diff --git a/attic/extract_saml2sp.pl b/attic/extract_saml2sp.pl
deleted file mode 100755
index 5b7e92be..00000000
--- a/attic/extract_saml2sp.pl
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/perl -w
-
-use Xalan;
-
-open(XML, xalanCall . " -IN ../xml/ukfederation-metadata-unsigned.xml -XSL extract_saml2sp.xsl|") || die "could not open input file";
-while (<XML>) {
-	my ($id, $result) = split;
-	$results{$id} = $result;
-	print $_;
-}
-close XML;
-
-open(IDS, "ids.txt") || die "could not open ids file";
-while (<IDS>) {
-	chop;
-	$id = $_;
-	if (defined $results{$id}) {
-		$result = $results{$id};
-	} else {
-		$result = 'SP?';
-	}
-	print "$result\n";
-}
-close IDS;
diff --git a/attic/extract_saml2sp.xsl b/attic/extract_saml2sp.xsl
deleted file mode 100644
index aa59a0db..00000000
--- a/attic/extract_saml2sp.xsl
+++ /dev/null
@@ -1,37 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-    extract_saml2sp.xsl
-
-    XSL stylesheet that takes a SAML 2.0 metadata aggregate and extracts
-    SAML 2.0 support information for each SP entity.
-
-    Author: Ian A. Young <ian@iay.org.uk>
-
--->
-<xsl:stylesheet version="1.0"
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    exclude-result-prefixes="md ds">
-
-    <!-- Output is plain text -->
-    <xsl:output method="text"/>
-
-    <xsl:template match="//md:EntityDescriptor[md:SPSSODescriptor]">
-        <xsl:value-of select="@ID"/>
-        <xsl:text> </xsl:text>
-        <xsl:choose>
-            <xsl:when test="contains(md:SPSSODescriptor/@protocolSupportEnumeration,
-                'urn:oasis:names:tc:SAML:2.0:protocol')">yes</xsl:when>
-            <xsl:otherwise>no</xsl:otherwise>
-        </xsl:choose>
-        <xsl:text>&#x0a;</xsl:text>
-    </xsl:template>
-
-    <xsl:template match="text()">
-        <!-- do nothing -->
-    </xsl:template>
-
-</xsl:stylesheet>
diff --git a/attic/keynames.pl b/attic/keynames.pl
deleted file mode 100755
index a917025d..00000000
--- a/attic/keynames.pl
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/env perl
-
-#
-# keynames.pl
-#
-# Extracts statistics about KeyName elements from the published metadata.
-#
-use warnings;
-use lib "../build";
-use Xalan;
-use Months;
-
-# Parse command line arguments
-use Getopt::Long;
-my $allMonths;
-GetOptions('all' => \$allMonths);
-
-# By default, only show results for the most recent month
-if (!$allMonths) {
-	# reduce months table to one element
-	my $oneMonth = pop @months;
-	@months = ( $oneMonth );
-}
-
-# ingest files
-foreach $month (@months) {
-	print "processing $month\n";
-	my $fn = "cache/$month.xml";
-	my $command = xalanCall . " -IN $fn -XSL ../build/extract_embedded.xsl -OUT temp.tmp";
-	# print "command is $command\n";
-	system($command); # || print "ignoring claimed failure in sub command\n";
-	#print "Xalan run on $fn\n";
-	open(TXT, "perl keynames_inner.pl -q <temp.tmp|") || die "could not open input file";
-	while (<TXT>) {
-		if (/^Total: (\d+)$/) {
-			$count = $1;
-		}
-		print $_ unless $allMonths;
-	}
-	close TXT;
-	push @counts, "$month: $count";
-}
-
-if ($allMonths) {
-	print "KeyName count:\n";
-	foreach $count (@counts) {
-		print "$count\n";
-	}
-}
diff --git a/attic/keynames_inner.pl b/attic/keynames_inner.pl
deleted file mode 100755
index 3778f942..00000000
--- a/attic/keynames_inner.pl
+++ /dev/null
@@ -1,351 +0,0 @@
-#!/usr/bin/env perl
-
-use warnings;
-use POSIX qw(floor);
-use File::Temp qw(tempfile);
-use Date::Format;
-use Date::Parse;
-use Digest::SHA1 qw(sha1 sha1_hex sha1_base64);
-
-sub error {
-	my($s) = @_;
-	push(@olines, '   *** ' . $s . ' ***');
-	$printme = 1;
-}
-
-sub warning {
-	my ($s) = @_;
-	push(@olines, '   ' . $s);
-	$printme = 1;
-}
-
-sub comment {
-	my($s) = @_;
-	push(@olines, '   (' . $s . ')');
-}
-
-#
-# Process command-line options.
-#
-while (@ARGV) {
-	$arg = shift @ARGV;
-	$quiet = 1 if $arg eq '-q';
-}
-
-#
-# Hash of already-seen blobs.
-#
-# Each entry in the hash is indexed by the blob itself.  Each blob is a concatenated
-# sequence of information that uniquely identifies an already checked key.  This is
-# used to avoid processing the same blob more than once.
-#
-my %blobs;
-
-#
-# Blob currently being constructed.
-#
-my $blob;
-
-#
-# The day that follows the end of each bin.
-#
-# Bin 0, running from 2014-01-01 to 2014-01-31,
-# is followed by the start of bin 1 on 2014-02-01.
-#
-my @binNextDays = (
-	"2014-02-01",
-	"2014-03-01",
-	"2014-04-01",
-	"2014-05-01",
-	"2014-06-01",
-	"2014-07-01",
-	"2014-08-01",
-	"2014-09-01",
-	"2014-10-01",
-	"2014-11-01",
-	"2014-12-01",
-	"2015-01-01", # 1Q2015
-	"2015-04-01", # 2Q2015
-	"2015-07-01", # 3Q2015
-	"2015-10-01", # 4Q2015
-	"2016-01-01", # 2016
-	"2017-01-01", # 2017
-	"2018-01-01", # 2018...
-);
-
-#
-# Names for bins. The index into this array is
-# displaced by 1, so that the first element (index 0)
-# gives the name for bin -1 ("expired").
-#
-my @binNames = (
-	"expired",
-	"Jan 14",
-	"Feb 14",
-	"Mar 14",
-	"Apr 14",
-	"May 14",
-	"Jun 14",
-	"Jul 14",
-	"Aug 14",
-	"Sep 14",
-	"Oct 14",
-	"Nov 14",
-	"Dec 14",
-	"2015Q1",
-	"2015Q2",
-	"2015Q3",
-	"2015Q4",
-	"2016",
-	"2017",
-);
-
-my $binEndTimes = ();
-for $startDay (@binNextDays) {
-	#print "startDay is $startDay\n";
-	my $endTime = str2time($startDay . "T00:00:00")-1;
-	push(@binEndTimes, $endTime);
-	# local $endTimeText = time2str('%Y-%m-%dT%H:%M:%S', $endTime);
-	# print "end time corresponding to $startDay is $endTime ($endTimeText)\n";
-}
-
-#
-# Proposed evolution deadline.
-#
-my $deadline = "2015-01-01T00:00:00";
-my $deadlineTime = str2time($deadline);
-
-#
-# Start of the current month, as an approximation of what we want
-# to regard as an "expired" certificate.  Ideally, this would be
-# passed in as a parameter.
-#
-#my $nowYearMonth = '2012-08-01T00:00:00';
-my $nowYearMonth = time2str('%Y-%m-01T00:00:00', time());
-my $validStart = str2time($nowYearMonth);
-
-#
-# Total size of deduplicated blobs.
-#
-my $dedupTotal = 0;
-
-while (<>) {
-
-	#
-	# Discard blank lines.
-	#
-	next if /^\s*$/;
-	
-	#
-	# Handle Entity/KeyName header line.
-	#
-	if (/^Entity:/) {
-		@olines = ();
-		$printme = 0;
-		@args = split;
-		$entity = $args[1];
-		$keyname = $args[3];
-		
-		#
-		# Output header line.
-		#
-		$oline = "Entity $entity ";
-		$hasKeyName = !($keyname eq '(none)');
-		if ($hasKeyName) {
-			$oline .= "has KeyName $keyname";
-		} else {
-			$oline .= "has no KeyName";
-		}
-		push(@olines, $oline);
-
-		# Start the blob like this if you want per-entity deduplication
-		# $blob = $oline;		# start building a new blob
-
-		# Start the blob like this if you want global deduplication
-		$blob = "";
-
-		#
-		# Create a temporary file for this certificate in PEM format.
-		#
-		($fh, $filename) = tempfile(UNLINK => 1);
-		#print "temp file is: $filename\n";
-
-		# do not buffer output to the temporary file
-		select((select($fh), $|=1)[0]);
-		next;
-	}
-	
-	#
-	# Put other lines into a temporary file.
-	#
-	print $fh $_;
-	$blob .= '|' . $_;
-	
-	#
-	# If this is the last line of the certificate, actually do
-	# something with it.
-	#
-	if (/END CERTIFICATE/) {
-
-		#
-		# If the certificate is not associated with a KeyName,
-		# we ignore it entirely.
-		#
-		if (!$hasKeyName) {
-			# print "ignoring certificate with no KeyName\n";
-			close $fh;
-			next;
-		}
-
-		#
-		# Have we seen this blob before?  If so, close (and delete) the
-		# temporary file, and go and look for a new certificate to process.
-		#
-		$total_certs++;
-		if (defined($blobs{$blob})) {
-			$dedupTotal += (length($blob) - length($_) - 1);
-			# print "skipping a blob\n";
-			close $fh;
-			next;
-		}
-		
-		#
-		# Otherwise, remember this blob so that we won't process it again.
-		#
-		$blobs{$blob} = 1;
-		$distinct_certs++;
-
-		#
-		# Don't close the temporary file yet, because that would cause it
-		# to be deleted.  We've already arranged for buffering to be
-		# disabled, so the file can simply be passed to other applications
-		# as input, perhaps multiple times.
-		#
-		
-		#
-		# Collection of names this certificate contains
-		#
-		my %names;
-		
-		#
-		# Use openssl to convert the certificate to text
-		#
-		my(@lines, $issuer, $subjectCN, $issuerCN);
-		$cmd = "openssl x509 -in $filename -noout -text -nameopt RFC2253 -modulus |";
-		open(SSL, $cmd) || die "could not open openssl subcommand: $!";
-		$expiryBin = -1;
-		while (<SSL>) {
-			push @lines, $_;
-
-			if (/^\s*Issuer:\s*(.*)$/) {
-				$issuer = $1;
-				if ($issuer =~ /CN=([^,]+)/) {
-					$issuerCN = $1;
-				} else {
-					$issuerCN = $issuer;
-				}
-				next;
-			}
-			
-			if (/^\s*Subject:\s*.*?CN=([a-zA-Z0-9\-\.]+).*$/) {
-				$subjectCN = $1;
-				$names{lc $subjectCN}++;
-				# print "subjectCN = $subjectCN\n";
-				next;
-			}
-
-			if (/Not After : (.*)$/) {
-				$notAfter = $1;
-				$notAfterTime = str2time($notAfter);
-				$days = ($notAfterTime-$validStart)/86400.0;
-				next;
-			}
-		}
-		close SSL;
-
-		#
-		# Check KeyName if one has been supplied.
-		#
-		if ($hasKeyName && !defined($names{lc $keyname})) {
-			my $nameList = join ", ", sort keys %names;
-			error("KeyName mismatch: $keyname not in {$nameList}");
-		}
-		
-		#
-		# Use openssl to ask whether this matches our trust fabric or not.
-		#
-		my $error = '';
-		
-		#
-		# Close the temporary file, which will also cause
-		# it to be deleted.
-		#
-		close $fh;
-
-		#
-		# Expiry binning is on the basis of calendar period bins.
-		#
-		# Bin -1 is for expired certificates, bin 99 is for those that
-		# expire on or after 2018-01-01T00:00:00.
-		#
-		if ($days < 0) {
-			$expiryBin = -1;
-		} else {
-			$expiryBin = 99;
-			my $bin = 0;
-			for $binEndTime (@binEndTimes) {
-				if ($notAfterTime <= $binEndTime) {
-					$expiryBin = $bin;
-					last;
-				}
-				$bin++;
-			}
-		}
-		# print "date $notAfter gets bin $expiryBin\n";
-		$expiryBinCount{$expiryBin}++;
-
-		#
-		# Print any interesting things related to this certificate.
-		#
-		if ($printme || !$quiet) {
-			foreach $oline (@olines) {
-				print $oline, "\n";
-			}
-			print "\n";
-		}
-	}
-}
-
-sub numerically {
-	$a <=> $b;
-}
-
-if ($total_certs > 1) {
-
-	print "Total certificates: $total_certs\n";
-	if ($distinct_certs != $total_certs) {
-		print "Distinct certificates: $distinct_certs\n";
-	}
-
-	print "\nExpiry bins:\n";
-	$total = 0;
-	for $bin (sort numerically keys %expiryBinCount) {
-		if (defined($expiryBinCount{$bin})) {
-			$count = $expiryBinCount{$bin};
-		} else {
-			$count = 0; # nothing was put in that bin
-		}
-		$total += $count;
-		if ($bin == 99) {
-			$binName = ">=2018";
-		} else {
-			$binName = $binNames[$bin+1];
-		}
-		print "   $binName: $count\n";
-	}
-	print "Total: $total\n";
-
-	print "\n";
-
-	print "Deduplication saves: $dedupTotal\n";
-}
diff --git a/build.xml b/build.xml
index 1c8348cf..83bf53f2 100644
--- a/build.xml
+++ b/build.xml
@@ -100,6 +100,27 @@
     <property file="${env}.properties"/>
     <property file="default.properties"/>
 
+    <!--
+        *******************************************************
+        ***                                                 ***
+        ***   S A M L   O U T P U T   P R O P E R T I E S   ***
+        ***                                                 ***
+        *******************************************************
+    -->
+
+    <!-- Default validUntil duration for all generated metadata, in days. -->
+    <property name="validUntil.default.days" value="14"/>
+
+    <!-- Specific validUntil duration for aggregates, in days. -->
+    <property name="validUntil.aggregate.days" value="${validUntil.default.days}"/>
+    <!-- Same value, as an ISO 8601 duration. -->
+    <property name="validUntil.aggregate.duration" value="P${validUntil.aggregate.days}D"/>
+
+    <!-- Specific validUntil duration for per-entity metadata, in days. -->
+    <property name="validUntil.perEntity.days" value="${validUntil.default.days}"/>
+    <!-- Same value, as an ISO 8601 duration. -->
+    <property name="validUntil.perEntity.duration" value="P${validUntil.perEntity.days}D"/>
+
     <!--
         ***************************************************************
         ***                                                         ***
@@ -152,6 +173,13 @@
     <property name="mdq.dist.name" value="mdq.ukfederation.org.uk"/>
     <property name="md.dist.path.name" value="/"/>
 
+    <property name="cdi-master.user" value="rsync"/>
+    <property name="cdi-master.name" value="cdi-master.ci.ti.ja.net"/>
+    <property name="cdi-master.ssh.port" value="8822"/>
+    <property name="cdi-master.temploc.name" value="/tmp/legacy-ukf"/>
+    <property name="cdi-master.md.path.name" value="/legacy-ukf-md/"/>
+    <property name="cdi-master.mdq.path.name" value="/legacy-ukf-mdq/"/>
+
     <!--
         Middlebox server properties.
     -->
@@ -173,7 +201,7 @@
     -->
     <property name="www.user" value="wwwscp"/>
     <property name="www.hostname" value="www-ne-01.infr.ukfederation.org.uk"/>
-    <property name="www.path.stats" value="/var/www/html/fed"/>
+    <property name="www.path.stats" value="/var/www/www-prod/html/fed"/>
     <property name="www.path.members" value="/var/www/externals"/>
     <property name="www.url.stats" value="${www.user}@${www.hostname}:${www.path.stats}"/>
     <property name="www.url.members" value="${www.user}@${www.hostname}:${www.path.members}"/>
@@ -243,7 +271,6 @@
     <property name="tools.mdnorm" value="${tools.dir}/mdnorm"/>
     <property name="tools.slacktee" value="${tools.dir}/slacktee"/>
     <property name="tools.xmlsectool" value="${tools.dir}/xmlsectool-2.0.0"/>
-    <property name="tools.xalan" value="${tools.dir}/xalan"/>
 
     <!--
         Full path to a commonly used temporary file.
@@ -313,7 +340,7 @@
         be more than some invocations require, but there's no harm in having a higher
         limit for all of them.
     -->
-    <property name="java.max.memory" value="1024m"/>
+    <property name="java.max.memory" value="1280m"/>
 
 
     <!--
@@ -556,7 +583,6 @@
         git.products.masterbranch.pushtoorigin,
         git.products.createtagandpushtoorigin,
         fs.scp.mdqcache.to.repo,
-        fs.clear.outputdir,
         jenkins.triggerjob.publish">
         <echo>Stage 5 Success: Master branch pushed to origin, new tag created and pushed, mdq cache sent to repo, message sent to start publication.</echo>
     </target>
@@ -1132,7 +1158,7 @@
             <arg value="${utilities.dir}/stats-generate.sh"/>
             <arg value="day"/>
         </exec>
-        <SLACK.send conf="${tools.slacktee}/conf/repo-jenkins.conf" colour="good" channel="stats"
+        <SLACK.send conf="${tools.slacktee}/conf/repo-jenkins.conf" colour="good" channel="ukf-stats"
             message="${stats.daily.output}"/>
     </target>
 
@@ -1270,6 +1296,22 @@
         <checksum file="${aggregates.dir}/${mdaggr.export.preview.signed}"
             property="mdaggr.export.preview.signed.checksum"/>
 
