Structure cleanup + docker compose

23 files changed, 394 insertions, 596 deletions

diff --git a/apache-sp/apache-conf/sp.conf b/apache-sp/apache-conf/sp.conf
index 5e32cbc..6678f8e 100644
--- a/apache-sp/apache-conf/sp.conf
+++ b/apache-sp/apache-conf/sp.conf
@@ -37,6 +37,8 @@ SSLHonorCipherOrder     on
         CustomLog /proc/self/fd/1 combined
         ServerSignature off
 
+        DirectoryIndex index.html index.shtml
+
 
         <Location /secure>
            AuthType shibboleth
diff --git a/apache-sp/entrypoint.sh b/apache-sp/entrypoint.sh
index 156b5ac..34589e3 100644
--- a/apache-sp/entrypoint.sh
+++ b/apache-sp/entrypoint.sh
@@ -29,7 +29,13 @@ if [ ! -f "$KEYDIR/private/${SP_HOSTNAME}.key" -o ! -f "$KEYDIR/certs/${SP_HOSTN
 fi
 
 # Fetch metadata
-curl http://shibboleth-docker:8080/idp/shibboleth -o /var/www/metadata.xml
+if [ -z "$SKIP_METADATA" ]; then
+  until curl http://shibboleth-docker:8080/idp/shibboleth -o /var/www/metadata.xml
+  do
+    sleep 5
+  done
+fi
+
 chown -R www-data:www-data /var/www/
 chmod -R a+r /var/www/
 
diff --git a/compose-dev.yml b/compose-dev.yml
new file mode 100644
index 0000000..ea227a3
--- /dev/null
+++ b/compose-dev.yml
@@ -0,0 +1,19 @@
+version: '3'
+services:
+  shibboleth-docker:
+    build: ./idp
+    environment:
+      JAVA_OPTIONS: '-Xmx1g'
+    volumes:
+      - ./data/idp/metadata:/metadata
+  sp:
+    build: ./apache-sp
+    volumes:
+      - ./data/apache-sp:/metadata/apache-sp
+    environment:
+      - SP_HOSTNAME=sp.nordu.dev
+    links:
+      - shibboleth-docker
+    ports:
+      - '80:80'
+      - '443:443'
diff --git a/Dockerfile b/idp/Dockerfile
index 824481c..a411674 100644
--- a/Dockerfile
+++ b/idp/Dockerfile
@@ -16,16 +16,18 @@ RUN apk --no-cache add bash apache-ant sqlite curl && \
     sha256sum -c shibboleth-identity-provider-$IDP_VERSION.tar.gz.sha256 && \
     tar xf shibboleth-identity-provider-$IDP_VERSION.tar.gz && \
     mv shibboleth-identity-provider-$IDP_VERSION shibboleth-identity-provider && \
-    cp /tmp/nordunet.png ./shibboleth-identity-provider/webapp/images/dummylogo.png && \
     ./shibboleth-identity-provider/bin/install.sh -propertyfile install.properties && \
     apk --no-cache del apache-ant && \
     cp /opt/template-config/*.xml /opt/shibboleth-idp/conf && \
+    sed -i '/p:postAuthenticationFlows=/ s/p:postAuthenticationFlows="attribute-release" //' /opt/shibboleth-idp/conf/relying-party.xml && \
     rm -rf shibboleth-identity-provider* install.properties nordu-ldap.properties
+ADD https://mds.swamid.se/md/md-signer2.crt /opt/shibboleth-idp/credentials/
 
 RUN chown -R jetty:jetty /opt/shibboleth-idp
 
-
 #RUN mkdir -p persistent-id && sqlite3 persistent-id/shibboleth.db < /tmp/shibboleth.db.ddl && rm -f /tmp/shibboleth.db.ddl
 
