From 9d3fd0ebd06e51767ae95ac6db11efe7b5bdaeb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?= <clement@oodo.net>
Date: Mon, 31 May 2010 10:37:43 +0000
Subject: [PATCH] SAML: * Add Attribute Authority metadata (#3) * Clean
 existing metadata (remove NameID management, and set NameIDFormat directly in
 XML)

---
 .../Lemonldap/NG/Common/Conf/SAML/Metadata.pm | 12 +--
 .../lib/Lemonldap/NG/Manager/_Struct.pm       | 98 ++++++-------------
 .../lib/Lemonldap/NG/Manager/_i18n.pm         | 46 ++++-----
 .../example/skins/common/saml2-metadata.tpl   | 52 +++++-----
 4 files changed, 79 insertions(+), 129 deletions(-)

diff --git a/modules/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm b/modules/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm
index 1d01be386..09d37e744 100644
--- a/modules/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm
+++ b/modules/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm
@@ -137,14 +137,6 @@ sub serviceToXML {
       samlOrganizationName
       samlOrganizationDisplayName
       samlOrganizationURL
-      samlSPSSODescriptorProtocolSupportEnumeration
-      samlSPSSODescriptorNameIDFormatX509SubjectName
-      samlSPSSODescriptorNameIDFormatPersistent
-      samlSPSSODescriptorNameIDFormatTransient
-      samlIDPSSODescriptorProtocolSupportEnumeration
-      samlIDPSSODescriptorNameIDFormatX509SubjectName
-      samlIDPSSODescriptorNameIDFormatPersistent
-      samlIDPSSODescriptorNameIDFormatTransient
     );
 
     foreach (@param_auto) {
@@ -156,6 +148,7 @@ sub serviceToXML {
     # Boolean parameters
     my @param_boolean = qw(
       samlSPSSODescriptorAuthnRequestsSigned
+      samlSPSSODescriptorWantAssertionsSigned
       samlIDPSSODescriptorWantAuthnRequestsSigned
     );
 
@@ -205,8 +198,7 @@ sub serviceToXML {
       samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect
       samlIDPSSODescriptorSingleLogoutServiceHTTPPost
       samlIDPSSODescriptorSingleLogoutServiceSOAP
-      samlIDPSSODescriptorManageNameIDServiceHTTP
-      samlIDPSSODescriptorManageNameIDServiceSOAP
+      samlAttributeAuthorityDescriptorAttributeServiceSOAP
     );
 
     foreach (@param_service) {
diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
index 516db0af5..9bb2257d3 100644
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@@ -616,7 +616,8 @@ sub struct {
                   n:samlNameIDFormatMap
                   n:samlOrganization
                   n:samlSPSSODescriptor
-                  n:samlIDPSSODescriptor)
+                  n:samlIDPSSODescriptor
+                  n:samlAttributeAuthorityDescriptor)
             ],
             _help => 'default',
 
@@ -624,6 +625,8 @@ sub struct {
             samlEntityID => 'text:/samlEntityID',
             samlServicePrivateKey =>
               'filearea:/samlServicePrivateKey:samlServicePrivateKey:filearea',
+
+            # NAMEID FORMAT MAP
             samlNameIDFormatMap => {
                 _nodes => [
                     qw(samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos)
@@ -636,6 +639,8 @@ sub struct {
                 samlNameIDFormatMapKerberos =>
                   'text:/samlNameIDFormatMapKerberos',
             },
+
+            # ORGANIZATION
             samlOrganization => {
                 _nodes => [
                     qw(samlOrganizationDisplayName
@@ -653,16 +658,19 @@ sub struct {
             'samlSPSSODescriptor' => {
                 _nodes => [
                     qw(samlSPSSODescriptorAuthnRequestsSigned
+                      samlSPSSODescriptorWantAssertionsSigned
                       samlSPSSODescriptorKeyDescriptorSigning
                       n:samlSPSSODescriptorSingleLogoutService
                       n:samlSPSSODescriptorAssertionConsumerService
                       n:samlSPSSODescriptorArtifactResolutionService
-                      n:samlSPSSODescriptorNameIDFormat)
+                      )
                 ],
                 _help => 'default',
 
                 samlSPSSODescriptorAuthnRequestsSigned =>
                   'bool:/samlSPSSODescriptorAuthnRequestsSigned',
+                samlSPSSODescriptorWantAssertionsSigned =>
+                  'bool:/samlSPSSODescriptorWantAssertionsSigned',
                 samlSPSSODescriptorKeyDescriptorSigning =>
                   'filearea:/samlSPSSODescriptorKeyDescriptorSigning',
 
