
                                 <list>
 
                                     <!-- Identity providers lacking support for SAML 2.0 -->
-                                    <bean id="SAML1onlyIdPs" parent="XPathFilteringStage"
+                                    <bean id="SAML1onlyIdPs" parent="mda.XPathFilteringStage"
+                                        p:namespaceContext-ref="commonNamespaces"
                                         p:XPathExpression="md:IDPSSODescriptor
                                             [not(contains(@protocolSupportEnumeration,'urn:oasis:names:tc:SAML:2.0:protocol'))]">
                                     </bean>
@@ -827,17 +776,19 @@
                                     <!-- Aggregated schools sector identity providers -->
                                     <!--
                                         Preferred implementation:
-                                        
-                                        <bean id="syntheticScopes" parent="XPathFilteringStage"
+
+                                        <bean id="syntheticScopes" parent="mda.XPathFilteringStage"
+                                            p:namespaceContext-ref="commonNamespaces"
                                             p:XPathExpression="shibmd:Scope[ends-with(., '.eng.ukfederation.org.uk']"/>
-                                        
+
                                         Unfortunately, the "ends-with" function is an XPath 2 feature, so we settle for
                                         using "contains" instead; in our case it is equivalent.
                                     -->
-                                    <bean id="syntheticScopes" parent="XPathFilteringStage"
+                                    <bean id="syntheticScopes" parent="mda.XPathFilteringStage"
+                                        p:namespaceContext-ref="commonNamespaces"
                                         p:XPathExpression="//shibmd:Scope[contains(., '.eng.ukfederation.org.uk')]"/>
                                     <!-- Specific providers not caught by the previous condition -->
-                                    <bean id="GlowScotland" parent="EntityFilterStage">
+                                    <bean id="GlowScotland" parent="mda.EntityFilterStage">
                                         <property name="designatedEntities">
                                             <set>
                                                 <value>https://idp.glowscotland.org.uk/shibboleth</value>
@@ -846,7 +797,8 @@
                                     </bean>
 
                                     <!-- Identity providers with regular expression scopes -->
-                                    <bean id="regexScopes" parent="XPathFilteringStage"
+                                    <bean id="regexScopes" parent="mda.XPathFilteringStage"
+                                        p:namespaceContext-ref="commonNamespaces"
                                         p:XPathExpression="//shibmd:Scope[@regexp='true']"/>
                                 </list>
                             </property>
@@ -859,18 +811,20 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="stripUkfedlabelNamespace"/>
-                <ref bean="stripWayfNamespace"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseExport"/>
-                <ref bean="uk_normaliseExport"/>
-                
+                <ref bean="setStaticID"/>
+
+                <bean id="uk_normaliseExportPreview" parent="mda.XSLTransformationStage"
+                    p:XSLResource="classpath:uk/ns_norm_export_preview.xsl"/>
+
                 <!--
                     Schema validity and other checks MUST pass.
-                    
+
                     These are a subset of the publishability tests applied to
                     aggregates published to federation members.
                 -->
@@ -878,15 +832,16 @@
                 <ref bean="check_aggregate"/>
                 <ref bean="check_namespaces"/>
                 <ref bean="errorTerminatingFilter"/>
-                
-                <bean id="serializeUnsignedExportPreviewAggregate" parent="SerializationStage">
+
+                <bean id="serializeUnsignedExportPreviewAggregate" parent="mda.SerializationStage">
+                    <property name="serializer" ref="serializer"/>
                     <property name="outputFile">
-                        <bean class="java.io.File">
+                        <bean parent="File">
                             <constructor-arg value="${output.dir}/ukfederation-export-preview-unsigned.xml"/>
                         </bean>
                     </property>
                 </bean>
-                
+
             </list>
         </property>
     </bean>
@@ -899,32 +854,32 @@
         ***                               ***
         *************************************
     -->
-    
-    <bean id="generate" parent="SimplePipeline">
+
+    <bean id="generate" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
                     Acquire metadata for all UK-registered entities.
                 -->
                 <ref bean="uk_registeredEntities"/>
-                
+
                 <!--
                     *******************************************************
                     ***                                                 ***
                     ***   R A W   R E G I S T R A R   E N T I T I E S   ***
                     ***                                                 ***
                     *******************************************************
-                    
+
                     At this point, the collection contains only entities
                     registered by the UK federation registrar.  The minimum
                     changes possible have been performed, so that the statistics
                     report can be as comprehensive as possible.
                 -->
-                
+
                 <!--
                     Fork a new output pipeline for the registrar statistics.
                 -->
-                <bean id="rawRegistrarDemux" parent="PipelineDemultiplexerStage">
+                <bean id="rawRegistrarDemux" parent="mda.PipelineDemultiplexerStage">
                     <property name="pipelineAndSelectionStrategies">
                         <list>
                             <bean class="net.shibboleth.utilities.java.support.collection.Pair">
@@ -935,36 +890,36 @@
                     </property>
                     <property name="waitingForPipelines" value="true"/>
                 </bean>
-                
+
                 <!--
                     Remove constructs which we no longer publish to any
                     external registry clients.
                 -->
                 <ref bean="uk_stripAdminContacts"/>
                 <ref bean="stripEmptyExtensions"/>
-                
+
                 <!--
                     ***********************************************
                     ***                                         ***
                     ***   R E G I S T R A R   E N T I T I E S   ***
                     ***                                         ***
                     ***********************************************
-                    
+
                     At this point, the collection contains only
                     entities registered by the UK federation registrar.
                 -->
-                
+
                 <!--
                     Fork a new output pipeline for the export and export preview aggregates.
-                    
+
                     These aggregates only include UK-registered entities,
                     so the fork needs to occur before any others are introduced.
-                    
+
                     The export aggregates are also intended to reflect the registered
                     metadata as closely as possible, so the fork must happen before
                     too many UK-specific transformations are performed.
                 -->
-                <bean id="registrarDemux" parent="PipelineDemultiplexerStage">
+                <bean id="registrarDemux" parent="mda.PipelineDemultiplexerStage">
                     <property name="pipelineAndSelectionStrategies">
                         <list>
                             <bean class="net.shibboleth.utilities.java.support.collection.Pair">
@@ -979,10 +934,10 @@
                     </property>
                     <property name="waitingForPipelines" value="true"/>
                 </bean>
-                
+
                 <!--
                     Strip out those ukfedlabel extensions that we don't publish.
-                    
+
                     This is performed independently on the export pipeline because
                     selection for that pipeline is based on these same extensions.
                     A better solution would be to extract the ExportOptIn label into
@@ -990,18 +945,19 @@
                 -->
                 <ref bean="uk_stripExtensions"/>
                 <ref bean="stripEmptyExtensions"/>
-                
+
                 <!--
                     ***************************************************
                     ***                                             ***
                     ***   P R O D U C T I O N   M D X   M E R G E   ***
                     ***                                             ***
                     ***************************************************
-                    
+
                     Merge in entities from production metadata exchange sources.
                 -->
-                
-                <bean id="mergeProductionMDXEntities" parent="PipelineMergeStage.deduplicate">
+
+                <bean id="mergeProductionMDXEntities" parent="mda.PipelineMergeStage"
+                    p:collectionMergeStrategy-ref="deduplicateMergeStrategy">
                     <property name="mergedPipelines">
                         <list>
                             <!-- entries earlier in the list have higher precedence -->
@@ -1009,14 +965,14 @@
                         </list>
                     </property>
                 </bean>
-                
+
                 <!--
                     *************************************************
                     ***                                           ***
                     ***   P R O D U C T I O N   E N T I T I E S   ***
                     ***                                           ***
                     *************************************************
-                    
+
                     At this point, the collection contains entities
                     registered by the UK federation registrar plus
                     entities received through production-status MDX
@@ -1026,7 +982,7 @@
                 <!--
                     Fork into new pipelines for the production, fallback and WAYF aggregates.
                 -->
-                <bean id="productionDemux" parent="PipelineDemultiplexerStage">
+                <bean id="productionDemux" parent="mda.PipelineDemultiplexerStage">
                     <property name="pipelineAndSelectionStrategies">
                         <list>
                             <bean class="net.shibboleth.utilities.java.support.collection.Pair">
@@ -1052,11 +1008,12 @@
                     ***   P R E - P R O D U C T I O N   M D X   M E R G E   ***
                     ***                                                     ***
                     ***********************************************************
-                    
+
                     Merge in entities from pre-production metadata exchange sources.
                 -->
 
-                <bean id="mergePreproductionMDXEntities" parent="PipelineMergeStage.deduplicate">
+                <bean id="mergePreproductionMDXEntities" parent="mda.PipelineMergeStage"
+                    p:collectionMergeStrategy-ref="deduplicateMergeStrategy">
                     <property name="mergedPipelines">
                         <list>
                             <!-- entries earlier in the list have higher precedence -->
@@ -1064,24 +1021,24 @@
                         </list>
                     </property>
                 </bean>
-                
+
                 <!--
                     *********************************************************
                     ***                                                   ***
                     ***   P R E - P R O D U C T I O N   E N T I T I E S   ***
                     ***                                                   ***
                     *********************************************************
-                    
+
                     At this point, the collection contains entities
                     registered by the UK federation registrar plus
                     entities received through both production-status
                     and pre-production-status MDX relationships.
                 -->
-                
+
                 <!--
                     Fork into new pipelines for additional aggregates.
                 -->
-                <bean id="preProductionDemux" parent="PipelineDemultiplexerStage">
+                <bean id="preProductionDemux" parent="mda.PipelineDemultiplexerStage">
                     <property name="pipelineAndSelectionStrategies">
                         <list>
                             <bean class="net.shibboleth.utilities.java.support.collection.Pair">
@@ -1092,7 +1049,7 @@
                     </property>
                     <property name="waitingForPipelines" value="true"/>
                 </bean>
-                
+
                 <!-- pipeline continues to generate test aggregate -->
                 <ref bean="uk_testPipeline"/>
 
diff --git a/mdx/uk/import.xsl b/mdx/uk/import.xsl
index c413f8c6..900cd105 100644
--- a/mdx/uk/import.xsl
+++ b/mdx/uk/import.xsl
@@ -75,7 +75,6 @@
             urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd
             http://ukfederation.org.uk/2006/11/label uk-fed-label.xsd
             http://refeds.org/metadata refeds-metadata.xsd
-            http://sdss.ac.uk/2006/06/WAYF uk-wayf.xsd
             http://www.w3.org/2001/04/xmlenc# xenc-schema.xsd
             http://www.w3.org/2009/xmlenc11# xenc-schema-11.xsd
             http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd">
diff --git a/mdx/uk/mdq-multisign.xml b/mdx/uk/mdq-multisign.xml
index 443f09a8..f97e91d3 100644
--- a/mdx/uk/mdq-multisign.xml
+++ b/mdx/uk/mdq-multisign.xml
@@ -38,18 +38,22 @@
     <!--
         Generate per-entity metadata.
     -->
-    <bean id="mdq-multisign" parent="SimplePipeline">
+    <bean id="mdq-multisign" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
                     Start with the unsigned production aggregate.
                 -->
-                <bean id="production_aggregate" parent="DOMResourceSourceStage">
+                <bean id="production_aggregate" parent="mda.DOMResourceSourceStage">
+                    <property name="parserPool" ref="parserPool"/>
                     <property name="DOMResource">
                         <bean parent="FileSystemResource" c:_0="${mdq.input}"/>
                     </property>
                 </bean>
 
+                <!-- Remove UKFederationLabel elements. -->
+                <ref bean="uk_strip_UKFederationMember"/>
+
                 <!-- Break down into individual entities. -->
                 <ref bean="disassemble"/>
 
@@ -57,16 +61,20 @@
                 <ref bean="populateItemIds"/>
 
                 <!-- Set ID, cacheDuration and validUntil attributes. -->
-                <bean parent="GenerateIdStage"/>
-                <bean parent="SetCacheDurationStage" p:cacheDuration="PT6H"/>
-                <bean parent="SetValidUntilStage" p:validityDuration="P14D"/>
+                <bean parent="mda.GenerateIdStage">
+                    <constructor-arg>
+                        <bean parent="ukf.FixedStringIdentifierGenerationStrategy" c:_="_"/>
+                    </constructor-arg>
+                </bean>
+                <bean parent="mda.SetCacheDurationStage" p:cacheDuration="PT6H"/>
+                <bean parent="mda.SetValidUntilStage" p:validityDuration="P14D"/>
 
                 <!-- Identity transform fixes signing issues. -->
-                <bean parent="XSLTransformationStage"
+                <bean parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:identity.xsl"/>
 
                 <!-- Sign each item. -->
-                <bean id="perform.signature" parent="XMLSignatureSigningStage">
+                <bean id="perform.signature" parent="mda.XMLSignatureSigningStage">
                     <property name="privateKey">
                         <bean parent="PKCS11PrivateKeyFactoryBean"
                             p:pkcs11Config="${sign.pkcs11Config}"
@@ -77,14 +85,15 @@
                 </bean>
 
                 <!-- Write individual entity documents to files. -->
-                <bean id="write.perentity" parent="MultiOutputSerializationStage">
+                <bean id="write.perentity" parent="mda.MultiOutputSerializationStage">
+                    <property name="serializer" ref="serializer"/>
                     <property name="outputStrategy">
-                        <bean parent="FilesInDirectoryMultiOutputStrategy" p:nameSuffix=".xml">
+                        <bean parent="mda.FilesInDirectoryMultiOutputStrategy" p:nameSuffix=".xml">
                             <property name="directory">
-                                <bean class="java.io.File" c:_="${mdq.output}"/>
+                                <bean parent="File" c:_="${mdq.output}"/>
                             </property>
                             <property name="nameTransformer">
-                                <bean parent="PathSegmentStringTransformer"/>
+                                <bean parent="mda.PathSegmentStringTransformer"/>
                             </property>
                         </bean>
                     </property>
diff --git a/mdx/uk/ns_norm_back.xsl b/mdx/uk/ns_norm_back.xsl
index f485059c..c482464e 100644
--- a/mdx/uk/ns_norm_back.xsl
+++ b/mdx/uk/ns_norm_back.xsl
@@ -1,117 +1,138 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm_back.xsl
-	
-	Normalise the namespaces in the UK federation fallback aggregate.
-	
-	The main constraint on the output of this transform is that it should minimise the size
-	of the output file while not having "too many" namespace prefix definitions in scope
-	at any point in the document.  "Too many" is more than about ten, as a result of a bug
-	in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
-	metadata.
-	
-	The strategy is to define the most commonly-used prefixes in the document element.
-	
-	Prefixes which are less often used, but which may be used by container elements
-	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
-	on the document element.
-	
-	Prefixes which are less often used and are only used for non-containers can be
-	normalised to non-prefix use (i.e., to redefine the default namespace) if required
-	to cut the numbers down.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    ns_norm_back.xsl
+
+    Normalise the namespaces in the UK federation fallback aggregate.
+
+    The main constraint on the output of this transform is that it should minimise the size
+    of the output file while not having "too many" namespace prefix definitions in scope
+    at any point in the document.  "Too many" is more than about ten, as a result of a bug
+    in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
+    metadata.
+
+    The strategy is to define the most commonly-used prefixes in the document element.
+
+    Prefixes which are less often used, but which may be used by container elements
+    (e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
+    on the document element.
+
+    Prefixes which are less often used and are only used for non-containers can be
+    normalised to non-prefix use (i.e., to redefine the default namespace) if required
+    to cut the numbers down.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:remd="http://refeds.org/metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	
-	exclude-result-prefixes="alg md mdattr saml wayf"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-
-	<!--
-		Import templates for basic normalisation.
-	-->
-	<xsl:import href="../ns_norm.xsl"/>
-	
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-	
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-	
-	
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-		
-		There are only two possible document elements in SAML metadata.
-	-->
-	
-	
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-	
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-	
-	
-	<!--
-		*************************************
-		***                               ***
-		***   A L G   N A M E S P A C E   ***
-		***                               ***
-		*************************************
-	-->
-	
-	
-	<!--
-		alg:*
-		
-		Normalise namespace to not use a prefix.
-	-->
-	<xsl:template match="alg:*">
-		<xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-	
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="alg md xenc"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
+        Import templates for basic normalisation.
+    -->
+    <xsl:import href="../ns_norm.xsl"/>
+
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   A L G   N A M E S P A C E   ***
+        ***                               ***
+        *************************************
+    -->
+
+
+    <!--
+        alg:*
+
+        Normalise namespace to not use a prefix.
+    -->
+    <xsl:template match="alg:*">
+        <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
+    <!--
+        ***************************************
+        ***                                 ***
+        ***   X E N C   N A M E S P A C E   ***
+        ***                                 ***
+        ***************************************
+    -->
+
+
+    <!--
+        xenc:*
+
+        Normalise namespace to not use a prefix.
+    -->
+    <xsl:template match="xenc:*">
+        <xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_cds.xsl b/mdx/uk/ns_norm_cds.xsl
index 718dba73..2d3dcfb2 100644
--- a/mdx/uk/ns_norm_cds.xsl
+++ b/mdx/uk/ns_norm_cds.xsl
@@ -1,78 +1,77 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm_cds.xsl
-	
-	Normalise the namespaces in a metadata file for publication to the UKf CDS.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    ns_norm_cds.xsl
+
+    Normalise the namespaces in a metadata file for publication to the UKf CDS.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	
-	exclude-result-prefixes="alg ds init md mdattr saml shibmd ukfedlabel wayf xsi"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-
-	<!--
-		Import templates for basic normalisation.
-	-->
-	<xsl:import href="../ns_norm.xsl"/>
-	
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-	
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-	
-	
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-		
-		There are only two possible document elements in SAML metadata.
-	-->
-	
-	
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-	
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-	
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+
+    exclude-result-prefixes="alg ds init md mdattr saml shibmd ukfedlabel xsi"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
+        Import templates for basic normalisation.
+    -->
+    <xsl:import href="../ns_norm.xsl"/>
+
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_export.xsl b/mdx/uk/ns_norm_export.xsl
index 45f91dd9..7947548f 100644
--- a/mdx/uk/ns_norm_export.xsl
+++ b/mdx/uk/ns_norm_export.xsl
@@ -1,117 +1,132 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm_export.xsl
-	
-	Normalise the namespaces in a metadata file for export.
-	
-	The main constraint on the output of this transform is that it should minimise the size
-	of the output file while not having "too many" namespace prefix definitions in scope
-	at any point in the document.  "Too many" is more than about ten, as a result of a bug
-	in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
-	metadata.
-	
-	The strategy is to define the most commonly-used prefixes in the document element.
-	
-	Prefixes which are less often used, but which may be used by container elements
-	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
-	on the document element.
-	
-	Prefixes which are less often used and are only used for non-containers can be
-	normalised to non-prefix use (i.e., to redefine the default namespace) if required
-	to cut the numbers down.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    ns_norm_export.xsl
+
+    Normalise the namespaces in the export aggregate.
+
+    The strategy is to define the most commonly-used prefixes in the document element.
+
+    Prefixes which are less often used, but which may be used by container elements
+    (e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
+    on the document element.
+
+    Prefixes which are less often used and are only used for non-containers can be
+    normalised to non-prefix use (i.e., to redefine the default namespace) if required
+    to cut the numbers down.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:remd="http://refeds.org/metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	
-	exclude-result-prefixes="alg md mdattr saml ukfedlabel wayf"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-
-	<!--
-		Import templates for basic normalisation.
-	-->
-	<xsl:import href="../ns_norm.xsl"/>
-	
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-	
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-	
-	
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-		
-		There are only two possible document elements in SAML metadata.
-	-->
-	
-	
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-	
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-	
-	
-	<!--
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    exclude-result-prefixes="alg md ukfedlabel xenc"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
+        Import templates for basic normalisation.
+    -->
+    <xsl:import href="../ns_norm.xsl"/>
+
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+
+    <!--
         *************************************
         ***                               ***
         ***   A L G   N A M E S P A C E   ***
         ***                               ***
         *************************************
     -->
-	
-	
-	<!--
+
+
+    <!--
         alg:*
-        
+
         Normalise namespace to not use a prefix.
     -->
-	<xsl:template match="alg:*">
-		<xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-	
+    <xsl:template match="alg:*">
+        <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
+    <!--
+        ***************************************
+        ***                                 ***
+        ***   X E N C   N A M E S P A C E   ***
+        ***                                 ***
+        ***************************************
+    -->
+
+
+    <!--
+        xenc:*
+
+        Normalise namespace to not use a prefix.
+    -->
+    <xsl:template match="xenc:*">
+        <xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_export_preview.xsl b/mdx/uk/ns_norm_export_preview.xsl
new file mode 100644
index 00000000..0ddc1e1f
--- /dev/null
+++ b/mdx/uk/ns_norm_export_preview.xsl
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    ns_norm_export_preview.xsl
+
+    Normalise the namespaces in the export preview aggregate.
+
+    The strategy is to define the most commonly-used prefixes in the document element.
+
+    Prefixes which are less often used, but which may be used by container elements
+    (e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
+    on the document element.
+
+    Prefixes which are less often used and are only used for non-containers can be
+    normalised to non-prefix use (i.e., to redefine the default namespace) if required
+    to cut the numbers down.
+
+    Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    exclude-result-prefixes="alg md ukfedlabel xenc"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
+        Import templates for basic normalisation.
+    -->
+    <xsl:import href="../ns_norm.xsl"/>
+
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   A L G   N A M E S P A C E   ***
+        ***                               ***
+        *************************************
+    -->
+
+
+    <!--
+        alg:*
+
+        Normalise namespace to not use a prefix.
+    -->
+    <xsl:template match="alg:*">
+        <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
+    <!--
+        ***************************************
+        ***                                 ***
+        ***   X E N C   N A M E S P A C E   ***
+        ***                                 ***
+        ***************************************
+    -->
+
+
+    <!--
+        xenc:*
+
+        Normalise namespace to not use a prefix.
+    -->
+    <xsl:template match="xenc:*">
+        <xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
+</xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_fragment.xsl b/mdx/uk/ns_norm_fragment.xsl
index 9d58ec58..1402c135 100644
--- a/mdx/uk/ns_norm_fragment.xsl
+++ b/mdx/uk/ns_norm_fragment.xsl
@@ -1,85 +1,84 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm_fragment.xsl
-	
-	Normalise the namespaces in a fragment file.
-	
-	The only difference between this and full normalisation is the selection of prefixes which are
-	included on the document element by default.  We can therefore import the standard templates
-	and just override the ones for the document element as long as an appropriate exclude-result-prefixes
-	is in effect.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    ns_norm_fragment.xsl
+
+    Normalise the namespaces in a fragment file.
+
+    The only difference between this and full normalisation is the selection of prefixes which are
+    included on the document element by default.  We can therefore import the standard templates
+    and just override the ones for the document element as long as an appropriate exclude-result-prefixes
+    is in effect.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:remd="http://refeds.org/metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	
-	exclude-result-prefixes="md"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-
-	<!--
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+
+    exclude-result-prefixes="md"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
         Import templates for basic normalisation.
     -->
-	<xsl:import href="../ns_norm.xsl"/>
-	
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-	
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-	
-	
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-		
-		There are only two possible document elements in SAML metadata.
-	-->
-	
-	
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-	
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-	
-	
+    <xsl:import href="../ns_norm.xsl"/>
+
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_test.xsl b/mdx/uk/ns_norm_test.xsl
index b05bf888..3f930240 100644
--- a/mdx/uk/ns_norm_test.xsl
+++ b/mdx/uk/ns_norm_test.xsl
@@ -1,121 +1,120 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm_test.xsl
-	
-	Normalise the namespaces in the UK federation's test aggregate.
-	
-	The main constraint on the output of this transform is that it should minimise the size
-	of the output file while not having "too many" namespace prefix definitions in scope
-	at any point in the document.  "Too many" is more than about ten, as a result of a bug
-	in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
-	metadata.
-	
-	The strategy is to define the most commonly-used prefixes in the document element.
-	
-	Prefixes which are less often used, but which may be used by container elements
-	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
-	on the document element.
-	
-	Prefixes which are less often used and are only used for non-containers can be
-	normalised to non-prefix use (i.e., to redefine the default namespace) if required
-	to cut the numbers down.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    ns_norm_test.xsl
+
+    Normalise the namespaces in the UK federation's test aggregate.
+
+    The main constraint on the output of this transform is that it should minimise the size
+    of the output file while not having "too many" namespace prefix definitions in scope
+    at any point in the document.  "Too many" is more than about ten, as a result of a bug
+    in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
+    metadata.
+
+    The strategy is to define the most commonly-used prefixes in the document element.
+
+    Prefixes which are less often used, but which may be used by container elements
+    (e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
+    on the document element.
+
+    Prefixes which are less often used and are only used for non-containers can be
+    normalised to non-prefix use (i.e., to redefine the default namespace) if required
+    to cut the numbers down.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:remd="http://refeds.org/metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-	
-	exclude-result-prefixes="alg md wayf xenc"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-
-	<!--
-		Import templates for basic normalisation.
-	-->
-	<xsl:import href="../ns_norm.xsl"/>
-	
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-	
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-	
-	
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-		
-		There are only two possible document elements in SAML metadata.
-	-->
-	
-	
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-	
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-	
-	
-	<!--
-		*************************************
-		***                               ***
-		***   A L G   N A M E S P A C E   ***
-		***                               ***
-		*************************************
-	-->
-	
-	
-	<!--
-		alg:*
-		
-		Normalise namespace to not use a prefix.
-	-->
-	<xsl:template match="alg:*">
-		<xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-
-	<!--
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    exclude-result-prefixes="alg md xenc"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
+        Import templates for basic normalisation.
+    -->
+    <xsl:import href="../ns_norm.xsl"/>
+
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   A L G   N A M E S P A C E   ***
+        ***                               ***
+        *************************************
+    -->
+
+
+    <!--
+        alg:*
+
+        Normalise namespace to not use a prefix.
+    -->
+    <xsl:template match="alg:*">
+        <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
+    <!--
         ***************************************
         ***                                 ***
         ***   X E N C   N A M E S P A C E   ***
@@ -124,16 +123,16 @@
     -->
 
