From 2b6ae2fef21281f44a7a07b8331c8eed65842b24 Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Wed, 13 Aug 2025 16:02:39 +0200
Subject: [PATCH 01/16] update gitignore

---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index db75fcc..b6a886e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -151,6 +151,8 @@ fabric.properties
 
 !.idea/codeStyles
 !.idea/runConfigurations
+/.idea/codeStyles/codeStyleConfig.xml
+/.idea/codeStyles/Project.xml
 
 ### Maven ###
 target/
@@ -173,3 +175,4 @@ buildNumber.properties
 
 # End of https://www.toptal.com/developers/gitignore/api/maven,intellij+all,eclipse
 /patch-tool/.work/
+

From d50fabc6cdf18ce7268cf588d5c4267c0171a799 Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Tue, 3 Mar 2026 13:29:16 +0100
Subject: [PATCH 02/16] .gitignore .idea folder entirely

---
 .gitignore | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/.gitignore b/.gitignore
index df6cd6e..8253d04 100644
--- a/.gitignore
+++ b/.gitignore
@@ -98,12 +98,7 @@ local.properties
 # When using Gradle or Maven with auto-import, you should exclude module files,
 # since they will be recreated, and may cause churn.  Uncomment if using
 # auto-import.
-.idea/artifacts
-.idea/compiler.xml
-.idea/jarRepositories.xml
-.idea/modules.xml
-.idea/*.iml
-.idea/modules
+.idea
 *.iml
 *.ipr
 

From cde6fe156c7f8691122a28bb5bc96c45135333e1 Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Fri, 22 May 2026 11:58:35 +0200
Subject: [PATCH 03/16] Frontend: No longer prefill "metadata validUntil" field
 at all, instead of default value 0 days aka the past.

---
 .../resources/saml-extended-frontend/pages/addprovider.html     | 2 +-
 .../resources/saml-extended-frontend/pages/editprovider.html    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/saml-extended-frontend/pages/addprovider.html b/src/main/resources/saml-extended-frontend/pages/addprovider.html
index c417d61..ebead45 100644
--- a/src/main/resources/saml-extended-frontend/pages/addprovider.html
+++ b/src/main/resources/saml-extended-frontend/pages/addprovider.html
@@ -874,7 +874,7 @@ <h5>Metadata expires in
                     </h5>
                 </div>
                 <div class="quantity-container">
-                    <input type="number" id="Metadata_expires_in" value="0" min="0">
+                    <input type="number" id="Metadata_expires_in" min="0">
                     <i class="fas fa-arrow-down arrow-icon" onclick="changeQuantity(-1)"></i>
                     <select class="selector" id="metadataValidUntilPeriod">
                         <option value="6">Day(s)</option>
diff --git a/src/main/resources/saml-extended-frontend/pages/editprovider.html b/src/main/resources/saml-extended-frontend/pages/editprovider.html
index 08c7bb1..70033a8 100644
--- a/src/main/resources/saml-extended-frontend/pages/editprovider.html
+++ b/src/main/resources/saml-extended-frontend/pages/editprovider.html
@@ -837,7 +837,7 @@ <h5>Metadata expires in
             </h5>
         </div>
         <div class="quantity-container">
-            <input type="number" id="Metadata_expires_in" value="0" min="0">
+            <input type="number" id="Metadata_expires_in" min="0">
             <i class="fas fa-arrow-down arrow-icon" onclick="changeQuantity(-1)"></i>
             <select class="selector" id="metadataValidUntilPeriod">
                 <option value="6">Day(s)</option>

From bf7d814d23d35632ea0eb283a4b8c2d7019872e2 Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Fri, 22 May 2026 13:41:01 +0200
Subject: [PATCH 04/16] Fix signature validation by adding fix id setup and
 improve logging if there are signature fails

---
 .../keycloak/broker/saml/SAMLEndpoint.java    |  88 +++++++-----
 .../protocol/saml/SamlProtocolUtils.java      |  12 +-
 .../api/saml/v2/sig/SAML2Signature.java       |  18 +--
 .../core/util/XMLSignatureUtil.java           | 126 ++++++++----------
 4 files changed, 121 insertions(+), 123 deletions(-)

diff --git a/src/main/java/nl/first8/keycloak/broker/saml/SAMLEndpoint.java b/src/main/java/nl/first8/keycloak/broker/saml/SAMLEndpoint.java
index 3d88877..fed534d 100644
--- a/src/main/java/nl/first8/keycloak/broker/saml/SAMLEndpoint.java
+++ b/src/main/java/nl/first8/keycloak/broker/saml/SAMLEndpoint.java
@@ -271,7 +271,7 @@ protected Response handleSamlRequest(String samlRequest, String relayState) {
             RequestAbstractType requestAbstractType = (RequestAbstractType) holder.getSamlObject();
             // validate destination
             if (isDestinationRequired() &&
-                    requestAbstractType.getDestination() == null && containsUnencryptedSignature(holder)) {
+                requestAbstractType.getDestination() == null && containsUnencryptedSignature(holder)) {
                 event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                 event.detail(Details.REASON, Errors.MISSING_REQUIRED_DESTINATION);
                 event.error(Errors.INVALID_REQUEST);
@@ -313,10 +313,10 @@ protected Response logoutRequest(LogoutRequestType request, String relayState) {
             if (request.getSessionIndex() == null || request.getSessionIndex().isEmpty()) {
                 AtomicReference<LogoutRequestType> ref = new AtomicReference<>(request);
                 session.sessions().getUserSessionByBrokerUserIdStream(realm, brokerUserId)
-                        .filter(userSession -> userSession.getState() != UserSessionModel.State.LOGGING_OUT &&
-                                userSession.getState() != UserSessionModel.State.LOGGED_OUT)
-                        .collect(Collectors.toList()) // collect to avoid concurrent modification as backchannelLogout removes the user sessions.
-                        .forEach(processLogout(ref));
+                    .filter(userSession -> userSession.getState() != UserSessionModel.State.LOGGING_OUT &&
+                        userSession.getState() != UserSessionModel.State.LOGGED_OUT)
+                    .collect(Collectors.toList()) // collect to avoid concurrent modification as backchannelLogout removes the user sessions.
+                    .forEach(processLogout(ref));
                 request = ref.get();
 
