diff --git a/Dockerfile b/Dockerfile
index 99ff8c10..9a51e21e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -59,6 +59,9 @@ COPY dockerbuild/ssp-overrides/saml20-sp-remote.php $SSP_PATH/metadata/saml20-sp
 COPY dockerbuild/config/* $SSP_PATH/config/
 COPY dockerbuild/ssp-overrides/id.php $SSP_PATH/public/id.php
 COPY dockerbuild/ssp-overrides/announcement.php $SSP_PATH/announcement/announcement.php
+COPY dockerbuild/ssp-overrides/sp-php.patch sp-php.patch
+RUN patch /data/vendor/simplesamlphp/simplesamlphp/modules/saml/src/Auth/Source/SP.php sp-php.patch
+
 COPY tests /data/tests
 
 RUN chmod a+x /data/run.sh /data/run-tests.sh
diff --git a/actions-services.yml b/actions-services.yml
deleted file mode 100644
index bb62a63f..00000000
--- a/actions-services.yml
+++ /dev/null
@@ -1,313 +0,0 @@
-services:
-
-  # the db container is used by the silauth module
-  db:
-    image: mariadb:10
-    environment:
-      MYSQL_ROOT_PASSWORD: r00tp@ss!
-      MYSQL_DATABASE: silauth
-      MYSQL_USER: silauth
-      MYSQL_PASSWORD: silauth
-
-  test:
-    build:
-      context: .
-      args:
-        COMPOSER_FLAGS: "--no-interaction --no-progress"
-    depends_on:
-      - ssp-hub.local
-      - ssp-idp1.local
-      - ssp-idp2.local
-      - ssp-idp3.local
-      - ssp-sp1.local
-      - ssp-sp2.local
-      - ssp-sp3.local
-      - pwmanager.local
-      - test-browser
-    environment:
-      MYSQL_HOST: db
-      MYSQL_DATABASE: silauth
-      MYSQL_USER: silauth
-      MYSQL_PASSWORD: silauth
-      PROFILE_URL_FOR_TESTS: http://pwmanager.local/module.php/core/authenticate.php?as=ssp-hub
-      ADMIN_PASS: b
-      SECRET_SALT: abc123
-      IDP_NAME: x
-    volumes:
-      - ./dockerbuild/run-integration-tests.sh:/data/run-integration-tests.sh
-      - ./dockerbuild/run-metadata-tests.sh:/data/run-metadata-tests.sh
-      - ./dockerbuild/run-tests.sh:/data/run-tests.sh
-      - ./features:/data/features
-      - ./behat.yml:/data/behat.yml
-      - ./tests:/data/tests
-
-  test-browser:
-    image: justinribeiro/chrome-headless:stable
-    cap_add:
-      - SYS_ADMIN
-
-  ssp-hub.local:
-    build: .
-    volumes:
-      # Utilize custom certs
-      - ./development/hub/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
-
-      # Utilize custom configs
-      - ./development/hub/config/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
-      - ./development/announcement.php:/data/vendor/simplesamlphp/simplesamlphp/announcement/announcement.php
-
-      # Utilize custom metadata
-      - ./development/hub/metadata/:/data/vendor/simplesamlphp/simplesamlphp/metadata/
-
-      # Enable checking our test metadata
-      - ./dockerbuild/run-metadata-tests.sh:/data/run-metadata-tests.sh
-    environment:
-      ADMIN_PASS: "abc123"
-      SECRET_SALT: "not-secret-h57fjemb&dn^nsJFGNjweJ"
-      IDP_NAME: "Hub"
-      SECURE_COOKIE: "false"
-      SHOW_SAML_ERRORS: "true"
-      THEME_COLOR_SCHEME: "orange-light_blue"
-      HUB_MODE: "true"
-
-  ssp-idp1.local:
-    build: .
-    depends_on:
-      - db
-    volumes:
-      # Utilize custom certs
-      - ./development/idp-local/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
-
-      # Utilize custom configs
-      - ./development/idp-local/config/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
-      - ./development/announcement.php:/data/vendor/simplesamlphp/simplesamlphp/announcement/announcement.php
-      - ./development/enable-exampleauth.sh:/data/enable-exampleauth.sh
-
-      # Utilize custom metadata
-      - ./development/idp-local/metadata/saml20-idp-hosted.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-hosted.php
-      - ./development/idp-local/metadata/saml20-sp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-sp-remote.php
-
-      # Customized SSP code -- TODO: make a better solution that doesn't require hacking SSP code
-      - ./development/UserPass.php:/data/vendor/simplesamlphp/simplesamlphp/modules/exampleauth/src/Auth/Source/UserPass.php
-
-      # Enable checking our test metadata
-      - ./dockerbuild/run-metadata-tests.sh:/data/run-metadata-tests.sh
-
-      # Include the features folder (for the FakeIdBrokerClient class)
-      - ./features:/data/features
-    command: >
-      bash -c "whenavail db 3306 60 /data/vendor/simplesamlphp/simplesamlphp/modules/silauth/src/Auth/Source/yii migrate --interactive=0 &&
-      /data/enable-exampleauth.sh &&
-      /data/run.sh"
-    environment:
-      ADMIN_PASS: "a"
-      SECRET_SALT: "not-secret-h57fjemb&dn^nsJFGNjweJ"
-      IDP_NAME: "IDP 1"
-      IDP_DOMAIN_NAME: "mfaidp"
-      ID_BROKER_ACCESS_TOKEN: "dummy"
-      ID_BROKER_ASSERT_VALID_IP: "false"
-      ID_BROKER_BASE_URI: "dummy"
-      ID_BROKER_TRUSTED_IP_RANGES: "192.168.0.1/8"
-      MFA_SETUP_URL: "http://pwmanager.local/module.php/core/authenticate.php?as=ssp-hub-custom-port"
-      REMEMBER_ME_SECRET: "12345"
-      PROFILE_URL: "http://pwmanager.local/module.php/core/authenticate.php?as=ssp-hub-custom-port"
-      PROFILE_URL_FOR_TESTS: "http://pwmanager.local/module.php/core/authenticate.php?as=ssp-hub"
-      SECURE_COOKIE: "false"
-      SHOW_SAML_ERRORS: "true"
-      MYSQL_HOST: "db"
-      MYSQL_DATABASE: "silauth"
-      MYSQL_USER: "silauth"
-      MYSQL_PASSWORD: "silauth"
-      BASE_URL_PATH: "http://ssp-idp1.local/"
-
-  ssp-idp2.local:
-    build: .
-    depends_on:
-      - db
-      - broker
-    volumes:
-      # Utilize custom certs
-      - ./development/idp2-local/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
-
-      # Utilize custom configs
-      - ./development/idp2-local/config/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
-      - ./development/enable-exampleauth.sh:/data/enable-exampleauth.sh
-
-      # Utilize custom metadata
-      - ./development/idp2-local/metadata/saml20-idp-hosted.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-hosted.php
-      - ./development/idp2-local/metadata/saml20-sp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-sp-remote.php
-
-      # Customized SSP code -- TODO: make a better solution that doesn't require hacking SSP code
-      - ./development/UserPass.php:/data/vendor/simplesamlphp/simplesamlphp/modules/exampleauth/src/Auth/Source/UserPass.php
-
-    command: bash -c "/data/enable-exampleauth.sh && /data/run.sh"
-    environment:
-      ADMIN_PASS: "b"
-      SECRET_SALT: "h57fjemb&dn^nsJFGNjweJ"
-      IDP_NAME: "IDP 2"
-      IDP_DOMAIN_NAME: "ssp-idp1.local"
-      ID_BROKER_ACCESS_TOKEN: "test-cli-abc123"
-      ID_BROKER_ASSERT_VALID_IP: "true"
-      ID_BROKER_BASE_URI: "http://broker"
-      ID_BROKER_TRUSTED_IP_RANGES: "10.20.38.0/24"
-      MYSQL_HOST: "db"
-      MYSQL_DATABASE: "silauth"
-      MYSQL_USER: "silauth"
-      MYSQL_PASSWORD: "silauth"
-      SECURE_COOKIE: "false"
-      SHOW_SAML_ERRORS: "true"
-
-  ssp-idp3.local:
-    build: .
-    volumes:
-      # Utilize custom certs
-      - ./development/idp3-local/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
-
-      # Utilize custom configs
-      - ./development/idp3-local/config/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
-
-      # Utilize custom metadata
-      - ./development/idp3-local/metadata/saml20-idp-hosted.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-hosted.php
-      - ./development/idp3-local/metadata/saml20-sp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-sp-remote.php
-
-    environment:
-      ADMIN_PASS: "c"
-      SECRET_SALT: "h57fjem34fh*nsJFGNjweJ"
-      SECURE_COOKIE: "false"
-      SHOW_SAML_ERRORS: "true"
-      IDP_NAME: "IdP3"
-
-  ssp-sp1.local:
-    image: silintl/ssp-base:9.3.0
-    volumes:
-      # Utilize custom certs
-      - ./development/sp-local/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
-
-      # Utilize custom configs
-      - ./development/sp-local/config/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
-
-      # Utilize custom metadata
-      - ./development/sp-local/metadata/saml20-idp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
-
-      # Enable checking our test metadata
-      - ./dockerbuild/run-metadata-tests.sh:/data/run-metadata-tests.sh
-    environment:
-      ADMIN_EMAIL: "john_doe@there.com"
-      ADMIN_PASS: "sp1"
-      IDP_NAME: "NA"
-      SECRET_SALT: "not-secret-h57fjemb&dn^nsJFGNjweJz1"
-      SECURE_COOKIE: "false"
-      SHOW_SAML_ERRORS: "true"
-      SAML20_IDP_ENABLE: "false"
-      ADMIN_PROTECT_INDEX_PAGE: "false"
-
-  ssp-sp2.local:
-    image: silintl/ssp-base:9.3.0
-    volumes:
-      # Utilize custom certs
-      - ./development/sp2-local/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
-
-      # Utilize custom configs
-      - ./development/sp2-local/config/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
-
-      # Utilize custom metadata
-      - ./development/sp2-local/metadata/saml20-idp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
-
-    environment:
-      ADMIN_EMAIL: "john_doe@there.com"
-      ADMIN_PASS: sp2
-      IDP_NAME: "NA"
-      SECRET_SALT: h57fjemb&dn^nsJFGNjweJz2
-      SECURE_COOKIE: "false"
-      SHOW_SAML_ERRORS: "true"
-      SAML20_IDP_ENABLE: "false"
-      ADMIN_PROTECT_INDEX_PAGE: "false"
-
-  ssp-sp3.local:
-    image: silintl/ssp-base:9.3.0
-    volumes:
-      # Utilize custom certs
-      - ./development/sp3-local/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
-
-      # Utilize custom configs
-      - ./development/sp3-local/config/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
-
-      # Utilize custom metadata
-      - ./development/sp3-local/metadata/saml20-idp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
-
-    environment:
-      ADMIN_EMAIL: "john_doe@there.com"
-      ADMIN_PASS: sp3
-      IDP_NAME: "NA"
-      SECRET_SALT: h57fjemb&dn^nsJFGNjweJz3
-      SECURE_COOKIE: "false"
-      SHOW_SAML_ERRORS: "true"
-      SAML20_IDP_ENABLE: "false"
-      ADMIN_PROTECT_INDEX_PAGE: "false"
-
-
-  pwmanager.local:
-    image: silintl/ssp-base:9.3.0
-    volumes:
-      # Utilize custom certs
-      - ./development/sp-local/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
-
-      # Utilize custom configs
-      - ./development/sp-local/config/authsources-pwmanager.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
-
-      # Utilize custom metadata
-      - ./development/sp-local/metadata/saml20-idp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
-    environment:
-      ADMIN_EMAIL: "john_doe@there.com"
-      ADMIN_PASS: sp1
-      IDP_NAME: THIS VARIABLE IS REQUIRED BUT PROBABLY NOT USED
-      SECRET_SALT: NOT-a-secret-k49fjfkw73hjf9t87wjiw
-      SECURE_COOKIE: "false"
-      SHOW_SAML_ERRORS: "true"
-      SAML20_IDP_ENABLE: "false"
-      ADMIN_PROTECT_INDEX_PAGE: "false"
-
-  # the broker and brokerDb containers are used by the silauth module
-  broker:
-    image: silintl/idp-id-broker:latest
-    depends_on:
-      - brokerDb
-    environment:
-      IDP_NAME: "idp"
-      MYSQL_HOST: "brokerDb"
-      MYSQL_DATABASE: "broker"
-      MYSQL_USER: "user"
-      MYSQL_PASSWORD: "pass"
-      EMAIL_SERVICE_accessToken: "dummy"
-      EMAIL_SERVICE_assertValidIp: "false"
-      EMAIL_SERVICE_baseUrl: "dummy"
-      EMAILER_CLASS: Sil\SilIdBroker\Behat\Context\fakes\FakeEmailer
-      HELP_CENTER_URL: "https://example.org/help"
-      PASSWORD_FORGOT_URL: "https://example.org/forgot"
-      PASSWORD_PROFILE_URL: "https://example.org/profile"
-      SUPPORT_EMAIL: "support@example.org"
-      EMAIL_SIGNATURE: "one red pill, please"
-      API_ACCESS_KEYS: "test-cli-abc123"
-      APP_ENV: "prod"
-      RP_ORIGINS: "https://ssp-idp1.local,https://ssp-idp3.local,https://ssp-idp3.local"
-      HIBP_CHECK_ON_LOGIN: "false"
-      MFA_TOTP_apiBaseUrl: dummy
-      MFA_TOTP_apiKey: 10345678-1234-1234-1234-123456789012
-      MFA_TOTP_apiSecret: 11345678-1234-1234-1234-12345678
-      MFA_WEBAUTHN_apiBaseUrl: dummy
-      MFA_WEBAUTHN_apiKey: 10345678-1234-1234-1234-123456789012
-      MFA_WEBAUTHN_apiSecret: 11345678-1234-1234-1234-12345678
-      MFA_WEBAUTHN_appId: ourApp99
-      MFA_WEBAUTHN_rpDisplayName: Our App
-      MFA_WEBAUTHN_rpId: http://app99
-    volumes:
-      - ./development/m991231_235959_insert_test_users.php:/data/console/migrations/m991231_235959_insert_test_users.php
-    command: "bash -c 'whenavail brokerDb 3306 60 ./yii migrate --interactive=0 && ./run.sh'"
-
-  brokerDb:
-    image: mariadb:10
-    environment:
-      MYSQL_ROOT_PASSWORD: "r00tp@ss!"
-      MYSQL_DATABASE: "broker"
-      MYSQL_USER: "user"
-      MYSQL_PASSWORD: "pass"
diff --git a/behat.yml b/behat.yml
index 4ef546fd..0e4f8ffb 100644
--- a/behat.yml
+++ b/behat.yml
@@ -18,16 +18,15 @@ default:
     profilereview_features:
       paths:    [ '%paths.base%//features//profilereview.feature' ]
       contexts: [ 'ProfileReviewContext' ]
-#    sildisco_features:
-#      contexts: ['SilDiscoContext']
-#      paths:
-#        - '%paths.base%//features//Sp1Idp1Sp2Idp2Sp3.feature'
-#        - '%paths.base%//features//Sp1Idp2Sp2Sp3Idp1.feature'
-#        - '%paths.base%//features//Sp2Idp2Sp1Idp1Sp3.feature'
-#        - '%paths.base%//features//Sp2Idp2Sp1Idp2Sp3.feature'
-#        - '%paths.base%//features//Sp3Idp1Sp1Idp1Sp2Idp2.feature'
+    sildisco_features:
+      contexts: ['SilDiscoContext']
+      paths:
+        - '%paths.base%//features//Sp1Idp1Sp2Idp2Sp3.feature'
+        - '%paths.base%//features//Sp1Idp2Sp2Sp3Idp1.feature'
+        - '%paths.base%//features//Sp2Idp2Sp1Idp1Sp3.feature'
+        - '%paths.base%//features//Sp2Idp2Sp1Idp2Sp3.feature'
+        - '%paths.base%//features//Sp3Idp1Sp1Idp1Sp2Idp2.feature'
 #        - '%paths.base%//features//WwwMetadataCept.feature'
-#        - '%paths.base%//features//ZSp1Idp1BetaSp1Idp3.feature'
     status_features:
       paths:    [ '%paths.base%//features//status.feature' ]
       contexts: [ 'StatusContext' ]
diff --git a/development/UserPass.php b/development/UserPass.php
index 8c3b6b3e..e55c91fa 100644
--- a/development/UserPass.php
+++ b/development/UserPass.php
@@ -13,7 +13,6 @@
 use SimpleSAML\Error;
 use SimpleSAML\Logger;
 use SimpleSAML\Module\core\Auth\UserPassBase;
-use SimpleSAML\Utils;
 
 /**
  * Example authentication source - username & password.
@@ -23,7 +22,7 @@
  *
  * @package SimpleSAMLphp
  */
-class UserPass extends \SimpleSAML\Module\core\Auth\UserPassBase // GTIS
+class UserPass extends UserPassBase // GTIS
 {
     /**
      * Our users, stored in an associative array. The key of the array is "<username>:<password>",
diff --git a/development/hub/config/authsources.php b/development/hub/config/authsources.php
index b348f3bf..c3a20cbf 100644
--- a/development/hub/config/authsources.php
+++ b/development/hub/config/authsources.php
@@ -12,7 +12,7 @@
 
         // The URL to the discovery service.
         // Can be NULL/unset, in which case a builtin discovery service will be used.
-//        'discoURL'  => 'http://ssp-hub.local/module.php/sildisco/disco.php',
+        'discoURL' => 'http://ssp-hub.local/module.php/sildisco/disco.php',
 
     ],
 
diff --git a/development/hub/metadata/idp-remote.php b/development/hub/metadata/idp-remote.php
new file mode 100644
index 00000000..cfb91c19
--- /dev/null
+++ b/development/hub/metadata/idp-remote.php
@@ -0,0 +1,139 @@
+<?php
+/**
+ * SAML 2.0 remote IdP metadata for SimpleSAMLphp.
+ *
+ * Remember to remove the IdPs you don't use from this file.
+ *
+ * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
+ */
+return [
+    /*
+     * IdP 1
+     */
+    'http://ssp-idp1.local:8085' => [
+        'metadata-set' => 'saml20-idp-remote',
+        'entityid' => 'http://ssp-idp1.local:8085',
+        'name' => [
+            'en' => 'IDP 1:8085',
+        ],
+        'IDPNamespace' => 'IDP-1-custom-port',
+        'logoCaption' => 'IDP-1:8085 staff',
+        'enabled' => true,
+        'logoURL' => 'https://dummyimage.com/125x125/0f4fbd/ffffff.png&text=IDP+1+8085',
+
+        'description' => 'Local IDP for testing SSP Hub (custom port)',
+
+        'SingleSignOnService' => 'http://ssp-idp1.local:8085/saml2/idp/SSOService.php',
+        'SingleLogoutService' => 'http://ssp-idp1.local:8085/saml2/idp/SingleLogoutService.php',
+        'certData' => 'MIIDzzCCAregAwIBAgIJAPlZYTAQSIbHMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIzMTQ1WhcNMjYxMDE3MTIzMTQ1WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArssOaeKbdOQFpN6bBolwSJ/6QFBXA73Sotg60anx9v6aYdUTmi+b7SVtvOmHDgsD5X8pN/6Z11QCZfTYg2nW3ZevGZsj8W/R6C8lRLHzWUr7e7DXKfj8GKZptHlUs68kn0ndNVt9r/+irJe9KBdZ+4kAihykomNdeZg06bvkklxVcvpkOfLTQzEqJAmISPPIeOXes6hXORdqLuRNTuIKarcZ9rstLnpgAs2TE4XDOrSuUg3XFnM05eDpFQpUb0RXWcD16mLCPWw+CPrGoCfoftD5ZGfll+W2wZ7d0kQ4TbCpNyxQH35q65RPVyVNPgSNSsFFkmdcqP9DsFqjJ8YC6wIDAQABo1AwTjAdBgNVHQ4EFgQUD6oyJKOPPhvLQpDCC3027QcuQwUwHwYDVR0jBBgwFoAUD6oyJKOPPhvLQpDCC3027QcuQwUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAA6tCLHJQGfXGdFerQ3J0wUu8YDSLb0WJqPtGdIuyeiywR5ooJf8G/jjYMPgZArepLQSSi6t8/cjEdkYWejGnjMG323drQ9M1sKMUhOJF4po9R3t7IyvGAL3fSqjXA8JXH5MuGuGtChWxaqhduA0dBJhFAtAXQ61IuIQF7vSFxhTwCvJnaWdWD49sG5OqjCfgIQdY/mw70e45rLnR/bpfoigL67sTJxy+Kx2ogbvMR6lITByOEQFMt7BYpMtXrwvKUM7k9NOo1jREmJacC8PTx//jRhCWwzUj1RsfIri24BuITrawwqMsYl8DZiiwMpjUf9m4NPaf4E7+QRpzo+MCcg==',
+
+        // NOTE: This breaks being able to test the hub's authentication sources
+        //       since the hub doesn't create an SP entry in the session
+        'SPList' => ['http://ssp-sp1.local:8081', 'http://ssp-sp2.local:8082', 'http://ssp-sp3.local:8083'],
+    ],
+    'http://ssp-idp1.local' => [
+        'metadata-set' => 'saml20-idp-remote',
+        'entityid' => 'http://ssp-idp1.local',
+        'name' => [
+            'en' => 'IDP 1',
+        ],
+        'IDPNamespace' => 'IDP-1',
+        'logoCaption' => 'IDP-1 staff',
+        'enabled' => true,
+        'logoURL' => 'https://dummyimage.com/125x125/0f4fbd/ffffff.png&text=IDP+1',
+
+        'description' => 'Local IDP for testing SSP Hub (default port)',
+
+        'SingleSignOnService' => 'http://ssp-idp1.local/saml2/idp/SSOService.php',
+        'SingleLogoutService' => 'http://ssp-idp1.local/saml2/idp/SingleLogoutService.php',
+        //  'certFingerprint'      => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb'
+        'certData' => 'MIIDzzCCAregAwIBAgIJAPlZYTAQSIbHMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIzMTQ1WhcNMjYxMDE3MTIzMTQ1WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArssOaeKbdOQFpN6bBolwSJ/6QFBXA73Sotg60anx9v6aYdUTmi+b7SVtvOmHDgsD5X8pN/6Z11QCZfTYg2nW3ZevGZsj8W/R6C8lRLHzWUr7e7DXKfj8GKZptHlUs68kn0ndNVt9r/+irJe9KBdZ+4kAihykomNdeZg06bvkklxVcvpkOfLTQzEqJAmISPPIeOXes6hXORdqLuRNTuIKarcZ9rstLnpgAs2TE4XDOrSuUg3XFnM05eDpFQpUb0RXWcD16mLCPWw+CPrGoCfoftD5ZGfll+W2wZ7d0kQ4TbCpNyxQH35q65RPVyVNPgSNSsFFkmdcqP9DsFqjJ8YC6wIDAQABo1AwTjAdBgNVHQ4EFgQUD6oyJKOPPhvLQpDCC3027QcuQwUwHwYDVR0jBBgwFoAUD6oyJKOPPhvLQpDCC3027QcuQwUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAA6tCLHJQGfXGdFerQ3J0wUu8YDSLb0WJqPtGdIuyeiywR5ooJf8G/jjYMPgZArepLQSSi6t8/cjEdkYWejGnjMG323drQ9M1sKMUhOJF4po9R3t7IyvGAL3fSqjXA8JXH5MuGuGtChWxaqhduA0dBJhFAtAXQ61IuIQF7vSFxhTwCvJnaWdWD49sG5OqjCfgIQdY/mw70e45rLnR/bpfoigL67sTJxy+Kx2ogbvMR6lITByOEQFMt7BYpMtXrwvKUM7k9NOo1jREmJacC8PTx//jRhCWwzUj1RsfIri24BuITrawwqMsYl8DZiiwMpjUf9m4NPaf4E7+QRpzo+MCcg==',
+
+        // NOTE: This breaks being able to test the hub's authentication sources
+        //       since the hub doesn't create an SP entry in the session
+        'SPList' => ['http://ssp-sp1.local', 'http://ssp-sp2.local', 'http://ssp-sp3.local'],
+    ],
+
+    /*
+     * IdP 2
+     */
+    'http://ssp-idp2.local:8086' => [
+        'metadata-set' => 'saml20-idp-remote',
+        'entityid' => 'http://ssp-idp2.local:8086',
+        'name' => [
+            'en' => 'IDP 2:8086',
+        ],
+        'IDPNamespace' => 'IDP-2-custom-port',
+        'logoCaption' => 'IDP-2:8086 staff',
+        'enabled' => true,
+        'logoURL' => 'https://dummyimage.com/125x125/0f4fbd/ffffff.png&text=IDP+2+8086',
+
+        'description' => 'Local IDP2 for testing SSP Hub (custom port)',
+
+        'SingleSignOnService' => 'http://ssp-idp2.local:8086/saml2/idp/SSOService.php',
+        'SingleLogoutService' => 'http://ssp-idp2.local:8086/saml2/idp/SingleLogoutService.php',
+        'certData' => 'MIIDzzCCAregAwIBAgIJALBaUrvz1X5DMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE4MTQwMDUxWhcNMjYxMDE4MTQwMDUxWjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5mZNwjEnakJho+5etuFyx+2g9rs96iLX/LDC24aBAsdNxTNuIc1jJ7pxBxGrepEND4LkietLNBlOr1q50nq2+ddTrCfmoJB+9BqBOxcm9qWeqWbp8/arUjaxPzK3DfZrxJxIVFjzqFF7gI91y9yvEW/fqLRMhvnH1ns+N1ne59zr1y6h9mmHfBffGr1YXAfyEAuV1ich4AfTfjqhdwFwxhFLLCVnxA0bDbNw/0eGCSiA13N7a013xTurLeJu0AQaZYssMqvc/17UphH4gWDMEZAwy0EfRSBOsDOYCxeNxVajnWX1834VDpBDfpnZj996Gh8tzRQxQgT9/plHKhGiwIDAQABo1AwTjAdBgNVHQ4EFgQUApxlUQg26GrG3eH8lEG3SkqbH/swHwYDVR0jBBgwFoAUApxlUQg26GrG3eH8lEG3SkqbH/swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANhbm8WgIqBDlF7DIRVUbq04TEA9nOJG8wdjJYdoKrPX9f/E9slkFuD2StcK99RTcowa8Z2OmW7tksa+onyH611Lq21QXh4aHzQUAm2HbsmPQRZnkByeYoCJ/1tuEho+x+VGanaUICSBVWYiebAQVKHR6miFypRElibNBizm2nqp6Q9B87V8COzyDVngR1DlWDduxYaNOBgvht3Rk9Y2pVHqym42dIfN+pprcsB1PGBkY/BngIuS/aqTENbmoC737vcb06e8uzBsbCpHtqUBjPpL2psQZVJ2Y84JmHafC3B7nFQrjdZBbc9eMHfPo240Rh+pDLwxdxPqRAZdeLaUkCQ==',
+
+        // limit which Sps can use this IdP
+        'SPList' => ['http://ssp-sp1.local:8081', 'http://ssp-sp2.local:8082'],
+    ],
+    'http://ssp-idp2.local' => [
+        'metadata-set' => 'saml20-idp-remote',
+        'entityid' => 'http://ssp-idp2.local',
+        'name' => [
+            'en' => 'IDP 2',
+        ],
+        'IDPNamespace' => 'IDP-2',
+        'logoCaption' => 'IDP-2 staff',
+        'enabled' => true,
+        'logoURL' => 'https://dummyimage.com/125x125/0f4fbd/ffffff.png&text=IDP+2',
+
+        'description' => 'Local IDP2 for testing SSP Hub (normal port)',
+
+        'SingleSignOnService' => 'http://ssp-idp2.local/saml2/idp/SSOService.php',
+        'SingleLogoutService' => 'http://ssp-idp2.local/saml2/idp/SingleLogoutService.php',
+        'certData' => 'MIIDzzCCAregAwIBAgIJALBaUrvz1X5DMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE4MTQwMDUxWhcNMjYxMDE4MTQwMDUxWjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5mZNwjEnakJho+5etuFyx+2g9rs96iLX/LDC24aBAsdNxTNuIc1jJ7pxBxGrepEND4LkietLNBlOr1q50nq2+ddTrCfmoJB+9BqBOxcm9qWeqWbp8/arUjaxPzK3DfZrxJxIVFjzqFF7gI91y9yvEW/fqLRMhvnH1ns+N1ne59zr1y6h9mmHfBffGr1YXAfyEAuV1ich4AfTfjqhdwFwxhFLLCVnxA0bDbNw/0eGCSiA13N7a013xTurLeJu0AQaZYssMqvc/17UphH4gWDMEZAwy0EfRSBOsDOYCxeNxVajnWX1834VDpBDfpnZj996Gh8tzRQxQgT9/plHKhGiwIDAQABo1AwTjAdBgNVHQ4EFgQUApxlUQg26GrG3eH8lEG3SkqbH/swHwYDVR0jBBgwFoAUApxlUQg26GrG3eH8lEG3SkqbH/swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANhbm8WgIqBDlF7DIRVUbq04TEA9nOJG8wdjJYdoKrPX9f/E9slkFuD2StcK99RTcowa8Z2OmW7tksa+onyH611Lq21QXh4aHzQUAm2HbsmPQRZnkByeYoCJ/1tuEho+x+VGanaUICSBVWYiebAQVKHR6miFypRElibNBizm2nqp6Q9B87V8COzyDVngR1DlWDduxYaNOBgvht3Rk9Y2pVHqym42dIfN+pprcsB1PGBkY/BngIuS/aqTENbmoC737vcb06e8uzBsbCpHtqUBjPpL2psQZVJ2Y84JmHafC3B7nFQrjdZBbc9eMHfPo240Rh+pDLwxdxPqRAZdeLaUkCQ==',
+
+        // limit which Sps can use this IdP
+        'SPList' => ['http://ssp-sp1.local', 'http://ssp-sp2.local'],
+    ],
+
+    /*
+     * IdP 3
+     */
+    'http://ssp-idp3.local:8087' => [
+        'metadata-set' => 'saml20-idp-remote',
+        'entityid' => 'http://ssp-idp3.local:8087',
+        'name' => [
+            'en' => 'IDP 3:8087',
+        ],
+        'IDPNamespace' => 'IDP-3-custom-port',
+        'logoCaption' => 'IDP-3:8087 staff',
+        'enabled' => false,
+        'logoURL' => 'https://dummyimage.com/125x125/0f4fbd/ffffff.png&text=IDP+3+8087',
+
+        'description' => 'Local IDP3 for testing SSP Hub (custom port)',
+
+        'SingleSignOnService' => 'http://ssp-idp3.local:8087/saml2/idp/SSOService.php',
+        'SingleLogoutService' => 'http://ssp-idp3.local:8087/saml2/idp/SingleLogoutService.php',
+        'certData' => 'MIIDzzCCAregAwIBAgIJALBaUrvz1X5DMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE4MTQwMDUxWhcNMjYxMDE4MTQwMDUxWjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5mZNwjEnakJho+5etuFyx+2g9rs96iLX/LDC24aBAsdNxTNuIc1jJ7pxBxGrepEND4LkietLNBlOr1q50nq2+ddTrCfmoJB+9BqBOxcm9qWeqWbp8/arUjaxPzK3DfZrxJxIVFjzqFF7gI91y9yvEW/fqLRMhvnH1ns+N1ne59zr1y6h9mmHfBffGr1YXAfyEAuV1ich4AfTfjqhdwFwxhFLLCVnxA0bDbNw/0eGCSiA13N7a013xTurLeJu0AQaZYssMqvc/17UphH4gWDMEZAwy0EfRSBOsDOYCxeNxVajnWX1834VDpBDfpnZj996Gh8tzRQxQgT9/plHKhGiwIDAQABo1AwTjAdBgNVHQ4EFgQUApxlUQg26GrG3eH8lEG3SkqbH/swHwYDVR0jBBgwFoAUApxlUQg26GrG3eH8lEG3SkqbH/swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANhbm8WgIqBDlF7DIRVUbq04TEA9nOJG8wdjJYdoKrPX9f/E9slkFuD2StcK99RTcowa8Z2OmW7tksa+onyH611Lq21QXh4aHzQUAm2HbsmPQRZnkByeYoCJ/1tuEho+x+VGanaUICSBVWYiebAQVKHR6miFypRElibNBizm2nqp6Q9B87V8COzyDVngR1DlWDduxYaNOBgvht3Rk9Y2pVHqym42dIfN+pprcsB1PGBkY/BngIuS/aqTENbmoC737vcb06e8uzBsbCpHtqUBjPpL2psQZVJ2Y84JmHafC3B7nFQrjdZBbc9eMHfPo240Rh+pDLwxdxPqRAZdeLaUkCQ==',
+    ],
+    'http://ssp-idp3.local' => [
+        'metadata-set' => 'saml20-idp-remote',
+        'entityid' => 'http://ssp-idp3.local',
+        'name' => [
+            'en' => 'IDP 3',
+        ],
+        'IDPNamespace' => 'IDP-3',
+        'logoCaption' => 'IDP-3 staff',
+        'enabled' => false,
+        'logoURL' => 'https://dummyimage.com/125x125/0f4fbd/ffffff.png&text=IDP+3',
+
+        'description' => 'Local IDP3 for testing SSP Hub',
+
+        'SingleSignOnService' => 'http://ssp-idp3.local/saml2/idp/SSOService.php',
+        'SingleLogoutService' => 'http://ssp-idp3.local/saml2/idp/SingleLogoutService.php',
+        'certData' => 'MIIDzzCCAregAwIBAgIJALBaUrvz1X5DMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE4MTQwMDUxWhcNMjYxMDE4MTQwMDUxWjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5mZNwjEnakJho+5etuFyx+2g9rs96iLX/LDC24aBAsdNxTNuIc1jJ7pxBxGrepEND4LkietLNBlOr1q50nq2+ddTrCfmoJB+9BqBOxcm9qWeqWbp8/arUjaxPzK3DfZrxJxIVFjzqFF7gI91y9yvEW/fqLRMhvnH1ns+N1ne59zr1y6h9mmHfBffGr1YXAfyEAuV1ich4AfTfjqhdwFwxhFLLCVnxA0bDbNw/0eGCSiA13N7a013xTurLeJu0AQaZYssMqvc/17UphH4gWDMEZAwy0EfRSBOsDOYCxeNxVajnWX1834VDpBDfpnZj996Gh8tzRQxQgT9/plHKhGiwIDAQABo1AwTjAdBgNVHQ4EFgQUApxlUQg26GrG3eH8lEG3SkqbH/swHwYDVR0jBBgwFoAUApxlUQg26GrG3eH8lEG3SkqbH/swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANhbm8WgIqBDlF7DIRVUbq04TEA9nOJG8wdjJYdoKrPX9f/E9slkFuD2StcK99RTcowa8Z2OmW7tksa+onyH611Lq21QXh4aHzQUAm2HbsmPQRZnkByeYoCJ/1tuEho+x+VGanaUICSBVWYiebAQVKHR6miFypRElibNBizm2nqp6Q9B87V8COzyDVngR1DlWDduxYaNOBgvht3Rk9Y2pVHqym42dIfN+pprcsB1PGBkY/BngIuS/aqTENbmoC737vcb06e8uzBsbCpHtqUBjPpL2psQZVJ2Y84JmHafC3B7nFQrjdZBbc9eMHfPo240Rh+pDLwxdxPqRAZdeLaUkCQ==',
+    ],
+
+];
diff --git a/development/hub/metadata/saml20-idp-hosted.php b/development/hub/metadata/saml20-idp-hosted.php
index ba8cd8b8..3d26b31c 100644
--- a/development/hub/metadata/saml20-idp-hosted.php
+++ b/development/hub/metadata/saml20-idp-hosted.php
@@ -6,6 +6,8 @@
  */
 