 
-	<!--
+    <!--
         xenc:*
-        
+
         Normalise namespace to not use a prefix.
     -->
-	<xsl:template match="xenc:*">
-		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>	
-	
-	
+    <xsl:template match="xenc:*">
+        <xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_uk.xsl b/mdx/uk/ns_norm_uk.xsl
index e42943f7..dca0f099 100644
--- a/mdx/uk/ns_norm_uk.xsl
+++ b/mdx/uk/ns_norm_uk.xsl
@@ -1,117 +1,138 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm_uk.xsl
-	
-	Normalise the namespaces in a metadata file for publication to UK federation members.
-	
-	The main constraint on the output of this transform is that it should minimise the size
-	of the output file while not having "too many" namespace prefix definitions in scope
-	at any point in the document.  "Too many" is more than about ten, as a result of a bug
-	in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
-	metadata.
-	
-	The strategy is to define the most commonly-used prefixes in the document element.
-	
-	Prefixes which are less often used, but which may be used by container elements
-	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
-	on the document element.
-	
-	Prefixes which are less often used and are only used for non-containers can be
-	normalised to non-prefix use (i.e., to redefine the default namespace) if required
-	to cut the numbers down.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
+    ns_norm_uk.xsl
+
+    Normalise the namespaces in a metadata file for publication to UK federation members.
+
+    The main constraint on the output of this transform is that it should minimise the size
+    of the output file while not having "too many" namespace prefix definitions in scope
+    at any point in the document.  "Too many" is more than about ten, as a result of a bug
+    in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
+    metadata.
+
+    The strategy is to define the most commonly-used prefixes in the document element.
+
+    Prefixes which are less often used, but which may be used by container elements
+    (e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
+    on the document element.
+
+    Prefixes which are less often used and are only used for non-containers can be
+    normalised to non-prefix use (i.e., to redefine the default namespace) if required
+    to cut the numbers down.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:remd="http://refeds.org/metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	
-	exclude-result-prefixes="alg md mdattr saml wayf"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-
-	<!--
-		Import templates for basic normalisation.
-	-->
-	<xsl:import href="../ns_norm.xsl"/>
-	
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-	
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-	
-	
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-		
-		There are only two possible document elements in SAML metadata.
-	-->
-	
-	
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-	
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-	
-	
-	<!--
-		*************************************
-		***                               ***
-		***   A L G   N A M E S P A C E   ***
-		***                               ***
-		*************************************
-	-->
-	
-	
-	<!--
-		alg:*
-		
-		Normalise namespace to not use a prefix.
-	-->
-	<xsl:template match="alg:*">
-		<xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-	
-	
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    exclude-result-prefixes="alg md xenc"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
+        Import templates for basic normalisation.
+    -->
+    <xsl:import href="../ns_norm.xsl"/>
+
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   A L G   N A M E S P A C E   ***
+        ***                               ***
+        *************************************
+    -->
+
+
+    <!--
+        alg:*
+
+        Normalise namespace to not use a prefix.
+    -->
+    <xsl:template match="alg:*">
+        <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
+    <!--
+        ***************************************
+        ***                                 ***
+        ***   X E N C   N A M E S P A C E   ***
+        ***                                 ***
+        ***************************************
+    -->
+
+
+    <!--
+        xenc:*
+
+        Normalise namespace to not use a prefix.
+    -->
+    <xsl:template match="xenc:*">
+        <xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/scopes_copy.xsl b/mdx/uk/scopes_copy.xsl
index 658a1a18..c97e12e5 100644
--- a/mdx/uk/scopes_copy.xsl
+++ b/mdx/uk/scopes_copy.xsl
@@ -1,22 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	scopes_copy.xsl
-	
-	Make all three potential scope lists equivalent (on the entity, on
-	the IDPSSODescriptor and on the AttributeAuthority).
-	
+    scopes_copy.xsl
+
+    Make all three potential scope lists equivalent (on the entity, on
+    the IDPSSODescriptor and on the AttributeAuthority).
+
 -->
 <xsl:stylesheet version="1.0"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
 
     <!--
         If an IdP's SSO or AA roles are missing Extensions (and Scope extensions in
@@ -24,41 +24,41 @@
     -->
     <xsl:template match="md:IDPSSODescriptor[not(md:Extensions)] |
                          md:AttributeAuthorityDescriptor[not(md:Extensions)]">
-		<xsl:copy>
-		    <xsl:apply-templates select="@*"/>
-			<xsl:text>&#10;        </xsl:text>
-			<xsl:element name="Extensions" namespace="urn:oasis:names:tc:SAML:2.0:metadata">
-				<!-- copy scopes from EntityDescriptor extensions -->
-			    <xsl:for-each select="ancestor::md:EntityDescriptor/md:Extensions/shibmd:Scope">
-					<xsl:text>&#10;            </xsl:text>
-					<xsl:copy-of select="."/>
-				</xsl:for-each>
-				<xsl:text>&#10;        </xsl:text>
-			</xsl:element>
-			<xsl:apply-templates select="node()"/>
-		</xsl:copy>
-	</xsl:template>
-	
-	<!--
-		If an IdP's SSO or AA roles already includes an Extensions element, this may
-		already contain extensions other than scopes.  We need to make sure that
-		if it does not also contain scopes, then any scopes declared at the entity
-		level are copied down.
-	-->
-	<xsl:template match="md:IDPSSODescriptor/md:Extensions |
-						 md:AttributeAuthorityDescriptor/md:Extensions">
-		<xsl:copy>
-			<xsl:apply-templates select="node()"/>
-			<xsl:if test="not(shibmd:Scope)">
-				<!-- copy scopes from EntityDescriptor extensions -->
-				<xsl:for-each select="ancestor::md:EntityDescriptor/md:Extensions/shibmd:Scope">
-					<xsl:text>    </xsl:text>
-					<xsl:copy-of select="."/>
-					<xsl:text>&#10;        </xsl:text>
-				</xsl:for-each>
-			</xsl:if>			
-		</xsl:copy>
-	</xsl:template>
+        <xsl:copy>
+            <xsl:apply-templates select="@*"/>
+            <xsl:text>&#10;        </xsl:text>
+            <xsl:element name="Extensions" namespace="urn:oasis:names:tc:SAML:2.0:metadata">
+                <!-- copy scopes from EntityDescriptor extensions -->
+                <xsl:for-each select="ancestor::md:EntityDescriptor/md:Extensions/shibmd:Scope">
+                    <xsl:text>&#10;            </xsl:text>
+                    <xsl:copy-of select="."/>
+                </xsl:for-each>
+                <xsl:text>&#10;        </xsl:text>
+            </xsl:element>
+            <xsl:apply-templates select="node()"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <!--
+        If an IdP's SSO or AA roles already includes an Extensions element, this may
+        already contain extensions other than scopes.  We need to make sure that
+        if it does not also contain scopes, then any scopes declared at the entity
+        level are copied down.
+    -->
+    <xsl:template match="md:IDPSSODescriptor/md:Extensions |
+                         md:AttributeAuthorityDescriptor/md:Extensions">
+        <xsl:copy>
+            <xsl:apply-templates select="node()"/>
+            <xsl:if test="not(shibmd:Scope)">
+                <!-- copy scopes from EntityDescriptor extensions -->
+                <xsl:for-each select="ancestor::md:EntityDescriptor/md:Extensions/shibmd:Scope">
+                    <xsl:text>    </xsl:text>
+                    <xsl:copy-of select="."/>
+                    <xsl:text>&#10;        </xsl:text>
+                </xsl:for-each>
+            </xsl:if>
+        </xsl:copy>
+    </xsl:template>
 
     <!--
         *********************************************
@@ -67,18 +67,18 @@
         ***                                       ***
         *********************************************
     -->
-    
-    
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
+
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/uk/sp_mdui_test.xsl b/mdx/uk/sp_mdui_test.xsl
index b1e2a0e1..4c67f43f 100644
--- a/mdx/uk/sp_mdui_test.xsl
+++ b/mdx/uk/sp_mdui_test.xsl
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-    
+
     sp_mdui_test.xsl
-    
+
     XSL stylesheet taking a UK Federation metadata aggregate and resulting in an HTML document
     giving discovery links for each mdui-supporting SP entity.
-    
+
     Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -16,29 +16,28 @@
     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:members="http://ukfederation.org.uk/2007/01/members"
-    xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
     xmlns:math="http://exslt.org/math"
     xmlns:date="http://exslt.org/dates-and-times"
     xmlns:dyn="http://exslt.org/dynamic"
     xmlns:set="http://exslt.org/sets"
     xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-    exclude-result-prefixes="xsl ds md mdui xsi members wayf math date dyn set idpdisc"
+    exclude-result-prefixes="xsl ds md mdui xsi members math date dyn set idpdisc"
     version="1.0">
 
     <xsl:output method="html" omit-xml-declaration="yes"/>
-    
+
     <xsl:template match="md:EntitiesDescriptor">
-        
+
         <xsl:variable name="entities" select="//md:EntityDescriptor"/>
         <xsl:variable name="sps" select="$entities[md:SPSSODescriptor/md:Extensions/mdui:UIInfo]"/>
-        
+
         <html>
             <head>
                 <title>UK Federation SP discovery UI test</title>
             </head>
             <body>
                 <h1>UK Federation SP discovery UI test</h1>
-                
+
                 <ul>
                     <xsl:for-each select="$sps">
                         <xsl:variable name="acs"
@@ -47,9 +46,9 @@
                             <xsl:value-of select="@ID"/>
                             <xsl:text>: </xsl:text>
                             <xsl:value-of select="@entityID"/>
-                            
+
                             <ul>
-                                
+
                                 <li>
                                     <xsl:choose>
                                         <xsl:when test="descendant::mdui:DisplayName">
@@ -87,7 +86,7 @@
 
                                 <xsl:variable name="parms" select="concat('?shire=',
                                     $acs, '&amp;providerId=', @entityID, '&amp;target=cookie')"/>
-                                
+
                                 <li>
                                     <xsl:variable name="prod" select="concat(
                                         'https://wayf.ukfederation.org.uk/WAYF',
@@ -100,7 +99,7 @@
                                         Production DS (as WAYF)
                                     </xsl:element>
                                 </li>
-                                
+
                                 <li>
                                     <xsl:variable name="rod" select="concat(
                                         'https://dlib-adidp.ucs.ed.ac.uk/discovery/ukfull.wayf',
@@ -126,14 +125,14 @@
                                         Test DS (ukfed4, as WAYF)
                                     </xsl:element>
                                 </li>
-                                
+
                             </ul>
                         </li>
                     </xsl:for-each>
                 </ul>
-                
+
             </body>
         </html>
     </xsl:template>
-    
-</xsl:stylesheet>
\ No newline at end of file
+
+</xsl:stylesheet>
diff --git a/mdx/uk/statistics-charting.xsl b/mdx/uk/statistics-charting.xsl
new file mode 100644
index 00000000..c8cf91fe
--- /dev/null
+++ b/mdx/uk/statistics-charting.xsl
@@ -0,0 +1,500 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    statistics.xsl
+
+    XSL stylesheet taking a UK Federation metadata file and resulting in an HTML document
+    giving statistics.
+
+    Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:members="http://ukfederation.org.uk/2007/01/members"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:math="http://exslt.org/math"
+    xmlns:date="http://exslt.org/dates-and-times"
+    xmlns:dyn="http://exslt.org/dynamic"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    exclude-result-prefixes="xsl alg ds init md mdattr mdui saml xsi members ukfedlabel math date dyn set idpdisc"
+    version="1.0">
+
+    <xsl:output method="xml" omit-xml-declaration="yes" indent="no"/>
+
+    <!--
+        memberDocument
+
+        The members.xml file, as a DOM document, is passed as a parameter.
+    -->
+    <xsl:param name="memberDocument"/>
+
+    <xsl:template match="md:EntitiesDescriptor">
+
+        <!--
+            Break down the "members" document.
+        -->
+        <!-- federation members -->
+        <xsl:variable name="members" select="$memberDocument//members:Member"/>
+        <xsl:variable name="memberCount" select="count($members)"/>
+        <xsl:variable name="memberNames" select="$members/members:Name"/>
+
+        <xsl:variable name="entities" select="//md:EntityDescriptor"/>
+        <xsl:variable name="entityCount" select="count($entities)"/>
+
+        <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
+        <xsl:variable name="idps.saml1"
+            select="$idps[contains(md:IDPSSODescriptor/@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
+
+        <xsl:variable name="idpCount" select="count($idps)"/>
+        <xsl:variable name="idps.saml1.count" select="count($idps.saml1)"/>
+
+        <xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
+        <xsl:variable name="sps.saml1"
+            select="$sps[contains(md:SPSSODescriptor/@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
+
+        <xsl:variable name="spCount" select="count($sps)"/>
+        <xsl:variable name="sps.saml1.count" select="count($sps.saml1)"/>
+
+        <xsl:variable name="entities.saml1" select="set:distinct($idps.saml1 | $sps.saml1)"/>
+        <xsl:variable name="entities.saml1.count" select="count($entities.saml1)"/>
+
+        <xsl:variable name="dualEntities" select="$entities[md:IDPSSODescriptor][md:SPSSODescriptor]"/>
+        <xsl:variable name="dualEntityCount" select="count($dualEntities)"/>
+
+        <xsl:variable name="federationMemberEntityCount"
+            select="count($entities[md:Extensions/ukfedlabel:UKFederationMember])"/>
+
+        <xsl:variable name="memberEntities"
+            select="dyn:closure($members/members:Name, '$entities[md:Organization/md:OrganizationName = current()]')"/>
+        <xsl:variable name="memberEntityCount"
+            select="dyn:sum($memberNames, 'count($entities[md:Organization/md:OrganizationName = current()])')"/>
+
+        <xsl:variable name="idps.artifact"
+            select="$idps[md:IDPSSODescriptor[md:ArtifactResolutionService]]"/>
+        <xsl:variable name="idps.artifact.count" select="count($idps.artifact)"/>
+        <xsl:variable name="idps.artifact.saml1"
+            select="$idps[md:IDPSSODescriptor
+            [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+            [md:ArtifactResolutionService]]"/>
+        <xsl:variable name="idps.artifact.saml1.count" select="count($idps.artifact.saml1)"/>
+        <xsl:variable name="sps.artifact.saml1"
+            select="$sps[md:SPSSODescriptor/md:AssertionConsumerService/@Binding='urn:oasis:names:tc:SAML:1.0:profiles:artifact-01']"/>
+        <xsl:variable name="sps.artifact.saml1.count" select="count($sps.artifact.saml1)"/>
+        <xsl:variable name="entities.artifact.saml1" select="set:distinct($idps.artifact.saml1 | $sps.artifact.saml1)"/>
+        <xsl:variable name="entities.artifact.saml1.count" select="count($entities.artifact.saml1)"/>
+
+        <pre>
+
+            <!--
+                ***************************
+                ***                     ***
+                ***   C H A R T I N G   ***
+                ***                     ***
+                ***************************
+            -->
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:text>Members: </xsl:text>
+            <xsl:value-of select="$memberCount"/>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:text>Entities: </xsl:text>
+            <xsl:value-of select="$entityCount"/>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:text>   IdPs: </xsl:text>
+            <xsl:value-of select="$idpCount"/>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:text>   SPs: </xsl:text>
+            <xsl:value-of select="$spCount"/>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:text>Entities per member: </xsl:text>
+            <xsl:value-of select="format-number($entityCount div $memberCount, '0.000000')"/>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:variable name="charting.entities.algsupport" select="$entities[descendant::alg:* or descendant::md:EncryptionMethod]"/>
+            <xsl:variable name="charting.entities.algsupport.count" select="count($charting.entities.algsupport)"/>
+            <xsl:text>Algorithm support: </xsl:text>
+            <xsl:value-of select="format-number($charting.entities.algsupport.count div $entityCount, '0.00%')"/>
+            <xsl:text> of all entities</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:variable name="charting.entities.algsupport.gcm"
+                select="$charting.entities.algsupport[
+                descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes128-gcm' or
+                descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm' or
+                descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes256-gcm']"/>
+            <xsl:variable name="charting.entities.algsupport.gcm.count" select="count($charting.entities.algsupport.gcm)"/>
+            <xsl:text>GCM support: </xsl:text>
+            <xsl:value-of select="format-number($charting.entities.algsupport.gcm.count div $entityCount, '0.00%')"/>
+            <xsl:text> of all entities</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:variable name="charting.sps.algsupport" select="$sps[descendant::alg:* or descendant::md:EncryptionMethod]"/>
+            <xsl:variable name="charting.sps.algsupport.count" select="count($charting.sps.algsupport)"/>
+            <xsl:text>Algorithm support:</xsl:text>
+            <xsl:value-of select="format-number($charting.sps.algsupport.count div $spCount, '0.00%')"/>
+            <xsl:text> of SP entities</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:variable name="charting.idp3" select="$idps[
+                md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '3']
+                ]"/>
+            <xsl:variable name="charting.idp3.count" select="count($charting.idp3)"/>
+            <xsl:text>Shibboleth IdP v3: </xsl:text>
+            <xsl:value-of select="$charting.idp3.count"/>
+            <xsl:text> (</xsl:text>
+            <xsl:value-of select="format-number($charting.idp3.count div $idpCount, '0.0%')"/>
+            <xsl:text> of IdPs)</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:variable name="nosaml2.sps" select="$sps[md:SPSSODescriptor[not(contains(@protocolSupportEnumeration,
+                'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+            <xsl:variable name="nosaml2.sps.count" select="count($nosaml2.sps)"/>
+            <xsl:text>&#10;</xsl:text>
+            <xsl:text>SPs without SAML 2.0 support: </xsl:text>
+            <xsl:value-of select="$nosaml2.sps.count"/>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:for-each select="$nosaml2.sps">
+                <xsl:sort select="descendant::md:OrganizationName"/>
+                <xsl:text>   </xsl:text>
+                <xsl:value-of select="@ID"/>
+                <xsl:text>: </xsl:text>
+                <xsl:value-of select="descendant::md:OrganizationName"/>
+                <xsl:text>: </xsl:text>
+                <xsl:choose>
+                    <xsl:when test="descendant::mdui:DisplayName">
+                        <xsl:value-of select="descendant::mdui:DisplayName"/>
+                    </xsl:when>
+                    <xsl:otherwise>
+                        <xsl:text>(</xsl:text>
+                        <xsl:value-of select="descendant::md:OrganizationDisplayName"/>
+                        <xsl:text>)</xsl:text>
+                    </xsl:otherwise>
+                </xsl:choose>
+                <xsl:apply-templates select="md:Extensions/ukfedlabel:Software" mode="short"/>
+                <xsl:text>&#10;</xsl:text>
+            </xsl:for-each>
+
+            <xsl:call-template name="entity.breakdown.by.software">
+                <xsl:with-param name="entities" select="$sps[md:SPSSODescriptor[not(contains(@protocolSupportEnumeration,
+                    'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+            </xsl:call-template>
+
+            <xsl:variable name="nosaml2.idps" select="$idps[md:IDPSSODescriptor[not(contains(@protocolSupportEnumeration,
+                'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+            <xsl:variable name="nosaml2.idps.count" select="count($nosaml2.idps)"/>
+
+            <xsl:text>&#10;</xsl:text>
+            <xsl:text>IdPs without SAML 2.0 support: </xsl:text>
+            <xsl:value-of select="$nosaml2.idps.count"/>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:call-template name="entity.breakdown.by.software">
+                <xsl:with-param name="entities" select="$nosaml2.idps"/>
+            </xsl:call-template>
+
+        </pre>
+    </xsl:template>
+
+
+    <!--
+        Break down a set of entities by the software used.
+    -->
+    <xsl:template name="entity.breakdown.by.software">
+        <xsl:param name="entities"/>
+        <xsl:variable name="entityCount" select="count($entities)"/>
+        <xsl:text>Breakdown by software used:</xsl:text>
+        <xsl:text>&#10;</xsl:text>
+
+        <!--
+            *********************************************************************
+            ***                                                               ***
+            ***   C L A S S I F Y   E N T I T I E S   B Y   S O F T W A R E   ***
+            ***                                                               ***
+            *********************************************************************
+
+            The classification algorithms used here are chained together so that
+            each classification step works only on those entities not already
+            classified.  This means that entities won't be counted twice, but
+            means that the order of classification blocks is important and
+            shouldn't be changed without careful thought.  In general, more
+            specific algorithms should appear before more general ones.
+        -->
+
+        <!--
+            Classify miscellaneous entities.
+
+            Here we pull off a list of entities labelled with explicit
+            Software labels that aren't for the software we address
+            in more detail below.  The result is, as it were, a list of
+            "known unknowns" that we can re-integrate later with those
+            entities we fail to classify altogether.
+        -->
+        <xsl:variable name="entities.misc.in" select="$entities"/>
+        <xsl:variable name="entities.misc"
+            select="$entities.misc.in[
+                md:Extensions/ukfedlabel:Software
+                    [@name != 'Shibboleth']
+                    [@name != 'EZproxy']
+                    [@name != 'OpenAthens']
+                    [@name != 'Guanxi']
+                    [@name != 'simpleSAMLphp']
+                    [@name != 'Atypon SAML SP 1.1/2.0']
+                    [@name != 'AthensIM']
+                    [@name != 'Eduserv Gateway']
+            ]"/>
+        <xsl:variable name="entities.misc.out"
+            select="set:difference($entities.misc.in, $entities.misc)"/>
+
+        <!--
+            Classify EZproxy SPs
+        -->
+        <xsl:variable name="entities.ezproxy.in" select="$entities.misc.out"/>
+        <xsl:variable name="entities.ezproxy"
+            select="$entities.ezproxy.in[md:Extensions/ukfedlabel:Software/@name='EZproxy']"/>
+        <xsl:variable name="entities.ezproxy.out"
+            select="set:difference($entities.ezproxy.in, $entities.ezproxy)"/>
+
+        <!--
+            Classify simpleSAMLphp entities.
+        -->
+        <xsl:variable name="entities.simplesamlphp.in" select="$entities.ezproxy.out"/>
+        <xsl:variable name="entities.simplesamlphp"
+            select="$entities.simplesamlphp.in[md:Extensions/ukfedlabel:Software/@name='simpleSAMLphp']"/>
+        <xsl:variable name="entities.simplesamlphp.out"
+            select="set:difference($entities.simplesamlphp.in, $entities.simplesamlphp)"/>
+
+        <!--
+            Classify Atypon SAML SP entities.
+        -->
+        <xsl:variable name="entities.atyponsamlsp.in" select="$entities.simplesamlphp.out"/>
+        <xsl:variable name="entities.atyponsamlsp"
+            select="$entities.atyponsamlsp.in[md:Extensions/ukfedlabel:Software/@name='Atypon SAML SP 1.1/2.0']"/>
+        <xsl:variable name="entities.atyponsamlsp.out"
+            select="set:difference($entities.atyponsamlsp.in, $entities.atyponsamlsp)"/>
+
+        <!--
+            Classify OpenAthens entities.
+        -->
+        <xsl:variable name="entities.openathens.in" select="$entities.atyponsamlsp.out"/>
+        <xsl:variable name="entities.openathens"
+            select="$entities.openathens.in[md:Extensions/ukfedlabel:Software/@name='OpenAthens']"/>
+        <xsl:variable name="entities.openathens.out"
+            select="set:difference($entities.openathens.in, $entities.openathens)"/>
+
+        <!--
+            Classify Shibboleth 3 IdPs entities.
+        -->
+        <xsl:variable name="entities.shib.3.in" select="$entities.openathens.out"/>
+        <xsl:variable name="entities.shib.3"
+            select="$entities.shib.3.in[
+            md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '3']
+            ]"/>
+        <xsl:variable name="entities.shib.3.out"
+            select="set:difference($entities.shib.3.in, $entities.shib.3)"/>
+
+        <!--
+            Classify Shibboleth 2.0 IdPs and SPs.
+        -->
+        <xsl:variable name="entities.shib.2.in" select="$entities.shib.3.out"/>
+        <xsl:variable name="entities.shib.2"
+            select="$entities.shib.2.in[
+                md:IDPSSODescriptor/md:SingleSignOnService[contains(@Location, '/profile/Shibboleth/SSO')] |
+                md:SPSSODescriptor/md:AssertionConsumerService[contains(@Location, '/Shibboleth.sso/SAML2/POST')] |
+                md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '2']
+            ]"/>
+        <xsl:variable name="entities.shib.2.out"
+            select="set:difference($entities.shib.2.in, $entities.shib.2)"/>
+
+        <!--
+            Classify Athens Gateway entities
+        -->
+        <xsl:variable name="entities.gateways.in" select="$entities.shib.2.out"/>
+        <xsl:variable name="entities.gateways"
+            select="$entities.gateways.in[md:Extensions/ukfedlabel:Software/@name='Eduserv Gateway']"/>
+        <xsl:variable name="entities.gateways.out"
+            select="set:difference($entities.gateways.in, $entities.gateways)"/>
+
+        <!--
+            Classify OpenAthens virtual IdPs.
+        -->
+        <xsl:variable name="entities.openathens.virtual.in" select="$entities.gateways.out"/>
+        <xsl:variable name="entities.openathens.virtual"
+            select="$entities.openathens.virtual.in[
+                descendant::md:AttributeService/@Location=
+                    'https://gateway.athensams.net:5057/services/SAML11AttributeAuthority' or
+                descendant::md:SingleSignOnService[starts-with(@Location,
+                    'https://login.openathens.net/saml/')]
+                ]"/>
+        <xsl:variable name="entities.openathens.virtual.out"
+            select="set:difference($entities.openathens.virtual.in, $entities.openathens.virtual)"/>
+
+        <!--
+            Classify Guanxi entities.
+        -->
+        <xsl:variable name="entities.guanxi.in" select="$entities.openathens.virtual.out"/>
+        <xsl:variable name="entities.guanxi"
+            select="$entities.guanxi.in[md:Extensions/ukfedlabel:Software/@name='Guanxi']"/>
+        <xsl:variable name="entities.guanxi.out"
+            select="set:difference($entities.guanxi.in, $entities.guanxi)"/>
+
+        <!--
+            Classify AthensIM entities.
+        -->
+        <xsl:variable name="entities.athensim.in" select="$entities.guanxi.out"/>
+        <xsl:variable name="entities.athensim"
+            select="$entities.athensim.in[md:Extensions/ukfedlabel:Software/@name='AthensIM']"/>
+        <xsl:variable name="entities.athensim.out"
+            select="set:difference($entities.athensim.in, $entities.athensim)"/>
+
+        <!--
+            Remaining entities are unknown.
+        -->
+        <xsl:variable name="entities.unclassified" select="$entities.athensim.out"/>
+        <xsl:variable name="unknownSoftwareEntities"
+            select="$entities.unclassified | $entities.misc"/>
+
+        <!--
+            ***************************************************************
+            ***                                                         ***
+            ***   R E P O R T   C L A S S I F I E D   E N T I T I E S   ***
+            ***                                                         ***
+            ***************************************************************
+        -->
+
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.shib.3"/>
+            <xsl:with-param name="name">Shibboleth 3.x</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.shib.2"/>
+            <xsl:with-param name="name">Shibboleth 2.x</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:variable name="entities.shib" select="$entities.shib.2 | $entities.shib.3"/>
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.shib"/>
+            <xsl:with-param name="name">Shibboleth combined</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:variable name="entities.not.shib" select="set:difference($entities, $entities.shib)"/>
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.not.shib"/>
+            <xsl:with-param name="name">Other than Shibboleth</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.ezproxy"/>
+            <xsl:with-param name="name">EZproxy</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.simplesamlphp"/>
+            <xsl:with-param name="name">simpleSAMLphp</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.atyponsamlsp"/>
+            <xsl:with-param name="name">Atypon SAML SP</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.athensim"/>
+            <xsl:with-param name="name">AthensIM</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.guanxi"/>
+            <xsl:with-param name="name">Guanxi</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.gateways"/>
+            <xsl:with-param name="name">Athens/Shibboleth gateway</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.openathens.virtual"/>
+            <xsl:with-param name="name">OpenAthens Virtual IdP</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.openathens"/>
+            <xsl:with-param name="name">OpenAthens</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$unknownSoftwareEntities"/>
+            <xsl:with-param name="name">Unknown or other</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+            <xsl:with-param name="show" select="1"/>
+            <xsl:with-param name="show.software" select="1"/>
+        </xsl:call-template>
+
+    </xsl:template>
+
+    <xsl:template name="entity.breakdown.by.software.line">
+        <xsl:param name="entities"/>
+        <xsl:param name="name"/>
+        <xsl:param name="total"/>
+        <xsl:param name="show">0</xsl:param>
+        <xsl:param name="show.software">0</xsl:param>
+        <xsl:param name="show.max">8</xsl:param>
+        <xsl:variable name="n" select="count($entities)"/>
+        <xsl:if test="$n != 0">
+            <xsl:text>   </xsl:text>
+            <xsl:value-of select="$name"/>
+            <xsl:text>: </xsl:text>
+            <xsl:value-of select="$n"/>
+            <xsl:text> (</xsl:text>
+            <xsl:value-of select="format-number($n div $total, '0.0%')"/>
+            <xsl:text>)</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+             <xsl:if test="($show != 0) or ($n &lt;= $show.max)">
+                <xsl:for-each select="$entities">
+                    <xsl:sort select="@ID"/>
+                    <xsl:text>      </xsl:text>
+                    <xsl:value-of select="@ID"/>
+                    <xsl:text>: </xsl:text>
+                    <xsl:value-of select="@entityID"/>
+                    <xsl:if test="$show.software != 0">
+                        <xsl:choose>
+                            <xsl:when test="md:Extensions/ukfedlabel:Software">
+                                (<xsl:value-of select="md:Extensions/ukfedlabel:Software/@name"/>)
+                            </xsl:when>
+                        </xsl:choose>
+                    </xsl:if>
+                    <xsl:text>&#10;</xsl:text>
+                </xsl:for-each>
+            </xsl:if>
+        </xsl:if>
+    </xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index c31d1721..ab3b13c3 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-    
+
     statistics.xsl
-    
+
     XSL stylesheet taking a UK Federation metadata file and resulting in an HTML document
     giving statistics.
-    
+
     Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -30,16 +30,16 @@
     version="1.0">
 