             } else {
@@ -347,14 +347,14 @@ protected Response logoutRequest(LogoutRequestType request, String relayState) {
             builder.destination(config.getSingleLogoutServiceUrl());
             builder.issuer(issuerURL);
             org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder binding = new org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder(session)
-                    .relayState(relayState);
+                .relayState(relayState);
             boolean postBinding = config.isPostBindingLogout();
             if (config.isWantAuthnRequestsSigned()) {
                 KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
                 String keyName = config.getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
                 binding.signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate())
-                        .signatureAlgorithm(provider.getSignatureAlgorithm())
-                        .signDocument();
+                    .signatureAlgorithm(provider.getSignatureAlgorithm())
+                    .signDocument();
                 if (!postBinding && config.isAddExtensionsElementWithKeyInfo()) {    // Only include extension if REDIRECT binding and signing whole SAML protocol message
                     builder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
                 }
@@ -394,7 +394,6 @@ private String getEntityId(UriInfo uriInfo, RealmModel realm) {
         }
 
         protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder holder, ResponseType responseType, String relayState, String clientId) {
-
             try {
                 AuthenticationSessionModel authSession;
                 if (StringUtil.isNotBlank(clientId)) {
@@ -446,11 +445,12 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                     logger.debug("Verify and get assertion!");
                     assertionElement = DocumentUtil.getElement(holder.getSamlDocument(), new QName(JBossSAMLConstants.ASSERTION.get()));
                 }
+                logger.trace("before Validate the response Issuer");
 
                 // Validate the response Issuer
                 final String responseIssuer = responseType.getIssuer() != null ? responseType.getIssuer().getValue() : null;
                 final boolean responseIssuerValidationSuccess = config.getIdpEntityId() == null ||
-                        (responseIssuer != null && responseIssuer.equals(config.getIdpEntityId()));
+                    (responseIssuer != null && responseIssuer.equals(config.getIdpEntityId()));
                 if (!responseIssuerValidationSuccess) {
                     logger.errorf("Response Issuer validation failed: expected %s, actual %s", config.getIdpEntityId(), responseIssuer);
                     event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
@@ -458,6 +458,8 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                     return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.INVALID_REQUESTER);
                 }
 
+                logger.trace("before Validate InResponseTo attribute");
+
                 // Validate InResponseTo attribute: must match the generated request ID
                 String expectedRequestId = authSession.getClientNote(SamlProtocol.SAML_REQUEST_ID_BROKER);
                 final boolean inResponseToValidationSuccess = validateInResponseToAttribute(responseType, expectedRequestId);
@@ -473,6 +475,8 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                 final boolean signatureNotValid = signed && config.isValidateSignature() && !AssertionUtil.isSignatureValid(assertionElement, getIDPKeyLocator());
                 final boolean hasNoSignatureWhenRequired = !signed && config.isValidateSignature() && !containsUnencryptedSignature(holder);
 
+                logger.trace("before if (assertionSignatureNotExistsWhenRequired || (...)");
+
                 if (assertionSignatureNotExistsWhenRequired || signatureNotValid || hasNoSignatureWhenRequired) {
                     logger.error("validation failed");
                     event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
@@ -480,6 +484,8 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                     return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.INVALID_REQUESTER);
                 }
 
+                logger.trace("after if (assertionSignatureNotExistsWhenRequired || (...)");
+
                 if (AssertionUtil.isIdEncrypted(responseType)) {
                     try {
                         XMLEncryptionUtil.DecryptionKeyLocator decryptionKeyLocator = new SAMLDecryptionKeysLocator(session, realm, config.getEncryptionAlgorithm());
@@ -492,10 +498,12 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
 
                 AssertionType assertion = responseType.getAssertions().get(0).getAssertion();
 
+                logger.trace("before Validate the assertion issuer");
+
                 // Validate the assertion Issuer
                 final String assertionIssuer = assertion.getIssuer() != null ? assertion.getIssuer().getValue() : null;
                 final boolean assertionIssuerValidationSuccess = config.getIdpEntityId() == null ||
-                        (assertionIssuer != null && assertionIssuer.equals(config.getIdpEntityId()));
+                    (assertionIssuer != null && assertionIssuer.equals(config.getIdpEntityId()));
                 if (!assertionIssuerValidationSuccess) {
                     logger.errorf("Assertion Issuer validation failed: expected %s, actual %s", config.getIdpEntityId(), assertionIssuer);
                     event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
@@ -506,6 +514,8 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                 NameIDType subjectNameID = getSubjectNameID(assertion);
                 String principal = getPrincipal(assertion);
 
+                logger.trace("before if (principal == null)");
+
                 if (principal == null) {
                     logger.errorf("no principal in assertion; expected: %s", expectedPrincipalType());
                     event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
@@ -513,13 +523,14 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                     return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.INVALID_REQUESTER);
                 }
 
-                BrokeredIdentityContext identity = new BrokeredIdentityContext(principal,config);
+                BrokeredIdentityContext identity = new BrokeredIdentityContext(principal, config);
                 identity.getContextData().put(SAML_LOGIN_RESPONSE, responseType);
                 identity.getContextData().put(SAML_ASSERTION, assertion);
                 identity.setAuthenticationSession(authSession);
 
                 identity.setUsername(principal);
 