 COPY jetty_base $JETTY_BASE
+COPY shib-entrypoint.sh /shib-entrypoint.sh
+ENTRYPOINT /shib-entrypoint.sh
 WORKDIR $JETTY_BASE
diff --git a/install.properties b/idp/install.properties
index 13ca6ad..13ca6ad 100644
--- a/install.properties
+++ b/idp/install.properties
diff --git a/jetty_base/etc/jetty-http-forwarded.xml b/idp/jetty_base/etc/jetty-http-forwarded.xml
index 50b8097..50b8097 100644
--- a/jetty_base/etc/jetty-http-forwarded.xml
+++ b/idp/jetty_base/etc/jetty-http-forwarded.xml
diff --git a/jetty_base/start.d/http.ini b/idp/jetty_base/start.d/http.ini
index cda6a26..cda6a26 100644
--- a/jetty_base/start.d/http.ini
+++ b/idp/jetty_base/start.d/http.ini
diff --git a/jetty_base/webapps/idp.xml b/idp/jetty_base/webapps/idp.xml
index dbe3671..dbe3671 100644
--- a/jetty_base/webapps/idp.xml
+++ b/idp/jetty_base/webapps/idp.xml
diff --git a/nordu-ldap.properties b/idp/nordu-ldap.properties
index d265541..d265541 100644
--- a/nordu-ldap.properties
+++ b/idp/nordu-ldap.properties
diff --git a/idp/shib-entrypoint.sh b/idp/shib-entrypoint.sh
new file mode 100755
index 0000000..eec7dcd
--- /dev/null
+++ b/idp/shib-entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+ 
+# if there is a metadata file for the test sp, enable it.
+if [ -f /metadata/sp-metadata.xml ]; then
+  sed -i -e '/sp.nordu.dev/ s/<!--//' -e '/sp.nordu.dev/ s/-->//' /opt/shibboleth-idp/conf/metadata-providers.xml
+fi
+
+/docker-entrypoint.sh "$@"
diff --git a/shibboleth-identity-provider-3.3.0.tar.gz b/idp/shibboleth-identity-provider-3.3.0.tar.gz
index d076c1d..d076c1d 100644
--- a/shibboleth-identity-provider-3.3.0.tar.gz
+++ b/idp/shibboleth-identity-provider-3.3.0.tar.gz
diff --git a/shibboleth-identity-provider-3.3.0.tar.gz.sha256 b/idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256
index ea5cafa..ea5cafa 100644
--- a/shibboleth-identity-provider-3.3.0.tar.gz.sha256
+++ b/idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256
diff --git a/shibboleth.db.ddl b/idp/shibboleth.db.ddl
index 3799b91..3799b91 100644
--- a/shibboleth.db.ddl
+++ b/idp/shibboleth.db.ddl
diff --git a/shibboleth.properties b/idp/shibboleth.properties
index da0a7e7..da0a7e7 100644
--- a/shibboleth.properties
+++ b/idp/shibboleth.properties
diff --git a/template-config/README.md b/idp/template-config/README.md
index 6002238..6002238 100644
--- a/template-config/README.md
+++ b/idp/template-config/README.md
diff --git a/idp/template-config/attribute-filter.xml b/idp/template-config/attribute-filter.xml
new file mode 100644
index 0000000..4543e99
--- /dev/null
+++ b/idp/template-config/attribute-filter.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE policy file.  While the policy presented in this
+    example file is illustrative of some simple cases, it relies on the names of
+    non-existent example services and the example attributes demonstrated in the
+    default attribute-resolver.xml file.
+
+    Deployers should refer to the documentation for a complete list of components
+    and their options.
+-->
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+        xmlns="urn:mace:shibboleth:2.0:afp"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+        <!-- Release some attributes to an SP. -->
+        <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
+        <AttributeFilterPolicy id="sp.nordu.dev">
+            <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
+            <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
+            <AttributeRule attributeID="eduPersonPrincipalName">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="uid">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="mail">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="givenName">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="surname">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="displayName">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="commonName">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="employeeType">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="email">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="eduPersonEntitlement">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="mailLocalAddress">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+
+        </AttributeFilterPolicy>
+</AttributeFilterPolicyGroup>
diff --git a/idp/template-config/attribute-resolver.xml b/idp/template-config/attribute-resolver.xml
new file mode 100644
index 0000000..e761920
--- /dev/null
+++ b/idp/template-config/attribute-resolver.xml
@@ -0,0 +1,227 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE configuration file. While the configuration
+    presented in this example file is semi-functional, it isn't very
+    interesting. It is here only as a starting point for your deployment
+    process.
+
+    Very few attribute definitions and data connectors are demonstrated,
+    and the data is derived statically from the logged-in username and a
+    static example connector.
+
+    Attribute-resolver-full.xml contains more examples of attributes,
+    encoders, and data connectors. Deployers should refer to the Shibboleth
+    documentation for a complete list of components and their options.
+
+    NOTE: This file is from the Nordunet template-config
+
+-->
+<AttributeResolver
+        xmlns="urn:mace:shibboleth:2.0:resolver"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+
+    <!--
+    The EPPN is the "standard" federated username in higher ed.
+    For guidelines on the implementation of this attribute, refer
+    to the Shibboleth and eduPerson documentation. Above all, do