     <xsl:output method="html" omit-xml-declaration="yes"/>
-    
+
     <!--
         memberDocument
-        
+
         The members.xml file, as a DOM document, is passed as a parameter.
     -->
     <xsl:param name="memberDocument"/>
-    
+
     <xsl:template match="md:EntitiesDescriptor">
-        
+
         <xsl:variable name="now" select="date:date-time()"/>
 
         <!--
@@ -49,33 +49,33 @@
         <xsl:variable name="members" select="$memberDocument//members:Member"/>
         <xsl:variable name="memberCount" select="count($members)"/>
         <xsl:variable name="memberNames" select="$members/members:Name"/>
-        
+
         <xsl:variable name="entities" select="//md:EntityDescriptor"/>
         <xsl:variable name="entityCount" select="count($entities)"/>
 
         <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
         <xsl:variable name="idps.saml1"
             select="$idps[contains(md:IDPSSODescriptor/@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
-        
+
         <xsl:variable name="idpCount" select="count($idps)"/>
         <xsl:variable name="idps.saml1.count" select="count($idps.saml1)"/>
-        
+
         <xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
         <xsl:variable name="sps.saml1"
             select="$sps[contains(md:SPSSODescriptor/@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
-        
+
         <xsl:variable name="spCount" select="count($sps)"/>
         <xsl:variable name="sps.saml1.count" select="count($sps.saml1)"/>
-        
+
         <xsl:variable name="entities.saml1" select="set:distinct($idps.saml1 | $sps.saml1)"/>
         <xsl:variable name="entities.saml1.count" select="count($entities.saml1)"/>
-        
+
         <xsl:variable name="dualEntities" select="$entities[md:IDPSSODescriptor][md:SPSSODescriptor]"/>
         <xsl:variable name="dualEntityCount" select="count($dualEntities)"/>
-        
+
         <xsl:variable name="federationMemberEntityCount"
             select="count($entities[md:Extensions/ukfedlabel:UKFederationMember])"/>
-        
+
         <xsl:variable name="memberEntities"
             select="dyn:closure($members/members:Name, '$entities[md:Organization/md:OrganizationName = current()]')"/>
         <xsl:variable name="memberEntityCount"
@@ -94,7 +94,7 @@
         <xsl:variable name="sps.artifact.saml1.count" select="count($sps.artifact.saml1)"/>
         <xsl:variable name="entities.artifact.saml1" select="set:distinct($idps.artifact.saml1 | $sps.artifact.saml1)"/>
         <xsl:variable name="entities.artifact.saml1.count" select="count($entities.artifact.saml1)"/>
-        
+
         <html>
             <head>
                 <title>UK Federation metadata statistics</title>
@@ -112,9 +112,9 @@
                     The document is regenerated each time the UK Federation metadata is built;
                     this version was created at <xsl:value-of select="$now"/>.
                 </p>
-                <p>This document is produced as a working document of the UK federation core team. 
+                <p>This document is produced as a working document of the UK federation core team.
                    Some of the statistics may be approximations, and the report may be used to track
-                   details of current team interest. 
+                   details of current team interest.
                    For this reason it may be liable to misinterpetation, and should not be considered
                    complete or authoritative.
                 </p>
@@ -125,34 +125,36 @@
                     <li><p><a href="#byOwner">Entities by Owner</a></p></li>
                     <li><p><a href="#accountableIdPs">Identity Provider Accountability</a></p></li>
                     <li><p><a href="#undeployedMembers">Members Lacking Deployment</a></p></li>
-                    <li><p><a href="#shib13">Shibboleth 1.3 Remnants</a></p></li>
                     <li><p><a href="#exportOptOut">Export Aggregate: Entities Opted Out</a></p></li>
                     <li><p><a href="#exportOptIn">Export Aggregate: Entities Explicitly Opted In</a></p></li>
                     <li><p><a href="#nosaml2">Entities Without SAML 2.0 Support</a></p></li>
                 </ul>
-                
 
-                
+
+
                 <h2><a name="members">Member Statistics</a></h2>
                 <p>Number of members: <xsl:value-of select="$memberCount"/></p>
-                <p>The following table shows the canonical name of each member organisation and 
-                   the number of entities belonging to that member.
-                   The canonical name for a member is derived from the member's legal name. 
-                   Ownership  of an entity is established by the OrganizationName field of an entity exactly 
-                   matching the canonical name of the member organisation. 
+                <p>
+                    The following table shows the canonical name of each member organisation,
+                    the Jisc organization ID and the number of entities belonging to that member.
+                    The canonical name for a member is derived from the member's legal name.
+                    Ownership  of an entity is established by the OrganizationName field of an entity exactly
+                    matching the canonical name of the member organisation.
                 </p>
                 <p>
-                   Many organisations have no entities in the federation. 
-                   This may be because they have not yet registered any; perhaps because they have only recently joined. 
+                   Many organisations have no entities in the federation.
+                   This may be because they have not yet registered any; perhaps because they have only recently joined.
                    Alternatively, they may have outsourced their identity provision.
                    Outsourcing of IdP provision is indicated by an asterisk in the OSrc column in the table.
-                   This indicates either outsourcing to an Eduserv virtual IdP or a member who "pushes" scopes
+                   This indicates a member who "pushes" scopes
                    to an aggregate IdP.
-                   Other IdP outsourcing, and any SP outsourcing, is not recorded in the table.
+                   Other IdP outsourcing (such as use of an OpenAthens virtual IdP),
+                   and any SP outsourcing, is not recorded in the table.
                 </p>
                 <table border="1" cellspacing="2" cellpadding="4">
                     <tr>
                         <th align="left">Member</th>
+                        <th>orgID</th>
                         <th>Entities</th>
                         <th>IdPs</th>
                         <th>SPs</th>
@@ -180,12 +182,6 @@
                     select="set:difference($membersWithSps, $membersWithIdPs)"/>
                 <xsl:variable name="membersWithNone"
                     select="set:difference($members, $membersWithEither)"/>
-                <xsl:variable name="membersWithAthensIdP"
-                    select="$members[@usesAthensIdP = 'true']"/>
-                <xsl:variable name="membersWithJustAthensIdP"
-                    select="set:difference($membersWithAthensIdP, $membersWithEither)"/>
-                <xsl:variable name="membersWithNoneNoAthens"
-                    select="set:difference($membersWithNone, $membersWithAthensIdP)"/>
                 <xsl:variable name="membersWithIdPsCount" select="count($membersWithIdPs)"/>
                 <xsl:variable name="membersWithSpsCount" select="count($membersWithSps)"/>
                 <xsl:variable name="membersWithBothCount" select="count($membersWithBoth)"/>
@@ -193,8 +189,6 @@
                 <xsl:variable name="membersWithJustIdPsCount" select="count($membersWithJustIdPs)"/>
                 <xsl:variable name="membersWithJustSPsCount" select="count($membersWithJustSPs)"/>
                 <xsl:variable name="membersWithNoneCount" select="count($membersWithNone)"/>
-                <xsl:variable name="membersWithJustAthensIdPCount" select="count($membersWithJustAthensIdP)"/>
-                <xsl:variable name="membersWithNoneNoAthensCount" select="count($membersWithNoneNoAthens)"/>
                 <p>Breakdown of members by entity registration status:</p>
                 <ul>
                     <li>
@@ -239,30 +233,17 @@
                             (<xsl:value-of select="format-number($membersWithNoneCount div $memberCount, '0.0%')"/>)
                         </p>
                     </li>
-                    <li>
-                        <p>
-                            Without entities, but with Athens IdP access: <xsl:value-of select="$membersWithJustAthensIdPCount"/>
-                            (<xsl:value-of select="format-number($membersWithJustAthensIdPCount div $memberCount, '0.0%')"/>)
-                        </p>
-                    </li>
-                    <li>
-                        <p>
-                            Without entities, and with no Athens IdP access: <xsl:value-of select="$membersWithNoneNoAthensCount"/>
-                            (<xsl:value-of select="format-number($membersWithNoneNoAthensCount div $memberCount, '0.0%')"/>)
-                        </p>
-                    </li>
                     <li>
                         <p>
                             Chart:
                             <xsl:value-of select="$membersWithJustIdPsCount"/>,
                             <xsl:value-of select="$membersWithJustSPsCount"/>,
                             <xsl:value-of select="$membersWithBothCount"/>,
-                            <xsl:value-of select="$membersWithJustAthensIdPCount"/>,
-                            <xsl:value-of select="$membersWithNoneNoAthensCount"/>.                            
+                            <xsl:value-of select="$membersWithNoneCount"/>.
                         </p>
                     </li>
                 </ul>
-                
+
                 <!--
                     *********************************
                     ***                           ***
@@ -270,35 +251,7 @@
                     ***                           ***
                     *********************************
                 -->
-                
-                <!--
-                    Members who are Eduserv.
-                    
-                    This is computed because Eduserv are an exception to the normal
-                    rules about outsourcing because they do not outsource even though
-                    they do use an Athens IdP.
-                -->
-                <xsl:variable name="members.eduserv"
-                    select="$members[members:Name = 'Eduserv']"/>
-                <xsl:variable name="members.eduserv.count" select="count($members.eduserv)"/>
-                
-                <!--
-                    Members who are deduced as outsourcing as a result of their use
-                    of an Athens IdP.
-                -->
-                <xsl:variable name="members.osrc.athens"
-                    select="$members[@usesAthensIdP = 'true']"/>
-                <xsl:variable name="members.osrc.athens.count" select="count($members.osrc.athens)"/>
-                
-                <!--
-                    Members who are deduced as outsourcing as a result of their use
-                    of an Athens IdP.  This count excludes Eduserv, as clearly they
-                    can not outsource to themselves.
-                -->
-                <xsl:variable name="members.osrc.athens.true"
-                    select="$members[@usesAthensIdP = 'true'][members:Name != 'Eduserv']"/>
-                <xsl:variable name="members.osrc.athens.true.count" select="count($members.osrc.athens.true)"/>
-                
+
                 <!--
                     Members who are deduced as outsourcing as a result of their use
                     of the mechanism for describing scopes "pushed" to a specific entity.
@@ -306,48 +259,29 @@
                 <xsl:variable name="members.osrc.scopes.push"
                     select="$members[members:Scopes/members:Entity]"/>
                 <xsl:variable name="members.osrc.scopes.push.count" select="count($members.osrc.scopes.push)"/>
-                
+
                 <!--
                     Members who are deduced as outsourcing.
                 -->
-                <xsl:variable name="members.osrc"
-                    select="set:distinct($members.osrc.athens.true | $members.osrc.scopes.push)"/>
+                <xsl:variable name="members.osrc" select="$members.osrc.scopes.push"/>
                 <xsl:variable name="members.osrc.count" select="count($members.osrc)"/>
-                
+
                 <!--
                     Members whose only representation in the federation is through outsourcing.
                 -->
                 <xsl:variable name="members.osrc.only"
                     select="set:difference($members.osrc, $membersWithEither)"/>
                 <xsl:variable name="members.osrc.only.count" select="count($members.osrc.only)"/>
-                
+
                 <!--
                     Members with no representation, even through outsourcing.
                 -->
                 <xsl:variable name="members.osrc.none"
                     select="set:difference($membersWithNone, $members.osrc)"/>
                 <xsl:variable name="members.osrc.none.count" select="count($members.osrc.none)"/>
-                
+
                 <p>Outsourcing worksheet:</p>
                 <ul>
-                    <li>
-                        <p>
-                            Members who are Eduserv: <xsl:value-of select="$members.eduserv.count"/>
-                            (<xsl:value-of select="format-number($members.eduserv.count div $memberCount, '0.0%')"/>)
-                        </p>
-                    </li>
-                    <li>
-                        <p>
-                            Members using an Athens IdP: <xsl:value-of select="$members.osrc.athens.count"/>
-                            (<xsl:value-of select="format-number($members.osrc.athens.count div $memberCount, '0.0%')"/>)
-                        </p>
-                    </li>
-                    <li>
-                        <p>
-                            Members (other than Eduserv) using an Athens IdP: <xsl:value-of select="$members.osrc.athens.true.count"/>
-                            (<xsl:value-of select="format-number($members.osrc.athens.true.count div $memberCount, '0.0%')"/>)
-                        </p>
-                    </li>
                     <li>
                         <p>
                             Members pushing scopes: <xsl:value-of select="$members.osrc.scopes.push.count"/>
@@ -372,16 +306,6 @@
                             (<xsl:value-of select="format-number($members.osrc.none.count div $memberCount, '0.0%')"/>)
                         </p>
                     </li>
-                    <li>
-                        <p>
-                            Chart:
-                            <xsl:value-of select="$membersWithJustIdPsCount"/>,
-                            <xsl:value-of select="$membersWithJustSPsCount"/>,
-                            <xsl:value-of select="$membersWithBothCount"/>,
-                            <xsl:value-of select="$members.osrc.only.count"/>,
-                            <xsl:value-of select="$members.osrc.none.count"/>.                            
-                        </p>
-                    </li>
                 </ul>
 
 
@@ -392,22 +316,22 @@
                     ***                                       ***
                     *********************************************
                 -->
-                
+
 
