save temp

shibauth/Dockerfile

@@ -35,5 +35,6 @@ LABEL name="prism view server cache" \
       version="0.0.1"
 
 COPY shibboleth-conf /etc/shibboleth/
+COPY etc-httpd/ /etc/httpd/
 COPY index.html /var/www/html/
-COPY conf.d /etc/httpd/etc-httpd/
+

shibauth/conf.d/sp.conf → shibauth/etc-httpd/conf.d/shib.conf

-ServerName idptestbed
+ServerName shib-testing
 
 <VirtualHost *:80>
-    ServerName https://idptestbed:443
+    ServerName http://shib.pdas.prism.eox.at
     UseCanonicalName On
 
     DocumentRoot "/var/www/html"

shibauth/shibboleth-conf/idp-metadata.xml

 <!-- The entity describing the SAMLtest IdP, named by the entityID below --> 
-
 <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="SAMLtestIdP" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://samltest.id/saml/idp">
-
     <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
-
         <Extensions>
-<!-- An enumeration of the domains this IdP is able to assert scoped attributes, which are
-typically those with a @ delimiter, like mail.  Most IdP's serve only a single domain.  It's crucial
-for the SP to check received attribute values match permitted domains to prevent a recognized IdP from 
-sending attribute values for which a different recognized IdP is authoritative. -->
             <shibmd:Scope regexp="false">samltest.id</shibmd:Scope>
-
-<!-- Display information about this IdP that can be used by SP's and discovery
-services to identify the IdP meaningfully for end users --> 
             <mdui:UIInfo>
                 <mdui:DisplayName xml:lang="en">SAMLtest IdP</mdui:DisplayName>
                 <mdui:Description xml:lang="en">A free and basic IdP for testing SAML deployments</mdui:Description>
@@ -44,7 +34,6 @@ voQR2qr2xJBixsg+MIORKtmKHLfU
                         </ds:X509Certificate>
                     </ds:X509Data>
             </ds:KeyInfo>
-
         </KeyDescriptor>
         <KeyDescriptor use="signing">
             <ds:KeyInfo>
@@ -70,7 +59,6 @@ ZOpx4swtgGdeoSpeRyrtMvRwdcciNBp9UZome44qZAYH1iqrpmmjsfI9pJItsgWu
                         </ds:X509Certificate>
                     </ds:X509Data>
             </ds:KeyInfo>
-
         </KeyDescriptor>
         <KeyDescriptor use="encryption">
             <ds:KeyInfo>
@@ -96,27 +84,15 @@ zBDsMIEzRtQZm4GIoHJae4zmnCekkQ==
                         </ds:X509Certificate>
                     </ds:X509Data>
             </ds:KeyInfo>
-
         </KeyDescriptor>
-
-<!-- An endpoint for artifact resolution.  Please see Wikipedia for more details about SAML
-     artifacts and when you may find them useful. -->
-
         <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ArtifactResolution" index="1" />
-
-<!-- A set of endpoints where the IdP can receive logout messages. These must match the public
-facing addresses if this IdP is hosted behind a reverse proxy.  --> 
         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SLO"/>
         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SLO"/>
         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SLO"/>
-
-<!-- A set of endpoints the SP can send AuthnRequests to in order to trigger user authentication. -->
         <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://samltest.id/idp/profile/Shibboleth/SSO"/>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SSO"/>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SSO"/>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SSO"/>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ECP"/>
-
     </IDPSSODescriptor>
-
 </EntityDescriptor>
\ No newline at end of file