+    not expose a value for this attribute without considering the
+    long term implications.
+    -->
+    <!-- This version not used at NORDUnet, see below
+    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </AttributeDefinition>
+    -->
+    <!--
+    The uid is the closest thing to a "standard" LDAP attribute
+    representing a local username, but you should generally *never*
+    expose uid to federated services, as it is rarely globally unique.
+    -->
+    <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </AttributeDefinition>
+
+    <!--
+    In the rest of the world, the email address is the standard identifier,
+    despite the problems with that practice. Consider making the EPPN value
+    the same as your official email addresses whenever possible.
+    -->
+    <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct -->
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o">
+      <Dependency ref="staticAttributes" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
+    </AttributeDefinition>
+
+    <!-- Schema: inetOrgPerson attributes-->
+    <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
+    </AttributeDefinition>
+
+    <!-- Schema: eduPerson attributes -->
+    <AttributeDefinition id="memberOf" xsi:type="Simple" sourceAttributeID="memberOf">
+      <Dependency ref="myLDAP" />
+    </AttributeDefinition>
+	  <!-- Idp-Installer: the source for this attribute is from the database StoredId and no longer the classic computedID  -->
+    <!--
+    <AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID"
+                                  nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="persistentId">
+        <Dependency ref="StoredId" />
+        <AttributeEncoder xsi:type="enc:SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
+        <AttributeEncoder xsi:type="enc:SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
+    </AttributeDefinition>
+    -->
+
+
+<AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
+    <Dependency ref="myLDAP" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
+</AttributeDefinition>
+
+<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="uid"><!-- In ndn it is uid -->
+    <Dependency ref="myLDAP" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+</AttributeDefinition>
+
+<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="nordu.net" sourceAttributeID="employeeType">
+    <Dependency ref="myLDAP" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
+</AttributeDefinition>
+
+	<!-- from swamid installer -->
+  <AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym">
+    <Dependency ref="staticAttributes" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" />
+  </AttributeDefinition>
+
+	<AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization">
+		<Dependency ref="staticAttributes" />
+		<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+		<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+	</AttributeDefinition>
+
+	<AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType">
+		<Dependency ref="staticAttributes" />
+		<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+		<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+	</AttributeDefinition>
+
+	<!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal -->
+
+
+
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+
+    <!--
+    Example LDAP Connector
+
+    The connectivity details can be specified in ldap.properties to
+    share them with your authentication settings if desired.
+    -->
+    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+        baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+        <FilterTemplate>
+            <![CDATA[
+                %{idp.attribute.resolver.LDAP.searchFilter}
+            ]]>
+        </FilterTemplate>
+    </DataConnector>
+
+  	<DataConnector id="staticAttributes" xsi:type="Static">
+			<Attribute id="o">
+				<Value>NORDUnet A/S</Value>
+			</Attribute>
+  	  <Attribute id="schacHomeOrganization">
+  	    <Value>nordu.net</Value>
+  	  </Attribute>
+  	  <Attribute id="schacHomeOrganizationType">
+  	    <Value>urn:schac:homeOrganizationType:int:NREN</Value>
+  	  </Attribute>
+			<Attribute id="norEduOrgAcronym">
+				<Value>NORDUNet</Value>
+			</Attribute>
+  	</DataConnector>
+
+
+  <!-- Computed targeted ID connector -->
+<!--  The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.-->
+
+<!--  <DataConnector id="ComputedId" xsi:type="ComputedId"
+      generatedAttributeID="computedId"
+      sourceAttributeID="uid"
+      salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
+      <resolver:Dependency ref="myLDAP" />
+  </DataConnector>
+
+also in old format the next block
+<resolver:DataConnector id="StoredId"
+    xsi:type="StoredId"
+    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
+    generatedAttributeID="persistentId"
+    sourceAttributeID="uid"
+    salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
+    <resolver:Dependency ref="uid" />
+    <ApplicationManagedConnection
+        jdbcDriver="com.mysql.jdbc.Driver"
+        jdbcURL="jdbc:mysql://mysql:3306/shibboleth?autoReconnect=true&amp;useSSL=false"
+        jdbcUserName="idp"
+        jdbcPassword="shibboleth" />
+</resolver:DataConnector>
+-->
+
+
+</AttributeResolver>
diff --git a/template-config/metadata-providers.xml b/idp/template-config/metadata-providers.xml
index 71b5967..d813c06 100644
--- a/template-config/metadata-providers.xml
+++ b/idp/template-config/metadata-providers.xml
@@ -25,18 +25,6 @@
     <!-- ========================================================================================== -->
 
