From 844d0ff640b1a6cc47a3451d21f2a06ea59fdbcc Mon Sep 17 00:00:00 2001
From: cantor <cantor@cb58f699-b61c-0410-a6fe-9272a202ed29>
Date: Sat, 17 Nov 2007 03:59:34 +0000
Subject: [PATCH] Change some defaults to reduce DoS opportunities out of the
 box. Convert sample metadata to an IdP only static example.

git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/trunk@2627 cb58f699-b61c-0410-a6fe-9272a202ed29
---
 configs/Makefile.am                    |  11 +-
 configs/example-metadata.xml           | 188 +++++++++++++++++++
 configs/example-metadata.xml.in        | 322 ---------------------------------
 configs/shibboleth2.xml.in             |  63 ++++---
 msi/scripts/shib_edit_config_files.vbs |  10 -
 postinstall                            |   3 +-
 6 files changed, 233 insertions(+), 364 deletions(-)
 create mode 100644 configs/example-metadata.xml
 delete mode 100644 configs/example-metadata.xml.in

diff --git a/configs/Makefile.am b/configs/Makefile.am
index 26d969e..6e70da7 100644
--- a/configs/Makefile.am
+++ b/configs/Makefile.am
@@ -26,12 +26,12 @@ BUILTCONFIGFILES = \
 	native.logger \
 	shibd.logger \
 	attribute-map.xml \
-	attribute-policy.xml \
-	example-metadata.xml
+	attribute-policy.xml
 
 # While BUILTCONFIGFILES are processed, these are not; so we should pull
 # them from SRCDIR.
 CONFIGFILES = \
+    example-metadata.xml \
 	console.logger \
 	syslog.logger \
 	accessError.html \
@@ -96,9 +96,6 @@ attribute-map.xml: ${srcdir}/attribute-map.xml.in Makefile ${top_builddir}/confi
 attribute-policy.xml: ${srcdir}/attribute-policy.xml.in Makefile ${top_builddir}/config.status
 	$(MAKE) do-build-file FILE=$@
 
-example-metadata.xml: ${srcdir}/example-metadata.xml.in Makefile ${top_builddir}/config.status
-	$(MAKE) do-build-file FILE=$@
-
 all-data-local: $(BUILTCONFIGFILES)
 
 install-data-local:	all-data-local
@@ -132,14 +129,12 @@ CLEANFILES = \
 	native.logger \
 	shibboleth2.xml \
 	attribute-map.xml \
-	attribute-policy.xml \
-	example-metadata.xml
+	attribute-policy.xml
 