@@ -704,21 +712,6 @@ sub struct {
                     samlSPSSODescriptorArtifactResolutionServiceArtifact =>
 'samlAssertion:/samlSPSSODescriptorArtifactResolutionServiceArtifact',
                 },
-
-                samlSPSSODescriptorNameIDFormat => {
-                    _nodes => [
-                        qw(samlSPSSODescriptorNameIDFormatX509SubjectName
-                          samlSPSSODescriptorNameIDFormatPersistent
-                          samlSPSSODescriptorNameIDFormatTransient)
-                    ],
-                    _help => 'default',
-                    samlSPSSODescriptorNameIDFormatX509SubjectName =>
-'bool:/samlSPSSODescriptorNameIDFormatX509SubjectName:samlNameIDFormatX509SubjectName:bool',
-                    samlSPSSODescriptorNameIDFormatPersistent =>
-'bool:/samlSPSSODescriptorNameIDFormatPersistent:samlNameIDFormatPersistent:bool',
-                    samlSPSSODescriptorNameIDFormatTransient =>
-'bool:/samlSPSSODescriptorNameIDFormatTransient:samlNameIDFormatTransient:bool',
-                },
             },
 
             # IDENTITY PROVIDER
@@ -728,9 +721,7 @@ sub struct {
                       samlIDPSSODescriptorKeyDescriptorSigning
                       n:samlIDPSSODescriptorSingleSignOnService
                       n:samlIDPSSODescriptorSingleLogoutService
-                      n:samlIDPSSODescriptorArtifactResolutionService
-                      n:samlIDPSSODescriptorNameIDFormat
-                      n:samlIDPSSODescriptorManageNameIDService)
+                      n:samlIDPSSODescriptorArtifactResolutionService)
                 ],
                 _help => 'default',
 
@@ -778,33 +769,22 @@ sub struct {
 'samlAssertion:/samlIDPSSODescriptorArtifactResolutionServiceArtifact',
                 },
 
-                samlIDPSSODescriptorNameIDFormat => {
-                    _nodes => [
-                        qw(samlIDPSSODescriptorNameIDFormatX509SubjectName
-                          samlIDPSSODescriptorNameIDFormatPersistent
-                          samlIDPSSODescriptorNameIDFormatTransient)
-                    ],
-                    _help => 'default',
-                    samlIDPSSODescriptorNameIDFormatX509SubjectName =>
-'bool:/samlIDPSSODescriptorNameIDFormatX509SubjectName:samlNameIDFormatX509SubjectName:bool',
-                    samlIDPSSODescriptorNameIDFormatPersistent =>
-'bool:/samlIDPSSODescriptorNameIDFormatPersistent:samlNameIDFormatPersistent:bool',
-                    samlIDPSSODescriptorNameIDFormatTransient =>
-'bool:/samlIDPSSODescriptorNameIDFormatTransient:samlNameIDFormatTransient:bool',
                 },
 