shibauth/shibboleth-conf/shibboleth2.xml

@@ -4,122 +4,28 @@
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     clockSkew="180">
-
-    <!--
-    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
-    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-    -->
-
-    <!--
-    To customize behavior for specific resources on Apache, and to link vhosts or
-    resources to ApplicationOverride settings below, use web server options/commands.
-    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
-    
-    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
-    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-    -->
-
-    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
-    <ApplicationDefaults entityID="https://sp.idptestbed/shibboleth"
+    <ApplicationDefaults entityID="https://pass.copernicus.eu"
                          REMOTE_USER="eppn uid persistent-id targeted-id">
-
-        <!--
-        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
-        You MUST supply an effectively unique handlerURL value for each of your applications.
-        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
-        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
-        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
-        Note that while we default checkAddress to "false", this has a negative impact on the
-        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-        -->
         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                   checkAddress="false" handlerSSL="true" cookieProps="https">
-
-            <!--
-            Configures SSO for a default IdP. To allow for >1 IdP, remove
-            entityID property and adjust discoveryURL to point to discovery service.
-            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
-            You can also override entityID on /Login query string, or in RequestMap/htaccess.
-            -->
             <SSO entityID="https://idptestbed/idp/shibboleth">
               SAML2 SAML1
             </SSO>
-
-            <!-- SAML and local-only logout. -->
             <Logout>SAML2 Local</Logout>
-            
-            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
-
-            <!-- Status reporting service. -->
-            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
-
-            <!-- Session diagnostic service. -->
+            <Handler type="Status" Location="/Status" acl="10.0.0.0/24 127.0.0.1 ::1"/>
             <Handler type="Session" Location="/Session" showAttributeValues="false"/>
-
-            <!-- JSON feed of discovery information. -->
             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
         </Sessions>
-
-        <!--
-        Allows overriding of error template information/filenames. You can
-        also add attributes with values that can be plugged into the templates.
-        -->
-        <Errors supportContact="admin@idptestbed"
-            helpLocation="/about.html"
-            styleSheet="/shibboleth-sp/main.css"/>
-        
-        <!-- Example of remotely supplied batch of signed metadata. -->
-        <!--
-        <MetadataProvider type="XML" validate="true"
-	      url="http://federation.org/federation-metadata.xml"
-              backingFilePath="federation-metadata.xml" reloadInterval="7200">
-            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
-            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
-            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
-              attributeName="http://macedir.org/entity-category"
-              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-              attributeValue="http://refeds.org/category/hide-from-discovery" />
-        </MetadataProvider>
-        -->
-
-        <!-- Example of locally maintained metadata. -->
-        <!--
-        <MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
-        -->
-        
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
         <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
-
-        <!-- Map to extract attributes from SAML assertions. -->
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
-        
-        <!-- Use a SAML query if no attributes are supplied during SSO. -->
         <AttributeResolver type="Query" subjectMatch="true"/>
-
-        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-
-        <!-- Simple file-based resolver for using a single keypair. -->
-        <CredentialResolver type="File" key="sp-signing-key-test.pem" certificate="sp-encrypt-cert-test.pem"/>
-
-        <!--
-        The default settings can be overridden by creating ApplicationOverride elements (see
-        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
-        Resource requests are mapped by web server commands, or the RequestMapper, to an
-        applicationId setting.
-        
-        Example of a second application (for a second vhost) that has a different entityID.
-        Resources on the vhost would map to an applicationId of "admin":
-        -->
-        <!--
-        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-        -->
+        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
     </ApplicationDefaults>
-    
-    <!-- Policies that determine how to process and authenticate runtime messages. -->
     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
-
-    <!-- Low-level configuration about protocols and bindings available for use. -->
     <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
 