 $metadata['ssp-hub.local'] = [
+    'entityid' => 'ssp-hub.local',
+
     /*
      * The hostname of the server (VHOST) that will use this SAML entity.
      *
diff --git a/development/hub/metadata/saml20-idp-remote.php b/development/hub/metadata/saml20-idp-remote.php
deleted file mode 100644
index ce8c6a93..00000000
--- a/development/hub/metadata/saml20-idp-remote.php
+++ /dev/null
@@ -1,140 +0,0 @@
-<?php
-/**
- * SAML 2.0 remote IdP metadata for SimpleSAMLphp.
- *
- * Remember to remove the IdPs you don't use from this file.
- *
- * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
- */
-
-/*
- * IdP 1
- */
-$metadata['http://ssp-idp1.local:8085'] = [
-    'metadata-set' => 'saml20-idp-remote',
-    'entityid' => 'http://ssp-idp1.local:8085',
-    'name' => [
-        'en' => 'IDP 1:8085',
-    ],
-    'IDPNamespace' => 'IDP-1-custom-port',
-    'logoCaption' => 'IDP-1:8085 staff',
-    'enabled' => true,
-    'logoURL' => 'https://dummyimage.com/125x125/0f4fbd/ffffff.png&text=IDP+1+8085',
-
-    'description' => 'Local IDP for testing SSP Hub (custom port)',
-
-    'SingleSignOnService' => 'http://ssp-idp1.local:8085/saml2/idp/SSOService.php',
-    'SingleLogoutService' => 'http://ssp-idp1.local:8085/saml2/idp/SingleLogoutService.php',
-    'certData' => 'MIIDzzCCAregAwIBAgIJAPlZYTAQSIbHMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIzMTQ1WhcNMjYxMDE3MTIzMTQ1WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArssOaeKbdOQFpN6bBolwSJ/6QFBXA73Sotg60anx9v6aYdUTmi+b7SVtvOmHDgsD5X8pN/6Z11QCZfTYg2nW3ZevGZsj8W/R6C8lRLHzWUr7e7DXKfj8GKZptHlUs68kn0ndNVt9r/+irJe9KBdZ+4kAihykomNdeZg06bvkklxVcvpkOfLTQzEqJAmISPPIeOXes6hXORdqLuRNTuIKarcZ9rstLnpgAs2TE4XDOrSuUg3XFnM05eDpFQpUb0RXWcD16mLCPWw+CPrGoCfoftD5ZGfll+W2wZ7d0kQ4TbCpNyxQH35q65RPVyVNPgSNSsFFkmdcqP9DsFqjJ8YC6wIDAQABo1AwTjAdBgNVHQ4EFgQUD6oyJKOPPhvLQpDCC3027QcuQwUwHwYDVR0jBBgwFoAUD6oyJKOPPhvLQpDCC3027QcuQwUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAA6tCLHJQGfXGdFerQ3J0wUu8YDSLb0WJqPtGdIuyeiywR5ooJf8G/jjYMPgZArepLQSSi6t8/cjEdkYWejGnjMG323drQ9M1sKMUhOJF4po9R3t7IyvGAL3fSqjXA8JXH5MuGuGtChWxaqhduA0dBJhFAtAXQ61IuIQF7vSFxhTwCvJnaWdWD49sG5OqjCfgIQdY/mw70e45rLnR/bpfoigL67sTJxy+Kx2ogbvMR6lITByOEQFMt7BYpMtXrwvKUM7k9NOo1jREmJacC8PTx//jRhCWwzUj1RsfIri24BuITrawwqMsYl8DZiiwMpjUf9m4NPaf4E7+QRpzo+MCcg==',
-
-    // NOTE: This breaks being able to test the hub's authentication sources
-    //       since the hub doesn't create an SP entry in the session
-    'SPList' => ['http://ssp-sp1.local:8081', 'http://ssp-sp2.local:8082', 'http://ssp-sp3.local:8083'],
-];
-$metadata['http://ssp-idp1.local'] = [
-    'metadata-set' => 'saml20-idp-remote',
-    'entityid' => 'http://ssp-idp1.local',
-    'name' => [
-        'en' => 'IDP 1',
-    ],
-    'IDPNamespace' => 'IDP-1',
-    'logoCaption' => 'IDP-1 staff',
-    'enabled' => true,
-    'logoURL' => 'https://dummyimage.com/125x125/0f4fbd/ffffff.png&text=IDP+1',
-
-    'description' => 'Local IDP for testing SSP Hub (default port)',
-
-    'SingleSignOnService' => 'http://ssp-idp1.local/saml2/idp/SSOService.php',
-    'SingleLogoutService' => 'http://ssp-idp1.local/saml2/idp/SingleLogoutService.php',
-    'certData' => 'MIIDzzCCAregAwIBAgIJAPlZYTAQSIbHMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIzMTQ1WhcNMjYxMDE3MTIzMTQ1WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArssOaeKbdOQFpN6bBolwSJ/6QFBXA73Sotg60anx9v6aYdUTmi+b7SVtvOmHDgsD5X8pN/6Z11QCZfTYg2nW3ZevGZsj8W/R6C8lRLHzWUr7e7DXKfj8GKZptHlUs68kn0ndNVt9r/+irJe9KBdZ+4kAihykomNdeZg06bvkklxVcvpkOfLTQzEqJAmISPPIeOXes6hXORdqLuRNTuIKarcZ9rstLnpgAs2TE4XDOrSuUg3XFnM05eDpFQpUb0RXWcD16mLCPWw+CPrGoCfoftD5ZGfll+W2wZ7d0kQ4TbCpNyxQH35q65RPVyVNPgSNSsFFkmdcqP9DsFqjJ8YC6wIDAQABo1AwTjAdBgNVHQ4EFgQUD6oyJKOPPhvLQpDCC3027QcuQwUwHwYDVR0jBBgwFoAUD6oyJKOPPhvLQpDCC3027QcuQwUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAA6tCLHJQGfXGdFerQ3J0wUu8YDSLb0WJqPtGdIuyeiywR5ooJf8G/jjYMPgZArepLQSSi6t8/cjEdkYWejGnjMG323drQ9M1sKMUhOJF4po9R3t7IyvGAL3fSqjXA8JXH5MuGuGtChWxaqhduA0dBJhFAtAXQ61IuIQF7vSFxhTwCvJnaWdWD49sG5OqjCfgIQdY/mw70e45rLnR/bpfoigL67sTJxy+Kx2ogbvMR6lITByOEQFMt7BYpMtXrwvKUM7k9NOo1jREmJacC8PTx//jRhCWwzUj1RsfIri24BuITrawwqMsYl8DZiiwMpjUf9m4NPaf4E7+QRpzo+MCcg==',
-
-    // NOTE: This breaks being able to test the hub's authentication sources
-    //       since the hub doesn't create an SP entry in the session
-    'SPList' => ['http://ssp-sp1.local', 'http://ssp-sp2.local', 'http://ssp-sp3.local'],
-];
-
-/*
- * IdP 2
- */
-$metadata['http://ssp-idp2.local:8086'] = [
-    'metadata-set' => 'saml20-idp-remote',
-    'entityid' => 'http://ssp-idp2.local:8086',
-    'name' => [
-        'en' => 'IDP 2:8086',
-    ],
-    'IDPNamespace' => 'IDP-2-custom-port',
-    'logoCaption' => 'IDP-2:8086 staff',
-    'enabled' => true,
-    'betaEnabled' => true,
-    'logoURL' => 'https://dummyimage.com/125x125/0f4fbd/ffffff.png&text=IDP+2+8086',
-
-    'description' => 'Local IDP2 for testing SSP Hub (custom port)',
-
-    'SingleSignOnService' => 'http://ssp-idp2.local:8086/saml2/idp/SSOService.php',
-    'SingleLogoutService' => 'http://ssp-idp2.local:8086/saml2/idp/SingleLogoutService.php',
-    'certData' => 'MIIDzzCCAregAwIBAgIJALBaUrvz1X5DMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE4MTQwMDUxWhcNMjYxMDE4MTQwMDUxWjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5mZNwjEnakJho+5etuFyx+2g9rs96iLX/LDC24aBAsdNxTNuIc1jJ7pxBxGrepEND4LkietLNBlOr1q50nq2+ddTrCfmoJB+9BqBOxcm9qWeqWbp8/arUjaxPzK3DfZrxJxIVFjzqFF7gI91y9yvEW/fqLRMhvnH1ns+N1ne59zr1y6h9mmHfBffGr1YXAfyEAuV1ich4AfTfjqhdwFwxhFLLCVnxA0bDbNw/0eGCSiA13N7a013xTurLeJu0AQaZYssMqvc/17UphH4gWDMEZAwy0EfRSBOsDOYCxeNxVajnWX1834VDpBDfpnZj996Gh8tzRQxQgT9/plHKhGiwIDAQABo1AwTjAdBgNVHQ4EFgQUApxlUQg26GrG3eH8lEG3SkqbH/swHwYDVR0jBBgwFoAUApxlUQg26GrG3eH8lEG3SkqbH/swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANhbm8WgIqBDlF7DIRVUbq04TEA9nOJG8wdjJYdoKrPX9f/E9slkFuD2StcK99RTcowa8Z2OmW7tksa+onyH611Lq21QXh4aHzQUAm2HbsmPQRZnkByeYoCJ/1tuEho+x+VGanaUICSBVWYiebAQVKHR6miFypRElibNBizm2nqp6Q9B87V8COzyDVngR1DlWDduxYaNOBgvht3Rk9Y2pVHqym42dIfN+pprcsB1PGBkY/BngIuS/aqTENbmoC737vcb06e8uzBsbCpHtqUBjPpL2psQZVJ2Y84JmHafC3B7nFQrjdZBbc9eMHfPo240Rh+pDLwxdxPqRAZdeLaUkCQ==',
-
-    // limit which Sps can use this IdP
-    'SPList' => ['http://ssp-sp1.local:8081', 'http://ssp-sp2.local:8082'],
-];
-$metadata['http://ssp-idp2.local'] = [
-    'metadata-set' => 'saml20-idp-remote',
-    'entityid' => 'http://ssp-idp2.local',
-    'name' => [
-        'en' => 'IDP 2',
-    ],
-    'IDPNamespace' => 'IDP-2',
-    'logoCaption' => 'IDP-2 staff',
-    'enabled' => true,
-    'betaEnabled' => true,
-    'logoURL' => 'https://dummyimage.com/125x125/0f4fbd/ffffff.png&text=IDP+2',
-
-    'description' => 'Local IDP2 for testing SSP Hub (normal port)',
-
-    'SingleSignOnService' => 'http://ssp-idp2.local/saml2/idp/SSOService.php',
-    'SingleLogoutService' => 'http://ssp-idp2.local/saml2/idp/SingleLogoutService.php',
-    'certData' => 'MIIDzzCCAregAwIBAgIJALBaUrvz1X5DMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE4MTQwMDUxWhcNMjYxMDE4MTQwMDUxWjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5mZNwjEnakJho+5etuFyx+2g9rs96iLX/LDC24aBAsdNxTNuIc1jJ7pxBxGrepEND4LkietLNBlOr1q50nq2+ddTrCfmoJB+9BqBOxcm9qWeqWbp8/arUjaxPzK3DfZrxJxIVFjzqFF7gI91y9yvEW/fqLRMhvnH1ns+N1ne59zr1y6h9mmHfBffGr1YXAfyEAuV1ich4AfTfjqhdwFwxhFLLCVnxA0bDbNw/0eGCSiA13N7a013xTurLeJu0AQaZYssMqvc/17UphH4gWDMEZAwy0EfRSBOsDOYCxeNxVajnWX1834VDpBDfpnZj996Gh8tzRQxQgT9/plHKhGiwIDAQABo1AwTjAdBgNVHQ4EFgQUApxlUQg26GrG3eH8lEG3SkqbH/swHwYDVR0jBBgwFoAUApxlUQg26GrG3eH8lEG3SkqbH/swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANhbm8WgIqBDlF7DIRVUbq04TEA9nOJG8wdjJYdoKrPX9f/E9slkFuD2StcK99RTcowa8Z2OmW7tksa+onyH611Lq21QXh4aHzQUAm2HbsmPQRZnkByeYoCJ/1tuEho+x+VGanaUICSBVWYiebAQVKHR6miFypRElibNBizm2nqp6Q9B87V8COzyDVngR1DlWDduxYaNOBgvht3Rk9Y2pVHqym42dIfN+pprcsB1PGBkY/BngIuS/aqTENbmoC737vcb06e8uzBsbCpHtqUBjPpL2psQZVJ2Y84JmHafC3B7nFQrjdZBbc9eMHfPo240Rh+pDLwxdxPqRAZdeLaUkCQ==',
-
-    // limit which Sps can use this IdP
-    'SPList' => ['http://ssp-sp1.local', 'http://ssp-sp2.local'],
-];
-
-/*
- * IdP 3
- */
-$metadata['http://ssp-idp3.local:8087'] = [
-    'metadata-set' => 'saml20-idp-remote',
-    'entityid' => 'http://ssp-idp3.local:8087',
-    'name' => [
-        'en' => 'IDP 3:8087',
-    ],
-    'IDPNamespace' => 'IDP-3-custom-port',
-    'logoCaption' => 'IDP-3:8087 staff',
-    'enabled' => false,
-    'betaEnabled' => true,
-    'logoURL' => 'https://dummyimage.com/125x125/0f4fbd/ffffff.png&text=IDP+3+8087',
-
-    'description' => 'Local IDP3 for testing SSP Hub (custom port)',
-
-    'SingleSignOnService' => 'http://ssp-idp3.local:8087/saml2/idp/SSOService.php',
-    'SingleLogoutService' => 'http://ssp-idp3.local:8087/saml2/idp/SingleLogoutService.php',
-    'certData' => 'MIIDzzCCAregAwIBAgIJALBaUrvz1X5DMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE4MTQwMDUxWhcNMjYxMDE4MTQwMDUxWjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5mZNwjEnakJho+5etuFyx+2g9rs96iLX/LDC24aBAsdNxTNuIc1jJ7pxBxGrepEND4LkietLNBlOr1q50nq2+ddTrCfmoJB+9BqBOxcm9qWeqWbp8/arUjaxPzK3DfZrxJxIVFjzqFF7gI91y9yvEW/fqLRMhvnH1ns+N1ne59zr1y6h9mmHfBffGr1YXAfyEAuV1ich4AfTfjqhdwFwxhFLLCVnxA0bDbNw/0eGCSiA13N7a013xTurLeJu0AQaZYssMqvc/17UphH4gWDMEZAwy0EfRSBOsDOYCxeNxVajnWX1834VDpBDfpnZj996Gh8tzRQxQgT9/plHKhGiwIDAQABo1AwTjAdBgNVHQ4EFgQUApxlUQg26GrG3eH8lEG3SkqbH/swHwYDVR0jBBgwFoAUApxlUQg26GrG3eH8lEG3SkqbH/swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANhbm8WgIqBDlF7DIRVUbq04TEA9nOJG8wdjJYdoKrPX9f/E9slkFuD2StcK99RTcowa8Z2OmW7tksa+onyH611Lq21QXh4aHzQUAm2HbsmPQRZnkByeYoCJ/1tuEho+x+VGanaUICSBVWYiebAQVKHR6miFypRElibNBizm2nqp6Q9B87V8COzyDVngR1DlWDduxYaNOBgvht3Rk9Y2pVHqym42dIfN+pprcsB1PGBkY/BngIuS/aqTENbmoC737vcb06e8uzBsbCpHtqUBjPpL2psQZVJ2Y84JmHafC3B7nFQrjdZBbc9eMHfPo240Rh+pDLwxdxPqRAZdeLaUkCQ==',
-];
-$metadata['http://ssp-idp3.local'] = [
-    'metadata-set' => 'saml20-idp-remote',
-    'entityid' => 'http://ssp-idp3.local',
-    'name' => [
-        'en' => 'IDP 3',
-    ],
-    'IDPNamespace' => 'IDP-3',
-    'logoCaption' => 'IDP-3 staff',
-    'enabled' => false,
-    'betaEnabled' => true,
-    'logoURL' => 'https://dummyimage.com/125x125/0f4fbd/ffffff.png&text=IDP+3',
-
-    'description' => 'Local IDP3 for testing SSP Hub',
-
-    'SingleSignOnService' => 'http://ssp-idp3.local/saml2/idp/SSOService.php',
-    'SingleLogoutService' => 'http://ssp-idp3.local/saml2/idp/SingleLogoutService.php',
-    'certData' => 'MIIDzzCCAregAwIBAgIJALBaUrvz1X5DMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE4MTQwMDUxWhcNMjYxMDE4MTQwMDUxWjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5mZNwjEnakJho+5etuFyx+2g9rs96iLX/LDC24aBAsdNxTNuIc1jJ7pxBxGrepEND4LkietLNBlOr1q50nq2+ddTrCfmoJB+9BqBOxcm9qWeqWbp8/arUjaxPzK3DfZrxJxIVFjzqFF7gI91y9yvEW/fqLRMhvnH1ns+N1ne59zr1y6h9mmHfBffGr1YXAfyEAuV1ich4AfTfjqhdwFwxhFLLCVnxA0bDbNw/0eGCSiA13N7a013xTurLeJu0AQaZYssMqvc/17UphH4gWDMEZAwy0EfRSBOsDOYCxeNxVajnWX1834VDpBDfpnZj996Gh8tzRQxQgT9/plHKhGiwIDAQABo1AwTjAdBgNVHQ4EFgQUApxlUQg26GrG3eH8lEG3SkqbH/swHwYDVR0jBBgwFoAUApxlUQg26GrG3eH8lEG3SkqbH/swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANhbm8WgIqBDlF7DIRVUbq04TEA9nOJG8wdjJYdoKrPX9f/E9slkFuD2StcK99RTcowa8Z2OmW7tksa+onyH611Lq21QXh4aHzQUAm2HbsmPQRZnkByeYoCJ/1tuEho+x+VGanaUICSBVWYiebAQVKHR6miFypRElibNBizm2nqp6Q9B87V8COzyDVngR1DlWDduxYaNOBgvht3Rk9Y2pVHqym42dIfN+pprcsB1PGBkY/BngIuS/aqTENbmoC737vcb06e8uzBsbCpHtqUBjPpL2psQZVJ2Y84JmHafC3B7nFQrjdZBbc9eMHfPo240Rh+pDLwxdxPqRAZdeLaUkCQ==',
-];
diff --git a/development/hub/metadata/saml20-sp-remote.php b/development/hub/metadata/saml20-sp-remote.php
deleted file mode 100644
index 95b29601..00000000
--- a/development/hub/metadata/saml20-sp-remote.php
+++ /dev/null
@@ -1,85 +0,0 @@
-<?php
-/**
- * SAML 2.0 remote SP metadata for SimpleSAMLphp.
- *
- * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
- */
-
-/*
- * Example SimpleSAMLphp SAML 2.0 SP
- */
-$metadata['http://ssp-sp1.local:8081'] = [
-    'name' => "SP1 (custom port)",
-    'AssertionConsumerService' => 'http://ssp-sp1.local:8081/module.php/saml/sp/saml2-acs.php/ssp-hub-custom-port',
-    'SingleLogoutService' => 'http://ssp-sp1.local:8081/module.php/saml/sp/saml2-logout.php/ssp-hub-custom-port',
-    'certData' => 'MIIDzzCCAregAwIBAgIJAPnOHgSgAeNrMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIyNzU2WhcNMjYxMDE3MTIyNzU2WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0u+mXWS8vUkKjtJcK1hd0iGW2vbTvYosgyDdqClcSzwpbWJg1A1ChuiQIf7S+5bWL2AN4zMoem/JTn7cE9octqU34ZJAyP/cesppA9G53F9gH4XdoPgnWsb8vdWooDDUk+asc7ah/XwKixQNcELPDZkOba5+pqoKGjMxfL7JQ6+P6LB+xItzvLBXU4+onbGPIF6pmZ8S74mt0J62Y6ne40BHx8FdrtBgdk5TFcDedW09rRJrTFpi3hGSUkcjqj84B+oLAb08Z0SHoELMp5Yh7Tg5QZ2c+S8I47tQjV72rNhUYhIyFuImzSg27R7aRJ6Jj6sK4zEg0Ai4VhO4RmgyzwIDAQABo1AwTjAdBgNVHQ4EFgQUgkYcMbT0o8kmxAz2O3+p1lDVj1MwHwYDVR0jBBgwFoAUgkYcMbT0o8kmxAz2O3+p1lDVj1MwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANgyTgMVRghgL8klqvZvQpfh80XDPTZotJCc8mZJZ98YkNC8jnR2RIUJpah+XrgotlKNDOK3HMNuyKGgYcqcno4PdDXKbqp4yXmywdNbbEHwPWDGqZXULw2az+UVwPUZJcJyJuwJjy3diCJT53N9G0LqXfeEsV0OPQPaB2PWgYNraBd59fckmBTc298HuvsHtxUcoXM53ms2Ck6GygGwH1vCg7qyIRRQFL4DiSlnoS8jxt3IIpZZs9FAl1ejtFBepSne9kEo7lLhAWY1TQqRrRXNHngG/L70ZkZonE9TNK/9xIHuaawqWkV6WLnkhT0DHCOw67GP97MWzceyFw+n9Vg==',
-    'IDPList' => [
-        'http://ssp-idp1.local:8085',
-        'http://ssp-idp2.local:8086',
-        'http://ssp-idp3.local:8087',
-    ],
-    'assertion.encryption' => true,
-];
-
-$metadata['http://ssp-sp1.local'] = [
-    'name' => "SP1",
-    'AssertionConsumerService' => 'http://ssp-sp1.local/module.php/saml/sp/saml2-acs.php/ssp-hub',
-    'SingleLogoutService' => 'http://ssp-sp1.local/module.php/saml/sp/saml2-logout.php/ssp-hub',
-    'certData' => 'MIIDzzCCAregAwIBAgIJAPnOHgSgAeNrMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIyNzU2WhcNMjYxMDE3MTIyNzU2WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0u+mXWS8vUkKjtJcK1hd0iGW2vbTvYosgyDdqClcSzwpbWJg1A1ChuiQIf7S+5bWL2AN4zMoem/JTn7cE9octqU34ZJAyP/cesppA9G53F9gH4XdoPgnWsb8vdWooDDUk+asc7ah/XwKixQNcELPDZkOba5+pqoKGjMxfL7JQ6+P6LB+xItzvLBXU4+onbGPIF6pmZ8S74mt0J62Y6ne40BHx8FdrtBgdk5TFcDedW09rRJrTFpi3hGSUkcjqj84B+oLAb08Z0SHoELMp5Yh7Tg5QZ2c+S8I47tQjV72rNhUYhIyFuImzSg27R7aRJ6Jj6sK4zEg0Ai4VhO4RmgyzwIDAQABo1AwTjAdBgNVHQ4EFgQUgkYcMbT0o8kmxAz2O3+p1lDVj1MwHwYDVR0jBBgwFoAUgkYcMbT0o8kmxAz2O3+p1lDVj1MwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANgyTgMVRghgL8klqvZvQpfh80XDPTZotJCc8mZJZ98YkNC8jnR2RIUJpah+XrgotlKNDOK3HMNuyKGgYcqcno4PdDXKbqp4yXmywdNbbEHwPWDGqZXULw2az+UVwPUZJcJyJuwJjy3diCJT53N9G0LqXfeEsV0OPQPaB2PWgYNraBd59fckmBTc298HuvsHtxUcoXM53ms2Ck6GygGwH1vCg7qyIRRQFL4DiSlnoS8jxt3IIpZZs9FAl1ejtFBepSne9kEo7lLhAWY1TQqRrRXNHngG/L70ZkZonE9TNK/9xIHuaawqWkV6WLnkhT0DHCOw67GP97MWzceyFw+n9Vg==',
-    'IDPList' => [
-        'http://ssp-idp1.local',
-        'http://ssp-idp2.local',
-        'http://ssp-idp3.local',
-    ],
-    'assertion.encryption' => true,
-];
-
-$metadata['http://ssp-sp2.local:8082'] = [
-    'AssertionConsumerService' => 'http://ssp-sp2.local:8082/module.php/saml/sp/saml2-acs.php/ssp-hub-custom-port',
-    'SingleLogoutService' => 'http://ssp-sp2.local:8082/module.php/saml/sp/saml2-logout.php/ssp-hub-custom-port',
-    'IDPList' => [
-        'http://ssp-idp2.local:8086',
-    ],
-    'name' => 'SP2 (custom port)',
-    'certData' => 'MIIDzzCCAregAwIBAgIJAPnOHgSgAeNrMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIyNzU2WhcNMjYxMDE3MTIyNzU2WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0u+mXWS8vUkKjtJcK1hd0iGW2vbTvYosgyDdqClcSzwpbWJg1A1ChuiQIf7S+5bWL2AN4zMoem/JTn7cE9octqU34ZJAyP/cesppA9G53F9gH4XdoPgnWsb8vdWooDDUk+asc7ah/XwKixQNcELPDZkOba5+pqoKGjMxfL7JQ6+P6LB+xItzvLBXU4+onbGPIF6pmZ8S74mt0J62Y6ne40BHx8FdrtBgdk5TFcDedW09rRJrTFpi3hGSUkcjqj84B+oLAb08Z0SHoELMp5Yh7Tg5QZ2c+S8I47tQjV72rNhUYhIyFuImzSg27R7aRJ6Jj6sK4zEg0Ai4VhO4RmgyzwIDAQABo1AwTjAdBgNVHQ4EFgQUgkYcMbT0o8kmxAz2O3+p1lDVj1MwHwYDVR0jBBgwFoAUgkYcMbT0o8kmxAz2O3+p1lDVj1MwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANgyTgMVRghgL8klqvZvQpfh80XDPTZotJCc8mZJZ98YkNC8jnR2RIUJpah+XrgotlKNDOK3HMNuyKGgYcqcno4PdDXKbqp4yXmywdNbbEHwPWDGqZXULw2az+UVwPUZJcJyJuwJjy3diCJT53N9G0LqXfeEsV0OPQPaB2PWgYNraBd59fckmBTc298HuvsHtxUcoXM53ms2Ck6GygGwH1vCg7qyIRRQFL4DiSlnoS8jxt3IIpZZs9FAl1ejtFBepSne9kEo7lLhAWY1TQqRrRXNHngG/L70ZkZonE9TNK/9xIHuaawqWkV6WLnkhT0DHCOw67GP97MWzceyFw+n9Vg==',
-    'assertion.encryption' => true,
-];
-
-$metadata['http://ssp-sp2.local'] = [
-    'AssertionConsumerService' => 'http://ssp-sp2.local/module.php/saml/sp/saml2-acs.php/ssp-hub',
-    'SingleLogoutService' => 'http://ssp-sp2.local/module.php/saml/sp/saml2-logout.php/ssp-hub',
-    'IDPList' => [
-        'http://ssp-idp2.local',
-    ],
-    'name' => 'SP2',
-    'certData' => 'MIIDzzCCAregAwIBAgIJAPnOHgSgAeNrMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIyNzU2WhcNMjYxMDE3MTIyNzU2WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0u+mXWS8vUkKjtJcK1hd0iGW2vbTvYosgyDdqClcSzwpbWJg1A1ChuiQIf7S+5bWL2AN4zMoem/JTn7cE9octqU34ZJAyP/cesppA9G53F9gH4XdoPgnWsb8vdWooDDUk+asc7ah/XwKixQNcELPDZkOba5+pqoKGjMxfL7JQ6+P6LB+xItzvLBXU4+onbGPIF6pmZ8S74mt0J62Y6ne40BHx8FdrtBgdk5TFcDedW09rRJrTFpi3hGSUkcjqj84B+oLAb08Z0SHoELMp5Yh7Tg5QZ2c+S8I47tQjV72rNhUYhIyFuImzSg27R7aRJ6Jj6sK4zEg0Ai4VhO4RmgyzwIDAQABo1AwTjAdBgNVHQ4EFgQUgkYcMbT0o8kmxAz2O3+p1lDVj1MwHwYDVR0jBBgwFoAUgkYcMbT0o8kmxAz2O3+p1lDVj1MwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANgyTgMVRghgL8klqvZvQpfh80XDPTZotJCc8mZJZ98YkNC8jnR2RIUJpah+XrgotlKNDOK3HMNuyKGgYcqcno4PdDXKbqp4yXmywdNbbEHwPWDGqZXULw2az+UVwPUZJcJyJuwJjy3diCJT53N9G0LqXfeEsV0OPQPaB2PWgYNraBd59fckmBTc298HuvsHtxUcoXM53ms2Ck6GygGwH1vCg7qyIRRQFL4DiSlnoS8jxt3IIpZZs9FAl1ejtFBepSne9kEo7lLhAWY1TQqRrRXNHngG/L70ZkZonE9TNK/9xIHuaawqWkV6WLnkhT0DHCOw67GP97MWzceyFw+n9Vg==',
-    'assertion.encryption' => true,
-];
-
-// for test purposes, SP3 should be on the SPList entry of idp2
-
-$metadata['http://ssp-sp3.local:8083'] = [
-    'AssertionConsumerService' => 'http://ssp-sp3.local:8083/module.php/saml/sp/saml2-acs.php/ssp-hub',
-    'SingleLogoutService' => 'http://ssp-sp3.local:8083/module.php/saml/sp/saml2-logout.php/ssp-hub',
-    'IDPList' => [
-        'http://ssp-idp1.local:8085',
-        'http://ssp-idp2.local:8086',  // overruled by Idp2
-        'http://ssp-idp3.local:8087'
-    ],
-    'name' => 'SP3 (custom port)',
-    'certData' => 'MIIDzzCCAregAwIBAgIJAPnOHgSgAeNrMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIyNzU2WhcNMjYxMDE3MTIyNzU2WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0u+mXWS8vUkKjtJcK1hd0iGW2vbTvYosgyDdqClcSzwpbWJg1A1ChuiQIf7S+5bWL2AN4zMoem/JTn7cE9octqU34ZJAyP/cesppA9G53F9gH4XdoPgnWsb8vdWooDDUk+asc7ah/XwKixQNcELPDZkOba5+pqoKGjMxfL7JQ6+P6LB+xItzvLBXU4+onbGPIF6pmZ8S74mt0J62Y6ne40BHx8FdrtBgdk5TFcDedW09rRJrTFpi3hGSUkcjqj84B+oLAb08Z0SHoELMp5Yh7Tg5QZ2c+S8I47tQjV72rNhUYhIyFuImzSg27R7aRJ6Jj6sK4zEg0Ai4VhO4RmgyzwIDAQABo1AwTjAdBgNVHQ4EFgQUgkYcMbT0o8kmxAz2O3+p1lDVj1MwHwYDVR0jBBgwFoAUgkYcMbT0o8kmxAz2O3+p1lDVj1MwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANgyTgMVRghgL8klqvZvQpfh80XDPTZotJCc8mZJZ98YkNC8jnR2RIUJpah+XrgotlKNDOK3HMNuyKGgYcqcno4PdDXKbqp4yXmywdNbbEHwPWDGqZXULw2az+UVwPUZJcJyJuwJjy3diCJT53N9G0LqXfeEsV0OPQPaB2PWgYNraBd59fckmBTc298HuvsHtxUcoXM53ms2Ck6GygGwH1vCg7qyIRRQFL4DiSlnoS8jxt3IIpZZs9FAl1ejtFBepSne9kEo7lLhAWY1TQqRrRXNHngG/L70ZkZonE9TNK/9xIHuaawqWkV6WLnkhT0DHCOw67GP97MWzceyFw+n9Vg==',
-    'assertion.encryption' => true,
-];
-
-$metadata['http://ssp-sp3.local'] = [
-    'AssertionConsumerService' => 'http://ssp-sp3.local/module.php/saml/sp/saml2-acs.php/ssp-hub',
-    'SingleLogoutService' => 'http://ssp-sp3.local/module.php/saml/sp/saml2-logout.php/ssp-hub',
-    'IDPList' => [
-        'http://ssp-idp1.local',
-        'http://ssp-idp2.local',  // overruled by Idp2
-        'http://ssp-idp3.local'
-    ],
-    'name' => 'SP3',
-    'certData' => 'MIIDzzCCAregAwIBAgIJAPnOHgSgAeNrMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIyNzU2WhcNMjYxMDE3MTIyNzU2WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0u+mXWS8vUkKjtJcK1hd0iGW2vbTvYosgyDdqClcSzwpbWJg1A1ChuiQIf7S+5bWL2AN4zMoem/JTn7cE9octqU34ZJAyP/cesppA9G53F9gH4XdoPgnWsb8vdWooDDUk+asc7ah/XwKixQNcELPDZkOba5+pqoKGjMxfL7JQ6+P6LB+xItzvLBXU4+onbGPIF6pmZ8S74mt0J62Y6ne40BHx8FdrtBgdk5TFcDedW09rRJrTFpi3hGSUkcjqj84B+oLAb08Z0SHoELMp5Yh7Tg5QZ2c+S8I47tQjV72rNhUYhIyFuImzSg27R7aRJ6Jj6sK4zEg0Ai4VhO4RmgyzwIDAQABo1AwTjAdBgNVHQ4EFgQUgkYcMbT0o8kmxAz2O3+p1lDVj1MwHwYDVR0jBBgwFoAUgkYcMbT0o8kmxAz2O3+p1lDVj1MwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANgyTgMVRghgL8klqvZvQpfh80XDPTZotJCc8mZJZ98YkNC8jnR2RIUJpah+XrgotlKNDOK3HMNuyKGgYcqcno4PdDXKbqp4yXmywdNbbEHwPWDGqZXULw2az+UVwPUZJcJyJuwJjy3diCJT53N9G0LqXfeEsV0OPQPaB2PWgYNraBd59fckmBTc298HuvsHtxUcoXM53ms2Ck6GygGwH1vCg7qyIRRQFL4DiSlnoS8jxt3IIpZZs9FAl1ejtFBepSne9kEo7lLhAWY1TQqRrRXNHngG/L70ZkZonE9TNK/9xIHuaawqWkV6WLnkhT0DHCOw67GP97MWzceyFw+n9Vg==',
-    'assertion.encryption' => true,
-];
diff --git a/development/hub/metadata/sp-remote.php b/development/hub/metadata/sp-remote.php
new file mode 100644
index 00000000..0bc515cf
--- /dev/null
+++ b/development/hub/metadata/sp-remote.php
@@ -0,0 +1,93 @@
+<?php
+/**
+ * SAML 2.0 remote SP metadata for SimpleSAMLphp.
+ *
+ * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
+ */
+
+return [
+    /*
+     * Example SimpleSAMLphp SAML 2.0 SP
+     */
+    'http://ssp-sp1.local:8081' => [
+        'entityid' => 'http://ssp-sp1.local:8081',
+        'name' => ['en' => 'SP1 (custom port)'],
+        'AssertionConsumerService' => 'http://ssp-sp1.local:8081/module.php/saml/sp/saml2-acs.php/ssp-hub-custom-port',
+        'SingleLogoutService' => 'http://ssp-sp1.local:8081/module.php/saml/sp/saml2-logout.php/ssp-hub-custom-port',
+        'certData' => 'MIIDzzCCAregAwIBAgIJAPnOHgSgAeNrMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIyNzU2WhcNMjYxMDE3MTIyNzU2WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0u+mXWS8vUkKjtJcK1hd0iGW2vbTvYosgyDdqClcSzwpbWJg1A1ChuiQIf7S+5bWL2AN4zMoem/JTn7cE9octqU34ZJAyP/cesppA9G53F9gH4XdoPgnWsb8vdWooDDUk+asc7ah/XwKixQNcELPDZkOba5+pqoKGjMxfL7JQ6+P6LB+xItzvLBXU4+onbGPIF6pmZ8S74mt0J62Y6ne40BHx8FdrtBgdk5TFcDedW09rRJrTFpi3hGSUkcjqj84B+oLAb08Z0SHoELMp5Yh7Tg5QZ2c+S8I47tQjV72rNhUYhIyFuImzSg27R7aRJ6Jj6sK4zEg0Ai4VhO4RmgyzwIDAQABo1AwTjAdBgNVHQ4EFgQUgkYcMbT0o8kmxAz2O3+p1lDVj1MwHwYDVR0jBBgwFoAUgkYcMbT0o8kmxAz2O3+p1lDVj1MwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANgyTgMVRghgL8klqvZvQpfh80XDPTZotJCc8mZJZ98YkNC8jnR2RIUJpah+XrgotlKNDOK3HMNuyKGgYcqcno4PdDXKbqp4yXmywdNbbEHwPWDGqZXULw2az+UVwPUZJcJyJuwJjy3diCJT53N9G0LqXfeEsV0OPQPaB2PWgYNraBd59fckmBTc298HuvsHtxUcoXM53ms2Ck6GygGwH1vCg7qyIRRQFL4DiSlnoS8jxt3IIpZZs9FAl1ejtFBepSne9kEo7lLhAWY1TQqRrRXNHngG/L70ZkZonE9TNK/9xIHuaawqWkV6WLnkhT0DHCOw67GP97MWzceyFw+n9Vg==',
+        'IDPList' => [
+            'http://ssp-idp1.local:8085',
+            'http://ssp-idp2.local:8086',
+            'http://ssp-idp3.local:8087',
+        ],
+        'assertion.encryption' => true,
+    ],
+
+    'http://ssp-sp1.local' => [
+        'entityid' => 'http://ssp-sp1.local',
+        'name' => ['en' => 'SP1'],
+        'AssertionConsumerService' => 'http://ssp-sp1.local/module.php/saml/sp/saml2-acs.php/ssp-hub',
+        'SingleLogoutService' => 'http://ssp-sp1.local/module.php/saml/sp/saml2-logout.php/ssp-hub',
+        'certData' => 'MIIDzzCCAregAwIBAgIJAPnOHgSgAeNrMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIyNzU2WhcNMjYxMDE3MTIyNzU2WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0u+mXWS8vUkKjtJcK1hd0iGW2vbTvYosgyDdqClcSzwpbWJg1A1ChuiQIf7S+5bWL2AN4zMoem/JTn7cE9octqU34ZJAyP/cesppA9G53F9gH4XdoPgnWsb8vdWooDDUk+asc7ah/XwKixQNcELPDZkOba5+pqoKGjMxfL7JQ6+P6LB+xItzvLBXU4+onbGPIF6pmZ8S74mt0J62Y6ne40BHx8FdrtBgdk5TFcDedW09rRJrTFpi3hGSUkcjqj84B+oLAb08Z0SHoELMp5Yh7Tg5QZ2c+S8I47tQjV72rNhUYhIyFuImzSg27R7aRJ6Jj6sK4zEg0Ai4VhO4RmgyzwIDAQABo1AwTjAdBgNVHQ4EFgQUgkYcMbT0o8kmxAz2O3+p1lDVj1MwHwYDVR0jBBgwFoAUgkYcMbT0o8kmxAz2O3+p1lDVj1MwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANgyTgMVRghgL8klqvZvQpfh80XDPTZotJCc8mZJZ98YkNC8jnR2RIUJpah+XrgotlKNDOK3HMNuyKGgYcqcno4PdDXKbqp4yXmywdNbbEHwPWDGqZXULw2az+UVwPUZJcJyJuwJjy3diCJT53N9G0LqXfeEsV0OPQPaB2PWgYNraBd59fckmBTc298HuvsHtxUcoXM53ms2Ck6GygGwH1vCg7qyIRRQFL4DiSlnoS8jxt3IIpZZs9FAl1ejtFBepSne9kEo7lLhAWY1TQqRrRXNHngG/L70ZkZonE9TNK/9xIHuaawqWkV6WLnkhT0DHCOw67GP97MWzceyFw+n9Vg==',
+        'IDPList' => [
+            'http://ssp-idp1.local',
+            'http://ssp-idp2.local',
+            'http://ssp-idp3.local',
+        ],
+        'assertion.encryption' => true,
+    ],
+
+    'http://ssp-sp2.local:8082' => [
+        'entityid' => 'http://ssp-sp2.local:8082',
+        'name' => ['en' => 'SP2 (custom port)'],
+        'AssertionConsumerService' => 'http://ssp-sp2.local:8082/module.php/saml/sp/saml2-acs.php/ssp-hub-custom-port',
+        'SingleLogoutService' => 'http://ssp-sp2.local:8082/module.php/saml/sp/saml2-logout.php/ssp-hub-custom-port',
+        'IDPList' => [
+            'http://ssp-idp2.local:8086',
+        ],
+        'certData' => 'MIIDzzCCAregAwIBAgIJAPnOHgSgAeNrMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIyNzU2WhcNMjYxMDE3MTIyNzU2WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0u+mXWS8vUkKjtJcK1hd0iGW2vbTvYosgyDdqClcSzwpbWJg1A1ChuiQIf7S+5bWL2AN4zMoem/JTn7cE9octqU34ZJAyP/cesppA9G53F9gH4XdoPgnWsb8vdWooDDUk+asc7ah/XwKixQNcELPDZkOba5+pqoKGjMxfL7JQ6+P6LB+xItzvLBXU4+onbGPIF6pmZ8S74mt0J62Y6ne40BHx8FdrtBgdk5TFcDedW09rRJrTFpi3hGSUkcjqj84B+oLAb08Z0SHoELMp5Yh7Tg5QZ2c+S8I47tQjV72rNhUYhIyFuImzSg27R7aRJ6Jj6sK4zEg0Ai4VhO4RmgyzwIDAQABo1AwTjAdBgNVHQ4EFgQUgkYcMbT0o8kmxAz2O3+p1lDVj1MwHwYDVR0jBBgwFoAUgkYcMbT0o8kmxAz2O3+p1lDVj1MwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANgyTgMVRghgL8klqvZvQpfh80XDPTZotJCc8mZJZ98YkNC8jnR2RIUJpah+XrgotlKNDOK3HMNuyKGgYcqcno4PdDXKbqp4yXmywdNbbEHwPWDGqZXULw2az+UVwPUZJcJyJuwJjy3diCJT53N9G0LqXfeEsV0OPQPaB2PWgYNraBd59fckmBTc298HuvsHtxUcoXM53ms2Ck6GygGwH1vCg7qyIRRQFL4DiSlnoS8jxt3IIpZZs9FAl1ejtFBepSne9kEo7lLhAWY1TQqRrRXNHngG/L70ZkZonE9TNK/9xIHuaawqWkV6WLnkhT0DHCOw67GP97MWzceyFw+n9Vg==',
+        'assertion.encryption' => true,
+    ],
+
+    'http://ssp-sp2.local' => [
+        'entityid' => 'http://ssp-sp2.local',
+        'name' => ['en' => 'SP2'],
+        'AssertionConsumerService' => 'http://ssp-sp2.local/module.php/saml/sp/saml2-acs.php/ssp-hub',
+        'SingleLogoutService' => 'http://ssp-sp2.local/module.php/saml/sp/saml2-logout.php/ssp-hub',
+        'IDPList' => [
+            'http://ssp-idp2.local',
+        ],
+        'certData' => 'MIIDzzCCAregAwIBAgIJAPnOHgSgAeNrMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIyNzU2WhcNMjYxMDE3MTIyNzU2WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0u+mXWS8vUkKjtJcK1hd0iGW2vbTvYosgyDdqClcSzwpbWJg1A1ChuiQIf7S+5bWL2AN4zMoem/JTn7cE9octqU34ZJAyP/cesppA9G53F9gH4XdoPgnWsb8vdWooDDUk+asc7ah/XwKixQNcELPDZkOba5+pqoKGjMxfL7JQ6+P6LB+xItzvLBXU4+onbGPIF6pmZ8S74mt0J62Y6ne40BHx8FdrtBgdk5TFcDedW09rRJrTFpi3hGSUkcjqj84B+oLAb08Z0SHoELMp5Yh7Tg5QZ2c+S8I47tQjV72rNhUYhIyFuImzSg27R7aRJ6Jj6sK4zEg0Ai4VhO4RmgyzwIDAQABo1AwTjAdBgNVHQ4EFgQUgkYcMbT0o8kmxAz2O3+p1lDVj1MwHwYDVR0jBBgwFoAUgkYcMbT0o8kmxAz2O3+p1lDVj1MwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANgyTgMVRghgL8klqvZvQpfh80XDPTZotJCc8mZJZ98YkNC8jnR2RIUJpah+XrgotlKNDOK3HMNuyKGgYcqcno4PdDXKbqp4yXmywdNbbEHwPWDGqZXULw2az+UVwPUZJcJyJuwJjy3diCJT53N9G0LqXfeEsV0OPQPaB2PWgYNraBd59fckmBTc298HuvsHtxUcoXM53ms2Ck6GygGwH1vCg7qyIRRQFL4DiSlnoS8jxt3IIpZZs9FAl1ejtFBepSne9kEo7lLhAWY1TQqRrRXNHngG/L70ZkZonE9TNK/9xIHuaawqWkV6WLnkhT0DHCOw67GP97MWzceyFw+n9Vg==',
+        'assertion.encryption' => true,
+    ],
+
+    // for test purposes, SP3 should be on the SPList entry of idp2
+
+    'http://ssp-sp3.local:8083' => [
+        'entityid' => 'http://ssp-sp3.local:8083',
+        'name' => ['en' => 'SP3 (custom port)'],
+        'AssertionConsumerService' => 'http://ssp-sp3.local:8083/module.php/saml/sp/saml2-acs.php/ssp-hub',
+        'SingleLogoutService' => 'http://ssp-sp3.local:8083/module.php/saml/sp/saml2-logout.php/ssp-hub',
+        'IDPList' => [
+            'http://ssp-idp1.local:8085',
+            'http://ssp-idp2.local:8086',  // overruled by Idp2
+            'http://ssp-idp3.local:8087'
+        ],
+        'certData' => 'MIIDzzCCAregAwIBAgIJAPnOHgSgAeNrMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIyNzU2WhcNMjYxMDE3MTIyNzU2WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0u+mXWS8vUkKjtJcK1hd0iGW2vbTvYosgyDdqClcSzwpbWJg1A1ChuiQIf7S+5bWL2AN4zMoem/JTn7cE9octqU34ZJAyP/cesppA9G53F9gH4XdoPgnWsb8vdWooDDUk+asc7ah/XwKixQNcELPDZkOba5+pqoKGjMxfL7JQ6+P6LB+xItzvLBXU4+onbGPIF6pmZ8S74mt0J62Y6ne40BHx8FdrtBgdk5TFcDedW09rRJrTFpi3hGSUkcjqj84B+oLAb08Z0SHoELMp5Yh7Tg5QZ2c+S8I47tQjV72rNhUYhIyFuImzSg27R7aRJ6Jj6sK4zEg0Ai4VhO4RmgyzwIDAQABo1AwTjAdBgNVHQ4EFgQUgkYcMbT0o8kmxAz2O3+p1lDVj1MwHwYDVR0jBBgwFoAUgkYcMbT0o8kmxAz2O3+p1lDVj1MwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANgyTgMVRghgL8klqvZvQpfh80XDPTZotJCc8mZJZ98YkNC8jnR2RIUJpah+XrgotlKNDOK3HMNuyKGgYcqcno4PdDXKbqp4yXmywdNbbEHwPWDGqZXULw2az+UVwPUZJcJyJuwJjy3diCJT53N9G0LqXfeEsV0OPQPaB2PWgYNraBd59fckmBTc298HuvsHtxUcoXM53ms2Ck6GygGwH1vCg7qyIRRQFL4DiSlnoS8jxt3IIpZZs9FAl1ejtFBepSne9kEo7lLhAWY1TQqRrRXNHngG/L70ZkZonE9TNK/9xIHuaawqWkV6WLnkhT0DHCOw67GP97MWzceyFw+n9Vg==',
+        'assertion.encryption' => true,
+    ],
+
+    'http://ssp-sp3.local' => [
+        'entityid' => 'http://ssp-sp3.local',
+        'name' => ['en' => 'SP3'],
+        'AssertionConsumerService' => 'http://ssp-sp3.local/module.php/saml/sp/saml2-acs.php/ssp-hub',
+        'SingleLogoutService' => 'http://ssp-sp3.local/module.php/saml/sp/saml2-logout.php/ssp-hub',
+        'IDPList' => [
+            'http://ssp-idp1.local',
+            'http://ssp-idp2.local',  // overruled by Idp2
+            'http://ssp-idp3.local'
+        ],
+        'certData' => 'MIIDzzCCAregAwIBAgIJAPnOHgSgAeNrMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIyNzU2WhcNMjYxMDE3MTIyNzU2WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0u+mXWS8vUkKjtJcK1hd0iGW2vbTvYosgyDdqClcSzwpbWJg1A1ChuiQIf7S+5bWL2AN4zMoem/JTn7cE9octqU34ZJAyP/cesppA9G53F9gH4XdoPgnWsb8vdWooDDUk+asc7ah/XwKixQNcELPDZkOba5+pqoKGjMxfL7JQ6+P6LB+xItzvLBXU4+onbGPIF6pmZ8S74mt0J62Y6ne40BHx8FdrtBgdk5TFcDedW09rRJrTFpi3hGSUkcjqj84B+oLAb08Z0SHoELMp5Yh7Tg5QZ2c+S8I47tQjV72rNhUYhIyFuImzSg27R7aRJ6Jj6sK4zEg0Ai4VhO4RmgyzwIDAQABo1AwTjAdBgNVHQ4EFgQUgkYcMbT0o8kmxAz2O3+p1lDVj1MwHwYDVR0jBBgwFoAUgkYcMbT0o8kmxAz2O3+p1lDVj1MwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANgyTgMVRghgL8klqvZvQpfh80XDPTZotJCc8mZJZ98YkNC8jnR2RIUJpah+XrgotlKNDOK3HMNuyKGgYcqcno4PdDXKbqp4yXmywdNbbEHwPWDGqZXULw2az+UVwPUZJcJyJuwJjy3diCJT53N9G0LqXfeEsV0OPQPaB2PWgYNraBd59fckmBTc298HuvsHtxUcoXM53ms2Ck6GygGwH1vCg7qyIRRQFL4DiSlnoS8jxt3IIpZZs9FAl1ejtFBepSne9kEo7lLhAWY1TQqRrRXNHngG/L70ZkZonE9TNK/9xIHuaawqWkV6WLnkhT0DHCOw67GP97MWzceyFw+n9Vg==',
+        'assertion.encryption' => true,
+    ],
+];
diff --git a/development/idp-local/metadata/saml20-idp-hosted.php b/development/idp-local/metadata/saml20-idp-hosted.php
index 8bfbdd1e..796feea3 100644
--- a/development/idp-local/metadata/saml20-idp-hosted.php
+++ b/development/idp-local/metadata/saml20-idp-hosted.php
@@ -2,6 +2,8 @@
 