-                samlIDPSSODescriptorManageNameIDService => {
+            # ATTRIBUTE AUTHORITY
+            samlAttributeAuthorityDescriptor => {
+                _nodes =>
+                  [qw(n:samlAttributeAuthorityDescriptorAttributeService)],
+                _help                                            => 'default',
+                samlAttributeAuthorityDescriptorAttributeService => {
                     _nodes => [
-                        qw(samlIDPSSODescriptorManageNameIDServiceHTTP
-                          samlIDPSSODescriptorManageNameIDServiceSOAP)
+                        qw(samlAttributeAuthorityDescriptorAttributeServiceSOAP)
                     ],
-                    _help => 'default',
-                    samlIDPSSODescriptorManageNameIDServiceHTTP =>
-'samlService:/samlIDPSSODescriptorManageNameIDServiceHTTP',
-                    samlIDPSSODescriptorManageNameIDServiceSOAP =>
-'samlService:/samlIDPSSODescriptorManageNameIDServiceSOAP',
+                    samlAttributeAuthorityDescriptorAttributeServiceSOAP =>
+'samlService:/samlAttributeAuthorityDescriptorAttributeServiceSOAP',
                 },
             },
+
         },
     };
 }
@@ -1133,6 +1113,7 @@ sub testStruct {
         samlOrganizationName                       => $testNotDefined,
         samlOrganizationURL                        => $testNotDefined,
         samlSPSSODescriptorAuthnRequestsSigned     => $boolean,
+        samlSPSSODescriptorWantAssertionsSigned            => $boolean,
         samlSPSSODescriptorKeyDescriptorSigning    => $testNotDefined,
         samlSPSSODescriptorSingleLogoutServiceHTTPRedirect => $testNotDefined,
         samlSPSSODescriptorSingleLogoutServiceHTTPPost     => $testNotDefined,
@@ -1143,9 +1124,6 @@ sub testStruct {
         samlSPSSODescriptorAssertionConsumerServiceHTTPRedirect =>
           $testNotDefined,
         samlSPSSODescriptorArtifactResolutionServiceArtifact => $testNotDefined,
-        samlSPSSODescriptorNameIDFormatX509SubjectName       => $boolean,
-        samlSPSSODescriptorNameIDFormatPersistent            => $boolean,
-        samlSPSSODescriptorNameIDFormatTransient             => $boolean,
         samlIDPSSODescriptorWantAuthnRequestsSigned          => $boolean,
         samlIDPSSODescriptorKeyDescriptorSigning             => $testNotDefined,
         samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect  => $testNotDefined,
@@ -1156,15 +1134,11 @@ sub testStruct {
         samlIDPSSODescriptorSingleLogoutServiceSOAP          => $testNotDefined,
         samlIDPSSODescriptorArtifactResolutionServiceArtifact =>
           $testNotDefined,
-        samlIDPSSODescriptorNameIDFormatX509SubjectName => $boolean,
-        samlIDPSSODescriptorNameIDFormatPersistent      => $boolean,
-        samlIDPSSODescriptorNameIDFormatTransient       => $boolean,
-        samlIDPSSODescriptorManageNameIDServiceHTTP     => $testNotDefined,
-        samlIDPSSODescriptorManageNameIDServiceSOAP     => $testNotDefined,
         samlNameIDFormatMapEmail                        => $testNotDefined,
         samlNameIDFormatMapX509                         => $testNotDefined,
         samlNameIDFormatMapWindows                      => $testNotDefined,
         samlNameIDFormatMapKerberos                     => $testNotDefined,
+        samlAttributeAuthorityDescriptorAttributeServiceSOAP => $testNotDefined,
 