                 <h2><a name="entities">Entity Statistics</a></h2>
                 <p>
-                    This section provides a useful bottom-up summary of the federation, 
-                    by categorisation of entities, both total numbers and percentages. 
-                    There are three subsections, presenting statistics applying to all entities, 
-                    to Identity Providers and to Service Providers. 
-                    In each subsection there is a 'breakdown by software used'. 
-                    This lists the entities using each type of software recorded if 
-                    there are fewer than 10 such entities in the category; 
-                    otherwise only the overall numbers and percentages are given. 
+                    This section provides a useful bottom-up summary of the federation,
+                    by categorisation of entities, both total numbers and percentages.
+                    There are three subsections, presenting statistics applying to all entities,
+                    to Identity Providers and to Service Providers.
+                    In each subsection there is a 'breakdown by software used'.
+                    This lists the entities using each type of software recorded if
+                    there are fewer than 10 such entities in the category;
+                    otherwise only the overall numbers and percentages are given.
                     (The software used is requested by the UK federation as part of the entity registration procedure,
                     and this information is recorded in the Software element of our records but not included
                     in published metadata.  Heuristics are used to guess the software in use
-                    if there is no Software element in the metadata.) 
+                    if there is no Software element in the metadata.)
                 </p>
                 <p>Total entities: <xsl:value-of select="$entityCount"/>.  This breaks down into:</p>
                 <ul>
@@ -421,7 +345,7 @@
                         <p>(including dual nature: <xsl:value-of select="$dualEntityCount"/>)</p>
                     </li>
                 </ul>
-                
+
                 <p>Of the <xsl:value-of select="$entityCount"/> entities:</p>
                 <ul>
                     <li>
@@ -462,7 +386,7 @@
                             </p>
                         </li>
                     </xsl:if>
-                    
+
                     <xsl:variable name="urnEntities" select="$entities[starts-with(@entityID, 'urn:')]"/>
                     <xsl:variable name="urnEntityCount" select="count($urnEntities)"/>
                     <xsl:if test="$urnEntityCount != 0">
@@ -482,7 +406,7 @@
                             </p>
                         </li>
                     </xsl:if>
-                    
+
                     <xsl:variable name="httpsEntities" select="$entities[starts-with(@entityID, 'https://')]"/>
                     <xsl:variable name="httpsEntityCount" select="count($httpsEntities)"/>
                     <xsl:if test="$httpsEntityCount != 0">
@@ -502,11 +426,11 @@
                             </p>
                         </li>
                     </xsl:if>
-                    
+
                     <xsl:call-template name="ofthese.entity.extras">
                         <xsl:with-param name="entities" select="$entities"/>
                     </xsl:call-template>
-                    
+
                 </ul>
 
                 <xsl:call-template name="entity.breakdown.by.software">
@@ -526,8 +450,8 @@
                     ***                                         ***
                     ***********************************************
                 -->
-                
-                
+
+
                 <h3>Identity Providers</h3>
                 <p>There are <xsl:value-of select="$idpCount"/> identity providers,
                 including <xsl:value-of select="$dualEntityCount"/>
@@ -560,12 +484,12 @@
                         <p>
                             Support SAML 1.1 artifact resolution: <xsl:value-of select="$idps.artifact.saml1.count"/>
                             (<xsl:value-of select="format-number($idps.artifact.saml1.count div $idpCount, '0.0%')"/>
-                            of all IdPs, 
+                            of all IdPs,
                             <xsl:value-of select="format-number($idps.artifact.saml1.count div $idps.saml1.count, '0.0%')"/>
                             of SAML 1.1 IdPs).
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="idp.noaa" select="$idps[not(md:AttributeAuthorityDescriptor)]"/>
                     <xsl:variable name="idp.noaa.count" select="count($idp.noaa)"/>
                     <xsl:if test="$idp.noaa.count != 0">
@@ -582,7 +506,7 @@
                     </xsl:call-template>
 
                 </ul>
-                
+
                 <p>SSO protocol support:</p>
                 <ul>
                     <xsl:variable name="idp.sso.shibboleth"
@@ -621,7 +545,7 @@
                             </li>
                         </ul>
                     </li>
-                    
+
                     <xsl:variable name="idp.sso.saml.1.1"
                         select="$idps[contains(md:IDPSSODescriptor/@protocolSupportEnumeration,
                         'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
@@ -632,7 +556,7 @@
                             (<xsl:value-of select="format-number($idp.sso.saml.1.1.count div $idpCount, '0.0%')"/>)
                         </p>
                     </li>
-                    
+
                     <li>
                         <p>
                             Not supporting SAML 1.1 SSO:
@@ -641,7 +565,7 @@
                             (<xsl:value-of select="format-number($not.saml.1.1 div $idpCount, '0.0%')"/>)
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="idp.sso.saml.2.0"
                         select="$idps[contains(md:IDPSSODescriptor/@protocolSupportEnumeration,
                         'urn:oasis:names:tc:SAML:2.0:protocol')]"/>
@@ -651,7 +575,7 @@
                             SAML 2.0 SSO: <xsl:value-of select="$idp.sso.saml.2.0.count"/>
                             (<xsl:value-of select="format-number($idp.sso.saml.2.0.count div $idpCount, '0.0%')"/>)
                         </p>
-                        
+
                         <ul>
                             <xsl:variable name="idp.sso.saml.2.0.soap"
                                 select="$idp.sso.saml.2.0[descendant::md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP']]"/>
@@ -661,7 +585,7 @@
                                 (<xsl:value-of select="format-number($idp.sso.saml.2.0.soap.count div $idp.sso.saml.2.0.count, '0.0%')"/> of SAML 2.0 IdPs,
                                 <xsl:value-of select="format-number($idp.sso.saml.2.0.soap.count div $idpCount, '0.0%')"/> of all IdPs)
                             </li>
-                            
+
                             <xsl:variable name="idp.sso.saml.2.0.artifact"
                                 select="$idp.sso.saml.2.0[descendant::md:ArtifactResolutionService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP']]"/>
                             <xsl:variable name="idp.sso.saml.2.0.artifact.count" select="count($idp.sso.saml.2.0.artifact)"/>
@@ -673,7 +597,7 @@
 
                         </ul>
                     </li>
-                    
+
                     <li>
                         <p>
                             Not supporting SAML 2.0 SSO:
@@ -682,7 +606,7 @@
                             (<xsl:value-of select="format-number($not.saml.2 div $idpCount, '0.0%')"/>)
                         </p>
                     </li>
-                    
+
                 </ul>
 
                 <xsl:call-template name="entity.breakdown.by.software">
@@ -692,8 +616,8 @@
                 <xsl:call-template name="keydescriptor.breakdown">
                     <xsl:with-param name="entities" select="$idps"/>
                 </xsl:call-template>
-                
-                
+
+
 
                 <!--
                     *********************************************
@@ -702,8 +626,8 @@
                     ***                                       ***
                     *********************************************
                 -->
-                
-                
+
+
                 <h3>Service Providers</h3>
                 <p>There are <xsl:value-of select="$spCount"/> service providers,
                     including <xsl:value-of select="$dualEntityCount"/>
@@ -718,7 +642,7 @@
                             (<xsl:value-of select="format-number($sp.slo.count div $spCount, '0.0%')"/>).
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="sp.nim" select="$sps[md:SPSSODescriptor/md:ManageNameIDService]"/>
                     <xsl:variable name="sp.nim.count" select="count($sp.nim)"/>
                     <li>
@@ -727,7 +651,7 @@
                             (<xsl:value-of select="format-number($sp.nim.count div $spCount, '0.0%')"/>).
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="sp.idpdisc"
                         select="$sps[md:SPSSODescriptor/md:Extensions/idpdisc:DiscoveryResponse/@Binding=
                         'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']"/>
@@ -738,7 +662,7 @@
                             (<xsl:value-of select="format-number($sp.idpdisc.count div $spCount, '0.0%')"/>).
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="sp.init" select="$sps[md:SPSSODescriptor/md:Extensions/init:RequestInitiator]"/>
                     <xsl:variable name="sp.init.count" select="count($sp.init)"/>
                     <li>
@@ -747,7 +671,7 @@
                             (<xsl:value-of select="format-number($sp.init.count div $spCount, '0.0%')"/>).
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="sp.rqa" select="$sps[descendant::md:RequestedAttribute]"/>
                     <xsl:variable name="sp.rqa.count" select="count($sp.rqa)"/>
                     <xsl:if test="$sp.rqa.count != 0">
@@ -762,9 +686,9 @@
                     <xsl:call-template name="ofthese.entity.extras">
                         <xsl:with-param name="entities" select="$sps"/>
                     </xsl:call-template>
-                    
+
                 </ul>
-                
+
                 <p>SSO protocol support:</p>
                 <ul>
                     <xsl:variable name="sp.sso.saml.1.0"
@@ -786,7 +710,7 @@
                                     (<xsl:value-of select="format-number($sp.saml.1.0.acs.saml.1.0.post.count div $sp.sso.saml.1.0.count, '0.0%')"/>)
                                 </p>
                             </li>
-                            
+
                             <xsl:variable name="sp.saml.1.0.acs.saml.1.0.artifact"
                                 select="$sp.sso.saml.1.0[md:SPSSODescriptor/md:AssertionConsumerService/@Binding='urn:oasis:names:tc:SAML:1.0:profiles:artifact-01']"/>
                             <xsl:variable name="sp.saml.1.0.acs.saml.1.0.artifact.count" select="count($sp.saml.1.0.acs.saml.1.0.artifact)"/>
@@ -798,7 +722,7 @@
                             </li>
                         </ul>
                     </li>
-                    
+
                     <xsl:variable name="sp.sso.saml.1.1"
                         select="$sps[contains(md:SPSSODescriptor/@protocolSupportEnumeration,
                         'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
@@ -818,7 +742,7 @@
                                     (<xsl:value-of select="format-number($sp.saml.1.1.acs.saml.1.0.post.count div $sp.sso.saml.1.1.count, '0.0%')"/>)
                                 </p>
                             </li>
-                            
+
                             <xsl:variable name="sp.saml.1.1.acs.saml.1.0.artifact"
                                 select="$sp.sso.saml.1.1[md:SPSSODescriptor/md:AssertionConsumerService/@Binding='urn:oasis:names:tc:SAML:1.0:profiles:artifact-01']"/>
                             <xsl:variable name="sp.saml.1.1.acs.saml.1.0.artifact.count" select="count($sp.saml.1.1.acs.saml.1.0.artifact)"/>
@@ -831,7 +755,7 @@
 
                         </ul>
                     </li>
-                    
+
                     <li>
                         <p>
                             Not supporting SAML 1.1 SSO:
@@ -840,7 +764,7 @@
                             (<xsl:value-of select="format-number($not.saml.1.1 div $spCount, '0.0%')"/>)
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="sp.sso.saml.2.0"
                         select="$sps[contains(md:SPSSODescriptor/@protocolSupportEnumeration,
                         'urn:oasis:names:tc:SAML:2.0:protocol')]"/>
@@ -860,7 +784,7 @@
                                     (<xsl:value-of select="format-number($sp.saml.2.0.acs.saml.2.0.post.count div $sp.sso.saml.2.0.count, '0.0%')"/>)
                                 </p>
                             </li>
-                            
+
                             <xsl:variable name="sp.saml.2.0.acs.saml.2.0.post.ss"
                                 select="$sp.sso.saml.2.0[md:SPSSODescriptor/md:AssertionConsumerService/@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']"/>
                             <xsl:variable name="sp.saml.2.0.acs.saml.2.0.post.ss.count" select="count($sp.saml.2.0.acs.saml.2.0.post.ss)"/>
@@ -889,11 +813,11 @@
                                     PAOS: <xsl:value-of select="$sp.saml.2.0.acs.saml.2.0.paos.count"/>
                                     (<xsl:value-of select="format-number($sp.saml.2.0.acs.saml.2.0.paos.count div $sp.sso.saml.2.0.count, '0.0%')"/>)
                                 </p>
-                            </li>                            
-                            
+                            </li>
+
                         </ul>
                     </li>
-                    
+
                     <li>
                         <p>
                             Not supporting SAML 2.0 SSO:
@@ -904,7 +828,7 @@
                     </li>
 
                 </ul>
-                
+
                 <xsl:call-template name="entity.breakdown.by.software">
                     <xsl:with-param name="entities" select="$sps"/>
                 </xsl:call-template>
@@ -912,9 +836,9 @@
                 <xsl:call-template name="keydescriptor.breakdown">
                     <xsl:with-param name="entities" select="$sps"/>
                 </xsl:call-template>
-                
-                
-                
+
+
+
                 <!--
                     *********************************************
                     ***                                       ***
@@ -924,9 +848,9 @@
                 -->
                 <h2><a name="byOwner">Entities by Owner</a></h2>
                 <p>
-                    This section is intended to be largely self-explanatory. 
-                    Any items in [...] brackets give additional information about the entity: 
-                    its type, the software used, etc. 
+                    This section is intended to be largely self-explanatory.
+                    Any items in [...] brackets give additional information about the entity:
+                    its type, the software used, etc.
                  </p>
                 <ul>
                     <xsl:apply-templates select="$memberNames" mode="enumerate">
@@ -934,8 +858,8 @@
                     </xsl:apply-templates>
                 </ul>
 
-                
-                
+
+
                 <!--
                     ***********************************************
                     ***                                         ***
@@ -944,7 +868,7 @@
                     ***********************************************
                 -->
                 <h2><a name="accountableIdPs">Identity Provider Accountability</a></h2>
-                
+
                 <p>
                     The following entities are visible in the main federation discovery service
                     but do not assert user accountability:
@@ -971,8 +895,8 @@
                     ***************************************************************
                 -->
                 <h2><a name="undeployedMembers">Members Lacking Deployment</a></h2>
-                <!-- start with members with no entities and no OpenAthens -->
-                <xsl:variable name="nodeploy.0" select="$membersWithNoneNoAthens"/>
+                <!-- start with members with no entities -->
+                <xsl:variable name="nodeploy.0" select="$membersWithNone"/>
                 <!-- remove members who have scopes sent to some entity -->
                 <xsl:variable name="nodeploy.1"
                     select="$nodeploy.0[not(members:Scopes/members:Entity)]"
@@ -981,7 +905,9 @@
                 <p>
                     The following <xsl:value-of select="count($nodeploy.out)"/>
                     members of the UK federation have no deployed entities,
-                    either in their own name or deployed on their behalf by other members.
+                    either in their own name or deployed on their behalf by other members
+                    and to which they have "pushed" scopes.
+                    Use of OpenAthens virtual IdPs is not considered here.
                     The list is ordered by date of joining the UK federation.
                 </p>
                 <ul>
@@ -992,37 +918,10 @@
                             <xsl:value-of select="members:Name"/>
                         </li>
                     </xsl:for-each>
-                </ul>                
-                
+                </ul>
 
 
-                <!--
-                    ***************************************************************
-                    ***                                                         ***
-                    ***      S H I B B O L E T H   1 . 3   R E M N A N T S      ***
-                    ***                                                         ***
-                    ***************************************************************
-                -->
-                <h2><a name="shib13">Shibboleth 1.3 Remnants</a></h2>
-                <p>
-                    The following lists show entities that are believed to be running the
-                    Shibboleth 1.3 software, which reached its official end of life
-                    date on 30-June-2010.
-                    As heuristics have been used to create these lists, they may
-                    not be completely accurate.
-                </p>
 
-                <h3>Shibboleth 1.3 Identity Provider Entities</h3>
-                <xsl:call-template name="list.shibboleth.1.3.entities">
-                    <xsl:with-param name="entities" select="$idps"/>
-                </xsl:call-template>
-
-                <h3>Shibboleth 1.3 Service Provider Entities</h3>
-                <xsl:call-template name="list.shibboleth.1.3.entities">
-                    <xsl:with-param name="entities" select="$sps"/>
-                </xsl:call-template>
- 
- 
                 <!--
                     ***************************************
                     ***                                 ***
@@ -1030,7 +929,7 @@
                     ***                                 ***
                     ***************************************
                 -->
-                
+
                 <h2><a name="exportOptOut">Export Aggregate: Entities Opted Out</a></h2>
                 <xsl:variable name="entities.export.opt.out" select="$entities[descendant::ukfedlabel:ExportOptOut]"/>
                 <xsl:variable name="entities.export.opt.out.count" select="count($entities.export.opt.out)"/>
@@ -1050,7 +949,7 @@
                                             <xsl:text>[RqA] </xsl:text>
                                         </xsl:when>
                                         <xsl:otherwise>
-                                            <xsl:text>[!RqA] </xsl:text> 
+                                            <xsl:text>[!RqA] </xsl:text>
                                         </xsl:otherwise>
                                     </xsl:choose>
                                 </xsl:if>
@@ -1070,13 +969,13 @@
                                         <li>
                                             No SAML 2.0 support
                                         </li>
-                                    </ul>                                    
+                                    </ul>
                                 </xsl:if>
                             </li>
                         </xsl:for-each>
                     </ul>
                 </xsl:if>
-                
+
                 <!--
                     *************************************
                     ***                               ***
@@ -1084,7 +983,7 @@
                     ***                               ***
                     *************************************
                 -->
-                
+
                 <h2><a name="exportOptIn">Export Aggregate: Entities Explicitly Opted In</a></h2>
                 <xsl:variable name="entities.export" select="$entities[descendant::ukfedlabel:ExportOptIn]"/>
                 <xsl:variable name="entities.export.count" select="count($entities.export)"/>
@@ -1104,7 +1003,7 @@
                                             <xsl:text>[RqA] </xsl:text>
                                         </xsl:when>
                                         <xsl:otherwise>
-                                            <xsl:text>[!RqA] </xsl:text> 
+                                            <xsl:text>[!RqA] </xsl:text>
                                         </xsl:otherwise>
                                     </xsl:choose>
                                 </xsl:if>
@@ -1124,13 +1023,14 @@
                                         <li>
                                             No SAML 2.0 support
                                         </li>
-                                    </ul>                                    
+                                    </ul>
                                 </xsl:if>
                             </li>
                         </xsl:for-each>
                     </ul>
                 </xsl:if>
-                
+
+
                 <!--
                     *****************************************************************************
                     ***                                                                       ***
@@ -1151,9 +1051,14 @@
                     The software used by the entity, if known, is included at the end of the listing within
                     brackets [like this].
                 </p>
+                <xsl:variable name="nosaml2.sps" select="$sps[md:SPSSODescriptor[not(contains(@protocolSupportEnumeration,
+                    'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+                <xsl:variable name="nosaml2.sps.count" select="count($nosaml2.sps)"/>
+                <p>
+                    SPs: <xsl:value-of select="$nosaml2.sps.count"/>
+                </p>
                 <ul>
-                    <xsl:for-each select="$sps[md:SPSSODescriptor[not(contains(@protocolSupportEnumeration,
-                        'urn:oasis:names:tc:SAML:2.0:protocol'))]]">
+                    <xsl:for-each select="$nosaml2.sps">
                         <xsl:sort select="descendant::md:OrganizationName"/>
                         <li>
                             <xsl:value-of select="@ID"/>
@@ -1180,15 +1085,44 @@
                 </xsl:call-template>
 