+        <echo>Verifying metadata held at ${cdi-master.name}</echo>
+        <VFY.remote.and.checksum i="http://${cdi-master.name}${cdi-master.md.path.name}${mdaggr.prod.signed}"
+            checksum="${mdaggr.prod.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${cdi-master.name}${cdi-master.md.path.name}${mdaggr.wayf.signed}"
+            checksum="${mdaggr.wayf.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${cdi-master.name}${cdi-master.md.path.name}${mdaggr.cdsall.signed}"
+            checksum="${mdaggr.cdsall.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${cdi-master.name}${cdi-master.md.path.name}${mdaggr.test.signed}"
+            checksum="${mdaggr.test.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${cdi-master.name}${cdi-master.md.path.name}${mdaggr.back.signed}"
+            checksum="${mdaggr.back.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${cdi-master.name}${cdi-master.md.path.name}${mdaggr.export.signed}"
+            checksum="${mdaggr.export.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${cdi-master.name}${cdi-master.md.path.name}${mdaggr.export.preview.signed}"
+            checksum="${mdaggr.export.preview.signed.checksum}"/>
+
         <echo>Verifying metadata held at ${md.dist.host-ne-01.name}</echo>
         <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.prod.signed}"
             checksum="${mdaggr.prod.signed.checksum}"/>
@@ -1341,10 +1383,14 @@
         Verify a few select mdq files held on the master distribution site.
     -->
     <target name="samlmd.mdq.verify.remote">
-        <echo>Verifying MDQ held at ${mdq.dist.name}</echo>
-        <VFY.MDQ.remote i="http://${mdq.dist.name}/entities"/>
-        <VFY.MDQ.remote i="http://${mdq.dist.name}/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth"/>
-        <VFY.MDQ.remote i="http://${mdq.dist.name}/entities/https%3A%2F%2Ftest.ukfederation.org.uk%2Fentity"/>
+      <echo>Verifying MDQ held at ${cdi-master.name}${cdi-master.mdq.path.name}</echo>
+      <VFY.MDQ.remote i="http://${cdi-master.name}${cdi-master.mdq.path.name}entities/all"/>
+      <VFY.MDQ.remote i="http://${cdi-master.name}${cdi-master.mdq.path.name}entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth"/>
+      <VFY.MDQ.remote i="http://${cdi-master.name}${cdi-master.mdq.path.name}entities/https%3A%2F%2Ftest.ukfederation.org.uk%2Fentity"/>
+      <echo>Verifying MDQ held at ${mdq.dist.name}</echo>
+      <VFY.MDQ.remote i="http://${mdq.dist.name}/entities"/>
+      <VFY.MDQ.remote i="http://${mdq.dist.name}/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth"/>
+      <VFY.MDQ.remote i="http://${mdq.dist.name}/entities/https%3A%2F%2Ftest.ukfederation.org.uk%2Fentity"/>
     </target>
 
 
@@ -1449,6 +1495,9 @@
     <property name="mda.sign.keyAlias" value="${sign.uk.keyAlias}"/>
     <property name="mda.sign.pkcs11Config" value="${sign.uk.pkcs11Config}"/>
     <property name="mda.mdq.output" value="${mdq.output.dir}"/>
+    <property name="mda.validUntil.aggregate.days" value="${validUntil.aggregate.days}"/>
+    <property name="mda.validUntil.aggregate.duration" value="${validUntil.aggregate.duration}"/>
+    <property name="mda.validUntil.perEntity.duration" value="${validUntil.perEntity.duration}"/>
 
     <!--
         Build a property set of all the properties to be passed through, with
@@ -1602,7 +1651,7 @@
                     <arg value="${git.repo.project.data}"/>
                     <arg value="${git.repo.project.products}"/>
                 </exec>
-                <SLACK.send conf="${tools.slacktee}/conf/aggr-ant.conf" colour="good" channel="events-publications"
+                <SLACK.send conf="${tools.slacktee}/conf/aggr-ant.conf" colour="good" channel="ukf-events-publish"
                     message="${diff.between.publications}"/>
             </then>
         </if>
@@ -1734,64 +1783,6 @@
         </sequential>
     </macrodef>
 
-    <!--
-        *******************************
-        ***                         ***
-        ***   X A L A N   T O O L   ***
-        ***                         ***
-        *******************************
-    -->
-
-    <!--
-        Macro to run the Xalan XSLT engine, taking files from arbitrary
-        locations.
-    -->
-    <macrodef name="XALAN">
-        <attribute name="i"/>
-        <attribute name="o"/>
-        <attribute name="x"/>
-        <sequential>
-            <java fork="true" maxmemory="${java.max.memory}" failonerror="true" classname="org.apache.xalan.xslt.Process">
-                <classpath>
-                    <fileset dir="${tools.xalan}/lib">
-                        <include name="*.jar"/>
-                    </fileset>
-                </classpath>
-                <jvmarg value="-Djava.endorsed.dirs=${tools.xalan}/endorsed"/>
-                <arg value="-IN"/>
-                <arg value="@{i}"/>
-                <arg value="-OUT"/>
-                <arg value="@{o}"/>
-                <arg value="-XSL"/>
-                <arg value="@{x}"/>
-            </java>
-        </sequential>
-    </macrodef>
-
-    <!--
-        Macro to run the Xalan XSLT engine, taking files from arbitrary
-        locations.  No output specified, so the result of the transform
-        will be sent to standard output.
-    -->
-    <macrodef name="XALAN.noout">
-        <attribute name="i"/>
-        <attribute name="x"/>
-        <sequential>
-            <java fork="true" maxmemory="${java.max.memory}" failonerror="true" classname="org.apache.xalan.xslt.Process">
-                <classpath>
-                    <fileset dir="${tools.xalan}/lib">
-                        <include name="*.jar"/>
-                    </fileset>
-                </classpath>
-                <jvmarg value="-Djava.endorsed.dirs=${tools.xalan}/endorsed"/>
-                <arg value="-IN"/>
-                <arg value="@{i}"/>
-                <arg value="-XSL"/>
-                <arg value="@{x}"/>
-            </java>
-        </sequential>
-    </macrodef>
-
     <!--
         *******************************************
         ***                                     ***
@@ -2068,6 +2059,12 @@
             Push metadata files for the UK Federation to the MD dist servers
         -->
         <echo>Pushing UK Federation metadata files to MD dist.</echo>
+        <echo>-> CDI-master</echo>
+        <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
+            <arg value="push"/>
+            <arg value="cdi-master"/>
+            <arg value="master"/>
+        </exec>
         <echo>-> MD-NE-01</echo>
         <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
             <arg value="push"/>
@@ -2099,6 +2096,12 @@
             Push mdq cache tar to the MD dist servers
         -->
         <echo>Pushing UK Federation mdq cache to MD dist.</echo>
+        <echo>-> CDI-master</echo>
+        <scp failonerror="true" remoteTodir="${cdi-master.user}@${cdi-master.name}:${cdi-master.temploc.name}" port="${cdi-master.ssh.port}" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
+            <fileset dir="${output.dir}">
+                <include name="${mdq.cache}"/>
+            </fileset>
+        </scp>
         <echo>-> MD-NE-01</echo>
         <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-ne-01.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
             <fileset dir="${output.dir}">
@@ -2307,8 +2310,10 @@
 
     <target name="uiinfo.list">
         <CHANNEL.do channel="uk" verb="collect"/>
-        <XALAN.noout i="${mdx.dir}/uk/collected.xml"
-               x="${build.dir}/list_uiinfo.xsl"/>
+        <exec executable="xsltproc" failonerror="true">
+            <arg value="${build.dir}/list_uiinfo.xsl"/>
+            <arg value="${mdx.dir}/uk/collected.xml"/>
+        </exec>
     </target>
 
     <!--
@@ -2464,10 +2469,12 @@
     -->
     <target name="extract.embedded" depends="flow.uk.collect">
         <echo>Extracting embedded certificates</echo>
-        <XALAN
-            i="${uk.collected}"
-            o="${temp.dir}/embedded.pem"
-            x="${build.dir}/extract_embedded.xsl"/>
+        <exec executable="xsltproc" failonerror="true">
+            <arg value="--output"/>
+            <arg value="${temp.dir}/embedded.pem"/>
+            <arg value="${build.dir}/extract_embedded.xsl"/>
+            <arg value="${uk.collected}"/>
+        </exec>
     </target>
 
     <!--
@@ -2492,10 +2499,12 @@
     -->
     <target name="check.embedded.all">
         <echo>Extracting embedded certificates</echo>
-        <XALAN
-            i="${aggregates.dir}/${mdaggr.prod.signed}"
-            o="${temp.dir}/embedded.pem"
-            x="${build.dir}/extract_embedded.xsl"/>
+        <exec executable="xsltproc" failonerror="true">
+            <arg value="--output"/>
+            <arg value="${temp.dir}/embedded.pem"/>
+            <arg value="${build.dir}/extract_embedded.xsl"/>
+            <arg value="${aggregates.dir}/${mdaggr.prod.signed}"/>
+        </exec>
         <echo>Checking embedded certificates</echo>
         <echo>Note: ignore expiry on eduGAIN entities</echo>
         <exec executable="perl" dir="${utilities.dir}"
diff --git a/build/Xalan.pm b/build/Xalan.pm
deleted file mode 100755
index be9cbb50..00000000
--- a/build/Xalan.pm
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/usr/bin/perl -w
-
-#
-# Simplified access to the Xalan XSLT processor.
-#
-
-#
-# xalanCall
-#
-# Provides the stem of a "system" call string to access Xalan with the
-# required extensions.
-#
-sub xalanCall
-{
-	my $xalanRoot = "../tools/xalan";
-	
-	my $res = "java";
-	
-	# Endorsed Xalan and Xerces
-	$res .= " -Djava.endorsed.dirs=$xalanRoot/endorsed";
-	
-	# Classpath
-	my $classpath = '';
-	while (glob "$xalanRoot/lib/*") {
-		$classpath .= ':' unless $classpath eq '';
-		$classpath .= $_;
-	}
-	
-	$res .= " -cp $classpath";
-	
-	# Class to invoke
-	$res .= " org.apache.xalan.xslt.Process";
-	$res;
-}
-
-#print ">>>" . xalanCall . "<<<\n";
-
-1;
diff --git a/build/check_entity.pl b/build/check_entity.pl
index f891783c..50003122 100755
--- a/build/check_entity.pl
+++ b/build/check_entity.pl
@@ -1,5 +1,4 @@
 #!/usr/bin/perl -w
-use Xalan;
 use File::Temp qw(tempfile);
 use Date::Parse;
 use Digest::SHA1 qw(sha1 sha1_hex sha1_base64);
@@ -28,16 +27,16 @@
 		# temporary file
 		$temp = '../xml/embedded.pem';
 		unlink($temp) if -e $temp;
-		
+
 		# extract embedded certificates
-		open(EXTRACT, xalanCall . " -IN $fn -OUT $temp -XSL extract_embedded.xsl|")
+		open(EXTRACT, "xsltproc --output $temp extract_embedded.xsl $fn|")
 		 	|| die "could not open certificate extract process";
 		while (<EXTRACT>) {
 			print $_;
 		}
 		close EXTRACT;
 		die "no embedded certificates extracted" unless -e $temp;
-		
+
 		# check embedded certificates
 		open(CHECK, "cd ../xml; perl ../build/check_embedded.pl <$temp|")
 			|| die "could not open certificate check process";
@@ -47,7 +46,7 @@
 			print $_;
 		}
 		close CHECK;
-		
+
 		# clean up
 		unlink($temp) if -e $temp;
 	}
diff --git a/build/extract_embedded.xsl b/build/extract_embedded.xsl
index 751a6a91..9242daba 100644
--- a/build/extract_embedded.xsl
+++ b/build/extract_embedded.xsl
@@ -17,8 +17,7 @@
     xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns:mdxTextUtils="xalan://uk.ac.sdss.xalan.md.TextUtils">
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 
     <!-- Output is plain text -->
     <xsl:output method="text"/>
@@ -49,7 +48,7 @@
                 </xsl:choose>
                 <xsl:text>&#x0a;</xsl:text>
                 <xsl:text>-----BEGIN CERTIFICATE-----&#x0a;</xsl:text>
-                <xsl:value-of select="mdxTextUtils:wrapBase64($cert)"/>
+                <xsl:value-of select="translate(normalize-space($cert),' ','&#x0a;')"/>
                 <xsl:text>&#x0a;</xsl:text>
                 <xsl:text>-----END CERTIFICATE-----&#x0a;</xsl:text>
             </xsl:if>
diff --git a/build/extract_locs.pl b/build/extract_locs.pl
index a516194d..97fa27c9 100755
--- a/build/extract_locs.pl
+++ b/build/extract_locs.pl
@@ -1,8 +1,6 @@
 #!/usr/bin/perl -w
 
-use Xalan;
-
-open(XML, xalanCall . " -IN ../mdx/uk/collected.xml -XSL extract_locs.xsl|") || die "could not open input file";
+open(XML, "xsltproc extract_locs.xsl ../mdx/uk/collected.xml|") || die "could not open input file";
 while (<XML>) {
 	chop;
 	if (/^https:\/\/([^\/:]+(:\d+)?)(\/|$)/) {
diff --git a/build/extract_locs_edugain.pl b/build/extract_locs_edugain.pl
index daf44512..e882d0ca 100755
--- a/build/extract_locs_edugain.pl
+++ b/build/extract_locs_edugain.pl
@@ -1,8 +1,6 @@
 #!/usr/bin/perl -w
 
-use Xalan;
-
-open(XML, xalanCall . " -IN ../mdx/int_edugain/imported.xml -XSL extract_locs.xsl|") || die "could not open input file";
+open(XML, "xsltproc extract_locs.xsl ../mdx/int_edugain/imported.xml|") || die "could not open input file";
 while (<XML>) {
 	chop;
 	if (/^https:\/\/([^\/:]+(:\d+)?)(\/|$)/) {
diff --git a/build/extract_locs_noports.pl b/build/extract_locs_noports.pl
index 68eeb366..24502aa6 100755
--- a/build/extract_locs_noports.pl
+++ b/build/extract_locs_noports.pl
@@ -1,8 +1,6 @@
 #!/usr/bin/perl -w
 
-use Xalan;
-
-open(XML, xalanCall . " -IN ../mdx/uk/collected.xml -XSL extract_locs.xsl|") || die "could not open input file";
+open(XML, "xsltproc extract_locs.xsl ../mdx/uk/collected.xml|") || die "could not open input file";
 while (<XML>) {
     chop;
     if (/^https:\/\/([^\/:]+)(:\d+)?(\/|$)/) {
diff --git a/build/probe_certs.pl b/build/probe_certs.pl
index 5772c566..58f553fa 100755
--- a/build/probe_certs.pl
+++ b/build/probe_certs.pl
@@ -1,10 +1,9 @@
 #!/usr/bin/perl -w
 
 use ExtractCert;
-use Xalan;
 
 print "Loading endpoint locations...\n";
-open(XML, xalanCall . " -IN ../xml/ukfederation-metadata.xml -XSL extract_cert_locs.xsl|") || die "could not open input file";
+open(XML, "xsltproc extract_cert_locs.xsl ../xml/ukfederation-metadata.xml|") || die "could not open input file";
 while (<XML>) {
 	if (/^http:/) {
 		print "skipping http location: $_";
@@ -37,7 +36,7 @@
 	# Remove any old copy of the DER file.
 	#
 	unlink $temp_der;
-	
+
 	#
 	# Separate location into host and port.
 	#
@@ -58,7 +57,7 @@
 		$failed{$loc} = 1;
 		next;
 	}
-	
+
 	#
 	# Use openssl to convert the certificate to text
 	#
@@ -75,7 +74,7 @@
 			$subject = $1;
 		}
 	}
-	
+
 	if ($subject eq $issuer) {
 		$issuer = "(self-signed certificate)";
 	}
@@ -101,7 +100,7 @@
 	print "$n: $issuer\n";
 	foreach $loc (sort keys %locs) {
 		print "   $loc\n";
-	} 
+	}
 }
 
 #
diff --git a/build/probe_nk_certs.pl b/build/probe_nk_certs.pl
index 36554355..337e3e66 100755
--- a/build/probe_nk_certs.pl
+++ b/build/probe_nk_certs.pl
@@ -3,7 +3,6 @@
 use POSIX qw(floor);
 use Date::Parse;
 use ExtractCert;
-use Xalan;
 
 sub error {
 	my($s) = @_;
@@ -28,7 +27,7 @@ sub comment {
 my $longExpiredDays = 30*3; # about three months
 
 print "Loading endpoint locations...\n";
-open(XML, xalanCall . " -IN ../xml/ukfederation-metadata.xml -XSL extract_nk_cert_locs.xsl|") || die "could not open input file";
+open(XML, "xsltproc extract_nk_cert_locs.xsl ../xml/ukfederation-metadata.xml|") || die "could not open input file";
 while (<XML>) {
 	my ($entity, $url) = split;
 	if ($url =~ /^https:\/\/([^\/:]+(:\d+)?)\//) {
@@ -61,7 +60,7 @@ sub comment {
 	# Remove any old copy of the DER file.
 	#
 	unlink $temp_der;
-	
+
 	#
 	# Separate location into host and port.
 	#
@@ -82,7 +81,7 @@ sub comment {
 		$failed{$loc} = 1;
 		next;
 	}
-	
+
 	#
 	# Use openssl to convert the certificate to text
 	#
@@ -122,7 +121,7 @@ sub comment {
 			}
 			next;
 		}
-		
+
 		if (/Not After : (.*)$/) {
 			$notAfter = $1;
 			$notAfterTime = str2time($notAfter);
@@ -143,7 +142,7 @@ sub comment {
 		}
 
 	}
-	
+
 	if ($pubSize < 2048) {
 		warning("short public key: $pubSize bits, certificate expires $notAfter");
 	}
@@ -173,7 +172,7 @@ sub comment {
 	print "$n: $issuer\n";
 	foreach $loc (sort keys %locs) {
 		print "   $loc\n";
-	} 
+	}
 }
 
 #
diff --git a/build/probe_nk_nocerts.pl b/build/probe_nk_nocerts.pl
index 808f6ac6..07932fb4 100755
--- a/build/probe_nk_nocerts.pl
+++ b/build/probe_nk_nocerts.pl
@@ -3,7 +3,6 @@
 use POSIX qw(floor);
 use Date::Parse;
 use ExtractCert;
-use Xalan;
 
 sub error {
 	my($s) = @_;
@@ -30,7 +29,7 @@ sub comment {
 my $longExpiredDays = 30*3; # about three months
 
 print "Loading endpoint locations...\n";
-open(XML, xalanCall . " -IN ../xml/ukfederation-metadata.xml -XSL extract_nk_nocert_locs.xsl|") || die "could not open input file";
+open(XML, "xsltproc extract_nk_nocert_locs.xsl ../xml/ukfederation-metadata.xml|") || die "could not open input file";
 while (<XML>) {
 	my ($entity, $url) = split;
 	if ($url =~ /^https:\/\/([^\/:]+(:\d+)?)(\/|$)/) {
@@ -62,12 +61,12 @@ sub comment {
 	my $entity = $locations{$loc};
 	print "$count: probing $entity: $loc\n";
 	$count--;
-	
+
 	#
 	# Remove any old copy of the DER file.
 	#
 	unlink $temp_der;
-	
+
 	#
 	# Separate location into host and port.
 	#
@@ -88,7 +87,7 @@ sub comment {
 		$failed{$loc} = 1;
 		next;
 	}
-	
+
 	#
 	# Use openssl to convert the certificate to text
 	#
@@ -128,7 +127,7 @@ sub comment {
 			}
 			next;
 		}
-		
+
 		if (/Not After : (.*)$/) {
 			$notAfter = $1;
 			$notAfterTime = str2time($notAfter);
@@ -179,7 +178,7 @@ sub comment {
 	print "$n: $issuer\n";
 	foreach $loc (sort keys %locs) {
 		print "   $loc\n";
-	} 
+	}
 }
 