 EXTRA_DIST = \
 	shibboleth2.xml.in \
 	attribute-map.xml.in \
 	attribute-policy.xml.in \
-	example-metadata.xml.in \
 	native.logger.in \
 	shibd.logger.in \
 	apache.config.in \
diff --git a/configs/example-metadata.xml b/configs/example-metadata.xml
new file mode 100644
index 0000000..1387df9
--- /dev/null
+++ b/configs/example-metadata.xml
@@ -0,0 +1,188 @@
+<!--
+This is example IdP metadata for demonstration purposes. Each party
+in a Shibboleth/SAML deployment requires metadata from its opposite(s).
+Thus, your metadata describes you and is given to your partners, and your
+partners' metadata is fed into your configuration.
+
+This particular file isn't used for anything directly, it's just an example
+to help with constructing metadata for an IdP that may not supply its
+metadata to you properly.
+-->
+
+<EntityDescriptor
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"
+    validUntil="2010-01-01T00:00:00Z"
+    entityID="https://idp.example.org/shibboleth">
+    <!--
+    The entityID above looks like a location, but it's actually just a name.
+    Each entity is assigned a URI name. By convention, it will often be a
+    URL, but it should never contain a physical machine hostname that you
+    would not otherwise publish to users of the service. For example, if your
+    installation runs on a machine named "gryphon.example.org", you would
+    generally register that machine in DNS under a second, logical name
+    (such as idp.example.org). This logical name should be used in favor
+    of the real hostname when you assign an entityID. You should use a name
+    like this even if you don't actually register the server in DNS using it.
+    The URL does not have to resolve into anything to use it as a name, although
+    it is useful if it does in fact point to your metadata. The key point is
+    for the name you choose to be stable, which is why including hostnames is
+    generally bad, since they tend to change.
+    -->
+	
+	<!-- A Shibboleth 1.x and SAML 2.0 IdP contains this element with protocol support as shown. -->
+	<IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+		<Extensions>
+			<!-- This is a Shibboleth extension to express attribute scope rules. -->
+			<shibmd:Scope>example.org</shibmd:Scope>
+		</Extensions>
+		
+		<!--
+		One or more KeyDescriptors tell your SP how the IdP will authenticate itself. A single
+		descriptor can be used for both signing and for server-TLS if its use attribute
+		is set to "signing". You can place an X.509 certificate directly in this element
+		to specify the public key to use. This only reflects the public half of the keypair
+		used by the IdP. A different key, or the same key, can be specified for enabling
+		the SP to encrypt XML it sends to the IdP. 
+		-->
+		<KeyDescriptor use="signing">
+		    <ds:KeyInfo>
+		        <ds:X509Data>
+		        	<ds:X509Certificate>
+                    MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
+                    BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
+                    Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
+                    AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
+                    ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
+                    Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
+                    4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
+                    lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
+                    v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
+                    CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
+                    eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
+                    BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
+                    Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
+                    w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
+		        	</ds:X509Certificate>
+		        </ds:X509Data>
+		    </ds:KeyInfo>
+		</KeyDescriptor>
+
+        <KeyDescriptor use="encryption">
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+                    MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
+                    BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
+                    Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
+                    AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
+                    ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
+                    Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
+                    4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
+                    lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
+                    v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
+                    CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
+                    eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
+                    BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
+                    Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
+                    w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </KeyDescriptor>
+
+		<!-- This tells the SP where/how to resolve SAML 1.x artifacts into SAML assertions. -->
+		<ArtifactResolutionService index="1"
+			Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+			Location="https://idp.example.org:8443/shibboleth/profile/saml1/soap/ArtifactResolution"/>
+
+        <!-- This tells the SP where/how to resolve SAML 2.0 artifacts into SAML messages. -->
+        <ArtifactResolutionService index="1"
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+            Location="https://idp.example.org:8443/shibboleth/profile/saml2/soap/ArtifactResolution"/>
+
+		<!-- This tells the SP how and where to request authentication. -->
+		<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
+		    Location="https://idp.example.org/shibboleth/profile/shibboleth/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://idp.example.org/shibboleth/profile/saml2/Redirect/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+            Location="https://idp.example.org/shibboleth/profile/saml2/POST/SSO"/>
+	</IDPSSODescriptor>
+	
+	<!-- Most Shibboleth IdPs also support SAML attribute queries, so this role is also included. -->
+	<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+		<Extensions>
+			<!-- This is a Shibboleth extension to express attribute scope rules. -->
+			<shibmd:Scope>example.org</shibmd:Scope>
+		</Extensions>
+		
+		<!-- The certificate has to be repeated here (or a different one specified if necessary). -->
+		<KeyDescriptor use="signing">
+		    <ds:KeyInfo>
+		        <ds:X509Data>
+		        	<ds:X509Certificate>
+                    MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
+                    BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
+                    Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
+                    AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
+                    ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
+                    Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
+                    4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
+                    lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
+                    v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
+                    CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
+                    eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
+                    BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
+                    Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
+                    w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
+		        	</ds:X509Certificate>
+		        </ds:X509Data>