                 <h3>Identity Providers Without SAML 2.0 Support</h3>
+                <xsl:variable name="nosaml2.idps" select="$idps[md:IDPSSODescriptor[not(contains(@protocolSupportEnumeration,
+                    'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+                <xsl:variable name="nosaml2.idps.count" select="count($nosaml2.idps)"/>
+                <p>
+                    IdPs: <xsl:value-of select="$nosaml2.idps.count"/>
+                </p>
+                <xsl:if test="$nosaml2.idps.count != 0">
+                    <ul>
+                        <xsl:for-each select="$nosaml2.idps">
+                            <xsl:sort select="descendant::md:OrganizationName"/>
+                            <li>
+                                <xsl:value-of select="@ID"/>
+                                <xsl:text>: </xsl:text>
+                                <xsl:value-of select="descendant::md:OrganizationName"/>
+                                <xsl:text>: </xsl:text>
+                                <xsl:choose>
+                                    <xsl:when test="descendant::mdui:DisplayName">
+                                        <xsl:value-of select="descendant::mdui:DisplayName"/>
+                                    </xsl:when>
+                                    <xsl:otherwise>
+                                        <xsl:text>(</xsl:text>
+                                        <xsl:value-of select="descendant::md:OrganizationDisplayName"/>
+                                        <xsl:text>)</xsl:text>
+                                    </xsl:otherwise>
+                                </xsl:choose>
+                                <xsl:apply-templates select="md:Extensions/ukfedlabel:Software" mode="short"/>
+                            </li>
+                        </xsl:for-each>
+                    </ul>
+                </xsl:if>
                 <xsl:call-template name="entity.breakdown.by.software">
-                    <xsl:with-param name="entities" select="$idps[md:IDPSSODescriptor[not(contains(@protocolSupportEnumeration,
-                        'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+                    <xsl:with-param name="entities" select="$nosaml2.idps"/>
                 </xsl:call-template>
-                
+
             </body>
         </html>
     </xsl:template>
-    
+
     <!--
         *****************************************
         ***                                   ***
@@ -1196,7 +1130,7 @@
         ***                                   ***
         *****************************************
     -->
-    
+
     <xsl:template match="members:Member" mode="count">
         <xsl:param name="entities"/>
         <xsl:variable name="myName" select="string(members:Name)"/>
@@ -1211,6 +1145,18 @@
                     <xsl:text>)</xsl:text>
                 </xsl:if>
             </td>
+            <td>
+                <xsl:choose>
+                    <!-- remove a prefix 'ukforg' if present (currently always the case) -->
+                    <xsl:when test="starts-with(@ID, 'ukforg')">
+                        <xsl:value-of select="substring-after(@ID, 'ukforg')"/>
+                    </xsl:when>
+                    <!-- otherwise just use the whole of the ID -->
+                    <xsl:otherwise>
+                        <xsl:value-of select="@ID"/>
+                    </xsl:otherwise>
+                </xsl:choose>
+            </td>
             <!-- count total entities -->
             <td align="center">
                 <xsl:choose>
@@ -1246,31 +1192,26 @@
                     </xsl:otherwise>
                 </xsl:choose>
             </td>
-            
+
             <!-- Outsourcing in general -->
             <td align="center">
                 <xsl:choose>
-                
-                	<!-- Special case: Eduserv does NOT outsource -->
+
+                    <!-- Special case: Eduserv does NOT outsource -->
                     <xsl:when test="members:Name = 'Eduserv'">
                         &#160;
                     </xsl:when>
-                    
-                    <!-- anyone else using the Athens IdP does outsource -->
-                    <xsl:when test="@usesAthensIdP = 'true'">
-                        *
-                    </xsl:when>
-                    
+
                     <!--
-                    	Anyone pushing scopes to an entity is assumed to
-                    	be outsourcing.  Strictly speaking, this should be
-                    	anyone pushing scopes to an entity owned by another
-                    	member.
+                        Anyone pushing scopes to an entity is assumed to
+                        be outsourcing.  Strictly speaking, this should be
+                        anyone pushing scopes to an entity owned by another
+                        member.
                     -->
                     <xsl:when test="members:Scopes/members:Entity">
                         *
                     </xsl:when>
-                    
+
                     <!-- if none of the above, not outsourcing -->
                     <xsl:otherwise>
                         &#160;
@@ -1279,7 +1220,7 @@
             </td>
         </tr>
     </xsl:template>
-    
+
     <xsl:template match="members:Name" mode="enumerate">
         <xsl:param name="entities"/>
         <xsl:variable name="myName" select="."/>
@@ -1336,7 +1277,7 @@
         ***   " O F   T H E S E "   E X T R A S   ***
         ***                                       ***
         *********************************************
-        
+
         Extra list entries for the "of these" breakdowns
         in the entity sections.
     -->
@@ -1355,7 +1296,7 @@
                 </p>
             </li>
         </xsl:if>
-        
+
         <xsl:variable name="e.algsupport"
             select="$entities[descendant::alg:* or descendant::md:EncryptionMethod]"/>
         <xsl:variable name="e.algsupport.count" select="count($e.algsupport)"/>
@@ -1366,7 +1307,7 @@
                     (<xsl:value-of select="format-number($e.algsupport.count div $entityCount, '0.0%')"/>)
                     provide algorithm support metadata:
                 </p>
-                
+
                 <ul>
                     <xsl:variable name="e.alg.dig" select="$entities[descendant::alg:SigningMethod]"/>
                     <xsl:variable name="e.alg.dig.count" select="count($e.alg.dig)"/>
@@ -1385,7 +1326,7 @@
                             <xsl:value-of select="$e.sha1.count"/>
                             (<xsl:value-of select="format-number($e.sha1.count div $e.alg.dig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.sha224" select="$entities[
                             descendant::alg:DigestMethod/@Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha224']"/>
                         <xsl:variable name="e.sha224.count" select="count($e.sha224)"/>
@@ -1394,7 +1335,7 @@
                             <xsl:value-of select="$e.sha224.count"/>
                             (<xsl:value-of select="format-number($e.sha224.count div $e.alg.dig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.sha256" select="$entities[
                             descendant::alg:DigestMethod/@Algorithm='http://www.w3.org/2001/04/xmlenc#sha256']"/>
                         <xsl:variable name="e.sha256.count" select="count($e.sha256)"/>
@@ -1403,7 +1344,7 @@
                             <xsl:value-of select="$e.sha256.count"/>
                             (<xsl:value-of select="format-number($e.sha256.count div $e.alg.dig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.sha384" select="$entities[
                             descendant::alg:DigestMethod/@Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha384']"/>
                         <xsl:variable name="e.sha384.count" select="count($e.sha384)"/>
@@ -1412,7 +1353,7 @@
                             <xsl:value-of select="$e.sha384.count"/>
                             (<xsl:value-of select="format-number($e.sha384.count div $e.alg.dig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.sha512" select="$entities[
                             descendant::alg:DigestMethod/@Algorithm='http://www.w3.org/2001/04/xmlenc#sha512']"/>
                         <xsl:variable name="e.sha512.count" select="count($e.sha512)"/>
@@ -1433,9 +1374,9 @@
                             <xsl:value-of select="$e.sha3.any.count"/>
                             (<xsl:value-of select="format-number($e.sha3.any.count div $e.alg.dig.count, '0.0%')"/>)
                         </li>
-                        
+
                     </ul>
-                    
+
                     <xsl:variable name="e.alg.sig" select="$entities[descendant::alg:SigningMethod]"/>
                     <xsl:variable name="e.alg.sig.count" select="count($e.alg.sig)"/>
                     <li>
@@ -1453,7 +1394,7 @@
                             <xsl:value-of select="$e.sha1.count"/>
                             (<xsl:value-of select="format-number($e.sha1.count div $e.alg.sig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.sha224" select="$entities[
                             descendant::alg:SigningMethod/@Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha224']"/>
                         <xsl:variable name="e.sha224.count" select="count($e.sha224)"/>
@@ -1462,7 +1403,7 @@
                             <xsl:value-of select="$e.sha224.count"/>
                             (<xsl:value-of select="format-number($e.sha224.count div $e.alg.sig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.sha256" select="$entities[
                             descendant::alg:SigningMethod/@Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256']"/>
                         <xsl:variable name="e.sha256.count" select="count($e.sha256)"/>
@@ -1489,7 +1430,7 @@
                             <xsl:value-of select="$e.sha512.count"/>
                             (<xsl:value-of select="format-number($e.sha512.count div $e.alg.sig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.ec.any" select="$entities[
                             descendant::alg:SigningMethod/@Algorithm='http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1' or
                             descendant::alg:SigningMethod/@Algorithm='http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224' or
@@ -1502,7 +1443,7 @@
                             <xsl:value-of select="$e.ec.any.count"/>
                             (<xsl:value-of select="format-number($e.ec.any.count div $e.alg.sig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.dsa.any" select="$entities[
                             descendant::alg:SigningMethod/@Algorithm='http://www.w3.org/2000/09/xmldsig#dsa-sha1' or
                             descendant::alg:SigningMethod/@Algorithm='http://www.w3.org/2009/xmldsig11#dsa-sha256']"/>
@@ -1519,9 +1460,9 @@
                             <xsl:variable name="e.dsa.new.count" select="count($e.dsa.new)"/>
                             [<xsl:value-of select="$e.dsa.old.count"/>, <xsl:value-of select="$e.dsa.new.count"/>]
                         </li>
-                        
+
                     </ul>
-                    
+
                     <xsl:variable name="e.alg.enc" select="$entities[descendant::md:EncryptionMethod]"/>
                     <xsl:variable name="e.alg.enc.count" select="count($e.alg.enc)"/>
                     <li>
@@ -1542,71 +1483,15 @@
                             (<xsl:value-of select="format-number($e.gcm.count div $e.alg.enc.count, '0.0%')"/>)
                         </li>
                     </ul>
-                    
+
                 </ul>
-    
+
             </li>
         </xsl:if>
 
     </xsl:template>
 
 
-
-    <!--
-        Given a list of entities, extract and list those which are apparently running Shibboleth 1.3.
-    -->
-    <xsl:template name="list.shibboleth.1.3.entities">
-        <xsl:param name="entities"/>
-        <!--
-            Remove everything that says it is something other than Shibboleth, or which includes
-            a SAML 2.0 token in any of its role descriptors' protocolSupportEnumerations.
-        -->
-        <xsl:variable name="entities.1"
-            select="set:difference($entities,
-                $entities[
-                    md:Extensions/ukfedlabel:Software[@name != 'Shibboleth'] |
-                    md:*[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-                ])"/>
-        <!-- remove things that look like Shibboleth 2.x -->
-        <xsl:variable name="entities.2"
-            select="set:difference($entities.1,
-                $entities.1[
-                    md:IDPSSODescriptor/md:SingleSignOnService[contains(@Location, '/profile/Shibboleth/SSO')] |
-                    md:SPSSODescriptor/md:AssertionConsumerService[contains(@Location, '/Shibboleth.sso/SAML2/POST')] |
-                    md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '2']
-                ]
-            )"/>
-        <!-- select only remainder that look like Shibboleth 1.3 -->
-        <xsl:variable name="entities.3"
-            select="$entities.2[
-                md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '1.3'] |
-                md:IDPSSODescriptor/md:SingleSignOnService[contains(@Location, '-idp/SSO')] |
-                md:SPSSODescriptor/md:AssertionConsumerService[contains(@Location, 'Shibboleth.sso')]
-            ]"/>
-        <!-- final set -->
-        <xsl:variable name="entities.out" select="$entities.3"/>
-        <xsl:variable name="entities.out.count" select="count($entities.out)"/>
-        <!-- print the list -->
-        <p>
-            <xsl:value-of select="$entities.out.count"/> entities:
-        </p>
-        <ul>
-            <xsl:for-each select="$entities.out">
-                <li>
-                    <xsl:value-of select="@ID"/>:
-                    <code><xsl:value-of select="@entityID"/></code>
-                    <!-- suspect misclassification if an SP has an encryption key -->
-                    <xsl:if test="md:SPSSODescriptor/md:KeyDescriptor[@use='encryption']">
-                        <xsl:text> [HasEncKey]</xsl:text>
-                    </xsl:if>
-                    <xsl:text> (</xsl:text>
-                    <xsl:value-of select="md:Organization/md:OrganizationName"/>
-                    <xsl:text>)</xsl:text>
-                </li>
-            </xsl:for-each>
-        </ul>
-    </xsl:template>
-    
     <!--
         Break down a set of entities by the software used.
     -->
@@ -1623,7 +1508,7 @@
                 ***   C L A S S I F Y   E N T I T I E S   B Y   S O F T W A R E   ***
                 ***                                                               ***
                 *********************************************************************
-                
+
                 The classification algorithms used here are chained together so that
                 each classification step works only on those entities not already
                 classified.  This means that entities won't be counted twice, but
@@ -1631,10 +1516,10 @@
                 shouldn't be changed without careful thought.  In general, more
                 specific algorithms should appear before more general ones.
             -->
-            
+
             <!--
                 Classify miscellaneous entities.
-                
+
                 Here we pull off a list of entities labelled with explicit
                 Software labels that aren't for the software we address
                 in more detail below.  The result is, as it were, a list of
@@ -1656,7 +1541,7 @@
                 ]"/>
             <xsl:variable name="entities.misc.out"
                 select="set:difference($entities.misc.in, $entities.misc)"/>
-            
+
             <!--
                 Classify EZproxy SPs
             -->
@@ -1674,7 +1559,7 @@
                 select="$entities.simplesamlphp.in[md:Extensions/ukfedlabel:Software/@name='simpleSAMLphp']"/>
             <xsl:variable name="entities.simplesamlphp.out"
                 select="set:difference($entities.simplesamlphp.in, $entities.simplesamlphp)"/>
-            
+
             <!--
                 Classify Atypon SAML SP entities.
             -->
@@ -1683,7 +1568,7 @@
                 select="$entities.atyponsamlsp.in[md:Extensions/ukfedlabel:Software/@name='Atypon SAML SP 1.1/2.0']"/>
             <xsl:variable name="entities.atyponsamlsp.out"
                 select="set:difference($entities.atyponsamlsp.in, $entities.atyponsamlsp)"/>
-            
+
             <!--
                 Classify OpenAthens entities.
             -->
@@ -1692,7 +1577,7 @@
                 select="$entities.openathens.in[md:Extensions/ukfedlabel:Software/@name='OpenAthens']"/>
             <xsl:variable name="entities.openathens.out"
                 select="set:difference($entities.openathens.in, $entities.openathens)"/>
-            
+
             <!--
                 Classify Shibboleth 3 IdPs entities.
             -->
@@ -1703,7 +1588,7 @@
                 ]"/>
             <xsl:variable name="entities.shib.3.out"
                 select="set:difference($entities.shib.3.in, $entities.shib.3)"/>
-            
+
             <!--
                 Classify Shibboleth 2.0 IdPs and SPs.
             -->
@@ -1717,30 +1602,15 @@
             <xsl:variable name="entities.shib.2.out"
                 select="set:difference($entities.shib.2.in, $entities.shib.2)"/>
 
-            <!--
-                Classify Shibboleth 1.3 entities.
-            -->
-            <xsl:variable name="entities.shib.13.in" select="$entities.shib.2.out"/>
-            <xsl:variable name="entities.shib.13"
-                select="$entities.shib.13.in[
-                    md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '1.3'] |
-                    md:IDPSSODescriptor/md:SingleSignOnService[contains(@Location, '-idp/SSO')] |
-                    md:SPSSODescriptor/md:AssertionConsumerService[contains(@Location, 'Shibboleth.sso')]
-                ][
-                    not(md:*[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')])
-                ]"/>
-            <xsl:variable name="entities.shib.13.out"
-                select="set:difference($entities.shib.13.in, $entities.shib.13)"/>
-            
             <!--
                 Classify Athens Gateway entities
             -->
-            <xsl:variable name="entities.gateways.in" select="$entities.shib.13.out"/>
+            <xsl:variable name="entities.gateways.in" select="$entities.shib.2.out"/>
             <xsl:variable name="entities.gateways"
                 select="$entities.gateways.in[md:Extensions/ukfedlabel:Software/@name='Eduserv Gateway']"/>
             <xsl:variable name="entities.gateways.out"
                 select="set:difference($entities.gateways.in, $entities.gateways)"/>
-            
+
             <!--
                 Classify OpenAthens virtual IdPs.
             -->
@@ -1754,7 +1624,7 @@
                     ]"/>
             <xsl:variable name="entities.openathens.virtual.out"
                 select="set:difference($entities.openathens.virtual.in, $entities.openathens.virtual)"/>
-            
+
             <!--
                 Classify Guanxi entities.
             -->
@@ -1763,7 +1633,7 @@
                 select="$entities.guanxi.in[md:Extensions/ukfedlabel:Software/@name='Guanxi']"/>
             <xsl:variable name="entities.guanxi.out"
                 select="set:difference($entities.guanxi.in, $entities.guanxi)"/>
-            
+
             <!--
                 Classify AthensIM entities.
             -->
@@ -1772,14 +1642,14 @@
                 select="$entities.athensim.in[md:Extensions/ukfedlabel:Software/@name='AthensIM']"/>
             <xsl:variable name="entities.athensim.out"
                 select="set:difference($entities.athensim.in, $entities.athensim)"/>
-            
+
             <!--
                 Remaining entities are unknown.
             -->
             <xsl:variable name="entities.unclassified" select="$entities.athensim.out"/>
             <xsl:variable name="unknownSoftwareEntities"
                 select="$entities.unclassified | $entities.misc"/>
-            
+
             <!--
                 ***************************************************************
                 ***                                                         ***
@@ -1787,27 +1657,20 @@
                 ***                                                         ***
                 ***************************************************************
             -->
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.shib.3"/>
                 <xsl:with-param name="name">Shibboleth 3.x</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.shib.2"/>
                 <xsl:with-param name="name">Shibboleth 2.x</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
-            <xsl:call-template name="entity.breakdown.by.software.line">
-                <xsl:with-param name="entities" select="$entities.shib.13"/>
-                <xsl:with-param name="name">Shibboleth 1.3</xsl:with-param>
-                <xsl:with-param name="total" select="$entityCount"/>
-                <xsl:with-param name="show.max" select="10"/>
-            </xsl:call-template>
 
-            <xsl:variable name="entities.shib" select="$entities.shib.13 | $entities.shib.2 | $entities.shib.3"/>
+            <xsl:variable name="entities.shib" select="$entities.shib.2 | $entities.shib.3"/>
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.shib"/>
                 <xsl:with-param name="name">Shibboleth combined</xsl:with-param>
@@ -1820,13 +1683,13 @@
                 <xsl:with-param name="name">Other than Shibboleth</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.ezproxy"/>
                 <xsl:with-param name="name">EZproxy</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.simplesamlphp"/>
                 <xsl:with-param name="name">simpleSAMLphp</xsl:with-param>
@@ -1844,31 +1707,31 @@
                 <xsl:with-param name="name">AthensIM</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.guanxi"/>
                 <xsl:with-param name="name">Guanxi</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.gateways"/>
                 <xsl:with-param name="name">Athens/Shibboleth gateway</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.openathens.virtual"/>
                 <xsl:with-param name="name">OpenAthens Virtual IdP</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.openathens"/>
                 <xsl:with-param name="name">OpenAthens</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$unknownSoftwareEntities"/>
                 <xsl:with-param name="name">Unknown or other</xsl:with-param>
@@ -1915,7 +1778,7 @@
             </li>
         </xsl:if>
     </xsl:template>
-    
+
     <!--
         *********************************************************
         ***                                                   ***
@@ -1932,5 +1795,5 @@
             (<xsl:value-of select="format-number($kd.count div count($entities), '0.0')"/> per entity).
         </p>
     </xsl:template>
-    
-</xsl:stylesheet>
\ No newline at end of file
+
+</xsl:stylesheet>
diff --git a/mdx/uk/strip_extensions.xsl b/mdx/uk/strip_extensions.xsl
index 335a0236..176baabb 100644
--- a/mdx/uk/strip_extensions.xsl
+++ b/mdx/uk/strip_extensions.xsl
@@ -1,55 +1,55 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	strip_extensions.xsl
-	
-	Strip out any ukfedlabel namespace extensions that we don't intend to publish.
-	This may require removing now-empty md:Extensions elements.
+    strip_extensions.xsl
+
+    Strip out any ukfedlabel namespace extensions that we don't intend to publish.
+    This may require removing now-empty md:Extensions elements.
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	
-	xmlns:exsl="http://exslt.org/common"
-	extension-element-prefixes="exsl"
-	
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="md">
-
-	<!--
-		Pass through certain ukfedlabel namespace elements.
-	-->
-	<xsl:template match="ukfedlabel:UKFederationMember | ukfedlabel:AccountableUsers">
-		<xsl:copy>
-			<!--
-				Copy nested text and comments, but not attributes.
-
-				AccountableUsers does not have any attributes.
-
-				UKFederationMember does not have any attributes intended for
-				publication.
-			-->
-			<xsl:apply-templates select="text()|comment()"/>
-		</xsl:copy>
-	</xsl:template>
-	
-	<!--
-		Strip all other ukfedlabel namespace elements entirely.
-	-->
-	<xsl:template match="ukfedlabel:*"/>
-
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+
+    xmlns:exsl="http://exslt.org/common"
+    extension-element-prefixes="exsl"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    exclude-result-prefixes="md">
+
+    <!--
+        Pass through certain ukfedlabel namespace elements.
+    -->
+    <xsl:template match="ukfedlabel:UKFederationMember | ukfedlabel:AccountableUsers">
+        <xsl:copy>
+            <!--
+                Copy nested text and comments, but not attributes.
+
+                AccountableUsers does not have any attributes.
+
+                UKFederationMember does not have any attributes intended for
+                publication.
+            -->
+            <xsl:apply-templates select="text()|comment()"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <!--
+        Strip all other ukfedlabel namespace elements entirely.
+    -->
+    <xsl:template match="ukfedlabel:*"/>
+
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/uk/strip_sirtfi_contacts.xsl b/mdx/uk/strip_sirtfi_contacts.xsl
index 9975d051..659847dd 100644
--- a/mdx/uk/strip_sirtfi_contacts.xsl
+++ b/mdx/uk/strip_sirtfi_contacts.xsl
@@ -1,34 +1,34 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	strip_sirtfi_contacts.xsl
-	
-	Strip out any UK federation-registered ContactPerson elements associated with SIRTFI.
+    strip_sirtfi_contacts.xsl
+
+    Strip out any UK federation-registered ContactPerson elements associated with SIRTFI.
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:remd="http://refeds.org/metadata"
-	
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="md">
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:remd="http://refeds.org/metadata"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    exclude-result-prefixes="md">
+
+    <xsl:template match="md:EntityDescriptor[md:Extensions/mdrpi:RegistrationInfo[@registrationAuthority='http://ukfederation.org.uk']]
+        /md:ContactPerson[@contactType='other'][@remd:contactType='http://refeds.org/metadata/contactType/security']">
+        <!-- remove -->
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
 
-	<xsl:template match="md:EntityDescriptor[md:Extensions/mdrpi:RegistrationInfo[@registrationAuthority='http://ukfederation.org.uk']]
-		/md:ContactPerson[@contactType='other'][@remd:contactType='http://refeds.org/metadata/contactType/security']">
-		<!-- remove -->
-	</xsl:template>
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
index e613951b..cfed773c 100644
--- a/mdx/uk/verbs.xml
+++ b/mdx/uk/verbs.xml
@@ -16,12 +16,12 @@
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-    
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:uk/beans.xml"/>
-    
+
     <!--
         ***************************************
         ***                                 ***
@@ -29,13 +29,13 @@
         ***                                 ***
         ***************************************
     -->
-    
+
     <!--
         statistics
-        
+
         Stand-alone statistics generation.
     -->
-    <bean id="statistics" parent="SimplePipeline">
+    <bean id="statistics" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_registeredEntities"/>
@@ -46,22 +46,53 @@
         </property>
     </bean>
 
+    <!--
+        statistics.charting
+
+        Stand-along statistics generation for charting.
+    -->
+    <bean id="statistics.charting" parent="mda.SimplePipeline">
+        <property name="stages">
+            <list>
+                <ref bean="uk_registeredEntities"/>
+                <ref bean="assemble"/>
+                <bean parent="mda.XSLTransformationStage"
+                    p:XSLResource="classpath:uk/statistics-charting.xsl">
+                    <property name="transformParameters">
+                        <map>
+                            <entry key="memberDocument" value-ref="uk_membersDocument"/>
+                        </map>
+                    </property>
+                </bean>
+                <bean parent="mda.SerializationStage">
+                    <property name="serializer" ref="serializer"/>
+                    <property name="outputFile">
+                        <bean parent="File">
+                            <constructor-arg value="${output.dir}/statistics-charting.html"/>
+                        </bean>
+                    </property>
+                </bean>
+            </list>
+        </property>
+    </bean>
+
     <!--
         sp_mdui_test
-        
+
         Generates a page of links to discovery services, for each SP that
         has mdui:uiinfo metadata.
     -->
-    <bean id="sp_mdui_test" parent="SimplePipeline">
+    <bean id="sp_mdui_test" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_registeredEntities"/>
                 <ref bean="assemble"/>
-                <bean id="process" parent="XSLTransformationStage"
+                <bean id="process" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/sp_mdui_test.xsl"/>
-                <bean id="serialize" parent="SerializationStage">
+                <bean id="serialize" parent="mda.SerializationStage">
+                    <property name="serializer" ref="serializer"/>
                     <property name="outputFile">
-                        <bean class="java.io.File">
+                        <bean parent="File">
                             <constructor-arg value="${mdx.dir}/uk/temp.html"/>
                         </bean>
                     </property>
@@ -77,8 +108,8 @@
         ***                 ***
         ***********************
     -->
-    
-    <bean id="verify" parent="SimplePipeline">
+
+    <bean id="verify" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
@@ -87,7 +118,7 @@
                     any of them fail.
                 -->
                 <ref bean="uk_registeredEntities"/>
-                
+
                 <!--
                     Now build an aggregate so that we can perform
                     checks across the whole aggregate, such as
@@ -100,7 +131,7 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         *********************************
         ***                           ***
@@ -108,12 +139,12 @@
         ***                           ***
         *********************************
     -->
-    
-    <bean id="checkPorts" parent="SimplePipeline">
+
+    <bean id="checkPorts" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_registeredEntities"/>
-                
+
                 <!--
                     The next four stages ensure that any errors are reported
                     in entity ID order, even on systems where the native order
@@ -126,13 +157,13 @@
                 <ref bean="populateItemIds"/>
                 <ref bean="uk_populateIds"/>
                 <ref bean="populateRegistrationAuthorities"/>
-                
+
                 <ref bean="check_vhosts"/>
                 <ref bean="errorAnnouncingFilter"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         ***********************************
         ***                             ***
@@ -140,8 +171,8 @@
         ***                             ***
         ***********************************
     -->
-    
-    <bean id="checkFuture" parent="SimplePipeline">
+
+    <bean id="checkFuture" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_registeredEntities"/>
@@ -158,25 +189,25 @@
                 <ref bean="populateItemIds"/>
                 <ref bean="uk_populateIds"/>
                 <ref bean="populateRegistrationAuthorities"/>
-                
+
                 <!--
                     Additional X.509 certificate checks, over and above those
                     performed in uk_registeredEntities.
                 -->
-                <bean id="checkCertificates" parent="X509ValidationStage">
+                <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
                             <!-- none at present -->
                         </list>
                     </property>
                 </bean>
-                
+
                 <ref bean="check_future"/>
                 <ref bean="errorAnnouncingFilter"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         *****************************************
         ***                                   ***
@@ -184,29 +215,31 @@
         ***                                   ***
         *****************************************
     -->
-    
+
     <!--
         fetchImportMetadata
-        
+
         Fetches the contents of the file used to hold metadata to be imported
         into a UK federation fragment file.
     -->
-    <bean id="fetchImportMetadata" parent="DOMFilesystemSourceStage">
+    <bean id="fetchImportMetadata" parent="mda.DOMFilesystemSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="source">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${entities.dir}/import.xml"/>
             </bean>
         </property>
     </bean>
-    
+
     <!--
         serializeImportedMetadata
-        
+
         Serialise the fragment file just imported.
     -->
-    <bean id="serializeImportedMetadata" parent="SerializationStage">
+    <bean id="serializeImportedMetadata" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${entities.dir}/imported.xml"/>
             </bean>
         </property>
@@ -214,39 +247,39 @@
 