 #
diff --git a/build/probe_nocerts.pl b/build/probe_nocerts.pl
index fbb0771c..cd6f5d8d 100755
--- a/build/probe_nocerts.pl
+++ b/build/probe_nocerts.pl
@@ -1,12 +1,11 @@
 #!/usr/bin/perl -w
 
 use ExtractCert;
-use Xalan;
 
 $known_bad{'census.data-archive.ac.uk:8080'} = 1; # it is really http, not https
 
 print "Loading endpoint locations...\n";
-open(XML, xalanCall . " -IN ../xml/ukfederation-metadata.xml -XSL extract_nocert_locs.xsl|") || die "could not open input file";
+open(XML, "xsltproc extract_nocert_locs.xsl ../xml/ukfederation-metadata.xml|") || die "could not open input file";
 while (<XML>) {
 	chop;
 	if (/^http:/) {
@@ -39,12 +38,12 @@
 foreach $loc (sort keys %locations) {
 	print "$count: probing: $loc\n";
 	$count--;
-	
+
 	#
 	# Remove any old copy of the DER file.
 	#
 	unlink $temp_der;
-	
+
 	#
 	# Separate location into host and port.
 	#
@@ -65,7 +64,7 @@
 		$failed{$loc} = 1;
 		next;
 	}
-	
+
 	#
 	# Use openssl to convert the certificate to text
 	#
@@ -108,7 +107,7 @@
 	print "$n: $issuer\n";
 	foreach $loc (sort keys %locs) {
 		print "   $loc\n";
-	} 
+	}
 }
 
 #
diff --git a/build/probe_openssl.pl b/build/probe_openssl.pl
index d71e759a..1b2e83cb 100755
--- a/build/probe_openssl.pl
+++ b/build/probe_openssl.pl
@@ -1,12 +1,11 @@
 #!/usr/bin/perl -w
 
 use ExtractCert;
-use Xalan;
 
 $known_bad{'census.data-archive.ac.uk:8080'} = 1; # it is really http, not https
 
 print "Loading endpoint locations...\n";
-open(XML, xalanCall . " -IN ../xml/ukfederation-metadata.xml -XSL extract_nocert_locs.xsl|") || die "could not open input file";
+open(XML, "xsltproc extract_nocert_locs.xsl ../xml/ukfederation-metadata.xml|") || die "could not open input file";
 while (<XML>) {
 	chop;
 	if (/^http:/) {
@@ -39,12 +38,12 @@
 foreach $loc (sort keys %locations) {
 	print "$count: probing: $loc\n";
 	$count--;
-	
+
 	#
 	# Remove any old copy of the DER file.
 	#
 	unlink $temp_der;
-	
+
 	#
 	# Separate location into host and port.
 	#
diff --git a/charting/mdui.pl b/charting/mdui.pl
index fb2a6bfd..2651703b 100755
--- a/charting/mdui.pl
+++ b/charting/mdui.pl
@@ -4,8 +4,7 @@
 # mdui.pl
 #
 use warnings;
-use lib "../build";
-use Xalan;
+use lib '.';
 use Months;
 
 # Parse command line arguments
@@ -29,9 +28,9 @@
 foreach $month (@months) {
 	print "Processing $month\n";
 
-	my $command = xalanCall . " -IN cache/$month.xml -XSL statistics_mdui.xsl";
+	my $command = "xsltproc statistics_mdui.xsl cache/$month.xml";
 	# print "command is $command\n";
 	system($command); # || print "ignoring claimed failure in sub command\n";
-	# print "Xalan run on $fn\n";
+	# print "xsltproc run on $fn\n";
 	print "\n";
 }
diff --git a/charting/saml2.pl b/charting/saml2.pl
index fd790429..0542f210 100755
--- a/charting/saml2.pl
+++ b/charting/saml2.pl
@@ -6,8 +6,7 @@
 # Extracts statistics about SAML 2 adoption from the published metadata.
 #
 use warnings;
-use lib "../build";
-use Xalan;
+use lib ".";
 use Months;
 
 # Parse command line arguments
@@ -25,7 +24,7 @@
 # ingest files
 foreach $month (@months) {
 	my $fn = "cache/$month.xml";
-	open(TXT, xalanCall . " -IN $fn -XSL saml2.xsl|") || die "could not open input file";
+	open(TXT, "xsltproc saml2.xsl $fn|") || die "could not open input file";
 	$_ = <TXT>;
 	chop;
 	# print "$month: $_\n";
diff --git a/charting/scopes.pl b/charting/scopes.pl
index 3927471b..8a8c6692 100755
--- a/charting/scopes.pl
+++ b/charting/scopes.pl
@@ -6,8 +6,7 @@
 # Extracts statistics about number of scopes from the published metadata.
 #
 use warnings;
-use lib "../build";
-use Xalan;
+use lib ".";
 use Months;
 
 # Parse command line arguments
@@ -31,7 +30,7 @@
 foreach $month (@months) {
 	my $fn = "cache/$month.xml";
 	my %scopes;
-	open(TXT, xalanCall . " -IN $fn -XSL scopes.xsl|") || die "could not open input file";
+	open(TXT, "xsltproc scopes.xsl $fn|") || die "could not open input file";
 	while (<TXT>) {
 		chop;
 		my $scope = $_;
diff --git a/charting/sizes.pl b/charting/sizes.pl
index 004c6e3f..7f9fa924 100755
--- a/charting/sizes.pl
+++ b/charting/sizes.pl
@@ -4,9 +4,8 @@
 # sizes.pl
 #
 use warnings;
-use lib "../build";
+use lib ".";
 use File::stat;
-use Xalan;
 use Months;
 
 # Parse command line arguments
@@ -47,10 +46,10 @@
 	# Now generate a reduced version of the archived
 	# file that contains only UK federation registered entities.
 	#
-	my $command = xalanCall . " -IN $fn -XSL just_ours.xsl -OUT temp.tmp";
+	my $command = "xsltproc --output temp.tmp just_ours.xsl $fn";
 	# print "command is $command\n";
 	system($command); # || print "ignoring claimed failure in sub command\n";
-	# print "Xalan run on $fn\n";
+	# print "xsltproc run on $fn\n";
 
 	#
 	# Process the reduced version of the archived file.
diff --git a/mdx/_rules/check_future_1.xsl b/mdx/_rules/check_future_1.xsl
index ed05b114..c6d5d479 100644
--- a/mdx/_rules/check_future_1.xsl
+++ b/mdx/_rules/check_future_1.xsl
@@ -27,4 +27,31 @@
     -->
     <xsl:import href="check_framework.xsl"/>
 
+    <!--
+
+        It does not make sense for an IdP to have more than one SingleLogoutService
+        with any of a list of SAML 2.0 front-channel bindings.
+
+        See ukf/ukf-meta#155
+
+    -->
+    <xsl:template match="md:SingleLogoutService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'][position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one SingleLogoutService with SAML 2.0 HTTP-POST binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SingleLogoutService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'][position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one SingleLogoutService with SAML 2.0 HTTP-POST-SimpleSign binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SingleLogoutService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'][position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one SingleLogoutService with SAML 2.0 HTTP-Redirect binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_2.xsl b/mdx/_rules/check_future_2.xsl
index ee51f733..0b697102 100644
--- a/mdx/_rules/check_future_2.xsl
+++ b/mdx/_rules/check_future_2.xsl
@@ -27,4 +27,27 @@
     -->
     <xsl:import href="check_framework.xsl"/>
 
+    <!--
+
+        Check whether md:OrganizationDisplayname matches mdui:DisplayName for SPs
+
+        See ukf/ukf-data#325
+
+    -->
+    <xsl:template match="md:EntityDescriptor[md:SPSSODescriptor]">
+        <xsl:variable name="mdui" select="md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName[@xml:lang='en']"/>
+        <xsl:variable name="odn" select="md:Organization/md:OrganizationDisplayName[@xml:lang='en']"/>
+        <xsl:if test="$mdui and $odn and $mdui != $odn">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">
+                    <xsl:text>mismatched xml:lang='en' DisplayNames: '</xsl:text>
+                    <xsl:value-of select="$mdui"/>
+                    <xsl:text>' in mdui vs. '</xsl:text>
+                    <xsl:value-of select="$odn"/>
+                    <xsl:text>' in ODN</xsl:text>
+                </xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_4.xsl b/mdx/_rules/check_future_4.xsl
index 8a7084f8..ef19cc39 100644
--- a/mdx/_rules/check_future_4.xsl
+++ b/mdx/_rules/check_future_4.xsl
@@ -17,6 +17,7 @@
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
     xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
     xmlns:set="http://exslt.org/sets"
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
@@ -27,4 +28,73 @@
     -->
     <xsl:import href="check_framework.xsl"/>
 
+    <!--
+
+        If an entity has algorithmic agility metadata, check whether it has the algorithms
+        which are listed in the 2018 SAML V2.0 Interoperability Deployment Profile
+
+        See section 3.3 of https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
+        and ukf/ukf-meta#157
+
+    -->
+    <xsl:template match="md:KeyDescriptor[count(md:EncryptionMethod) > 0]">
+
+        <xsl:variable name="gcm"
+            select="md:EncryptionMethod[
+            @Algorithm='http://www.w3.org/2009/xmlenc11#aes128-gcm' or
+            @Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm' or
+            @Algorithm='http://www.w3.org/2009/xmlenc11#aes256-gcm'
+            ]"/>
+
+        <xsl:variable name="keytransport"
+            select="md:EncryptionMethod[
+            @Algorithm='http://www.w3.org/2009/xmlenc11#rsa-oaep' or
+            @Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'
+            ]"/>
+
+        <xsl:if test="count($gcm) = 0">
+            <xsl:call-template name="warning">
+                <xsl:with-param name="m">Does not contain a GCM EncryptionMethod specified in new saml2int</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
+        <xsl:if test="count($keytransport) = 0">
+            <xsl:call-template name="warning">
+                <xsl:with-param name="m">Does not contain a Key Transport EncryptionMethod specified in new saml2int</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
+    </xsl:template>
+
+    <xsl:template match="md:Extensions
+        [
+        count(alg:DigestMethod) > 0 or
+        count(alg:SigningMethod) > 0
+        ]">
+
+        <xsl:variable name="signing"
+            select="alg:SigningMethod[
+            @Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' or
+            @Algorithm='http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256'
+            ]"/>
+
+        <xsl:variable name="digest"
+            select="alg:DigestMethod[
+            @Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'
+            ]"/>
+
+        <xsl:if test="count($signing) = 0">
+            <xsl:call-template name="warning">
+                <xsl:with-param name="m">Does not contain a SigningMethod specified in new saml2int</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
+        <xsl:if test="count($digest) = 0">
+            <xsl:call-template name="warning">
+                <xsl:with-param name="m">Does not contain a DigestMethod specified in new saml2int</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_5.xsl b/mdx/_rules/check_future_5.xsl
index 8ebfc25d..ca6bcd72 100644
--- a/mdx/_rules/check_future_5.xsl
+++ b/mdx/_rules/check_future_5.xsl
@@ -13,6 +13,7 @@
     xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
     xmlns:set="http://exslt.org/sets"
@@ -23,4 +24,16 @@
     -->
     <xsl:import href="check_framework.xsl"/>
 
+    <xsl:template match="md:IDPSSODescriptor/@errorURL[mdxURL:invalidURL(.)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:value-of select='local-name()'/>
+                <xsl:text> '</xsl:text>
+                <xsl:value-of select="."/>
+                <xsl:text>' is not a valid URL: </xsl:text>
+                <xsl:value-of select="mdxURL:whyInvalid(.)"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_9.xsl b/mdx/_rules/check_future_9.xsl
index 54911d3d..546f4275 100644
--- a/mdx/_rules/check_future_9.xsl
+++ b/mdx/_rules/check_future_9.xsl
@@ -6,7 +6,8 @@
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
 
-    Author: Ian A. Young <ian@iay.org.uk>
+    This is to warn if an SP suggests that it wants signed assertions.
+    Typically, it is the response that should be signed.
 
 -->
 <xsl:stylesheet version="1.0"
@@ -23,5 +24,11 @@
     -->
     <xsl:import href="check_framework.xsl"/>
 
+    <xsl:template match="md:EntityDescriptor[md:SPSSODescriptor[@WantAssertionsSigned='true']]">
+        <xsl:call-template name="warning">
+            <xsl:with-param name="m">SP sets WantAssertionsSigned, although typically you would want Responses signed not Assertions</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_reqattr.xsl b/mdx/_rules/check_reqattr.xsl
index 455d35e8..3bdb565d 100644
--- a/mdx/_rules/check_reqattr.xsl
+++ b/mdx/_rules/check_reqattr.xsl
@@ -28,6 +28,10 @@
         http://www.terena.org/registry/terena.org/attribute-def/
         http://www.terena.org/registry/terena.org/schac/
         Assuming encoding rules equivalent to MACEAttr.
+    
+    * eduroam.cz
+        Currently only a single attribute, documented at:
+        https://www.eduroam.cz/attributes/eduroamUID
 
 
     Author: Ian A. Young <ian@iay.org.uk>
@@ -482,6 +486,12 @@
                 <!-- OK -->
             </xsl:when>
 
+            <!--
+                eduroam.cz SAML 2.x binding
+            -->
+            <xsl:when test="@Name='http://eduroam.cz/attributes/eduroamUID'">
+                <!-- OK -->
+            </xsl:when>
 
             <!--
                 Otherwise unknown attribute names.
diff --git a/mdx/at_aconet/verbs.xml b/mdx/at_aconet/verbs.xml
index 54399699..64da4a80 100644
--- a/mdx/at_aconet/verbs.xml
+++ b/mdx/at_aconet/verbs.xml
@@ -88,14 +88,13 @@
                 </bean>
 
                 <!--
-                    Remove a specific entity we know has a problem that it will take
+                    Remove any specific entities we know have problems that it will take
                     a while to resolve.
                 -->
                 <bean id="filterEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="false">
                     <property name="designatedEntities">
                         <set>
-                            <value>https://zididp.uni-graz.at/idp/shibboleth</value>
                         </set>
                     </property>
                 </bean>
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index db6b1d20..1ec9a4b1 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -259,6 +259,14 @@
     <bean id="stripUkfedlabelNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="ukfedlabel_namespace"/>
 
+    <!--
+        stripXsiNamespace
+
+        Strip the XML Schema Instance namespace.
+    -->
+    <bean id="stripXsiNamespace" parent="mda.NamespaceStrippingStage"
+        p:namespace-ref="xsi_namespace"/>
+
     <!--
         normaliseNamespaces
 
@@ -284,17 +292,20 @@
     <!--
         Federation registrationAuthority URIs.
     -->
-    <bean id="ar_mate_registrar"         parent="String" c:_="http://www.federacionmate.gob.ar"/>
     <bean id="am_afire_registrar"        parent="String" c:_="https://aai.asnet.am"/>
+    <bean id="ar_mate_registrar"         parent="String" c:_="http://www.federacionmate.gob.ar"/>
     <bean id="at_aconet_registrar"       parent="String" c:_="http://eduid.at"/>
     <bean id="au_aaf_registrar"          parent="String" c:_="https://aaf.edu.au"/>
     <bean id="be_belnet_registrar"       parent="String" c:_="http://federation.belnet.be/"/>
+    <bean id="bg_bif_registrar"          parent="String" c:_="http://bif.bren.bg"/>
     <bean id="br_cafe_registrar"         parent="String" c:_="http://cafe.rnp.br"/>
-    <bean id="by_febas_registrar"        parent="String" c:_="http://febas.basnet.by/"/>
+    <bean id="by_febas_registrar"        parent="String" c:_="https://febas.basnet.by"/>
     <bean id="ca_caf_registrar"          parent="String" c:_="http://www.canarie.ca"/>
     <bean id="ch_switchaai_registrar"    parent="String" c:_="http://rr.aai.switch.ch/"/>
     <bean id="cl_cofre_registrar"        parent="String" c:_="http://cofre.reuna.cl"/>
+    <bean id="cn_carsi_registrar"        parent="String" c:_="http://carsi.edu.cn"/>
     <bean id="co_colfire_registrar"      parent="String" c:_="http://colfire.co"/>
+    <bean id="cy_cynet_registrar"        parent="String" c:_="http://cynet.ac.cy"/>
     <bean id="cz_eduid_registrar"        parent="String" c:_="http://www.eduid.cz/"/>
     <bean id="de_dfnaai_registrar"       parent="String" c:_="https://www.aai.dfn.de"/>
     <bean id="dk_wayf_registrar"         parent="String" c:_="https://www.wayf.dk"/>
@@ -306,26 +317,39 @@
     <bean id="fr_renater_registrar"      parent="String" c:_="https://federation.renater.fr/"/>
     <bean id="ge_gif_registrar"          parent="String" c:_="https://mtd.gif.grena.ge"/>
     <bean id="gr_grnet_registrar"        parent="String" c:_="http://aai.grnet.gr/"/>
+    <bean id="hk_hkaf_registrar"         parent="String" c:_="https://hkaf.edu.hk"/>
     <bean id="hr_eduhr_registrar"        parent="String" c:_="http://www.srce.hr"/>
     <bean id="hu_eduid_registrar"        parent="String" c:_="http://eduid.hu"/>
     <bean id="ie_edugate_registrar"      parent="String" c:_="http://www.heanet.ie"/>
     <bean id="il_iif_registrar"          parent="String" c:_="http://iif.iucc.ac.il"/>
     <bean id="in_infed_registrar"        parent="String" c:_="http://inflibnet.ac.in"/>
+    <bean id="ir_irfed_registrar"        parent="String" c:_="https://irfed.ir/"/>
     <bean id="it_gridp_registrar"        parent="String" c:_="http://gridp.garr.it"/>
     <bean id="it_idem_registrar"         parent="String" c:_="http://www.idem.garr.it/"/>
     <bean id="jp_gakunin_registrar"      parent="String" c:_="https://www.gakunin.jp"/>
     <bean id="kr_kafe_registrar"         parent="String" c:_="http://kafe.kreonet.net"/>
+    <bean id="lb_life_registrar"         parent="String" c:_="http://life.aub.edu.lb"/><!-- A guess -->
     <bean id="lt_litnet_registrar"       parent="String" c:_="https://fedi.litnet.lt"/>
     <bean id="lu_eduid_registrar"        parent="String" c:_="http://eduid.lu"/>
     <bean id="lv_laife_registrar"        parent="String" c:_="http://laife.lanet.lv/"/>
-    <bean id="mk_aaiedumk_registrar"     parent="String" c:_="https://rr.aaiedu.mk"/>
     <bean id="md_leaf_registrar"         parent="String" c:_="http://federations.renam.md/"/>
+    <bean id="me_eduid_registrar"        parent="String" c:_="http://mren.ac.me"/><!-- A guess -->
+    <bean id="mk_aaiedumk_registrar"     parent="String" c:_="https://rr.aaiedu.mk"/>
+    <bean id="mw_maren_registrar"        parent="String" c:_="https://maren.ac.mw"/><!-- A guess -->
+    <bean id="mz_cafmoz_registrar"       parent="String" c:_="http://cafmoz.morenet.ac.mz"/><!-- A guess -->
     <bean id="nl_surfconext_registrar"   parent="String" c:_="http://www.surfconext.nl/"/>
     <bean id="no_feide_registrar"        parent="String" c:_="http://feide.no/"/>
+    <bean id="nz_tuakiri_registrar"      parent="String" c:_="http://tuakiri.ac.nz/"/><!-- A guess -->
+    <bean id="om_omankid_registrar"      parent="String" c:_="https://home.trc.gov.om"/>
     <bean id="pl_pionier_registrar"      parent="String" c:_="https://aai.pionier.net.pl"/>
     <bean id="pt_rctsaai_registrar"      parent="String" c:_="https://www.fccn.pt"/>
+    <bean id="rs_amres_registrar"        parent="String" c:_="http://amres.ac.rs/"/><!-- A guess -->
+    <bean id="ru_fedurus_registrar"      parent="String" c:_="http://www.fedurus.ru/"/><!-- A guess -->
     <bean id="se_swamid_registrar"       parent="String" c:_="http://www.swamid.se/"/>
+    <bean id="sg_sgaf_registrar"         parent="String" c:_="https://www.singaren.net.sg"/>
     <bean id="si_arnes_registrar"        parent="String" c:_="http://aai.arnes.si"/>
+    <bean id="sk_safeid_registrar"       parent="String" c:_="http://safeid.sk"/>
+    <bean id="tr_yetkim_registrar"       parent="String" c:_="http://aai.ulak.net.tr/"/><!-- A guess -->
     <bean id="ua_peano_registrar"        parent="String" c:_="https://peano.uran.ua"/>
     <bean id="ug_rif_registrar"          parent="String" c:_="https://www.renu.ac.ug"/>
     <bean id="uk_ukf_registrar"          parent="String" c:_="http://ukfederation.org.uk"/>
@@ -354,9 +378,12 @@
 
