+ <xsl:template match="oldconf:Sessions">
+  <Sessions exportLocation="http://localhost/{@handlerURL}/GetAssertion">
+ <xsl:apply-templates select="@*"/>
+
+  <xsl:comment>
+ <xsl:text>
+  SessionInitiators handle session requests and relay them to a Discovery page,
+  or to an IdP if possible. Automatic session setup will use the default or first
+  element (or requireSessionWith can specify a specific one to use).
+ </xsl:text>
+ </xsl:comment>
+ <xsl:for-each select="oldconf:SessionInitiator">
+ <xsl:text> </xsl:text>
+ <xsl:apply-templates select="."/>
+ </xsl:for-each>
+
+  <xsl:comment>
+ <xsl:text>
+  md:AssertionConsumerService locations handle specific SSO protocol bindings,
+  such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
+  are used when sessions are initiated to determine how to tell the IdP where and
+  how to return the response.
+ </xsl:text>
+ </xsl:comment>
+  <md:AssertionConsumerService Location="/SAML2/POST" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+  <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
+  <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+  <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
+  <md:AssertionConsumerService Location="/SAML/POST" index="5"
+ Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
+  <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
+ Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+
+ <!-- Turn the old local SLO location into the new LogoutInitiator location. -->
+ <xsl:variable name="LogoutLocation">
+ <xsl:choose>
+ <xsl:when test="md:SingleLogoutService[1]">
+ <xsl:value-of select="md:SingleLogoutService[1]/@Location"/>
+ </xsl:when>
+ <xsl:otherwise>/Logout</xsl:otherwise>
+ </xsl:choose>
+ </xsl:variable>
+
+  <xsl:comment>
+ <xsl:text> LogoutInitiators enable SP-initiated local or global/single logout of sessions. </xsl:text>
+ </xsl:comment>
+  <LogoutInitiator type="Chaining" Location="{$LogoutLocation}" relayState="cookie">
+  <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
+  <LogoutInitiator type="Local"/>
+  </LogoutInitiator>
+
+  <xsl:comment>
+ <xsl:text> md:SingleLogoutService locations handle single logout (SLO) protocol messages. </xsl:text>
+ </xsl:comment>
+  <md:SingleLogoutService Location="/SLO/SOAP"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+  <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+  <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+  <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+
+  <xsl:comment>
+ <xsl:text> md:ManageNameIDService locations handle NameID management (NIM) protocol messages. </xsl:text>
+ </xsl:comment>
+  <md:ManageNameIDService Location="/NIM/SOAP"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+  <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+  <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+  <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+
+  <xsl:comment>
+ <xsl:text>
+  md:ArtifactResolutionService locations resolve artifacts issued when using the
+  SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
+ </xsl:text>
+ </xsl:comment>
+  <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+
+  <xsl:comment>
+ <xsl:text> Extension service that generates "approximate" metadata based on SP configuration. </xsl:text>
+ </xsl:comment>
+  <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+  <xsl:comment>
+ <xsl:text> Status reporting service. </xsl:text>
+ </xsl:comment>
+  <Handler type="Status" Location="Status" acl="127.0.0.1"/>
+
+  <xsl:comment>
+ <xsl:text> Session diagnostic service. </xsl:text>
+ </xsl:comment>
+  <Handler type="Session" Location="/Session"/>
+
+  </Sessions>
+ </xsl:template>
+
+ <xsl:template match="oldconf:SessionInitiator">
+  <SessionInitiator type="Chaining" Location="{@Location}" acsByIndex="false" relayState="cookie">
+ <xsl:if test="@id">
+ <xsl:attribute name="id"><xsl:value-of select="@id"/></xsl:attribute>
+ </xsl:if>
+ <xsl:if test="@isDefault">
+ <xsl:attribute name="isDefault"><xsl:value-of select="@isDefault"/></xsl:attribute>
+ </xsl:if>
+ <xsl:if test="@Location=../oldconf:SessionInitiator[1]/@Location">
+ <xsl:if test="$idp">
+ <xsl:attribute name="entityID"><xsl:value-of select="$idp"/></xsl:attribute>
+ </xsl:if>
+ </xsl:if>
+  <SessionInitiator type="SAML2" defaultACSIndex="1" ECP="true" template="bindingTemplate.html"/>
+  <SessionInitiator type="Shib1" defaultACSIndex="4"/>
+ <xsl:if test="@wayfURL">
+ <xsl:if test="@wayfBinding='urn:mace:shibboleth:1.0:profiles:AuthnRequest'">
+  <SessionInitiator type="WAYF" URL="{@wayfURL}"/>
+ </xsl:if>
+ </xsl:if>
+  </SessionInitiator>
+ </xsl:template>
+
+ <!-- Map <Errors> element across, adding logout templates. -->
+ <xsl:template match="oldconf:Errors">
+  <Errors>
+ <xsl:apply-templates select="@*"/>
+ <xsl:attribute name="localLogout">localLogout.html</xsl:attribute>
+ <xsl:attribute name="globalLogout">globalLogout.html</xsl:attribute>
+  </Errors>
+ </xsl:template>
+
+ <!-- Map <CredentialUse> element content into relying party overrides. -->
+ <xsl:template match="oldconf:CredentialUse">
+ <xsl:for-each select="oldconf:RelyingParty">
+  <RelyingParty Name="{@Name}">
+ <xsl:if test="@TLS">
+ <xsl:attribute name="keyName"><xsl:value-of select="@TLS"/></xsl:attribute>
+ </xsl:if>
+  </RelyingParty>
+ </xsl:for-each>
+ </xsl:template>
+