 use Sil\PhpEnv\Env;
 use Sil\Psr3Adapters\Psr3SamlLogger;
+use Sil\Psr3Adapters\Psr3StdOutLogger;
+use Sil\SspBase\Features\fakes\FakeIdBrokerClient;
 
 /**
  * SAML 2.0 IdP configuration for SimpleSAMLphp.
@@ -9,10 +11,9 @@
  * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
  */
 
-use Sil\Psr3Adapters\Psr3StdOutLogger;
-use Sil\SspBase\Features\fakes\FakeIdBrokerClient;
-
 $metadata['http://ssp-idp1.local:8085'] = [
+    'entityid' => 'http://ssp-idp1.local:8085',
+
     /*
      * The hostname of the server (VHOST) that will use this SAML entity.
      *
@@ -64,8 +65,9 @@
     ],
 ];
 
-// Copy configuration for port 80 and modify host and profileUrl.
+// Copy configuration for port 80 and modify
 $metadata['http://ssp-idp1.local'] = $metadata['http://ssp-idp1.local:8085'];
+$metadata['http://ssp-idp1.local']['entityid'] = 'http://ssp-idp1.local';
 $metadata['http://ssp-idp1.local']['host'] = 'ssp-idp1.local';
 $metadata['http://ssp-idp1.local']['authproc'][10]['mfaSetupUrl'] = Env::get('PROFILE_URL_FOR_TESTS');
 $metadata['http://ssp-idp1.local']['authproc'][30]['profileUrl'] = Env::get('PROFILE_URL_FOR_TESTS');
diff --git a/development/idp-local/metadata/saml20-sp-remote.php b/development/idp-local/metadata/saml20-sp-remote.php
index 98114854..4720d9ad 100644
--- a/development/idp-local/metadata/saml20-sp-remote.php
+++ b/development/idp-local/metadata/saml20-sp-remote.php
@@ -9,6 +9,7 @@
  * Example SimpleSAMLphp SAML 2.0 SP
  */
 $metadata['ssp-hub.local'] = [
+    'entityid' => 'ssp-hub.local',
     'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
     'AssertionConsumerService' => 'http://ssp-hub.local/module.php/saml/sp/saml2-acs.php/hub-discovery',
     'SingleLogoutService' => 'http://ssp-hub.local/module.php/saml/sp/saml2-logout.php/hub-discovery',
diff --git a/development/idp2-local/metadata/saml20-idp-hosted.php b/development/idp2-local/metadata/saml20-idp-hosted.php
index e0d19e01..724dce30 100644
--- a/development/idp2-local/metadata/saml20-idp-hosted.php
+++ b/development/idp2-local/metadata/saml20-idp-hosted.php
@@ -6,6 +6,8 @@
  */
 
 $metadata['http://ssp-idp2.local:8086'] = [
+    'entityid' => 'http://ssp-idp2.local:8086',
+
     /*
      * The hostname of the server (VHOST) that will use this SAML entity.
      *
@@ -26,4 +28,5 @@
 
 // Copy configuration for port 80 and modify host.
 $metadata['http://ssp-idp2.local'] = $metadata['http://ssp-idp2.local:8086'];
+$metadata['http://ssp-idp2.local']['entityid'] = 'http://ssp-idp2.local';
 $metadata['http://ssp-idp2.local']['host'] = 'ssp-idp2.local';
diff --git a/development/idp2-local/metadata/saml20-sp-remote.php b/development/idp2-local/metadata/saml20-sp-remote.php
index 98114854..4720d9ad 100644
--- a/development/idp2-local/metadata/saml20-sp-remote.php
+++ b/development/idp2-local/metadata/saml20-sp-remote.php
@@ -9,6 +9,7 @@
  * Example SimpleSAMLphp SAML 2.0 SP
  */
 $metadata['ssp-hub.local'] = [
+    'entityid' => 'ssp-hub.local',
     'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
     'AssertionConsumerService' => 'http://ssp-hub.local/module.php/saml/sp/saml2-acs.php/hub-discovery',
     'SingleLogoutService' => 'http://ssp-hub.local/module.php/saml/sp/saml2-logout.php/hub-discovery',
diff --git a/development/idp3-local/metadata/saml20-idp-hosted.php b/development/idp3-local/metadata/saml20-idp-hosted.php
index cedd5362..2630be2c 100644
--- a/development/idp3-local/metadata/saml20-idp-hosted.php
+++ b/development/idp3-local/metadata/saml20-idp-hosted.php
@@ -6,6 +6,8 @@
  */
 
 $metadata['http://ssp-idp3.local:8087'] = [
+    'entityid' => 'http://ssp-idp3.local:8087',
+
     /*
      * The hostname of the server (VHOST) that will use this SAML entity.
      *
diff --git a/development/idp3-local/metadata/saml20-sp-remote.php b/development/idp3-local/metadata/saml20-sp-remote.php
index 98114854..4720d9ad 100644
--- a/development/idp3-local/metadata/saml20-sp-remote.php
+++ b/development/idp3-local/metadata/saml20-sp-remote.php
@@ -9,6 +9,7 @@
  * Example SimpleSAMLphp SAML 2.0 SP
  */
 $metadata['ssp-hub.local'] = [
+    'entityid' => 'ssp-hub.local',
     'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
     'AssertionConsumerService' => 'http://ssp-hub.local/module.php/saml/sp/saml2-acs.php/hub-discovery',
     'SingleLogoutService' => 'http://ssp-hub.local/module.php/saml/sp/saml2-logout.php/hub-discovery',
diff --git a/development/sp-local/metadata/saml20-idp-remote.php b/development/sp-local/metadata/saml20-idp-remote.php
index 8558a9f2..e1d53a62 100644
--- a/development/sp-local/metadata/saml20-idp-remote.php
+++ b/development/sp-local/metadata/saml20-idp-remote.php
@@ -11,6 +11,7 @@
  * Guest IdP. allows users to sign up and register. Great for testing!
  */
 $metadata['ssp-hub.local'] = [
+    'entityid' => 'ssp-hub.local',
     'SingleSignOnService' => 'http://ssp-hub.local/saml2/idp/SSOService.php',
     'SingleLogoutService' => 'http://ssp-hub.local/saml2/idp/SingleLogoutService.php',
     'certData' => 'MIIDzzCCAregAwIBAgIJANuvVcQPANecMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIzMTEyWhcNMjYxMDE3MTIzMTEyWjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxAimEkw4Teyf/gZelL7OuQYg/JbDIKHPXJhLPBm/HK6pM5ZZKydVXTdMgMqkl4xK+xZ2CnkozsUiMLhAuWBsX9Dcz1M4SkPRwk4puFhXzsp7fKIVP43zUhF7p2TmbernrrIQHjg6PuegKmCGyiKUpukcYvf2RXNwHwJx+Uq0zLP4PgBSrQ2t1eKZ1jQ+noBb1NqOuy969WRYmN4EmjXDuJB9d+b3GwtbZToWgiFxFjd/NN9BFJXZEaLzRj5LAq5bu2vPPDZDarHFMRUzVJ91eafoaz6zpR1iUGj9zR+y2sUPxD/fJMZ+4AHWA2LOrTBBIuuWbp96yvcJ4WjmlfhcFQIDAQABo1AwTjAdBgNVHQ4EFgQUkJFAMJdr2lXsuezS6pDXHnmJspMwHwYDVR0jBBgwFoAUkJFAMJdr2lXsuezS6pDXHnmJspMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAOEPbchaUr45L5i+ueookevsABYnltwJZ4rYJbF9VURPcEhB6JxTMZqb4s113ftHvVYfoAfLYZ9swETaHL+esx41yAebf0kWpQ3f63S5F2FcrTj+HP0XsvW/EDrvaTKM9jnKPNmbXrpq06eaUZfkVL0TAUsxYTKkttTSTiESEzp5wzYyhp7l3kpHhEvGOlh5suYjnZ2HN0uxscCR6PS47H6TMMEZuG032DWDC016/JniWvERtpf4Yw26V+I9xevp2E2MPcZne31Pe3sCh4Wpe4cV/SCFqZHlpnH96ncz4F+KvmmhbEx5VPhQSJNFIWEvI86k+lTNQOqj6YVvGvq95LQ==',
diff --git a/development/sp2-local/metadata/saml20-idp-remote.php b/development/sp2-local/metadata/saml20-idp-remote.php
index 8558a9f2..e1d53a62 100644
--- a/development/sp2-local/metadata/saml20-idp-remote.php
+++ b/development/sp2-local/metadata/saml20-idp-remote.php
@@ -11,6 +11,7 @@
  * Guest IdP. allows users to sign up and register. Great for testing!
  */
 $metadata['ssp-hub.local'] = [
+    'entityid' => 'ssp-hub.local',
     'SingleSignOnService' => 'http://ssp-hub.local/saml2/idp/SSOService.php',
     'SingleLogoutService' => 'http://ssp-hub.local/saml2/idp/SingleLogoutService.php',
     'certData' => 'MIIDzzCCAregAwIBAgIJANuvVcQPANecMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIzMTEyWhcNMjYxMDE3MTIzMTEyWjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxAimEkw4Teyf/gZelL7OuQYg/JbDIKHPXJhLPBm/HK6pM5ZZKydVXTdMgMqkl4xK+xZ2CnkozsUiMLhAuWBsX9Dcz1M4SkPRwk4puFhXzsp7fKIVP43zUhF7p2TmbernrrIQHjg6PuegKmCGyiKUpukcYvf2RXNwHwJx+Uq0zLP4PgBSrQ2t1eKZ1jQ+noBb1NqOuy969WRYmN4EmjXDuJB9d+b3GwtbZToWgiFxFjd/NN9BFJXZEaLzRj5LAq5bu2vPPDZDarHFMRUzVJ91eafoaz6zpR1iUGj9zR+y2sUPxD/fJMZ+4AHWA2LOrTBBIuuWbp96yvcJ4WjmlfhcFQIDAQABo1AwTjAdBgNVHQ4EFgQUkJFAMJdr2lXsuezS6pDXHnmJspMwHwYDVR0jBBgwFoAUkJFAMJdr2lXsuezS6pDXHnmJspMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAOEPbchaUr45L5i+ueookevsABYnltwJZ4rYJbF9VURPcEhB6JxTMZqb4s113ftHvVYfoAfLYZ9swETaHL+esx41yAebf0kWpQ3f63S5F2FcrTj+HP0XsvW/EDrvaTKM9jnKPNmbXrpq06eaUZfkVL0TAUsxYTKkttTSTiESEzp5wzYyhp7l3kpHhEvGOlh5suYjnZ2HN0uxscCR6PS47H6TMMEZuG032DWDC016/JniWvERtpf4Yw26V+I9xevp2E2MPcZne31Pe3sCh4Wpe4cV/SCFqZHlpnH96ncz4F+KvmmhbEx5VPhQSJNFIWEvI86k+lTNQOqj6YVvGvq95LQ==',
diff --git a/development/sp3-local/metadata/saml20-idp-remote.php b/development/sp3-local/metadata/saml20-idp-remote.php
index 8558a9f2..e1d53a62 100644
--- a/development/sp3-local/metadata/saml20-idp-remote.php
+++ b/development/sp3-local/metadata/saml20-idp-remote.php
@@ -11,6 +11,7 @@
  * Guest IdP. allows users to sign up and register. Great for testing!
  */
 $metadata['ssp-hub.local'] = [
+    'entityid' => 'ssp-hub.local',
     'SingleSignOnService' => 'http://ssp-hub.local/saml2/idp/SSOService.php',
     'SingleLogoutService' => 'http://ssp-hub.local/saml2/idp/SingleLogoutService.php',
     'certData' => 'MIIDzzCCAregAwIBAgIJANuvVcQPANecMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIzMTEyWhcNMjYxMDE3MTIzMTEyWjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxAimEkw4Teyf/gZelL7OuQYg/JbDIKHPXJhLPBm/HK6pM5ZZKydVXTdMgMqkl4xK+xZ2CnkozsUiMLhAuWBsX9Dcz1M4SkPRwk4puFhXzsp7fKIVP43zUhF7p2TmbernrrIQHjg6PuegKmCGyiKUpukcYvf2RXNwHwJx+Uq0zLP4PgBSrQ2t1eKZ1jQ+noBb1NqOuy969WRYmN4EmjXDuJB9d+b3GwtbZToWgiFxFjd/NN9BFJXZEaLzRj5LAq5bu2vPPDZDarHFMRUzVJ91eafoaz6zpR1iUGj9zR+y2sUPxD/fJMZ+4AHWA2LOrTBBIuuWbp96yvcJ4WjmlfhcFQIDAQABo1AwTjAdBgNVHQ4EFgQUkJFAMJdr2lXsuezS6pDXHnmJspMwHwYDVR0jBBgwFoAUkJFAMJdr2lXsuezS6pDXHnmJspMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAOEPbchaUr45L5i+ueookevsABYnltwJZ4rYJbF9VURPcEhB6JxTMZqb4s113ftHvVYfoAfLYZ9swETaHL+esx41yAebf0kWpQ3f63S5F2FcrTj+HP0XsvW/EDrvaTKM9jnKPNmbXrpq06eaUZfkVL0TAUsxYTKkttTSTiESEzp5wzYyhp7l3kpHhEvGOlh5suYjnZ2HN0uxscCR6PS47H6TMMEZuG032DWDC016/JniWvERtpf4Yw26V+I9xevp2E2MPcZne31Pe3sCh4Wpe4cV/SCFqZHlpnH96ncz4F+KvmmhbEx5VPhQSJNFIWEvI86k+lTNQOqj6YVvGvq95LQ==',
diff --git a/docker-compose.yml b/docker-compose.yml
index fc597778..05bca64c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -91,7 +91,10 @@ services:
       - ./development/announcement.php:/data/vendor/simplesamlphp/simplesamlphp/announcement/announcement.php
 
       # Utilize custom metadata
-      - ./development/hub/metadata/:/data/vendor/simplesamlphp/simplesamlphp/metadata/
+      - ./development/hub/metadata/idp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/idp-remote.php
+      - ./development/hub/metadata/saml20-idp-hosted.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-hosted.php
+      - ./development/hub/metadata/saml20-sp-hosted.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-sp-hosted.php
+      - ./development/hub/metadata/sp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/sp-remote.php
 
       # Enable checking our test metadata
       - ./dockerbuild/run-metadata-tests.sh:/data/run-metadata-tests.sh
diff --git a/dockerbuild/config/config.php b/dockerbuild/config/config.php
index e8837743..05cc9484 100644
--- a/dockerbuild/config/config.php
+++ b/dockerbuild/config/config.php
@@ -8,8 +8,10 @@
 
 use Sil\PhpEnv\Env;
 use Sil\PhpEnv\EnvVarNotFoundException;
+use SimpleSAML\Module\material\MaterialController;
+use SimpleSAML\Utils;
 
-$httpUtils = new \SimpleSAML\Utils\HTTP();
+$httpUtils = new Utils\HTTP();
 
 /*
  * Get config settings from ENV vars or set defaults
@@ -69,6 +71,7 @@
 $PASSWORD_CHANGE_URL = Env::get('PASSWORD_CHANGE_URL');
 $PASSWORD_FORGOT_URL = Env::get('PASSWORD_FORGOT_URL');
 $HELP_CENTER_URL = Env::get('HELP_CENTER_URL');
+$TRUSTED_URL_DOMAINS = Env::getArray('TRUSTED_URL_DOMAINS', []);
 
 $config = [
 
@@ -321,7 +324,7 @@
      * Example:
      *   'trusted.url.domains' => ['sp.example.com', 'app.example.com'],
      */
-    'trusted.url.domains' => null,
+    'trusted.url.domains' => $TRUSTED_URL_DOMAINS,
 
     /*
      * Enable regular expression matching of trusted.url.domains.
@@ -372,6 +375,7 @@
         'Referrer-Policy' => 'origin-when-cross-origin',
     ],
      */
+    'headers.security' => [],
 
 
     /************************
@@ -975,7 +979,7 @@
      * the 'theme.controller' configuration option to a class that implements the
      * \SimpleSAML\XHTML\TemplateControllerInterface interface to use it.
      */
-    //'theme.controller' => '',
+    'theme.controller' => MaterialController::class,
 
     /*
      * Templating options
@@ -1454,5 +1458,5 @@
 if ($HUB_MODE) {
     // prefix the 'member' (urn:oid:2.5.4.31) attribute elements with idp.idp_name.
     $config['authproc.idp'][48] = 'sildisco:TagGroup';
-//    $config['authproc.idp'][49] = 'sildisco:AddIdp2NameId';
+    $config['authproc.idp'][49] = 'sildisco:AddIdp2NameId';
 }
diff --git a/dockerbuild/run-tests.sh b/dockerbuild/run-tests.sh
index 37c21ec7..b4ec7739 100755
--- a/dockerbuild/run-tests.sh
+++ b/dockerbuild/run-tests.sh
@@ -9,6 +9,6 @@ set -e
 /data/run-metadata-tests.sh
 
 ./vendor/bin/phpunit -v tests/AnnouncementTest.php
-./vendor/bin/phpunit -v tests/IdpDiscoTest.php
+./vendor/bin/phpunit -v vendor/simplesamlphp/simplesamlphp/modules/sildisco/tests/
 
 /data/run-integration-tests.sh
diff --git a/dockerbuild/run.sh b/dockerbuild/run.sh
index f55cd465..d3c5dc65 100755
--- a/dockerbuild/run.sh
+++ b/dockerbuild/run.sh
@@ -6,9 +6,6 @@ set -x
 # exit if any command fails
 set -e
 
-# This is a temporary fix (bug workaround) until ssp 2.0 is in use
-sed -i 's_\(\\SimpleSAML\\Error\\Assertion::installHandler()\)_// \1 _' /data/vendor/simplesamlphp/simplesamlphp/public/_include.php
-
 # establish a signal handler to catch the SIGTERM from a 'docker stop'
 # reference: https://medium.com/@gchudnov/trapping-signals-in-docker-containers-7a57fdda7d86
 term_handler() {
diff --git a/dockerbuild/ssp-overrides/sp-php.patch b/dockerbuild/ssp-overrides/sp-php.patch
new file mode 100644
index 00000000..0a998704
--- /dev/null
+++ b/dockerbuild/ssp-overrides/sp-php.patch
@@ -0,0 +1,39 @@
+*** ../../vendor/simplesamlphp/simplesamlphp/modules/saml/src/Auth/Source/SP.php	2024-04-30 10:38:57.000000000 -0600
+--- SP.php	2024-07-11 17:07:40.000000000 -0600
+***************
+*** 809,814 ****
+--- 809,822 ----
+              $state[$k] = $v;
+          }
+  
++         /*
++          * If this SP is allowed to use more than one IdP, then send to discovery page
++          */
++         if (sizeof($state['saml:IDPList']) > 1) {
++             $state['LoginCompletedHandler'] = [SP::class, 'reauthPostLogin'];
++             $this->authenticate($state);
++         }
++ 
+          // check if we have an IDPList specified in the request
+          if (
+              isset($state['saml:IDPList'])
+***************
+*** 858,866 ****
+                  $state['core:SP']
+              ));
+  
+!             $state['saml:sp:IdPMetadata'] = $this->getIdPMetadata($state['saml:sp:IdP']);
+!             $state['saml:sp:AuthId'] = $this->authId;
+!             self::askForIdPChange($state);
+          }
+  
+          /*
+--- 866,873 ----
+                  $state['core:SP']
+              ));
+  
+!             $state['LoginCompletedHandler'] = [SP::class, 'reauthPostLogin'];
+!             $this->authenticate($state);
+          }
+  
+          /*
diff --git a/docs/the_hub.md b/docs/the_hub.md
index e366f45d..e9bab580 100644
--- a/docs/the_hub.md
+++ b/docs/the_hub.md
@@ -21,13 +21,6 @@ It is also used by the `TagGroup.php` Auth Proc to convert group names into the
 
 `idp|<IDPNamespace>|<group name>`.
 
-##### betaEnabled
-An optional metadata entry is `betaEnabled`.  
-This will allow the IdP to be marked as `'enable' => true` when the user has a certain cookie ('beta_tester') that they would get from visiting `hub_domain/module.php/sildisco/betatest.php`.  
-The user would need to manually remove that cookie to be free of this effect.
-
-Sildisco does not otherwise deal with looking at the `'enable'` value.  However, a theme for idp discovery may (e.g. simplesamlphp-module-material).
-
 ##### SPList
 In order to limit access to an IdP to only certain SP's, add an `'SPList'` array entry to the metadata for the IdP.  The values of this array should match the `entity_id` values from the `sp-remote.php` metadata.
 
diff --git a/features/ZSp1Idp1BetaSp1Idp3.feature b/features/ZSp1Idp1BetaSp1Idp3.feature
deleted file mode 100644
index b5d07091..00000000
--- a/features/ZSp1Idp1BetaSp1Idp3.feature
+++ /dev/null
@@ -1,13 +0,0 @@
-Feature: Ensure I don't see IdP 3 at first, but after I go to the Beta Tester page I can see and login through IdP 3.
-
-  Scenario: Normally the IdP3 is disabled
-    When I go to the "SP1" login page
-    And the url should match "sildisco/disco.php"
-    Then the "div" element should contain "IdP 3 coming soon"
-
-  Scenario: After going to the "Beta Test" page, IdP3 is available for use
-    When I go to "http://ssp-hub.local/module.php/sildisco/betatest.php"
-    And I go to the "SP1" login page
-    And I click on the "IDP 3" tile
-    And I log in using my "IDP 3" credentials
-    Then I should see "test_admin@idp3.org"
diff --git a/features/bootstrap/LoginContext.php b/features/bootstrap/LoginContext.php
index 2aea6768..531ad8a0 100644
--- a/features/bootstrap/LoginContext.php
+++ b/features/bootstrap/LoginContext.php
@@ -153,7 +153,7 @@ public function iShouldNotBeAllowedThrough()
             function () use ($authenticator) {
                 $authenticator->getUserAttributes();
             },
-            \Exception::class,
+            Exception::class,
             'The call to getUserAttributes() should have thrown an exception.'
         );
     }
diff --git a/features/bootstrap/SilDiscoContext.php b/features/bootstrap/SilDiscoContext.php
index 66da5f80..47740475 100644
--- a/features/bootstrap/SilDiscoContext.php
+++ b/features/bootstrap/SilDiscoContext.php
@@ -26,7 +26,7 @@ public function iLogInUsingMyIdpCredentials($idp)
                 break;
 
             default:
-                throw new \Exception('credential name not recognized');
+                throw new Exception('credential name not recognized');
         }
         $this->iLogIn();
     }
diff --git a/local.env.dist b/local.env.dist
index c09c0e96..a3a695eb 100644
--- a/local.env.dist
+++ b/local.env.dist
@@ -85,3 +85,6 @@ TRUSTED_IP_ADDRESSES=
 # See "https://developers.google.com/recaptcha/docs/faq" for test key/secret.
 RECAPTCHA_SITE_KEY=
 RECAPTCHA_SECRET=
+
+# A comma-separated list of domains trusted for redirect. Should include, at a minimum, all logout redirect URL domains.
+TRUSTED_URL_DOMAINS=
diff --git a/modules/expirychecker/public/about2expire.php b/modules/expirychecker/public/about2expire.php
index 3e64a7a7..7200a7b5 100644
--- a/modules/expirychecker/public/about2expire.php
+++ b/modules/expirychecker/public/about2expire.php
@@ -55,8 +55,6 @@
 $globalConfig = Configuration::getInstance();
 
 $t = new Template($globalConfig, 'expirychecker:about2expire');
-$t->data['theme_color_scheme'] = $globalConfig->getOptionalString('theme.color-scheme', null);
-$t->data['analytics_tracking_id'] = $globalConfig->getOptionalString('analytics.trackingId', '');
 $t->data['form_target'] = Module::getModuleURL('expirychecker/about2expire.php');
 $t->data['form_data'] = ['StateId' => $stateId];
 $t->data['days_left'] = $state['daysLeft'];
diff --git a/modules/expirychecker/public/expired.php b/modules/expirychecker/public/expired.php
index be4bfa97..95c42d4e 100644
--- a/modules/expirychecker/public/expired.php
+++ b/modules/expirychecker/public/expired.php
@@ -48,8 +48,6 @@
 $globalConfig = Configuration::getInstance();
 
 $t = new Template($globalConfig, 'expirychecker:expired');
-$t->data['theme_color_scheme'] = $globalConfig->getOptionalString('theme.color-scheme', null);
-$t->data['analytics_tracking_id'] = $globalConfig->getOptionalString('analytics.trackingId', '');
 $t->data['form_target'] = Module::getModuleURL('expirychecker/expired.php');
 $t->data['form_data'] = ['StateId' => $stateId];
 $t->send();
diff --git a/modules/expirychecker/src/Auth/Process/ExpiryDate.php b/modules/expirychecker/src/Auth/Process/ExpiryDate.php
index c055a208..3efd9e69 100644
--- a/modules/expirychecker/src/Auth/Process/ExpiryDate.php
+++ b/modules/expirychecker/src/Auth/Process/ExpiryDate.php
@@ -2,6 +2,7 @@
 
 namespace SimpleSAML\Module\expirychecker\Auth\Process;
 
+use Exception;
 use Psr\Log\LoggerInterface;
 use Sil\Psr3Adapters\Psr3SamlLogger;
 use SimpleSAML\Auth\ProcessingChain;
@@ -132,7 +133,7 @@ protected function getDaysLeftBeforeExpiry(int $expiryTimestamp): int
      *     expiration date (as a string) is stored.
      * @param array $state The state data.
      * @return int The expiration timestamp.
-     * @throws \Exception
+     * @throws Exception
      */
     protected function getExpiryTimestamp(string $expiryDateAttr, array $state): int
     {
@@ -141,7 +142,7 @@ protected function getExpiryTimestamp(string $expiryDateAttr, array $state): int
         // Ensure that EVERY user login provides a usable password expiration date.
         $expiryTimestamp = strtotime($expiryDateString) ?: null;
         if (empty($expiryTimestamp)) {
-            throw new \Exception(sprintf(
+            throw new Exception(sprintf(
                 "We could not understand the expiration date (%s, from %s) for "
                 . "the user's password, so we do not know whether their "
                 . "password is still valid.",
@@ -178,7 +179,7 @@ protected function initLogger(array $config): void
         $loggerClass = $config['loggerClass'] ?? Psr3SamlLogger::class;
         $this->logger = new $loggerClass();
         if (!$this->logger instanceof LoggerInterface) {
-            throw new \Exception(sprintf(
+            throw new Exception(sprintf(
                 'The specified loggerClass (%s) does not implement '
                 . '\\Psr\\Log\\LoggerInterface.',
                 var_export($loggerClass, true)
diff --git a/modules/material/dictionaries/logout.definition.json b/modules/material/dictionaries/logout.definition.json
deleted file mode 100644
index b59b325b..00000000
--- a/modules/material/dictionaries/logout.definition.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-  "title": {
-    "en": "Logged out",
-    "es": "Desconectado",
-    "fr": "Déconnecté",
-    "ko": "로그 아웃 됨"
-  },
-  "header": {
-    "en": "Logged out",
-    "es": "Desconectado",
-    "fr": "Déconnecté",
-    "ko": "로그 아웃 됨"
-  },
-  "message": {
-    "en": "You have now been logged out.",
-    "es": "Se ha desconectado.",
-    "fr": "Vous êtes maintenant déconnecté.",
-    "ko": "이제 로그 아웃되었습니다."
-  }
-}
diff --git a/modules/material/dictionaries/review.definition.json b/modules/material/dictionaries/review.definition.json
deleted file mode 100644
index d51ced85..00000000
--- a/modules/material/dictionaries/review.definition.json
+++ /dev/null
@@ -1,74 +0,0 @@
-{
-  "title": {
-    "en": "Profile review",
-    "es": "Revisión del perfil",
-    "fr": "Examen du profil",
-    "ko": "프로필 검토"
-  },
-  "header": {
-    "en": "Profile review",
-    "es": "Revisión del perfil",
-    "fr": "Examen du profil",
-    "ko": "프로필 검토"
-  },
-  "info": {
-    "en": "Are these still correct?",
-    "es": "¿Siguen siendo correctos?",
-    "fr": "Sont-ils toujours corrects?",
-    "ko": "여전히 맞습니까?"
-  },
-  "mfa_header": {
-    "en": "2-Step Verification",
-    "es": "Verificación en 2 pasos",
-    "fr": "Vérification en 2 étapes",
-    "ko": "2 단계 인증"
-  },
-  "methods_header": {
-    "en": "Password Recovery Methods",
-    "es": "Métodos de recuperación de contraseña",
-    "fr": "Méthodes de récupération de mot de passe",
-    "ko": "비밀번호 복구 방법"
-  },
-  "remaining": {
-    "en": "({count} remaining)",
-    "es": "({count} restante)",
-    "fr": "({count} restant)",
-    "ko": "({count} 남음)"
-  },
-  "used": {
-    "en": "last used: {when}",
-    "es": "último uso: {when}",
-    "fr": "dernière utilisation: {when}",
-    "ko": "마지막 사용 시간 : {when}"
-  },
-  "used_never": {
-    "en": "last used: Never",
-    "es": "último uso: nunca",
-    "fr": "Dernière utilisation: Jamais",
-    "ko": "마지막 사용 : Never"
-  },
-  "verified": {
-    "en": "Verified",
-    "es": "Verificado",
-    "fr": "Vérifié",
-    "ko": "검증 된"
-  },
-  "unverified": {
-    "en": "Unverified",
-    "es": "Inconfirmado",
-    "fr": "Non vérifié",
-    "ko": "확인되지 않음"
-  },
-  "button_update": {
-    "en": "Some of these need updating",
-    "es": "Algunos de estos necesitan actualización",
-    "fr": "Certains ont besoin d'être mis à jour",
-    "ko": "이들 중 일부는 업데이트해야합니다."
-  },
-  "button_continue": {
-    "en": "These are still correct",
-    "es": "Estos siguen siendo correctos",
-    "fr": "Ceux-ci sont toujours corrects",
-    "ko": "이들은 여전히 정확하다."
-  }
-}
diff --git a/modules/material/dictionaries/selectidp.definition.json b/modules/material/dictionaries/selectidp.definition.json
deleted file mode 100644
index 898515c7..00000000
--- a/modules/material/dictionaries/selectidp.definition.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
-  "title": {
-    "en": "Choose an identity account",
-    "es": "Elige una cuenta de identidad",
-    "fr": "Choisissez un compte d'identité",
-    "ko": "ID 계정 선택"
-  },
-  "header": {
-    "en": "Choose an identity account",
-    "es": "Elige una cuenta de identidad",
-    "fr": "Choisissez un compte d'identité",
-    "ko": "ID 계정 선택"
-  },
-  "header-for-sp": {
-    "en": "Choose an identity account to continue to {spName}",
-    "es": "Elija una cuenta de identidad para continuar en {spName}",
-    "fr": "Choisissez un compte d'identité pour continuer vers {spName}",
-    "ko": "{spName}을 계속 진행하려면 신원 계정을 선택하십시오."
-  },
-  "enabled": {
-    "en": "Login with your {idpName} identity account",
-    "es": "Inicie sesión con su cuenta de identidad {idpName}",
-    "fr": "Connectez-vous avec votre compte d'identité {idpName}",
-    "ko": "{idpName} 신원 계정으로 로그인하십시오."
-  },
-  "disabled": {
-    "en": "{idpName} coming soon",
-    "es": "{IdpName} próximamente",
-    "fr": "{IdpName} à venir",
-    "ko": "{idpName} 곧 제공됨"
-  },
-  "help": {
-    "en": "Help",
-    "es": "Ayuda",
-    "fr": "Aidez-moi",
-    "ko": "도움"
-  }
-}
diff --git a/modules/material/src/MaterialController.php b/modules/material/src/MaterialController.php
new file mode 100644
index 00000000..e3c3a5f6
--- /dev/null
+++ b/modules/material/src/MaterialController.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace SimpleSAML\Module\material;
+
+use SimpleSAML\Configuration;
+use SimpleSAML\XHTML\TemplateControllerInterface;
+use Twig\Environment;
+
+class MaterialController implements TemplateControllerInterface
+{
+    /**
+     * Modify the twig environment after its initialization (e.g. add filters or extensions).
+     *
+     * @param \Twig\Environment $twig The current twig environment.
+     * @return void
+     */
+    public function setUpTwig(Environment &$twig): void
+    {
+    }
+
+    /**
+     * Add, delete or modify the data passed to the template.
+     * This method will be called right before displaying the template.
+     *
+     * @param array $data The current data used by the template.
+     * @return void
+     */
+    public function display(array &$data): void
+    {
+        $globalConfig = Configuration::getInstance();
+        $data['theme_color_scheme'] = $globalConfig->getOptionalString('theme.color-scheme', null);
+        $data['analytics_tracking_id'] = $globalConfig->getOptionalString('analytics.trackingId', '');
+    }
+}
diff --git a/modules/material/themes/material/default/header.twig b/modules/material/themes/material/default/header.twig
index 36adee50..1c66c1f9 100644
--- a/modules/material/themes/material/default/header.twig
+++ b/modules/material/themes/material/default/header.twig
@@ -5,7 +5,7 @@
 