 </SPConfig>
\ No newline at end of file

shibauth/shibboleth-conf/sp-metadata.xml

+<EntityDescriptor entityID="https://pass.copernicus.eu/shibboleth" validUntil="2040-01-01T00:00:00Z"
+                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+                  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+
+        <KeyDescriptor>
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+MIIHijCCBnKgAwIBAgIQPWbuJob/1pRBDBHQrAelKDANBgkqhkiG9w0BAQsFADB4
+MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEpMCcGA1UECxMg
+U3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAMTHVN0YXJ0
+Q29tIENsYXNzIDMgT1YgU2VydmVyIENBMB4XDTE2MDUzMDIwMjAwNFoXDTE5MDUz
+MDIwMjAwNFowZDELMAkGA1UEBhMCQVQxDTALBgNVBAgMBFdpZW4xDTALBgNVBAcM
+BFdpZW4xHTAbBgNVBAoMFEVPWCBJVCBTZXJ2aWNlcyBHbWJIMRgwFgYDVQQDDA9l
+c2EubWFwcy5lb3guYXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCX
+GBReYwFVvkSrourZRd4zBBlo9apZHXxt+kk4bNbk1n70YNeFUaxJpwFQqkfwghrg
+9tctD2B9HLDZl+LMnO6IXAzXkn8OHzt9vf4lVLDYOSHcC/oAt4aQjr98Anl1q822
+/FJ6csFtFAmEIg8P6NHByHlwaSM1yxcrc7ZgR+xph0/sQijh4jxOlcNfCGRy0VBt
+lJE0rLSAmIN/LUX/hf1P4psbPlXNLl1U3Du6sh+pkgWV5gsKJBxAYJvptlahn9Ud
+b6FBFngM/Z9rk/M4R692z5WWLwfxFScEw3/FfF9aH5ztCAM1u3L5QjqANcdbVl86
+x2kUXZh9A7EjUhnI25xu4aEVJBHTcq46rZQw88lW/+Xxavon03dHuaHhrZXMF5mD
+rIGvumSlB1XzCz2lOQG4zrUnXtKw6rm7fr20Zn5KQEgiUD+d2Hs8lvkWmP0qKiP+
+EWdJrAfprv85tKqQMxldnrOK9FwH9TQh4TmhYlp+6vvsfZMZB4uDMlvKBtlI+7Yh
+O61HKIDSsEqq6tdy312ENOjZVZsPsNkZCdOm6irTTymB9Id1LJ+3jv+lakPzluW/
+rTeq2S0UMMvByRsTGiI3ettxgOwo/jWAJiMTWb26ldpxHqyvOIX7b40Wvk+KRx9T
+Vgx4kkuS5ycNi0YgUBs98imh8GXvBEufvpZCtcd5OQIDAQABo4IDIjCCAx4wDgYD
+VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAJBgNV
+HRMEAjAAMB0GA1UdDgQWBBRX3j8T9Ti5uurAxnFHSb/P6Q4Z9jAfBgNVHSMEGDAW
+gBSxPxySe5KwWiWzOPucB6QmUDLjUTBvBggrBgEFBQcBAQRjMGEwJAYIKwYBBQUH
+MAGGGGh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbTA5BggrBgEFBQcwAoYtaHR0cDov
+L2FpYS5zdGFydHNzbC5jb20vY2VydHMvc2NhLnNlcnZlcjMuY3J0MDgGA1UdHwQx
+MC8wLaAroCmGJ2h0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL3NjYS1zZXJ2ZXIzLmNy
+bDB4BgNVHREEcTBvgg9lc2EubWFwcy5lb3guYXSCFXRpbGVzLmVzYS5tYXBzLmVv
+eC5hdIIXKi50aWxlcy5lc2EubWFwcy5lb3guYXSCE29zbS5lc2EubWFwcy5lb3gu
+YXSCF3N0YWdpbmcuZXNhLm1hcHMuZW94LmF0MCMGA1UdEgQcMBqGGGh0dHA6Ly93
+d3cuc3RhcnRzc2wuY29tLzBRBgNVHSAESjBIMAgGBmeBDAECAjA8BgsrBgEEAYG1
+NwECBTAtMCsGCCsGAQUFBwIBFh9odHRwczovL3d3dy5zdGFydHNzbC5jb20vcG9s
+aWN5MIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHYAaPaY+B9kgr46jO65KB1M/HFR
+XWeT1ETRCmesu09P+8QAAAFVA3EKawAABAMARzBFAiAQMFKOGTFIZzbVuZ8R2C+u
+4QgL0vnSOBT3ylGgjAf+AQIhAOHkMTkhr0APu8jaCkos4c9k8vrn5DWq0k8WXT12
+ip4fAHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFVA3EMcwAA
+BAMARjBEAiASftiRTzUpe+IDonZidGHzHKlKwPZoaOE2zqsH1AW9jgIgM7Jmphm1
+rGkakcVooaUudEfCTN/fTJ7cs3kPiljWmkgwDQYJKoZIhvcNAQELBQADggEBAIp2
+QqqJ6+TRRr7cBeiMw+4MrQhbaf+Y0bAsPOF9KOnQ9JMavEki08JRLYLVSraqDW1+
+mrlk+mbvh9mEFkTIvwW5wt/S5tgbRE/fmDBTElRwLPVlvbwRNKNg/54lXhwgETM8
+oTOfxC+dK7bg+EFj3r71d7wf/qhPCBYmN9yk2z4tby1nYI6c+8xXVxnrKGIOOb/X
+MAB1eHNvjMHHmhlSV33Z6nqrTzeUEDS5R6X1v3lCtP/058o6NDdLmJ/hTy/So5eB
+8NwcilckyoYeI64QXg61KmH+9+scQ2bddWtuDJvnNo0NH1XPOuxl9HpaxBSzIflK
+2Wfpr7x/2VCKeO7Mfpo=
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </KeyDescriptor>
+
+        <!-- This tells IdPs that Single Logout is supported and where/how to request it. -->
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://a.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://b.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://c.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://d.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://e.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://f.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+
+        <!--
+            This tells IdPs where and how to push assertions through the browser. Mostly
+            the SP will tell the IdP what location to use in its request, but this
+            is how the IdP validates the location and also figures out which
+            SAML version/binding to use.
+            -->
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="1" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://a.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="3" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://b.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="4" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://c.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="5" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://d.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="6" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://e.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="7" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://f.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="8" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+
+        <!-- This tells IdPs that you only need transient identifiers. -->
+        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+
+    </SPSSODescriptor>
+
+    <Organization>
+        <OrganizationName xml:lang="en">eox</OrganizationName>
+        <OrganizationDisplayName xml:lang="en">EOX IT Services GmbH</OrganizationDisplayName>
+        <OrganizationURL xml:lang="en">http://eox.at</OrganizationURL>
+    </Organization>
+</EntityDescriptor>