+                logger.trace("before if (subjectNameID != null && (...)");
                 //SAML Spec 2.2.2 Format is optional
                 if (subjectNameID != null && subjectNameID.getFormat() != null && subjectNameID.getFormat().toString().equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) {
                     identity.setEmail(subjectNameID.getValue());
@@ -529,8 +540,10 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                     identity.setToken(samlResponse);
                 }
 
+                logger.trace("before if (subjectNameID != null && (...)");
+
                 ConditionsValidator.Builder cvb = new ConditionsValidator.Builder(assertion.getID(), assertion.getConditions(), destinationValidator)
-                        .clockSkewInMillis(1000 * config.getAllowedClockSkew());
+                    .clockSkewInMillis(1000 * config.getAllowedClockSkew());
                 try {
                     String issuerURL = getEntityId(session.getContext().getUri(), realm);
                     cvb.addAllowedAudience(URI.create(issuerURL));
@@ -541,6 +554,7 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                 } catch (IllegalArgumentException ex) {
                     // warning has been already emitted in DeploymentBuilder
                 }
+                logger.trace("before if (! cvb.build().isValid())");
                 if (!cvb.build().isValid()) {
                     logger.error("Assertion expired.");
                     event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
@@ -548,6 +562,8 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                     return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.EXPIRED_CODE);
                 }
 
+                logger.trace("before for (Object statement : (...)");
+
                 AuthnStatementType authn = null;
                 for (Object statement : assertion.getStatements()) {
                     if (statement instanceof AuthnStatementType) {
@@ -557,6 +573,9 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                         break;
                     }
                 }
+
+                logger.trace("before if (assertion.getAttributeStatements() != null");
+
                 if (assertion.getAttributeStatements() != null) {
                     String email = getX500Attribute(assertion, X500SAMLProfileConstants.EMAIL);
                     if (email != null) {
@@ -568,6 +587,9 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                 String brokerUserId = config.getAlias() + "." + principal;
                 identity.setBrokerUserId(brokerUserId);
                 identity.setIdp(provider);
+
+                logger.trace("before if (authn != null && (...)");
+
                 if (authn != null && authn.getSessionIndex() != null) {
                     String brokerSessionId = config.getAlias() + "." + authn.getSessionIndex();
                     logger.debugf("Set broker SessionID to \"%s\".", brokerSessionId);
@@ -595,8 +617,8 @@ private AuthenticationSessionModel samlIdpInitiatedSSO(final String clientUrlNam
             event.event(EventType.LOGIN);
             CacheControlUtil.noBackButtonCacheControlHeader(session);
             Optional<ClientModel> oClient = SAMLEndpoint.this.session.clients()
-                    .searchClientsByAttributes(realm, Collections.singletonMap(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME, clientUrlName), 0, 1)
-                    .findFirst();
+                .searchClientsByAttributes(realm, Collections.singletonMap(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME, clientUrlName), 0, 1)
+                .findFirst();
 
             if (!oClient.isPresent()) {
                 event.error(Errors.CLIENT_NOT_FOUND);
@@ -619,10 +641,10 @@ private AuthenticationSessionModel samlIdpInitiatedSSO(final String clientUrlNam
 
         private boolean isSuccessfulSamlResponse(ResponseType responseType) {
             return responseType != null
-                    && responseType.getStatus() != null
-                    && responseType.getStatus().getStatusCode() != null
-                    && responseType.getStatus().getStatusCode().getValue() != null
-                    && Objects.equals(responseType.getStatus().getStatusCode().getValue().toString(), JBossSAMLURIConstants.STATUS_SUCCESS.get());
+                && responseType.getStatus() != null
+                && responseType.getStatus().getStatusCode() != null
+                && responseType.getStatus().getStatusCode().getValue() != null
+                && Objects.equals(responseType.getStatus().getStatusCode().getValue().toString(), JBossSAMLURIConstants.STATUS_SUCCESS.get());
         }
 
 
@@ -649,7 +671,7 @@ public Response handleSamlResponse(String samlResponse, String relayState, Strin
 
             // validate destination
             if (isDestinationRequired()
-                    && statusResponse.getDestination() == null && containsUnencryptedSignature(holder)) {
+                && statusResponse.getDestination() == null && containsUnencryptedSignature(holder)) {
                 logger.warnf("Destination %s required, destination (%s) is NULL or Holder contains unencrypted signature (%s)", (isDestinationRequired()) ? "is" : "is not", statusResponse.getDestination(), containsUnencryptedSignature(holder));
                 event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                 event.detail(Details.REASON, Errors.MISSING_REQUIRED_DESTINATION);
@@ -663,7 +685,9 @@ public Response handleSamlResponse(String samlResponse, String relayState, Strin
                 event.error(Errors.INVALID_SAML_RESPONSE);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
+            logger.trace("Right before handleSamlResponse's  if (config.isValidateSignature())");
             if (config.isValidateSignature()) {
+                logger.trace("TRUE: if (config.isValidateSignature())");
                 try {
                     if (isArtifactResponse) {
                         logger.debugf("Verifying signature for %s", GeneralConstants.SAML_ARTIFACT_RESPONSE_KEY);
@@ -687,15 +711,13 @@ public Response handleSamlResponse(String samlResponse, String relayState, Strin
                 logger.debug("SAML Response was NOT of type ResponseType so calling logout.");
                 return handleLogoutResponse(holder, statusResponse, relayState);
             }
-
-
         }
 