     <!--
-    Example HTTP metadata provider.  Use this if you want to download the metadata
-    from a remote source.
-
-    You *MUST* provide the SignatureValidationFilter in order to function securely.
-    Get the public key certificate from the party publishing the metadata, and validate
-    it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
-
-    The EntityRoleWhiteList saves memory by only loading metadata from SAML roles
-    that the IdP needs to interoperate with.
-    -->
-
-    <!--
     <MetadataProvider id="HTTPMetadata"
                       xsi:type="FileBackedHTTPMetadataProvider"
                       backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
@@ -50,15 +38,20 @@
     </MetadataProvider>
     -->
 
-    <!--
-    Example file metadata provider.  Use this if you want to load metadata
-    from a local file.  You might use this if you have some local SPs
-    which are not "federated" but you wish to offer a service to.
+    <MetadataProvider id="SWAMID2"
+                      xsi:type="FileBackedHTTPMetadataProvider"
+                      metadataURL="https://mds.swamid.se/md/swamid-2.0.xml"
+                      backingFile="%{idp.home}/metadata/swamid-2.0.xml">
+
+      <MetadataFilter xsi:type="SignatureValidation"
+                      requireSignedRoot="true"
+                      certificateFile="%{idp.home}/credentials/md-signer2.crt" />
+      <MetadataFilter xsi:type="EntityRoleWhiteList">
+        <RetainedRole>md:SPSSODescriptor</RetainedRole>
+      </MetadataFilter>
+    </MetadataProvider>
 
-    If you do not provide a SignatureValidation filter, then you have the
-    responsibility to ensure that the contents on disk are trustworthy.
-    -->
 
-    <MetadataProvider id="sp.nordu.dev"  xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/apache-sp/sp-metadata.xml"/>
+    <!--<MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" /> -->
 
 </MetadataProvider>
diff --git a/idp/template-config/test.xml b/idp/template-config/test.xml
new file mode 100644
index 0000000..ea5c36e
--- /dev/null
+++ b/idp/template-config/test.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>

+<!-- This file is an EXAMPLE metadata configuration file. 