     <!--
         import
-        
+
         Pipeline to import a metadata fragment file.
-        
+
         For now, just the head of that pipeline.
     -->
-    <bean id="import.metadata" parent="SimplePipeline">
+    <bean id="import.metadata" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!-- fetch the input file -->
                 <ref bean="fetchImportMetadata"/>
                 <ref bean="populateItemIds"/>
-                
+
                 <!-- perform schema validation and stop immediately if this fails -->
                 <ref bean="checkSchemas"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <!-- fix mailto: in contacts -->
                 <ref bean="uk_fix_mailto"/>
-                
+
                 <!-- transform into a fragment using our local conventions -->
-                <bean id="importTransform" parent="XSLTransformationStage"
+                <bean id="importTransform" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/import.xsl"/>
-                
+
                 <!-- normalise namespaces in a specific way -->
-                <bean id="normalizeFragment" parent="XSLTransformationStage"
+                <bean id="normalizeFragment" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/ns_norm_fragment.xsl"/>
-                
+
                 <!-- check the transformed input -->
                 <ref bean="checkSchemas"/>
-                
+
                 <!--
                     Standard checks (i.e., CHECK_std), with some exclusions.
-                    
+
                     check_saml2meta is excluded so that the "FILL IN" boilerplate on
                     OrganizationURL is not flagged.
                 -->
@@ -272,43 +305,43 @@
                 <ref bean="check_shibboleth"/>
                 <ref bean="check_sp_tls"/>
                 <ref bean="check_uk_trust"/>
-                
-                <bean id="checkCertificates" parent="X509ValidationStage">
+
+                <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
                             <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean parent="X509RSAKeyLengthValidator"
+                            <bean parent="mda.X509RSAKeyLengthValidator"
                                 p:warningBoundary="0" p:errorBoundary="2048"/>
                             <!-- Error on small RSA public exponents. -->
-                            <bean parent="X509RSAExponentValidator"/>
+                            <bean parent="mda.X509RSAExponentValidator"/>
                             <!-- Error on inconsistent subjectAltNames. -->
-                            <bean parent="X509ConsistentNameValidator"/>
+                            <bean parent="ukf.X509ConsistentNameValidator"/>
 
                             <!--
                                 Debian weak key blacklists.
-                                
+
                                 Don't need to check for keys below our minimum key size.
                             -->
                             <ref bean="debian.2048"/>
                             <ref bean="debian.4096"/>
-                            
+
                             <!--
                                 Compromised key blacklists.
-                                
+
                                 Again, don't need to check for keys below our minimum key size.
                             -->
                             <ref bean="compromised.2048"/>
                         </list>
                     </property>
                 </bean>
-                
+
                 <ref bean="check_uk_mdrps"/>
                 <ref bean="check_uk_urlenc"/>
                 <ref bean="check_future"/>
                 <ref bean="check_imported"/>
                 <ref bean="check_vhosts"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <!-- write output file -->
                 <ref bean="serializeImportedMetadata"/>
             </list>
@@ -322,16 +355,17 @@
         ###                                           ###
         #################################################
     -->
-    
-    <bean id="serializeImported" parent="SerializationStage">
+
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/uk/imported.xml"/>
             </bean>
         </property>
     </bean>
-    
-    <bean id="importExported" parent="SimplePipeline">
+
+    <bean id="importExported" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_exportedEntities"/>
@@ -341,8 +375,8 @@
             </list>
         </property>
     </bean>
-    
-    <bean id="importExportedRaw" parent="SimplePipeline">
+
+    <bean id="importExportedRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_exportAggregate"/>
@@ -350,7 +384,7 @@
             </list>
         </property>
     </bean>
-    
+
     <alias alias="import"    name="importExported"/>
-    <alias alias="importRaw" name="importExportedRaw"/>    
+    <alias alias="importRaw" name="importExportedRaw"/>
 </beans>
diff --git a/mdx/us_incommon/beans.xml b/mdx/us_incommon/beans.xml
index 749202da..8d99949b 100644
--- a/mdx/us_incommon/beans.xml
+++ b/mdx/us_incommon/beans.xml
@@ -11,27 +11,28 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Location of various resources.
     -->
-    <bean id="us_incommon_productionAggregate_url" class="java.lang.String">
+    <bean id="us_incommon_productionAggregate_url" parent="String">
         <constructor-arg value="http://md.incommon.org/InCommon/InCommon-metadata.xml"/>
     </bean>
-    <bean id="us_incommon_fallbackAggregate_url" class="java.lang.String">
+    <bean id="us_incommon_fallbackAggregate_url" parent="String">
         <constructor-arg value="http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml"/>
     </bean>
-    <bean id="us_incommon_previewAggregate_url" class="java.lang.String">
+    <bean id="us_incommon_previewAggregate_url" parent="String">
         <constructor-arg value="http://md.incommon.org/InCommon/InCommon-metadata-preview.xml"/>
     </bean>
-    <bean id="us_incommon_legacyAggregate_url" class="java.lang.String">
+    <bean id="us_incommon_legacyAggregate_url" parent="String">
         <constructor-arg value="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"/>
     </bean>
-    
+
     <!--
         Fetch the production aggregate.
     -->
-    <bean id="us_incommon_productionAggregate" parent="DOMResourceSourceStage">
+    <bean id="us_incommon_productionAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
@@ -39,13 +40,13 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         InCommon signing certificate.
     -->
     <bean id="us_incommon_signingCertificate" parent="X509CertificateFactoryBean"
-    	p:resource="classpath:us_incommon/inc-md-cert.pem"/>
-    
+        p:resource="classpath:us_incommon/inc-md-cert.pem"/>
+
     <!--
         Check InCommon signing signature.
     -->
@@ -55,7 +56,7 @@
 
     <!--
         us_incommon_check_regauth
-        
+
         Any registrationAuthority already present on an entity in this
         channel must match the known registration authority value.
     -->
@@ -66,10 +67,10 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         us_incommon_default_regauth
-        
+
         Provide a default registrationAuthority appropriate to
         this channel.
     -->
@@ -80,11 +81,11 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         Fetch the production entities as a collection.
     -->
-    <bean id="us_incommon_productionEntities" parent="CompositeStage">
+    <bean id="us_incommon_productionEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="us_incommon_productionAggregate"/>
@@ -97,20 +98,20 @@
                 <ref bean="check_validUntil"/>
                 <ref bean="us_incommon_checkSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         Synthesise an export collection by filtering the production entities.
     -->
-    <bean id="us_incommon_exportedEntities" parent="CompositeStage">
+    <bean id="us_incommon_exportedEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="us_incommon_productionAggregate"/>
-                
+
                 <!--
                     Check for fatal errors at the aggregate level:
                         missing or expired validUntil attribute
@@ -119,9 +120,9 @@
                 <ref bean="check_validUntil"/>
                 <ref bean="us_incommon_checkSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
-                
+
                 <!--
                     ***********************************
                     ***                             ***
@@ -129,12 +130,11 @@
                     ***                             ***
                     ***********************************
                 -->
-                    
+
                 <!--
                     Filter out all entities not involved in the pilot.
                 -->
-                <bean id="us_incommon_pilot_filterEntities" parent="stage_parent"
-                    class="net.shibboleth.metadata.dom.saml.EntityFilterStage"
+                <bean id="us_incommon_pilot_filterEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="true">
                     <property name="designatedEntities">
                         <set>
@@ -143,20 +143,19 @@
                         </set>
                     </property>
                 </bean>
-                
+
                 <!--
                     Remove all contact information.
                 -->
-                <bean id="us_incommon_remove_contacts" parent="stage_parent"
-                    class="net.shibboleth.metadata.dom.saml.ContactPersonFilterStage"
+                <bean id="us_incommon_remove_contacts" parent="mda.ContactPersonFilterStage"
                     p:whitelistingTypes="true">
                     <property name="designatedTypes">
                         <set>
                             <!-- no whitelisted types implies remove everything -->
                         </set>
-                    </property>                    
+                    </property>
                 </bean>
-                
+
                 <!--
                     ******************************
                     ***                        ***
@@ -164,18 +163,18 @@
                     ***                        ***
                     ******************************
                 -->
-                
+
                 <!-- default and check registrar -->
                 <ref bean="us_incommon_default_regauth"/>
                 <ref bean="us_incommon_check_regauth"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         Fake an export aggregate by aggregating the exported entities.
     -->
-    <bean id="us_incommon_exportedAggregate" parent="CompositeStage">
+    <bean id="us_incommon_exportedAggregate" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="us_incommon_exportedEntities"/>
diff --git a/mdx/us_incommon/verbs.xml b/mdx/us_incommon/verbs.xml
index 6ca5a631..aff47f46 100644
--- a/mdx/us_incommon/verbs.xml
+++ b/mdx/us_incommon/verbs.xml
@@ -11,29 +11,30 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-        
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:us_incommon/beans.xml"/>
-    
+
     <!--
         Serialise into this channel's "imported" aggregate file.
     -->
-    <bean id="serializeImported" parent="SerializationStage">
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/us_incommon/imported.xml"/>
             </bean>
         </property>
     </bean>
-    
-    <bean id="importProduction" parent="SimplePipeline">
+
+    <bean id="importProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="us_incommon_productionEntities"/>
@@ -44,7 +45,7 @@
         </property>
     </bean>
 
-    <bean id="importProductionRaw" parent="SimplePipeline">
+    <bean id="importProductionRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="us_incommon_productionAggregate"/>
@@ -52,8 +53,8 @@
             </list>
         </property>
     </bean>
-    
-    <bean id="importExported" parent="SimplePipeline">
+
+    <bean id="importExported" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="us_incommon_exportedEntities"/>
@@ -63,8 +64,8 @@
             </list>
         </property>
     </bean>
-    
-    <bean id="importExportedRaw" parent="SimplePipeline">
+
+    <bean id="importExportedRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="us_incommon_exportedAggregate"/>
@@ -72,7 +73,7 @@
             </list>
         </property>
     </bean>
-    
+
     <alias alias="import"    name="importExported"/>
     <alias alias="importRaw" name="importExportedRaw"/>
 </beans>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index da3237f7..f7ed527f 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -20,12 +20,12 @@
         ***********************************
     -->
 
-    <!--        
+    <!--
         The tests in this section are not applied to the UK federation metadata at the moment,
         but will be in the future.  Usually, the delay is due to the presence of the specific
         case in the current metadata, and the test will be moved into production once that
         has been cleaned up.  In some cases, this can be a lengthy process.
-        
+
         The main check_future test is broken down into a number of sub-tests rather than
         just writing it as one long XSLT ruleset so that overlapping failures can all be
         seen at the same time.  This isn't so important in production, where any failure
@@ -33,73 +33,73 @@
         it's less productive to clear up one problem only to have another one emerge from
         hiding.
     -->
-    
+
     <!--
         check_future_0
     -->
-    <bean id="check_future_0" parent="XSLValidationStage"
+    <bean id="check_future_0" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_0.xsl"/>
-    
+
     <!--
         check_future_1
     -->
-    <bean id="check_future_1" parent="XSLValidationStage"
+    <bean id="check_future_1" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_1.xsl"/>
-    
+
     <!--
         check_future_2
     -->
-    <bean id="check_future_2" parent="XSLValidationStage"
+    <bean id="check_future_2" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_2.xsl"/>
-    
+
     <!--
         check_future_3
     -->
-    <bean id="check_future_3" parent="XSLValidationStage"
+    <bean id="check_future_3" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_3.xsl"/>
-    
+
     <!--
         check_future_4
     -->
-    <bean id="check_future_4" parent="XSLValidationStage"
+    <bean id="check_future_4" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_4.xsl"/>
-    
+
     <!--
         check_future_5
     -->
-    <bean id="check_future_5" parent="XSLValidationStage"
+    <bean id="check_future_5" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_5.xsl"/>
-    
+
     <!--
         check_future_6
     -->
-    <bean id="check_future_6" parent="XSLValidationStage"
+    <bean id="check_future_6" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_6.xsl"/>
-    
+
     <!--
         check_future_7
     -->
-    <bean id="check_future_7" parent="XSLValidationStage"
+    <bean id="check_future_7" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_7.xsl"/>
-    
+
     <!--
         check_future_8
     -->
-    <bean id="check_future_8" parent="XSLValidationStage"
+    <bean id="check_future_8" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_8.xsl"/>
-    
+
     <!--
         check_future_9
     -->
-    <bean id="check_future_9" parent="XSLValidationStage"
+    <bean id="check_future_9" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_9.xsl"/>
-    
+
     <!--
         check_future
-        
+
         Combines all check_future_N stages.
     -->
-    <bean id="check_future" parent="CompositeStage">
+    <bean id="check_future" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="check_future_0"/>
@@ -115,7 +115,7 @@
             </list>
         </property>
     </bean>
-    
+
 
     <!--
         ***********************************************************
@@ -128,7 +128,7 @@
     <!--
         check_algsupport
     -->
-    <bean id="check_algsupport" parent="XSLValidationStage"
+    <bean id="check_algsupport" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_algsupport.xsl"/>
 
 
@@ -143,10 +143,10 @@
     <!--
         check_mdattr
     -->
-    <bean id="check_mdattr" parent="XSLValidationStage"
+    <bean id="check_mdattr" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_mdattr.xsl"/>
 
-    
+
     <!--
         *************************************************
         ***                                           ***
@@ -154,48 +154,48 @@
         ***                                           ***
         *************************************************
     -->
-    
+
     <!--
         check_mdrpi_xslt
-        
+
         Miscellaneous MDRPI tests, in XSLT.
     -->
-    <bean id="check_mdrpi_xslt" parent="XSLValidationStage"
+    <bean id="check_mdrpi_xslt" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_mdrpi.xsl"/>
-    
+
     <!--
         check_mdrpi
-        
+
         Composite check for the MDRPI specification.
     -->
-    <bean id="check_mdrpi" parent="CompositeStage">
+    <bean id="check_mdrpi" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="check_mdrpi_xslt"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         check_regauth_parent
-        
+
         Parent (template) for per-channel beans.
-        
+
         Any registrationAuthority already present on an entity in this
         channel must match the known registration authority value.
     -->
-    <bean id="check_regauth_parent" abstract="true" parent="XSLValidationStage"
+    <bean id="check_regauth_parent" abstract="true" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_regauth.xsl"/>
-    
+
     <!--
         check_hasreginfo
-        
+
         Check that each entity has an mdrpi:RegistrationInfo element.
     -->
-    <bean id="check_hasreginfo" parent="XSLValidationStage"
+    <bean id="check_hasreginfo" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_hasreginfo.xsl"/>
 
-    
+
     <!--
         ***********************************************
         ***                                         ***
@@ -203,56 +203,55 @@
         ***                                         ***
         ***********************************************
     -->
-    
+
     <!--
         check_mdui_iphint
-        
+
         Checks for the mdui:IPHint element.
     -->
-    <bean id="check_mdui_iphint" parent="stage_parent"
-        class="uk.org.ukfederation.mda.validate.mdui.IPHintValidationStage"
+    <bean id="check_mdui_iphint" parent="ukf.IPHintValidationStage"
         p:checkingNetworks="true"/>
-    
+
     <!--
         check_mdui_xslt
-        
+
         Miscellaneous MDUI tests, in XSLT.
     -->
-    <bean id="check_mdui_xslt" parent="XSLValidationStage"
+    <bean id="check_mdui_xslt" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_mdui.xsl"/>
-    
+
     <!--
         mdui_dn_en_match
-        
+
         If an IdP has both an OrganizationDisplayName in English, and an
         mdui:DisplayName in English, they must be identical.
-        
+
         UKFTS 1.4 section 3.3
     -->
-    <bean id="mdui_dn_en_match" parent="XSLValidationStage"
+    <bean id="mdui_dn_en_match" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/mdui_dn_en_match.xsl"/>
-    
+
     <!--
         mdui_dn_en_present
-        
+
         If an entity has mdui:UIInfo, then that must include at least an
         mdui:DisplayName with an English name.
     -->
-    <bean id="mdui_dn_en_present" parent="XSLValidationStage"
+    <bean id="mdui_dn_en_present" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/mdui_dn_en_present.xsl"/>
-    
+
     <!--
         check_mdui
-        
+
         Composite check for the MDUI specification.
-        
+
         Omitted the following, which are only applied to
         UK-registered metadata:
-        
+
             mdui_dn_en_present
             mdui_dn_en_match
     -->
-    <bean id="check_mdui" parent="CompositeStage">
+    <bean id="check_mdui" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="check_mdui_iphint"/>
@@ -273,10 +272,10 @@
     <!--
         check_incmd
     -->
-    <bean id="check_incmd" parent="XSLValidationStage"
+    <bean id="check_incmd" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_incmd.xsl"/>
 
-    
+
     <!--
         ***********************************************************
         ***                                                     ***
@@ -285,13 +284,13 @@
         ***********************************************************
     -->
 
-    <bean id="check_rands_member" parent="XSLValidationStage"
+    <bean id="check_rands_member" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_rands_member.xsl"/>
 
-    <bean id="check_rands_support" parent="XSLValidationStage"
+    <bean id="check_rands_support" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_rands_support.xsl"/>
 
-    <bean id="check_rands" parent="CompositeStage">
+    <bean id="check_rands" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="check_rands_member"/>
@@ -311,27 +310,27 @@
 
     <!--
         check_shib_regscope
-        
+
         Check for regular expressions in Shibboleth Scope elements.  Applied very selectively,
         because we do permit this in certain circumstances.
     -->
-    <bean id="check_shib_regscope" parent="XSLValidationStage"
+    <bean id="check_shib_regscope" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_shib_regscope.xsl"/>
 
     <!--
         check_shib_noregscope
-        
+
         Check for Shibboleth Scope elements lacking a regexp attribute, which can cause
         problems with signature generation and validation because the schema includes
         a default value.
     -->
-    <bean id="check_shib_noregscope" parent="XSLValidationStage"
+    <bean id="check_shib_noregscope" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_shib_noregscope.xsl"/>
 
     <!--
         check_shibboleth
     -->
-    <bean id="check_shibboleth" parent="XSLValidationStage"
+    <bean id="check_shibboleth" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_shibboleth.xsl"/>
 
 
@@ -346,7 +345,7 @@
     <!--
         check_sirtfi
     -->
-    <bean id="check_sirtfi" parent="XSLValidationStage"
+    <bean id="check_sirtfi" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_sirtfi.xsl"/>
 
 
@@ -357,24 +356,18 @@
         ***                                                             ***
         *******************************************************************
     -->
-    
+
     <!--
         check_uk_algorithms
     -->
-    <bean id="check_uk_algorithms" parent="XSLValidationStage"
+    <bean id="check_uk_algorithms" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_uk_algorithms.xsl"/>
-    
+
     <!--
         check_uk_trust
     -->
-    <bean id="check_uk_trust" parent="XSLValidationStage"
+    <bean id="check_uk_trust" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_uk_trust.xsl"/>
-    
-    <!--
-        check_uk_wayf
-    -->
-    <bean id="check_uk_wayf" parent="XSLValidationStage"
-        p:XSLResource="classpath:_rules/check_uk_wayf.xsl"/>
 
 
     <!--
@@ -384,7 +377,7 @@
         ***                                                 ***
         *******************************************************
     -->
-    
+
     <!--
         These checks are for consistency across a collection of entities
         rather than on each entity independently.
@@ -392,25 +385,24 @@
 
     <!--
         check_aggregate
-        
+
         Checks for duplicate entityID values across a set of entities.
-        
+
         It is assumed that the entities are wrapped in a single EntitiesDescriptor.
     -->
-    <bean id="check_aggregate" parent="XSLValidationStage"
+    <bean id="check_aggregate" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_aggregate.xsl"/>
-    
+
     <!--
         check_dup_display
-        
+
         Checks for duplicate identity provider display names across a set of entities.
-        
+
         It is assumed that the entities are independently represented as EntityDescriptor
         items in the item collection.
     -->
-    <bean id="check_dup_display" parent="stage_parent"
-        p:identificationStrategy-ref="identificationStrategy"
-        class="uk.org.ukfederation.mda.IdPDisplayNameDuplicateDetectingStage"/>
+    <bean id="check_dup_display" parent="ukf.IdPDisplayNameDuplicateDetectingStage"
+        p:identificationStrategy-ref="identificationStrategy"/>
 
 
     <!--
@@ -420,20 +412,20 @@
         ***                                         ***
         ***********************************************
     -->
-    
+
     <!--
         Debian weak key blacklists.
     -->
 
-    <bean id="debian.1024" parent="X509RSAOpenSSLBlacklistValidator"
+    <bean id="debian.1024" parent="mda.X509RSAOpenSSLBlacklistValidator"
         p:keySize="1024"
         p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/debian-1024.txt"/>
 
-    <bean id="debian.2048" parent="X509RSAOpenSSLBlacklistValidator"
+    <bean id="debian.2048" parent="mda.X509RSAOpenSSLBlacklistValidator"
         p:keySize="2048"
         p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/debian-2048.txt"/>
 
-    <bean id="debian.4096" parent="X509RSAOpenSSLBlacklistValidator"
+    <bean id="debian.4096" parent="mda.X509RSAOpenSSLBlacklistValidator"
         p:keySize="4096"
         p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/debian-4096.txt"/>
 
@@ -441,7 +433,7 @@
         Blacklist of known compromised 1024-bit keys, e.g., "dummy" keys shipped with
         SAML products that are sometimes deployed by accident.
     -->
-    <bean id="compromised.1024" parent="X509RSAOpenSSLBlacklistValidator"
+    <bean id="compromised.1024" parent="mda.X509RSAOpenSSLBlacklistValidator"
         p:keySize="1024"
         p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/compromised-1024.txt"/>
 