 <base href="{{ baseurlpath }}/module.php/material/">
 
-{% if analytics_tracking_id is defined and analytics_tracking_id is not empty %}
+{% if analytics_tracking_id is not empty %}
   <!-- Google tag (gtag.js) -->
   <script async src="https://www.googletagmanager.com/gtag/js?id={{ analytics_tracking_id }}"></script>
   <script>
diff --git a/modules/material/themes/material/default/selectidp-links.twig b/modules/material/themes/material/default/selectidp-links.twig
index 2f91b164..9a158232 100644
--- a/modules/material/themes/material/default/selectidp-links.twig
+++ b/modules/material/themes/material/default/selectidp-links.twig
@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html>
+<html lang="{{ currentLanguage }}">
 <head>
   <title>{{ '{selectidp-links:title}'|trans }}</title>
 
@@ -10,7 +10,7 @@
       const idpInput = document.createElement('input');
 
       idpInput.type = 'hidden';
-      idpInput.name = '{{ returnIDParam|e('js')|raw }}';
+      idpInput.name = '{{ return_id_param|e('js')|raw }}';
       idpInput.value = id;
 
       document.querySelector('form').appendChild(idpInput);
@@ -28,10 +28,10 @@
   <header class="mdl-layout__header">
     <div class="mdl-layout__header-row">
       <span class="mdl-layout-title scale-to-parent">
-        {% if spName ?? '' is empty %}
+        {% if sp|entityDisplayName is empty %}
           {{ '{selectidp-links:header}'|trans }}
         {% else %}
-          {{ '{selectidp-links:header-for-sp}'|trans({'%spName%': spName})|e }}
+          {{ '{selectidp-links:header-for-sp}'|trans({'%spName%': sp|entityDisplayName})|e }}
         {% endif %}
       </span>
 
@@ -39,7 +39,7 @@
 
       {% if help_center_url is defined and help_center_url is not empty %}
         <nav class="mdl-navigation">
-          <a href="{{ help_center_url|e(html_attr) }}" target="_blank" rel="noopener" class="mdl-navigation__link">
+          <a href="{{ help_center_url|e('html_attr') }}" target="_blank" rel="noopener" class="mdl-navigation__link">
             {{ '{selectidp-links:help}'|trans }}
           </a>
         </nav>
@@ -51,35 +51,63 @@
     {{ include('announcement.twig') }}
 
     <form layout-children="row" child-spacing="space-around">
-      <input type="hidden" name="entityID" value="{{ entityID|e('html_attr') }}"/>
+      <input type="hidden" name="entityID" value="{{ entity_id|e('html_attr') }}"/>
       <input type="hidden" name="return" value="{{ return|e('html_attr') }}"/>
-      <input type="hidden" name="returnIDParam" value="{{ returnIDParam|e('html_attr') }}"/>
+      <input type="hidden" name="returnIDParam" value="{{ return_id_param|e('html_attr') }}"/>
 
-      {% for idp in idplist %}
+      {% for idp in enabled_idps %}
         <div
           class="mdl-card mdl-shadow--8dp row-aware"
-          title="{{ '{selectidp-links:enabled}'|trans({'%idpName%': idp.name|e}) }}"
+          title="{{ '{selectidp-links:enabled}'|trans({'%idpName%': idp|entityDisplayName}) }}"
         >
           <div class="mdl-card__media white-bg fixed-height">
-            <button
-              class="mdl-button logo-container fill-parent"
-              onclick="setSelectedIdp('{{ idp.entityid|e('js')|raw }}')"
-              name="idp_{{ idp.entityid|e('html_attr') }}"
-            >
+            <button class="mdl-button logo-container fill-parent" onclick="setSelectedIdp('{{ idp.entityid|e }}')">
               <div class="image-wrapper">
                 <img
                   class="logo"
-                  id="{{ idp.entityid|e('html_attr') }}"
-                  src="{{ idp.iconurl is defined ? idp.iconurl|e('html_attr') : 'default-logo.png' }}"
+                  id="{{ idp.entityid|e }}"
+                  src="{{ idp.logoURL|default('default-logo.png') }}"
                 >
               </div>
+
+              <span class="mdl-color-text--grey-600 logo-caption clickable-caption">
+                {{ idp.logoCaption|e|default('<br>') }}
+              </span>
             </button>
           </div>
         </div>
       {% endfor %}
+
+      {% for idp in disabled_idps %}
+        <div
+          class="mdl-card mdl-shadow--2dp disabled row-aware"
+          title="{{ '{selectidp-links:disabled}'|trans({'%idpName%': idp|entityDisplayName}) }}"
+          onclick="clickedAnyway('{{ idp|entityDisplayName }}')"
+        >
+          <div class="mdl-card__media white-bg fixed-height" layout-children="row" child-spacing="center">
+            <div class="logo-container fill-parent">
+              <div class="image-wrapper">
+                <img
+                  class="logo"
+                  id="{{ idp.entityid|e }}"
+                  src="{{ idp.logoURL|default('default-logo.png') }}"
+                >
+              </div>
+              <span class="mdl-color-text--grey-600 logo-caption">
+                {{ idp.logoCaption|e|default('<br>') }}
+              </span>
+            </div>
+          </div>
+        </div>
+      {% endfor %}
     </form>
   </main>
 
+  <script>
+    ga('send', 'event', 'hub', 'choices', 'enabled', {{ enabled_idps|length }});
+    ga('send', 'event', 'hub', 'choices', 'disabled', {{ disabled_idps|length }});
+  </script>
+
   {{ include('footer.twig') }}
 </div>
 <style>
diff --git a/modules/mfa/public/low-on-backup-codes.php b/modules/mfa/public/low-on-backup-codes.php
index 286c6447..eb048962 100644
--- a/modules/mfa/public/low-on-backup-codes.php
+++ b/modules/mfa/public/low-on-backup-codes.php
@@ -31,8 +31,6 @@
 $globalConfig = Configuration::getInstance();
 
 $t = new Template($globalConfig, 'mfa:low-on-backup-codes');
-$t->data['theme_color_scheme'] = $globalConfig->getOptionalString('theme.color-scheme', null);
-$t->data['analytics_tracking_id'] = $globalConfig->getOptionalString('analytics.trackingId', '');
 $t->data['num_backup_codes_remaining'] = $state['numBackupCodesRemaining'];
 $t->send();
 
diff --git a/modules/mfa/public/must-set-up-mfa.php b/modules/mfa/public/must-set-up-mfa.php
index 4c9028af..ddc8af1d 100644
--- a/modules/mfa/public/must-set-up-mfa.php
+++ b/modules/mfa/public/must-set-up-mfa.php
@@ -24,8 +24,6 @@
 $globalConfig = Configuration::getInstance();
 
 $t = new Template($globalConfig, 'mfa:must-set-up-mfa');
-$t->data['theme_color_scheme'] = $globalConfig->getOptionalString('theme.color-scheme', null);
-$t->data['analytics_tracking_id'] = $globalConfig->getOptionalString('analytics.trackingId', '');
 $t->send();
 
 $logger->info(sprintf(
diff --git a/modules/mfa/public/new-backup-codes.php b/modules/mfa/public/new-backup-codes.php
index ac1cb9d8..67e61fef 100644
--- a/modules/mfa/public/new-backup-codes.php
+++ b/modules/mfa/public/new-backup-codes.php
@@ -34,8 +34,6 @@
 $globalConfig = Configuration::getInstance();
 
 $t = new Template($globalConfig, 'mfa:new-backup-codes');
-$t->data['theme_color_scheme'] = $globalConfig->getOptionalString('theme.color-scheme', null);
-$t->data['analytics_tracking_id'] = $globalConfig->getOptionalString('analytics.trackingId', '');
 $t->data['mfa_setup_url'] = $state['mfaSetupUrl'];
 $t->data['new_backup_codes'] = $state['newBackupCodes'] ?? [];
 $t->data['idp_name'] = $globalConfig->getString('idp_display_name');
diff --git a/modules/mfa/public/out-of-backup-codes.php b/modules/mfa/public/out-of-backup-codes.php
index 8b30bcdc..70509f91 100644
--- a/modules/mfa/public/out-of-backup-codes.php
+++ b/modules/mfa/public/out-of-backup-codes.php
@@ -32,8 +32,6 @@
 $globalConfig = Configuration::getInstance();
 
 $t = new Template($globalConfig, 'mfa:out-of-backup-codes');
-$t->data['theme_color_scheme'] = $globalConfig->getOptionalString('theme.color-scheme', null);
-$t->data['analytics_tracking_id'] = $globalConfig->getOptionalString('analytics.trackingId', '');
 $t->data['has_other_mfa_options'] = $hasOtherMfaOptions;
 $t->send();
 
diff --git a/modules/mfa/public/prompt-for-mfa.php b/modules/mfa/public/prompt-for-mfa.php
index 89197b91..15e6bb61 100644
--- a/modules/mfa/public/prompt-for-mfa.php
+++ b/modules/mfa/public/prompt-for-mfa.php
@@ -42,7 +42,7 @@
 
     // This condition should never return
     ProcessingChain::resumeProcessing($state);
-    throw new \Exception('Failed to resume processing auth proc chain.');
+    throw new Exception('Failed to resume processing auth proc chain.');
 }
 
 $mfaId = filter_input(INPUT_GET, 'mfaId');
@@ -120,8 +120,6 @@
 $mfaTemplateToUse = Mfa::getTemplateFor($mfaOption['type']);
 
 $t = new Template($globalConfig, $mfaTemplateToUse);
-$t->data['theme_color_scheme'] = $globalConfig->getOptionalString('theme.color-scheme', null);
-$t->data['analytics_tracking_id'] = $globalConfig->getOptionalString('analytics.trackingId', '');
 $t->data['error_message'] = $errorMessage ?? null;
 $t->data['mfa_option_data'] = json_encode($mfaOption['data']);
 $t->data['mfa_options'] = $mfaOptions;
diff --git a/modules/mfa/public/send-manager-mfa.php b/modules/mfa/public/send-manager-mfa.php
index 10f41ab9..a777cf73 100644
--- a/modules/mfa/public/send-manager-mfa.php
+++ b/modules/mfa/public/send-manager-mfa.php
@@ -36,8 +36,6 @@
 $globalConfig = Configuration::getInstance();
 
 $t = new Template($globalConfig, 'mfa:send-manager-mfa');
-$t->data['theme_color_scheme'] = $globalConfig->getOptionalString('theme.color-scheme', null);
-$t->data['analytics_tracking_id'] = $globalConfig->getOptionalString('analytics.trackingId', '');
 $t->data['manager_email'] = $state['managerEmail'];
 $t->data['error_message'] = $errorMessage ?? null;
 $t->send();
diff --git a/modules/mfa/src/Auth/Process/Mfa.php b/modules/mfa/src/Auth/Process/Mfa.php
index 734e773f..8cb8b5c6 100644
--- a/modules/mfa/src/Auth/Process/Mfa.php
+++ b/modules/mfa/src/Auth/Process/Mfa.php
@@ -2,6 +2,8 @@
 
 namespace SimpleSAML\Module\mfa\Auth\Process;
 
+use Exception;
+use InvalidArgumentException;
 use Psr\Log\LoggerInterface;
 use Sil\Idp\IdBroker\Client\BaseClient;
 use Sil\PhpEnv\Env;
@@ -52,7 +54,7 @@ class Mfa extends ProcessingFilter
      *
      * @param array $config Configuration information about this filter.
      * @param mixed $reserved For future use.
-     * @throws \Exception
+     * @throws Exception
      */
     public function __construct(array $config, mixed $reserved)
     {
@@ -98,12 +100,12 @@ protected function loadValuesFromConfig(array $config, array $attributes): void
      * @param string $attribute The name of the attribute.
      * @param mixed $value The value to check.
      * @param LoggerInterface $logger The logger.
-     * @throws \Exception
+     * @throws Exception
      */
     public static function validateConfigValue(string $attribute, mixed $value, LoggerInterface $logger): void
     {
         if (empty($value) || !is_string($value)) {
-            $exception = new \Exception(sprintf(
+            $exception = new Exception(sprintf(
                 'The value we have for %s (%s) is empty or is not a string',
                 $attribute,
                 var_export($value, true)
@@ -184,13 +186,13 @@ protected static function getIdBrokerClient(array $idBrokerConfig): IdBrokerClie
      * @param array[] $mfaOptions The available MFA options.
      * @param int $mfaId The ID of the desired MFA option.
      * @return array The MFA option to use.
-     * @throws \InvalidArgumentException
-     * @throws \Exception
+     * @throws InvalidArgumentException
+     * @throws Exception
      */
     public static function getMfaOptionById(array $mfaOptions, int $mfaId): array
     {
         if (empty($mfaId)) {
-            throw new \Exception('No MFA ID was provided.');
+            throw new Exception('No MFA ID was provided.');
         }
 
         foreach ($mfaOptions as $mfaOption) {
@@ -199,7 +201,7 @@ public static function getMfaOptionById(array $mfaOptions, int $mfaId): array
             }
         }
 
-        throw new \Exception(
+        throw new Exception(
             'No MFA option has an ID of ' . var_export($mfaId, true)
         );
     }
@@ -211,13 +213,13 @@ public static function getMfaOptionById(array $mfaOptions, int $mfaId): array
      * @param string $userAgent The User-Agent sent by the user's browser, used
      *     for detecting WebAuthn support.
      * @return array The MFA option to use.
-     * @throws \InvalidArgumentException
-     * @throws \Exception
+     * @throws InvalidArgumentException
+     * @throws Exception
      */
     public static function getMfaOptionToUse(array $mfaOptions, string $userAgent): array
     {
         if (empty($mfaOptions)) {
-            throw new \Exception('No MFA options were provided.');
+            throw new Exception('No MFA options were provided.');
         }
 
         $recentMfa = self::getMostRecentUsedMfaOption($mfaOptions);
@@ -292,7 +294,7 @@ public static function getNumBackupCodesUserHad(array $mfaOptions): int
      *
      * @param string $mfaType The desired MFA type, such as 'webauthn', 'totp', or 'backupcode'.
      * @return string
-     * @throws \InvalidArgumentException
+     * @throws InvalidArgumentException
      */
     public static function getTemplateFor(string $mfaType): string
     {
@@ -305,7 +307,7 @@ public static function getTemplateFor(string $mfaType): string
         $template = $mfaOptionTemplates[$mfaType] ?? null;
 
         if ($template === null) {
-            throw new \InvalidArgumentException(sprintf(
+            throw new InvalidArgumentException(sprintf(
                 'No %s MFA template is available.',
                 var_export($mfaType, true)
             ), 1507219338);
@@ -515,14 +517,14 @@ public static function validateMfaSubmission(
 
             if ($numBackupCodesRemaining <= 0) {
                 self::redirectToOutOfBackupCodesMessage($state, $employeeId);
-                throw new \Exception('Failed to send user to out-of-backup-codes page.');
+                throw new Exception('Failed to send user to out-of-backup-codes page.');
             } elseif ($numBackupCodesRemaining < 4) {
                 self::redirectToLowOnBackupCodesNag(
                     $state,
                     $employeeId,
                     $numBackupCodesRemaining
                 );
-                throw new \Exception('Failed to send user to low-on-backup-codes page.');
+                throw new Exception('Failed to send user to low-on-backup-codes page.');
             }
         }
 
@@ -537,7 +539,7 @@ public static function validateMfaSubmission(
 
         // The following function call will never return.
         ProcessingChain::resumeProcessing($state);
-        throw new \Exception('Failed to resume processing auth proc chain.');
+        throw new Exception('Failed to resume processing auth proc chain.');
     }
 
     /**
@@ -647,7 +649,7 @@ protected function redirectToMfaNeededMessage(array &$state, string $employeeId,
      * @param array $state The state data.
      * @param string $employeeId The Employee ID of the user account.
      * @param array $mfaOptions Array of MFA options
-     * @throws \Exception
+     * @throws Exception
      */
     protected function redirectToMfaPrompt(array &$state, string $employeeId, array $mfaOptions): void
     {
@@ -884,7 +886,7 @@ public static function getManagerEmail(array $state): ?string
      *
      * @param array[] $mfaOptions The available MFA options.
      * @return array The manager MFA.
-     * @throws \InvalidArgumentException
+     * @throws InvalidArgumentException
      */
     public static function getManagerMfa(array $mfaOptions): ?array
     {
@@ -958,7 +960,7 @@ protected static function updateStateWithNewMfaData(array &$state, LoggerInterfa
 
         try {
             $newMfaOptions = $idBrokerClient->mfaList($state['employeeId']);
-        } catch (\Exception $e) {
+        } catch (Exception $e) {
             $log['status'] = 'failed: id-broker exception';
             $logger->error(json_encode($log));
             return;
diff --git a/modules/profilereview/public/nag.php b/modules/profilereview/public/nag.php
index 7dc2b09f..a020009b 100644
--- a/modules/profilereview/public/nag.php
+++ b/modules/profilereview/public/nag.php
@@ -31,8 +31,6 @@
 $globalConfig = Configuration::getInstance();
 
 $t = new Template($globalConfig, 'profilereview:' . $state['template']);
-$t->data['theme_color_scheme'] = $globalConfig->getOptionalString('theme.color-scheme', null);
-$t->data['analytics_tracking_id'] = $globalConfig->getOptionalString('analytics.trackingId', '');
 $t->data['profile_url'] = $state['profileUrl'];
 $t->data['method_options'] = $state['methodOptions'] ?? [];
 $t->data['mfa_options'] = $state['mfaOptions'] ?? [];
diff --git a/modules/profilereview/public/review.php b/modules/profilereview/public/review.php
index 1f8e6719..158374a9 100644
--- a/modules/profilereview/public/review.php
+++ b/modules/profilereview/public/review.php
@@ -35,8 +35,6 @@
 $globalConfig = Configuration::getInstance();
 
 $t = new Template($globalConfig, 'profilereview:review');
-$t->data['theme_color_scheme'] = $globalConfig->getOptionalString('theme.color-scheme', null);
-$t->data['analytics_tracking_id'] = $globalConfig->getOptionalString('analytics.trackingId', '');
 $t->data['profile_url'] = $state['profileUrl'];
 $t->data['method_options'] = $state['methodOptions'];
 $t->data['mfa_options'] = $state['mfaOptions'];
diff --git a/modules/profilereview/src/Auth/Process/ProfileReview.php b/modules/profilereview/src/Auth/Process/ProfileReview.php
index 64b452a9..5a4cb9bc 100644
--- a/modules/profilereview/src/Auth/Process/ProfileReview.php
+++ b/modules/profilereview/src/Auth/Process/ProfileReview.php
@@ -2,6 +2,7 @@
 
 namespace SimpleSAML\Module\profilereview\Auth\Process;
 
+use Exception;
 use Psr\Log\LoggerInterface;
 use Sil\Psr3Adapters\Psr3SamlLogger;
 use SimpleSAML\Auth\ProcessingFilter;
@@ -38,7 +39,7 @@ class ProfileReview extends ProcessingFilter
      *
      * @param array $config Configuration information about this filter.
      * @param mixed $reserved For future use.
-     * @throws \Exception
+     * @throws Exception
      */
     public function __construct(array $config, mixed $reserved)
     {
@@ -61,7 +62,7 @@ public function __construct(array $config, mixed $reserved)
     /**
      * @param $config
      * @param $attributes
-     * @throws \Exception
+     * @throws Exception
      */
     protected function loadValuesFromConfig(array $config, array $attributes): void
     {
@@ -82,12 +83,12 @@ protected function loadValuesFromConfig(array $config, array $attributes): void
      * @param string $attribute The name of the attribute.
      * @param mixed $value The value to check.
      * @param LoggerInterface $logger The logger.
-     * @throws \Exception
+     * @throws Exception
      */
     public static function validateConfigValue($attribute, $value, $logger)
     {
         if (empty($value) || !is_string($value)) {
-            $exception = new \Exception(sprintf(
+            $exception = new Exception(sprintf(
                 'The value we have for %s (%s) is empty or is not a string',
                 $attribute,
                 var_export($value, true)
diff --git a/modules/silauth/dictionaries/error.definition.json b/modules/silauth/dictionaries/error.definition.json
deleted file mode 100644
index 2c6e37b9..00000000
--- a/modules/silauth/dictionaries/error.definition.json
+++ /dev/null
@@ -1,50 +0,0 @@
-{
-  "generic_try_later": {
-    "en": "Hmm... something went wrong. Please try again later.",
-    "es": "",
-    "fr": "",
-    "ko": ""
-  },
-  "username_required": {
-    "en": "Please provide a username.",
-    "es": "",
-    "fr": "",
-    "ko": ""
-  },
-  "password_required": {
-    "en": "Please provide a password.",
-    "es": "",
-    "fr": "",
-    "ko": ""
-  },
-  "invalid_login": {
-    "en": "There was a problem with that username or password (or that account is disabled). Please try again or contact your organization's help desk.",
-    "es": "",
-    "fr": "",
-    "ko": ""
-  },
-  "need_to_set_acct_password": {
-    "en": "You need to set your password to finish setting up your account. Please use the forgot password link below.",
-    "es": "",
-    "fr": "",
-    "ko": ""
-  },
-  "rate_limit_seconds": {
-    "en": "There have been too many failed logins for this account. Please wait about {number} seconds, then try again.",
-    "es": "",
-    "fr": "",
-    "ko": ""
-  },
-  "rate_limit_1_minute": {
-    "en": "There have been too many failed logins for this account. Please wait a minute, then try again.",
-    "es": "",
-    "fr": "",
-    "ko": ""
-  },
-  "rate_limit_minutes": {
-    "en": "There have been too many failed logins for this account. Please wait about {number} minutes, then try again.",
-    "es": "",
-    "fr": "",
-    "ko": ""
-  }
-}
diff --git a/modules/silauth/public/loginuserpass.php b/modules/silauth/public/loginuserpass.php
index 378b3dcd..12fc066f 100644
--- a/modules/silauth/public/loginuserpass.php
+++ b/modules/silauth/public/loginuserpass.php
@@ -80,8 +80,6 @@
 }
 
 $t = new Template($globalConfig, 'silauth:loginuserpass');
-$t->data['theme_color_scheme'] = $globalConfig->getOptionalString('theme.color-scheme', null);
-$t->data['analytics_tracking_id'] = $globalConfig->getOptionalString('analytics.trackingId', '');
 $t->data['stateparams'] = array('AuthState' => $authStateId);
 $t->data['username'] = $username;
 $t->data['errorcode'] = $errorCode;
diff --git a/modules/silauth/public/status.php b/modules/silauth/public/status.php
index 9b345357..4f5573fd 100644
--- a/modules/silauth/public/status.php
+++ b/modules/silauth/public/status.php
@@ -28,5 +28,5 @@
         $t->getMessage(),
         $t->getCode()
     );
-    \http_response_code(500);
+    http_response_code(500);
 }
diff --git a/modules/silauth/src/Auth/Source/auth/Authenticator.php b/modules/silauth/src/Auth/Source/auth/Authenticator.php
index 73501785..926cbfa0 100644
--- a/modules/silauth/src/Auth/Source/auth/Authenticator.php
+++ b/modules/silauth/src/Auth/Source/auth/Authenticator.php
@@ -2,6 +2,7 @@
 
 namespace SimpleSAML\Module\silauth\Auth\Source\auth;
 
+use Exception;
 use Psr\Log\LoggerInterface;
 use SimpleSAML\Module\silauth\Auth\Source\auth\AuthError;
 use SimpleSAML\Module\silauth\Auth\Source\auth\IdBroker;
@@ -95,7 +96,7 @@ public function __construct(
                 $username,
                 $password
             );
-        } catch (\Exception $e) {
+        } catch (Exception $e) {
             $logger->critical(json_encode([
                 'event' => 'Problem communicating with ID Broker',
                 'errorCode' => $e->getCode(),
@@ -211,12 +212,12 @@ public static function getSecondsUntilUnblocked(
      *         // ...
      *     ]
      *     </pre>
-     * @throws \Exception
+     * @throws Exception
      */
     public function getUserAttributes(): array
     {
         if ($this->userAttributes === null) {
-            throw new \Exception(
+            throw new Exception(
                 "You cannot get the user's attributes until you have authenticated the user.",
                 1482270373
             );
diff --git a/modules/silauth/src/Auth/Source/captcha/Captcha.php b/modules/silauth/src/Auth/Source/captcha/Captcha.php
index 33b29cba..d825b7d0 100644
--- a/modules/silauth/src/Auth/Source/captcha/Captcha.php
+++ b/modules/silauth/src/Auth/Source/captcha/Captcha.php
@@ -2,6 +2,8 @@
 
 namespace SimpleSAML\Module\silauth\Auth\Source\captcha;
 
+use ReCaptcha\ReCaptcha;
+use RuntimeException;
 use SimpleSAML\Module\silauth\Auth\Source\http\Request;
 
 class Captcha
@@ -16,13 +18,13 @@ public function __construct(?string $secret = null)
     public function isValidIn(Request $request): bool
     {
         if (empty($this->secret)) {
-            throw new \RuntimeException('No captcha secret available.', 1487342411);
+            throw new RuntimeException('No captcha secret available.', 1487342411);
         }
 
         $captchaResponse = $request->getCaptchaResponse();
         $ipAddress = $request->getMostLikelyIpAddress();
 
-        $recaptcha = new \ReCaptcha\ReCaptcha($this->secret);
+        $recaptcha = new ReCaptcha($this->secret);
         $rcResponse = $recaptcha->verify($captchaResponse, $ipAddress);
 
         return $rcResponse->isSuccess();
diff --git a/modules/silauth/src/Auth/Source/config/ConfigManager.php b/modules/silauth/src/Auth/Source/config/ConfigManager.php
index a6c7b25e..9cb09544 100644
--- a/modules/silauth/src/Auth/Source/config/ConfigManager.php
+++ b/modules/silauth/src/Auth/Source/config/ConfigManager.php
@@ -3,7 +3,8 @@
 namespace SimpleSAML\Module\silauth\Auth\Source\config;
 
 use SimpleSAML\Module\silauth\Auth\Source\text\Text;
-use yii\console\Application;
+use yii\console\Application as ConsoleApplication;
+use yii\web\Application as WebApplication;
 
 class ConfigManager
 {
@@ -78,11 +79,11 @@ private static function initializeYiiClass(): void
         }
     }
 
-    public static function getYii2ConsoleApp(array $customConfig): Application
+    public static function getYii2ConsoleApp(array $customConfig): ConsoleApplication
     {
         self::initializeYiiClass();
         $mergedYii2Config = self::getMergedYii2Config($customConfig);
-        return new Application($mergedYii2Config);
+        return new ConsoleApplication($mergedYii2Config);
     }
 
     public static function initializeYii2WebApp(array $customConfig = []): void
@@ -93,7 +94,7 @@ public static function initializeYii2WebApp(array $customConfig = []): void
          * here, since we don't want Yii to handle the HTTP request. We just
          * want the Yii classes available for use (including database
          * models).  */
-        $app = new \yii\web\Application(self::getMergedYii2Config($customConfig));
+        $app = new WebApplication(self::getMergedYii2Config($customConfig));
 
         /*
          * Initialize the Yii logger. It doesn't want to initialize itself for some reason.
diff --git a/modules/silauth/src/Auth/Source/http/Request.php b/modules/silauth/src/Auth/Source/http/Request.php
index 14e3bbcd..5ef36afc 100644
--- a/modules/silauth/src/Auth/Source/http/Request.php
+++ b/modules/silauth/src/Auth/Source/http/Request.php
@@ -2,6 +2,7 @@
 
 namespace SimpleSAML\Module\silauth\Auth\Source\http;
 
+use InvalidArgumentException;
 use IP;
 use IPBlock;
 use SimpleSAML\Module\silauth\Auth\Source\text\Text;
@@ -197,7 +198,7 @@ public static function sanitizeInputString(int $inputType, string $variableName)
     public function trustIpAddress(string $ipAddress): void
     {
         if (!self::isValidIpAddress($ipAddress)) {
-            throw new \InvalidArgumentException(sprintf(
+            throw new InvalidArgumentException(sprintf(
                 '%s is not a valid IP address.',
                 var_export($ipAddress, true)
             ));
diff --git a/modules/silauth/src/Auth/Source/models/FailedLoginIpAddress.php b/modules/silauth/src/Auth/Source/models/FailedLoginIpAddress.php
index fd443ea3..e72fbe9e 100644
--- a/modules/silauth/src/Auth/Source/models/FailedLoginIpAddress.php
+++ b/modules/silauth/src/Auth/Source/models/FailedLoginIpAddress.php
@@ -2,19 +2,22 @@
 
 namespace SimpleSAML\Module\silauth\Auth\Source\models;
 
+use Exception;
+use InvalidArgumentException;
 use Psr\Log\LoggerAwareInterface;
 use Psr\Log\LoggerInterface;
 use SimpleSAML\Module\silauth\Auth\Source\auth\Authenticator;
 use SimpleSAML\Module\silauth\Auth\Source\behaviors\CreatedAtUtcBehavior;
 use SimpleSAML\Module\silauth\Auth\Source\http\Request;
 use SimpleSAML\Module\silauth\Auth\Source\time\UtcTime;
+use SimpleSAML\Module\silauth\Auth\Source\traits\LoggerAwareTrait;
+use Yii;
 use yii\base\Model;
 use yii\helpers\ArrayHelper;
-use Yii;
 
 class FailedLoginIpAddress extends FailedLoginIpAddressBase implements LoggerAwareInterface
 {
-    use \SimpleSAML\Module\silauth\Auth\Source\traits\LoggerAwareTrait;
+    use LoggerAwareTrait;
 
     /**
      * @inheritdoc
@@ -47,7 +50,7 @@ public static function countRecentFailedLoginsFor(string $ipAddress): int
             '>=', 'occurred_at_utc', UtcTime::format('-60 minutes')
         ])->count();
         if (!is_numeric($count)) {
-            throw new \Exception('expected a numeric value for recent failed logins by IP address, got ' . $count);
+            throw new Exception('expected a numeric value for recent failed logins by IP address, got ' . $count);
         }
         return (int)$count;
     }
@@ -55,7 +58,7 @@ public static function countRecentFailedLoginsFor(string $ipAddress): int
     public static function getFailedLoginsFor(string $ipAddress): array
     {
         if (!Request::isValidIpAddress($ipAddress)) {
-            throw new \InvalidArgumentException(sprintf(
+            throw new InvalidArgumentException(sprintf(
                 '%s is not a valid IP address.',
                 var_export($ipAddress, true)
             ));
diff --git a/modules/silauth/src/Auth/Source/models/FailedLoginIpAddressBase.php b/modules/silauth/src/Auth/Source/models/FailedLoginIpAddressBase.php
index 25f2b5b1..5f1f9e25 100644
--- a/modules/silauth/src/Auth/Source/models/FailedLoginIpAddressBase.php
+++ b/modules/silauth/src/Auth/Source/models/FailedLoginIpAddressBase.php
@@ -3,6 +3,7 @@
 namespace SimpleSAML\Module\silauth\Auth\Source\models;
 
 use Yii;
+use yii\db\ActiveRecord;
 
 /**
  * This is the model class for table "failed_login_ip_address".
@@ -11,7 +12,7 @@
  * @property string $ip_address
  * @property string $occurred_at_utc
  */
-class FailedLoginIpAddressBase extends \yii\db\ActiveRecord
+class FailedLoginIpAddressBase extends ActiveRecord
 {
     /**
      * @inheritdoc
diff --git a/modules/silauth/src/Auth/Source/models/FailedLoginUsername.php b/modules/silauth/src/Auth/Source/models/FailedLoginUsername.php
index e1bc4ff0..1391b6a1 100644
--- a/modules/silauth/src/Auth/Source/models/FailedLoginUsername.php
+++ b/modules/silauth/src/Auth/Source/models/FailedLoginUsername.php
@@ -2,18 +2,20 @@
 
 namespace SimpleSAML\Module\silauth\Auth\Source\models;
 
+use Exception;
 use Psr\Log\LoggerAwareInterface;
 use Psr\Log\LoggerInterface;
 use SimpleSAML\Module\silauth\Auth\Source\auth\Authenticator;
 use SimpleSAML\Module\silauth\Auth\Source\behaviors\CreatedAtUtcBehavior;
 use SimpleSAML\Module\silauth\Auth\Source\time\UtcTime;
+use SimpleSAML\Module\silauth\Auth\Source\traits\LoggerAwareTrait;
+use Yii;
 use yii\base\Model;
 use yii\helpers\ArrayHelper;
-use Yii;
 
 class FailedLoginUsername extends FailedLoginUsernameBase implements LoggerAwareInterface
 {
-    use \SimpleSAML\Module\silauth\Auth\Source\traits\LoggerAwareTrait;
+    use LoggerAwareTrait;
 
     /**
      * @inheritdoc
@@ -45,7 +47,7 @@ public static function countRecentFailedLoginsFor(string $username): int
             '>=', 'occurred_at_utc', UtcTime::format('-60 minutes')
         ])->count();
         if (!is_numeric($count)) {
-            throw new \Exception('expected a numeric value for recent failed logins by username, got ' . $count);
+            throw new Exception('expected a numeric value for recent failed logins by username, got ' . $count);
         }
         return (int)$count;
     }
diff --git a/modules/silauth/src/Auth/Source/models/FailedLoginUsernameBase.php b/modules/silauth/src/Auth/Source/models/FailedLoginUsernameBase.php
index a3c32cae..d7b79d36 100644
--- a/modules/silauth/src/Auth/Source/models/FailedLoginUsernameBase.php
+++ b/modules/silauth/src/Auth/Source/models/FailedLoginUsernameBase.php
@@ -3,6 +3,7 @@
 namespace SimpleSAML\Module\silauth\Auth\Source\models;
 
 use Yii;
+use yii\db\ActiveRecord;
 
 /**
  * This is the model class for table "failed_login_username".
@@ -11,7 +12,7 @@
  * @property string $username
  * @property string $occurred_at_utc
  */
-class FailedLoginUsernameBase extends \yii\db\ActiveRecord
+class FailedLoginUsernameBase extends ActiveRecord
 {
     /**
      * @inheritdoc
diff --git a/modules/silauth/src/Auth/Source/system/System.php b/modules/silauth/src/Auth/Source/system/System.php
index fb8d5584..d7dd282a 100644
--- a/modules/silauth/src/Auth/Source/system/System.php
+++ b/modules/silauth/src/Auth/Source/system/System.php
@@ -2,6 +2,7 @@
 
 namespace SimpleSAML\Module\silauth\Auth\Source\system;
 
+use Exception;
 use Psr\Log\LoggerInterface;
 use Psr\Log\NullLogger;
 use SimpleSAML\Configuration;
@@ -57,7 +58,7 @@ protected function isRequiredConfigPresent(): bool
      * show to the public) if any serious error conditions are found. Log any
      * problems, even if recoverable.
      *
-     * @throws \Exception
+     * @throws Exception
      */
     public function reportStatus(): void
     {
@@ -88,11 +89,11 @@ protected function logError(string $message): void
      *
      * @param string $message The error message.
      * @param int $code An error code.
-     * @throws \Exception
+     * @throws Exception
      */
     protected function reportError(string $message, int $code): void
     {
         $this->logError($message);
-        throw new \Exception($message, $code);
+        throw new Exception($message, $code);
     }
 }
diff --git a/modules/silauth/src/Auth/Source/tests/unit/http/DummyRequest.php b/modules/silauth/src/Auth/Source/tests/unit/http/DummyRequest.php
index a375e42c..c0c808d7 100644
--- a/modules/silauth/src/Auth/Source/tests/unit/http/DummyRequest.php
+++ b/modules/silauth/src/Auth/Source/tests/unit/http/DummyRequest.php
@@ -2,6 +2,7 @@
 
 namespace SimpleSAML\Module\silauth\Auth\Source\tests\unit\http;
 