                     http://www.edugain.org/technical/status.php
                 -->
+                <entry key-ref="dz_arnaai_registrar"          value="DZ"/>
+                <entry key-ref="ar_mate_registrar"            value="AR"/>
                 <entry key-ref="am_afire_registrar"           value="AM"/>
                 <entry key-ref="au_aaf_registrar"             value="AU"/>
                 <entry key-ref="at_aconet_registrar"          value="AT"/>
+                <entry key-ref="by_febas_registrar"           value="BY"/>
                 <entry key-ref="be_belnet_registrar"          value="BE"/>
                 <entry key-ref="br_cafe_registrar"            value="BR"/>
                 <entry key-ref="ca_caf_registrar"             value="CA"/>
@@ -374,6 +401,7 @@
                 <entry key-ref="gr_grnet_registrar"           value="GR"/>
                 <entry key-ref="hu_eduid_registrar"           value="HU"/>
                 <entry key-ref="in_infed_registrar"           value="IN"/>
+                <entry key-ref="ir_irfed_registrar"           value="IR"/>
                 <entry key-ref="ie_edugate_registrar"         value="IE"/>
                 <entry key-ref="il_iif_registrar"             value="IL"/>
                 <entry key-ref="it_idem_registrar"            value="IT"/>
@@ -385,8 +413,10 @@
                 <entry key-ref="mk_aaiedumk_registrar"        value="MK"/>
                 <entry key-ref="md_leaf_registrar"            value="MD"/>
                 <entry key-ref="no_feide_registrar"           value="NO"/>
+                <entry key-ref="om_omankid_registrar"         value="OM"/>
                 <entry key-ref="pl_pionier_registrar"         value="PL"/>
                 <entry key-ref="pt_rctsaai_registrar"         value="PT"/>
+                <entry key-ref="sg_sgaf_registrar"            value="SG"/>
                 <entry key-ref="si_arnes_registrar"           value="SI"/>
                 <entry key-ref="za_safire_registrar"          value="ZA"/>
                 <entry key-ref="es_sir_registrar"             value="ES"/>
@@ -394,17 +424,27 @@
                 <entry key-ref="ch_switchaai_registrar"       value="CH"/>
                 <entry key-ref="nl_surfconext_registrar"      value="NL"/>
                 <entry key-ref="us_incommon_registrar"        value="US"/>
+                <entry key-ref="ug_rif_registrar"             value="UG"/>
                 <entry key-ref="ua_peano_registrar"           value="UA"/>
                 <entry key-ref="uk_ukf_registrar"             value="UK"/>
 
                 <!-- eduGAIN voting-only members -->
-                <entry key-ref="ar_mate_registrar"            value="AR"/>
-                <entry key-ref="by_febas_registrar"           value="BY"/>
+                <entry key-ref="bg_bif_registrar"             value="BG"/>
+                <entry key-ref="cy_cynet_registrar"           value="CY"/>
+                <entry key-ref="hk_hkaf_registrar"            value="HK"/>
                 <entry key-ref="it_gridp_registrar"           value="IT-GRIDP"/>
+                <entry key-ref="nz_tuakiri_registrar"         value="NZ"/>
+                <entry key-ref="tr_yetkim_registrar"          value="TR"/>
 
                 <!-- eduGAIN candidates -->
-                <entry key-ref="dz_arnaai_registrar"          value="DZ"/>
-                <entry key-ref="ug_rif_registrar"             value="UG"/>
+                <entry key-ref="cn_carsi_registrar"           value="CN"/>
+                <entry key-ref="lb_life_registrar"            value="LB"/>
+                <entry key-ref="mw_maren_registrar"           value="MW"/>
+                <entry key-ref="me_eduid_registrar"           value="ME"/>
+                <entry key-ref="mz_cafmoz_registrar"          value="MZ"/>
+                <entry key-ref="ru_fedurus_registrar"         value="RU"/>
+                <entry key-ref="rs_amres_registrar"           value="RS"/>
+                <entry key-ref="sk_safeid_registrar"          value="SK"/>
             </map>
         </property>
     </bean>
@@ -424,6 +464,21 @@
         </property>
     </bean>
 
+    <!--
+        warningAnnouncer
+
+        A pipeline stage that logs any warnings present,
+        but takes no action on them.
+    -->
+    <bean id="warningAnnouncer" parent="mda.StatusMetadataLoggingStage">
+        <property name="identificationStrategy" ref="identificationStrategy"/>
+        <property name="selectionRequirements">
+            <list>
+                <value>#{T(net.shibboleth.metadata.WarningStatus)}</value>
+            </list>
+        </property>
+    </bean>
+
     <!--
         warningAndErrorAnnouncer
 
@@ -1018,11 +1073,16 @@
                 <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
+                            <!-- Error on DSA keys. -->
+                            <bean p:id="DSA" parent="ukf.X509DSADetector"/>
+
                             <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean parent="mda.X509RSAKeyLengthValidator"
+                            <bean p:id="RSAKeyLength" parent="mda.X509RSAKeyLengthValidator"
                                 p:warningBoundary="0" p:errorBoundary="2048"/>
                             <!-- Error on small RSA public exponents. -->
-                            <bean parent="mda.X509RSAExponentValidator"/>
+                            <bean p:id="RSAExponent" parent="mda.X509RSAExponentValidator"/>
+                            <!-- Error on keys vulnerable to ROCA. -->
+                            <bean p:id="ROCA" parent="ukf.X509ROCAValidator"/>
 
                             <!--
                                 Debian weak key blacklists.
diff --git a/mdx/uk/README.md b/mdx/uk/README.md
index 88b4703b..d12e364b 100644
--- a/mdx/uk/README.md
+++ b/mdx/uk/README.md
@@ -28,7 +28,7 @@ before being included in the `export` version consumed by interfederation partne
 
 ### Export Preview Aggregate vs. Export Aggregate
 
-Status (2017-02-14):
+Status (2017-12-05):
 
 * These aggregates are currently identical.
 
@@ -59,13 +59,23 @@ when it appeared in the fallback aggregate, which would be too late to take corr
 
 ### Test Aggregate vs. Production Aggregate
 
-Status (2017-03-02):
+Status (2017-12-05):
 
-* These aggregates are currently identical.
+* The `test` aggregate does not include the `<UKFederationMember>` label (`ukf-meta#34`).
+
+* The `test` aggregate does not include the entity-level copy of the scopes for an
+  identity provider (`ukf-meta#49`) 
+
+### `cds-all` Aggregate vs. Production Aggregate
+
+Status (2017-12-05):
+
+* The `cdsall` aggregate omits many elements not necessary for the generation of a discovery feed.
+
+* Otherwise, these aggregates are currently identical.
 
 ### Fallback Aggregate vs. Production Aggregate
 
-Status (2017-03-14):
+Status (2018-01-08):
 
-* the production aggregate implements a _blacklisting_ approach to entity attributes imported from eduGAIN,
-while the production aggregate implements the traditional entity attribute _whitelist_. (2017-03-02)
+* These aggregates are currently identical.
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 22b88e63..30fd7d53 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -12,6 +12,68 @@
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
 
+
+    <!--
+        *****************************
+        ***                       ***
+        ***   U T I L I T I E S   ***
+        ***                       ***
+        *****************************
+    -->
+
+
+    <!--
+        uk_fix_mailto
+
+        Adds "mailto:" to md:EmailAddress elements which don't already have it.
+    -->
+    <bean id="uk_fix_mailto" parent="mda.XSLTransformationStage"
+        p:XSLResource="classpath:uk/fix_mailto.xsl"/>
+
+
+    <!--
+        uk_stripAdminContacts
+
+        Remove any md:ContactPerson elements with contactType of "administrative".
+    -->
+    <bean id="uk_stripAdminContacts" parent="mda.ContactPersonFilterStage">
+        <property name="designatedTypes">
+            <list>
+                <value>administrative</value>
+            </list>
+        </property>
+        <property name="whitelistingTypes" value="false"/>
+    </bean>
+
+
+    <!--
+        Populate UKId values from entities.
+    -->
+    <bean id="uk_populateIds" parent="ukf.EntityDescriptorUKIdPopulationStage"/>
+
+
+    <!--
+        UK federation named EntitiesDescriptor assembler pipeline stage.
+
+        Name attribute is set to the federation URI.  UK ordering is applied.
+    -->
+    <bean id="uk_assemble" parent="mda.EntitiesDescriptorAssemblerStage">
+        <property name="descriptorName" ref="uk_federation_uri"/>
+        <property name="itemOrderingStrategy">
+            <bean parent="ukf.UKEntityOrderingStrategy"/>
+        </property>
+    </bean>
+
+
+    <!--
+        ***********************************************
+        ***                                         ***
+        ***   A G G R E G A T E   H A N D L I N G   ***
+        ***                                         ***
+        ***********************************************
+    -->
+
+
     <!--
         Location of various resources.
     -->
@@ -102,26 +164,12 @@
 
 
     <!--
-        uk_fetchFragmentFiles
-
-        Collects all the UK metadata "fragment files" from the /entities directory.
-
-        Each fragment file contains a single EntityDescriptor.  The name of each
-        eligible file matches a particular regular expression.
+        *******************************************
+        ***                                     ***
+        ***   M E M B E R S   D O C U M E N T   ***
+        ***                                     ***
+        *******************************************
     -->
-    <bean id="uk_fetchFragmentFiles" parent="mda.DOMFilesystemSourceStage">
-        <property name="parserPool" ref="parserPool"/>
-        <property name="source">
-            <bean parent="File">
-                <constructor-arg value="${entities.dir}"/>
-            </bean>
-        </property>
-        <property name="sourceFileFilter">
-            <bean parent="ukf.RegexFileFilter">
-                <constructor-arg value="uk\d{6}.xml"/>
-            </bean>
-        </property>
-    </bean>
 
 
     <!--
@@ -161,12 +209,12 @@
 
 
     <!--
-        uk_fix_mailto
-
-        Adds "mailto:" to md:EmailAddress elements which don't already have it.
+        *************************************************
+        ***                                           ***
+        ***   U K f - S P E C I F I C   C H E C K S   ***
+        ***                                           ***
+        *************************************************
     -->
-    <bean id="uk_fix_mailto" parent="mda.XSLTransformationStage"
-        p:XSLResource="classpath:uk/fix_mailto.xsl"/>
 
 
     <!--
@@ -214,49 +262,68 @@
 
 
     <!--
-        uk_processFragment
+        check_uk_mdui_dn_en_match
 
-        This stage performs any standard cleanup required for UK federation fragment files.
+        If an IdP has both an OrganizationDisplayName in English, and an
+        mdui:DisplayName in English, they must be identical.
+
+        UKFTS 1.4 section 3.3
     -->
-    <bean id="uk_processFragment" parent="mda.XSLTransformationStage"
-        p:XSLResource="classpath:uk/fragment.xsl"/>
+    <bean id="check_uk_mdui_dn_en_match" parent="mda.XSLValidationStage"
+        p:XSLResource="classpath:uk/check_uk_mdui_dn_en_match.xsl"/>
 
 
     <!--
-        uk_stripAdminContacts
+        check_uk_mdui_dn_en_present
 
-        Remove any md:ContactPerson elements with contactType of "administrative".
+        If an entity has mdui:UIInfo, then that must include at least an
+        mdui:DisplayName with an English name.
     -->
-    <bean id="uk_stripAdminContacts" parent="mda.ContactPersonFilterStage">
-        <property name="designatedTypes">
-            <list>
-                <value>administrative</value>
-            </list>
-        </property>
-        <property name="whitelistingTypes" value="false"/>
-    </bean>
+    <bean id="check_uk_mdui_dn_en_present" parent="mda.XSLValidationStage"
+        p:XSLResource="classpath:uk/check_uk_mdui_dn_en_present.xsl"/>
 
 
     <!--
-        Populate UKId values from entities.
+        ***************************************
+        ***                                 ***
+        ***   F R A G M E N T   F I L E S   ***
+        ***                                 ***
+        ***************************************
     -->
-    <bean id="uk_populateIds" parent="ukf.EntityDescriptorUKIdPopulationStage"/>
 
 
     <!--
-        UK federation named EntitiesDescriptor assembler pipeline stage.
+        uk_processFragment
 
-        Name attribute is set to the federation URI.  UK ordering is applied.
+        This stage performs any standard cleanup required for UK federation fragment files.
     -->
-    <bean id="uk_assemble" parent="mda.EntitiesDescriptorAssemblerStage">
-        <property name="descriptorName" ref="uk_federation_uri"/>
-        <property name="itemOrderingStrategy">
-            <bean parent="ukf.UKEntityOrderingStrategy"/>
+    <bean id="uk_processFragment" parent="mda.XSLTransformationStage"
+        p:XSLResource="classpath:uk/fragment.xsl"/>
+
+
+    <!--
+        uk_fetchFragmentFiles
+
+        Collects all the UK metadata "fragment files" from the /entities directory.
+
+        Each fragment file contains a single EntityDescriptor.  The name of each
+        eligible file matches a particular regular expression.
+    -->
+    <bean id="uk_fetchFragmentFiles" parent="mda.DOMFilesystemSourceStage">
+        <property name="parserPool" ref="parserPool"/>
+        <property name="source">
+            <bean parent="File">
+                <constructor-arg value="${entities.dir}"/>
+            </bean>
+        </property>
+        <property name="sourceFileFilter">
+            <bean parent="ukf.RegexFileFilter">
+                <constructor-arg value="uk\d{6}.xml"/>
+            </bean>
         </property>
     </bean>
 
 
-
     <!--
         Fetch and process the registered entities as a collection.
     -->
@@ -294,20 +361,23 @@
                 <ref bean="check_uk_mdattr"/>
                 <ref bean="check_uk_mdrps"/>
                 <ref bean="check_uk_urlenc"/>
-                <ref bean="mdui_dn_en_present"/>
-                <ref bean="mdui_dn_en_match"/>
+                <ref bean="check_uk_mdui_dn_en_present"/>
+                <ref bean="check_uk_mdui_dn_en_match"/>
                 <ref bean="check_dup_display"/>
 
                 <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
+                            <!-- Error on DSA keys. -->
+                            <bean p:id="DSA" parent="ukf.X509DSADetector"/>
+
                             <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean parent="mda.X509RSAKeyLengthValidator"
+                            <bean p:id="RSAKeyLength" parent="mda.X509RSAKeyLengthValidator"
                                 p:warningBoundary="0" p:errorBoundary="2048"/>
                             <!-- Error on small RSA public exponents. -->
-                            <bean parent="mda.X509RSAExponentValidator"/>
-                            <!-- Error on inconsistent subjectAltNames. -->
-                            <bean parent="ukf.X509ConsistentNameValidator"/>
+                            <bean p:id="RSAExponent" parent="mda.X509RSAExponentValidator"/>
+                            <!-- Error on keys vulnerable to ROCA. -->
+                            <bean p:id="ROCA" parent="ukf.X509ROCAValidator"/>
 
                             <!--
                                 Debian weak key blacklists.
diff --git a/mdx/_rules/mdui_dn_en_match.xsl b/mdx/uk/check_uk_mdui_dn_en_match.xsl
similarity index 93%
rename from mdx/_rules/mdui_dn_en_match.xsl
rename to mdx/uk/check_uk_mdui_dn_en_match.xsl
index 7ecb8015..c2ad96d2 100644
--- a/mdx/_rules/mdui_dn_en_match.xsl
+++ b/mdx/uk/check_uk_mdui_dn_en_match.xsl
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    mdui_dn_en_match.xsl
+    check_uk_mdui_dn_en_match.xsl
 