         # SSL
         SSLVar       => $testNotDefined,
@@ -1312,7 +1286,8 @@ sub defaultConf {
         samlSPMetaDataOptionsCheckSSOMessageSignature  => '1',
         samlSPMetaDataOptionsSignSLOMessage            => '1',
         samlSPMetaDataOptionsCheckSLOMessageSignature  => '1',
-        samlSPSSODescriptorAuthnRequestsSigned         => '0',
+        samlSPSSODescriptorAuthnRequestsSigned         => '1',
+        samlSPSSODescriptorWantAssertionsSigned        => '1',
         samlSPSSODescriptorKeyDescriptorSigning        => '',
         samlSPSSODescriptorSingleLogoutServiceHTTPRedirect =>
           'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;' 
@@ -1346,10 +1321,7 @@ sub defaultConf {
           '1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;' 
           . $portal
           . '/saml/artifact',
-        samlSPSSODescriptorNameIDFormatX509SubjectName => '0',
-        samlSPSSODescriptorNameIDFormatPersistent      => '1',
-        samlSPSSODescriptorNameIDFormatTransient       => '0',
-        samlIDPSSODescriptorWantAuthnRequestsSigned    => '0',
+        samlIDPSSODescriptorWantAuthnRequestsSigned => '1',
         samlIDPSSODescriptorKeyDescriptorSigning       => '',
         samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect =>
           'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;' 
@@ -1383,23 +1355,15 @@ sub defaultConf {
           '1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;' 
           . $portal
           . '/saml/artifact',
-        samlIDPSSODescriptorManageNameIDServiceHTTP =>
-          'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;' 
-          . $portal
-          . '/saml/manageNameId;'
-          . $portal
-          . '/saml/manageNameIdReturn',
-        samlIDPSSODescriptorManageNameIDServiceSOAP =>
-          'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;' 
-          . $portal
-          . '/saml/manageNameIdSOAP;',
-        samlIDPSSODescriptorNameIDFormatX509SubjectName => '0',
-        samlIDPSSODescriptorNameIDFormatPersistent      => '1',
-        samlIDPSSODescriptorNameIDFormatTransient       => '0',
         samlNameIDFormatMapEmail                        => 'mail',
         samlNameIDFormatMapX509                         => 'mail',
         samlNameIDFormatMapWindows                      => 'uid',
         samlNameIDFormatMapKerberos                     => 'uid',
+        samlAttributeAuthorityDescriptorAttributeServiceSOAP =>
+          'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;' 
+          . $portal
+          . '/saml/AA/SOAP;',
+
     };
 }
 
diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
index c10e85643..672b1d83e 100644
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
@@ -268,6 +268,7 @@ sub en {
         samlSPSSODescriptor              => 'Service Provider',
         samlSPSSODescriptorAuthnRequestsSigned =>
           'Signed Authentication Request',
+        samlSPSSODescriptorWantAssertionsSigned => 'Want Assertions Signed',
         samlSPSSODescriptorKeyDescriptorSigning     => 'Signing Key',
         samlSPSSODescriptorSingleLogoutService      => 'Single Logout',
         samlSPSSODescriptorSingleLogoutServiceHTTPRedirect => 'HTTP Redirect',
@@ -282,15 +283,11 @@ sub en {
         samlSPSSODescriptorArtifactResolutionService => 'Artifact Resolution',
         samlSPSSODescriptorArtifactResolutionServiceArtifact =>
           'Artifact Service',
-        samlSPSSODescriptorNameIDFormat                => 'NameID Format',
-        samlSPSSODescriptorNameIDFormatX509SubjectName => 'x509',
-        samlSPSSODescriptorNameIDFormatPersistent      => 'Persistent',
-        samlSPSSODescriptorNameIDFormatTransient       => 'Transient',
         samlIDPSSODescriptor                           => 'Identity Provider',
         samlIDPSSODescriptorWantAuthnRequestsSigned =>
-          'Signed Authentication Request',
+          'Want Authentication Request Signed',
         samlIDPSSODescriptorKeyDescriptorSigning      => 'Signing Key',
-        samlIDPSSODescriptorSingleSignOnService       => 'Single Sign on',
+        samlIDPSSODescriptorSingleSignOnService             => 'Single Sign On',
         samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect => 'HTTP Redirect',
         samlIDPSSODescriptorSingleSignOnServiceHTTPPost     => 'HTTP POST',
         samlIDPSSODescriptorSingleSignOnServiceSOAP         => 'SOAP',
@@ -301,13 +298,9 @@ sub en {
         samlIDPSSODescriptorArtifactResolutionService => 'Artifact Resolution',
         samlIDPSSODescriptorArtifactResolutionServiceArtifact =>
           'Artifact Service',
-        samlIDPSSODescriptorNameIDFormat                => 'NameID Format',
-        samlIDPSSODescriptorNameIDFormatX509SubjectName => 'x509',
-        samlIDPSSODescriptorNameIDFormatPersistent      => 'Persistent',
-        samlIDPSSODescriptorNameIDFormatTransient       => 'Transient',
-        samlIDPSSODescriptorManageNameIDService         => 'NameID Manager',
-        samlIDPSSODescriptorManageNameIDServiceHTTP     => 'HTTP Redirect',
-        samlIDPSSODescriptorManageNameIDServiceSOAP     => 'SOAP',
+        samlAttributeAuthorityDescriptor => 'Attribute Authority',
+        samlAttributeAuthorityDescriptorAttributeService => 'Attribute Service',
+        samlAttributeAuthorityDescriptorAttributeServiceSOAP => 'SOAP',
     };
 }
 