+use InvalidArgumentException;
 use SimpleSAML\Module\silauth\Auth\Source\http\Request;
 
 class DummyRequest extends Request
@@ -21,7 +22,7 @@ public function getIpAddresses(): array
     public function setDummyIpAddress(string $dummyIpAddress): void
     {
         if (!self::isValidIpAddress($dummyIpAddress)) {
-            throw new \InvalidArgumentException(sprintf(
+            throw new InvalidArgumentException(sprintf(
                 '%s is not a valid IP address.',
                 var_export($dummyIpAddress, true)
             ));
diff --git a/modules/silauth/src/Auth/Source/time/UtcTime.php b/modules/silauth/src/Auth/Source/time/UtcTime.php
index 20f69f80..04c55433 100644
--- a/modules/silauth/src/Auth/Source/time/UtcTime.php
+++ b/modules/silauth/src/Auth/Source/time/UtcTime.php
@@ -2,6 +2,10 @@
 
 namespace SimpleSAML\Module\silauth\Auth\Source\time;
 
+use DateTime;
+use DateTimeZone;
+use InvalidArgumentException;
+
 class UtcTime
 {
     const DATE_TIME_FORMAT = 'Y-m-d H:i:s';
@@ -21,8 +25,8 @@ class UtcTime
      */
     public function __construct(string $dateTimeString = 'now')
     {
-        $this->utc = new \DateTimeZone('UTC');
-        $this->dateTime = new \DateTime($dateTimeString, $this->utc);
+        $this->utc = new DateTimeZone('UTC');
+        $this->dateTime = new DateTime($dateTimeString, $this->utc);
     }
 
     public function __toString()
@@ -84,12 +88,12 @@ public function getSecondsSince(UtcTime $otherUtcTime): int
      * @return int The number of seconds that have elapsed since that date/time.
      * @throws Exception If an invalid date/time string is provided, an
      *     \Exception will be thrown.
-     * @throws \InvalidArgumentException
+     * @throws InvalidArgumentException
      */
     public static function getSecondsSinceDateTime(string $dateTimeString): int
     {
         if (empty($dateTimeString)) {
-            throw new \InvalidArgumentException(sprintf(
+            throw new InvalidArgumentException(sprintf(
                 'The given value (%s) is not a date/time string.',
                 var_export($dateTimeString, true)
             ));
diff --git a/modules/silauth/src/Auth/Source/time/WaitTime.php b/modules/silauth/src/Auth/Source/time/WaitTime.php
index baac8277..d43a3d2f 100644
--- a/modules/silauth/src/Auth/Source/time/WaitTime.php
+++ b/modules/silauth/src/Auth/Source/time/WaitTime.php
@@ -2,6 +2,8 @@
 
 namespace SimpleSAML\Module\silauth\Auth\Source\time;
 
+use InvalidArgumentException;
+
 /**
  * Class to enable assembling a human-friendly description of approximately how
  * long the user must wait before (at least) the given number of seconds have
@@ -52,7 +54,7 @@ public function getFriendlyNumber(): int
     public static function getLongestWaitTime(array $durationsInSeconds): WaitTime
     {
         if (empty($durationsInSeconds)) {
-            throw new \InvalidArgumentException('No durations given.', 1487605801);
+            throw new InvalidArgumentException('No durations given.', 1487605801);
         }
         return new WaitTime(max($durationsInSeconds));
     }
diff --git a/modules/sildisco/public/betatest.php b/modules/sildisco/public/betatest.php
deleted file mode 100644
index b4facf87..00000000
--- a/modules/sildisco/public/betatest.php
+++ /dev/null
@@ -1,12 +0,0 @@
-<?php
-ini_set('display_errors', 1);
-
-$sessionType = 'sildisco:authentication';
-$sessionKey = 'beta_tester';
-
-$session = \SimpleSAML\Session::getSessionFromRequest();
-$session->setData($sessionType, $sessionKey, 1, \SimpleSAML\Session::DATA_TIMEOUT_SESSION_END);
-
-echo "<h1>Start Beta Testing</h1>";
-echo "<p>You have been given a cookie to allow you to test beta-enabled IDPs.</p>";
-echo "<p>To remove the cookie, just close your browser.</p>";
diff --git a/modules/sildisco/public/disco.php b/modules/sildisco/public/disco.php
deleted file mode 100644
index bc2b8321..00000000
--- a/modules/sildisco/public/disco.php
+++ /dev/null
@@ -1,9 +0,0 @@
-<?php
-
-/**
- * Custom IdP discovery service. Built-in service is in modules/saml/public/disco.php
- */
-
-$discoHandler = new \SimpleSAML\Module\sildisco\IdPDisco(['saml20-idp-remote'], 'saml');
-
-$discoHandler->handleRequest();
diff --git a/modules/sildisco/public/metadata.php b/modules/sildisco/public/metadata.php
index 23b965b3..656d2691 100644
--- a/modules/sildisco/public/metadata.php
+++ b/modules/sildisco/public/metadata.php
@@ -6,14 +6,19 @@
 require_once('../public/_include.php');
 
 use SAML2\Constants;
+use SimpleSAML\Configuration;
+use SimpleSAML\Error;
+use SimpleSAML\Metadata\MetaDataStorageHandler;
+use SimpleSAML\Metadata\SAMLBuilder;
+use SimpleSAML\Metadata\Signer;
 use SimpleSAML\Utils;
 
 // load SimpleSAMLphp, configuration and metadata
-$config = \SimpleSAML\Configuration::getInstance();
-$metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
+$config = Configuration::getInstance();
+$metadata = MetaDataStorageHandler::getMetadataHandler();
 
 if (!$config->getOptionalBoolean('enable.saml20-idp', false)) {
-    throw new \SimpleSAML\Error\Error('NOACCESS');
+    throw new Error\Error('NOACCESS');
 }
 
 // check if valid local session exists
@@ -145,7 +150,7 @@
         );
 
         if (!$idpmeta->hasValue('OrganizationURL')) {
-            throw new \SimpleSAML\Error\Exception('If OrganizationName is set, OrganizationURL must also be set.');
+            throw new Error\Exception('If OrganizationName is set, OrganizationURL must also be set.');
         }
         $metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL');
     }
@@ -200,7 +205,7 @@
         $metaArray['contacts'][] = $metadataUtils->getContact($techcontact);
     }
 
-    $metaBuilder = new \SimpleSAML\Metadata\SAMLBuilder($idpentityid);
+    $metaBuilder = new SAMLBuilder($idpentityid);
     $metaBuilder->addMetadataIdP20($metaArray);
     $metaBuilder->addOrganizationInfo($metaArray);
 
@@ -209,7 +214,7 @@
     $metaflat = '$metadata[' . var_export($idpentityid, true) . '] = ' . var_export($metaArray, true) . ';';
 
     // sign the metadata if enabled
-    $metaxml = \SimpleSAML\Metadata\Signer::sign($metaxml, $idpmeta->toArray(), 'SAML 2 IdP');
+    $metaxml = Signer::sign($metaxml, $idpmeta->toArray(), 'SAML 2 IdP');
 
     if (array_key_exists('format', $_GET) && $_GET['format'] == 'xml') {
         header('Content-Type: application/xml');
@@ -224,5 +229,5 @@
         exit(0);
     }
 } catch (Exception $exception) {
-    throw new \SimpleSAML\Error\Error('METADATA', $exception);
+    throw new Error\Error('METADATA', $exception);
 }
diff --git a/modules/sildisco/public/sp/discoresp.php b/modules/sildisco/public/sp/discoresp.php
deleted file mode 100644
index bd2ea150..00000000
--- a/modules/sildisco/public/sp/discoresp.php
+++ /dev/null
@@ -1,34 +0,0 @@
-<?php
-/**
- * Modified version of modules/saml/public/sp/discoresp.php
- * 2024-06-06 -- Merged with simplesamlphp 1.19.8, lines marked with GTIS are modified
- */
-
-/**
- * Handler for response from IdP discovery service.
- */
-
-if (!array_key_exists('AuthID', $_REQUEST)) {
-    throw new \SimpleSAML\Error\BadRequest('Missing AuthID to discovery service response handler');
-}
-
-if (!array_key_exists('idpentityid', $_REQUEST)) {
-    throw new \SimpleSAML\Error\BadRequest('Missing idpentityid to discovery service response handler');
-}
-
-/** @var array $state */
-$state = \SimpleSAML\Auth\State::loadState($_REQUEST['AuthID'], 'saml:sp:sso');
-
-// Find authentication source
-assert(array_key_exists('saml:sp:AuthId', $state));
-$sourceId = $state['saml:sp:AuthId'];
-
-$source = \SimpleSAML\Auth\Source::getById($sourceId);
-if ($source === null) {
-    throw new Exception('Could not find authentication source with id ' . $sourceId);
-}
-if (!($source instanceof \SimpleSAML\Module\sildisco\Auth\Source\SP)) { // GTIS
-    throw new \SimpleSAML\Error\Exception('Source type changed?');
-}
-
-$source->startSSO($_REQUEST['idpentityid'], $state);
diff --git a/modules/sildisco/public/sp/saml2-acs.php b/modules/sildisco/public/sp/saml2-acs.php
deleted file mode 100644
index 3f67e632..00000000
--- a/modules/sildisco/public/sp/saml2-acs.php
+++ /dev/null
@@ -1,273 +0,0 @@
-<?php
-
-/**
- * Assertion consumer service handler for SAML 2.0 SP authentication client.
- *
- * Similar to modules/saml/public/sp/saml2-acs.php
- * 2024-06-06 -- Merged with simplesamlphp 1.19.8, lines marked with GTIS are modified
- */
-
-if (!array_key_exists('PATH_INFO', $_SERVER)) {
-    throw new \SimpleSAML\Error\BadRequest('Missing authentication source ID in assertion consumer service URL');
-}
-
-$sourceId = substr($_SERVER['PATH_INFO'], 1);
-
-/** @var \SimpleSAML\Module\saml\Auth\Source\SP $source */
-$source = \SimpleSAML\Auth\Source::getById($sourceId, '\SimpleSAML\Module\sildisco\Auth\Source\SP'); // GTIS
-
-$spMetadata = $source->getMetadata();
-try {
-    $b = \SAML2\Binding::getCurrentBinding();
-} catch (Exception $e) {
-    // TODO: look for a specific exception
-    // This is dirty. Instead of checking the message of the exception, \SAML2\Binding::getCurrentBinding() should throw
-    // a specific exception when the binding is unknown, and we should capture that here
-    if ($e->getMessage() === 'Unable to find the current binding.') {
-        throw new \SimpleSAML\Error\Error('ACSPARAMS', $e, 400);
-    } else {
-        // do not ignore other exceptions!
-        throw $e;
-    }
-}
-
-if ($b instanceof \SAML2\HTTPArtifact) {
-    $b->setSPMetadata($spMetadata);
-}
-
-$response = $b->receive();
-if (!($response instanceof \SAML2\Response)) {
-    throw new \SimpleSAML\Error\BadRequest('Invalid message received to AssertionConsumerService endpoint.');
-}
-
-/** @psalm-var null|string|\SAML2\XML\saml\Issuer $issuer   Remove in SSP 2.0 */
-$issuer = $response->getIssuer();
-if ($issuer === null) {
-    // no Issuer in the response. Look for an unencrypted assertion with an issuer
-    foreach ($response->getAssertions() as $a) {
-        if ($a instanceof \SAML2\Assertion) {
-            // we found an unencrypted assertion, there should be an issuer here
-            $issuer = $a->getIssuer();
-            break;
-        }
-    }
-    /** @psalm-var string|null $issuer  Remove in SSP 2.0 */
-    if ($issuer === null) {
-        // no issuer found in the assertions
-        throw new Exception('Missing <saml:Issuer> in message delivered to AssertionConsumerService.');
-    }
-}
-
-if ($issuer instanceof \SAML2\XML\saml\Issuer) {
-    /** @psalm-var string|null $issuer */
-    $issuer = $issuer->getValue();
-    if ($issuer === null) {
-        // no issuer found in the assertions
-        throw new Exception('Missing <saml:Issuer> in message delivered to AssertionConsumerService.');
-    }
-}
-
-$session = \SimpleSAML\Session::getSessionFromRequest();
-$prevAuth = $session->getAuthData($sourceId, 'saml:sp:prevAuth');
-/** @psalm-var string $issuer */
-if ($prevAuth !== null && $prevAuth['id'] === $response->getId() && $prevAuth['issuer'] === $issuer) {
-    /* OK, it looks like this message has the same issuer
-     * and ID as the SP session we already have active. We
-     * therefore assume that the user has somehow triggered
-     * a resend of the message.
-     * In that case we may as well just redo the previous redirect
-     * instead of displaying a confusing error message.
-     */
-    SimpleSAML\Logger::info(
-        'Duplicate SAML 2 response detected - ignoring the response and redirecting the user to the correct page.'
-    );
-    if (isset($prevAuth['redirect'])) {
-        \SimpleSAML\Utils\HTTP::redirectTrustedURL($prevAuth['redirect']);
-    }
-
-    SimpleSAML\Logger::info('No RelayState or ReturnURL available, cannot redirect.');
-    throw new \SimpleSAML\Error\Exception('Duplicate assertion received.');
-}
-
-$idpMetadata = null;
-$state = null;
-$stateId = $response->getInResponseTo();
-
-if (!empty($stateId)) {
-    // this should be a response to a request we sent earlier
-    try {
-        $state = \SimpleSAML\Auth\State::loadState($stateId, 'saml:sp:sso');
-    } catch (Exception $e) {
-        // something went wrong,
-        SimpleSAML\Logger::warning('Could not load state specified by InResponseTo: ' . $e->getMessage() .
-            ' Processing response as unsolicited.');
-    }
-}
-
-if ($state) {
-    // check that the authentication source is correct
-    assert(array_key_exists('saml:sp:AuthId', $state));
-    if ($state['saml:sp:AuthId'] !== $sourceId) {
-        throw new \SimpleSAML\Error\Exception(
-            'The authentication source id in the URL does not match the authentication source which sent the request.'
-        );
-    }
-
-    // check that the issuer is the one we are expecting
-    assert(array_key_exists('ExpectedIssuer', $state));
-    if ($state['ExpectedIssuer'] !== $issuer) {
-        $idpMetadata = $source->getIdPMetadata($issuer);
-        $idplist = $idpMetadata->getArrayize('IDPList', []);
-        if (!in_array($state['ExpectedIssuer'], $idplist, true)) {
-            SimpleSAML\Logger::warning(
-                'The issuer of the response not match to the identity provider we sent the request to.'
-            );
-        }
-    }
-} else {
-    // this is an unsolicited response
-    $relaystate = $spMetadata->getString('RelayState', $response->getRelayState());
-    $state = [
-        'saml:sp:isUnsolicited' => true,
-        'saml:sp:AuthId'        => $sourceId,
-        'saml:sp:RelayState'    => $relaystate === null ? null : \SimpleSAML\Utils\HTTP::checkURLAllowed($relaystate),
-    ];
-}
-
-SimpleSAML\Logger::debug('Received SAML2 Response from ' . var_export($issuer, true) . '.');
-
-if (is_null($idpMetadata)) {
-    $idpMetadata = $source->getIdPmetadata($issuer);
-}
-
-try {
-    $assertions = \SimpleSAML\Module\saml\Message::processResponse($spMetadata, $idpMetadata, $response);
-} catch (\SimpleSAML\Module\saml\Error $e) {
-    // the status of the response wasn't "success"
-    $e = $e->toException();
-    \SimpleSAML\Auth\State::throwException($state, $e);
-}
-
-$authenticatingAuthority = null;
-$nameId = null;
-$sessionIndex = null;
-$expire = null;
-$attributes = [];
-$foundAuthnStatement = false;
-
-foreach ($assertions as $assertion) {
-    // check for duplicate assertion (replay attack)
-    $store = \SimpleSAML\Store::getInstance();
-    if ($store !== false) {
-        $aID = $assertion->getId();
-        if ($store->get('saml.AssertionReceived', $aID) !== null) {
-            $e = new \SimpleSAML\Error\Exception('Received duplicate assertion.');
-            \SimpleSAML\Auth\State::throwException($state, $e);
-        }
-
-        $notOnOrAfter = $assertion->getNotOnOrAfter();
-        if ($notOnOrAfter === null) {
-            $notOnOrAfter = time() + 24 * 60 * 60;
-        } else {
-            $notOnOrAfter += 60; // we allow 60 seconds clock skew, so add it here also
-        }
-
-        $store->set('saml.AssertionReceived', $aID, true, $notOnOrAfter);
-    }
-
-    if ($authenticatingAuthority === null) {
-        $authenticatingAuthority = $assertion->getAuthenticatingAuthority();
-    }
-    if ($nameId === null) {
-        $nameId = $assertion->getNameId();
-    }
-    if ($sessionIndex === null) {
-        $sessionIndex = $assertion->getSessionIndex();
-    }
-    if ($expire === null) {
-        $expire = $assertion->getSessionNotOnOrAfter();
-    }
-
-    $attributes = array_merge($attributes, $assertion->getAttributes());
-
-    if ($assertion->getAuthnInstant() !== null) {
-        // assertion contains AuthnStatement, since AuthnInstant is a required attribute
-        $foundAuthnStatement = true;
-    }
-}
-$assertion = end($assertions);
-
-if (!$foundAuthnStatement) {
-    $e = new \SimpleSAML\Error\Exception('No AuthnStatement found in assertion(s).');
-    \SimpleSAML\Auth\State::throwException($state, $e);
-}
-
-if ($expire !== null) {
-    $logoutExpire = $expire;
-} else {
-    // just expire the logout association 24 hours into the future
-    $logoutExpire = time() + 24 * 60 * 60;
-}
-
-if (!empty($nameId)) {
-    // register this session in the logout store
-    \SimpleSAML\Module\saml\SP\LogoutStore::addSession($sourceId, $nameId, $sessionIndex, $logoutExpire);
-
-    // we need to save the NameID and SessionIndex for logout
-    $logoutState = [
-        'saml:logout:Type'         => 'saml2',
-        'saml:logout:IdP'          => $issuer,
-        'saml:logout:NameID'       => $nameId,
-        'saml:logout:SessionIndex' => $sessionIndex,
-    ];
-
-    $state['saml:sp:NameID'] = $nameId; // no need to mark it as persistent, it already is
-} else {
-    /*
-     * No NameID provided, we can't logout from this IdP!
-     *
-     * Even though interoperability profiles "require" a NameID, the SAML 2.0 standard does not require it to be present
-     * in assertions. That way, we could have a Subject with only a SubjectConfirmation, or even no Subject element at
-     * all.
-     *
-     * In case we receive a SAML assertion with no NameID, we can be graceful and continue, but we won't be able to
-     * perform a Single Logout since the SAML logout profile mandates the use of a NameID to identify the individual we
-     * want to be logged out. In order to minimize the impact of this, we keep logout state information (without saving
-     * it to the store), marking the IdP as SAML 1.0, which does not implement logout. Then we can safely log the user
-     * out from the local session, skipping Single Logout upstream to the IdP.
-     */
-    $logoutState = [
-        'saml:logout:Type'         => 'saml1',
-    ];
-}
-
-$state['LogoutState'] = $logoutState;
-$state['saml:AuthenticatingAuthority'] = $authenticatingAuthority;
-$state['saml:AuthenticatingAuthority'][] = $issuer;
-$state['PersistentAuthData'][] = 'saml:AuthenticatingAuthority';
-$state['saml:AuthnInstant'] = $assertion->getAuthnInstant();
-$state['PersistentAuthData'][] = 'saml:AuthnInstant';
-$state['saml:sp:SessionIndex'] = $sessionIndex;
-$state['PersistentAuthData'][] = 'saml:sp:SessionIndex';
-$state['saml:sp:AuthnContext'] = $assertion->getAuthnContextClassRef();
-$state['PersistentAuthData'][] = 'saml:sp:AuthnContext';
-
-if ($expire !== null) {
-    $state['Expire'] = $expire;
-}
-
-// note some information about the authentication, in case we receive the same response again
-$state['saml:sp:prevAuth'] = [
-    'id'     => $response->getId(),
-    'issuer' => $issuer,
-    'inResponseTo' => $response->getInResponseTo(),
-];
-if (isset($state['\SimpleSAML\Auth\Source.ReturnURL'])) {
-    $state['saml:sp:prevAuth']['redirect'] = $state['\SimpleSAML\Auth\Source.ReturnURL'];
-} elseif (isset($state['saml:sp:RelayState'])) {
-    $state['saml:sp:prevAuth']['redirect'] = $state['saml:sp:RelayState'];
-}
-$state['PersistentAuthData'][] = 'saml:sp:prevAuth';
-
-$source->handleResponse($state, $issuer, $attributes);
-assert(false);
diff --git a/modules/sildisco/public/sp/saml2-logout.php b/modules/sildisco/public/sp/saml2-logout.php
deleted file mode 100644
index 36472c90..00000000
--- a/modules/sildisco/public/sp/saml2-logout.php
+++ /dev/null
@@ -1,156 +0,0 @@
-<?php
-
-/**
- * Logout endpoint handler for SAML SP authentication client.
- *
- * This endpoint handles both logout requests and logout responses.
- *
- * Similar to modules/saml/public/sp/saml2-logout.php
- * 2024-06-06 -- Merged with simplesamlphp 1.19.8, lines marked with GTIS are modified
- */
-
-if (!array_key_exists('PATH_INFO', $_SERVER)) {
-    throw new \SimpleSAML\Error\BadRequest('Missing authentication source ID in logout URL');
-}
-
-$sourceId = substr($_SERVER['PATH_INFO'], 1);
-
-/** @var \SimpleSAML\Module\saml\Auth\Source\SP $source */
-$source = \SimpleSAML\Auth\Source::getById($sourceId);
-if ($source === null) {
-    throw new \Exception('Could not find authentication source with id ' . $sourceId);
-} elseif (!($source instanceof \SimpleSAML\Module\sildisco\Auth\Source\SP)) { // GTIS
-    throw new \SimpleSAML\Error\Exception('Source type changed?');
-}
-
-try {
-    $binding = \SAML2\Binding::getCurrentBinding();
-} catch (\Exception $e) {
-    // TODO: look for a specific exception
-    // This is dirty. Instead of checking the message of the exception, \SAML2\Binding::getCurrentBinding() should throw
-    // an specific exception when the binding is unknown, and we should capture that here
-    if ($e->getMessage() === 'Unable to find the current binding.') {
-        throw new \SimpleSAML\Error\Error('SLOSERVICEPARAMS', $e, 400);
-    } else {
-        throw $e; // do not ignore other exceptions!
-    }
-}
-$message = $binding->receive();
-
-$issuer = $message->getIssuer();
-if ($issuer instanceof \SAML2\XML\saml\Issuer) {
-    $idpEntityId = $issuer->getValue();
-} else {
-    $idpEntityId = $issuer;
-}
-
-if ($idpEntityId === null) {
-    // Without an issuer we have no way to respond to the message.
-    throw new \SimpleSAML\Error\BadRequest('Received message on logout endpoint without issuer.');
-}
-
-/** @var \SimpleSAML\Module\saml\Auth\Source\SP $source */
-$spEntityId = $source->getEntityId();
-
-$metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
-$idpMetadata = $source->getIdPMetadata($idpEntityId);
-$spMetadata = $source->getMetadata();
-
-\SimpleSAML\Module\saml\Message::validateMessage($idpMetadata, $spMetadata, $message);
-
-$httpUtils = new \SimpleSAML\Utils\HTTP();
-$destination = $message->getDestination();
-if ($destination !== null && $destination !== $httpUtils->getSelfURLNoQuery()) {
-    throw new \SimpleSAML\Error\Exception('Destination in logout message is wrong.');
-}
-
-if ($message instanceof \SAML2\LogoutResponse) {
-    $relayState = $message->getRelayState();
-    if ($relayState === null) {
-        // Somehow, our RelayState has been lost.
-        throw new \SimpleSAML\Error\BadRequest('Missing RelayState in logout response.');
-    }
-
-    if (!$message->isSuccess()) {
-        \SimpleSAML\Logger::warning(
-            'Unsuccessful logout. Status was: ' . \SimpleSAML\Module\saml\Message::getResponseError($message)
-        );
-    }
-
-    $state = \SimpleSAML\Auth\State::loadState($relayState, 'saml:slosent');
-    $state['saml:sp:LogoutStatus'] = $message->getStatus();
-    \SimpleSAML\Auth\Source::completeLogout($state);
-} elseif ($message instanceof \SAML2\LogoutRequest) {
-    \SimpleSAML\Logger::debug('module/sildisco/sp/logout: Request from ' . $idpEntityId); // GTIS
-    \SimpleSAML\Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId);
-
-    if ($message->isNameIdEncrypted()) {
-        try {
-            $keys = \SimpleSAML\Module\saml\Message::getDecryptionKeys($idpMetadata, $spMetadata);
-        } catch (\Exception $e) {
-            throw new \SimpleSAML\Error\Exception('Error decrypting NameID: ' . $e->getMessage());
-        }
-
-        $blacklist = \SimpleSAML\Module\saml\Message::getBlacklistedAlgorithms($idpMetadata, $spMetadata);
-
-        $lastException = null;
-        foreach ($keys as $i => $key) {
-            try {
-                $message->decryptNameId($key, $blacklist);
-                \SimpleSAML\Logger::debug('Decryption with key #' . $i . ' succeeded.');
-                $lastException = null;
-                break;
-            } catch (\Exception $e) {
-                \SimpleSAML\Logger::debug('Decryption with key #' . $i . ' failed with exception: ' . $e->getMessage());
-                $lastException = $e;
-            }
-        }
-        if ($lastException !== null) {
-            throw $lastException;
-        }
-    }
-
-    $nameId = $message->getNameId();
-    $sessionIndexes = $message->getSessionIndexes();
-
-    /** @psalm-suppress PossiblyNullArgument  This will be fixed in saml2 5.0 */
-    $numLoggedOut = \SimpleSAML\Module\saml\SP\LogoutStore::logoutSessions($sourceId, $nameId, $sessionIndexes);
-    if ($numLoggedOut === false) {
-        // This type of logout was unsupported. Use the old method
-        $source->handleLogout($idpEntityId);
-        $numLoggedOut = count($sessionIndexes);
-    }
-
-    // Create and send response
-    $lr = \SimpleSAML\Module\saml\Message::buildLogoutResponse($spMetadata, $idpMetadata);
-    $lr->setRelayState($message->getRelayState());
-    $lr->setInResponseTo($message->getId());
-
-    if ($numLoggedOut < count($sessionIndexes)) {
-        \SimpleSAML\Logger::warning('Logged out of ' . $numLoggedOut . ' of ' . count($sessionIndexes) . ' sessions.');
-    }
-
-    /** @var array $dst */
-    $dst = $idpMetadata->getEndpointPrioritizedByBinding(
-        'SingleLogoutService',
-        [
-            \SAML2\Constants::BINDING_HTTP_REDIRECT,
-            \SAML2\Constants::BINDING_HTTP_POST
-        ]
-    );
-
-    if (!($binding instanceof \SAML2\SOAP)) {
-        $binding = \SAML2\Binding::getBinding($dst['Binding']);
-        if (isset($dst['ResponseLocation'])) {
-            $dst = $dst['ResponseLocation'];
-        } else {
-            $dst = $dst['Location'];
-        }
-        $binding->setDestination($dst);
-    }
-    $lr->setDestination($dst);
-
-    $binding->send($lr);
-} else {
-    throw new \SimpleSAML\Error\BadRequest('Unknown message received on logout endpoint: ' . get_class($message));
-}
diff --git a/modules/sildisco/routing/routes/routes.yml b/modules/sildisco/routing/routes/routes.yml
new file mode 100644
index 00000000..145f4043
--- /dev/null
+++ b/modules/sildisco/routing/routes/routes.yml
@@ -0,0 +1,4 @@
+sildisco-main:
+  path: /disco.php
+  defaults: { _controller: 'SimpleSAML\Module\sildisco\Controller\SilDisco::main' }
+  methods: [ GET ]
diff --git a/modules/sildisco/src/Auth/Process/AddIdp2NameId.php b/modules/sildisco/src/Auth/Process/AddIdp2NameId.php
index 80c29ebc..1ec92324 100644
--- a/modules/sildisco/src/Auth/Process/AddIdp2NameId.php
+++ b/modules/sildisco/src/Auth/Process/AddIdp2NameId.php
@@ -4,6 +4,9 @@
 
 use SAML2\XML\saml\NameID;
 use Sil\SspUtils\Metadata;
+use SimpleSAML\Auth\ProcessingFilter;
+use SimpleSAML\Error;
+use SimpleSAML\Logger;
 
 /**
  * Attribute filter for appending IDPNamespace to the NameID.
@@ -17,7 +20,7 @@
  *   ],
  *
  */
-class AddIdp2NameId extends \SimpleSAML\Auth\ProcessingFilter
+class AddIdp2NameId extends ProcessingFilter
 {
 
     const IDP_KEY = "saml:sp:IdP"; // the key that points to the entity id in the state
@@ -56,7 +59,7 @@ class AddIdp2NameId extends \SimpleSAML\Auth\ProcessingFilter
      *
      * @var string|bool
      */
-    private sring|bool $spNameQualifier;
+    private string|bool $spNameQualifier;
 
 
     /**
@@ -124,7 +127,7 @@ public function process(array &$state): void
         $samlIDP = $state[self::IDP_KEY];
 
         if (empty($state[self::SP_NAMEID_ATTR])) {
-            \SimpleSAML\Logger::warning(
+            Logger::warning(
                 self::SP_NAMEID_ATTR . ' attribute not available from ' .
                 $samlIDP . '.'
             );
@@ -138,25 +141,25 @@ public function process(array &$state): void
         if (isset($state['metadataPath'])) {
             $metadataPath = $state['metadataPath'];
         }
-        $idpEntries = \Sil\SspUtils\Metadata::getIdpMetadataEntries($metadataPath);
+        $idpEntries = Metadata::getIdpMetadataEntries($metadataPath);
 
         $idpEntry = $idpEntries[$samlIDP];
 
         // The IDP metadata must have an IDPNamespace entry
         if (!isset($idpEntry[self::IDP_CODE_KEY])) {
-            throw new \SimpleSAML\Error\Exception(self::ERROR_PREFIX . "Missing required metadata entry: " .
+            throw new Error\Exception(self::ERROR_PREFIX . "Missing required metadata entry: " .
                 self::IDP_CODE_KEY . ".");
         }
 
         // IDPNamespace must be a non-empty string
         if (!is_string($idpEntry[self::IDP_CODE_KEY])) {
-            throw new \SimpleSAML\Error\Exception(self::ERROR_PREFIX . "Required metadata " .
+            throw new Error\Exception(self::ERROR_PREFIX . "Required metadata " .
                 "entry, " . self::IDP_CODE_KEY . ", must be a non-empty string.");
         }
 
         // IDPNamespace must not have special characters in it
         if (!preg_match("/^[A-Za-z0-9_-]+$/", $idpEntry[self::IDP_CODE_KEY])) {
-            throw new \SimpleSAML\Error\Exception(self::ERROR_PREFIX . "Required metadata " .
+            throw new Error\Exception(self::ERROR_PREFIX . "Required metadata " .
                 "entry, " . self::IDP_CODE_KEY . ", must not be empty or contain anything except " .
                 "letters, numbers, hyphens and underscores.");
         }
diff --git a/modules/sildisco/src/Auth/Process/LogUser.php b/modules/sildisco/src/Auth/Process/LogUser.php
index 8fa55449..c13f1c17 100644
--- a/modules/sildisco/src/Auth/Process/LogUser.php
+++ b/modules/sildisco/src/Auth/Process/LogUser.php
@@ -4,6 +4,9 @@
 
 use Aws\DynamoDb\Marshaler;
 use Aws\Sdk;
+use Sil\SspUtils\Metadata;
+use SimpleSAML\Auth\ProcessingFilter;
+use SimpleSAML\Logger;
 
 /**
  * This Auth Proc logs information about each successful login to an AWS Dynamodb table.
@@ -16,7 +19,7 @@
  *   'DynamoEndpoint' ex. http://dynamo:8000
  *
  */
-class LogUser extends \SimpleSAML\Auth\ProcessingFilter
+class LogUser extends ProcessingFilter
 {
 
     const AWS_ACCESS_KEY_ID_ENV = "DYNAMO_ACCESS_KEY_ID";
@@ -75,12 +78,12 @@ public function process(array &$state): void
 
         $awsKey = getenv(self::AWS_ACCESS_KEY_ID_ENV);
         if (!$awsKey) {
-            \SimpleSAML\Logger::error(self::AWS_ACCESS_KEY_ID_ENV . " environment variable is required for LogUser.");
+            Logger::error(self::AWS_ACCESS_KEY_ID_ENV . " environment variable is required for LogUser.");
             return;
         }
         $awsSecret = getenv(self::AWS_SECRET_ACCESS_KEY_ENV);
         if (!$awsSecret) {
-            \SimpleSAML\Logger::error(self::AWS_SECRET_ACCESS_KEY_ENV . " environment variable is required for LogUser.");
+            Logger::error(self::AWS_SECRET_ACCESS_KEY_ENV . " environment variable is required for LogUser.");
             return;
         }
 
@@ -135,7 +138,7 @@ public function process(array &$state): void
         try {
             $result = $dynamodb->putItem($params);
         } catch (\Exception $e) {
-            \SimpleSAML\Logger::error("Unable to add item: " . $e->getMessage());
+            Logger::error("Unable to add item: " . $e->getMessage());
         }
     }
 
@@ -144,12 +147,12 @@ private function configsAreValid(): bool
         $msg = ' config value not provided to LogUser.';
 
         if (empty($this->dynamoRegion)) {
-            \SimpleSAML\Logger::error(self::DYNAMO_REGION_KEY . $msg);
+            Logger::error(self::DYNAMO_REGION_KEY . $msg);
             return false;
         }
 
         if (empty($this->dynamoLogTable)) {
-            \SimpleSAML\Logger::error(self::DYNAMO_LOG_TABLE_KEY . $msg);
+            Logger::error(self::DYNAMO_LOG_TABLE_KEY . $msg);
             return false;
         }
 
@@ -171,7 +174,7 @@ private function getIdp(array &$state)
         if (isset($state['metadataPath'])) {
             $metadataPath = $state['metadataPath'];
         }
-        $idpEntries = \Sil\SspUtils\Metadata::getIdpMetadataEntries($metadataPath);
+        $idpEntries = Metadata::getIdpMetadataEntries($metadataPath);
 
         // Get the IDPNamespace or else just use the IDP's entity ID
         $idpEntry = $idpEntries[$samlIDP];
diff --git a/modules/sildisco/src/Auth/Process/TagGroup.php b/modules/sildisco/src/Auth/Process/TagGroup.php
index 3328c200..354244b0 100644
--- a/modules/sildisco/src/Auth/Process/TagGroup.php
+++ b/modules/sildisco/src/Auth/Process/TagGroup.php
@@ -3,12 +3,13 @@
 namespace SimpleSAML\Module\sildisco\Auth\Process;
 
 use Sil\SspUtils\Metadata;
+use SimpleSAML\Auth\ProcessingFilter;
 
 /**
  * Attribute filter for prefixing group names
  *
  */
-class TagGroup extends \SimpleSAML\Auth\ProcessingFilter
+class TagGroup extends ProcessingFilter
 {
 
     const IDP_NAME_KEY = 'name'; // the metadata key for the IDP's name
@@ -57,7 +58,7 @@ public function process(array &$state): void
             $metadataPath = $state['metadataPath'];
         }
 
-        $idpEntries = \Sil\SspUtils\Metadata::getIdpMetadataEntries($metadataPath);
+        $idpEntries = Metadata::getIdpMetadataEntries($metadataPath);
 
         $samlIDP = $state["saml:sp:IdP"];
 
diff --git a/modules/sildisco/src/Auth/Process/TrackIdps.php b/modules/sildisco/src/Auth/Process/TrackIdps.php
index 7903f569..e14a4158 100644
--- a/modules/sildisco/src/Auth/Process/TrackIdps.php
+++ b/modules/sildisco/src/Auth/Process/TrackIdps.php
@@ -2,11 +2,14 @@
 
 namespace SimpleSAML\Module\sildisco\Auth\Process;
 
+use SimpleSAML\Auth\ProcessingFilter;
+use SimpleSAML\Session;
+
 /**
  * Attribute filter for adding Idps to the session
  *
  */
-class TrackIdps extends \SimpleSAML\Auth\ProcessingFilter
+class TrackIdps extends ProcessingFilter
 {
 