+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"

+    xmlns="urn:mace:shibboleth:2.0:metadata"

+    xmlns:resource="urn:mace:shibboleth:2.0:resource"

+    xmlns:security="urn:mace:shibboleth:2.0:security"

+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"

+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

+    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd

+                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd

+                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd

+                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">

+

+    <!-- ========================================================================================== 

+    <!--                             Metadata Configuration                                         

+    <!--                                                                                            

+    <!--  Below you place the mechanisms which define how to load the metadata for SP(s) you will   

+    <!--  provide service to.                                                                       

+    <!--                                                                                            

+    <!--  Two examples are provided.  The Shibboleth Documentation at                               

+    <!--  https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                

+    <!--  provides more details.                                                                    

+    <!--                                                                                            

+    <!--  NOTE.  This file SHOULD NOT contain the metadata for this IdP.                            

+    <!-- ========================================================================================== 

+

+    <!--

+    <MetadataProvider id="HTTPMetadata"

+                      xsi:type="FileBackedHTTPMetadataProvider"

+                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"

+                      metadataURL="http://WHATEVER">

+

+        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />

+        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>

+        <MetadataFilter xsi:type="EntityRoleWhiteList">

+            <RetainedRole>md:SPSSODescriptor</RetainedRole>

+        </MetadataFilter>

+    </MetadataProvider>

+    

+

+    <MetadataProvider id="SWAMID2"

+                      xsi:type="FileBackedHTTPMetadataProvider"

+                      metadataURL="https://mds.swamid.se/md/swamid-2.0.xml"

+                      backingFile="%{idp.home}/metadata/swamid-2.0.xml">

+

+      <MetadataFilter xsi:type="SignatureValidation"

+                      requireSignedRoot="true"

+                      certificateFile="%{idp.home}/credentials/md-signer2.crt" />