@@ -538,8 +531,10 @@ sub fr {
         samlOrganizationURL              => 'URL',
         samlSPSSODescriptor              => 'Fournisseur de service',
         samlSPSSODescriptorAuthnRequestsSigned =>
-          'Requête d\'authentification signé',
-        samlSPSSODescriptorKeyDescriptorSigning     => 'Clef de signature',
+          'Requêtes d\'authentification signées',
+        samlSPSSODescriptorWantAssertionsSigned =>
+          'Exige des assertions signées',
+        samlSPSSODescriptorKeyDescriptorSigning => 'Clé de signature',
         samlSPSSODescriptorSingleLogoutService      => 'Single Logout',
         samlSPSSODescriptorSingleLogoutServiceHTTPRedirect =>
           'Redirection HTTP',
@@ -555,15 +550,11 @@ sub fr {
           'Résolution d\'Artifact',
         samlSPSSODescriptorArtifactResolutionServiceArtifact =>
           'Service Artifact',
-        samlSPSSODescriptorNameIDFormat                => 'Format NameID',
-        samlSPSSODescriptorNameIDFormatX509SubjectName => 'x509',
-        samlSPSSODescriptorNameIDFormatPersistent      => 'Persistant',
-        samlSPSSODescriptorNameIDFormatTransient       => 'Temporaire',
         samlIDPSSODescriptor => 'Fournisseur d\'identité',
         samlIDPSSODescriptorWantAuthnRequestsSigned =>
-          'Requête d\'authentification signé',
-        samlIDPSSODescriptorKeyDescriptorSigning    => 'Clef de signature',
-        samlIDPSSODescriptorSingleSignOnService     => 'Single Sign on',
+          'Exige des requêtes d\'authentification signées',
+        samlIDPSSODescriptorKeyDescriptorSigning => 'Clé de signature',
+        samlIDPSSODescriptorSingleSignOnService  => 'Single Sign On',
         samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect =>
           'Redirection HTTP',
         samlIDPSSODescriptorSingleSignOnServiceHTTPPost => 'POST HTTP',
@@ -577,13 +568,10 @@ sub fr {
           'Résolution d\'Artifact',
         samlIDPSSODescriptorArtifactResolutionServiceArtifact =>
           'Service Artifact',
-        samlIDPSSODescriptorNameIDFormat                => 'Format NameID',
-        samlIDPSSODescriptorNameIDFormatX509SubjectName => 'x509',
-        samlIDPSSODescriptorNameIDFormatPersistent      => 'Persistant',
-        samlIDPSSODescriptorNameIDFormatTransient       => 'Temporaire',
-        samlIDPSSODescriptorManageNameIDService     => 'Gestionnaire de NameID',
-        samlIDPSSODescriptorManageNameIDServiceHTTP => 'Redirection HTTP',
-        samlIDPSSODescriptorManageNameIDServiceSOAP => 'SOAP',
+        samlAttributeAuthorityDescriptor => 'Autorité d\'attributs',
+        samlAttributeAuthorityDescriptorAttributeService =>
+          'Service d\'attributs',
+        samlAttributeAuthorityDescriptorAttributeServiceSOAP => 'SOAP',
     };
 }
 