     /**
@@ -17,7 +20,7 @@ class TrackIdps extends \SimpleSAML\Auth\ProcessingFilter
     public function process(array &$state): void
     {
         // get the authenticating Idp and add it to the list of previous ones
-        $session = \SimpleSAML\Session::getSessionFromRequest();
+        $session = Session::getSessionFromRequest();
         $sessionDataType = "sildisco:authentication";
         $sessionKey = "authenticated_idps";
 
diff --git a/modules/sildisco/src/Auth/Source/SP.php b/modules/sildisco/src/Auth/Source/SP.php
deleted file mode 100644
index f5023267..00000000
--- a/modules/sildisco/src/Auth/Source/SP.php
+++ /dev/null
@@ -1,1240 +0,0 @@
-<?php
-
-/**
- * Modified from origin: modules/saml/src/Auth/Source/SP.php
- * 2024-06-06 -- Merged with simplesamlphp 1.19.8, lines/sections marked with GTIS are modified
- */
-
-declare(strict_types=1);
-
-namespace SimpleSAML\Module\sildisco\Auth\Source; // GTIS
-
-use sil\SspUtils\DiscoUtils; // GTIS
-
-use SAML2\AuthnRequest;
-use SAML2\Binding;
-use SAML2\Constants;
-use SAML2\XML\saml\NameID;
-use SimpleSAML\Auth;
-use SimpleSAML\Configuration;
-use SimpleSAML\Error;
-use SimpleSAML\IdP;
-use SimpleSAML\Logger;
-use SimpleSAML\Metadata\MetaDataStorageHandler;
-use SimpleSAML\Module;
-use SimpleSAML\Session;
-use SimpleSAML\Store;
-use SimpleSAML\Utils;
-use SimpleSAML\XML\Shib13;
-
-class SP extends \SimpleSAML\Auth\Source
-{
-    /**
-     * The entity ID of this SP.
-     *
-     * @var string
-     */
-    private $entityId;
-
-    /**
-     * The metadata of this SP.
-     *
-     * @var \SimpleSAML\Configuration
-     */
-    private $metadata;
-
-    /**
-     * The IdP the user is allowed to log into.
-     *
-     * @var string|null  The IdP the user can log into, or null if the user can log into all IdPs.
-     */
-    private $idp;
-
-    /**
-     * URL to discovery service.
-     *
-     * @var string|null
-     */
-    private $discoURL;
-
-    /**
-     * Flag to indicate whether to disable sending the Scoping element.
-     *
-     * @var bool
-     */
-    private $disable_scoping;
-
-    /**
-     * A list of supported protocols.
-     *
-     * @var string[]
-     */
-    private $protocols = [];
-
-
-    /**
-     * Constructor for SAML SP authentication source.
-     *
-     * @param array $info  Information about this authentication source.
-     * @param array $config  Configuration.
-     */
-    public function __construct($info, $config)
-    {
-        assert(is_array($info));
-        assert(is_array($config));
-
-        // Call the parent constructor first, as required by the interface
-        parent::__construct($info, $config);
-
-        if (!isset($config['entityID'])) {
-            $config['entityID'] = $this->getMetadataURL();
-        }
-
-        /* For compatibility with code that assumes that $metadata->getString('entityid')
-         * gives the entity id. */
-        $config['entityid'] = $config['entityID'];
-
-        $this->metadata = Configuration::loadFromArray(
-            $config,
-            'authsources[' . var_export($this->authId, true) . ']'
-        );
-        $this->entityId = $this->metadata->getString('entityID');
-        $this->idp = $this->metadata->getString('idp', null);
-        $this->discoURL = $this->metadata->getString('discoURL', null);
-        $this->disable_scoping = $this->metadata->getBoolean('disable_scoping', false);
-
-        if (empty($this->discoURL) && Module::isModuleEnabled('discojuice')) {
-            $this->discoURL = Module::getModuleURL('discojuice/central.php');
-        }
-    }
-
-
-    /**
-     * Retrieve the URL to the metadata of this SP.
-     *
-     * @return string  The metadata URL.
-     */
-    public function getMetadataURL()
-    {
-        return Module::getModuleURL('saml/sp/metadata.php/' . urlencode($this->authId));
-    }
-
-
-    /**
-     * Retrieve the entity id of this SP.
-     *
-     * @return string  The entity id of this SP.
-     */
-    public function getEntityId()
-    {
-        return $this->entityId;
-    }
-
-
-    /**
-     * Retrieve the metadata array of this SP, as a remote IdP would see it.
-     *
-     * @return array The metadata array for its use by a remote IdP.
-     */
-    public function getHostedMetadata()
-    {
-        $entityid = $this->getEntityId();
-        $metadata = [
-            'entityid' => $entityid,
-            'metadata-set' => 'saml20-sp-remote',
-            'SingleLogoutService' => $this->getSLOEndpoints(),
-            'AssertionConsumerService' => $this->getACSEndpoints(),
-        ];
-
-        // add NameIDPolicy
-        if ($this->metadata->hasValue('NameIDPolicy')) {
-            $format = $this->metadata->getValue('NameIDPolicy');
-            if (is_array($format)) {
-                $metadata['NameIDFormat'] = Configuration::loadFromArray($format)->getString(
-                    'Format',
-                    Constants::NAMEID_TRANSIENT
-                );
-            } elseif (is_string($format)) {
-                $metadata['NameIDFormat'] = $format;
-            }
-        }
-
-        // add attributes
-        $name = $this->metadata->getLocalizedString('name', null);
-        $attributes = $this->metadata->getArray('attributes', []);
-        if ($name !== null) {
-            if (!empty($attributes)) {
-                $metadata['name'] = $name;
-                $metadata['attributes'] = $attributes;
-                if ($this->metadata->hasValue('attributes.required')) {
-                    $metadata['attributes.required'] = $this->metadata->getArray('attributes.required');
-                }
-                if ($this->metadata->hasValue('description')) {
-                    $metadata['description'] = $this->metadata->getArray('description');
-                }
-                if ($this->metadata->hasValue('attributes.NameFormat')) {
-                    $metadata['attributes.NameFormat'] = $this->metadata->getString('attributes.NameFormat');
-                }
-                if ($this->metadata->hasValue('attributes.index')) {
-                    $metadata['attributes.index'] = $this->metadata->getInteger('attributes.index');
-                }
-                if ($this->metadata->hasValue('attributes.isDefault')) {
-                    $metadata['attributes.isDefault'] = $this->metadata->getBoolean('attributes.isDefault');
-                }
-            }
-        }
-
-        // add organization info
-        $org = $this->metadata->getLocalizedString('OrganizationName', null);
-        if ($org !== null) {
-            $metadata['OrganizationName'] = $org;
-            $metadata['OrganizationDisplayName'] = $this->metadata->getLocalizedString('OrganizationDisplayName', $org);
-            $metadata['OrganizationURL'] = $this->metadata->getLocalizedString('OrganizationURL', null);
-            if ($metadata['OrganizationURL'] === null) {
-                throw new Error\Exception(
-                    'If OrganizationName is set, OrganizationURL must also be set.'
-                );
-            }
-        }
-
-        // add contacts
-        $contacts = $this->metadata->getArray('contacts', []);
-        foreach ($contacts as $contact) {
-            $metadata['contacts'][] = Utils\Config\Metadata::getContact($contact);
-        }
-
-        // add technical contact
-        $globalConfig = Configuration::getInstance();
-        $email = $globalConfig->getString('technicalcontact_email', 'na@example.org');
-        if ($email && $email !== 'na@example.org') {
-            $contact = [
-                'emailAddress' => $email,
-                'name' => $globalConfig->getString('technicalcontact_name', null),
-                'contactType' => 'technical',
-            ];
-            $metadata['contacts'][] = Utils\Config\Metadata::getContact($contact);
-        }
-
-        // add certificate(s)
-        $certInfo = Utils\Crypto::loadPublicKey($this->metadata, false, 'new_');
-        $hasNewCert = false;
-        if ($certInfo !== null && array_key_exists('certData', $certInfo)) {
-            $hasNewCert = true;
-            $metadata['keys'][] = [
-                'type' => 'X509Certificate',
-                'signing' => true,
-                'encryption' => true,
-                'X509Certificate' => $certInfo['certData'],
-                'prefix' => 'new_',
-                'url' => Module::getModuleURL(
-                    'admin/federation/cert',
-                    [
-                        'set' => 'saml20-sp-hosted',
-                        'source' => $this->getAuthId(),
-                        'prefix' => 'new_'
-                    ]
-                ),
-                'name' => 'sp',
-            ];
-        }
-
-        $certInfo = Utils\Crypto::loadPublicKey($this->metadata);
-        if ($certInfo !== null && array_key_exists('certData', $certInfo)) {
-            $metadata['keys'][] = [
-                'type' => 'X509Certificate',
-                'signing' => true,
-                'encryption' => $hasNewCert ? false : true,
-                'X509Certificate' => $certInfo['certData'],
-                'prefix' => '',
-                'url' => Module::getModuleURL(
-                    'admin/federation/cert',
-                    [
-                        'set' => 'saml20-sp-hosted',
-                        'source' => $this->getAuthId(),
-                        'prefix' => ''
-                    ]
-                ),
-                'name' => 'sp',
-            ];
-        }
-
-        // add EntityAttributes extension
-        if ($this->metadata->hasValue('EntityAttributes')) {
-            $metadata['EntityAttributes'] = $this->metadata->getArray('EntityAttributes');
-        }
-
-        // add UIInfo extension
-        if ($this->metadata->hasValue('UIInfo')) {
-            $metadata['UIInfo'] = $this->metadata->getArray('UIInfo');
-        }
-
-        // add RegistrationInfo extension
-        if ($this->metadata->hasValue('RegistrationInfo')) {
-            $metadata['RegistrationInfo'] = $this->metadata->getArray('RegistrationInfo');
-        }
-
-        // add signature options
-        if ($this->metadata->hasValue('WantAssertionsSigned')) {
-            $metadata['saml20.sign.assertion'] = $this->metadata->getBoolean('WantAssertionsSigned');
-        }
-        if ($this->metadata->hasValue('redirect.sign')) {
-            $metadata['redirect.validate'] = $this->metadata->getBoolean('redirect.sign');
-        } elseif ($this->metadata->hasValue('sign.authnrequest')) {
-            $metadata['validate.authnrequest'] = $this->metadata->getBoolean('sign.authnrequest');
-        }
-
-        return $metadata;
-    }
-
-
-    /**
-     * Retrieve the metadata of an IdP.
-     *
-     * @param string $entityId  The entity id of the IdP.
-     * @return \SimpleSAML\Configuration  The metadata of the IdP.
-     */
-    public function getIdPMetadata($entityId)
-    {
-        assert(is_string($entityId));
-
-        if ($this->idp !== null && $this->idp !== $entityId) {
-            throw new Error\Exception('Cannot retrieve metadata for IdP ' .
-                var_export($entityId, true) . ' because it isn\'t a valid IdP for this SP.');
-        }
-
-        $metadataHandler = MetaDataStorageHandler::getMetadataHandler();
-
-        // First, look in saml20-idp-remote.
-        try {
-            return $metadataHandler->getMetaDataConfig($entityId, 'saml20-idp-remote');
-        } catch (\Exception $e) {
-            // Metadata wasn't found
-            Logger::debug('getIdpMetadata: ' . $e->getMessage());
-        }
-
-        // Not found in saml20-idp-remote, look in shib13-idp-remote
-        try {
-            return $metadataHandler->getMetaDataConfig($entityId, 'shib13-idp-remote');
-        } catch (\Exception $e) {
-            // Metadata wasn't found
-            Logger::debug('getIdpMetadata: ' . $e->getMessage());
-        }
-
-        // Not found
-        throw new Error\Exception('Could not find the metadata of an IdP with entity ID ' .
-            var_export($entityId, true));
-    }
-
-
-    /**
-     * Retrieve the metadata of this SP.
-     *
-     * @return \SimpleSAML\Configuration  The metadata of this SP.
-     */
-    public function getMetadata()
-    {
-        return $this->metadata;
-    }
-
-
-    /**
-     * Get a list with the protocols supported by this SP.
-     *
-     * @return array
-     */
-    public function getSupportedProtocols()
-    {
-        return $this->protocols;
-    }
-
-
-    /**
-     * Get the AssertionConsumerService endpoints for a given local SP.
-     *
-     * @return array
-     * @throws \Exception
-     */
-    private function getACSEndpoints(): array
-    {
-        // If a list of endpoints is specified in config, take that at face value
-        if ($this->metadata->hasValue('AssertionConsumerService')) {
-            return $this->metadata->getArray('AssertionConsumerService');
-        }
-
-        $endpoints = [];
-        $default = [
-            Constants::BINDING_HTTP_POST,
-            'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
-            Constants::BINDING_HTTP_ARTIFACT,
-            'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
-        ];
-        if ($this->metadata->getString('ProtocolBinding', '') === Constants::BINDING_HOK_SSO) {
-            $default[] = Constants::BINDING_HOK_SSO;
-        }
-
-        $bindings = $this->metadata->getArray('acs.Bindings', $default);
-        $index = 0;
-        foreach ($bindings as $service) {
-            switch ($service) {
-                case Constants::BINDING_HTTP_POST:
-                    $acs = [
-                        'Binding' => Constants::BINDING_HTTP_POST,
-                        'Location' => Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->getAuthId()),
-                    ];
-                    if (!in_array(Constants::NS_SAMLP, $this->protocols, true)) {
-                        $this->protocols[] = Constants::NS_SAMLP;
-                    }
-                    break;
-                case 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post':
-                    $acs = [
-                        'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
-                        'Location' => Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->getAuthId()),
-                    ];
-                    if (!in_array('urn:oasis:names:tc:SAML:1.0:profiles:browser-post', $this->protocols, true)) {
-                        $this->protocols[] = 'urn:oasis:names:tc:SAML:1.1:protocol';
-                    }
-                    break;
-                case Constants::BINDING_HTTP_ARTIFACT:
-                    $acs = [
-                        'Binding' => Constants::BINDING_HTTP_ARTIFACT,
-                        'Location' => Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->getAuthId()),
-                    ];
-                    if (!in_array(Constants::NS_SAMLP, $this->protocols, true)) {
-                        $this->protocols[] = Constants::NS_SAMLP;
-                    }
-                    break;
-                case 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01':
-                    $acs = [
-                        'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
-                        'Location' => Module::getModuleURL(
-                            'saml/sp/saml1-acs.php/' . $this->getAuthId() . '/artifact'
-                        ),
-                    ];
-                    if (!in_array('urn:oasis:names:tc:SAML:1.1:protocol', $this->protocols, true)) {
-                        $this->protocols[] = 'urn:oasis:names:tc:SAML:1.1:protocol';
-                    }
-                    break;
-                case Constants::BINDING_HOK_SSO:
-                    $acs = [
-                        'Binding' => Constants::BINDING_HOK_SSO,
-                        'Location' => Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->getAuthId()),
-                        'hoksso:ProtocolBinding' => Constants::BINDING_HTTP_REDIRECT,
-                    ];
-                    if (!in_array(Constants::NS_SAMLP, $this->protocols, true)) {
-                        $this->protocols[] = Constants::NS_SAMLP;
-                    }
-                    break;
-                default:
-                    $acs = [];
-            }
-            $acs['index'] = $index;
-            $endpoints[] = $acs;
-            $index++;
-        }
-        return $endpoints;
-    }
-
-
-    /**
-     * Get the SingleLogoutService endpoints available for a given local SP.
-     *
-     * @return array
-     * @throws \SimpleSAML\Error\CriticalConfigurationError
-     */
-    private function getSLOEndpoints(): array
-    {
-        $store = Store::getInstance();
-        $bindings = $this->metadata->getArray(
-            'SingleLogoutServiceBinding',
-            [
-                Constants::BINDING_HTTP_REDIRECT,
-                Constants::BINDING_SOAP,
-            ]
-        );
-        $defaultLocation = Module::getModuleURL('saml/sp/saml2-logout.php/' . $this->getAuthId());
-        $location = $this->metadata->getString('SingleLogoutServiceLocation', $defaultLocation);
-
-        $endpoints = [];
-        foreach ($bindings as $binding) {
-            if ($binding == Constants::BINDING_SOAP && !($store instanceof Store\SQL)) {
-                // we cannot properly support SOAP logout
-                continue;
-            }
-            $endpoints[] = [
-                'Binding' => $binding,
-                'Location' => $location,
-            ];
-        }
-        return $endpoints;
-    }
-
-
-    /**
-     * Send a SAML1 SSO request to an IdP.
-     *
-     * @param \SimpleSAML\Configuration $idpMetadata  The metadata of the IdP.
-     * @param array $state  The state array for the current authentication.
-     * @return void
-     * @deprecated will be removed in a future version
-     */
-    private function startSSO1(Configuration $idpMetadata, array $state): void
-    {
-        $idpEntityId = $idpMetadata->getString('entityid');
-
-        $state['saml:idp'] = $idpEntityId;
-
-        $ar = new Shib13\AuthnRequest();
-        $ar->setIssuer($this->entityId);
-
-        $id = Auth\State::saveState($state, 'saml:sp:sso');
-        $ar->setRelayState($id);
-
-        $useArtifact = $idpMetadata->getBoolean('saml1.useartifact', null);
-        if ($useArtifact === null) {
-            $useArtifact = $this->metadata->getBoolean('saml1.useartifact', false);
-        }
-
-        if ($useArtifact) {
-            $shire = Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId . '/artifact');
-        } else {
-            $shire = Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId);
-        }
-
-        $url = $ar->createRedirect($idpEntityId, $shire);
-
-        Logger::debug('Starting SAML 1 SSO to ' . var_export($idpEntityId, true) .
-            ' from ' . var_export($this->entityId, true) . '.');
-        Utils\HTTP::redirectTrustedURL($url);
-    }
-
-
-    /**
-     * Send a SAML2 SSO request to an IdP
-     *
-     * @param \SimpleSAML\Configuration $idpMetadata  The metadata of the IdP.
-     * @param array $state  The state array for the current authentication.
-     * @return void
-     */
-    private function startSSO2(Configuration $idpMetadata, array $state): void
-    {
-        if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] < 0) {
-            Auth\State::throwException(
-                $state,
-                new Module\saml\Error\ProxyCountExceeded(Constants::STATUS_RESPONDER)
-            );
-        }
-
-        $ar = Module\saml\Message::buildAuthnRequest($this->metadata, $idpMetadata);
-
-        // GTIS
-        $ar->setAssertionConsumerServiceURL(Module::getModuleURL('sildisco/sp/saml2-acs.php/'.$this->authId));
-
-        if (isset($state['\SimpleSAML\Auth\Source.ReturnURL'])) {
-            $ar->setRelayState($state['\SimpleSAML\Auth\Source.ReturnURL']);
-        }
-
-        $accr = null;
-        if ($idpMetadata->getString('AuthnContextClassRef', false)) {
-            $accr = Utils\Arrays::arrayize($idpMetadata->getString('AuthnContextClassRef'));
-        } elseif (isset($state['saml:AuthnContextClassRef'])) {
-            $accr = Utils\Arrays::arrayize($state['saml:AuthnContextClassRef']);
-        }
-
-        if ($accr !== null) {
-            $comp = Constants::COMPARISON_EXACT;
-            if ($idpMetadata->getString('AuthnContextComparison', false)) {
-                $comp = $idpMetadata->getString('AuthnContextComparison');
-            } elseif (
-                isset($state['saml:AuthnContextComparison'])
-                && in_array($state['saml:AuthnContextComparison'], [
-                    Constants::COMPARISON_EXACT,
-                    Constants::COMPARISON_MINIMUM,
-                    Constants::COMPARISON_MAXIMUM,
-                    Constants::COMPARISON_BETTER,
-                ], true)
-            ) {
-                $comp = $state['saml:AuthnContextComparison'];
-            }
-            $ar->setRequestedAuthnContext(['AuthnContextClassRef' => $accr, 'Comparison' => $comp]);
-        }
-
-        if (isset($state['saml:Audience'])) {
-            $ar->setAudiences($state['saml:Audience']);
-        }
-
-        if (isset($state['ForceAuthn'])) {
-            $ar->setForceAuthn((bool) $state['ForceAuthn']);
-        }
-
-        if (isset($state['isPassive'])) {
-            $ar->setIsPassive((bool) $state['isPassive']);
-        }
-
-        if (isset($state['saml:NameID'])) {
-            if (!is_array($state['saml:NameID']) && !is_a($state['saml:NameID'], NameID::class)) {
-                throw new Error\Exception('Invalid value of $state[\'saml:NameID\'].');
-            }
-
-            $nameId = $state['saml:NameID'];
-            if (is_array($nameId)) {
-                // Must be an array > convert to object
-
-                $nid = new NameID();
-                if (!array_key_exists('Value', $nameId)) {
-                    throw new \InvalidArgumentException('Missing "Value" in array, cannot create NameID from it.');
-                }
-
-                $nid->setValue($nameId['Value']);
-                if (array_key_exists('NameQualifier', $nameId) && $nameId['NameQualifier'] !== null) {
-                    $nid->setNameQualifier($nameId['NameQualifier']);
-                }
-                if (array_key_exists('SPNameQualifier', $nameId) && $nameId['SPNameQualifier'] !== null) {
-                    $nid->setSPNameQualifier($nameId['SPNameQualifier']);
-                }
-                if (array_key_exists('SPProvidedID', $nameId) && $nameId['SPProvidedId'] !== null) {
-                    $nid->setSPProvidedID($nameId['SPProvidedID']);
-                }
-                if (array_key_exists('Format', $nameId) && $nameId['Format'] !== null) {
-                    $nid->setFormat($nameId['Format']);
-                }
-            } else {
-                $nid = $nameId;
-            }
-
-            $ar->setNameId($nid);
-        }
-
-        if (isset($state['saml:NameIDPolicy'])) {
-            $policy = null;
-            if (is_string($state['saml:NameIDPolicy'])) {
-                $policy = [
-                    'Format' => (string) $state['saml:NameIDPolicy'],
-                    'AllowCreate' => true,
-                ];
-            } elseif (is_array($state['saml:NameIDPolicy'])) {
-                $policy = $state['saml:NameIDPolicy'];
-            } elseif ($state['saml:NameIDPolicy'] === null) {
-                $policy = ['Format' => Constants::NAMEID_TRANSIENT];
-            }
-            if ($policy !== null) {
-                $ar->setNameIdPolicy($policy);
-            }
-        }
-
-        $IDPList = [];
-        $requesterID = [];
-
-        /* Only check for real info for Scoping element if we are going to send Scoping element */
-        if ($this->disable_scoping !== true && $idpMetadata->getBoolean('disable_scoping', false) !== true) {
-            if (isset($state['saml:IDPList'])) {
-                $IDPList = $state['saml:IDPList'];
-            }
-
-            if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
-                $ar->setProxyCount($state['saml:ProxyCount']);
-            } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
-                $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
-            } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
-                $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
-            }
-
-            $requesterID = [];
-            if (isset($state['saml:RequesterID'])) {
-                $requesterID = $state['saml:RequesterID'];
-            }
-
-            if (isset($state['core:SP'])) {
-                $requesterID[] = $state['core:SP'];
-            }
-        } else {
-            Logger::debug('Disabling samlp:Scoping for ' . var_export($idpMetadata->getString('entityid'), true));
-        }
-
-        $ar->setIDPList(
-            array_unique(
-                array_merge(
-                    $this->metadata->getArray('IDPList', []),
-                    $idpMetadata->getArray('IDPList', []),
-                    (array) $IDPList
-                )
-            )
-        );
-
-        $ar->setRequesterID($requesterID);
-
-        // If the downstream SP has set extensions then use them.
-        // Otherwise use extensions that might be defined in the local SP (only makes sense in a proxy scenario)
-        if (isset($state['saml:Extensions']) && count($state['saml:Extensions']) > 0) {
-            $ar->setExtensions($state['saml:Extensions']);
-        } else if ($this->metadata->getArray('saml:Extensions', null) !== null) {
-            $ar->setExtensions($this->metadata->getArray('saml:Extensions'));
-        }
-
-        $providerName = $this->metadata->getString("ProviderName", null);
-        if ($providerName !== null) {
-            $ar->setProviderName($providerName);
-        }
-
-
-        // save IdP entity ID as part of the state
-        $state['ExpectedIssuer'] = $idpMetadata->getString('entityid');
-
-        $id = Auth\State::saveState($state, 'saml:sp:sso', true);
-        $ar->setId($id);
-
-        Logger::debug(
-            'Sending SAML 2 AuthnRequest to ' . var_export($idpMetadata->getString('entityid'), true)
-        );
-
-        // Select appropriate SSO endpoint
-        if ($ar->getProtocolBinding() === Constants::BINDING_HOK_SSO) {
-            /** @var array $dst */
-            $dst = $idpMetadata->getDefaultEndpoint(
-                'SingleSignOnService',
-                [
-                    Constants::BINDING_HOK_SSO
-                ]
-            );
-        } else {
-            /** @var array $dst */
-            $dst = $idpMetadata->getEndpointPrioritizedByBinding(
-                'SingleSignOnService',
-                [
-                    Constants::BINDING_HTTP_REDIRECT,
-                    Constants::BINDING_HTTP_POST,
-                ]
-            );
-        }
-        $ar->setDestination($dst['Location']);
-
-        $b = Binding::getBinding($dst['Binding']);
-
-        $this->sendSAML2AuthnRequest($state, $b, $ar);
-
-        assert(false);
-    }
-
-
-    /**
-     * Function to actually send the authentication request.
-     *
-     * This function does not return.
-     *
-     * @param array &$state  The state array.
-     * @param \SAML2\Binding $binding  The binding.
-     * @param \SAML2\AuthnRequest  $ar  The authentication request.
-     * @return void
-     */
-    public function sendSAML2AuthnRequest(array &$state, Binding $binding, AuthnRequest $ar)
-    {
-        $binding->send($ar);
-        assert(false);
-    }
-
-
-    /**
-     * Send a SSO request to an IdP.
-     *
-     * @param string $idp  The entity ID of the IdP.
-     * @param array $state  The state array for the current authentication.
-     * @return void
-     */
-    public function startSSO($idp, array $state)
-    {
-        assert(is_string($idp));
-
-        $idpMetadata = $this->getIdPMetadata($idp);
-
-        $type = $idpMetadata->getString('metadata-set');
-        switch ($type) {
-            case 'shib13-idp-remote':
-                $this->startSSO1($idpMetadata, $state);
-                assert(false); // Should not return
-            case 'saml20-idp-remote':
-                $this->startSSO2($idpMetadata, $state);
-                assert(false); // Should not return
-            default:
-                // Should only be one of the known types
-                assert(false);
-        }
-    }
-
-
-    /**
-     * Start an IdP discovery service operation.
-     *
-     * @param array $state  The state array.
-     * @return void
-     */
-    private function startDisco(array $state): void
-    {
-        $id = Auth\State::saveState($state, 'saml:sp:sso');
-
-        $discoURL = $this->discoURL;
-        if ($discoURL === null) {
-            // Fallback to internal discovery service
-            $discoURL = Module::getModuleURL('saml/disco.php');
-        }
-
-        $returnTo = Module::getModuleURL('sildisco/sp/discoresp.php', ['AuthID' => $id]); // GTIS
-
-        $params = [
-            'entityID' => $this->entityId,
-            'return' => $returnTo,
-            'returnIDParam' => 'idpentityid'
-        ];
-
-        if (isset($state['saml:IDPList'])) {
-            $params['IDPList'] = $state['saml:IDPList'];
-        }
-
-        if (isset($state['isPassive']) && $state['isPassive']) {
-            $params['isPassive'] = 'true';
-        }
-
-        Utils\HTTP::redirectTrustedURL($discoURL, $params);
-    }
-
-
-    /**
-     * Start login.
-     *
-     * This function saves the information about the login, and redirects to the IdP.
-     *
-     * @param array &$state  Information about the current authentication.
-     * @return void
-     */
-    public function authenticate(&$state)
-    {
-        assert(is_array($state));
-
-        // We are going to need the authId in order to retrieve this authentication source later
-        $state['saml:sp:AuthId'] = $this->authId;
-
-        $idp = $this->idp;
-
-        if (isset($state['saml:idp'])) {
-            $idp = (string) $state['saml:idp'];
-        }
-
-        if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0) {
-            // we have a SAML IDPList (we are a proxy): filter the list of IdPs available
-            $mdh = MetaDataStorageHandler::getMetadataHandler();
-            $matchedEntities = $mdh->getMetaDataForEntities($state['saml:IDPList'], 'saml20-idp-remote');
-
-            if (empty($matchedEntities)) {
-                // all requested IdPs are unknown
-                throw new Module\saml\Error\NoSupportedIDP(
-                    Constants::STATUS_REQUESTER,
-                    'None of the IdPs requested are supported by this proxy.'
-                );
-            }
-
-            if (!is_null($idp) && !array_key_exists($idp, $matchedEntities)) {
-                // the IdP is enforced but not in the IDPList
-                throw new Module\saml\Error\NoAvailableIDP(
-                    Constants::STATUS_REQUESTER,
-                    'None of the IdPs requested are available to this proxy.'
-                );
-            }
-
-            if (is_null($idp) && sizeof($matchedEntities) === 1) {
-                // only one IdP requested or valid
-                $idp = key($matchedEntities);
-            }
-        }
-
-        if ($idp === null) {
-            $this->startDisco($state);
-            assert(false);
-        }
-
-        $this->startSSO($idp, $state);
-        assert(false);
-    }
-
-
-    /**
-     * Re-authenticate an user.
-     *
-     * This function is called by the IdP to give the authentication source a chance to
-     * interact with the user even in the case when the user is already authenticated.
-     *
-     * @param array &$state  Information about the current authentication.
-     * @return void
-     */
-    public function reauthenticate(array &$state)
-    {
-        $session = Session::getSessionFromRequest();
-        $data = $session->getAuthState($this->authId);
-        if ($data === null) {
-            throw new Error\NoState();
-        }
-
-        foreach ($data as $k => $v) {
-            $state[$k] = $v;
-        }
-
-        /*
-         * GTIS
-         * If this SP is allowed to use more than one IdP, then send to discovery page
-         */
-        $metadataPath = __DIR__ . '/../../../../../metadata';
-
-        $spEntityId = $state['SPMetadata']['entityid'];
-        $IDPList = array_keys(DiscoUtils::getIdpsForSp($spEntityId, $metadataPath));
-
-        if (sizeof($IDPList) > 1) {
-            $state['LoginCompletedHandler'] = array(SP::class, 'reauthPostLogin');
-            $this->authenticate($state);
-            assert(false);
-        }
-
-        // GTIS  Changed this if block to avoid logging out before authenticating
-        //    with a new IdP
-        if (sizeof($IDPList) > 0 &&
-            !in_array($state['saml:sp:IdP'], $IDPList, true)) {
-            /*
-             * The user has an existing, valid session. However, the list of IdPs
-             * accessible to this SP does not include the IdP from the existing
-             * session.
-             */
-
-            Logger::warning(
-                "Reauthentication is needed. The IdP '${state['saml:sp:IdP']}' is not in the IDPList ".
-                "accessible to this Service Provider '${state['core:SP']}'."
-            );
-
-            $state['LoginCompletedHandler'] = array(SP::class, 'reauthPostLogin');
-            $this->authenticate($state);
-        }
-        // End GTIS
-    }
-
-
-    /**
-     * Ask the user to log out before being able to log in again with a
-     * different identity provider. Note that this method is intended for
-     * instances of SimpleSAMLphp running as a SAML proxy, and therefore
-     * acting both as an SP and an IdP at the same time.
-     *
-     * This method will never return.
-     *
-     * @param array $state The state array.
-     * The following keys must be defined in the array:
-     * - 'saml:sp:IdPMetadata': a \SimpleSAML\Configuration object containing
-     *   the metadata of the IdP that authenticated the user in the current
-     *   session.
-     * - 'saml:sp:AuthId': the identifier of the current authentication source.
-     * - 'core:IdP': the identifier of the local IdP.
-     * - 'SPMetadata': an array with the metadata of this local SP.
-     *
-     * @return void
-     * @throws \SimpleSAML\Error\NoPassive In case the authentication request was passive.
-     */
-    public static function askForIdPChange(array &$state)
-    {
-        assert(array_key_exists('saml:sp:IdPMetadata', $state));
-        assert(array_key_exists('saml:sp:AuthId', $state));
-        assert(array_key_exists('core:IdP', $state));
-        assert(array_key_exists('SPMetadata', $state));
-
-        if (isset($state['isPassive']) && (bool) $state['isPassive']) {
-            // passive request, we cannot authenticate the user
-            throw new Module\saml\Error\NoPassive(
-                Constants::STATUS_REQUESTER,
-                'Reauthentication required'
-            );
-        }
-
-        // save the state WITHOUT a restart URL, so that we don't try an IdP-initiated login if something goes wrong
-        $id = Auth\State::saveState($state, 'saml:proxy:invalid_idp', true);
-        $url = Module::getModuleURL('saml/proxy/invalid_session.php');
-        Utils\HTTP::redirectTrustedURL($url, ['AuthState' => $id]);
-        assert(false);
-    }
-
-
-    /**
-     * Log the user out before logging in again.
-     *
-     * This method will never return.
-     *
-     * @param array $state The state array.
-     * @return void
-     */
-    public static function reauthLogout(array $state)
-    {
-        Logger::debug('Proxy: logging the user out before re-authentication.');
-
-        if (isset($state['Responder'])) {
-            $state['saml:proxy:reauthLogout:PrevResponder'] = $state['Responder'];
-        }
-        $state['Responder'] = [SP::class, 'reauthPostLogout'];
-
-        $idp = IdP::getByState($state);
-        $idp->handleLogoutRequest($state, null);
-        assert(false);
-    }
-
-
-    /**
-     * Complete login operation after re-authenticating the user on another IdP.
-     *
-     * @param array $state  The authentication state.
-     * @return void
-     */
-    public static function reauthPostLogin(array $state)
-    {
-        assert(isset($state['ReturnCallback']));
-
-        // Update session state
-        $session = Session::getSessionFromRequest();
-        $authId = $state['saml:sp:AuthId'];
-        $session->doLogin($authId, Auth\State::getPersistentAuthData($state));
-
-        // resume the login process
-        call_user_func($state['ReturnCallback'], $state);
-        assert(false);
-    }
-
-
-    /**
-     * Post-logout handler for re-authentication.
-     *
-     * This method will never return.
-     *
-     * @param \SimpleSAML\IdP $idp The IdP we are logging out from.
-     * @param array &$state The state array with the state during logout.
-     * @return void
-     */
-    public static function reauthPostLogout(IdP $idp, array $state)
-    {
-        assert(isset($state['saml:sp:AuthId']));
-
-        Logger::debug('Proxy: logout completed.');
-
-        if (isset($state['saml:proxy:reauthLogout:PrevResponder'])) {
-            $state['Responder'] = $state['saml:proxy:reauthLogout:PrevResponder'];
-        }
-
-        /** @var \SimpleSAML\Module\saml\Auth\Source\SP $sp */
-        $sp = Auth\Source::getById($state['saml:sp:AuthId'], Module\saml\Auth\Source\SP::class);
-
-        Logger::debug('Proxy: logging in again.');
-        $sp->authenticate($state);
-        assert(false);
-    }
-
-
-    /**
-     * Start a SAML 2 logout operation.
-     *
-     * @param array $state  The logout state.
-     * @return void
-     */
-    public function startSLO2(&$state)
-    {
-        assert(is_array($state));
-        assert(array_key_exists('saml:logout:IdP', $state));
-        assert(array_key_exists('saml:logout:NameID', $state));
-        assert(array_key_exists('saml:logout:SessionIndex', $state));
-
-        $id = Auth\State::saveState($state, 'saml:slosent');
-
-        $idp = $state['saml:logout:IdP'];
-        $nameId = $state['saml:logout:NameID'];
-        $sessionIndex = $state['saml:logout:SessionIndex'];
-
-        $idpMetadata = $this->getIdPMetadata($idp);
-
-        /** @var array $endpoint */
-        $endpoint = $idpMetadata->getEndpointPrioritizedByBinding(
-            'SingleLogoutService',
-            [
-                Constants::BINDING_HTTP_REDIRECT,
-                Constants::BINDING_HTTP_POST
-            ],
-            false
-        );
-        if ($endpoint === false) {
-            Logger::info('No logout endpoint for IdP ' . var_export($idp, true) . '.');
-            return;
-        }
-
-        $lr = Module\saml\Message::buildLogoutRequest($this->metadata, $idpMetadata);
-        $lr->setNameId($nameId);
-        $lr->setSessionIndex($sessionIndex);
-        $lr->setRelayState($id);
-        $lr->setDestination($endpoint['Location']);
-
-        $encryptNameId = $idpMetadata->getBoolean('nameid.encryption', null);
-        if ($encryptNameId === null) {
-            $encryptNameId = $this->metadata->getBoolean('nameid.encryption', false);
-        }
-        if ($encryptNameId) {
-            $lr->encryptNameId(Module\saml\Message::getEncryptionKey($idpMetadata));
-        }
-
-        $b = Binding::getBinding($endpoint['Binding']);
-        $b->send($lr);
-
-        assert(false);
-    }
-
-
-    /**
-     * Start logout operation.
-     *
-     * @param array $state  The logout state.
-     * @return void
-     */
-    public function logout(&$state)
-    {
-        assert(is_array($state));
-        assert(array_key_exists('saml:logout:Type', $state));
-
-        $logoutType = $state['saml:logout:Type'];
-        switch ($logoutType) {
-            case 'saml1':
-                // Nothing to do
-                return;
-            case 'saml2':
-                $this->startSLO2($state);
-                return;
-            default:
-                // Should never happen
-                assert(false);
-        }
-    }
-
-
-    /**
-     * Handle a response from a SSO operation.
-     *
-     * @param array $state  The authentication state.
-     * @param string $idp  The entity id of the IdP.
-     * @param array $attributes  The attributes.
-     * @return void
-     */
-    public function handleResponse(array $state, $idp, array $attributes)
-    {
-        assert(is_string($idp));
-        assert(array_key_exists('LogoutState', $state));
-        assert(array_key_exists('saml:logout:Type', $state['LogoutState']));
-
-        $idpMetadata = $this->getIdPMetadata($idp);
-
-        $spMetadataArray = $this->metadata->toArray();
-        $idpMetadataArray = $idpMetadata->toArray();
-
-        /* Save the IdP in the state array. */
-        $state['saml:sp:IdP'] = $idp;
-        $state['PersistentAuthData'][] = 'saml:sp:IdP';
-
-        $authProcState = [
-            'saml:sp:IdP' => $idp,
-            'saml:sp:State' => $state,
-            'ReturnCall' => [SP::class, 'onProcessingCompleted'],
-
-            'Attributes' => $attributes,
-            'Destination' => $spMetadataArray,
-            'Source' => $idpMetadataArray,
-        ];
-
-        if (isset($state['saml:sp:NameID'])) {
-            $authProcState['saml:sp:NameID'] = $state['saml:sp:NameID'];
-        }
-        if (isset($state['saml:sp:SessionIndex'])) {
-            $authProcState['saml:sp:SessionIndex'] = $state['saml:sp:SessionIndex'];
-        }
-
-        $pc = new Auth\ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
-        $pc->processState($authProcState);
-
-        self::onProcessingCompleted($authProcState);
-    }
-
-
-    /**
-     * Handle a logout request from an IdP.
-     *
-     * @param string $idpEntityId  The entity ID of the IdP.
-     * @return void
-     */
-    public function handleLogout($idpEntityId)
-    {
-        assert(is_string($idpEntityId));
-
-        /* Call the logout callback we registered in onProcessingCompleted(). */
-        $this->callLogoutCallback($idpEntityId);
-    }
-
-
-    /**
-     * Handle an unsolicited login operations.
-     *
-     * This method creates a session from the information received. It will
-     * then redirect to the given URL. This is used to handle IdP initiated
-     * SSO. This method will never return.
-     *
-     * @param string $authId The id of the authentication source that received the request.
-     * @param array $state A state array.
-     * @param string $redirectTo The URL we should redirect the user to after updating
-     * the session. The function will check if the URL is allowed, so there is no need to
-     * manually check the URL on beforehand. Please refer to the 'trusted.url.domains'
-     * configuration directive for more information about allowing (or disallowing) URLs.
-     * @return void
-     */
-    public static function handleUnsolicitedAuth($authId, array $state, $redirectTo)
-    {
-        assert(is_string($authId));
-        assert(is_string($redirectTo));
-
-        $session = Session::getSessionFromRequest();
-        $session->doLogin($authId, Auth\State::getPersistentAuthData($state));
-
-        Utils\HTTP::redirectUntrustedURL($redirectTo);
-    }
-
-
-    /**
-     * Called when we have completed the procssing chain.
-     *
-     * @param array $authProcState  The processing chain state.
-     * @return void
-     */
-    public static function onProcessingCompleted(array $authProcState)
-    {
-        assert(array_key_exists('saml:sp:IdP', $authProcState));
-        assert(array_key_exists('saml:sp:State', $authProcState));
-        assert(array_key_exists('Attributes', $authProcState));
-
-        $idp = $authProcState['saml:sp:IdP'];
-        $state = $authProcState['saml:sp:State'];
-
-        $sourceId = $state['saml:sp:AuthId'];
-
-        /** @var \SimpleSAML\Module\saml\Auth\Source\SP $source */
-        $source = Auth\Source::getById($sourceId);
-        if ($source === null) {
-            throw new \Exception('Could not find authentication source with id ' . $sourceId);
-        }
-
-        // Register a callback that we can call if we receive a logout request from the IdP
-        $source->addLogoutCallback($idp, $state);
-
-        $state['Attributes'] = $authProcState['Attributes'];
-
-        if (isset($state['saml:sp:isUnsolicited']) && (bool) $state['saml:sp:isUnsolicited']) {
-            if (!empty($state['saml:sp:RelayState'])) {
-                $redirectTo = $state['saml:sp:RelayState'];
-            } else {
-                $redirectTo = $source->getMetadata()->getString('RelayState', '/');
-            }
-            self::handleUnsolicitedAuth($sourceId, $state, $redirectTo);
-        }
-
-        Auth\Source::completeAuth($state);
-    }
-}
diff --git a/modules/sildisco/src/Controller/SilDisco.php b/modules/sildisco/src/Controller/SilDisco.php
new file mode 100644
index 00000000..ba92fe31
--- /dev/null
+++ b/modules/sildisco/src/Controller/SilDisco.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\sildisco\Controller;
+
+use Exception;
+use SimpleSAML\Error;
+use SimpleSAML\HTTP\RunnableResponse;
+use SimpleSAML\Module\sildisco\IdPDisco;
+use Symfony\Component\HttpFoundation\Request;
+
+class SilDisco
+{
+    /**
+     * @param \Symfony\Component\HttpFoundation\Request $request The current request.
+     * @return \SimpleSAML\HTTP\RunnableResponse
+     */
+    public function main(Request $request): RunnableResponse
+    {
+        try {
+            $discoHandler = new IdPDisco(['saml20-idp-remote'], 'saml');
+        } catch (Exception $exception) {
+            // An error here should be caused by invalid query parameters
+            throw new Error\Error('DISCOPARAMS', $exception);
+        }
+
+        try {
+            return new RunnableResponse([$discoHandler, 'handleRequest'], []);
+        } catch (Exception $exception) {
+            // An error here should be caused by metadata
+            throw new Error\Error('METADATA', $exception);
+        }
+    }
+}
diff --git a/modules/sildisco/src/IdP/SAML2.php b/modules/sildisco/src/IdP/SAML2.php
deleted file mode 100644
index 7898bb61..00000000
--- a/modules/sildisco/src/IdP/SAML2.php
+++ /dev/null
@@ -1,1515 +0,0 @@
-<?php
-
-/**
- *
- * Copied from the built-in simplesamlphp module modules/saml/src/IdP/SAML2.php with code inserted.
- *  See comment below about GTIS.
- *
- * 2024-06-06 -- Merged with simplesamlphp 1.19.8, lines marked with GTIS are modified
- */
-declare(strict_types=1);
-
-namespace SimpleSAML\Module\sildisco\IdP; // GTIS
-
-use Exception;
-use DOMNodeList;
-use RobRichards\XMLSecLibs\XMLSecurityKey;
-use SAML2\Assertion;
-use SAML2\AuthnRequest;
-use SAML2\Binding;
-use SAML2\Constants;
-use SAML2\DOMDocumentFactory;
-use SAML2\EncryptedAssertion;
-use SAML2\HTTPRedirect;
-use SAML2\LogoutRequest;
-use SAML2\LogoutResponse;
-use SAML2\Response;
-use SAML2\SOAP;
-use SAML2\XML\ds\X509Certificate;
-use SAML2\XML\ds\X509Data;
-use SAML2\XML\ds\KeyInfo;
-use SAML2\XML\saml\AttributeValue;
-use SAML2\XML\saml\Issuer;
-use SAML2\XML\saml\NameID;
-use SAML2\XML\saml\SubjectConfirmation;
-use SAML2\XML\saml\SubjectConfirmationData;
-use SimpleSAML\Auth;
-use SimpleSAML\Configuration;
-use SimpleSAML\Error;
-use SimpleSAML\IdP;
-use SimpleSAML\Logger;
-use SimpleSAML\Metadata\MetaDataStorageHandler;
-use SimpleSAML\Module;
-use SimpleSAML\Stats;
-use SimpleSAML\Utils;
-
-use Sil\SspUtils\DiscoUtils; // GTIS
-
-/**
- * IdP implementation for SAML 2.0 protocol.
- *
- * @package SimpleSAMLphp
- */
-class SAML2
-{
-    /**
-     * Send a response to the SP.
-     *
-     * @param array $state The authentication state.
-     * @return void
-     */
-    public static function sendResponse(array $state)
-    {
-        assert(isset($state['Attributes']));
-        assert(isset($state['SPMetadata']));
-        assert(isset($state['saml:ConsumerURL']));
-        assert(array_key_exists('saml:RequestId', $state)); // Can be NULL
-        assert(array_key_exists('saml:RelayState', $state)); // Can be NULL.
-
-        $spMetadata = $state["SPMetadata"];
-        $spEntityId = $spMetadata['entityid'];
-        $spMetadata = Configuration::loadFromArray(
-            $spMetadata,
-            '$metadata[' . var_export($spEntityId, true) . ']'
-        );
-
-        Logger::info('Sending SAML 2.0 Response to ' . var_export($spEntityId, true));
-
-        $requestId = $state['saml:RequestId'];
-        $relayState = $state['saml:RelayState'];
-        $consumerURL = $state['saml:ConsumerURL'];
-        $protocolBinding = $state['saml:Binding'];
-
-        $idp = IdP::getByState($state);
-
-        $idpMetadata = $idp->getConfig();
-
-        $assertion = self::buildAssertion($idpMetadata, $spMetadata, $state);
-
-        if (isset($state['saml:AuthenticatingAuthority'])) {
-            $assertion->setAuthenticatingAuthority($state['saml:AuthenticatingAuthority']);
-        }
-
-        // create the session association (for logout)
-        $association = [
-            'id'                => 'saml:' . $spEntityId,
-            'Handler'           => '\SimpleSAML\Module\saml\IdP\SAML2',
-            'Expires'           => $assertion->getSessionNotOnOrAfter(),
-            'saml:entityID'     => $spEntityId,
-            'saml:NameID'       => $state['saml:idp:NameID'],
-            'saml:SessionIndex' => $assertion->getSessionIndex(),
-        ];
-
-        // maybe encrypt the assertion
-        $assertion = self::encryptAssertion($idpMetadata, $spMetadata, $assertion);
-
-        // create the response
-        $ar = self::buildResponse($idpMetadata, $spMetadata, $consumerURL);
-        $ar->setInResponseTo($requestId);
-        $ar->setRelayState($relayState);
-        $ar->setAssertions([$assertion]);
-
-        // register the session association with the IdP
-        $idp->addAssociation($association);
-
-        $statsData = [
-            'spEntityID'  => $spEntityId,
-            'idpEntityID' => $idpMetadata->getString('entityid'),
-            'protocol'    => 'saml2',
-        ];
-        if (isset($state['saml:AuthnRequestReceivedAt'])) {
-            $statsData['logintime'] = microtime(true) - $state['saml:AuthnRequestReceivedAt'];
-        }
-        Stats::log('saml:idp:Response', $statsData);
-
-        // send the response
-        $binding = Binding::getBinding($protocolBinding);
-        $binding->send($ar);
-    }
-
-
-    /**
-     * Handle authentication error.
-     *
-     * \SimpleSAML\Error\Exception $exception  The exception.
-     *
-     * @param array $state The error state.
-     * @return void
-     */
-    public static function handleAuthError(Error\Exception $exception, array $state)
-    {
-        assert(isset($state['SPMetadata']));
-        assert(isset($state['saml:ConsumerURL']));
-        assert(array_key_exists('saml:RequestId', $state)); // Can be NULL.
-        assert(array_key_exists('saml:RelayState', $state)); // Can be NULL.
-
-        $spMetadata = $state["SPMetadata"];
-        $spEntityId = $spMetadata['entityid'];
-        $spMetadata = Configuration::loadFromArray(
-            $spMetadata,
-            '$metadata[' . var_export($spEntityId, true) . ']'
-        );
-
-        $requestId = $state['saml:RequestId'];
-        $relayState = $state['saml:RelayState'];
-        $consumerURL = $state['saml:ConsumerURL'];
-        $protocolBinding = $state['saml:Binding'];
-
-        $idp = IdP::getByState($state);
-
-        $idpMetadata = $idp->getConfig();
-
-        $error = \SimpleSAML\Module\saml\Error::fromException($exception);
-
-        Logger::warning("Returning error to SP with entity ID '" . var_export($spEntityId, true) . "'.");
-        $exception->log(Logger::WARNING);
-
-        $ar = self::buildResponse($idpMetadata, $spMetadata, $consumerURL);
-        $ar->setInResponseTo($requestId);
-        $ar->setRelayState($relayState);
-
-        $status = [
-            'Code'    => $error->getStatus(),
-            'SubCode' => $error->getSubStatus(),
-            'Message' => $error->getStatusMessage(),
-        ];
-        $ar->setStatus($status);
-
-        $statsData = [
-            'spEntityID'  => $spEntityId,
-            'idpEntityID' => $idpMetadata->getString('entityid'),
-            'protocol'    => 'saml2',
-            'error'       => $status,
-        ];
-        if (isset($state['saml:AuthnRequestReceivedAt'])) {
-            $statsData['logintime'] = microtime(true) - $state['saml:AuthnRequestReceivedAt'];
-        }
-        Stats::log('saml:idp:Response:error', $statsData);
-
-        $binding = Binding::getBinding($protocolBinding);
-        $binding->send($ar);
-    }
-
-
-    /**
-     * Find SP AssertionConsumerService based on parameter in AuthnRequest.
-     *
-     * @param array                     $supportedBindings The bindings we allow for the response.
-     * @param \SimpleSAML\Configuration $spMetadata The metadata for the SP.