     If an IdP has both an OrganizationDisplayName in English, and an
     mdui:DisplayName in English, they must be identical.
@@ -20,7 +20,7 @@
     <!--
         Common support functions.
     -->
-    <xsl:import href="check_framework.xsl"/>
+    <xsl:import href="../_rules/check_framework.xsl"/>
 
     <xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
         <xsl:variable name="mdui" select="md:IDPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName[@xml:lang='en']"/>
diff --git a/mdx/_rules/mdui_dn_en_present.xsl b/mdx/uk/check_uk_mdui_dn_en_present.xsl
similarity index 90%
rename from mdx/_rules/mdui_dn_en_present.xsl
rename to mdx/uk/check_uk_mdui_dn_en_present.xsl
index e5364e11..b8d11d36 100644
--- a/mdx/_rules/mdui_dn_en_present.xsl
+++ b/mdx/uk/check_uk_mdui_dn_en_present.xsl
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    mdui_dn_en_present.xsl
+    check_uk_mdui_dn_en_present.xsl
 
     If an entity has mdui:UIInfo, then that must include at least an
     mdui:DisplayName with an English name.
@@ -18,7 +18,7 @@
     <!--
         Common support functions.
     -->
-    <xsl:import href="check_framework.xsl"/>
+    <xsl:import href="../_rules/check_framework.xsl"/>
 
     <xsl:template match="mdui:UIInfo[not(mdui:DisplayName[@xml:lang='en'])]">
         <xsl:call-template name="error">
diff --git a/mdx/uk/final_tweak.xsl b/mdx/uk/final_tweak.xsl
index c52acc4c..76d4353a 100644
--- a/mdx/uk/final_tweak.xsl
+++ b/mdx/uk/final_tweak.xsl
@@ -44,30 +44,23 @@
         This parameter determines the number of days between the aggregation instant and the
         end of validity of the signed metadata.
     -->
-    <xsl:param name="validityDays" select="14"/>
+    <xsl:param name="validityDays"/>
 
     <xsl:variable name="now" select="date:date-time()"/>
-    <xsl:variable name="validUntil" select="mdxDates:dateAdd($now, $validityDays)"/>
     <xsl:variable name="normalisedNow" select="mdxDates:dateAdd($now, 0)"/>
 
-    <!--
-        Document root.
-    -->
-    <xsl:template match="/">
-        <xsl:call-template name="document.comment"/>
-        <xsl:apply-templates/>
-    </xsl:template>
-
     <!--
         Document element.
     -->
     <xsl:template match="/md:EntitiesDescriptor">
+        <xsl:call-template name="document.comment">
+            <xsl:with-param name="validUntil" select="@validUntil"/>
+        </xsl:call-template>
         <EntitiesDescriptor>
-            <xsl:attribute name="validUntil">
-                <xsl:value-of select="$validUntil"/>
-            </xsl:attribute>
             <xsl:apply-templates select="@*"/>
-            <xsl:call-template name="document.comment"/>
+            <xsl:call-template name="document.comment">
+                <xsl:with-param name="validUntil" select="@validUntil"/>
+            </xsl:call-template>
 
             <!--
                 Add an Extensions element if there isn't one, but we need one
@@ -92,6 +85,7 @@
         Comment to be added to the top of the document, and just inside the document element.
     -->
     <xsl:template name="document.comment">
+        <xsl:param name="validUntil"/>
         <xsl:text>&#10;</xsl:text>
         <xsl:comment>
             <xsl:text>&#10;&#9;U K   F E D E R A T I O N   M E T A D A T A&#10;</xsl:text>
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 0c679ef1..459f39d2 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -37,6 +37,19 @@
         *****************************
     -->
 
+    <!-- This bean MUST be called "conversionService" to work properly. -->
+    <bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean">
+        <property name="converters">
+            <set>
+                <bean class="net.shibboleth.ext.spring.config.DurationToLongConverter" />
+                <bean class="net.shibboleth.ext.spring.config.StringToIPRangeConverter" />
+                <bean class="net.shibboleth.ext.spring.config.BooleanToPredicateConverter" />
+                <bean class="net.shibboleth.ext.spring.config.StringBooleanToPredicateConverter" />
+                <bean class="net.shibboleth.ext.spring.config.StringToResourceConverter" />
+            </set>
+        </property>
+    </bean>
+
     <!--
         stripEntityScopes
 
@@ -53,11 +66,29 @@
         final tweaks on the document.
     -->
     <bean id="finalise_parent" abstract="true" parent="mda.XSLTransformationStage"
-        p:XSLResource="classpath:uk/final_tweak.xsl">
-        <property name="transformParameters">
-            <map>
-                <entry key="publisher" value-ref="uk_federation_uri"/>
-            </map>
+        p:XSLResource="classpath:uk/final_tweak.xsl"/>
+
+    <!--
+        assembleAggregate
+
+        Assemble a UK-style aggregate with an appropriate validUntil and ID.
+    -->
+    <bean id="assembleAggregate" parent="mda.CompositeStage">
+        <property name="composedStages">
+            <list>
+                <ref bean="uk_assemble"/>
+                <bean parent="mda.SetValidUntilStage" p:validityDuration="${validUntil.aggregate.duration}"/>
+                <!--
+                    setStaticID
+
+                    Set the item's ID attribute to the static string "_".
+                -->
+                <bean id="setStaticID" parent="mda.GenerateIdStage">
+                    <constructor-arg>
+                        <bean parent="ukf.FixedStringIdentifierGenerationStrategy" c:_="_"/>
+                    </constructor-arg>
+                </bean>
+            </list>
         </property>
     </bean>
 
@@ -80,17 +111,6 @@
         </property>
     </bean>
 
-    <!--
-        setStaticID
-
-        Set the item's ID attribute to the static string "_".
-    -->
-    <bean id="setStaticID" parent="mda.GenerateIdStage">
-        <constructor-arg>
-            <bean parent="ukf.FixedStringIdentifierGenerationStrategy" c:_="_"/>
-        </constructor-arg>
-    </bean>
-
 
     <!--
         *****************************************
@@ -257,6 +277,7 @@
         <property name="transformParameters">
             <map>
                 <entry key="publisher" value-ref="uk_federation_uri"/>
+                <entry key="validityDays" value="${validUntil.aggregate.days}"/>
             </map>
         </property>
     </bean>
@@ -279,9 +300,8 @@
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
 
-                <ref bean="uk_assemble"/>
+                <ref bean="assembleAggregate"/>
                 <ref bean="uk_finaliseProduction"/>
-                <ref bean="setStaticID"/>
                 <ref bean="uk_normaliseNamespaces"/>
 
                 <!-- production aggregate MUST pass publishability test -->
@@ -340,7 +360,7 @@
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
 
-                <ref bean="uk_assemble"/>
+                <ref bean="assembleAggregate"/>
 
                 <!--
                     Remove embedded images used in mdui:Logo elements.
@@ -351,7 +371,6 @@
 
                 <ref bean="stripMdattrNamespace"/>
                 <ref bean="uk_finaliseProduction"/>
-                <ref bean="setStaticID"/>
                 <ref bean="uk_normaliseNamespaces"/>
 
                 <!-- WAYF aggregate MUST pass publishability test -->
@@ -412,6 +431,7 @@
                 <entry key="extraText"
                     value="Central Discovery Service metadata; not for end entity use"/>
                 <entry key="publisher" value-ref="uk_federation_uri"/>
+                <entry key="validityDays" value="${validUntil.aggregate.days}"/>
             </map>
         </property>
     </bean>
@@ -456,7 +476,7 @@
                 <ref bean="errorTerminatingFilter"/>
 
                 <!-- make an aggregate first so that we're only traversing one item -->
-                <ref bean="uk_assemble"/>
+                <ref bean="assembleAggregate"/>
 
                 <!-- remove many things that the CDS doesn't look at -->
                 <ref bean="CDSStripUnwanted"/>
@@ -469,7 +489,6 @@
                 <ref bean="stripEmptyExtensions"/>
 
                 <ref bean="CDSFinalise"/>
-                <ref bean="setStaticID"/>
                 <ref bean="CDSNormaliseNamespaces"/>
 
                 <!-- schema validity check MUST pass -->
@@ -494,6 +513,7 @@
             <map>
                 <entry key="extraText" value="Feature fallback metadata; not for production use"/>
                 <entry key="publisher" value-ref="uk_federation_uri"/>
+                <entry key="validityDays" value="${validUntil.aggregate.days}"/>
             </map>
         </property>
     </bean>
@@ -519,10 +539,9 @@
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
 
-                <ref bean="uk_assemble"/>
+                <ref bean="assembleAggregate"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseFallback"/>
-                <ref bean="setStaticID"/>
                 <ref bean="uk_normaliseFallback"/>
 
                 <!-- fallback aggregate MUST pass publishability test -->
@@ -547,6 +566,7 @@
             <map>
                 <entry key="extraText" value="Feature test metadata; not for production use"/>
                 <entry key="publisher" value-ref="uk_federation_uri"/>
+                <entry key="validityDays" value="${validUntil.aggregate.days}"/>
             </map>
         </property>
     </bean>
@@ -573,10 +593,9 @@
                 <ref bean="errorTerminatingFilter"/>
 
                 <ref bean="uk_strip_UKFederationMember"/>
-                <ref bean="uk_assemble"/>
+                <ref bean="assembleAggregate"/>
                 <ref bean="stripEntityScopes"/>
                 <ref bean="uk_finaliseTest"/>
-                <ref bean="setStaticID"/>
                 <ref bean="uk_normaliseTest"/>
 
                 <!-- test aggregate MUST pass publishability test -->
@@ -601,6 +620,7 @@
             <map>
                 <entry key="extraText" value="Export metadata for use by partner federations"/>
                 <entry key="publisher" value-ref="uk_federation_uri"/>
+                <entry key="validityDays" value="${validUntil.aggregate.days}"/>
             </map>
         </property>
     </bean>
@@ -697,11 +717,10 @@
                 <ref bean="errorTerminatingFilter"/>
 
                 <ref bean="stripUkfedlabelNamespace"/>
-                <ref bean="uk_assemble"/>
+                <ref bean="assembleAggregate"/>
                 <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseExport"/>
-                <ref bean="setStaticID"/>
 
                 <bean id="uk_normaliseExport" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/ns_norm_export.xsl"/>
@@ -813,11 +832,10 @@
                 <ref bean="errorTerminatingFilter"/>
 
                 <ref bean="stripUkfedlabelNamespace"/>
-                <ref bean="uk_assemble"/>
+                <ref bean="assembleAggregate"/>
                 <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseExport"/>
-                <ref bean="setStaticID"/>
 
                 <bean id="uk_normaliseExportPreview" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/ns_norm_export_preview.xsl"/>
@@ -898,6 +916,15 @@
                 <ref bean="uk_stripAdminContacts"/>
                 <ref bean="stripEmptyExtensions"/>
 
+                <!--
+                    odn_to_mdui
+
+                    Ensure that beyond this point, all UKf-registered identity providers
+                    have mdui:DisplayName and mdui:Description elements.
+                -->
+                <bean id="odn_to_mdui" parent="mda.XSLTransformationStage"
+                    p:XSLResource="classpath:uk/odn_to_mdui.xsl"/>
+
                 <!--
                     ***********************************************
                     ***                                         ***
diff --git a/mdx/uk/import.xsl b/mdx/uk/import.xsl
index 900cd105..8c557668 100644
--- a/mdx/uk/import.xsl
+++ b/mdx/uk/import.xsl
@@ -316,6 +316,17 @@
     <xsl:template match="mdrpi:RegistrationInfo"/>
 
 
+    <!--
+        *************************************
+        ***                               ***
+        ***   X S I   N A M E S P A C E   ***
+        ***                               ***
+        *************************************
+    -->
+
+    <!-- Remove xsi:type from any entity attribute values. -->
+    <xsl:template match="saml:AttributeValue/@xsi:type"/>
+
     <!--
         *********************************************
         ***                                       ***
diff --git a/mdx/uk/mdq-multisign.xml b/mdx/uk/mdq-multisign.xml
index f97e91d3..bdd11292 100644
--- a/mdx/uk/mdq-multisign.xml
+++ b/mdx/uk/mdq-multisign.xml
@@ -54,6 +54,15 @@
                 <!-- Remove UKFederationLabel elements. -->
                 <ref bean="uk_strip_UKFederationMember"/>
 
+                <!--
+                    Remove xsi elements and attributes.
+
+                    In practice, this just cleans up the results we get in
+                    a development environment, as the normal UKf aggregate
+                    already excludes this namespace.
+                -->
+                <ref bean="stripXsiNamespace"/>
+
                 <!-- Break down into individual entities. -->
                 <ref bean="disassemble"/>
 
@@ -67,7 +76,7 @@
                     </constructor-arg>
                 </bean>
                 <bean parent="mda.SetCacheDurationStage" p:cacheDuration="PT6H"/>
-                <bean parent="mda.SetValidUntilStage" p:validityDuration="P14D"/>
+                <bean parent="mda.SetValidUntilStage" p:validityDuration="${validUntil.perEntity.duration}"/>
 
                 <!-- Identity transform fixes signing issues. -->
                 <bean parent="mda.XSLTransformationStage"
diff --git a/mdx/uk/odn_to_mdui.xsl b/mdx/uk/odn_to_mdui.xsl
new file mode 100644
index 00000000..6512cb8b
--- /dev/null
+++ b/mdx/uk/odn_to_mdui.xsl
@@ -0,0 +1,114 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    odn_to_mdui.xsl
+
+    If an identity provider does not have at least one MDUI-based discovery
+    name, give it mdui:DisplayName and mdui:Description by copying data from
+    its md:OrganizationDisplayName.
+
+    This transform will only be applied to UKf-registered entities.
+
+    This allows us to assume:
+
+    * The entity will have an md:Organization and therefore (by schema)
+      at least one md:OrganizationDisplayName
+
+    * It will either not have an mdui:UIInfo at all, or will have one
+      with at least one mdui:DisplayName. This means we don't need to
+      handle the case of filling in a partial mdui:UIInfo container,
+      and can always create one from scratch.
+
+    * The entity's md:IDPSSODescriptor has an md:Extensions element,
+      because UKf-registered IdPs are required to have
+      at least one shibmd:Scope element.
+
+-->
+<xsl:stylesheet version="1.0"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+
+    <!--
+        Match the md:IDPSSODescriptor/md:Extensions element of an identity provider
+        which does not have mdui:UIInfo.
+
+        We must fabricate the mdui:UIInfo as well as the mdui:DisplayName and
+        mdui:Description elements.
+    -->
+    <xsl:template match="/md:EntityDescriptor/md:IDPSSODescriptor/md:Extensions[not(mdui:UIInfo)]">
+        <xsl:variable name="odns" select="../../md:Organization/md:OrganizationDisplayName"/>
+        <xsl:copy>
+            <xsl:text>&#10;&#9;&#9;&#9;</xsl:text>
+            <mdui:UIInfo>
+                <xsl:call-template name="generateDisplayNames">
+                    <xsl:with-param name="odns" select="$odns"/>
+                </xsl:call-template>
+                <xsl:text>&#10;&#9;&#9;&#9;</xsl:text>
+            </mdui:UIInfo>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <!--
+        Make a new mdui:DisplayName and mdui:Description for each of the
+        md:OrganizationDisplayName elements in the $odns parameter.
+
+        Each of the new elements copies the value and xml:lang attribute of
+        the md:OrganizationDisplayName, and is indented appropriately to
+        appearing at the start of the enclosing mdui:UIInfo.
+    -->
+    <xsl:template name="generateDisplayNames">
+        <xsl:param name="odns"/>
+        <!-- Generate mdui:DisplayName elements. -->
+        <xsl:for-each select="$odns">
+            <xsl:text>&#10;&#9;&#9;&#9;&#9;</xsl:text>
+            <mdui:DisplayName>
+                <xsl:attribute name="xml:lang">
+                    <xsl:value-of select="@xml:lang"/>
+                </xsl:attribute>
+                <xsl:value-of select="."/>
+            </mdui:DisplayName>
+        </xsl:for-each>
+        <!-- Generate mdui:Description elements. -->
+        <xsl:for-each select="$odns">
+            <xsl:text>&#10;&#9;&#9;&#9;&#9;</xsl:text>
+            <mdui:Description>
+                <xsl:attribute name="xml:lang">
+                    <xsl:value-of select="@xml:lang"/>
+                </xsl:attribute>
+                <xsl:value-of select="."/>
+            </mdui:Description>
+        </xsl:for-each>
+    </xsl:template>
+
+
+    <!--
+        *********************************************
+        ***                                       ***
+        ***   D E F A U L T   T E M P L A T E S   ***
+        ***                                       ***
+        *********************************************
+    -->
+
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/uk/statistics-charting.xsl b/mdx/uk/statistics-charting.xsl
index c8cf91fe..abebbcef 100644
--- a/mdx/uk/statistics-charting.xsl
+++ b/mdx/uk/statistics-charting.xsl
@@ -144,7 +144,7 @@
 
             <xsl:variable name="charting.sps.algsupport" select="$sps[descendant::alg:* or descendant::md:EncryptionMethod]"/>
             <xsl:variable name="charting.sps.algsupport.count" select="count($charting.sps.algsupport)"/>
-            <xsl:text>Algorithm support:</xsl:text>
+            <xsl:text>Algorithm support: </xsl:text>
             <xsl:value-of select="format-number($charting.sps.algsupport.count div $spCount, '0.00%')"/>
             <xsl:text> of SP entities</xsl:text>
             <xsl:text>&#10;</xsl:text>
@@ -207,6 +207,37 @@
                 <xsl:with-param name="entities" select="$nosaml2.idps"/>
             </xsl:call-template>
 
+            <!-- MDUI statistics -->
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:variable name="entities.mdui" select="$entities[descendant::mdui:UIInfo]"/>
+            <xsl:variable name="entities.mdui.count" select="count($entities.mdui)"/>
+            <xsl:text>Entities with mdui:UIInfo: </xsl:text>
+            <xsl:value-of select="$entities.mdui.count"/>
+            <xsl:text> (</xsl:text>
+            <xsl:value-of select="format-number($entities.mdui.count div $entityCount, '0.0%')"/>
+            <xsl:text>)</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:variable name="idps.mdui" select="$idps[descendant::mdui:UIInfo]"/>
+            <xsl:variable name="idps.mdui.count" select="count($idps.mdui)"/>
+            <xsl:text>IdPs with mdui:UIInfo: </xsl:text>
+            <xsl:value-of select="$idps.mdui.count"/>
+            <xsl:text> (</xsl:text>
+            <xsl:value-of select="format-number($idps.mdui.count div $idpCount, '0.0%')"/>
+            <xsl:text>)</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:variable name="sps.mdui" select="$sps[descendant::mdui:UIInfo]"/>
+            <xsl:variable name="sps.mdui.count" select="count($sps.mdui)"/>
+            <xsl:text>SPs with mdui:UIInfo: </xsl:text>
+            <xsl:value-of select="$sps.mdui.count"/>
+            <xsl:text> (</xsl:text>
+            <xsl:value-of select="format-number($sps.mdui.count div $spCount, '0.0%')"/>
+            <xsl:text>)</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:text>&#10;</xsl:text>
         </pre>
     </xsl:template>
 
diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
index cfed773c..c5a88d82 100644
--- a/mdx/uk/verbs.xml
+++ b/mdx/uk/verbs.xml
@@ -259,6 +259,32 @@
                 <ref bean="fetchImportMetadata"/>
                 <ref bean="populateItemIds"/>
 