+      <MetadataFilter xsi:type="EntityRoleWhiteList">

+        <RetainedRole>md:SPSSODescriptor</RetainedRole>

+      </MetadataFilter>

+    </MetadataProvider>

+

+

+    <MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" /> 

+

+</MetadataProvider>

diff --git a/metadata/test-rw.txt b/metadata/test-rw.txt
deleted file mode 100644
index e69de29..0000000
--- a/metadata/test-rw.txt
+++ /dev/null
diff --git a/template-config/attribute-filter.xml b/template-config/attribute-filter.xml
deleted file mode 100644
index f2aa5f7..0000000
--- a/template-config/attribute-filter.xml
+++ /dev/null
@@ -1,122 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-    This file is an EXAMPLE policy file.  While the policy presented in this
-    example file is illustrative of some simple cases, it relies on the names of
-    non-existent example services and the example attributes demonstrated in the
-    default attribute-resolver.xml file.
-
-    Deployers should refer to the documentation for a complete list of components
-    and their options.
--->
-<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
-        xmlns="urn:mace:shibboleth:2.0:afp"
-        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
-
-        <!-- Release some attributes to an SP. -->
-        <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
-        <AttributeFilterPolicy id="sp.nordu.dev">
-            <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
-            <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
-            <AttributeRule attributeID="eduPersonPrincipalName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="uid">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="mail">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="givenName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="surname">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="displayName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="commonName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="employeeType">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="email">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="eduPersonEntitlement">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="mailLocalAddress">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-
-        </AttributeFilterPolicy>
-
-        <!--  Release the transient ID to anyone -->
-<!--        <AttributeFilterPolicy id="releaseTransientAndPermanentIdToAnyone">
-            <PolicyRequirementRule xsi:type="ANY" />
-            <AttributeRule attributeID="transientId">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="persistentId">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="eduPersonTargetedID">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-        </AttributeFilterPolicy>
--->
-        <!-- recommended initial attribute filter policy for swamid.se + same rule for edugain, incommon, uk and kalmar2 -->
-<!--        <AttributeFilterPolicy id="releaseStandardAttributesToFederations">
-            <PolicyRequirementRule xsi:type="OR">
-                <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:incommon" />
-                <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://ukfederation.org.uk" />
-                <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://md.swamid.se/md/swamid-1.0.xml" />
-                <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://mds.swamid.se/md/swamid-2.0.xml" />
-                <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="kalmarcentral2" />
-                <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="edugain" />
-            </PolicyRequirementRule>
-            <AttributeRule attributeID="givenName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="surname">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="displayName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="commonName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="eduPersonPrincipalName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="email">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="eduPersonEntitlement">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="mailLocalAddress">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="eduPersonScopedAffiliation">
-                <PermitValueRule xsi:type="OR">
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
-                </PermitValueRule>
-            </AttributeRule>
-            <AttributeRule attributeID="organizationName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-        </AttributeFilterPolicy>-->
-
-</AttributeFilterPolicyGroup>
diff --git a/template-config/attribute-resolver.xml b/template-config/attribute-resolver.xml
deleted file mode 100644
index 9d7b8de..0000000
--- a/template-config/attribute-resolver.xml
+++ /dev/null
@@ -1,373 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-    This file is an EXAMPLE configuration file. While the configuration
-    presented in this example file is semi-functional, it isn't very
-    interesting. It is here only as a starting point for your deployment
-    process.
-
-    Very few attribute definitions and data connectors are demonstrated,
-    and the data is derived statically from the logged-in username and a
-    static example connector.
-
-    Attribute-resolver-full.xml contains more examples of attributes,
-    encoders, and data connectors. Deployers should refer to the Shibboleth
-    documentation for a complete list of components and their options.
-
-    NOTE: This file is from the Nordunet template-config
-
--->
-<AttributeResolver
-        xmlns="urn:mace:shibboleth:2.0:resolver"
-        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
-
-
-    <!-- ========================================== -->
-    <!--      Attribute Definitions                 -->
-    <!-- ========================================== -->
-
-    <!--
-    The EPPN is the "standard" federated username in higher ed.
-    For guidelines on the implementation of this attribute, refer
-    to the Shibboleth and eduPerson documentation. Above all, do
-    not expose a value for this attribute without considering the
-    long term implications.
-    -->