         private ResponseType convertToResponseType(StatusResponseType statusResponse) {
             ResponseType responseType;
             if (statusResponse instanceof org.keycloak.dom.saml.v2.protocol.ResponseType) {
                 org.keycloak.dom.saml.v2.protocol.ResponseType kcResponseType =
-                        (org.keycloak.dom.saml.v2.protocol.ResponseType) ((ArtifactResponseType) statusResponse).getAny();
+                    (org.keycloak.dom.saml.v2.protocol.ResponseType) ((ArtifactResponseType) statusResponse).getAny();
                 responseType = new ResponseType(kcResponseType.getID(), kcResponseType.getIssueInstant());
                 responseType.setExtensions(kcResponseType.getExtensions());
                 responseType.setInResponseTo(kcResponseType.getInResponseTo());
@@ -787,6 +809,7 @@ protected void verifySignature(String key, SAMLDocumentHolder documentHolder) th
         protected SAMLDocumentHolder extractRequestDocument(String samlRequest) {
             return SAMLRequestParser.parseRequestPostBinding(samlRequest);
         }
+
         @Override
         protected SAMLDocumentHolder extractResponseDocument(String response) {
             byte[] samlBytes = response.getBytes();
@@ -893,15 +916,15 @@ private String getPrincipal(AssertionType assertion) {
 
     private String getFirstMatchingAttribute(AssertionType assertion, Predicate<AttributeType> predicate) {
         return assertion.getAttributeStatements().stream()
-                .map(AttributeStatementType::getAttributes)
-                .flatMap(Collection::stream)
-                .map(AttributeStatementType.ASTChoiceType::getAttribute)
-                .filter(predicate)
-                .map(AttributeType::getAttributeValue)
-                .flatMap(Collection::stream)
-                .findFirst()
-                .map(Object::toString)
-                .orElse(null);
+            .map(AttributeStatementType::getAttributes)
+            .flatMap(Collection::stream)
+            .map(AttributeStatementType.ASTChoiceType::getAttribute)
+            .filter(predicate)
+            .map(AttributeType::getAttributeValue)
+            .flatMap(Collection::stream)
+            .findFirst()
+            .map(Object::toString)
+            .orElse(null);
     }
 
     private String expectedPrincipalType() {
@@ -979,7 +1002,6 @@ private boolean validateInResponseToAttribute(ResponseType responseType, String
                 }
             }
         }
-
         return true;
     }
 }
diff --git a/src/main/java/nl/first8/keycloak/protocol/saml/SamlProtocolUtils.java b/src/main/java/nl/first8/keycloak/protocol/saml/SamlProtocolUtils.java
index 11edd99..2fb4299 100644
--- a/src/main/java/nl/first8/keycloak/protocol/saml/SamlProtocolUtils.java
+++ b/src/main/java/nl/first8/keycloak/protocol/saml/SamlProtocolUtils.java
@@ -9,6 +9,7 @@
 import java.security.cert.X509Certificate;
 import jakarta.ws.rs.core.MultivaluedMap;
 import jakarta.ws.rs.core.UriInfo;
+import nl.first8.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
 import org.jboss.logging.Logger;
 import org.keycloak.common.VerificationException;
 import org.keycloak.common.util.PemUtils;
@@ -34,7 +35,6 @@
 import org.keycloak.saml.common.util.DocumentUtil;
 import org.keycloak.saml.common.util.StaxUtil;
 import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
-import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
 import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator;
 import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
 import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
@@ -44,10 +44,8 @@
 import org.keycloak.saml.processing.web.util.RedirectBindingUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
-public class SamlProtocolUtils {
-
-    private static final Logger logger = Logger.getLogger(org.keycloak.protocol.saml.SamlProtocolUtils.class);
 
+public class SamlProtocolUtils {
     /**
      * Verifies a signature of the given SAML document using settings for the given client.
      * Throws an exception if the client signature is expected to be present as per the client
@@ -151,7 +149,7 @@ public static void verifyRedirectSignature(SAMLDocumentHolder documentHolder, Ke
             String decodedAlgorithm = RedirectBindingUtil.urlDecode(encodedParams.getFirst(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY));
             SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.getFromXmlMethod(decodedAlgorithm);
             if (!RedirectBindingSignatureUtil.validateRedirectBindingSignature(signatureAlgorithm,
-                    rawQuery.getBytes("UTF-8"), decodedSignature, locator, keyId)) {
+                rawQuery.getBytes("UTF-8"), decodedSignature, locator, keyId)) {
                 throw new VerificationException("Invalid query param signature");
             }
         } catch (Exception e) {
@@ -199,7 +197,7 @@ private static String getMessageSigningKeyId(SAML2Object doc) {
      */
     public static ArtifactResponseType buildArtifactResponse(SAML2Object samlObject, NameIDType issuer, URI statusCode) throws ConfigurationException, ProcessingException {
         ArtifactResponseType artifactResponse = new ArtifactResponseType(IDGenerator.create("ID_"),
-                XMLTimeUtil.getIssueInstant());
+            XMLTimeUtil.getIssueInstant());
 
         // Status
         StatusType statusType = new StatusType();
@@ -254,7 +252,7 @@ public static ArtifactResponseType buildArtifactResponse(Document document) thro
      * @throws ProcessingException
      */
     public static Document convert(ArtifactResponseType responseType) throws ProcessingException, ConfigurationException,
-            ParsingException {
+        ParsingException {
         ByteArrayOutputStream bos = new ByteArrayOutputStream();
         SAMLResponseWriter writer = new SAMLResponseWriter(StaxUtil.getXMLStreamWriter(bos));
         writer.write(responseType);
diff --git a/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/sig/SAML2Signature.java b/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/sig/SAML2Signature.java
index 47e9a86..c6344b7 100644
--- a/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/sig/SAML2Signature.java
+++ b/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/sig/SAML2Signature.java
@@ -24,7 +24,7 @@
 
 public class SAML2Signature {
 
-    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+    private static final PicketLinkLogger picketLogger = PicketLinkLoggerFactory.getLogger();
 
     private String signatureMethod = SignatureMethod.RSA_SHA1;
 