+		    </ds:KeyInfo>
+		</KeyDescriptor>
+
+        <KeyDescriptor use="encryption">
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+                    MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
+                    BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
+                    Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
+                    AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
+                    ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
+                    Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
+                    4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
+                    lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
+                    v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
+                    CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
+                    eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
+                    BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
+                    Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
+                    w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </KeyDescriptor>
+
+		<!-- This tells the SP how and where to send queries. -->
+		<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+		    Location="https://idp.example.org:8443/shibboleth/profiles/saml1/soap/AttributeQuery"/>
+        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+            Location="https://idp.example.org:8443/shibboleth/profiles/saml2/soap/AttributeQuery"/>
+	</AttributeAuthorityDescriptor>
+
+	<!-- This is just information about the entity in human terms. -->
+	<Organization>
+	    <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
+	    <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
+	    <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
+	</Organization>
+	<ContactPerson contactType="technical">
+	    <SurName>Technical Support</SurName>
+	    <EmailAddress>support@idp.example.org</EmailAddress>
+	</ContactPerson>
+
+</EntityDescriptor>
diff --git a/configs/example-metadata.xml.in b/configs/example-metadata.xml.in
deleted file mode 100644
index d7a9d2c..0000000
--- a/configs/example-metadata.xml.in
+++ /dev/null
@@ -1,322 +0,0 @@
-<EntitiesDescriptor
-    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"
-    Name="urn:mace:shibboleth:examples"
-    validUntil="2010-01-01T00:00:00Z">
-
-	<!--
-	This is a starter set of metadata for testing Shibboleth. It shows
-	a pair of example entities, one an IdP and one an SP. Each party
-	requires metadata from its opposite in order to interact with it.
-	Thus, your metadata describes you, and your partner(s)' metadata
-	is fed into your configuration.
-	
-	The software components do not configure themselves using metadata
-	(e.g. the IdP does not configure itself using IdP metadata). Instead,
-	metadata about SPs is fed into IdPs and metadata about IdPs is fed into
-	SPs. Other metadata is ignored, so the software does not look for
-	conflicts between its own configuration and the metadata that might
-	be present about itself. Metadata is instead maintained based on the
-	external details of your configuration.
-	-->
-
-	<EntityDescriptor entityID="https://idp.example.org/shibboleth">
-	<!--
-	The entityID above looks like a location, but it's actually just a name.
-	Each entity is assigned a URI name. By convention, it will often be a
-	URL, but it should never contain a physical machine hostname that you
-	would not otherwise publish to users of the service. For example, if your
-	installation runs on a machine named "gryphon.example.org", you would
-	generally register that machine in DNS under a second, logical name
-	(such as idp.example.org). This logical name should be used in favor
-	of the real hostname when you assign an entityID. You should use a name
-	like this even if you don't actually register the server in DNS using it.
-	The URL does *not* have to resolve into anything to use it as a name.
-	The point is for the name you choose to be stable, which is why including
-	hostnames is generally bad, since they tend to change.
-	-->
-		
-		<!-- A Shib IdP contains this element with protocol support as shown. -->
-		<IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
-			<Extensions>
-				<!-- This is a Shibboleth extension to express attribute scope rules. -->
-				<shibmd:Scope>example.org</shibmd:Scope>
-			</Extensions>
-			
-			<!--
-			One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
-			descriptor can be used for both signing and for server-TLS if its use attribute
-			is set to "signing". You can place an X.509 certificate directly in this element
-			to specify the exact public key certificate to use. This only reflects the public
-			half of the keypair used by the IdP.
-			
-			When the IdP signs XML, it uses the private key included in its Credentials
-			configuration element, and when TLS is used, the web server will use the
-			certificate and private key defined by the web server's configuration.
-			An SP will then try to match the certificates in the KeyDescriptors here
-			to the ones presented in the XML Signature or SSL session.
-			
-			When an inline certificate is used, do not assume that an expired certificate
-			will be detected and rejected. Often only the key will be extracted without
-			regard for the certificate, but at the same time, it may be risky to include
-			an expired certificate and assume it will work. Your SAML implementation
-			may provide specific guidance on this.
-			-->
-			<KeyDescriptor use="signing">
-			    <ds:KeyInfo>
-			        <ds:X509Data>
-			        	<ds:X509Certificate>
-MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
-			        	</ds:X509Certificate>
-			        </ds:X509Data>
-			    </ds:KeyInfo>
-			</KeyDescriptor>
-
-            <KeyDescriptor use="encryption">
-                <ds:KeyInfo>
-                    <ds:X509Data>
-                        <ds:X509Certificate>
-MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
-                        </ds:X509Certificate>
-                    </ds:X509Data>
-                </ds:KeyInfo>
-            </KeyDescriptor>
-
-			<!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
-			<ArtifactResolutionService index="1"
-				Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
-				Location="https://idp.example.org:8443/shibboleth/profile/saml1/soap/ArtifactResolution"/>
-
-            <!-- This tells SPs where/how to resolve SAML 2.0 artifacts into SAML messages. -->
-            <ArtifactResolutionService index="1"
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
-                Location="https://idp.example.org:8443/shibboleth/profile/saml2/soap/ArtifactResolution"/>
-
-            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-			
-			<!-- This tells SPs how and where to request authentication. -->
-			<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
-			    Location="https://idp.example.org/shibboleth/profile/shibboleth/SSO"/>
-            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-                Location="https://idp.example.org/shibboleth/profile/saml2/Redirect/SSO"/>
-            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-                Location="https://idp.example.org/shibboleth/profile/saml2/POST/SSO"/>
-		</IDPSSODescriptor>
-		
-		<!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
-		<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
-			<Extensions>
-				<!-- This is a Shibboleth extension to express attribute scope rules. -->
-				<shibmd:Scope>example.org</shibmd:Scope>
-			</Extensions>
-			
-			<!-- The certificate has to be repeated here (or a different one specified if necessary). -->
-			<KeyDescriptor use="signing">
-			    <ds:KeyInfo>
-			        <ds:X509Data>
-			        	<ds:X509Certificate>
-MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
-			        	</ds:X509Certificate>
-			        </ds:X509Data>
-			    </ds:KeyInfo>
-			</KeyDescriptor>
-
-            <KeyDescriptor use="encryption">
-                <ds:KeyInfo>
-                    <ds:X509Data>
-                        <ds:X509Certificate>
-MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
-                        </ds:X509Certificate>
-                    </ds:X509Data>
-                </ds:KeyInfo>
-            </KeyDescriptor>
-
-			<!-- This tells SPs how and where to send queries. -->
-			<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
-			    Location="https://idp.example.org:8443/shibboleth/profiles/saml1/soap/AttributeQuery"/>
-            <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
-                Location="https://idp.example.org:8443/shibboleth/profiles/saml2/soap/AttributeQuery"/>
-
-			<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-		</AttributeAuthorityDescriptor>
-
-		<!-- This is just information about the entity in human terms. -->
-		<Organization>
-		    <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
-		    <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
-		    <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
-		</Organization>
-		<ContactPerson contactType="technical">
-		    <SurName>Technical Support</SurName>
-		    <EmailAddress>support@idp.example.org</EmailAddress>
-		</ContactPerson>
-
-	</EntityDescriptor>
-
-	<!-- See the comment earlier about how an entityID is chosen/created. -->
-	<EntityDescriptor entityID="https://sp.example.org/shibboleth">
-	
-		<!-- An SP supporting SAML 1 and 2 contains this element with protocol support as shown. -->
-		<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
-		
-			<Extensions>
-				<!-- Extension to permit the SP to receive IdP discovery responses. -->
-				<idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-					index="1" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-					Location="https://sp.example.org/Shibboleth.sso/DS"/>
-			</Extensions>
-		
-			<!--
-			One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
-			descriptor can be used for signing, TLS, and encryption if its use attribute is
-			omitted. You can place an X.509 certificate directly in this element
-			to specify the exact public key certificate to use. This only reflects the public
-			half of the keypair used by the SP.
-			
-			The SP uses the private key included in its Credentials	configuration element
-			for both XML signing and client-side TLS. An IdP will then try to match the
-			certificates in the KeyDescriptors here to the ones presented in the XML
-			Signature or SSL session.
-			-->
-			<KeyDescriptor>
-			    <ds:KeyInfo>
-			        <ds:X509Data>
-			        	<ds:X509Certificate>
-						MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
-						BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
-						b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
-						VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
-						gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
-						/jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
-						qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
-						7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
-						JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
-						CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
-						cGxlLm9yZ4IJAKk8t1hYcMkhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
-						gYEAMFq/UeSQyngE0GpZueyD2UW0M358uhseYOgGEIfm+qXIFQF6MYwNoX7WFzhC
-						LJZ2E6mEvZZFHCHUtl7mGDvsRwgZ85YCtRbvleEpqfgNQToto9pLYe+X6vvH9Z6p
-						gmYsTmak+kxO93JprrOd9xp8aZPMEprL7VCdrhbZEfyYER0=
-			        	</ds:X509Certificate>
-			        </ds:X509Data>
-			    </ds:KeyInfo>
-			</KeyDescriptor>
-			
-			<!-- This tells IdPs that Single Logout is supported and where/how to request it. -->
-			<SingleLogoutService Location="https://sp.example.org/Shibboleth.sso/SLO/SOAP"
-				Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
-			<SingleLogoutService Location="https://sp.example.org/Shibboleth.sso/SLO/Redirect"
-				Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
-			<SingleLogoutService Location="https://sp.example.org/Shibboleth.sso/SLO/POST"
-				Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
-			<SingleLogoutService Location="https://sp.example.org/Shibboleth.sso/SLO/Artifact"
-				Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
-
-            <!-- This tells IdPs that NameID Management is supported and where/how to request it. -->
-            <ManageNameIDService Location="https://sp.example.org/Shibboleth.sso/NIM/SOAP"
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
-            <ManageNameIDService Location="https://sp.example.org/Shibboleth.sso/NIM/Redirect"
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
-            <ManageNameIDService Location="https://sp.example.org/Shibboleth.sso/NIM/POST"
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
-            <ManageNameIDService Location="https://sp.example.org/Shibboleth.sso/NIM/Artifact"
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>			
-			
-			<!-- This tells IdPs that you only need transient identifiers. -->
-			<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-		    
-			<!--
-			This tells IdPs where and how to send authentication assertions. Mostly
-			the SP will tell the IdP what location to use in its request, but this
-			is how the IdP validates the location and also figures out which
-			SAML version/binding to use.
-			-->
-			<AssertionConsumerService index="1" isDefault="true"
-				Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-				Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
-			<AssertionConsumerService index="2"
-				Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
-				Location="https://sp.example.org/Shibboleth.sso/SAML2/POST-SimpleSign"/>
-			<AssertionConsumerService index="3"
-				Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-				Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact"/>
-			<AssertionConsumerService index="4"
-				Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
-				Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
-			<AssertionConsumerService index="5"
-				Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
-				Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
-
-		</SPSSODescriptor>
-
-		<!-- This is just information about the entity in human terms. -->
-		<Organization>
-			<OrganizationName xml:lang="en">Example Service Provider</OrganizationName>
-			<OrganizationDisplayName xml:lang="en">Services 'R' Us</OrganizationDisplayName>
-			<OrganizationURL xml:lang="en">http://sp.example.org/</OrganizationURL>
-		</Organization>
-		<ContactPerson contactType="technical">
-			<SurName>Technical Support</SurName>
-			<EmailAddress>support@sp.example.org</EmailAddress>
-		</ContactPerson>
-		
-	</EntityDescriptor>
-
-</EntitiesDescriptor>
diff --git a/configs/shibboleth2.xml.in b/configs/shibboleth2.xml.in
index ceafe44..be31bc7 100644
--- a/configs/shibboleth2.xml.in
+++ b/configs/shibboleth2.xml.in
@@ -103,13 +103,12 @@
 		The system can compute a relative value based on the virtual host. Using handlerSSL="true"
 		will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
 		in that case. Note that while we default checkAddress to "false", this has a negative
-		impact on the security of the SP. Stealing cookies/sessions is much easier with this
-		disabled.
+		impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
 		-->
 		<Sessions lifetime="28800" timeout="3600" checkAddress="false"
 			handlerURL="/Shibboleth.sso" handlerSSL="false"
 			exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
-			idpHistory="true" idpHistoryDays="7">
+			idpHistory="false" idpHistoryDays="7">
 			