+                <!--
+                    Strip all elements and attributes that are in namespaces
+                    we don't accept from registrants.
+                -->
+                <bean id="whitelistImportedNamespaces" parent="mda.NamespacesStrippingStage"
+                    p:whitelisting="true">
+                    <property name="namespaces">
+                        <set>
+                            <ref bean="alg_namespace"/>
+                            <ref bean="ds_namespace"/>
+                            <ref bean="hoksso_namespace"/>
+                            <ref bean="idpdisc_namespace"/>
+                            <ref bean="init_namespace"/>
+                            <ref bean="md_namespace"/>
+                            <ref bean="mdattr_namespace"/>
+                            <ref bean="mdrpi_namespace"/>
+                            <ref bean="mdui_namespace"/>
+                            <ref bean="remd_namespace"/>
+                            <ref bean="saml_namespace"/>
+                            <ref bean="shibmd_namespace"/>
+                            <ref bean="xenc_namespace"/>
+                            <ref bean="xml_namespace"/>
+                        </set>
+                    </property>
+                </bean>
+
                 <!-- perform schema validation and stop immediately if this fails -->
                 <ref bean="checkSchemas"/>
                 <ref bean="errorTerminatingFilter"/>
@@ -309,13 +335,16 @@
                 <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
+                            <!-- Error on DSA keys. -->
+                            <bean p:id="DSA" parent="ukf.X509DSADetector"/>
+
                             <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean parent="mda.X509RSAKeyLengthValidator"
+                            <bean p:id="RSAKeyLength" parent="mda.X509RSAKeyLengthValidator"
                                 p:warningBoundary="0" p:errorBoundary="2048"/>
                             <!-- Error on small RSA public exponents. -->
-                            <bean parent="mda.X509RSAExponentValidator"/>
-                            <!-- Error on inconsistent subjectAltNames. -->
-                            <bean parent="ukf.X509ConsistentNameValidator"/>
+                            <bean p:id="RSAExponent" parent="mda.X509RSAExponentValidator"/>
+                            <!-- Error on keys vulnerable to ROCA. -->
+                            <bean p:id="ROCA" parent="ukf.X509ROCAValidator"/>
 
                             <!--
                                 Debian weak key blacklists.
@@ -342,6 +371,9 @@
                 <ref bean="check_vhosts"/>
                 <ref bean="errorTerminatingFilter"/>
 
+                <!-- If there are no errors, log any warnings. -->
+                <ref bean="warningAnnouncer"/>
+
                 <!-- write output file -->
                 <ref bean="serializeImportedMetadata"/>
             </list>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index f7ed527f..980bd328 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -220,36 +220,10 @@
     <bean id="check_mdui_xslt" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_mdui.xsl"/>
 
-    <!--
-        mdui_dn_en_match
-
-        If an IdP has both an OrganizationDisplayName in English, and an
-        mdui:DisplayName in English, they must be identical.
-
-        UKFTS 1.4 section 3.3
-    -->
-    <bean id="mdui_dn_en_match" parent="mda.XSLValidationStage"
-        p:XSLResource="classpath:_rules/mdui_dn_en_match.xsl"/>
-
-    <!--
-        mdui_dn_en_present
-
-        If an entity has mdui:UIInfo, then that must include at least an
-        mdui:DisplayName with an English name.
-    -->
-    <bean id="mdui_dn_en_present" parent="mda.XSLValidationStage"
-        p:XSLResource="classpath:_rules/mdui_dn_en_present.xsl"/>
-
     <!--
         check_mdui
 
         Composite check for the MDUI specification.
-
-        Omitted the following, which are only applied to
-        UK-registered metadata:
-
-            mdui_dn_en_present
-            mdui_dn_en_match
     -->
     <bean id="check_mdui" parent="mda.CompositeStage">
         <property name="composedStages">
diff --git a/preprod.properties b/preprod.properties
index ef97e089..75d6c668 100644
--- a/preprod.properties
+++ b/preprod.properties
@@ -46,3 +46,10 @@ md.dist.path.name=/
 #
 mdq.dist.name=mdq-test.ukfederation.org.uk
 mdq.cache=mdqcache-test.tar.gz
+
+#
+# Preprod T&I CDI uses different settings for temp location and
+#
+cdi-master.temploc.name=/tmp/legacy-ukf-test
+cdi-master.md.path.name=/legacy-ukf-test-md/
+cdi-master.mdq.path.name=/legacy-ukf-test-mdq/
diff --git a/tools/ukf-mda/ukf-mda-0.9.5.jar b/tools/ukf-mda/ukf-mda-0.9.5.jar
deleted file mode 100644
index de2941e6..00000000
Binary files a/tools/ukf-mda/ukf-mda-0.9.5.jar and /dev/null differ
diff --git a/tools/ukf-mda/ukf-mda-0.9.8.jar b/tools/ukf-mda/ukf-mda-0.9.8.jar
new file mode 100644
index 00000000..7e672883
Binary files /dev/null and b/tools/ukf-mda/ukf-mda-0.9.8.jar differ
diff --git a/utilities/addresses.pl b/utilities/addresses.pl
index 1c9772d5..bc605208 100755
--- a/utilities/addresses.pl
+++ b/utilities/addresses.pl
@@ -1,8 +1,5 @@
 #!/usr/bin/perl
 
-use lib "../build";
-use Xalan;
-
 #
 # Load extra addresses.
 #
@@ -24,7 +21,7 @@
 #
 # UK addresses
 #
-open(XML, xalanCall . " -IN ../mdx/uk/collected.xml -XSL ../build/extract_addresses.xsl|") || die "could not open input file";
+open(XML, "xsltproc ../build/extract_addresses.xsl ../mdx/uk/collected.xml|") || die "could not open input file";
 while (<XML>) {
 	if (/<EmailAddress>(mailto:)?(.*)<\/EmailAddress>/) {
 		$metadata{$2} = 1;
diff --git a/utilities/check_embedded.pl b/utilities/check_embedded.pl
index 6919014b..f630b871 100755
--- a/utilities/check_embedded.pl
+++ b/utilities/check_embedded.pl
@@ -32,20 +32,20 @@
 my $longExpiredDays = 30*3; # about three months
 
 sub error {
-	my($s) = @_;
-	push(@olines, '   *** ' . $s . ' ***');
-	$printme = 1;
+    my($s) = @_;
+    push(@olines, '   *** ' . $s . ' ***');
+    $printme = 1;
 }
 
 sub warning {
-	my ($s) = @_;
-	push(@olines, '   ' . $s);
-	$printme = 1;
+    my ($s) = @_;
+    push(@olines, '   ' . $s);
+    $printme = 1;
 }
 
 sub comment {
-	my($s) = @_;
-	push(@olines, '   (' . $s . ')');
+    my($s) = @_;
+    push(@olines, '   (' . $s . ')');
 }
 
 #
@@ -105,211 +105,211 @@ sub comment {
 
 while (<>) {
 
-	#
-	# Discard blank lines.
-	#
-	next if /^\s*$/;
-
-	#
-	# Handle Entity/KeyName header line.
-	#
-	if (/^Entity:/) {
-		@olines = ();
-		$printme = 0;
-		@args = split;
-		$entity = $args[1];
-		$keyname = $args[3];
-
-		#
-		# Tidy entity ID if it includes a UK ID as well.
-		#
-		if ($entity =~ /^\[(.+)\](.+)$/) {
-			$entity = $2 . ' (' . $1 . ')';
-		}
-
-		#
-		# Output header line.
-		#
-		$oline = "Entity $entity";
-		$hasKeyName = !($keyname eq '(none)');
-		push(@olines, $oline);
-		if ($hasKeyName) {
-			error("descriptor has unexpected KeyName $keyname");
-		}
-
-		#
-		# Start building a new blob.
-		#
-		# The blob contains the entity name, so de-duplication
-		# only occurs within a particular entity and not across
-		# entities.
-		#
-		$blob = $oline;
-
-		#
-		# Create a temporary file for this certificate in PEM format.
-		#
-		($fh, $filename) = tempfile(UNLINK => 1);
-		#print "temp file is: $filename\n";
-
-		# do not buffer output to the temporary file
-		select((select($fh), $|=1)[0]);
-		next;
-	}
-
-	#
-	# Put other lines into a temporary file.
-	#
-	print $fh $_;
-	$blob .= '|' . $_;
-
-	#
-	# If this is the last line of the certificate, actually do
-	# something with it.
-	#
-	if (/END CERTIFICATE/) {
-		#
-		# Have we seen this blob before?  If so, close (and delete) the
-		# temporary file, and go and look for a new certificate to process.
-		#
-		$total_certs++;
-		if (defined($blobs{$blob})) {
-			# print "skipping a blob\n";
-			close $fh;
-			next;
-		}
-
-		#
-		# Otherwise, remember this blob so that we won't process it again.
-		#
-		$blobs{$blob} = 1;
-		$distinct_certs++;
-
-		#
-		# Don't close the temporary file yet, because that would cause it
-		# to be deleted.  We've already arranged for buffering to be
-		# disabled, so the file can simply be passed to other applications
-		# as input, perhaps multiple times.
-		#
-
-		#
-		# Collection of names this certificate contains
-		#
-		my %names;
-
-		#
-		# Use openssl to convert the certificate to text
-		#
-		my(@lines, $subject, $issuer, $subjectCN, $issuerCN, $fingerprint);
-		$cmd = "openssl x509 -in $filename -noout -text -nameopt RFC2253 -modulus -fingerprint|";
-		open(SSL, $cmd) || die "could not open openssl subcommand";
-		while (<SSL>) {
-			push @lines, $_;
-
-			if (/^\s*Issuer:\s*(.*)$/) {
-				$issuer = $1;
-				if ($issuer =~ /CN=([^,]+)/) {
-					$issuerCN = $1;
-				} elsif ($issuer =~ /,OU=VeriSign International Server CA - Class 3,/) {
-					$issuerCN = 'VeriSign International Server CA - Class 3';
-				} else {
-					$issuerCN = $issuer;
-				}
-				next;
-			}
-
-			if (/^\s*Subject:\s*(.*)$/) {
-				$subject = $1;
-				if ($subject =~ /CN=([^,]+)/) {
-					$subjectCN = $1;
-					$names{lc $subjectCN}++;
-				} else {
-					$subjectCN = $1;
-				}
-				next;
-			}
-
-			#
-			# Extract the certificate fingerprint.
-			#
-			if (/^\s*SHA1 Fingerprint=(.+)$/) {
-				$fingerprint = uc $1;
-				if (defined($expiry_whitelist{$fingerprint})) {
-					$expiry_whitelist{$fingerprint} = 'used';
-				}
-			}
-
-			#
-			# Extract the public key size.  This is displayed differently
-			# in different versions of OpenSSL.
-			#
-			if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
-				$pubSize = $1;
-				next;
-			} elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
-				$pubSize = $1;
-				next;
-			}
-
-			if (/Not After : (.*)$/) {
-				$notAfter = $1;
-				$notAfterTime = str2time($notAfter);
-
-				#
-				# Track certificate expiry year in a way that doesn't
-				# involve Unix epoch overflow.
-				#
-				if ($notAfter =~ /(\d\d\d\d)/) {
-					my $year = $1;
-					if ($year > $maxYear) {
-						$maxYear = $year;
-					}
-					if ($year >= 2038) {
-						$num2038++;
-					}
-				}
-
-				#
-				# Track most distant notAfter.
-				#
-				if ($notAfterTime > $lastNotAfterTime) {
-					$lastNotAfter = $notAfter;
-					$lastNotAfterTime = $notAfterTime;
-					$lastNotAfterEntity = $entity;
-				}
-
-				$days = ($notAfterTime-time())/86400.0;
-				next;
-			}
-
-			#
-			# subjectAlternativeName
-			#
-			if (/X509v3 Subject Alternative Name:/) {
-				#
-				# Steal the next line, which will look like this:
-				#
-				#    DNS:www.example.co.uk, DNS:example.co.uk, URI:http://example.co.uk/
-				#
-				my $next = <SSL>;
-
-				#
-				# Make an array of components, each something like "DNS:example.co.uk"
-				#
-				$next =~ s/\s*//g;
-				my @altNames = split /\s*,\s*/, $next;
-				# my $altSet = "{" . join(", ", @altNames) . "}";
-				# print "Alt set: $altSet\n";
-
-				#
-				# Each "DNS" component is an additional name for this certificate.
-				#
-				while (@altNames) {
-					my ($type, $altName) = split(":", pop @altNames);
-					$names{lc $altName}++ if $type eq 'DNS';
-				}
-				next;
-			}
+    #
+    # Discard blank lines.
+    #
+    next if /^\s*$/;
+
+    #
+    # Handle Entity/KeyName header line.
+    #
+    if (/^Entity:/) {
+        @olines = ();
+        $printme = 0;
+        @args = split;
+        $entity = $args[1];
+        $keyname = $args[3];
+
+        #
+        # Tidy entity ID if it includes a UK ID as well.
+        #
+        if ($entity =~ /^\[(.+)\](.+)$/) {
+            $entity = $2 . ' (' . $1 . ')';
+        }
+
+        #
+        # Output header line.
+        #
+        $oline = "Entity $entity";
+        $hasKeyName = !($keyname eq '(none)');
+        push(@olines, $oline);
+        if ($hasKeyName) {
+            error("descriptor has unexpected KeyName $keyname");
+        }
+
+        #
+        # Start building a new blob.
+        #
+        # The blob contains the entity name, so de-duplication
+        # only occurs within a particular entity and not across
+        # entities.
+        #
+        $blob = $oline;
+
+        #
+        # Create a temporary file for this certificate in PEM format.
+        #
+        ($fh, $filename) = tempfile(UNLINK => 1);
+        #print "temp file is: $filename\n";
+
+        # do not buffer output to the temporary file
+        select((select($fh), $|=1)[0]);
+        next;
+    }
+
+    #
+    # Put other lines into a temporary file.
+    #
+    print $fh $_;
+    $blob .= '|' . $_;
+
+    #
+    # If this is the last line of the certificate, actually do
+    # something with it.
+    #
+    if (/END CERTIFICATE/) {
+        #
+        # Have we seen this blob before?  If so, close (and delete) the
+        # temporary file, and go and look for a new certificate to process.
+        #
+        $total_certs++;
+        if (defined($blobs{$blob})) {
+            # print "skipping a blob\n";
+            close $fh;
+            next;
+        }
+
+        #
+        # Otherwise, remember this blob so that we won't process it again.
+        #
+        $blobs{$blob} = 1;
+        $distinct_certs++;
+
+        #
+        # Don't close the temporary file yet, because that would cause it
+        # to be deleted.  We've already arranged for buffering to be
+        # disabled, so the file can simply be passed to other applications
+        # as input, perhaps multiple times.
+        #
+
+        #
+        # Collection of names this certificate contains
+        #
+        my %names;
+
+        #
+        # Use openssl to convert the certificate to text
+        #
+        my(@lines, $subject, $issuer, $subjectCN, $issuerCN, $fingerprint);
+        $cmd = "openssl x509 -in $filename -noout -text -nameopt RFC2253 -modulus -fingerprint|";
+        open(SSL, $cmd) || die "could not open openssl subcommand";
+        while (<SSL>) {
+            push @lines, $_;
+
+            if (/^\s*Issuer:\s*(.*)$/) {
+                $issuer = $1;
+                if ($issuer =~ /CN=([^,]+)/) {
+                    $issuerCN = $1;
+                } elsif ($issuer =~ /,OU=VeriSign International Server CA - Class 3,/) {
+                    $issuerCN = 'VeriSign International Server CA - Class 3';
+                } else {
+                    $issuerCN = $issuer;
+                }
+                next;
+            }
+
+            if (/^\s*Subject:\s*(.*)$/) {
+                $subject = $1;
+                if ($subject =~ /CN=([^,]+)/) {
+                    $subjectCN = $1;
+                    $names{lc $subjectCN}++;
+                } else {
+                    $subjectCN = $1;
+                }
+                next;
+            }
+
+            #
+            # Extract the certificate fingerprint.
+            #
+            if (/^\s*SHA1 Fingerprint=(.+)$/) {
+                $fingerprint = uc $1;
+                if (defined($expiry_whitelist{$fingerprint})) {
+                    $expiry_whitelist{$fingerprint} = 'used';
+                }
+            }
+
+            #
+            # Extract the public key size.  This is displayed differently
+            # in different versions of OpenSSL.
+            #
+            if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
+                $pubSize = $1;
+                next;
+            } elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
+                $pubSize = $1;
+                next;
+            }
+
+            if (/Not After : (.*)$/) {
+                $notAfter = $1;
+                $notAfterTime = str2time($notAfter);
+
+                #
+                # Track certificate expiry year in a way that doesn't
+                # involve Unix epoch overflow.
+                #
+                if ($notAfter =~ /(\d\d\d\d)/) {
+                    my $year = $1;
+                    if ($year > $maxYear) {
+                        $maxYear = $year;
+                    }
+                    if ($year >= 2038) {
+                        $num2038++;
+                    }
+                }
+
+                #
+                # Track most distant notAfter.
+                #
+                if ($notAfterTime > $lastNotAfterTime) {
+                    $lastNotAfter = $notAfter;
+                    $lastNotAfterTime = $notAfterTime;
+                    $lastNotAfterEntity = $entity;
+                }
+
+                $days = ($notAfterTime-time())/86400.0;
+                next;
+            }
+
+            #
+            # subjectAlternativeName
+            #
+            if (/X509v3 Subject Alternative Name:/) {
+                #
+                # Steal the next line, which will look like this:
+                #
+                #    DNS:www.example.co.uk, DNS:example.co.uk, URI:http://example.co.uk/
+                #
+                my $next = <SSL>;
+
+                #
+                # Make an array of components, each something like "DNS:example.co.uk"
+                #
+                $next =~ s/\s*//g;
+                my @altNames = split /\s*,\s*/, $next;
+                # my $altSet = "{" . join(", ", @altNames) . "}";
+                # print "Alt set: $altSet\n";
+
+                #
+                # Each "DNS" component is an additional name for this certificate.
+                #
+                while (@altNames) {
+                    my ($type, $altName) = split(":", pop @altNames);
+                    $names{lc $altName}++ if $type eq 'DNS';
+                }
+                next;
+            }
 