@@ -97,7 +97,7 @@ public void setX509Certificate(X509Certificate x509Certificate) {
      * @throws GeneralSecurityException
      */
     public Document sign(Document doc, String referenceID, String keyName, KeyPair keyPair, String canonicalizationMethodType) throws ParserConfigurationException,
-            GeneralSecurityException, MarshalException, XMLSignatureException {
+        GeneralSecurityException, MarshalException, XMLSignatureException {
         String referenceURI = "#" + referenceID;
 
         configureIdAttribute(doc);
@@ -132,7 +132,7 @@ public void signSAMLDocument(Document samlDocument, String keyName, KeyPair keyp
         try {
             sign(samlDocument, id, keyName, keypair, canonicalizationMethodType);
         } catch (ParserConfigurationException | GeneralSecurityException | MarshalException | XMLSignatureException e) {
-            throw new ProcessingException(logger.signatureError(e));
+            throw new ProcessingException(picketLogger.signatureError(e));
         }
     }
 
@@ -147,16 +147,11 @@ public void signSAMLDocument(Document samlDocument, String keyName, KeyPair keyp
      * @throws ProcessingException
      */
     public boolean validate(Document signedDocument, KeyLocator keyLocator) throws ProcessingException {
-        logger.warn("Called without configuration for Saml Advice Nodes: defaulting to false.");
-        return validate(signedDocument, keyLocator, false);
-    }
-
-    public boolean validate(Document signedDocument, KeyLocator keyLocator, boolean ignoreSamlAdviceNodes) throws ProcessingException {
         try {
             configureIdAttribute(signedDocument);
-            return XMLSignatureUtil.validate(signedDocument, keyLocator, ignoreSamlAdviceNodes);
+            return XMLSignatureUtil.validate(signedDocument, keyLocator);
         } catch (MarshalException | XMLSignatureException me) {
-            throw new ProcessingException(logger.signatureError(me));
+            throw new ProcessingException(picketLogger.signatureError(me));
         }
     }
 
@@ -188,11 +183,12 @@ public Node getNextSiblingOfIssuer(Document doc) {
      * @param document SAML document to have its ID attribute configured.
      */
     public static void configureIdAttribute(Document document) {
+        picketLogger.trace("configureIdAttribute() begin");
         // Estabilish the IDness of the ID attribute.
         configureIdAttribute(document.getDocumentElement());
 
         NodeList nodes = document.getElementsByTagNameNS(JBossSAMLURIConstants.ASSERTION_NSURI.get(),
-                JBossSAMLConstants.ASSERTION.get());
+            JBossSAMLConstants.ASSERTION.get());
 
         for (int i = 0; i < nodes.getLength(); i++) {
             configureIdAttribute((Element) nodes.item(i));
diff --git a/src/main/java/nl/first8/keycloak/saml/processing/core/util/XMLSignatureUtil.java b/src/main/java/nl/first8/keycloak/saml/processing/core/util/XMLSignatureUtil.java
index 7893bdb..3c1b69e 100644
--- a/src/main/java/nl/first8/keycloak/saml/processing/core/util/XMLSignatureUtil.java
+++ b/src/main/java/nl/first8/keycloak/saml/processing/core/util/XMLSignatureUtil.java
@@ -11,7 +11,6 @@
 import org.keycloak.saml.common.PicketLinkLogger;
 import org.keycloak.saml.common.PicketLinkLoggerFactory;
 import org.keycloak.saml.common.constants.WSTrustConstants;
-import org.keycloak.saml.common.exceptions.ConfigurationException;
 import org.keycloak.saml.common.exceptions.ParsingException;
 import org.keycloak.saml.common.exceptions.ProcessingException;
 import org.keycloak.saml.common.util.*;
@@ -92,7 +91,8 @@ public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose, Al
                 final Key key = locator.getKey(keyInfo);
                 this.keyLocated = key != null;
                 return new KeySelectorResult() {
-                    @Override public Key getKey() {
+                    @Override
+                    public Key getKey() {
                         return key;
                     }
                 };
@@ -199,7 +199,7 @@ public static void setIncludeKeyInfoInSignature(boolean includeKeyInfoInSignatur
     public static Document sign(Document doc, Node nodeToBeSigned, String keyName, KeyPair keyPair, String digestMethod,
                                 String signatureMethod, String referenceURI, X509Certificate x509Certificate,
                                 String canonicalizationMethodType) throws ParserConfigurationException, GeneralSecurityException,
-            MarshalException, XMLSignatureException {
+        MarshalException, XMLSignatureException {
         if (nodeToBeSigned == null) {
             logger.error("Node to be signed is null");
             throw logger.nullArgumentError("Node to be signed");
@@ -225,7 +225,7 @@ public static Document sign(Document doc, Node nodeToBeSigned, String keyName, K
         // if the signed element is a SAMLv2.0 assertion we need to move the signature element to the position
         // specified in the schema (before the assertion subject element).
         if (nodeToBeSigned.getLocalName().equals("Assertion")
-                && WSTrustConstants.SAML2_ASSERTION_NS.equals(nodeToBeSigned.getNamespaceURI())) {
+            && WSTrustConstants.SAML2_ASSERTION_NS.equals(nodeToBeSigned.getNamespaceURI())) {
             Node signatureNode = DocumentUtil.getElement(newDoc, new QName(WSTrustConstants.DSIG_NS, "Signature"));
             Node subjectNode = DocumentUtil.getElement(newDoc, new QName(WSTrustConstants.SAML2_ASSERTION_NS, "Subject"));
             if (signatureNode != null && subjectNode != null) {
@@ -263,7 +263,7 @@ public static Document sign(Document doc, Node nodeToBeSigned, String keyName, K
      */
     public static void sign(Element elementToSign, Node nextSibling, String keyName, KeyPair keyPair, String digestMethod,
                             String signatureMethod, String referenceURI, String canonicalizationMethodType)
-            throws GeneralSecurityException, MarshalException, XMLSignatureException {
+        throws GeneralSecurityException, MarshalException, XMLSignatureException {
         sign(elementToSign, nextSibling, keyName, keyPair, digestMethod, signatureMethod, referenceURI, null, canonicalizationMethodType);
     }
 