 			<!--
 			SessionInitiators handle session requests and relay them to a Discovery page,
@@ -118,23 +117,26 @@
 			-->
 
 			<!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
-			<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="idp.example.org"
+			<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
 					relayState="cookie" entityID="https://idp.example.org/shibboleth">
 				<SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
-				<SessionInitiator type="Shib1" defaultACSIndex="4"/>
+				<SessionInitiator type="Shib1" defaultACSIndex="5"/>
+				<!-- <SessionInitiator type="ADFS"/> -->
 			</SessionInitiator>
 			
 			<!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
 			<SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
 				<SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
-				<SessionInitiator type="Shib1" defaultACSIndex="4"/>
-				<SessionInitiator type="WAYF" defaultACSIndex="4" URL="https://wayf.example.org/WAYF"/>
+				<SessionInitiator type="Shib1" defaultACSIndex="5"/>
+                <!-- <SessionInitiator type="ADFS"/> -->
+				<SessionInitiator type="WAYF" defaultACSIndex="5" URL="https://wayf.example.org/WAYF"/>
 			</SessionInitiator>
 
 			<!-- An example supporting the new-style of discovery service. -->
 			<SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
 				<SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
-				<SessionInitiator type="Shib1" defaultACSIndex="4"/>
+				<SessionInitiator type="Shib1" defaultACSIndex="5"/>
+                <!-- <SessionInitiator type="ADFS"/> -->
 				<SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS"/>
 			</SessionInitiator>
 			
@@ -150,14 +152,22 @@
 				Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
 			<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
 				Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
-			<md:AssertionConsumerService Location="/SAML/POST" index="4"
+            <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
+			<md:AssertionConsumerService Location="/SAML/POST" index="5"
 				Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
-			<md:AssertionConsumerService Location="/SAML/Artifact" index="5"
+			<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
 				Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+		    
+		    <!--
+            <md:AssertionConsumerService Location="/ADFS" index="7"
+                Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>
+            -->
 