-    <!-- This version not used at NORDUnet, see below
-    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
-    </AttributeDefinition>
-    -->
-    <!--
-    The uid is the closest thing to a "standard" LDAP attribute
-    representing a local username, but you should generally *never*
-    expose uid to federated services, as it is rarely globally unique.
-    -->
-    <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
-    </AttributeDefinition>
-
-    <!--
-    In the rest of the world, the email address is the standard identifier,
-    despite the problems with that practice. Consider making the EPPN value
-    the same as your official email addresses whenever possible.
-    -->
-    <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="mailLocalAddress" xsi:type="Simple" sourceAttributeID="mailLocalAddress">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mailLocalAddress" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.13" friendlyName="mailLocalAddress" encodeType="false" />
-    </AttributeDefinition>
-
-<!-- old format from IDPv2 - still works? -->
-    <AttributeDefinition id="homePhone" xsi:type="Simple" sourceAttributeID="homePhone">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="homePostalAddress" xsi:type="Simple" sourceAttributeID="homePostalAddress">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="mobileNumber" xsi:type="Simple" sourceAttributeID="mobile">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="pagerNumber" xsi:type="Simple" sourceAttributeID="pager">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct -->
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
-    </AttributeDefinition>
-
-
-    <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="locality" xsi:type="Simple" sourceAttributeID="l">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="stateProvince" xsi:type="Simple" sourceAttributeID="st">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="street" xsi:type="Simple" sourceAttributeID="street">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="organizationalUnit" xsi:type="Simple" sourceAttributeID="ou">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="title" xsi:type="Simple" sourceAttributeID="title">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="postalAddress" xsi:type="Simple" sourceAttributeID="postalAddress">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="postalCode" xsi:type="Simple" sourceAttributeID="postalCode">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="postOfficeBox" xsi:type="Simple" sourceAttributeID="postOfficeBox">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="telephoneNumber" xsi:type="Simple" sourceAttributeID="telephoneNumber">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="initials" xsi:type="Simple" sourceAttributeID="initials">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" />
-    </AttributeDefinition>
-
-
-    <!-- Schema: inetOrgPerson attributes-->
-    <AttributeDefinition id="departmentNumber" xsi:type="Simple" sourceAttributeID="departmentNumber">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="employeeNumber" xsi:type="Simple" sourceAttributeID="employeeNumber">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="jpegPhoto" xsi:type="Simple" sourceAttributeID="jpegPhoto">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="preferredLanguage" xsi:type="Simple" sourceAttributeID="preferredLanguage">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" />
-    </AttributeDefinition>
-
-    <!-- Schema: eduPerson attributes -->
-    <AttributeDefinition id="eduPersonAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonAffiliation">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="memberOf" xsi:type="Simple" sourceAttributeID="memberOf">
-      <Dependency ref="myLDAPGROUPS" />
-    </AttributeDefinition>
-
-<!-- placeholder for scripted scriptEduPersonEntitlement -->
-
-<AttributeDefinition id="eduPersonNickname" xsi:type="Simple" sourceAttributeID="eduPersonNickname">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonOrgDN" xsi:type="Simple" sourceAttributeID="eduPersonOrgDN">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonOrgDN" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" friendlyName="eduPersonOrgDN" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonOrgUnitDN" xsi:type="Simple" sourceAttributeID="eduPersonOrgUnitDN">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" friendlyName="eduPersonOrgUnitDN" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonPrimaryOrgUnitDN" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryOrgUnitDN">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" friendlyName="eduPersonPrimaryOrgUnitDN" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="uid">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="nordu.net" sourceAttributeID="employeeType">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
-</AttributeDefinition>
-
-<!-- placeholder for eduPersonTargetedID and persistentId and transientId -->
-
-
-    <!-- ========================================== -->
-    <!--      Data Connectors                       -->
-    <!-- ========================================== -->
-
-    <!--
-    Example LDAP Connector
-
-    The connectivity details can be specified in ldap.properties to
-    share them with your authentication settings if desired.
-    -->
-    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
-        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
-        baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
-        <FilterTemplate>
-            <![CDATA[
-                %{idp.attribute.resolver.LDAP.searchFilter}
-            ]]>
-        </FilterTemplate>
-        <!-- Do we even need a connection pool? Got this:
-        WARN [org.ldaptive.pool.BlockingConnectionPool:882] - org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@6ec7349e failed validation
-
-        <ConnectionPool
-                  minPoolSize="%{idp.pool.LDAP.minSize:3}"
-                  maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
-                  blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
-                  validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