-     * @param string|null               $AssertionConsumerServiceURL AssertionConsumerServiceURL from request.
-     * @param string|null               $ProtocolBinding ProtocolBinding from request.
-     * @param int|null                  $AssertionConsumerServiceIndex AssertionConsumerServiceIndex from request.
-     *
-     * @return array|null  Array with the Location and Binding we should use for the response.
-     */
-    private static function getAssertionConsumerService(
-        array $supportedBindings,
-        Configuration $spMetadata,
-        string $AssertionConsumerServiceURL = null,
-        string $ProtocolBinding = null,
-        int $AssertionConsumerServiceIndex = null
-    ): ?array {
-        /* We want to pick the best matching endpoint in the case where for example
-         * only the ProtocolBinding is given. We therefore pick endpoints with the
-         * following priority:
-         *  1. isDefault="true"
-         *  2. isDefault unset
-         *  3. isDefault="false"
-         */
-        $firstNotFalse = null;
-        $firstFalse = null;
-        foreach ($spMetadata->getEndpoints('AssertionConsumerService') as $ep) {
-            if ($AssertionConsumerServiceURL !== null && $ep['Location'] !== $AssertionConsumerServiceURL) {
-                continue;
-            }
-            if ($ProtocolBinding !== null && $ep['Binding'] !== $ProtocolBinding) {
-                continue;
-            }
-            if ($AssertionConsumerServiceIndex !== null && $ep['index'] !== $AssertionConsumerServiceIndex) {
-                continue;
-            }
-
-            if (!in_array($ep['Binding'], $supportedBindings, true)) {
-                /* The endpoint has an unsupported binding. */
-                continue;
-            }
-
-            // we have an endpoint that matches all our requirements. Check if it is the best one
-
-            if (array_key_exists('isDefault', $ep)) {
-                if ($ep['isDefault'] === true) {
-                    // this is the first matching endpoint with isDefault set to true
-                    return $ep;
-                }
-                // isDefault is set to FALSE, but the endpoint is still usable
-                if ($firstFalse === null) {
-                    // this is the first endpoint that we can use
-                    $firstFalse = $ep;
-                }
-            } else {
-                if ($firstNotFalse === null) {
-                    // this is the first endpoint without isDefault set
-                    $firstNotFalse = $ep;
-                }
-            }
-        }
-
-        if ($firstNotFalse !== null) {
-            return $firstNotFalse;
-        } elseif ($firstFalse !== null) {
-            return $firstFalse;
-        }
-
-        Logger::warning('Authentication request specifies invalid AssertionConsumerService:');
-        if ($AssertionConsumerServiceURL !== null) {
-            Logger::warning('AssertionConsumerServiceURL: ' . var_export($AssertionConsumerServiceURL, true));
-        }
-        if ($ProtocolBinding !== null) {
-            Logger::warning('ProtocolBinding: ' . var_export($ProtocolBinding, true));
-        }
-        if ($AssertionConsumerServiceIndex !== null) {
-            Logger::warning(
-                'AssertionConsumerServiceIndex: ' . var_export($AssertionConsumerServiceIndex, true)
-            );
-        }
-
-        // we have no good endpoints. Our last resort is to just use the default endpoint
-        return $spMetadata->getDefaultEndpoint('AssertionConsumerService', $supportedBindings);
-    }
-
-
-    /**
-     * Receive an authentication request.
-     *
-     * @param \SimpleSAML\IdP $idp The IdP we are receiving it for.
-     * @return void
-     * @throws \SimpleSAML\Error\BadRequest In case an error occurs when trying to receive the request.
-     */
-    public static function receiveAuthnRequest(\SimpleSAML\IdP $idp)
-    {
-        $metadata = MetaDataStorageHandler::getMetadataHandler();
-        $idpMetadata = $idp->getConfig();
-
-        $supportedBindings = [Constants::BINDING_HTTP_POST];
-        if ($idpMetadata->getBoolean('saml20.sendartifact', false)) {
-            $supportedBindings[] = Constants::BINDING_HTTP_ARTIFACT;
-        }
-        if ($idpMetadata->getBoolean('saml20.hok.assertion', false)) {
-            $supportedBindings[] = Constants::BINDING_HOK_SSO;
-        }
-        if ($idpMetadata->getBoolean('saml20.ecp', false)) {
-            $supportedBindings[] = Constants::BINDING_PAOS;
-        }
-
-        if (isset($_REQUEST['spentityid']) || isset($_REQUEST['providerId'])) {
-            /* IdP initiated authentication. */
-
-            if (isset($_REQUEST['cookieTime'])) {
-                $cookieTime = (int) $_REQUEST['cookieTime'];
-                if ($cookieTime + 5 > time()) {
-                    /*
-                     * Less than five seconds has passed since we were
-                     * here the last time. Cookies are probably disabled.
-                     */
-                    Utils\HTTP::checkSessionCookie(Utils\HTTP::getSelfURL());
-                }
-            }
-
-            $spEntityId = (string) isset($_REQUEST['spentityid']) ? $_REQUEST['spentityid'] : $_REQUEST['providerId'];
-            $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
-
-            if (isset($_REQUEST['RelayState'])) {
-                $relayState = (string) $_REQUEST['RelayState'];
-            } elseif (isset($_REQUEST['target'])) {
-                $relayState = (string) $_REQUEST['target'];
-            } else {
-                $relayState = null;
-            }
-
-            if (isset($_REQUEST['binding'])) {
-                $protocolBinding = (string) $_REQUEST['binding'];
-            } else {
-                $protocolBinding = null;
-            }
-
-            if (isset($_REQUEST['NameIDFormat'])) {
-                $nameIDFormat = (string) $_REQUEST['NameIDFormat'];
-            } else {
-                $nameIDFormat = null;
-            }
-
-            if (isset($_REQUEST['ConsumerURL'])) {
-                $consumerURL = (string)$_REQUEST['ConsumerURL'];
-            } elseif (isset($_REQUEST['shire'])) {
-                $consumerURL = (string)$_REQUEST['shire'];
-            } else {
-                $consumerURL = null;
-            }
-
-            $requestId = null;
-            $IDPList = [];
-            $ProxyCount = null;
-            $RequesterID = null;
-            $forceAuthn = false;
-            $isPassive = false;
-            $consumerIndex = null;
-            $extensions = null;
-            $allowCreate = true;
-            $authnContext = null;
-
-            $idpInit = true;
-
-            Logger::info(
-                'SAML2.0 - IdP.SSOService: IdP initiated authentication: ' . var_export($spEntityId, true)
-            );
-        } else {
-            try {
-                $binding = Binding::getCurrentBinding();
-            } catch (Exception $e) {
-                header($_SERVER["SERVER_PROTOCOL"]." 405 Method Not Allowed", true, 405);
-                exit;
-            }
-            $request = $binding->receive();
-
-            if (!($request instanceof AuthnRequest)) {
-                throw new Error\BadRequest(
-                    'Message received on authentication request endpoint wasn\'t an authentication request.'
-                );
-            }
-
-            /** @psalm-var null|string|\SAML2\XML\saml\Issuer $issuer   Remove in SSP 2.0 */
-            $issuer = $request->getIssuer();
-            if ($issuer === null) {
-                throw new Error\BadRequest(
-                    'Received message on authentication request endpoint without issuer.'
-                );
-            } elseif ($issuer instanceof Issuer) {
-                /** @psalm-var string|null $spEntityId */
-                $spEntityId = $issuer->getValue();
-                if ($spEntityId === null) {
-                    /* Without an issuer we have no way to respond to the message. */
-                    throw new Error\BadRequest('Received message on logout endpoint without issuer.');
-                }
-            } else { // we got a string, old case
-                $spEntityId = $issuer;
-            }
-            $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
-
-            \SimpleSAML\Module\saml\Message::validateMessage($spMetadata, $idpMetadata, $request);
-
-            $relayState = $request->getRelayState();
-
-            $requestId = $request->getId();
-            $IDPList = $request->getIDPList();
-            $ProxyCount = $request->getProxyCount();
-            if ($ProxyCount !== null) {
-                $ProxyCount--;
-            }
-            $RequesterID = $request->getRequesterID();
-            $forceAuthn = $request->getForceAuthn();
-            $isPassive = $request->getIsPassive();
-            $consumerURL = $request->getAssertionConsumerServiceURL();
-            $protocolBinding = $request->getProtocolBinding();
-            $consumerIndex = $request->getAssertionConsumerServiceIndex();
-            $extensions = $request->getExtensions();
-            $authnContext = $request->getRequestedAuthnContext();
-
-            $nameIdPolicy = $request->getNameIdPolicy();
-            if (isset($nameIdPolicy['Format'])) {
-                $nameIDFormat = $nameIdPolicy['Format'];
-            } else {
-                $nameIDFormat = null;
-            }
-            if (isset($nameIdPolicy['AllowCreate'])) {
-                $allowCreate = $nameIdPolicy['AllowCreate'];
-            } else {
-                $allowCreate = false;
-            }
-
-            $idpInit = false;
-
-            Logger::info(
-                'SAML2.0 - IdP.SSOService: incoming authentication request: ' . var_export($spEntityId, true)
-            );
-        }
-
-        Stats::log('saml:idp:AuthnRequest', [
-            'spEntityID'  => $spEntityId,
-            'idpEntityID' => $idpMetadata->getString('entityid'),
-            'forceAuthn'  => $forceAuthn,
-            'isPassive'   => $isPassive,
-            'protocol'    => 'saml2',
-            'idpInit'     => $idpInit,
-        ]);
-
-        $acsEndpoint = self::getAssertionConsumerService(
-            $supportedBindings,
-            $spMetadata,
-            $consumerURL,
-            $protocolBinding,
-            $consumerIndex
-        );
-        if ($acsEndpoint === null) {
-            throw new Exception('Unable to use any of the ACS endpoints found for SP \'' . $spEntityId . '\'');
-        }
-
-        $IDPList = array_unique(array_merge($IDPList, $spMetadata->getArrayizeString('IDPList', [])));
-        if ($ProxyCount === null) {
-            $ProxyCount = $spMetadata->getInteger('ProxyCount', null);
-        }
-
-        if (!$forceAuthn) {
-            $forceAuthn = $spMetadata->getBoolean('ForceAuthn', false);
-        }
-
-        $sessionLostParams = [
-            'spentityid' => $spEntityId,
-        ];
-        if ($relayState !== null) {
-            $sessionLostParams['RelayState'] = $relayState;
-        }
-        /*
-        Putting cookieTime as the last parameter makes unit testing easier since we don't need to handle a
-        changing time component in the middle of the url
-        */
-        $sessionLostParams['cookieTime'] = time();
-
-        $sessionLostURL = Utils\HTTP::addURLParameters(
-            Utils\HTTP::getSelfURLNoQuery(),
-            $sessionLostParams
-        );
-
-
-        /*
-          * Added by GTIS.
-          * This code is intended to ensure that a session from a new SP
-          * will be forced to reauthenticate if that SP is not allowed
-          * to authenticate through any of the IDP's that have so far
-          * been used for authentication.
-          *
-          * In order for this to avoid forcing authentication
-          * in every case, the hub's saml20-idp-hosted.php entry needs
-          * to include an authproc entry that adds each authenticating
-          * IDP to a list in the session.
-          * That list should be found in ...
-          *    sessionDataType: 'sildisco:authentication'
-          *    sessionKey: 'authenticated_idps'
-          *
-          * Another feature is that it forces the user to the discovery page,
-          * if the SP is allowed to use more than one IDP.  The reason for this
-          * is that we want the user to be able to pick which of his ID's
-          * to use for this session.  The way it is carried out is by expiring
-          * the user's session on the hub. (It does not log the user out from
-          * any of the IDP's.)
-          *
-          */
-        $session = \SimpleSAML\Session::getSessionFromRequest();
-        $sessionDataType = 'sildisco:authentication';
-        $spIdKey = 'spentityid';
-        $session->setData($sessionDataType, $spIdKey, $spEntityId);
-        $metadataPath = __DIR__ . '/../../../../metadata';
-        $IDPList = array_keys(DiscoUtils::getIdpsForSp($spEntityId, $metadataPath));
-        if ( ! $forceAuthn ) {
-            $sessionDataType = 'sildisco:authentication';
-            $sessionKey = 'authenticated_idps';
-            $authenticatedIdps = $session->getData($sessionDataType, $sessionKey);
-
-            if ($authenticatedIdps) {
-                $metadataPath = __DIR__ . '/../../../../metadata/';
-                $allowedIdps = DiscoUtils::getReducedIdpList(
-                    $authenticatedIdps,
-                    $metadataPath,
-                    $spEntityId
-                );
-                if ( ! $allowedIdps) {
-                    $IDPList = Null;
-                    $forceAuthn = True;
-                }
-            } else { // If there are no authenticated IDPs
-                $forceAuthn = True;
-            }
-        }
-        /*
-         *  End of GTIS addition
-         */
-
-        $state = [
-            'Responder' => ['\SimpleSAML\Module\saml\IdP\SAML2', 'sendResponse'],
-            Auth\State::EXCEPTION_HANDLER_FUNC => [
-                '\SimpleSAML\Module\saml\IdP\SAML2',
-                'handleAuthError'
-            ],
-            Auth\State::RESTART => $sessionLostURL,
-
-            'SPMetadata'                  => $spMetadata->toArray(),
-            'saml:RelayState'             => $relayState,
-            'saml:RequestId'              => $requestId,
-            'saml:IDPList'                => $IDPList,
-            'saml:ProxyCount'             => $ProxyCount,
-            'saml:RequesterID'            => $RequesterID,
-            'ForceAuthn'                  => $forceAuthn,
-            'isPassive'                   => $isPassive,
-            'saml:ConsumerURL'            => $acsEndpoint['Location'],
-            'saml:Binding'                => $acsEndpoint['Binding'],
-            'saml:NameIDFormat'           => $nameIDFormat,
-            'saml:AllowCreate'            => $allowCreate,
-            'saml:Extensions'             => $extensions,
-            'saml:AuthnRequestReceivedAt' => microtime(true),
-            'saml:RequestedAuthnContext'  => $authnContext,
-        ];
-
-        $idp->handleAuthenticationRequest($state);
-    }
-
-
-    /**
-     * Send a logout request to a given association.
-     *
-     * @param \SimpleSAML\IdP $idp The IdP we are sending a logout request from.
-     * @param array           $association The association that should be terminated.
-     * @param string|null     $relayState An id that should be carried across the logout.
-     * @return void
-     */
-    public static function sendLogoutRequest(IdP $idp, array $association, $relayState)
-    {
-        assert(is_string($relayState) || $relayState === null);
-
-        Logger::info('Sending SAML 2.0 LogoutRequest to: ' . var_export($association['saml:entityID'], true));
-
-        $metadata = MetaDataStorageHandler::getMetadataHandler();
-        $idpMetadata = $idp->getConfig();
-        $spMetadata = $metadata->getMetaDataConfig($association['saml:entityID'], 'saml20-sp-remote');
-
-        Stats::log('saml:idp:LogoutRequest:sent', [
-            'spEntityID'  => $association['saml:entityID'],
-            'idpEntityID' => $idpMetadata->getString('entityid'),
-        ]);
-
-        /** @var array $dst */
-        $dst = $spMetadata->getEndpointPrioritizedByBinding(
-            'SingleLogoutService',
-            [
-                Constants::BINDING_HTTP_REDIRECT,
-                Constants::BINDING_HTTP_POST
-            ]
-        );
-        $binding = Binding::getBinding($dst['Binding']);
-        $lr = self::buildLogoutRequest($idpMetadata, $spMetadata, $association, $relayState);
-        $lr->setDestination($dst['Location']);
-
-        $binding->send($lr);
-    }
-
-
-    /**
-     * Send a logout response.
-     *
-     * @param \SimpleSAML\IdP $idp The IdP we are sending a logout request from.
-     * @param array           &$state The logout state array.
-     * @return void
-     */
-    public static function sendLogoutResponse(IdP $idp, array $state)
-    {
-        assert(isset($state['saml:SPEntityId']));
-        assert(isset($state['saml:RequestId']));
-        assert(array_key_exists('saml:RelayState', $state)); // Can be NULL.
-
-        $spEntityId = $state['saml:SPEntityId'];
-
-        $metadata = MetaDataStorageHandler::getMetadataHandler();
-        $idpMetadata = $idp->getConfig();
-        $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
-
-        $lr = \SimpleSAML\Module\saml\Message::buildLogoutResponse($idpMetadata, $spMetadata);
-        $lr->setInResponseTo($state['saml:RequestId']);
-        $lr->setRelayState($state['saml:RelayState']);
-
-        if (isset($state['core:Failed']) && $state['core:Failed']) {
-            $partial = true;
-            $lr->setStatus([
-                'Code'    => Constants::STATUS_SUCCESS,
-                'SubCode' => Constants::STATUS_PARTIAL_LOGOUT,
-            ]);
-            Logger::info('Sending logout response for partial logout to SP ' . var_export($spEntityId, true));
-        } else {
-            $partial = false;
-            Logger::debug('Sending logout response to SP ' . var_export($spEntityId, true));
-        }
-
-        Stats::log('saml:idp:LogoutResponse:sent', [
-            'spEntityID'  => $spEntityId,
-            'idpEntityID' => $idpMetadata->getString('entityid'),
-            'partial'     => $partial
-        ]);
-
-        /** @var array $dst */
-        $dst = $spMetadata->getEndpointPrioritizedByBinding(
-            'SingleLogoutService',
-            [
-                Constants::BINDING_HTTP_REDIRECT,
-                Constants::BINDING_HTTP_POST
-            ]
-        );
-        $binding = Binding::getBinding($dst['Binding']);
-        if (isset($dst['ResponseLocation'])) {
-            $dst = $dst['ResponseLocation'];
-        } else {
-            $dst = $dst['Location'];
-        }
-        $lr->setDestination($dst);
-
-        $binding->send($lr);
-    }
-
-
-    /**
-     * Receive a logout message.
-     *
-     * @param \SimpleSAML\IdP $idp The IdP we are receiving it for.
-     * @return void
-     * @throws \SimpleSAML\Error\BadRequest In case an error occurs while trying to receive the logout message.
-     */
-    public static function receiveLogoutMessage(IdP $idp)
-    {
-        $binding = Binding::getCurrentBinding();
-        $message = $binding->receive();
-
-        /** @psalm-var null|string|\SAML2\XML\saml\Issuer  Remove in SSP 2.0 */
-        $issuer = $message->getIssuer();
-        if ($issuer === null) {
-            /* Without an issuer we have no way to respond to the message. */
-            throw new Error\BadRequest('Received message on logout endpoint without issuer.');
-        } elseif ($issuer instanceof Issuer) {
-            /** @psalm-var string|null $spEntityId */
-            $spEntityId = $issuer->getValue();
-            if ($spEntityId === null) {
-                /* Without an issuer we have no way to respond to the message. */
-                throw new Error\BadRequest('Received message on logout endpoint without issuer.');
-            }
-        } else {
-            $spEntityId = $issuer;
-        }
-
-        $metadata = MetaDataStorageHandler::getMetadataHandler();
-        $idpMetadata = $idp->getConfig();
-        $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
-
-        \SimpleSAML\Module\saml\Message::validateMessage($spMetadata, $idpMetadata, $message);
-
-        if ($message instanceof LogoutResponse) {
-            Logger::info('Received SAML 2.0 LogoutResponse from: ' . var_export($spEntityId, true));
-            $statsData = [
-                'spEntityID'  => $spEntityId,
-                'idpEntityID' => $idpMetadata->getString('entityid'),
-            ];
-            if (!$message->isSuccess()) {
-                $statsData['error'] = $message->getStatus();
-            }
-            Stats::log('saml:idp:LogoutResponse:recv', $statsData);
-
-            $relayState = $message->getRelayState();
-
-            if (!$message->isSuccess()) {
-                $logoutError = \SimpleSAML\Module\saml\Message::getResponseError($message);
-                Logger::warning('Unsuccessful logout. Status was: ' . $logoutError);
-            } else {
-                $logoutError = null;
-            }
-
-            $assocId = 'saml:' . $spEntityId;
-
-            $idp->handleLogoutResponse($assocId, $relayState, $logoutError);
-        } elseif ($message instanceof LogoutRequest) {
-            Logger::info('Received SAML 2.0 LogoutRequest from: ' . var_export($spEntityId, true));
-            Stats::log('saml:idp:LogoutRequest:recv', [
-                'spEntityID'  => $spEntityId,
-                'idpEntityID' => $idpMetadata->getString('entityid'),
-            ]);
-
-            $spStatsId = $spMetadata->getString('core:statistics-id', $spEntityId);
-            Logger::stats('saml20-idp-SLO spinit ' . $spStatsId . ' ' . $idpMetadata->getString('entityid'));
-
-            $state = [
-                'Responder'       => ['\SimpleSAML\Module\saml\IdP\SAML2', 'sendLogoutResponse'],
-                'saml:SPEntityId' => $spEntityId,
-                'saml:RelayState' => $message->getRelayState(),
-                'saml:RequestId'  => $message->getId(),
-            ];
-
-            $assocId = 'saml:' . $spEntityId;
-            $idp->handleLogoutRequest($state, $assocId);
-        } else {
-            throw new Error\BadRequest('Unknown message received on logout endpoint: ' . get_class($message));
-        }
-    }
-
-
-    /**
-     * Retrieve a logout URL for a given logout association.
-     *
-     * @param \SimpleSAML\IdP $idp The IdP we are sending a logout request from.
-     * @param array           $association The association that should be terminated.
-     * @param string|NULL     $relayState An id that should be carried across the logout.
-     *
-     * @return string The logout URL.
-     */
-    public static function getLogoutURL(IdP $idp, array $association, $relayState)
-    {
-        assert(is_string($relayState) || $relayState === null);
-
-        Logger::info('Sending SAML 2.0 LogoutRequest to: ' . var_export($association['saml:entityID'], true));
-
-        $metadata = MetaDataStorageHandler::getMetadataHandler();
-        $idpMetadata = $idp->getConfig();
-        $spMetadata = $metadata->getMetaDataConfig($association['saml:entityID'], 'saml20-sp-remote');
-
-        $bindings = [
-            Constants::BINDING_HTTP_REDIRECT,
-            Constants::BINDING_HTTP_POST
-        ];
-
-        /** @var array $dst */
-        $dst = $spMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', $bindings);
-
-        if ($dst['Binding'] === Constants::BINDING_HTTP_POST) {
-            $params = ['association' => $association['id'], 'idp' => $idp->getId()];
-            if ($relayState !== null) {
-                $params['RelayState'] = $relayState;
-            }
-            return Module::getModuleURL('core/idp/logout-iframe-post.php', $params);
-        }
-
-        $lr = self::buildLogoutRequest($idpMetadata, $spMetadata, $association, $relayState);
-        $lr->setDestination($dst['Location']);
-
-        $binding = new HTTPRedirect();
-        return $binding->getRedirectURL($lr);
-    }
-
-
-    /**
-     * Retrieve the metadata for the given SP association.
-     *
-     * @param \SimpleSAML\IdP $idp The IdP the association belongs to.
-     * @param array           $association The SP association.
-     *
-     * @return \SimpleSAML\Configuration  Configuration object for the SP metadata.
-     */
-    public static function getAssociationConfig(IdP $idp, array $association)
-    {
-        $metadata = MetaDataStorageHandler::getMetadataHandler();
-        try {
-            return $metadata->getMetaDataConfig($association['saml:entityID'], 'saml20-sp-remote');
-        } catch (Exception $e) {
-            return Configuration::loadFromArray([], 'Unknown SAML 2 entity.');
-        }
-    }
-
-
-    /**
-     * Retrieve the metadata of a hosted SAML 2 IdP.
-     *
-     * @param string $entityid The entity ID of the hosted SAML 2 IdP whose metadata we want.
-     *
-     * @return array
-     * @throws \SimpleSAML\Error\CriticalConfigurationError
-     * @throws \SimpleSAML\Error\Exception
-     * @throws \SimpleSAML\Error\MetadataNotFound
-     */
-    public static function getHostedMetadata($entityid)
-    {
-        $handler = MetaDataStorageHandler::getMetadataHandler();
-        $config = $handler->getMetaDataConfig($entityid, 'saml20-idp-hosted');
-
-        // configure endpoints
-        $ssob = $handler->getGenerated('SingleSignOnServiceBinding', 'saml20-idp-hosted');
-        $slob = $handler->getGenerated('SingleLogoutServiceBinding', 'saml20-idp-hosted');
-        $ssol = $handler->getGenerated('SingleSignOnService', 'saml20-idp-hosted');
-        $slol = $handler->getGenerated('SingleLogoutService', 'saml20-idp-hosted');
-
-        $sso = [];
-        if (is_array($ssob)) {
-            foreach ($ssob as $binding) {
-                $sso[] = [
-                    'Binding'  => $binding,
-                    'Location' => $ssol,
-                ];
-            }
-        } else {
-            $sso[] = [
-                'Binding'  => $ssob,
-                'Location' => $ssol,
-            ];
-        }
-
-        $slo = [];
-        if (is_array($slob)) {
-            foreach ($slob as $binding) {
-                $slo[] = [
-                    'Binding'  => $binding,
-                    'Location' => $slol,
-                ];
-            }
-        } else {
-            $slo[] = [
-                'Binding'  => $slob,
-                'Location' => $slol,
-            ];
-        }
-
-        $metadata = [
-            'metadata-set' => 'saml20-idp-hosted',
-            'entityid' => $entityid,
-            'SingleSignOnService' => $sso,
-            'SingleLogoutService' => $slo,
-            'NameIDFormat' => $config->getArrayizeString('NameIDFormat', Constants::NAMEID_TRANSIENT),
-        ];
-
-        // add certificates
-        $keys = [];
-        $certInfo = Utils\Crypto::loadPublicKey($config, false, 'new_');
-        $hasNewCert = false;
-        if ($certInfo !== null) {
-            $keys[] = [
-                'type' => 'X509Certificate',
-                'signing' => true,
-                'encryption' => true,
-                'X509Certificate' => $certInfo['certData'],
-                'prefix' => 'new_',
-            ];
-            $hasNewCert = true;
-        }
-
-        /** @var array $certInfo */
-        $certInfo = Utils\Crypto::loadPublicKey($config, true);
-        $keys[] = [
-            'type' => 'X509Certificate',
-            'signing' => true,
-            'encryption' => $hasNewCert === false,
-            'X509Certificate' => $certInfo['certData'],
-            'prefix' => '',
-        ];
-
-        if ($config->hasValue('https.certificate')) {
-            /** @var array $httpsCert */
-            $httpsCert = Utils\Crypto::loadPublicKey($config, true, 'https.');
-            $keys[] = [
-                'type' => 'X509Certificate',
-                'signing' => true,
-                'encryption' => false,
-                'X509Certificate' => $httpsCert['certData'],
-                'prefix' => 'https.'
-            ];
-        }
-        $metadata['keys'] = $keys;
-
-        // add ArtifactResolutionService endpoint, if enabled
-        if ($config->getBoolean('saml20.sendartifact', false)) {
-            $metadata['ArtifactResolutionService'][] = [
-                'index' => 0,
-                'Binding' => Constants::BINDING_SOAP,
-                'Location' => Utils\HTTP::getBaseURL() . 'saml2/idp/ArtifactResolutionService.php'
-            ];
-        }
-
-        // add Holder of Key, if enabled
-        if ($config->getBoolean('saml20.hok.assertion', false)) {
-            array_unshift(
-                $metadata['SingleSignOnService'],
-                [
-                    'hoksso:ProtocolBinding' => Constants::BINDING_HTTP_REDIRECT,
-                    'Binding' => Constants::BINDING_HOK_SSO,
-                    'Location' => Utils\HTTP::getBaseURL() . 'saml2/idp/SSOService.php',
-                ]
-            );
-        }
-
-        // add ECP profile, if enabled
-        if ($config->getBoolean('saml20.ecp', false)) {
-            $metadata['SingleSignOnService'][] = [
-                'index' => 0,
-                'Binding' => Constants::BINDING_SOAP,
-                'Location' => Utils\HTTP::getBaseURL() . 'saml2/idp/SSOService.php',
-            ];
-        }
-
-        // add organization information
-        if ($config->hasValue('OrganizationName')) {
-            $metadata['OrganizationName'] = $config->getLocalizedString('OrganizationName');
-            $metadata['OrganizationDisplayName'] = $config->getLocalizedString(
-                'OrganizationDisplayName',
-                $metadata['OrganizationName']
-            );
-
-            if (!$config->hasValue('OrganizationURL')) {
-                throw new Error\Exception('If OrganizationName is set, OrganizationURL must also be set.');
-            }
-            $metadata['OrganizationURL'] = $config->getLocalizedString('OrganizationURL');
-        }
-
-        // add scope
-        if ($config->hasValue('scope')) {
-            $metadata['scope'] = $config->getArray('scope');
-        }
-
-        // add extensions
-        if ($config->hasValue('EntityAttributes')) {
-            $metadata['EntityAttributes'] = $config->getArray('EntityAttributes');
-
-            // check for entity categories
-            if (Utils\Config\Metadata::isHiddenFromDiscovery($metadata)) {
-                $metadata['hide.from.discovery'] = true;
-            }
-        }
-
-        if ($config->hasValue('UIInfo')) {
-            $metadata['UIInfo'] = $config->getArray('UIInfo');
-        }
-
-        if ($config->hasValue('DiscoHints')) {
-            $metadata['DiscoHints'] = $config->getArray('DiscoHints');
-        }
-
-        if ($config->hasValue('RegistrationInfo')) {
-            $metadata['RegistrationInfo'] = $config->getArray('RegistrationInfo');
-        }
-
-        // configure signature options
-        if ($config->hasValue('validate.authnrequest')) {
-            $metadata['sign.authnrequest'] = $config->getBoolean('validate.authnrequest');
-        }
-
-        if ($config->hasValue('redirect.validate')) {
-            $metadata['redirect.sign'] = $config->getBoolean('redirect.validate');
-        }
-
-        // add contact information
-        if ($config->hasValue('contacts')) {
-            $contacts = $config->getArray('contacts');
-            foreach ($contacts as $contact) {
-                $metadata['contacts'][] = Utils\Config\Metadata::getContact($contact);
-            }
-        }
-
-        $globalConfig = Configuration::getInstance();
-        $email = $globalConfig->getString('technicalcontact_email', false);
-        if ($email && $email !== 'na@example.org') {
-            $contact = [
-                'emailAddress' => $email,
-                'name' => $globalConfig->getString('technicalcontact_name', null),
-                'contactType' => 'technical',
-            ];
-            $metadata['contacts'][] = Utils\Config\Metadata::getContact($contact);
-        }
-
-        return $metadata;
-    }
-
-
-    /**
-     * Calculate the NameID value that should be used.
-     *
-     * @param \SimpleSAML\Configuration $idpMetadata The metadata of the IdP.
-     * @param \SimpleSAML\Configuration $spMetadata The metadata of the SP.
-     * @param array                     &$state The authentication state of the user.
-     *
-     * @return string|null The NameID value.
-     */
-    private static function generateNameIdValue(
-        Configuration $idpMetadata,
-        Configuration $spMetadata,
-        array &$state
-    ): ?string {
-        $attribute = $spMetadata->getString('simplesaml.nameidattribute', null);
-        if ($attribute === null) {
-            $attribute = $idpMetadata->getString('simplesaml.nameidattribute', null);
-            if ($attribute === null) {
-                if (!isset($state['UserID'])) {
-                    Logger::error('Unable to generate NameID. Check the userid.attribute option.');
-                    return null;
-                }
-                $attributeValue = $state['UserID'];
-                $idpEntityId = $idpMetadata->getString('entityid');
-                $spEntityId = $spMetadata->getString('entityid');
-
-                $secretSalt = Utils\Config::getSecretSalt();
-
-                $uidData = 'uidhashbase' . $secretSalt;
-                $uidData .= strlen($idpEntityId) . ':' . $idpEntityId;
-                $uidData .= strlen($spEntityId) . ':' . $spEntityId;
-                $uidData .= strlen($attributeValue) . ':' . $attributeValue;
-                $uidData .= $secretSalt;
-
-                return hash('sha1', $uidData);
-            }
-        }
-
-        $attributes = $state['Attributes'];
-        if (!array_key_exists($attribute, $attributes)) {
-            Logger::error('Unable to add NameID: Missing ' . var_export($attribute, true) .
-                ' in the attributes of the user.');
-            return null;
-        }
-
-        return $attributes[$attribute][0];
-    }
-
-
-    /**
-     * Helper function for encoding attributes.
-     *
-     * @param \SimpleSAML\Configuration $idpMetadata The metadata of the IdP.
-     * @param \SimpleSAML\Configuration $spMetadata The metadata of the SP.
-     * @param array $attributes The attributes of the user.
-     *
-     * @return array  The encoded attributes.
-     *
-     * @throws \SimpleSAML\Error\Exception In case an unsupported encoding is specified by configuration.
-     */
-    private static function encodeAttributes(
-        Configuration $idpMetadata,
-        Configuration $spMetadata,
-        array $attributes
-    ): array {
-        $base64Attributes = $spMetadata->getBoolean('base64attributes', null);
-        if ($base64Attributes === null) {
-            $base64Attributes = $idpMetadata->getBoolean('base64attributes', false);
-        }
-
-        if ($base64Attributes) {
-            $defaultEncoding = 'base64';
-        } else {
-            $defaultEncoding = 'string';
-        }
-
-        $srcEncodings = $idpMetadata->getArray('attributeencodings', []);
-        $dstEncodings = $spMetadata->getArray('attributeencodings', []);
-
-        /*
-         * Merge the two encoding arrays. Encodings specified in the target metadata
-         * takes precedence over the source metadata.
-         */
-        $encodings = array_merge($srcEncodings, $dstEncodings);
-
-        $ret = [];
-        foreach ($attributes as $name => $values) {
-            $ret[$name] = [];
-            if (array_key_exists($name, $encodings)) {
-                $encoding = $encodings[$name];
-            } else {
-                $encoding = $defaultEncoding;
-            }
-
-            foreach ($values as $value) {
-                // allow null values
-                if ($value === null) {
-                    $ret[$name][] = $value;
-                    continue;
-                }
-
-                $attrval = $value;
-                if ($value instanceof DOMNodeList) {
-                    /** @psalm-suppress PossiblyNullPropertyFetch */
-                    $attrval = new AttributeValue($value->item(0)->parentNode);
-                }
-
-                switch ($encoding) {
-                    case 'string':
-                        $value = (string) $attrval;
-                        break;
-                    case 'base64':
-                        $value = base64_encode((string) $attrval);
-                        break;
-                    case 'raw':
-                        if (is_string($value)) {
-                            $doc = DOMDocumentFactory::fromString('<root>' . $value . '</root>');
-                            $value = $doc->firstChild->childNodes;
-                        }
-                        assert($value instanceof DOMNodeList || $value instanceof NameID);
-                        break;
-                    default:
-                        throw new Error\Exception('Invalid encoding for attribute ' .
-                            var_export($name, true) . ': ' . var_export($encoding, true));
-                }
-                $ret[$name][] = $value;
-            }
-        }
-
-        return $ret;
-    }
-
-
-    /**
-     * Determine which NameFormat we should use for attributes.
-     *
-     * @param \SimpleSAML\Configuration $idpMetadata The metadata of the IdP.
-     * @param \SimpleSAML\Configuration $spMetadata The metadata of the SP.
-     *
-     * @return string  The NameFormat.
-     */
-    private static function getAttributeNameFormat(
-        Configuration $idpMetadata,
-        Configuration $spMetadata
-    ): string {
-        // try SP metadata first
-        $attributeNameFormat = $spMetadata->getString('attributes.NameFormat', null);
-        if ($attributeNameFormat !== null) {
-            return $attributeNameFormat;
-        }
-        $attributeNameFormat = $spMetadata->getString('AttributeNameFormat', null);
-        if ($attributeNameFormat !== null) {
-            return $attributeNameFormat;
-        }
-
-        // look in IdP metadata
-        $attributeNameFormat = $idpMetadata->getString('attributes.NameFormat', null);
-        if ($attributeNameFormat !== null) {
-            return $attributeNameFormat;
-        }
-        $attributeNameFormat = $idpMetadata->getString('AttributeNameFormat', null);
-        if ($attributeNameFormat !== null) {
-            return $attributeNameFormat;
-        }
-
-        // default
-        return Constants::NAMEFORMAT_BASIC;
-    }
-
-
-    /**
-     * Build an assertion based on information in the metadata.
-     *
-     * @param \SimpleSAML\Configuration $idpMetadata The metadata of the IdP.
-     * @param \SimpleSAML\Configuration $spMetadata The metadata of the SP.
-     * @param array &$state The state array with information about the request.
-     *
-     * @return \SAML2\Assertion  The assertion.
-     *
-     * @throws \SimpleSAML\Error\Exception In case an error occurs when creating a holder-of-key assertion.
-     */
-    private static function buildAssertion(
-        Configuration $idpMetadata,
-        Configuration $spMetadata,
-        array &$state
-    ): Assertion {
-        assert(isset($state['Attributes']));
-        assert(isset($state['saml:ConsumerURL']));
-
-        $now = time();
-
-        $signAssertion = $spMetadata->getBoolean('saml20.sign.assertion', null);
-        if ($signAssertion === null) {
-            $signAssertion = $idpMetadata->getBoolean('saml20.sign.assertion', true);
-        }
-
-        $config = Configuration::getInstance();
-
-        $a = new Assertion();
-        if ($signAssertion) {
-            \SimpleSAML\Module\saml\Message::addSign($idpMetadata, $spMetadata, $a);
-        }
-
-        $issuer = new Issuer();
-        $issuer->setValue($idpMetadata->getString('entityid'));
-        $issuer->setFormat(Constants::NAMEID_ENTITY);
-        $a->setIssuer($issuer);
-
-        $audience = array_merge([$spMetadata->getString('entityid')], $spMetadata->getArray('audience', []));
-        $a->setValidAudiences($audience);
-
-        $a->setNotBefore($now - 30);
-
-        $assertionLifetime = $spMetadata->getInteger('assertion.lifetime', null);
-        if ($assertionLifetime === null) {
-            $assertionLifetime = $idpMetadata->getInteger('assertion.lifetime', 300);
-        }
-        $a->setNotOnOrAfter($now + $assertionLifetime);
-
-        if (isset($state['saml:AuthnContextClassRef'])) {
-            $a->setAuthnContextClassRef($state['saml:AuthnContextClassRef']);
-        } elseif (Utils\HTTP::isHTTPS()) {
-            $a->setAuthnContextClassRef(Constants::AC_PASSWORD_PROTECTED_TRANSPORT);
-        } else {
-            $a->setAuthnContextClassRef(Constants::AC_PASSWORD);
-        }
-
-        $sessionStart = $now;
-        if (isset($state['AuthnInstant'])) {
-            $a->setAuthnInstant($state['AuthnInstant']);
-            $sessionStart = $state['AuthnInstant'];
-        }
-
-        $sessionLifetime = $config->getInteger('session.duration', 8 * 60 * 60);
-        $a->setSessionNotOnOrAfter($sessionStart + $sessionLifetime);
-
-        $a->setSessionIndex(Utils\Random::generateID());
-
-        $sc = new SubjectConfirmation();
-        $scd = new SubjectConfirmationData();
-        $scd->setNotOnOrAfter($now + $assertionLifetime);
-        $scd->setRecipient($state['saml:ConsumerURL']);
-        $scd->setInResponseTo($state['saml:RequestId']);
-        $sc->setSubjectConfirmationData($scd);
-
-        // ProtcolBinding of SP's <AuthnRequest> overwrites IdP hosted metadata configuration
-        $hokAssertion = null;
-        if ($state['saml:Binding'] === Constants::BINDING_HOK_SSO) {
-            $hokAssertion = true;
-        }
-        if ($hokAssertion === null) {
-            $hokAssertion = $idpMetadata->getBoolean('saml20.hok.assertion', false);
-        }
-
-        if ($hokAssertion) {
-            // Holder-of-Key
-            $sc->setMethod(Constants::CM_HOK);
-            if (Utils\HTTP::isHTTPS()) {
-                if (isset($_SERVER['SSL_CLIENT_CERT']) && !empty($_SERVER['SSL_CLIENT_CERT'])) {
-                    // extract certificate data (if this is a certificate)
-                    $clientCert = $_SERVER['SSL_CLIENT_CERT'];
-                    $pattern = '/^-----BEGIN CERTIFICATE-----([^-]*)^-----END CERTIFICATE-----/m';
-                    if (preg_match($pattern, $clientCert, $matches)) {
-                        // we have a client certificate from the browser which we add to the HoK assertion
-                        $x509Certificate = new X509Certificate();
-                        $x509Certificate->setCertificate(str_replace(["\r", "\n", " "], '', $matches[1]));
-
-                        $x509Data = new X509Data();
-                        $x509Data->addData($x509Certificate);
-
-                        $keyInfo = new KeyInfo();
-                        $keyInfo->addInfo($x509Data);
-
-                        $scd->addInfo($keyInfo);
-                    } else {
-                        throw new Error\Exception(
-                            'Error creating HoK assertion: No valid client certificate provided during '
-                            . 'TLS handshake with IdP'
-                        );
-                    }
-                } else {
-                    throw new Error\Exception(
-                        'Error creating HoK assertion: No client certificate provided during TLS handshake with IdP'
-                    );
-                }
-            } else {
-                throw new Error\Exception(
-                    'Error creating HoK assertion: No HTTPS connection to IdP, but required for Holder-of-Key SSO'
-                );
-            }
-        } else {
-            // Bearer
-            $sc->setMethod(Constants::CM_BEARER);
-        }
-        $sc->setSubjectConfirmationData($scd);
-        $a->setSubjectConfirmation([$sc]);
-
-        // add attributes
-        if ($spMetadata->getBoolean('simplesaml.attributes', true)) {
-            $attributeNameFormat = self::getAttributeNameFormat($idpMetadata, $spMetadata);
-            $a->setAttributeNameFormat($attributeNameFormat);
-            $attributes = self::encodeAttributes($idpMetadata, $spMetadata, $state['Attributes']);
-            $a->setAttributes($attributes);
-        }
-
-        $nameIdFormat = null;
-
-        // generate the NameID for the assertion
-        if (isset($state['saml:NameIDFormat'])) {
-            $nameIdFormat = $state['saml:NameIDFormat'];
-        }
-
-        if ($nameIdFormat === null || !isset($state['saml:NameID'][$nameIdFormat])) {
-            // either not set in request, or not set to a format we supply. Fall back to old generation method
-            $nameIdFormat = current($spMetadata->getArrayizeString('NameIDFormat', []));
-            if ($nameIdFormat === false) {
-                $nameIdFormat = current($idpMetadata->getArrayizeString('NameIDFormat', [Constants::NAMEID_TRANSIENT]));
-            }
-        }
-
-        if (isset($state['saml:NameID'][$nameIdFormat])) {
-            $nameId = $state['saml:NameID'][$nameIdFormat];
-            $nameId->setFormat($nameIdFormat);
-        } else {
-            $spNameQualifier = $spMetadata->getString('SPNameQualifier', null);
-            if ($spNameQualifier === null) {
-                $spNameQualifier = $spMetadata->getString('entityid');
-            }
-
-            if ($nameIdFormat === Constants::NAMEID_TRANSIENT) {
-                // generate a random id
-                $nameIdValue = Utils\Random::generateID();
-            } else {
-                /* this code will end up generating either a fixed assigned id (via nameid.attribute)
-                   or random id if not assigned/configured */
-                $nameIdValue = self::generateNameIdValue($idpMetadata, $spMetadata, $state);
-                if ($nameIdValue === null) {
-                    Logger::warning('Falling back to transient NameID.');
-                    $nameIdFormat = Constants::NAMEID_TRANSIENT;
-                    $nameIdValue = Utils\Random::generateID();
-                }
-            }
-
-            $nameId = new NameID();
-            $nameId->setFormat($nameIdFormat);
-            $nameId->setValue($nameIdValue);
-            $nameId->setSPNameQualifier($spNameQualifier);
-        }
-
-        $state['saml:idp:NameID'] = $nameId;
-
-        $a->setNameId($nameId);
-
-        $encryptNameId = $spMetadata->getBoolean('nameid.encryption', null);
-        if ($encryptNameId === null) {
-            $encryptNameId = $idpMetadata->getBoolean('nameid.encryption', false);
-        }
-        if ($encryptNameId) {
-            $a->encryptNameId(\SimpleSAML\Module\saml\Message::getEncryptionKey($spMetadata));
-        }
-
-        return $a;
-    }
-
-
-    /**
-     * Encrypt an assertion.
-     *
-     * This function takes in a \SAML2\Assertion and encrypts it if encryption of
-     * assertions are enabled in the metadata.
-     *
-     * @param \SimpleSAML\Configuration $idpMetadata The metadata of the IdP.
-     * @param \SimpleSAML\Configuration $spMetadata The metadata of the SP.
-     * @param \SAML2\Assertion $assertion The assertion we are encrypting.
-     *
-     * @return \SAML2\Assertion|\SAML2\EncryptedAssertion  The assertion.
-     *
-     * @throws \SimpleSAML\Error\Exception In case the encryption key type is not supported.
-     */
-    private static function encryptAssertion(
-        Configuration $idpMetadata,
-        Configuration $spMetadata,
-        Assertion $assertion
-    ) {
-        $encryptAssertion = $spMetadata->getBoolean('assertion.encryption', null);
-        if ($encryptAssertion === null) {
-            $encryptAssertion = $idpMetadata->getBoolean('assertion.encryption', false);
-        }
-        if (!$encryptAssertion) {
-            // we are _not_ encrypting this assertion, and are therefore done
-            return $assertion;
-        }
-
-
-        $sharedKey = $spMetadata->getString('sharedkey', null);
-        if ($sharedKey !== null) {
-            $algo = $spMetadata->getString('sharedkey_algorithm', null);
-            if ($algo === null) {
-                $algo = $idpMetadata->getString('sharedkey_algorithm');
-            }
-
-            $key = new XMLSecurityKey($algo);
-            $key->loadKey($sharedKey);
-        } else {
-            $keys = $spMetadata->getPublicKeys('encryption', true);
-            if (!empty($keys)) {
-                $key = $keys[0];
-                switch ($key['type']) {
-                    case 'X509Certificate':
-                        $pemKey = "-----BEGIN CERTIFICATE-----\n" .
-                            chunk_split($key['X509Certificate'], 64) .
-                            "-----END CERTIFICATE-----\n";
-                        break;
-                    default:
-                        throw new Error\Exception('Unsupported encryption key type: ' . $key['type']);
-                }
-
-                // extract the public key from the certificate for encryption
-                $key = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, ['type' => 'public']);
-                $key->loadKey($pemKey);
-            } else {
-                throw new Error\ConfigurationError(
-                    'Missing encryption key for entity `' . $spMetadata->getString('entityid') . '`',
-                    $spMetadata->getString('metadata-set') . '.php',
-                    null
-                );
-            }
-        }
-
-        $ea = new EncryptedAssertion();
-        $ea->setAssertion($assertion, $key);
-        return $ea;
-    }
-
-
-    /**
-     * Build a logout request based on information in the metadata.
-     *
-     * @param \SimpleSAML\Configuration $idpMetadata The metadata of the IdP.
-     * @param \SimpleSAML\Configuration $spMetadata The metadata of the SP.
-     * @param array $association The SP association.
-     * @param string|null $relayState An id that should be carried across the logout.
-     *
-     * @return \SAML2\LogoutRequest The corresponding SAML2 logout request.
-     */
-    private static function buildLogoutRequest(
-        Configuration $idpMetadata,
-        Configuration $spMetadata,
-        array $association,
-        string $relayState = null
-    ): LogoutRequest {
-        $lr = \SimpleSAML\Module\saml\Message::buildLogoutRequest($idpMetadata, $spMetadata);
-        $lr->setRelayState($relayState);
-        $lr->setSessionIndex($association['saml:SessionIndex']);
-        $lr->setNameId($association['saml:NameID']);
-
-        $assertionLifetime = $spMetadata->getInteger('assertion.lifetime', null);
-        if ($assertionLifetime === null) {
-            $assertionLifetime = $idpMetadata->getInteger('assertion.lifetime', 300);
-        }
-        $lr->setNotOnOrAfter(time() + $assertionLifetime);
-
-        $encryptNameId = $spMetadata->getBoolean('nameid.encryption', null);
-        if ($encryptNameId === null) {
-            $encryptNameId = $idpMetadata->getBoolean('nameid.encryption', false);
-        }
-        if ($encryptNameId) {
-            $lr->encryptNameId(\SimpleSAML\Module\saml\Message::getEncryptionKey($spMetadata));
-        }
-
-        return $lr;
-    }
-
-
-    /**
-     * Build a authentication response based on information in the metadata.
-     *
-     * @param \SimpleSAML\Configuration $idpMetadata The metadata of the IdP.
-     * @param \SimpleSAML\Configuration $spMetadata The metadata of the SP.
-     * @param string                    $consumerURL The Destination URL of the response.
-     *
-     * @return \SAML2\Response The SAML2 Response corresponding to the given data.
-     */
-    private static function buildResponse(
-        Configuration $idpMetadata,
-        Configuration $spMetadata,
-        string $consumerURL
-    ): Response {
-        $signResponse = $spMetadata->getBoolean('saml20.sign.response', null);
-        if ($signResponse === null) {
-            $signResponse = $idpMetadata->getBoolean('saml20.sign.response', true);
-        }
-
-        $r = new Response();
-        $issuer = new Issuer();
-        $issuer->setValue($idpMetadata->getString('entityid'));
-        $issuer->setFormat(Constants::NAMEID_ENTITY);
-        $r->setIssuer($issuer);
-        $r->setDestination($consumerURL);
-
-        if ($signResponse) {
-            \SimpleSAML\Module\saml\Message::addSign($idpMetadata, $spMetadata, $r);
-        }
-
-        return $r;
-    }
-}
diff --git a/modules/sildisco/src/IdPDisco.php b/modules/sildisco/src/IdPDisco.php
index a4bb5de0..b6f21f41 100644
--- a/modules/sildisco/src/IdPDisco.php
+++ b/modules/sildisco/src/IdPDisco.php
@@ -5,8 +5,11 @@
 use Sil\SspUtils\AnnouncementUtils;
 use Sil\SspUtils\DiscoUtils;
 use Sil\SspUtils\Metadata;
-use SimpleSAML\Utils\Arrays;
+use SimpleSAML\Auth;
+use SimpleSAML\Logger;
 use SimpleSAML\Utils\HTTP;
+use SimpleSAML\XHTML\IdPDisco as SSPIdPDisco;
+use SimpleSAML\XHTML\Template;
 