diff --git a/modules/lemonldap-ng-portal/example/skins/common/saml2-metadata.tpl b/modules/lemonldap-ng-portal/example/skins/common/saml2-metadata.tpl
index ee8e85a6e..987e124d7 100644
--- a/modules/lemonldap-ng-portal/example/skins/common/saml2-metadata.tpl
+++ b/modules/lemonldap-ng-portal/example/skins/common/saml2-metadata.tpl
@@ -41,15 +41,6 @@
       <TMPL_IF NAME="samlIDPSSODescriptorSingleLogoutServiceHTTPPostResponseLocation">
       ResponseLocation="<TMPL_VAR NAME="samlIDPSSODescriptorSingleLogoutServiceHTTPPostResponseLocation">"
       </TMPL_IF>/>
-    <ManageNameIDService
-      Binding="<TMPL_VAR NAME="samlIDPSSODescriptorManageNameIDServiceSOAPBinding">"
-      Location="<TMPL_VAR NAME="samlIDPSSODescriptorManageNameIDServiceSOAPLocation">" />
-    <ManageNameIDService
-      Binding="<TMPL_VAR NAME="samlIDPSSODescriptorManageNameIDServiceHTTPBinding">"
-      Location="<TMPL_VAR NAME="samlIDPSSODescriptorManageNameIDServiceHTTPLocation">"
-      <TMPL_IF NAME="samlIDPSSODescriptorManageNameIDServiceHTTPResponseLocation">
-      ResponseLocation="<TMPL_VAR NAME="samlIDPSSODescriptorManageNameIDServiceHTTPResponseLocation">"
-      </TMPL_IF>/>
     <SingleSignOnService
       Binding="<TMPL_VAR NAME="samlIDPSSODescriptorSingleSignOnServiceSOAPBinding">"
       Location="<TMPL_VAR NAME="samlIDPSSODescriptorSingleSignOnServiceSOAPLocation">" />
@@ -65,19 +56,17 @@
       <TMPL_IF NAME="samlIDPSSODescriptorSingleSignOnServiceHTTPPostResponseLocation">
       ResponseLocation="<TMPL_VAR NAME="samlIDPSSODescriptorSingleSignOnServiceHTTPPostResponseLocation">"
       </TMPL_IF>/>
-<TMPL_IF NAME="samlIDPSSODescriptorNameIDFormatX509SubjectName">
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
     <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
-</TMPL_IF>
-<TMPL_IF NAME="samlIDPSSODescriptorNameIDFormatPersistent">
-    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
-</TMPL_IF>
-<TMPL_IF NAME="samlIDPSSODescriptorNameIDFormatTransient">
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat>
     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-</TMPL_IF>
   </IDPSSODescriptor>
 
   <SPSSODescriptor
       AuthnRequestsSigned="<TMPL_VAR NAME="samlSPSSODescriptorAuthnRequestsSigned">"
+      WantAssertionsSigned="<TMPL_VAR NAME="samlSPSSODescriptorWantAssertionsSigned">"
       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <KeyDescriptor use="signing">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
@@ -128,17 +117,34 @@
       index="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPRedirectIndex">"
       Binding="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPRedirectBinding">"
       Location="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPRedirectLocation">" />
-<TMPL_IF NAME="samlSPSSODescriptorNameIDFormatX509SubjectName">
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
     <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
-</TMPL_IF>
-<TMPL_IF NAME="samlSPSSODescriptorNameIDFormatPersistent">
-    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
-</TMPL_IF>
-<TMPL_IF NAME="samlSPSSODescriptorNameIDFormatTransient">
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat>
     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-</TMPL_IF>
   </SPSSODescriptor>
 
+  <AttributeAuthorityDescriptor
+    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyValue>
+          <TMPL_VAR NAME="samlIDPSSODescriptorKeyDescriptorSigning">
+        </ds:KeyValue>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+    <AttributeService
+      Binding="<TMPL_VAR NAME="samlAttributeAuthorityDescriptorAttributeServiceSOAPBinding">"
+      Location="<TMPL_VAR NAME="samlAttributeAuthorityDescriptorAttributeServiceSOAPLocation">"/>
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+  </AttributeAuthorityDescriptor>
+  
   <Organization>
     <OrganizationName xml:lang="en"><TMPL_VAR NAME="samlOrganizationName"></OrganizationName>
     <OrganizationDisplayName xml:lang="en"><TMPL_VAR NAME="samlOrganizationDisplayName"></OrganizationDisplayName>