 			<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
 			<LogoutInitiator type="Chaining" Location="/Logout">
 				<LogoutInitiator type="SAML2" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
+				<!-- <LogoutInitiator type="ADFS"/>	-->
 				<LogoutInitiator type="Local"/>
 			</LogoutInitiator>
 
@@ -189,7 +199,7 @@
 				Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
 
             <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
-            <Handler type="MetadataGenerator" Location="/Metadata" signing="true"/>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
 
             <!-- Status reporting service. -->
             <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
@@ -211,18 +221,26 @@
 			styleSheet="/shibboleth-sp/main.css"/>
 		
 		<!-- Configure handling of outgoing messages and SOAP authentication. -->
-		<DefaultRelyingParty authType="TLS" artifactEndpointIndex="1" signing="front" encryption="front">
+		<DefaultRelyingParty authType="TLS" artifactEndpointIndex="1" signing="false" encryption="false">
 			<!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
-			<!--
-			<RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
-			-->
+			<!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->
 		</DefaultRelyingParty>
 
-		<!-- Chains together all your metadata sources. -->
-		<MetadataProvider type="Chaining">
-			<!-- Dummy metadata for private testing, delete for production deployments. -->
-			<MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
-		</MetadataProvider>
+        <!-- Chains together all your metadata sources. -->
+        <MetadataProvider type="Chaining">
+        	<!-- Example of remotely supplied batch of signed metadata. -->
+        	<!--
+        	<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+        	     backingFilePath="@-PKGRUNDIR-@/federation-metadata.xml" reloadInterval="7200">
+        	   <SignatureMetadataFilter certificate="@-PKGSYSCONFDIR-@/fedsigner.pem"/>
+            </MetadataProvider>
+            -->
+
+            <!-- Example of locally maintained metadata. -->
+            <!--
+            <MetadataProvider type="XML" file="@-PKGSYSCONFDIR-@/partner-metadata.xml"/>
+            -->
+        </MetadataProvider>
 
 		<!-- Chain the two built-in trust engines together. -->
 		<TrustEngine type="Chaining">
@@ -272,11 +290,12 @@
 			</CredentialResolver>
 		</CredentialResolver>
 		-->
+		
 	</Applications>
 	
-	<!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
+	<!-- Each policy defines a set of rules to use to secure messages. -->
 	<SecurityPolicies>
-		<!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->
+		<!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
 		<Policy id="default"
 			validate="false"
 			signedAssertions="false"
diff --git a/msi/scripts/shib_edit_config_files.vbs b/msi/scripts/shib_edit_config_files.vbs
index f8ffbbc..52fc73c 100644
--- a/msi/scripts/shib_edit_config_files.vbs
+++ b/msi/scripts/shib_edit_config_files.vbs
@@ -80,16 +80,6 @@ if (Err = 0) then
   End If
   FileSystemObj.MoveFile ConfigFile, DistDir & "attribute-policy.xml"
   
-  ConfigFile = DistDir & "example-metadata.xml.in"
-  ReplaceInFile ConfigFile, "@-PKGXMLDIR-@", ConvertedDir & "/share/xml/shibboleth"
-  If (NOT FileSystemObj.FileExists(ConfigDir & "example-metadata.xml")) then
-    FileSystemObj.CopyFile ConfigFile, ConfigDir & "example-metadata.xml", false
-  End If
-  If (FileSystemObj.FileExists(DistDir & "example-metadata.xml")) then
-    FileSystemObj.DeleteFile DistDir & "example-metadata.xml", true
-  End If
-  FileSystemObj.MoveFile ConfigFile, DistDir & "example-metadata.xml"
-
   ConfigFile = DistDir & "shibboleth2.xml.in"
   ReplaceInFile ConfigFile, "@-PKGXMLDIR-@", ConvertedDir & "/share/xml/shibboleth"
   ReplaceInFile ConfigFile, "@-PKGSYSCONFDIR-@", ConvertedDir & "/etc/shibboleth"
diff --git a/postinstall b/postinstall
index 5da87d8..df3c369 100644
--- a/postinstall
+++ b/postinstall
@@ -18,8 +18,7 @@ CONFIGFILES=" \
     sp-example.crt \
     attribute-map.xml \
     attribute-policy.xml \
-    shibboleth2.xml \
-    example-metadata.xml"
+    shibboleth2.xml"
 
 for f in $CONFIGFILES; do
     if test ! -f $f; then
-- 
2.1.4