-                  validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
-                  expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
-                  failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />-->
-
-
-    </DataConnector>
-<!--    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
-        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
-        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
-        principal="%{idp.attribute.resolver.LDAP.bindDN}"
-        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
-        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
-        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
-        trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
-        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
-        <FilterTemplate>
-            <![CDATA[
-                %{idp.attribute.resolver.LDAP.searchFilter}
-            ]]>
-        </FilterTemplate>
-  <ConnectionPool
-            minPoolSize="%{idp.pool.LDAP.minSize:3}"
-            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
-            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
-            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
-            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
-            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
-            failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
-    </DataConnector>
-  -->
-
-  <DataConnector id="myLDAPGROUPS" xsi:type="LDAPDirectory"
-      ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
-      baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
-      <FilterTemplate>
-          <![CDATA[
-              %{idp.attribute.resolver.LDAP.searchFilter}
-          ]]>
-      </FilterTemplate>
-      <ReturnAttributes>memberOf</ReturnAttributes>
-  </DataConnector>
-
-
-  <!-- Computed targeted ID connector -->
-<!--  The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.-->
-
-<!--  <DataConnector id="ComputedId" xsi:type="ComputedId"
-      generatedAttributeID="computedId"
-      sourceAttributeID="uid"
-      salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
-      <resolver:Dependency ref="myLDAP" />
-  </DataConnector>
-
-also in old format the next block
-<resolver:DataConnector id="StoredId"
-    xsi:type="StoredId"
-    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
-    generatedAttributeID="persistentId"
-    sourceAttributeID="uid"
-    salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
-    <resolver:Dependency ref="uid" />
-    <ApplicationManagedConnection
-        jdbcDriver="com.mysql.jdbc.Driver"
-        jdbcURL="jdbc:mysql://mysql:3306/shibboleth?autoReconnect=true&amp;useSSL=false"
-        jdbcUserName="idp"
-        jdbcPassword="shibboleth" />
-</resolver:DataConnector>
--->
-
-
-</AttributeResolver>
diff --git a/template-config/relying-party.xml b/template-config/relying-party.xml
deleted file mode 100644
index 327c8e2..0000000
--- a/template-config/relying-party.xml
+++ /dev/null
@@ -1,78 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
-       xmlns:context="http://www.springframework.org/schema/context"
-       xmlns:util="http://www.springframework.org/schema/util"
-       xmlns:p="http://www.springframework.org/schema/p"
-       xmlns:c="http://www.springframework.org/schema/c"
-       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
-                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
-                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
-       default-init-method="initialize"
-       default-destroy-method="destroy">
-
-    <!--
-    Unverified RP configuration, defaults to no support for any profiles. Add <ref> elements to the list
-    to enable specific default profile settings (as below), or create new beans inline to override defaults.
-
-    "Unverified" typically means the IdP has no metadata, or equivalent way of assuring the identity and
-    legitimacy of a requesting system. To run an "open" IdP, you can enable profiles here.
-    -->
-    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
-        <property name="profileConfigurations">
-            <list>
-              <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
-              <ref bean="SAML1.AttributeQuery" />
-              <ref bean="SAML1.ArtifactResolution" />
-              <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
-              <ref bean="SAML2.ECP" />
-              <ref bean="SAML2.Logout" />
-              <ref bean="SAML2.AttributeQuery" />
-              <ref bean="SAML2.ArtifactResolution" />
-              <ref bean="Liberty.SSOS" />
-            </list>
-        </property>
-    </bean>
-
-    <!--
-    Default configuration, with default settings applied for all profiles, and enables
-    the attribute-release consent flow.
-    -->
-    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
-        <property name="profileConfigurations">
-            <list>
-                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
-                <ref bean="SAML1.AttributeQuery" />
-                <ref bean="SAML1.ArtifactResolution" />
-                <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
-                <ref bean="SAML2.ECP" />
-                <ref bean="SAML2.Logout" />
-                <ref bean="SAML2.AttributeQuery" />
-                <ref bean="SAML2.ArtifactResolution" />
-                <ref bean="Liberty.SSOS" />
-            </list>
-        </property>
-    </bean>
-
-    <!-- Container for any overrides you want to add. -->
-
-    <util:list id="shibboleth.RelyingPartyOverrides">
-
-        <!--
-        Override example that identifies a single RP by name and configures it
-        for SAML 2 SSO without encryption. This is a common "vendor" scenario.
-        -->
-        <!--
-        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org">
-            <property name="profileConfigurations">
-                <list>
-                    <bean parent="SAML2.SSO" p:encryptAssertions="false" />
-                </list>
-            </property>
-        </bean>
-        -->
-
-    </util:list>
-
-</beans>