             #
             # Track distinct RSA moduli
@@ -319,114 +319,118 @@ sub comment {
                 # print "   modulus: '$modulus'\n";
                 $rsa_modulus{$modulus} = 1;
             }
-		}
-		close SSL;
-		#print "   text lines: $#lines\n";
-
-		#
-		# Deal with certificate expiry.
-		#
-		if ($days < -$longExpiredDays) {
-			my $d = floor(-$days);
-			if (defined($expiry_whitelist{$fingerprint})) {
-				comment("EXPIRED LONG AGO ($d days; $notAfter)");
-			} else {
-				error("EXPIRED LONG AGO ($d days; $notAfter)");
-				comment("fingerprint $fingerprint");
-			}
-		} elsif ($days < 0) {
-			if (defined($expiry_whitelist{$fingerprint})) {
-				comment("EXPIRED ($notAfter)");
-			} else {
-				error("EXPIRED ($notAfter)");
-				comment("fingerprint $fingerprint");
-			}
-		} elsif ($days < $daysBeforeError) {
-			$days = int($days);
-			error("expires in $days days ($notAfter)");
-		} elsif ($days < $daysBeforeWarning) {
-			$days = int($days);
-			warning("expires in $days days ($notAfter)");
-		}
-
-
-		#
-		# Handle public key size.
-		#
-		$pubSizeCount{$pubSize}++;
-		# print "   Public key size: $pubSize\n";
-
-		#
-		# Close the temporary file, which will also cause
-		# it to be deleted.
-		#
-		close $fh;
-
-		#
-		# Count issuers.
-		#
-		if ($issuer eq $subject) {
-			$issuers{'(self-signed certificate)'}++;
-		} else {
-			$issuers{'Other'}++;
-		}
-
-		#
-		# Print any interesting things related to this certificate.
-		#
-		if ($printme) {
-			foreach $oline (@olines) {
-				print $oline, "\n";
-			}
-			print "\n";
-		}
-
-	}
+        }
+        close SSL;
+        #print "   text lines: $#lines\n";
+
+        #
+        # Deal with certificate expiry.
+        #
+        if ($days < -$longExpiredDays) {
+            my $d = floor(-$days);
+            if (defined($expiry_whitelist{$fingerprint})) {
+                comment("EXPIRED LONG AGO ($d days; $notAfter)");
+            } else {
+                error("EXPIRED LONG AGO ($d days; $notAfter)");
+                comment("fingerprint $fingerprint");
+            }
+        } elsif ($days < 0) {
+            if (defined($expiry_whitelist{$fingerprint})) {
+                comment("EXPIRED ($notAfter)");
+            } else {
+                error("EXPIRED ($notAfter)");
+                comment("fingerprint $fingerprint");
+            }
+        } elsif ($days < $daysBeforeError) {
+            $days = int($days);
+            error("expires in $days days ($notAfter)");
+        } elsif ($days < $daysBeforeWarning) {
+            $days = int($days);
+            warning("expires in $days days ($notAfter)");
+        }
+
+
+        #
+        # Handle public key size.
+        #
+        $pubSizeCount{$pubSize}++;
+        # print "   Public key size: $pubSize\n";
+
+        #
+        # Close the temporary file, which will also cause
+        # it to be deleted.
+        #
+        close $fh;
+
+        #
+        # Count issuers.
+        #
+        if ($issuer eq $subject) {
+            $issuers{'(self-signed certificate)'}++;
+        } else {
+            $issuers{'Other'}++;
+        }
+
+        #
+        # Print any interesting things related to this certificate.
+        #
+        if ($printme) {
+            foreach $oline (@olines) {
+                print $oline, "\n";
+            }
+            print "\n";
+        }
+
+    }
 }
 
 if ($distinct_certs > 1) {
-	print "Total certificates: $total_certs\n";
-	if ($distinct_certs != $total_certs) {
-		print "Distinct certificate/entity combinations: $distinct_certs\n";
-	}
-	print "\n";
-
-	print "Key size distribution:\n";
-	for $pubSize (sort keys %pubSizeCount) {
-		$count = $pubSizeCount{$pubSize};
-		print "   $pubSize: $count\n";
-	}
-	print "\n";
-
-	print "Most distant certificate expiry: $lastNotAfter on $lastNotAfterEntity\n";
-	print "Maximum certificate expiry year: $maxYear\n";
-	if ($num2038 > 0) {
-		print "Certificates expiring during or after 2038: $num2038\n";
-	}
-	print "\n";
-
-	print "Certificate issuers:\n";
-	foreach $issuer (sort keys %issuers) {
-		my $count = $issuers{$issuer};
-		my $mark = $issuerMark{$issuer} ? $issuerMark{$issuer}: ' ';
-		print " $mark $issuer: $count\n";
-	}
-	print "\n";
+    print "Total certificates: $total_certs\n";
+    if ($distinct_certs != $total_certs) {
+        print "Distinct certificate/entity combinations: $distinct_certs\n";
+    }
+    print "\n";
+
+    print "Key size distribution:\n";
+    for $pubSize (sort keys %pubSizeCount) {
+        $count = $pubSizeCount{$pubSize};
+        print "   $pubSize: $count\n";
+    }
+    print "\n";
+
+    print "Most distant certificate expiry: $lastNotAfter on $lastNotAfterEntity\n";
+    print "Maximum certificate expiry year: $maxYear\n";
+    if ($num2038 > 0) {
+        print "Certificates expiring during or after 2038: $num2038\n";
+    }
+    print "\n";
+
+    print "Certificate issuers:\n";
+    foreach $issuer (sort keys %issuers) {
+        my $count = $issuers{$issuer};
+        my $mark = $issuerMark{$issuer} ? $issuerMark{$issuer}: ' ';
+        print " $mark $issuer: $count\n";
+    }
+    print "\n";
 
     $distinct_moduli = scalar keys %rsa_modulus;
     if ($distinct_moduli > 1) {
         print "Distinct RSA moduli: $distinct_moduli\n";
     }
 
-	my $first = 1;
-	foreach $fingerprint (sort keys %expiry_whitelist) {
-		if ($expiry_whitelist{$fingerprint} eq 'unused') {
-			if ($first) {
-				$first = 0;
-				print "\n";
-				print "Unused expiry whitelist fingerprints:\n";
-			}
-			print "   $fingerprint\n";
-		}
-	}
+    if (%expiry_whitelist) {
+        print "\n";
+        my $nwhite = scalar(keys(%expiry_whitelist));
+        print "Expiry whitelist size: $nwhite\n";
+    }
+    my $first = 1;
+    foreach $fingerprint (sort keys %expiry_whitelist) {
+        if ($expiry_whitelist{$fingerprint} eq 'unused') {
+            if ($first) {
+                $first = 0;
+                print "Unused expiry whitelist fingerprints:\n";
+            }
+            print "   $fingerprint\n";
+        }
+    }
 }
diff --git a/utilities/contacts-from-sf.sh b/utilities/contacts-from-sf.sh
new file mode 100755
index 00000000..18fb219e
--- /dev/null
+++ b/utilities/contacts-from-sf.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+# This script processes a Salesforce report "UKfed-contacts-export" which lists all contacts with
+# UK Federation Contact Roles and their corresponding Jisc Organisation ID (ukforg) and Organisation Name
+#
+# The current report can be found here https://eu3.salesforce.com/00Ow0000007MXhK, it needs to be exported as a CSV file
+# which ends up as 'reportnnnnnnnnnnnnn.csv'
+#
+# The input to the script is the above CSV file.
+#
+# The output of the script is as follows;
+#
+# * A copy of the Salesforce report in $CSVDEST
+# * A list of Management Contact email addresses in $MGMTDEST
+# * A list of all contact email addresses in $CONTACTDEST
+#
+# To use this script please follow the process here;
+#
+# https://repo.infr.ukfederation.org.uk/ukf/ukf-systems/wikis/HOW-to-process-UKfed-contacts-export-report
+#
+# Author: Jon Agland <jon.agland@jisc.ac.uk>
+#
+
+SFREPORTNAME="UKfed-contacts-export"
+CSVDEST=../../ukf-data/contacts/sf-contacts.csv
+CONTACTDEST=../../ukf-data/contacts/sf-contacts.txt
+MGMTDEST=../../ukf-data/contacts/sf-contacts-mc.txt
+
+if [ -z "$1" ]; then
+     echo "ERROR: No file name supplied"
+     exit 1
+fi
+
+if [ ! -f "$1" ]; then
+     echo "ERROR: file $1 does not exist"
+     exit 1
+fi
+
+if ! grep -q \"$SFREPORTNAME\" $1; then
+     echo "ERROR: this doesn't appear to be the output of $SFREPORTNAME"
+     exit 2
+fi
+
+cat $1 | awk -F\, '{ print $1 }' | grep @ | sed -e 's/\"//g' | sort -u  > $CONTACTDEST
+grep "\,\"UK Federation Management Contact\"" $1 | awk -F\, '{ print $1 }' | grep @ | sed -e 's/\"//g' | sort -u  > $MGMTDEST
+
+cp $1 $CSVDEST
+
diff --git a/utilities/list_addresses.pl b/utilities/list_addresses.pl
new file mode 100755
index 00000000..77841152
--- /dev/null
+++ b/utilities/list_addresses.pl
@@ -0,0 +1,164 @@
+#!/usr/bin/perl -w
+#
+# Script to extract technical and administrative contact email addresses
+# from a SAML metadata file, and add extra addresses from a well-known location.
+#
+# Author: Alex Stuart, alex.stuart@jisc.ac.uk
+#
+
+#
+# Parameters
+#
+
+# An EntitiesDescriptor of all UKF-registered entities
+$metadata = '../mdx/uk/collected.xml';
+
+# A file of email addresses for people who have opted-in to the list
+$extra_addresses = '../../ukf-data/members/extra_addresses.txt';
+
+# Default list of contacts from Salesforce, processed by contacts-from-sf.sh
+$sf_contacts = '../../ukf-data/contacts/sf-contacts-mc.txt';
+
+#
+# Subroutines
+#
+use Getopt::Long;
+use XML::LibXML;
+
+sub usage {
+    print <<EOF;
+
+    $0 [-h] [-f <metadata file>] [--security] [--mc] [-c <management contacts>]
+    
+    -h                       - prints this help text and exits
+    -f <metadata file>       - takes metadata from this file, not the pre-defined file
+    --security               - also extract the security contacts
+    --mc                     - add Management Contacts from a well-known location
+    -c <management contacts> - Use this contacts file not the well-known location
+        
+    Extracts email addresses of contacts in a metadata file.
+    
+    By default, this extracts the technical and administrative contacts
+    from the metadata file, and includes extra addresses.
+    
+EOF
+}
+
+#
+# Options processing
+#
+my $help;
+my $file;
+my $security;
+my $mc;
+my $contacts = $sf_contacts;
+GetOptions( "help" => \$help,
+            "file=s" => \$file,
+            "security" => \$security,
+            "mc" => \$mc,
+            "c:s" => \$contacts
+            );
+
+if ( $help ) {
+    usage();
+    exit 0;
+}
+
+if ( $file ) {
+    $metadata = $file;
+}
+
+if ( ! $metadata ) {
+        print "ERROR: could not find metadata file $metadata\n";
+        usage();
+        exit 1;
+}
+
+if ( ! -r $metadata ) {
+    print "ERROR: metadata file $metadata must be readable\n";
+    usage();
+    exit 2;
+}
+
+
+#
+# Extract addresses from metadata file
+#
+my $dom = XML::LibXML->load_xml( location => $metadata );
+my $xpc = XML::LibXML::XPathContext->new( $dom );
+$xpc->registerNs( 'md', 'urn:oasis:names:tc:SAML:2.0:metadata' );
+@tech_contacts = $xpc->findnodes( '//md:EntityDescriptor/md:ContactPerson/md:EmailAddress[../@contactType="technical"]');
+foreach( @tech_contacts ) { 
+    $email = ${_}->to_literal;
+    $email =~ s/^mailto://i;
+    $metadata{$email} = 1;
+}
+
+
+@admin_contacts = $xpc->findnodes( '//md:EntityDescriptor/md:ContactPerson/md:EmailAddress[../@contactType="administrative"]');
+foreach( @admin_contacts ) { 
+    $email = ${_}->to_literal;
+    $email =~ s/^mailto://i;
+    $metadata{$email} = 1;
+}
+
+if ( $security ) {
+    $xpc->registerNs( 'remd', 'http://refeds.org/metadata' );
+    @security_contacts = $xpc->findnodes(   '//md:EntityDescriptor/md:ContactPerson/md:EmailAddress
+                                            [../@contactType="other"]
+                                            [../@remd:contactType="http://refeds.org/metadata/contactType/security"]'
+                                        );
+    foreach( @security_contacts ) { 
+        $email = ${_}->to_literal;
+        $email =~ s/^mailto://i;
+        $metadata{$email} = 1;
+    }
+}
+
+#
+# Load extra addresses.
+#
+# One extra address per line.  Blank lines and lines starting with '#' are
+# ignored.
+#
+open(EXTRAS, "$extra_addresses") || die "could not open extra addresses file $extra_addresses";
+while (<EXTRAS>) {
+	chomp;	# remove \n
+	next if /^#/;
+	$extras{$_} = 1 unless $_ eq '';
+}
+close EXTRAS;
+
+#
+# Now figure out the addresses we want to see in the mailing list.
+# Make them lower case for comparisons.
+#
+foreach $addr (keys %extras) {
+	$wanted{lc $addr} = $addr;
+}
+foreach $addr (keys %metadata) {
+	$wanted{lc $addr} = $addr;
+}
+
+#
+# And if we want to include Management Contact emails too
+#
+if ( $mc ) {
+    open(SFCONTACTS, "$contacts") || die "could not open contacts file $contacts";
+    while (<SFCONTACTS>) {
+        chomp;
+        $sfcontacts{$_} = 1 unless $_ eq '';
+    }
+    close SFCONTACTS;
+    foreach $addr (keys %sfcontacts) {
+	    $wanted{lc $addr} = $addr;
+    }
+}
+
+#
+# List all wanted addresses.
+#
+foreach $addr (sort keys %wanted) {
+	my $a = $wanted{$addr};
+	print "$a\n";
+}
diff --git a/utilities/stats-generate.sh b/utilities/stats-generate.sh
index 2debef68..da9c4463 100755
--- a/utilities/stats-generate.sh
+++ b/utilities/stats-generate.sh
@@ -179,18 +179,18 @@ fi
 # Get the filesize of the latest uncompressed main aggregate.
 # Since this is just used for estimation, we'll just take the biggest
 # unique filesize for the relevant periods
-aggrfilesizebytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep -v "GZIP" | cut -f 10 -d " " | sort -r | uniq | head -1)
+aggrfilesizebytes=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep -v "GZIP" | cut -f 10 -d " " | sort -r | uniq | head -1)
 
 #
 # Download counts
 #
 
 # Aggregate requests. Everything for .xml (HEAD/GET, 200 and 304)
-mdaggrcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | wc -l)
+mdaggrcount=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | wc -l)
 mdaggrcountfriendly=$(echo $mdaggrcount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Main Aggregate requests. Everything for ukfederation-metadata.xml (HEAD/GET, 200 and 304)
-mdaggrmaincount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | wc -l)
+mdaggrmaincount=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | wc -l)
 mdaggrmaincountfriendly=$(echo $mdaggrmaincount | awk '{ printf ("%'"'"'d\n", $0) }')
 if [[ "$mdaggrmaincount" -ne "0" ]]; then
     mdaggrmainpc=$(echo "scale=4;($mdaggrmaincount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -200,42 +200,42 @@ fi
 
 # Other aggregate requests (don't calculate these if doing daily stats)
 if [[ "$timeperiod" != "day" ]]; then
-    mdaggrbackcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-back.xml" | wc -l)
+    mdaggrbackcount=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-back.xml" | wc -l)
     mdaggrbackcountfriendly=$(echo $mdaggrbackcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrbackcount" -ne "0" ]]; then
         mdaggrbackpc=$(echo "scale=4;($mdaggrbackcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrbackpc="0.0"
     fi
-    mdaggrcdsallcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-cdsall.xml" | wc -l)
+    mdaggrcdsallcount=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-cdsall.xml" | wc -l)
     mdaggrcdsallcountfriendly=$(echo $mdaggrcdsallcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrcdsallcount" -ne "0" ]]; then
         mdaggrcdsallpc=$(echo "scale=4;($mdaggrcdsallcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrcdsallpc="0.0"
     fi
-    mdaggrexportpreviewcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-export-preview.xml" | wc -l)
+    mdaggrexportpreviewcount=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-export-preview.xml" | wc -l)
     mdaggrexportpreviewcountfriendly=$(echo $mdaggrexportpreviewcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrexportpreviewkcount" -ne "0" ]]; then
         mdaggrexportpreviewpc=$(echo "scale=4;($mdaggrexportpreviewcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrexportpreviewpc="0.0"
     fi
-    mdaggrexportcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-export.xml" | wc -l)
+    mdaggrexportcount=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-export.xml" | wc -l)
     mdaggrexportcountfriendly=$(echo $mdaggrexportcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrexportcount" -ne "0" ]]; then
         mdaggrexportpc=$(echo "scale=4;($mdaggrexportcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrexportpc="0.0"
     fi
-    mdaggrtestcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-test.xml" | wc -l)
+    mdaggrtestcount=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-test.xml" | wc -l)
     mdaggrtestcountfriendly=$(echo $mdaggrtestcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrtestcount" -ne "0" ]]; then
         mdaggrtestpc=$(echo "scale=4;($mdaggrtestcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrtestpc="0.0"
     fi
-    mdaggrwayfcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-wayf.xml" | wc -l)
+    mdaggrwayfcount=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-wayf.xml" | wc -l)
     mdaggrwayfcountfriendly=$(echo $mdaggrwayfcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrwayfcount" -ne "0" ]]; then
         mdaggrwayfpc=$(echo "scale=4;($mdaggrwayfcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -245,11 +245,11 @@ if [[ "$timeperiod" != "day" ]]; then
 fi
 