@@ -449,7 +441,7 @@
         Blacklist of known compromised 2048-bit keys, e.g., "dummy" keys shipped with
         SAML products that are sometimes deployed by accident.
     -->
-    <bean id="compromised.2048" parent="X509RSAOpenSSLBlacklistValidator"
+    <bean id="compromised.2048" parent="mda.X509RSAOpenSSLBlacklistValidator"
         p:keySize="2048"
         p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/compromised-2048.txt"/>
 
@@ -465,123 +457,123 @@
     <!--
         check_adfs
     -->
-    <bean id="check_adfs" parent="XSLValidationStage"
+    <bean id="check_adfs" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_adfs.xsl"/>
-    
+
     <!--
         check_bindings
     -->
-    <bean id="check_bindings" parent="XSLValidationStage"
+    <bean id="check_bindings" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_bindings.xsl"/>
-    
+
     <!--
         check_filtered
     -->
-    <bean id="check_filtered" parent="XSLValidationStage"
+    <bean id="check_filtered" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_filtered.xsl"/>
-    
+
     <!--
         check_hoksso
     -->
-    <bean id="check_hoksso" parent="XSLValidationStage"
+    <bean id="check_hoksso" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_hoksso.xsl"/>
-        
+
     <!--
         check_idpdisc
     -->
-    <bean id="check_idpdisc" parent="XSLValidationStage"
+    <bean id="check_idpdisc" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_idpdisc.xsl"/>
-    
+
     <!--
         check_imported
     -->
-    <bean id="check_imported" parent="XSLValidationStage"
+    <bean id="check_imported" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_imported.xsl"/>
-    
+
     <!--
         check_init
     -->
-    <bean id="check_init" parent="XSLValidationStage"
+    <bean id="check_init" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_init.xsl"/>
-    
+
     <!--
         check_mdiop
     -->
-    <bean id="check_mdiop" parent="XSLValidationStage"
+    <bean id="check_mdiop" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_mdiop.xsl"/>
 
     <!--
         check_cr
-        
+
         Check for the presence of CR characters in text content or attribute values.
         This protects against SSPCPP-684 in the Shibboleth SP.
     -->
-    <bean id="check_cr" parent="CRDetectionStage"/>
+    <bean id="check_cr" parent="mda.CRDetectionStage"/>
 
     <!--
         check_entityid_prefix
     -->
-    <bean id="check_entityid_prefix" parent="XSLValidationStage"
+    <bean id="check_entityid_prefix" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_entityid_prefix.xsl"/>
 
     <!--
         check_idp_tls
     -->
-    <bean id="check_idp_tls" parent="XSLValidationStage"
+    <bean id="check_idp_tls" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_idp_tls.xsl"/>
 
     <!--
         check_sp_tls
     -->
-    <bean id="check_sp_tls" parent="XSLValidationStage"
+    <bean id="check_sp_tls" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_sp_tls.xsl"/>
 
     <!--
         check_misc
     -->
-    <bean id="check_misc" parent="XSLValidationStage"
+    <bean id="check_misc" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_misc.xsl"/>
-    
+
     <!--
         check_namespaces
     -->
-    <bean id="check_namespaces" parent="XSLValidationStage"
+    <bean id="check_namespaces" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_namespaces.xsl"/>
-    
+
     <!--
         check_reqattr
     -->
-    <bean id="check_reqattr" parent="XSLValidationStage"
+    <bean id="check_reqattr" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_reqattr.xsl"/>
-    
+
     <!--
         check_saml2int
     -->
-    <bean id="check_saml2int" parent="XSLValidationStage"
+    <bean id="check_saml2int" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_saml2int.xsl"/>
 
     <!--
         check_saml1
     -->
-    <bean id="check_saml1" parent="XSLValidationStage"
+    <bean id="check_saml1" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_saml1.xsl"/>
-    
+
     <!--
         check_saml2
     -->
-    <bean id="check_saml2" parent="XSLValidationStage"
+    <bean id="check_saml2" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_saml2.xsl"/>
-    
+
     <!--
         check_saml2meta
     -->
-    <bean id="check_saml2meta" parent="XSLValidationStage"
+    <bean id="check_saml2meta" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_saml2meta.xsl"/>
-    
+
     <!--
         check_saml_strings
     -->
-    <bean id="check_saml_strings" parent="SAMLStringElementCheckingStage">
+    <bean id="check_saml_strings" parent="ukf.SAMLStringElementCheckingStage">
         <property name="elementNames">
             <set>
                 <ref bean="md-Company"/>
@@ -607,27 +599,26 @@
 
     <!--
         check_validUntil
-        
+
         Check that an aggregate has a validUntil instant specified, and that it has not
         yet expired.  Does not put an upper bound on validUntil intervals.
     -->
-    <bean id="check_validUntil" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.ValidateValidUntilStage">
+    <bean id="check_validUntil" parent="mda.ValidateValidUntilStage">
         <!--
             The validUntil attribute must be present.
         -->
         <property name="requireValidUntil" value="true"/>
         <!--
             Do not constrain the validity interval in this general stage.
-            Constrain in necessary on a per-channel basis.
+            Constrain if necessary on a per-channel basis.
         -->
         <property name="maxValidityInterval" value="0"/>
     </bean>
-    
+
     <!--
         check_vhosts
     -->
-    <bean id="check_vhosts" parent="XSLValidationStage"
+    <bean id="check_vhosts" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_vhosts.xsl"/>
 
 
@@ -638,11 +629,11 @@
         ***                                       ***
         *********************************************
     -->
-    
+
     <!--
         CHECK_std
     -->
-    <bean id="CHECK_std" parent="CompositeStage">
+    <bean id="CHECK_std" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="check_adfs"/>
@@ -660,6 +651,7 @@
                 <ref bean="check_mdrpi"/>
                 <ref bean="check_mdui"/>
                 <ref bean="check_misc"/>
+                <ref bean="check_rands"/>
                 <ref bean="check_reqattr"/>
                 <ref bean="check_saml1"/>
                 <ref bean="check_saml2"/>
@@ -672,9 +664,8 @@
                 <ref bean="check_sp_tls"/>
                 <ref bean="check_uk_algorithms"/>
                 <ref bean="check_uk_trust"/>
-                <ref bean="check_uk_wayf"/>
             </list>
         </property>
     </bean>
-    
+
 </beans>
diff --git a/preprod.properties b/preprod.properties
index 5d6b3cb4..ef97e089 100644
--- a/preprod.properties
+++ b/preprod.properties
@@ -35,13 +35,14 @@ git.repo.project.tooling=ukf-test-meta
 #
 # Preprod publishes its aggregates to / but accessible at a different hostname
 #
-md.dist.host1.name=md1-test.infr.ukfederation.org.uk
-md.dist.host2.name=md2-test.infr.ukfederation.org.uk
-md.dist.host3.name=md3-test.infr.ukfederation.org.uk
+md.dist.host-ne-01.name=md-ne-01-test.infr.ukfederation.org.uk
+md.dist.host-ne-02.name=md-ne-02-test.infr.ukfederation.org.uk
+md.dist.host-we-01.name=md-we-01-test.infr.ukfederation.org.uk
+md.dist.host-we-02.name=md-we-02-test.infr.ukfederation.org.uk
 md.dist.path.name=/
 
 #
 # Preprod MDQ cache is a different file published at a different hostname
 #
 mdq.dist.name=mdq-test.ukfederation.org.uk
-mdq.cache=mdqcache-test.tar.gz
\ No newline at end of file
+mdq.cache=mdqcache-test.tar.gz
diff --git a/tools/ukf-mda/ukf-mda-0.9.4.jar b/tools/ukf-mda/ukf-mda-0.9.4.jar
deleted file mode 100644
index 2f7e1a70..00000000
Binary files a/tools/ukf-mda/ukf-mda-0.9.4.jar and /dev/null differ
diff --git a/tools/ukf-mda/ukf-mda-0.9.5.jar b/tools/ukf-mda/ukf-mda-0.9.5.jar
new file mode 100644
index 00000000..de2941e6
Binary files /dev/null and b/tools/ukf-mda/ukf-mda-0.9.5.jar differ
diff --git a/utilities/2016-09-16/doall.pl b/utilities/2016-09-16/doall.pl
index 7056b5d1..d2b8255b 100755
--- a/utilities/2016-09-16/doall.pl
+++ b/utilities/2016-09-16/doall.pl
@@ -1,4 +1,6 @@
-#!/usr/bin/env perl -W
+#!/usr/bin/env perl
+
+use warnings;
 
 open(F, "id-to-name.txt") || die "could not open id-to-name map";
 while (<F>) {
diff --git a/utilities/2016-09-16/gen-id-to-name.xsl b/utilities/2016-09-16/gen-id-to-name.xsl
index a2c477cc..4f1d0a7b 100644
--- a/utilities/2016-09-16/gen-id-to-name.xsl
+++ b/utilities/2016-09-16/gen-id-to-name.xsl
@@ -1,19 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
     xmlns:members="http://ukfederation.org.uk/2007/01/members"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 
-	<xsl:output method="text" encoding="UTF-8"/>
+    <xsl:output method="text" encoding="UTF-8"/>
 
-	<xsl:template match="members:Member">
-		<xsl:value-of select="@ID"/>
-		<xsl:text>&#9;</xsl:text>
-		<xsl:value-of select="members:Name"/>
-		<xsl:text>&#10;</xsl:text>
-	</xsl:template>
+    <xsl:template match="members:Member">
+        <xsl:value-of select="@ID"/>
+        <xsl:text>&#9;</xsl:text>
+        <xsl:value-of select="members:Name"/>
+        <xsl:text>&#10;</xsl:text>
+    </xsl:template>
 
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/utilities/2016-09-16/gen-ukid-to-name.xsl b/utilities/2016-09-16/gen-ukid-to-name.xsl
index 3df2bd3b..0cd3ba9f 100644
--- a/utilities/2016-09-16/gen-ukid-to-name.xsl
+++ b/utilities/2016-09-16/gen-ukid-to-name.xsl
@@ -1,19 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 
-	<xsl:output method="text" encoding="UTF-8"/>
+    <xsl:output method="text" encoding="UTF-8"/>
 
-	<xsl:template match="md:EntityDescriptor">
-		<xsl:value-of select="@ID"/>
-		<xsl:text>&#9;</xsl:text>
-		<xsl:value-of select="md:Organization/md:OrganizationName"/>
-		<xsl:text>&#10;</xsl:text>
-	</xsl:template>
+    <xsl:template match="md:EntityDescriptor">
+        <xsl:value-of select="@ID"/>
+        <xsl:text>&#9;</xsl:text>
+        <xsl:value-of select="md:Organization/md:OrganizationName"/>
+        <xsl:text>&#10;</xsl:text>
+    </xsl:template>
 
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/utilities/2016-09-16/patch.pl b/utilities/2016-09-16/patch.pl
index c47766c3..543e0a0c 100755
--- a/utilities/2016-09-16/patch.pl
+++ b/utilities/2016-09-16/patch.pl
@@ -1,4 +1,6 @@
-#!/usr/bin/env perl -W
+#!/usr/bin/env perl
+
+use warnings;
 
 my $orgID = shift @ARGV;
 
diff --git a/utilities/2016-10-06/gen-id-to-name.xsl b/utilities/2016-10-06/gen-id-to-name.xsl
index a2c477cc..4f1d0a7b 100644
--- a/utilities/2016-10-06/gen-id-to-name.xsl
+++ b/utilities/2016-10-06/gen-id-to-name.xsl
@@ -1,19 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
     xmlns:members="http://ukfederation.org.uk/2007/01/members"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 
-	<xsl:output method="text" encoding="UTF-8"/>
+    <xsl:output method="text" encoding="UTF-8"/>
 
-	<xsl:template match="members:Member">
-		<xsl:value-of select="@ID"/>
-		<xsl:text>&#9;</xsl:text>
-		<xsl:value-of select="members:Name"/>
-		<xsl:text>&#10;</xsl:text>
-	</xsl:template>
+    <xsl:template match="members:Member">
+        <xsl:value-of select="@ID"/>
+        <xsl:text>&#9;</xsl:text>
+        <xsl:value-of select="members:Name"/>
+        <xsl:text>&#10;</xsl:text>
+    </xsl:template>
 
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/utilities/2016-10-06/patch.pl b/utilities/2016-10-06/patch.pl
index 638f5d7d..86744119 100755
--- a/utilities/2016-10-06/patch.pl
+++ b/utilities/2016-10-06/patch.pl
@@ -1,4 +1,6 @@
-#!/usr/bin/env perl -W
+#!/usr/bin/env perl
+
+use warnings;
 
 open(F, "id-to-name.txt") || die "could not open id-to-name map";
 while (<F>) {
diff --git a/utilities/2017-02-27/README.md b/utilities/2017-02-27/README.md
new file mode 100644
index 00000000..525155d2
--- /dev/null
+++ b/utilities/2017-02-27/README.md
@@ -0,0 +1,42 @@
+# `utilities/2017-02-27`
+
+Scripts to replace the HideFromWAYF element in entity fragment files
+with the REFEDS Hide from Discovery Entity Category.
+
+## 1. Check that no hidden IdPs have Entity Attributes already
+
+Since there can only be a single Entity Attribute element in an entity fragment file,
+we first check that there are no hidden IdPs that already have an Entity Attributes
+element. If there are (and there are not too many) we edit these files manually.
+
+First, check that the XSLT will flag an entity fragment file that has an Entity
+Attribute and the HideFromWAYF element. Run `xsltproc listHideFromWAYFandEA.xsl ./test.xml`.
+This should report `https://idp.example.ac.uk/idp/shibboleth`.
+
+Then run the script on all entity fragment files: `xsltproc listHideFromWAYFandEA.xsl uk*.xml`
+
+## 2. Replace HideFromWAYF element with hide-from-disco Entity Category
+
+This command replaces the HideFromWAYF element with an Entity Attributes element
+containing the REFEDS hide-from-disco entity category:
+
+`replaceHideFromWAYF.pl uk*.xml`
+
+It presumes that the `saml` and `mdattr` namespace prefixes are already defined in the
+entity fragment files.
+
+The perl regex matches the string HideFromWAYF rather than an XML element, so check
+that transform has only modified the HideFromWAYF element by generating unsigned
+aggregates before and after the transform and and looking at the differences.
+The only changes should be the timestamp and quantities derived from the timestamp.
+There is a small possibility that the generate target imports different entities from
+eduGAIN -- these differences can be ignored.
+
+```
+ant samlmd.aggregates.generate
+cp ukfederation-metadata-unsigned.xml /tmp/
+replaceHideFromWAYF.pl uk*.xml
+ant samlmd.aggregates.generate
+diff ukfederation-metadata-unsigned.xml /tmp/
+```
+
diff --git a/utilities/2017-02-27/listHideFromWAYFandEA.xsl b/utilities/2017-02-27/listHideFromWAYFandEA.xsl
new file mode 100644
index 00000000..44d25f20
--- /dev/null
+++ b/utilities/2017-02-27/listHideFromWAYFandEA.xsl
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0"
+        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+        xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+        xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+        <xsl:output method="text" encoding="UTF-8"/>
+
+        <xsl:template match="md:EntityDescriptor
+                            [md:Extensions/mdattr:EntityAttributes]
+                            [md:Extensions/wayf:HideFromWAYF]">
+                <xsl:value-of select="@entityID"/>
+                <xsl:text>&#10;</xsl:text>
+        </xsl:template>
+
+        <xsl:template match="text()">
+                <!-- do nothing -->
+        </xsl:template>
+</xsl:stylesheet>
diff --git a/utilities/2017-02-27/replaceHideFromWAYF.pl b/utilities/2017-02-27/replaceHideFromWAYF.pl
new file mode 100755
index 00000000..32356fed
--- /dev/null
+++ b/utilities/2017-02-27/replaceHideFromWAYF.pl
@@ -0,0 +1,18 @@
+#!/usr/bin/perl -wni
+
+# If line contains HideFromWAYF, replace it with the Entity Category
+if (/HideFromWAYF/) {
+    print <<EOF;
+        <mdattr:EntityAttributes>
+            <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+                <saml:AttributeValue>http://refeds.org/category/hide-from-discovery</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+EOF
+# and don't print the line containing HideFromWAYF
+    next;
+}
+
+# If the line didn't have HideFromWAYF, print it unchanged
+print;
+
diff --git a/utilities/2017-02-27/test.xml b/utilities/2017-02-27/test.xml
new file mode 100644
index 00000000..8474b788
--- /dev/null
+++ b/utilities/2017-02-27/test.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd
+        urn:oasis:names:tc:SAML:metadata:attribute sstc-metadata-attr.xsd
+        urn:oasis:names:tc:SAML:2.0:assertion saml-schema-assertion-2.0.xsd
+        http://sdss.ac.uk/2006/06/WAYF uk-wayf.xsd"
+    ID="test000275" entityID="https://idp.example.ac.uk/idp/shibboleth">
+    <Extensions>
+        <mdattr:EntityAttributes>
+            <saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+                <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+        <wayf:HideFromWAYF />
+    </Extensions>
+</EntityDescriptor>
diff --git a/utilities/addresses.pl b/utilities/addresses.pl
index 09f72f14..1c9772d5 100755
--- a/utilities/addresses.pl
+++ b/utilities/addresses.pl
@@ -24,7 +24,7 @@
 #
 # UK addresses
 #
-open(XML, xalanCall . " -IN ../mdx/uk/collected.xml -XSL extract_addresses.xsl|") || die "could not open input file";
+open(XML, xalanCall . " -IN ../mdx/uk/collected.xml -XSL ../build/extract_addresses.xsl|") || die "could not open input file";
 while (<XML>) {
 	if (/<EmailAddress>(mailto:)?(.*)<\/EmailAddress>/) {
 		$metadata{$2} = 1;
diff --git a/utilities/check_embedded.pl b/utilities/check_embedded.pl
index 8272fccd..6919014b 100755
--- a/utilities/check_embedded.pl
+++ b/utilities/check_embedded.pl
@@ -311,6 +311,14 @@ sub comment {
 				next;
 			}
 
+            #
+            # Track distinct RSA moduli
+            #
+            if (/^Modulus=(.*)$/) {
+                $modulus = $1;
+                # print "   modulus: '$modulus'\n";
+                $rsa_modulus{$modulus} = 1;
+            }
 		}
 		close SSL;
 		#print "   text lines: $#lines\n";
@@ -405,6 +413,11 @@ sub comment {
 	}
 	print "\n";
 
+    $distinct_moduli = scalar keys %rsa_modulus;
+    if ($distinct_moduli > 1) {
+        print "Distinct RSA moduli: $distinct_moduli\n";
+    }
+
 	my $first = 1;
 	foreach $fingerprint (sort keys %expiry_whitelist) {
 		if ($expiry_whitelist{$fingerprint} eq 'unused') {
diff --git a/utilities/normalise_fragment b/utilities/normalise_fragment
index a5cc93ac..9e7231ac 100755
--- a/utilities/normalise_fragment
+++ b/utilities/normalise_fragment
@@ -55,7 +55,6 @@ ED_TEMPLATE = Template('''<?xml version="1.0" encoding="UTF-8"?>
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
     xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
     xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-    xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd
         urn:oasis:names:tc:SAML:metadata:algsupport sstc-saml-metadata-algsupport-v1.0.xsd
@@ -68,7 +67,6 @@ ED_TEMPLATE = Template('''<?xml version="1.0" encoding="UTF-8"?>
         urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd
         http://ukfederation.org.uk/2006/11/label uk-fed-label.xsd
         http://refeds.org/metadata refeds-metadata.xsd
-        http://sdss.ac.uk/2006/06/WAYF uk-wayf.xsd
         http://www.w3.org/2001/04/xmlenc# xenc-schema.xsd
         http://www.w3.org/2009/xmlenc11# xenc-schema-11.xsd
         http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"
diff --git a/utilities/stats-generate.sh b/utilities/stats-generate.sh
index bbc6bbf6..2debef68 100755
--- a/utilities/stats-generate.sh
+++ b/utilities/stats-generate.sh
@@ -179,18 +179,18 @@ fi
 # Get the filesize of the latest uncompressed main aggregate.
 # Since this is just used for estimation, we'll just take the biggest
 # unique filesize for the relevant periods
-aggrfilesizebytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep -v "GZIP" | cut -f 10 -d " " | sort -r | uniq | head -1)
+aggrfilesizebytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep -v "GZIP" | cut -f 10 -d " " | sort -r | uniq | head -1)
 
 #
 # Download counts
 #
 
 # Aggregate requests. Everything for .xml (HEAD/GET, 200 and 304)
-mdaggrcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | wc -l)
+mdaggrcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | wc -l)
 mdaggrcountfriendly=$(echo $mdaggrcount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Main Aggregate requests. Everything for ukfederation-metadata.xml (HEAD/GET, 200 and 304)
-mdaggrmaincount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | wc -l)
+mdaggrmaincount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | wc -l)
 mdaggrmaincountfriendly=$(echo $mdaggrmaincount | awk '{ printf ("%'"'"'d\n", $0) }')
 if [[ "$mdaggrmaincount" -ne "0" ]]; then
     mdaggrmainpc=$(echo "scale=4;($mdaggrmaincount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -200,42 +200,42 @@ fi
 
 # Other aggregate requests (don't calculate these if doing daily stats)
 if [[ "$timeperiod" != "day" ]]; then
-    mdaggrbackcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-back.xml" | wc -l)
+    mdaggrbackcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-back.xml" | wc -l)
     mdaggrbackcountfriendly=$(echo $mdaggrbackcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrbackcount" -ne "0" ]]; then
         mdaggrbackpc=$(echo "scale=4;($mdaggrbackcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrbackpc="0.0"
     fi
-    mdaggrcdsallcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-cdsall.xml" | wc -l)
+    mdaggrcdsallcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-cdsall.xml" | wc -l)
     mdaggrcdsallcountfriendly=$(echo $mdaggrcdsallcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrcdsallcount" -ne "0" ]]; then
         mdaggrcdsallpc=$(echo "scale=4;($mdaggrcdsallcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrcdsallpc="0.0"
     fi
-    mdaggrexportpreviewcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-export-preview.xml" | wc -l)
+    mdaggrexportpreviewcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-export-preview.xml" | wc -l)
     mdaggrexportpreviewcountfriendly=$(echo $mdaggrexportpreviewcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrexportpreviewkcount" -ne "0" ]]; then
         mdaggrexportpreviewpc=$(echo "scale=4;($mdaggrexportpreviewcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrexportpreviewpc="0.0"
     fi
-    mdaggrexportcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-export.xml" | wc -l)
+    mdaggrexportcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-export.xml" | wc -l)
     mdaggrexportcountfriendly=$(echo $mdaggrexportcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrexportcount" -ne "0" ]]; then
         mdaggrexportpc=$(echo "scale=4;($mdaggrexportcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrexportpc="0.0"
     fi
-    mdaggrtestcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-test.xml" | wc -l)
+    mdaggrtestcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-test.xml" | wc -l)
     mdaggrtestcountfriendly=$(echo $mdaggrtestcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrtestcount" -ne "0" ]]; then
         mdaggrtestpc=$(echo "scale=4;($mdaggrtestcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrtestpc="0.0"
     fi
-    mdaggrwayfcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-wayf.xml" | wc -l)
+    mdaggrwayfcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-wayf.xml" | wc -l)
     mdaggrwayfcountfriendly=$(echo $mdaggrwayfcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrwayfcount" -ne "0" ]]; then
         mdaggrwayfpc=$(echo "scale=4;($mdaggrwayfcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -245,11 +245,11 @@ if [[ "$timeperiod" != "day" ]]; then
 fi
 