@@ -285,7 +285,7 @@ public static void sign(Element elementToSign, Node nextSibling, String keyName,
      */
     public static void sign(Element elementToSign, Node nextSibling, String keyName, KeyPair keyPair, String digestMethod,
                             String signatureMethod, String referenceURI, X509Certificate x509Certificate, String canonicalizationMethodType)
-            throws GeneralSecurityException, MarshalException, XMLSignatureException {
+        throws GeneralSecurityException, MarshalException, XMLSignatureException {
         PrivateKey signingKey = keyPair.getPrivate();
         PublicKey publicKey = keyPair.getPublic();
 
@@ -311,19 +311,28 @@ public static void propagateIDAttributeSetup(Node sourceNode, Element destElemen
         }
     }
 
-    public static void fixIDAttributeSetup(Node sourceNode, Element destElement) {
-        if(sourceNode == null) {
-            logger.debug("Cannot fix AttributeSetup as sourcenode is NULL");
+    public static void fixIDAttributeSetup(Element element) {
+        if (element == null) {
+            logger.info("Cannot fix AttributeSetup as element is NULL");
             return;
         }
-        NamedNodeMap nnm = sourceNode.getAttributes();
+        NamedNodeMap nnm = element.getAttributes();
         for (int i = 0; i < nnm.getLength(); i++) {
             Attr attr = (Attr) nnm.item(i);
             if (attr.getName().equals("ID")) {
-                destElement.setIdAttribute(attr.getName(), true);
+                element.setIdAttribute(attr.getName(), true);
                 break;
             }
         }
+
+        // recursively fix
+        NodeList childNodes = element.getChildNodes();
+        for (int i = 0; i < childNodes.getLength(); i++) {
+            Node item = childNodes.item(i);
+            if (item instanceof Element) {
+                fixIDAttributeSetup((Element) item);
+            }
+        }
     }
 
     /**
@@ -341,7 +350,7 @@ public static void fixIDAttributeSetup(Node sourceNode, Element destElement) {
      * @throws MarshalException
      */
     public static Document sign(Document doc, String keyName, KeyPair keyPair, String digestMethod, String signatureMethod, String referenceURI, String canonicalizationMethodType)
-            throws GeneralSecurityException, MarshalException, XMLSignatureException {
+        throws GeneralSecurityException, MarshalException, XMLSignatureException {
         return sign(doc, keyName, keyPair, digestMethod, signatureMethod, referenceURI, null, canonicalizationMethodType);
     }
 
@@ -362,7 +371,7 @@ public static Document sign(Document doc, String keyName, KeyPair keyPair, Strin
      */
     public static Document sign(Document doc, String keyName, KeyPair keyPair, String digestMethod, String signatureMethod, String referenceURI,
                                 X509Certificate x509Certificate, String canonicalizationMethodType)
-            throws GeneralSecurityException, MarshalException, XMLSignatureException {
+        throws GeneralSecurityException, MarshalException, XMLSignatureException {
         if (logger.isTraceEnabled()) {
             logger.trace("Document to be signed=" + DocumentUtil.asString(doc));
         }
@@ -387,7 +396,7 @@ public static Document sign(Document doc, String keyName, KeyPair keyPair, Strin
      * @throws MarshalException
      */
     public static Document sign(SignatureUtilTransferObject dto, String canonicalizationMethodType) throws GeneralSecurityException, MarshalException,
-            XMLSignatureException {
+        XMLSignatureException {
         Document doc = dto.getDocumentToBeSigned();
         String keyName = dto.getKeyName();
         KeyPair keyPair = dto.getKeyPair();
@@ -414,34 +423,16 @@ public static Document sign(SignatureUtilTransferObject dto, String canonicaliza
         return doc;
     }
 
-    /**
-     * Validate a signed document with the given public key. All elements that contain a Signature are checked,
-     * this way both assertions and the containing document are verified when signed.
-     *
-     * @param signedDoc
-     * @param locator
-     *
-     * @return
-     *
-     * @throws MarshalException
-     * @throws XMLSignatureException
-     */
-    @SuppressWarnings("unchecked")
     public static boolean validate(Document signedDoc, final KeyLocator locator) throws MarshalException, XMLSignatureException {
-        logger.warn("Called without configuration for Saml Advice Nodes: defaulting to false.");
-        return validate(signedDoc, locator, false);
-    }
-
-    public static boolean validate(Document signedDoc, final KeyLocator locator, boolean ignoreAdviceNodes) throws MarshalException, XMLSignatureException {
-        logger.debug("Validate document " + signedDoc.getDocumentURI());
         if (signedDoc == null)
             throw logger.nullArgumentError("Signed Document");
 
+        fixIDAttributeSetup(signedDoc.getDocumentElement());
         propagateIDAttributeSetup(signedDoc.getDocumentElement(), signedDoc.getDocumentElement());
 
         NodeList nl = signedDoc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
         if (nl == null || nl.getLength() == 0) {
-            logger.debug("Cannot find Signature element");
+            logger.warn("Cannot find Signature element, returning false");
             return false;
         }
 