 /**
  * This class implements a custom IdP discovery service, for use with a ssp hub (proxy)
@@ -16,35 +19,21 @@
  * @author Steve Bagwell SIL GTIS
  * @package SimpleSAMLphp
  */
-class IdPDisco extends \SimpleSAML\XHTML\IdPDisco
+class IdPDisco extends SSPIdPDisco
 {
 
     /* The session type for this class */
     public static string $sessionType = 'sildisco:authentication';
 
-    /* The session key for checking if the current user has the beta_tester cookie */
-    public static string $betaTesterSessionKey = 'beta_tester';
-
-    /* The idp metadata key that says whether an IDP is betaEnabled */
-    public static string $betaEnabledMdKey = 'betaEnabled';
-
     /* The idp metadata key that says whether an IDP is enabled */
     public static string $enabledMdKey = 'enabled';
 
-    /* The sp metadata key that gives the name of the SP */
-    public static string $spNameMdKey = 'name';
-
-    /* Used to get the SP Entity ID, e.g. $spEntityId = $this->session->getData($sessionDataType, $sessionKeyForSP); */
-    public static string $sessionDataType = 'sildisco:authentication';
-    public static string $sessionKeyForSP = 'spentityid';
-
-
     /**
      * @inheritDoc
      */
     protected function log(string $message): void
     {
-        \SimpleSAML\Logger::info('SildiscoIdPDisco.' . $this->instance . ': ' . $message);
+        Logger::info('SildiscoIdPDisco.' . $this->instance . ': ' . $message);
     }
 
     /* Path to the folder with the SP and IdP metadata */
@@ -59,15 +48,26 @@ private function getSPEntityIDAndReducedIdpList(): array
         $idpList = $this->getIdPList();
         $idpList = $this->filterList($idpList);
 
-        $spEntityId = $this->session->getData(self::$sessionDataType, self::$sessionKeyForSP);
+        // Creative solution for getting the EntityID from the SPMetadata entry in the state
+        // Source: https://github.com/simplesamlphp/simplesamlphp-module-discopower/blob/5e2e5e9da751104d1553d273cfb2d0bd1e2b57df/src/PowerIdPDisco.php#L231
+        // Before the SimpleSAMLphp 2 upgrade, we added it to the state ourselves by overriding the SAML2.php file
+        parse_str(parse_url($_GET['return'], PHP_URL_QUERY), $returnState);
+        $state = Auth\State::loadState($returnState['AuthID'], 'saml:sp:sso');
+        if ($state && array_key_exists('SPMetadata', $state)) {
+            $spmd = $state['SPMetadata'];
+            $this->log('Updated SP metadata from ' . $this->spEntityId . ' to ' . $spmd['entityid']);
+        }
+        $spEntityId = $spmd['entityid'];
 
-        $idpList = DiscoUtils::getReducedIdpList(
-            $idpList,
-            $this->getMetadataPath(),
-            $spEntityId
-        );
+        if (!empty($spEntityId)) {
+            $idpList = DiscoUtils::getReducedIdpList(
+                $idpList,
+                $this->getMetadataPath(),
+                $spEntityId
+            );
+        }
 
-        return array($spEntityId, self::enableBetaEnabled($idpList));
+        return array($spEntityId, $idpList);
     }
 
     /**
@@ -75,7 +75,6 @@ private function getSPEntityIDAndReducedIdpList(): array
      */
     public function handleRequest(): void
     {
-
         $this->start();
         list($spEntityId, $idpList) = $this->getSPEntityIDAndReducedIdpList();
 
@@ -98,26 +97,18 @@ public function handleRequest(): void
             }
         }
 
-        // Get the SP's name
+        // Get the SP metadata entry
         $spEntries = Metadata::getSpMetadataEntries($this->getMetadataPath());
+        $sp = $spEntries[$spEntityId];
 
-        $t = new \SimpleSAML\XHTML\Template($this->config, 'selectidp-links', 'disco');
-
-        $spName = null;
-
-        $rawSPName = $spEntries[$spEntityId][self::$spNameMdKey] ?? null;
-        if ($rawSPName !== null) {
-            $arrayUtils = new Arrays();
-            $spName = htmlspecialchars($t->getTranslator()->getPreferredTranslation(
-                $arrayUtils->arrayize($rawSPName, 'en')
-            ));
-        }
+        $t = new Template($this->config, 'selectidp-links', 'disco');
 
         // in order to bypass some built-in simplesaml behavior, an extra idp
         // might've been added.  It's not meant to be displayed.
         unset($idpList['dummy']);
 
         $enabledIdps = [];
+        $disabledIdps = [];
         foreach ($idpList as $idp) {
             if ($idp['enabled'] === true) {
                 $enabledIdps[] = $idp;
@@ -126,51 +117,16 @@ public function handleRequest(): void
             }
         }
 
-        $t->data['enabledIdps'] = $enabledIdps;
-        $t->data['disabledIdps'] = $disabledIdps;
+        $t->data['enabled_idps'] = $enabledIdps;
+        $t->data['disabled_idps'] = $disabledIdps;
         $t->data['return'] = $this->returnURL;
-        $t->data['returnIDParam'] = $this->returnIdParam;
-        $t->data['entityID'] = $this->spEntityId;
-        $t->data['spName'] = $spName;
-        $t->data['urlpattern'] = htmlspecialchars($httpUtils->getSelfURLNoQuery());
+        $t->data['return_id_param'] = $this->returnIdParam;
+        $t->data['entity_id'] = $this->spEntityId;
+        $t->data['sp'] = $sp;
         $t->data['announcement'] = AnnouncementUtils::getAnnouncement();
-        $t->data['helpCenterUrl'] = $this->config->getOptionalString('helpCenterUrl', '');
-
-        $t->show();
-    }
-
-    /**
-     * @param array $idpList the IDPs with their metadata
-     * @param bool|null $isBetaTester optional (default=null) just for unit testing
-     * @return array $idpList
-     *
-     * If the current user has the beta_tester cookie, then for each IDP in
-     * the idpList that has 'betaEnabled' => true, give it 'enabled' => true
-     *
-     */
-    public static function enableBetaEnabled(array $idpList, ?bool $isBetaTester = null): array
-    {
-
-        if ($isBetaTester === null) {
-            $session = \SimpleSAML\Session::getSessionFromRequest();
-            $isBetaTester = $session->getData(
-                self::$sessionType,
-                self::$betaTesterSessionKey
-            );
-        }
-
-        if (!$isBetaTester) {
-            return $idpList;
-        }
-
-        foreach ($idpList as $idp => $idpMetadata) {
-            if (!empty($idpMetadata[self::$betaEnabledMdKey])) {
-                $idpMetadata[self::$enabledMdKey] = true;
-                $idpList[$idp] = $idpMetadata;
-            }
-        }
+        $t->data['help_center_url'] = $this->config->getOptionalString('helpCenterUrl', '');
 
-        return $idpList;
+        $t->send();
     }
 
     /**
diff --git a/modules/sildisco/src/SSOService.php b/modules/sildisco/src/SSOService.php
deleted file mode 100644
index 3bd604b2..00000000
--- a/modules/sildisco/src/SSOService.php
+++ /dev/null
@@ -1,47 +0,0 @@
-<?php
-/**
- *
- * Note: This has been copied from the core code (public/saml2/idp/SSOService.php version 1.19.6)
- *   and modified to call a different authentication class/method
- *
- * Original comments ...
- *
- * The SSOService is part of the SAML 2.0 IdP code, and it receives incoming Authentication Requests
- * from a SAML 2.0 SP, parses, and process it, and then authenticates the user and sends the user back
- * to the SP with an Authentication Response.
- *
- * @author Andreas Åkre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
- * @package SimpleSAMLphp
- */
-
-require_once('../../_include.php');
-
-\SimpleSAML\Logger::info('SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService');
-
-$metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
-
-$config = \SimpleSAML\Configuration::getInstance();
-if (!$config->getBoolean('enable.saml20-idp', false) || !\SimpleSAML\Module::isModuleEnabled('saml')) {
-    throw new \SimpleSAML\Error\Error('NOACCESS', null, 403);
-}
-
-$idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
-$idp = \SimpleSAML\IdP::getById('saml2:' . $idpEntityId);
-
-$hubModeKey = 'hubmode';
-
-try {
-// If in hub mode, then use the sildisco entry script
-    if ($config->getOptionalBoolean($hubModeKey, false)) {
-        \SimpleSAML\Module\sildisco\IdP\SAML2::receiveAuthnRequest($idp);
-    } else {
-        \SimpleSAML\Module\saml\IdP\SAML2::receiveAuthnRequest($idp);
-    }
-} catch (\Exception $e) {
-    if ($e->getMessage() === "Unable to find the current binding.") {
-        throw new \SimpleSAML\Error\Error('SSOPARAMS', $e, 400);
-    } else {
-        throw $e; // do not ignore other exceptions!
-    }
-}
-assert(false);
diff --git a/modules/sildisco/tests/AddIdpTest.php b/modules/sildisco/tests/AddIdpTest.php
index 699003a6..686eb07e 100644
--- a/modules/sildisco/tests/AddIdpTest.php
+++ b/modules/sildisco/tests/AddIdpTest.php
@@ -1,7 +1,11 @@
 <?php
 
 
-class AddIdpTest extends PHPUnit_Framework_TestCase
+use PHPUnit\Framework\TestCase;
+use SAML2\XML\saml\NameID;
+use SimpleSAML\Module\sildisco\Auth\Process\AddIdp2NameId;
+
+class AddIdpTest extends TestCase
 {
 
     private static function getNameID($idp)
@@ -10,7 +14,7 @@ private static function getNameID($idp)
             'saml:sp:IdP' => $idp,
             'saml:sp:NameID' => [
                 [
-                    'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
+                    'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
                     'Value' => 'Tester1_Smith',
                     'SPNameQualifier' => 'http://ssp-sp1.local',
                 ],
@@ -29,7 +33,7 @@ private static function getNameID($idp)
      */
     private static function processAddIdp2NameId(array $config, array $request)
     {
-        $filter = new \SimpleSAML\Module\sildisco\Auth\Process\AddIdp2NameId($config, NULL);
+        $filter = new AddIdp2NameId($config, NULL);
         $filter->process($request);
         return $request;
     }
@@ -40,7 +44,7 @@ private static function processAddIdp2NameId(array $config, array $request)
      */
     public function testAddIdp2NameId_NoIDPNamespace()
     {
-        $this->setExpectedException('\SimpleSAML\Error\Exception');
+        $this->expectException('\SimpleSAML\Error\Exception');
         $config = ['test' => ['value1', 'value2'],];
         $request = self::getNameID('idp-bare');
 
@@ -54,7 +58,7 @@ public function testAddIdp2NameId_NoIDPNamespace()
      */
     public function testAddIdp2NameId_EmptyIDPNamespace()
     {
-        $this->setExpectedException('\SimpleSAML\Error\Exception');
+        $this->expectException('\SimpleSAML\Error\Exception');
         $config = ['test' => ['value1', 'value2'],];
         $request = self::getNameID('idp-empty');
         self::processAddIdp2NameId($config, $request);
@@ -66,7 +70,7 @@ public function testAddIdp2NameId_EmptyIDPNamespace()
      */
     public function testAddIdp2NameId_BadIDPNamespace()
     {
-        $this->setExpectedException('\SimpleSAML\Error\Exception');
+        $this->expectException('\SimpleSAML\Error\Exception');
         $config = [
             'test' => ['value1', 'value2'],
         ];
@@ -80,19 +84,21 @@ public function testAddIdp2NameId_BadIDPNamespace()
      */
     public function testAddIdp2NameId_GoodString()
     {
+        $nameID = new NameID();
+        $nameID->setValue('Tester1_SmithA');
         $config = ['test' => ['value1', 'value2']];
         $state = [
             'saml:sp:IdP' => 'idp-good',
-            'saml:sp:NameID' => 'Tester1_SmithA',
+            'saml:sp:NameID' => $nameID,
             'Attributes' => [],
             'metadataPath' => __DIR__ . '/fixtures/metadata/',
         ];
 
-        $newNameID = $state['saml:sp:NameID'];
-        $newNameID = 'Tester1_SmithA@idpGood';
+        $newNameID = new NameID();
+        $newNameID->setValue('Tester1_SmithA@idpGood');
 
         $expected = $state;
-        $expected['saml:NameID']['urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'] = $newNameID;
+        $expected['saml:NameID']['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'] = $newNameID;
 
         $results = self::processAddIdp2NameId($config, $state);
         $this->assertEquals($expected, $results);
@@ -103,23 +109,24 @@ public function testAddIdp2NameId_GoodString()
      */
     public function testAddIdp2NameId_GoodArray()
     {
+        $nameID = new NameID();
+        $nameID->setValue('Tester1_SmithA');
+        $nameID->setFormat('urn:oasis:names:tc:SAML:2.0:nameid-format:persistent');
+        $nameID->setSPNameQualifier('http://ssp-sp1.local');
+
         $config = ['test' => ['value1', 'value2']];
         $state = [
             'saml:sp:IdP' => 'idp-good',
-            'saml:sp:NameID' => [
-                'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:transient',
-                'Value' => 'Tester1_SmithA',
-                'SPNameQualifier' => 'http://ssp-sp1.local',
-            ],
+            'saml:sp:NameID' => $nameID,
             'Attributes' => [],
             'metadataPath' => __DIR__ . '/fixtures/metadata/',
         ];
 
         $newNameID = $state['saml:sp:NameID'];
-        $newNameID['Value'] = 'Tester1_SmithA@idpGood';
+        $newNameID->setValue('Tester1_SmithA@idpGood');
 
         $expected = $state;
-        $expected['saml:NameID']['urn:oasis:names:tc:SAML:1.1:nameid-format:transient'] = $newNameID;
+        $expected['saml:NameID']['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'] = $newNameID;
 
         $results = self::processAddIdp2NameId($config, $state);
 
diff --git a/modules/sildisco/tests/TagGroupTest.php b/modules/sildisco/tests/TagGroupTest.php
index cd67dc6e..c54b8c0a 100644
--- a/modules/sildisco/tests/TagGroupTest.php
+++ b/modules/sildisco/tests/TagGroupTest.php
@@ -1,7 +1,9 @@
 <?php
 
+use PHPUnit\Framework\TestCase;
+use SimpleSAML\Module\sildisco\Auth\Process\TagGroup;
 
-class TagGroupTest extends PHPUnit_Framework_TestCase
+class TagGroupTest extends TestCase
 {
     /**
      * Helper function to run the filter with a given configuration.
@@ -12,7 +14,7 @@ class TagGroupTest extends PHPUnit_Framework_TestCase
      */
     private static function processTagGroup(array $config, array $request)
     {
-        $filter = new \SimpleSAML\Module\sildisco\Auth\Process\TagGroup($config, NULL);
+        $filter = new TagGroup($config, NULL);
         $filter->process($request);
         return $request;
     }
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644
index 00000000..782160d7
--- /dev/null
+++ b/sonar-project.properties
@@ -0,0 +1,2 @@
+sonar.sources=modules,dockerbuild
+sonar.exclusions=modules/sildisco/tests/**/*
diff --git a/tests/IdpDiscoTest.php b/tests/IdpDiscoTest.php
deleted file mode 100644
index 4d6fa5fe..00000000
--- a/tests/IdpDiscoTest.php
+++ /dev/null
@@ -1,52 +0,0 @@
-<?php
-
-include __DIR__ . '/../vendor/autoload.php';
-include __DIR__ . '/../vendor/simplesamlphp/simplesamlphp/modules/sildisco/src/IdPDisco.php';
-
-use PHPUnit\Framework\TestCase;
-use SimpleSAML\Module\sildisco\IdPDisco;
-
-class IdpDiscoTest extends TestCase
-{
-
-//    public function testEnableBetaEnabledEmpty()
-//    {
-//        $idpList = [];
-//        $results = IdPDisco::enableBetaEnabled($idpList);
-//        $expected = [];
-//        $this->assertEquals($expected, $results);
-//    }
-//
-//    public function testEnableBetaEnabledNoChange()
-//    {
-//        $isBetaEnabled = 1;
-//        $enabledKey = IdPDisco::$enabledMdKey;
-//        $idpList = [
-//            'idp1' => [$enabledKey => false],
-//            'idp2' => [$enabledKey => true],
-//        ];
-//        $expected = $idpList;
-//
-//        $results = IdPDisco::enableBetaEnabled($idpList, $isBetaEnabled);
-//        $this->assertEquals($expected, $results);
-//    }
-//
-//    public function testEnableBetaEnabledChange()
-//    {
-//        $isBetaEnabled = 1;
-//        $enabledKey = IdPDisco::$enabledMdKey;
-//        $betaEnabledKey = IdPDisco::$betaEnabledMdKey;
-//        $idpList = [
-//            'idp1' => [$enabledKey => false],
-//            'idp2' => [$enabledKey => true, $betaEnabledKey => true],
-//            'idp3' => [$enabledKey => false, $betaEnabledKey => true],
-//            'idp4' => [$enabledKey => false, $betaEnabledKey => false],
-//        ];
-//        $expected = $idpList;
-//        $expected['idp3'][$enabledKey] = true;
-//
-//        $results = IdPDisco::enableBetaEnabled($idpList, $isBetaEnabled);
-//        $this->assertEquals($expected, $results);
-//    }
-
-}