 # Aggregate downloads (i.e. GETs with HTTP 200 responses only)
-mdaggrcountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404| grep "\" 200" | grep "GET" | wc -l)
+mdaggrcountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404| grep "\" 200" | grep "GET" | wc -l)
 mdaggrcountfullfriendly=$(echo $mdaggrcountfull | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Main Aggregate downloads (i.e. GETs with HTTP 200 responses only)
-mdaggrmaincountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | wc -l)
+mdaggrmaincountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | wc -l)
 mdaggrmaincountfullfriendly=$(echo $mdaggrmaincountfull | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Percentage of GETs with HTTP 200 responses compared to total requests
@@ -260,11 +260,11 @@ else
 fi
 
 # Compressed downloads for all
-mdaggrcountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
+mdaggrcountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
 mdaggrcountfullcomprfriendly=$(echo $mdaggrcountfullcompr | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Compressed downloads for main aggregate
-mdaggrmaincountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
+mdaggrmaincountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
 
 # Percentage of GZIPPED HTTP 200 responses compared to total full downloads
 if [[ "$mdaggrcountfull" -ne "0" ]]; then
@@ -274,18 +274,18 @@ else
 fi
 
 # Unique IP addresses requesting aggregates
-mdaggruniqueip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq | wc -l)
+mdaggruniqueip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
 mdaggruniqueipfriendly=$(echo $mdaggruniqueip | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Unique IP addresses requesting aggregates, full D/Ls only
-mdaggruniqueipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq | wc -l)
+mdaggruniqueipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
 
 #
 # Data shipped
 #
 
 # Total data shipped, all .xml files
-mdaggrtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
+mdaggrtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
 if [[ "$mdaggrtotalbytes" -gt "0" ]]; then
     mdaggrtotalhr=$(bytestohr $mdaggrtotalbytes)
 else
@@ -293,7 +293,7 @@ else
 fi
 
 # Total data shipped, ukfederation-metadata.xml file
-mdaggrmaintotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
+mdaggrmaintotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
 if [[ "$mdaggrtotalbytes" -gt "0" ]]; then
     mdaggrmaintotalhr=$(bytestohr $mdaggrmaintotalbytes)
 else
@@ -321,27 +321,34 @@ fi
 #
 
 # IPv4 vs IPv6 traffic (don't calculate these if doing daily stats)
-# Note, while all v6 traffic passes through v6v4proxy1/2, we're counting accesses from the IPv4 addresses of those servers vs all others.
-# When we add "real" v6 support to the servers, this needs changing to count IPv4 addresses vs IPv6 addresses.
+# Some v6 traffic has traditionally passed through v6v4proxy1/2, so to count v4 we're counting all accesses, minus those from the v4 proxy IP addresses, minus actual v6 addresses
 if [[ "$timeperiod" != "day" ]]; then
-    mdaggrv4count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep -v 193.63.72.83 | grep -v 194.83.7.211 | wc -l)
+    mdaggrv4count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
     mdaggrv4pc=$(echo "scale=4;($mdaggrv4count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     mdaggrv6count=$(( mdaggrcount - mdaggrv4count ))
     mdaggrv6pc=$(echo "scale=4;($mdaggrv6count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
 
     # Per-server request count
-    mdaggrmd1count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | grep md1 | wc -l)
+    mdaggrmd1count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmd1pc=$(echo "scale=4;($mdaggrmd1count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmd2count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | grep md2 | wc -l)
-    mdaggrmd2pc=$(echo "scale=4;($mdaggrmd1count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmd3count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | grep md3 | wc -l)
-    mdaggrmd3pc=$(echo "scale=4;($mdaggrmd1count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    mdaggrmd2count=$(grep $apachesearchterm $logslocation/md/md2/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmd2pc=$(echo "scale=4;($mdaggrmd2count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    mdaggrmd3count=$(grep $apachesearchterm $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmd3pc=$(echo "scale=4;($mdaggrmd3count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    mdaggrmdne01count=$(grep $apachesearchterm $logslocation/md/md-ne-01/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdne01pc=$(echo "scale=4;($mdaggrmdne01count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    mdaggrmdne02count=$(grep $apachesearchterm $logslocation/md/md-ne-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdne02pc=$(echo "scale=4;($mdaggrmdne02count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    mdaggrmdwe01count=$(grep $apachesearchterm $logslocation/md/md-we-01/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdwe01pc=$(echo "scale=4;($mdaggrmdwe01count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    mdaggrmdwe02count=$(grep $apachesearchterm $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdwe02pc=$(echo "scale=4;($mdaggrmdwe02count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
 fi
 
 
 # Min queries per IP
 if [[ $mdaggrcount -gt "0" ]]; then
-    mdaggrminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrinqueriesperip="0"
 fi
@@ -355,14 +362,14 @@ fi
 
 # Max queries per IP
 if [[ $mdaggrcount -gt "0" ]]; then
-    mdaggrmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrmaxqueriesperip="0"
 fi
 
 # Min queries per IP, full D/L only
 if [[ $mdaggrcountfull -gt "0" ]]; then
-    mdaggrminqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrminqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrinqueriesperipfull="0"
 fi
@@ -376,7 +383,7 @@ fi
 
 # Max queries per IP, full D/L only
 if [[ $mdaggrcountfull -gt "0" ]]; then
-    mdaggrmaxqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrmaxqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrmaxqueriesperipfull="0"
 fi
@@ -386,7 +393,7 @@ if [[ "$timeperiod" != "day" ]]; then
 
     # Top 10 downloaders and how many downloads / total data shipped (full downloads only)
     if [[ "$timeperiod" != "day" ]]; then
-        mdaggrtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | head -10)
+        mdaggrtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -10)
     fi
 
     #
@@ -408,7 +415,7 @@ if [[ "$timeperiod" != "day" ]]; then
         countfriendly=$(echo $count | awk '{ printf ("%'"'"'d\n", $0) }')
     
         # Figure out total traffic shipped to this IP
-        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
+        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
         if [[ "$totaldataforthisip" -gt "0" ]]; then
             totaldataforthisiphr=$(bytestohr $totaldataforthisip)
         else
@@ -436,11 +443,11 @@ fi
 # =====
 
 # MDQ requests
-mdqcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep -v 404 | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | wc -l)
+mdqcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep -v 404 | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | wc -l)
 mdqcountfriendly=$(echo $mdqcount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # MDQ downloads (i.e. HTTP 200 responses only)
-mdqcountfull=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | wc -l)
+mdqcountfull=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | wc -l)
 mdqcountfullfriendly=$(echo $mdqcountfull | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Percentage of HTTP 200 responses compared to total requests
@@ -451,7 +458,7 @@ else
 fi
 
 # Compressed downloads
-mdqfullcomprcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
+mdqfullcomprcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
 mdqfullcomprcountfriendly=$(echo $mdqfullcomprcount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Percentage of GZIPPED HTTP 200 responses compared to total full downloads
@@ -465,10 +472,9 @@ fi
 # IPv4 vs IPv6 traffic (don't calculate this for daily stats)
 
 if [[ "$timeperiod" != "day" ]]; then
-    # Note, while all v6 traffic passes through v6v4proxy1/2, we're counting accesses from the IPv4 addresses of those servers vs all others.
-    # When we add "real" v6 support to the servers, this needs changing to count IPv4 addresses vs IPv6 addresses.
+    # Some v6 traffic has traditionally passed through v6v4proxy1/2, so to count v4 we're counting all accesses, minus those from the v4 proxy IP addresses, minus actual v6 addresses
     if [[ "$mdqcount" -ne "0" ]]; then
-        mdqv4count=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep -v 193.63.72.83 | grep -v 194.83.7.211 | wc -l)
+        mdqv4count=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
         mdqv4pc=$(echo "scale=4;($mdqv4count/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
         mdqv6count=$(( mdqcount - mdqv4count ))
         mdqv6pc=$(echo "scale=4;($mdqv6count/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -479,8 +485,8 @@ if [[ "$timeperiod" != "day" ]]; then
 fi
 
 # MDQ requests for entityId based names
-mdqcountentityidhttp=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/http" | wc -l)
-mdqcountentityidurn=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/urn" | wc -l)
+mdqcountentityidhttp=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/http" | wc -l)
+mdqcountentityidurn=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/urn" | wc -l)
 mdqcountentityid=$((mdqcountentityidhttp+mdqcountentityidurn))
 if [[ "$mdqcount" -ne "0" ]]; then
     mdqcountentityidpc=$(echo "scale=3;($mdqcountentityid/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -490,7 +496,7 @@ fi
 mdqcountentityidfriendly=$(echo $mdqcountentityid | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # MDQ requests for hash based names
-mdqcountsha1=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep sha1 | wc -l)
+mdqcountsha1=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep sha1 | wc -l)
 if [[ "$mdqcount" -ne "0" ]]; then
     mdqcountsha1pc=$(echo "scale=3;($mdqcountsha1/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
 else
@@ -500,14 +506,14 @@ mdqcountsha1friendly=$(echo $mdqcountsha1 | awk '{ printf ("%'"'"'d\n", $0) }')
 
 
 # MDQ requests for all entities
-mdqcountallentities=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities " | grep -v 404 | wc -l)
+mdqcountallentities=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities " | grep -v 404 | wc -l)
 
 # Unique IP addresses requesting MDQ
-mdquniqueip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq | wc -l)
+mdquniqueip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
 mdquniqueipfriendly=$(echo $mdquniqueip | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Total data shipped
-mdqtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
+mdqtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
 if [[ "$mdqtotalbytes" -gt "0" ]]; then
     mdqtotalhr=$(bytestohr $mdqtotalbytes)
 else
@@ -516,7 +522,7 @@ fi
 
 # Min queries per IP
 if [[ $mdqcount -gt "0" ]]; then
-    mdqminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdqminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdqminqueriesperip="0"
 fi
@@ -530,14 +536,14 @@ fi
 
 # Max queries per IP
 if [[ $mdqcount -gt "0" ]]; then
-    mdqmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdqmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdqmaxqueriesperip="0"
 fi
 
 if [[ "$timeperiod" != "day" ]]; then
     # Top 10 downloaders and how many downloads / total data shipped
-    mdqtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep "/entities" | grep -v "/entities/ " | grep -v 404 | grep -v "/entities/ " | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | head -10)
+    mdqtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep "/entities" | grep -v "/entities/ " | grep -v 404 | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -10)
     
     #
     # Manipute results of the top 10
@@ -558,7 +564,7 @@ if [[ "$timeperiod" != "day" ]]; then
         countfriendly=$(echo $count | awk '{ printf ("%'"'"'d\n", $0) }')
     
         # Figure out total traffic shipped to this IP
-        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
+        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
         if [[ "$totaldataforthisip" -gt "0" ]]; then
             totaldataforthisiphr=$(bytestohr $totaldataforthisip)
         else
@@ -581,7 +587,7 @@ if [[ "$timeperiod" != "day" ]]; then
     
     
     # Top 10 queries and how many downloads / total data shipped
-    mdqtoptenqueriesbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep /entities/ | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | awk '{print $7}' | cut -f 3 -d "/" | sed "s@+@ @g;s@%@\\\\x@g" | xargs -0 printf "%b" | sort | uniq -c | sort -nr | head -10)
+    mdqtoptenqueriesbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep /entities/ | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | awk '{print $7}' | cut -f 3 -d "/" | sed "s@+@ @g;s@%@\\\\x@g" | printf "%b\n" $(</dev/stdin) | sort | uniq -c | sort -nr | head -10)
 fi
 
 # =====
@@ -589,32 +595,39 @@ fi
 # =====
 
 # How many accesses to .ds.
-cdscount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | wc -l)
+cdscount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | wc -l)
 cdscountfriendly=$(echo $cdscount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # IPv4 vs IPv6 traffic (don't count these for daily stats)
 if [[ "$timeperiod" != "day" ]]; then
-    # Note, while all v6 traffic passes through v6v4proxy1/2, we're counting accesses from the IPv4 addresses of those servers vs all others.
-    # When we add "real" v6 support to the servers, this needs changing to count IPv4 addresses vs IPv6 addresses.
-    cdsv4count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | grep -v 193.63.72.83 | grep -v 194.83.7.211 | wc -l)
+    # Some v6 traffic has traditionally passed through v6v4proxy1/2, so to count v4 we're counting all accesses, minus those from the v4 proxy IP addresses, minus actual v6 addresses
+    cdsv4count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
     cdsv4pc=$(echo "scale=4;($cdsv4count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
     cdsv6count=$(( cdscount - cdsv4count ))
     cdsv6pc=$(echo "scale=4;($cdsv6count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
 
     # Per-server request count
-    cds1count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | grep shib-cds1 | wc -l)
+    cds1count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* | grep .ds? | wc -l)
     cds1pc=$(echo "scale=4;($cds1count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    cds2count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | grep shib-cds2 | wc -l)
+    cds2count=$(grep $apachesearchterm $logslocation/cds/shib-cds2/ssl_access_log* | grep .ds? | wc -l)
     cds2pc=$(echo "scale=4;($cds2count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    cds3count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | grep shib-cds3 | wc -l)
+    cds3count=$(grep $apachesearchterm $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | wc -l)
     cds3pc=$(echo "scale=4;($cds3count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    cdsne01count=$(grep $apachesearchterm $logslocation/cds/shibcds-ne-01/ssl_access_log* | grep .ds? | wc -l)
+    cdsne01pc=$(echo "scale=4;($cdsne01count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    cdsne02count=$(grep $apachesearchterm $logslocation/cds/shibcds-ne-02/ssl_access_log* | grep .ds? | wc -l)
+    cdsne02pc=$(echo "scale=4;($cdsne02count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    cdswe01count=$(grep $apachesearchterm $logslocation/cds/shibcds-we-01/ssl_access_log* | grep .ds? | wc -l)
+    cdswe01pc=$(echo "scale=4;($cdswe01count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    cdswe02count=$(grep $apachesearchterm $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | wc -l)
+    cdswe02pc=$(echo "scale=4;($cdswe02count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
 fi
 
 # How many of these were to the DS (has entityId in the parameters)
-cdsdscount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | grep entityID | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+cdsdscount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | grep entityID | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # How many of these were to the WAYF (has shire in the parameters)
-cdswayfcount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | grep shire | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+cdswayfcount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | grep shire | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 
 # =====
@@ -665,6 +678,35 @@ if [[ "$timeperiod" != "day" ]]; then
 fi
 
 
+# =====
+# Website stats
+# =====
+
+# Set up grepping out bots
+botstringlist="(Googlebot|Bingbo|DuckDuckBot|Baiduspider|Yandexbot|Sogou|Exabot|AhrefsBot|seoscanners)"
+
+# How many requests were there for the main content files?
+wwwaccesscount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
+wwwaccesscountfriendly=$(echo $wwwaccesscount | awk '{ printf ("%'"'"'d\n", $0) }')
+
+# And from how many unique IdPs?
+wwwaccessipcount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+
+# Don't count these when doing daily stats
+if [[ "$timeperiod" != "day" ]]; then
+
+    # Per-server request count
+    wwwaccessweb1count=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessweb1pc=$(echo "scale=4;($wwwaccessweb1count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    wwwaccessweb2count=$(grep $apachesearchterm $logslocation/www/web2/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessweb2pc=$(echo "scale=4;($wwwaccessweb2count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    wwwaccessne01count=$(grep $apachesearchterm $logslocation/www/www-ne-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessne01pc=$(echo "scale=4;($wwwaccessne01count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    wwwaccesswe01count=$(grep $apachesearchterm $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccesswe01pc=$(echo "scale=4;($wwwaccesswe01count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+fi
+
+
 # =====
 # = Now we're ready to build the message. Different message for daily vs month/year
 # =====
@@ -687,7 +729,9 @@ if [[ "$timeperiod" == "day" ]]; then
     msg+=">*CDS:* $cdscountfriendly requests serviced (DS: $cdsdscount / WAYF: $cdswayfcount).\n"
     msg+=">*Wugen:* $wugencount WAYFless URLs generated, $wugennewsubs new subscriptions.\n"
     msg+=">*Test IdP:* $testidplogincount logins to $testidpspcount SPs.\n"
-    msg+=">*Test SP:* $testsplogincount logins from $testspidpcount IdPs."
+    msg+=">*Test SP:* $testsplogincount logins from $testspidpcount IdPs.\n"
+    msg+=">*Website:* $wwwaccesscountfriendly hits from $wwwaccessipcount unique IPs."
+    
     
 else
     #
@@ -706,7 +750,7 @@ else
     msg+="--> * $mdaggrcountfullfriendly ($mdaggrfullpc%) were full downloads, of which $mdaggrcountfullcomprfriendly ($mdaggrfullcomprpc%) were compressed.\n"
     msg+="--> ukfederation-metadata.xml: $mdaggrmaintotalhr of data actually shipped; would have been an estimated $mdaggrmaintotalestnocompresshr without compression, and $mdaggrmaintotalestnocompressnocgethr without compression or conditional gets.\n"
     msg+="-> IPv4: $mdaggrv4pc% vs IPv6: $mdaggrv6pc%\n"
-    msg+="-> Server distribution: md1: $mdaggrmd1pc% md2: $mdaggrmd2pc% md3: $mdaggrmd3pc%\n"
+    msg+="-> Server distribution: md-ne-01: $mdaggrmdne01pc% md-ne-02: $mdaggrmdne02pc% md-we-01: $mdaggrmdwe01pc% md-we-02: $mdaggrmdwe02pc% / md1: $mdaggrmd1pc% md2: $mdaggrmd2pc% md3: $mdaggrmd3pc%\n"
     msg+="-> $mdaggrminqueriesperip/$mdaggravgqueriesperip/$mdaggrmaxqueriesperip min/avg/max queries per querying IP (all reqs)\n"
     msg+="-> $mdaggrminqueriesperipfull/$mdaggravgqueriesperipfull/$mdaggrmaxqueriesperipfull min/avg/max queries per querying IP (full D/Ls only)\n"
     msg+="\nRequests per published aggregate\n"
@@ -735,7 +779,7 @@ else
     msg+="Central Discovery Service:\n"
     msg+="-> $cdscountfriendly total requests serviced\n"
     msg+="-> IPv4: $cdsv4pc% vs IPv6: $cdsv6pc%\n"
-    msg+="-> Server distribution: shib-cds1: $cds1pc% shib-cds2: $cds2pc% shib-cds3: $cds3pc%\n"
+    msg+="-> Server distribution: shibcds-ne-01: $cdsne01pc% shibcds-ne-02: $cdsne02pc% shibcds-we-01: $cdswe01pc% shibcds-we-02: $cdswe02pc% / shib-cds1: $cds1pc% shib-cds2: $cds2pc% shib-cds3: $cds3pc%\n"
     msg+="-> DS: $cdsdscount / WAYF: $cdswayfcount\n"
     msg+="\n-----\n"
     msg+="Wugen:\n"
@@ -753,6 +797,10 @@ else
     msg+="-> $testsplogincount logins from $testspidpcount IdPs.\n"    
     msg+="\n-> Top 10 IdPs logged in from:\n"
     msg+="$testsptoptenidpsbycount\n"
+    msg+="\n-----\n"
+    msg+="Website usage:\n"
+    msg+="-> $wwwaccesscountfriendly hits from $wwwaccessipcount unique IPs.\n"
+    msg+="-> Server distribution: www-ne-01: $wwwaccessne01pc% www-we-01: $wwwaccesswe01pc% / web1: $wwwaccessweb1pc% web2: $wwwaccessweb2pc% \n"
     msg+="\n-----"
 fi
 
@@ -765,4 +813,4 @@ fi
 
 
 echo -e "$msg"
-exit 0
\ No newline at end of file
+exit 0
diff --git a/utilities/stats-sync.sh b/utilities/stats-sync.sh
index af5f02b2..f2fdba77 100755
--- a/utilities/stats-sync.sh
+++ b/utilities/stats-sync.sh
@@ -10,18 +10,20 @@ logslocation="/var/stats"
 # Logs from API
 
 # Logs from MD servers
-rsync -at --exclude modsec* stats@md1:/var/log/httpd/* $logslocation/md/md1/
-rsync -at --exclude modsec* stats@md2:/var/log/httpd/* $logslocation/md/md2/
-rsync -at --exclude modsec* stats@md3:/var/log/httpd/* $logslocation/md/md3/
+rsync -at --exclude modsec* stats@md-ne-01:/var/log/httpd/* $logslocation/md/md-ne-01/
+rsync -at --exclude modsec* stats@md-ne-02:/var/log/httpd/* $logslocation/md/md-ne-02/
+rsync -at --exclude modsec* stats@md-we-01:/var/log/httpd/* $logslocation/md/md-we-01/
+rsync -at --exclude modsec* stats@md-we-02:/var/log/httpd/* $logslocation/md/md-we-02/
 
 # Logs from CDS servers
-rsync -at --exclude modsec* stats@shib-cds1:/var/log/httpd/* $logslocation/cds/shib-cds1/
-rsync -at --exclude modsec* stats@shib-cds2:/var/log/httpd/* $logslocation/cds/shib-cds2/
-rsync -at --exclude modsec* stats@shib-cds3:/var/log/httpd/* $logslocation/cds/shib-cds3/
+rsync -at --exclude modsec* stats@shibcds-ne-01:/var/log/httpd/* $logslocation/cds/shibcds-ne-01/
+rsync -at --exclude modsec* stats@shibcds-ne-02:/var/log/httpd/* $logslocation/cds/shibcds-ne-02/
+rsync -at --exclude modsec* stats@shibcds-we-01:/var/log/httpd/* $logslocation/cds/shibcds-we-01/
+rsync -at --exclude modsec* stats@shibcds-we-02:/var/log/httpd/* $logslocation/cds/shibcds-we-02/
 
 # Logs from websites
-rsync -at --exclude modsec* stats@web1:/var/log/httpd/* $logslocation/www/web1/
-rsync -at --exclude modsec* stats@web2:/var/log/httpd/* $logslocation/www/web2/
+rsync -at --exclude modsec* stats@www-ne-01:/var/log/httpd/* $logslocation/www/www-ne-01/
+rsync -at --exclude modsec* stats@www-we-01:/var/log/httpd/* $logslocation/www/www-we-01/
 
 # Logs from Wugen
 rsync -at --exclude modsec* stats@wugen:/var/log/httpd/* $logslocation/wugen/
@@ -37,4 +39,4 @@ rsync -at stats@test-sp:/var/log/shibboleth/shibd* $logslocation/test-sp/
 rsync -at stats@test-sp:/var/log/shibboleth/transaction* $logslocation/test-sp/
 
 # Exit happily
-exit 0
\ No newline at end of file
+exit 0