@@ -450,45 +441,51 @@ public static boolean validate(Document signedDoc, final KeyLocator locator, boo
 
         HashSet<Node> signedNodes = new HashSet<>();
 
+        // Change from keycloak: always check all signatures and report all failed signatures to make debugging easier.
+        boolean signatureValid = true;
         for (int i = 0; i < nl.getLength(); i++) {
             Node signatureNode = nl.item(i);
-            if (!validateSingleNode(signatureNode, locator, signedNodes)) {
-                return false;
+            logger.debug("Validating signature node #%d: %s".formatted((i + 1),  signatureNode.getLocalName()));
+
+            boolean nodeSignatureValid = validateSingleNode(signatureNode, locator, signedNodes);
+            if (nodeSignatureValid) {
+                logger.debug("Successfully validated SignatureNode #%d".formatted(i + 1));
+            } else {
+                logger.warn("signatureNode #%d INVALID".formatted(i + 1));
             }
+            signatureValid &= nodeSignatureValid;
+        }
+        if (!signatureValid) {
+            logger.warn("XMLSignatureUtil.validate returning false because one of the signatures was invalid");
+            return false;
         }
 
         if (signedNodes.contains(signedDoc.getDocumentElement())) {
-            logger.trace("All signatures are OK and root document is signed");
+            logger.trace("All signatures are OK and root document is signed, returning true");
             return true;
         }
 
         NodeList assertions = signedDoc.getElementsByTagNameNS(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get());
 
         if (assertions.getLength() > 0) {
-            // if document is not fully signed check if all the assertions are signed
+            logger.trace("The document is not fully signed, checking that all assertions are signed");
             for (int i = 0; i < assertions.getLength(); i++) {
                 if (!signedNodes.contains(assertions.item(i))) {
-                    logger.debug("SAML Response document may contain malicious assertions. Signature validation will fail.");
-                    // there are unsigned assertions mixed with signed ones
+                    logger.warn("There are unsigned assertions mixed with signed ones, document may contain malicious assertions, returning false for signature validation");
                     return false;
                 }
             }
-            logger.trace("Document not signed but all assertions are signed OK");
+            logger.trace("Document is not signed but all assertions are signed OK, returning true");
             return true;
         }
 
+        logger.warn("fall-through reached, this is unexpected, signature validation returning false");
         return false;
     }
 
-    private static Node getSamlReponseNode(Document signedDoc) {
-        Node samlReponseNode = signedDoc.getElementsByTagName("saml2p:Response").item(0);
-        if(samlReponseNode == null) {
-            samlReponseNode = signedDoc.getElementsByTagName("samlp:Response").item(0);
-        }
-        return samlReponseNode;
-    }
-
-    public static boolean validateSingleNode(Node signatureNode, final KeyLocator locator) throws MarshalException, XMLSignatureException {
+    public static boolean validateSingleNode(Node signatureNode, final KeyLocator locator) throws
+        MarshalException, XMLSignatureException {
+        logger.debug("validateSingleNode called without Set<Node> signedNodes, using new HashSet<>() for that.");
         return validateSingleNode(signatureNode, locator, new HashSet<>());
     }
 
@@ -499,6 +496,7 @@ public static boolean validateSingleNode(Node signatureNode, final KeyLocator lo
                 return true;
             }
             if (sel.wasKeyLocated()) {
+                logger.warn("the key was located, could not validate node, validateSingleNode returns false");
                 return false;
             }
         } catch (XMLSignatureException ex) { // pass through MarshalException
@@ -506,8 +504,7 @@ public static boolean validateSingleNode(Node signatureNode, final KeyLocator lo
             logger.trace(ex);
         }
 
-        logger.trace("Could not validate signature using ds:KeyInfo/ds:KeyName hint.");
-
+        logger.debug("Could not validate signature using ds:KeyInfo/ds:KeyName hint.");
         logger.trace("Trying hard to validate XML signature using all available keys.");
 
         for (Key key : locator) {
@@ -521,19 +518,15 @@ public static boolean validateSingleNode(Node signatureNode, final KeyLocator lo
             }
         }
 
+        logger.warn("validateSingleNode fall through reached, no key could validate the signature, returning false ");
         return false;
     }
 
+
     private static boolean validateUsingKeySelector(Node signatureNode, KeySelector validationKeySelector, Set<Node> signedNodes) throws XMLSignatureException, MarshalException {
         DOMValidateContext valContext = new DOMValidateContext(validationKeySelector, signatureNode);
         XMLSignature signature = fac.unmarshalXMLSignature(valContext);
-        if(logger.isDebugEnabled()) {
-            try {
-                logger.debug("ValContext: " + DocumentUtil.getNodeAsString(signatureNode) + " signature: " + signature.getSignatureValue().getId());
-            } catch (ProcessingException | ConfigurationException e) {
-                logger.warn("Could not print DEBUG information about ValContext. Will continue");
-            }
-        }
+
         boolean coreValidity = signature.validate(valContext);
 
         if (coreValidity) {
@@ -565,17 +558,6 @@ private static boolean validateUsingKeySelector(Node signatureNode, KeySelector
         return coreValidity;
     }
 