 # Aggregate downloads (i.e. GETs with HTTP 200 responses only)
-mdaggrcountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404| grep "\" 200" | grep "GET" | wc -l)
+mdaggrcountfull=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404| grep "\" 200" | grep "GET" | wc -l)
 mdaggrcountfullfriendly=$(echo $mdaggrcountfull | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Main Aggregate downloads (i.e. GETs with HTTP 200 responses only)
-mdaggrmaincountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | wc -l)
+mdaggrmaincountfull=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | wc -l)
 mdaggrmaincountfullfriendly=$(echo $mdaggrmaincountfull | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Percentage of GETs with HTTP 200 responses compared to total requests
@@ -260,11 +260,11 @@ else
 fi
 
 # Compressed downloads for all
-mdaggrcountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
+mdaggrcountfullcompr=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
 mdaggrcountfullcomprfriendly=$(echo $mdaggrcountfullcompr | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Compressed downloads for main aggregate
-mdaggrmaincountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
+mdaggrmaincountfullcompr=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
 
 # Percentage of GZIPPED HTTP 200 responses compared to total full downloads
 if [[ "$mdaggrcountfull" -ne "0" ]]; then
@@ -274,18 +274,18 @@ else
 fi
 
 # Unique IP addresses requesting aggregates
-mdaggruniqueip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
+mdaggruniqueip=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
 mdaggruniqueipfriendly=$(echo $mdaggruniqueip | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Unique IP addresses requesting aggregates, full D/Ls only
-mdaggruniqueipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
+mdaggruniqueipfull=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
 
 #
 # Data shipped
 #
 
 # Total data shipped, all .xml files
-mdaggrtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
+mdaggrtotalbytes=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
 if [[ "$mdaggrtotalbytes" -gt "0" ]]; then
     mdaggrtotalhr=$(bytestohr $mdaggrtotalbytes)
 else
@@ -293,7 +293,7 @@ else
 fi
 
 # Total data shipped, ukfederation-metadata.xml file
-mdaggrmaintotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
+mdaggrmaintotalbytes=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
 if [[ "$mdaggrtotalbytes" -gt "0" ]]; then
     mdaggrmaintotalhr=$(bytestohr $mdaggrmaintotalbytes)
 else
@@ -323,32 +323,32 @@ fi
 # IPv4 vs IPv6 traffic (don't calculate these if doing daily stats)
 # Some v6 traffic has traditionally passed through v6v4proxy1/2, so to count v4 we're counting all accesses, minus those from the v4 proxy IP addresses, minus actual v6 addresses
 if [[ "$timeperiod" != "day" ]]; then
-    mdaggrv4count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
+    mdaggrv4count=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
     mdaggrv4pc=$(echo "scale=4;($mdaggrv4count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     mdaggrv6count=$(( mdaggrcount - mdaggrv4count ))
     mdaggrv6pc=$(echo "scale=4;($mdaggrv6count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
 
     # Per-server request count
-    mdaggrmd1count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmd1count=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmd1pc=$(echo "scale=4;($mdaggrmd1count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmd2count=$(grep $apachesearchterm $logslocation/md/md2/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmd2count=$(grep -s $apachesearchterm $logslocation/md/md2/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmd2pc=$(echo "scale=4;($mdaggrmd2count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmd3count=$(grep $apachesearchterm $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmd3count=$(grep -s $apachesearchterm $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmd3pc=$(echo "scale=4;($mdaggrmd3count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmdne01count=$(grep $apachesearchterm $logslocation/md/md-ne-01/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdne01count=$(grep -s $apachesearchterm $logslocation/md/md-ne-01/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmdne01pc=$(echo "scale=4;($mdaggrmdne01count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmdne02count=$(grep $apachesearchterm $logslocation/md/md-ne-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdne02count=$(grep -s $apachesearchterm $logslocation/md/md-ne-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmdne02pc=$(echo "scale=4;($mdaggrmdne02count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmdwe01count=$(grep $apachesearchterm $logslocation/md/md-we-01/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdwe01count=$(grep -s $apachesearchterm $logslocation/md/md-we-01/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmdwe01pc=$(echo "scale=4;($mdaggrmdwe01count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmdwe02count=$(grep $apachesearchterm $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdwe02count=$(grep -s $apachesearchterm $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmdwe02pc=$(echo "scale=4;($mdaggrmdwe02count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
 fi
 
 
 # Min queries per IP
 if [[ $mdaggrcount -gt "0" ]]; then
-    mdaggrminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrminqueriesperip=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrinqueriesperip="0"
 fi
@@ -362,14 +362,14 @@ fi
 
 # Max queries per IP
 if [[ $mdaggrcount -gt "0" ]]; then
-    mdaggrmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrmaxqueriesperip=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrmaxqueriesperip="0"
 fi
 
 # Min queries per IP, full D/L only
 if [[ $mdaggrcountfull -gt "0" ]]; then
-    mdaggrminqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrminqueriesperipfull=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrinqueriesperipfull="0"
 fi
@@ -383,7 +383,7 @@ fi
 
 # Max queries per IP, full D/L only
 if [[ $mdaggrcountfull -gt "0" ]]; then
-    mdaggrmaxqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrmaxqueriesperipfull=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrmaxqueriesperipfull="0"
 fi
@@ -393,7 +393,7 @@ if [[ "$timeperiod" != "day" ]]; then
 
     # Top 10 downloaders and how many downloads / total data shipped (full downloads only)
     if [[ "$timeperiod" != "day" ]]; then
-        mdaggrtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -10)
+        mdaggrtoptenipsbycount=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -10)
     fi
 
     #
@@ -415,7 +415,7 @@ if [[ "$timeperiod" != "day" ]]; then
         countfriendly=$(echo $count | awk '{ printf ("%'"'"'d\n", $0) }')
     
         # Figure out total traffic shipped to this IP
-        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
+        totaldataforthisip=$(grep -s $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
         if [[ "$totaldataforthisip" -gt "0" ]]; then
             totaldataforthisiphr=$(bytestohr $totaldataforthisip)
         else
@@ -443,11 +443,11 @@ fi
 # =====
 
 # MDQ requests
-mdqcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep -v 404 | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | wc -l)
+mdqcount=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep -v 404 | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | wc -l)
 mdqcountfriendly=$(echo $mdqcount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # MDQ downloads (i.e. HTTP 200 responses only)
-mdqcountfull=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | wc -l)
+mdqcountfull=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | wc -l)
 mdqcountfullfriendly=$(echo $mdqcountfull | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Percentage of HTTP 200 responses compared to total requests
@@ -458,7 +458,7 @@ else
 fi
 
 # Compressed downloads
-mdqfullcomprcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
+mdqfullcomprcount=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
 mdqfullcomprcountfriendly=$(echo $mdqfullcomprcount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Percentage of GZIPPED HTTP 200 responses compared to total full downloads
@@ -474,7 +474,7 @@ fi
 if [[ "$timeperiod" != "day" ]]; then
     # Some v6 traffic has traditionally passed through v6v4proxy1/2, so to count v4 we're counting all accesses, minus those from the v4 proxy IP addresses, minus actual v6 addresses
     if [[ "$mdqcount" -ne "0" ]]; then
-        mdqv4count=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
+        mdqv4count=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
         mdqv4pc=$(echo "scale=4;($mdqv4count/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
         mdqv6count=$(( mdqcount - mdqv4count ))
         mdqv6pc=$(echo "scale=4;($mdqv6count/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -485,8 +485,8 @@ if [[ "$timeperiod" != "day" ]]; then
 fi
 
 # MDQ requests for entityId based names
-mdqcountentityidhttp=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/http" | wc -l)
-mdqcountentityidurn=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/urn" | wc -l)
+mdqcountentityidhttp=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/http" | wc -l)
+mdqcountentityidurn=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/urn" | wc -l)
 mdqcountentityid=$((mdqcountentityidhttp+mdqcountentityidurn))
 if [[ "$mdqcount" -ne "0" ]]; then
     mdqcountentityidpc=$(echo "scale=3;($mdqcountentityid/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -496,7 +496,7 @@ fi
 mdqcountentityidfriendly=$(echo $mdqcountentityid | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # MDQ requests for hash based names
-mdqcountsha1=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep sha1 | wc -l)
+mdqcountsha1=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep sha1 | wc -l)
 if [[ "$mdqcount" -ne "0" ]]; then
     mdqcountsha1pc=$(echo "scale=3;($mdqcountsha1/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
 else
@@ -506,14 +506,14 @@ mdqcountsha1friendly=$(echo $mdqcountsha1 | awk '{ printf ("%'"'"'d\n", $0) }')
 
 
 # MDQ requests for all entities
-mdqcountallentities=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities " | grep -v 404 | wc -l)
+mdqcountallentities=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities " | grep -v 404 | wc -l)
 
 # Unique IP addresses requesting MDQ
-mdquniqueip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
+mdquniqueip=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
 mdquniqueipfriendly=$(echo $mdquniqueip | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Total data shipped
-mdqtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
+mdqtotalbytes=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
 if [[ "$mdqtotalbytes" -gt "0" ]]; then
     mdqtotalhr=$(bytestohr $mdqtotalbytes)
 else
@@ -522,7 +522,7 @@ fi
 
 # Min queries per IP
 if [[ $mdqcount -gt "0" ]]; then
-    mdqminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdqminqueriesperip=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdqminqueriesperip="0"
 fi
@@ -536,14 +536,14 @@ fi
 
 # Max queries per IP
 if [[ $mdqcount -gt "0" ]]; then
-    mdqmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdqmaxqueriesperip=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdqmaxqueriesperip="0"
 fi
 
 if [[ "$timeperiod" != "day" ]]; then
     # Top 10 downloaders and how many downloads / total data shipped
-    mdqtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep "/entities" | grep -v "/entities/ " | grep -v 404 | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -10)
+    mdqtoptenipsbycount=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep "/entities" | grep -v "/entities/ " | grep -v 404 | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -10)
     
     #
     # Manipute results of the top 10
@@ -564,7 +564,7 @@ if [[ "$timeperiod" != "day" ]]; then
         countfriendly=$(echo $count | awk '{ printf ("%'"'"'d\n", $0) }')
     
         # Figure out total traffic shipped to this IP
-        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
+        totaldataforthisip=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
         if [[ "$totaldataforthisip" -gt "0" ]]; then
             totaldataforthisiphr=$(bytestohr $totaldataforthisip)
         else
@@ -587,7 +587,7 @@ if [[ "$timeperiod" != "day" ]]; then
     
     
     # Top 10 queries and how many downloads / total data shipped
-    mdqtoptenqueriesbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep /entities/ | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | awk '{print $7}' | cut -f 3 -d "/" | sed "s@+@ @g;s@%@\\\\x@g" | printf "%b\n" $(</dev/stdin) | sort | uniq -c | sort -nr | head -10)
+    mdqtoptenqueriesbycount=$(grep -s $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep /entities/ | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | awk '{print $7}' | cut -f 3 -d "/" | sed "s@+@ @g;s@%@\\\\x@g" | printf "%b\n" $(</dev/stdin) | sort | uniq -c | sort -nr | head -10)
 fi
 
 # =====
@@ -595,39 +595,39 @@ fi
 # =====
 
 # How many accesses to .ds.
-cdscount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | wc -l)
+cdscount=$(grep -s $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | wc -l)
 cdscountfriendly=$(echo $cdscount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # IPv4 vs IPv6 traffic (don't count these for daily stats)
 if [[ "$timeperiod" != "day" ]]; then
     # Some v6 traffic has traditionally passed through v6v4proxy1/2, so to count v4 we're counting all accesses, minus those from the v4 proxy IP addresses, minus actual v6 addresses
-    cdsv4count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
+    cdsv4count=$(grep -s $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
     cdsv4pc=$(echo "scale=4;($cdsv4count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
     cdsv6count=$(( cdscount - cdsv4count ))
     cdsv6pc=$(echo "scale=4;($cdsv6count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
 
     # Per-server request count
-    cds1count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* | grep .ds? | wc -l)
+    cds1count=$(grep -s $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* | grep .ds? | wc -l)
     cds1pc=$(echo "scale=4;($cds1count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    cds2count=$(grep $apachesearchterm $logslocation/cds/shib-cds2/ssl_access_log* | grep .ds? | wc -l)
+    cds2count=$(grep -s $apachesearchterm $logslocation/cds/shib-cds2/ssl_access_log* | grep .ds? | wc -l)
     cds2pc=$(echo "scale=4;($cds2count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    cds3count=$(grep $apachesearchterm $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | wc -l)
+    cds3count=$(grep -s $apachesearchterm $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | wc -l)
     cds3pc=$(echo "scale=4;($cds3count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    cdsne01count=$(grep $apachesearchterm $logslocation/cds/shibcds-ne-01/ssl_access_log* | grep .ds? | wc -l)
+    cdsne01count=$(grep -s $apachesearchterm $logslocation/cds/shibcds-ne-01/ssl_access_log* | grep .ds? | wc -l)
     cdsne01pc=$(echo "scale=4;($cdsne01count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    cdsne02count=$(grep $apachesearchterm $logslocation/cds/shibcds-ne-02/ssl_access_log* | grep .ds? | wc -l)
+    cdsne02count=$(grep -s $apachesearchterm $logslocation/cds/shibcds-ne-02/ssl_access_log* | grep .ds? | wc -l)
     cdsne02pc=$(echo "scale=4;($cdsne02count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    cdswe01count=$(grep $apachesearchterm $logslocation/cds/shibcds-we-01/ssl_access_log* | grep .ds? | wc -l)
+    cdswe01count=$(grep -s $apachesearchterm $logslocation/cds/shibcds-we-01/ssl_access_log* | grep .ds? | wc -l)
     cdswe01pc=$(echo "scale=4;($cdswe01count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    cdswe02count=$(grep $apachesearchterm $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | wc -l)
+    cdswe02count=$(grep -s $apachesearchterm $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | wc -l)
     cdswe02pc=$(echo "scale=4;($cdswe02count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
 fi
 
 # How many of these were to the DS (has entityId in the parameters)
-cdsdscount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | grep entityID | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+cdsdscount=$(grep -s $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | grep entityID | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # How many of these were to the WAYF (has shire in the parameters)
-cdswayfcount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | grep shire | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+cdswayfcount=$(grep -s $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | grep shire | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 
 # =====
@@ -635,10 +635,11 @@ cdswayfcount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log
 # =====
 
 # Total WAYFless URLs generated
-wugencount=$(grep $date $logslocation/wugen/urlgenerator-audit.* | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+#wugencount=$(grep $date $logslocation/wugen/urlgenerator-audit.* $logslocation/wugen/wayfless-url-generator-audit.* | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+wugencount=$(grep -s $date $logslocation/wugen/wayfless-url-generator-process.* | grep "Generated wayfless URL" | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # New subscribers to WAYFless URLs
-wugennewsubs=$(grep $date $logslocation/wugen/urlgenerator-process.* | grep "Subscribing user and service provider" | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+wugennewsubs=$(grep -s $date $logslocation/wugen/urlgenerator-process.* $logslocation/wugen/wayfless-url-generator-process.* | grep "Subscribing user and service provider" | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 
 # =====
@@ -669,12 +670,12 @@ fi
 testsplogincount=$(grep $date $logslocation/test-sp/shibd.log* | grep "new session created" | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # And from how many unique IdPs?
-testspidpcount=$(grep $date $logslocation/test-sp/shibd.log* | grep "new session created" | cut -f 12 -d " " | sort | uniq | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+testspidpcount=$(grep $date $logslocation/test-sp/shibd.log* | grep "new session created" | cut -f 13 -d " " | sort | uniq | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Don't count these for daily stats
 if [[ "$timeperiod" != "day" ]]; then
     # Top 10 IdPs used to log into the Test SP
-    testsptoptenidpsbycount=$(grep $date $logslocation/test-sp/shibd.log* | grep "new session created" | awk '{print $12}' | cut -d "(" -f 2 | cut -d ")" -f 1 | sort | uniq -c | sort -nr | head -10)
+    testsptoptenidpsbycount=$(grep $date $logslocation/test-sp/shibd.log* | grep "new session created" | awk '{print $13}' | cut -d "(" -f 2 | cut -d ")" -f 1 | sort | uniq -c | sort -nr | head -10)
 fi
 
 
@@ -686,23 +687,23 @@ fi
 botstringlist="(Googlebot|Bingbo|DuckDuckBot|Baiduspider|Yandexbot|Sogou|Exabot|AhrefsBot|seoscanners)"
 
 # How many requests were there for the main content files?
-wwwaccesscount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
+wwwaccesscount=$(grep -s $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
 wwwaccesscountfriendly=$(echo $wwwaccesscount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # And from how many unique IdPs?
-wwwaccessipcount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+wwwaccessipcount=$(grep -s $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Don't count these when doing daily stats
 if [[ "$timeperiod" != "day" ]]; then
 
     # Per-server request count
-    wwwaccessweb1count=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessweb1count=$(grep -s $apachesearchterm $logslocation/www/web1/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
     wwwaccessweb1pc=$(echo "scale=4;($wwwaccessweb1count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    wwwaccessweb2count=$(grep $apachesearchterm $logslocation/www/web2/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessweb2count=$(grep -s $apachesearchterm $logslocation/www/web2/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
     wwwaccessweb2pc=$(echo "scale=4;($wwwaccessweb2count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    wwwaccessne01count=$(grep $apachesearchterm $logslocation/www/www-ne-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessne01count=$(grep -s $apachesearchterm $logslocation/www/www-ne-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
     wwwaccessne01pc=$(echo "scale=4;($wwwaccessne01count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    wwwaccesswe01count=$(grep $apachesearchterm $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccesswe01count=$(grep -s $apachesearchterm $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
     wwwaccesswe01pc=$(echo "scale=4;($wwwaccesswe01count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
 fi
 
diff --git a/utilities/stats-sync.sh b/utilities/stats-sync.sh
index f2fdba77..1bf2b579 100755
--- a/utilities/stats-sync.sh
+++ b/utilities/stats-sync.sh
@@ -28,6 +28,7 @@ rsync -at --exclude modsec* stats@www-we-01:/var/log/httpd/* $logslocation/www/w
 # Logs from Wugen
 rsync -at --exclude modsec* stats@wugen:/var/log/httpd/* $logslocation/wugen/
 rsync -at stats@wugen:/opt/wugen/logs/urlgenerator-* $logslocation/wugen/
+rsync -at stats@wugen:/opt/wugen/logs/wayfless-* $logslocation/wugen/
 
 # Logs from Test IdP
 rsync -at --exclude modsec* stats@test-idp:/var/log/httpd/* $logslocation/test-idp/