-    private static void setIdAttributeNS(String tagName, Node signatureNode, DOMValidateContext valContext) {
-        NodeList elements = signatureNode.getOwnerDocument().getElementsByTagName(tagName);
-        for (int index = 0; index < elements.getLength(); index++) {
-            Element element = (Element) elements.item(index);
-            if(logger.isDebugEnabled()) {
-                logger.debug("Setting ID ("+element.getAttributeNode("ID").getValue()+") attribute on "+element.getTagName()+" as ID Attribute");
-            }
-            valContext.setIdAttributeNS(element, null, "ID");
-        }
-    }
-
     /**
      * Marshall a SignatureType to output stream
      *
@@ -749,7 +731,7 @@ public static KeyValueType createKeyValue(PublicKey key) {
 
     private static void signImpl(DOMSignContext dsc, String digestMethod, String signatureMethod, String referenceURI, String keyName, PublicKey publicKey,
                                  X509Certificate x509Certificate, String canonicalizationMethodType)
-            throws GeneralSecurityException, MarshalException, XMLSignatureException {
+        throws GeneralSecurityException, MarshalException, XMLSignatureException {
         dsc.setDefaultNamespacePrefix("dsig");
 
         DigestMethod digestMethodObj = fac.newDigestMethod(digestMethod, null);
@@ -763,7 +745,7 @@ private static void signImpl(DOMSignContext dsc, String digestMethod, String sig
         Reference ref = fac.newReference(referenceURI, digestMethodObj, transformList, null, null);
 
         CanonicalizationMethod canonicalizationMethod = fac.newCanonicalizationMethod(canonicalizationMethodType,
-                (C14NMethodParameterSpec) null);
+            (C14NMethodParameterSpec) null);
 
         List<Reference> referenceList = Collections.singletonList(ref);
         SignatureMethod signatureMethodObj = fac.newSignatureMethod(signatureMethod, null);

From a68af99e801617e974458dc97b55aeb1517c3777 Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Fri, 22 May 2026 13:48:56 +0200
Subject: [PATCH 05/16] Proper placement of git.commit.id.abbrev in jar name.

---
 pom.xml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 64e3125..5b1208f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -7,11 +7,11 @@
 
     <groupId>nl.first8.keycloak.broker</groupId>
     <artifactId>idp-saml2-extended</artifactId>
-    <name>KeyCloak: SAML v2.0 - Extended</name>
+    <name>Keycloak: SAML v2.0 - Extended</name>
     <description>
         SAML v2.0 extensions that adds more configuration options to connect to SAML Service Providers.
     </description>
-    <version>1.1-SNAPSHOT-26</version>
+    <version>26.0</version>
 
     <properties>
         <maven.compiler.source>17</maven.compiler.source>
@@ -29,6 +29,7 @@
     </properties>
 
     <build>
+        <finalName>${project.artifactId}-${project.version}-${git.commit.id.abbrev}</finalName>
         <sourceDirectory>${project.basedir}/src/main/java</sourceDirectory>
         <directory>${project.basedir}/target</directory>
         <resources>
@@ -46,6 +47,7 @@
                         <goals>
                             <goal>revision</goal>
                         </goals>
+                        <phase>validate</phase>
                     </execution>
                 </executions>
 

From 8f00418d9429a2fcf854a2215d59addc1261ef2c Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Fri, 22 May 2026 14:15:19 +0200
Subject: [PATCH 06/16] Added to our frontend: e2e tests and Keycloak's default
 ArtifactBinding solution; Make PicketLinkLogger show each class' name

---
 .gitignore                                    |    7 +
 pom.xml                                       |    6 +
 .../saml/SAMLIdentityProviderConfig.java      |   13 +-
 .../keycloak/saml/SAMLRequestParser.java      |    4 +-
 .../saml/common/DefaultPicketLinkLogger.java  | 2386 +++++++++++++++++
 .../saml/common/PicketLinkLoggerFactory.java  |   10 +
 .../api/saml/v2/request/SAML2Request.java     |   13 +-
 .../api/saml/v2/response/SAML2Response.java   |   19 +-
 .../api/saml/v2/sig/SAML2Signature.java       |    5 +-
 .../assertion/SAMLAttributeValueParser.java   |    5 +-
 .../saml/xmlsec/CipherValueParser.java        |    5 +-
 .../JBossSAMLAuthnResponseFactory.java        |    5 +-
 .../core/saml/v2/util/AssertionUtil.java      |   23 +-
 .../core/saml/v2/writers/BaseWriter.java      |   13 +-
 .../core/util/XMLSignatureUtil.java           |   40 +-
 .../saml-extended-frontend/js/AddProvider.js  |  269 +-
 .../js/CheckBoxControllerAddProvider.js       |  496 ++--
 .../js/CheckBoxControllerEditProvider.js      |  675 +++--
 .../saml-extended-frontend/js/EditProvider.js |  183 +-
 .../pages/addprovider.html                    |  169 +-
 .../pages/editprovider.html                   |  305 +--
 src/test/e2e/.env.example                     |    4 +
 src/test/e2e/config.js                        |   17 +
 src/test/e2e/package-lock.json                |   72 +
 src/test/e2e/package.json                     |   14 +
 src/test/e2e/test-add-provider.js             |  188 ++
 src/test/e2e/test-artifact-binding.js         |  123 +
 .../saml/SAMLIdentityProviderConfigTest.java  |  339 +++
 .../dom/saml/v2/assertion/EncryptionTest.java |   31 +-
 src/test/resources/logging.properties         |   17 +
 30 files changed, 4319 insertions(+), 1137 deletions(-)
 create mode 100644 src/main/java/nl/first8/keycloak/saml/common/DefaultPicketLinkLogger.java
 create mode 100644 src/main/java/nl/first8/keycloak/saml/common/PicketLinkLoggerFactory.java
 create mode 100644 src/test/e2e/.env.example
 create mode 100644 src/test/e2e/config.js
 create mode 100644 src/test/e2e/package-lock.json
 create mode 100644 src/test/e2e/package.json
 create mode 100644 src/test/e2e/test-add-provider.js
 create mode 100644 src/test/e2e/test-artifact-binding.js
 create mode 100644 src/test/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfigTest.java
 create mode 100644 src/test/resources/logging.properties

diff --git a/.gitignore b/.gitignore
index 8253d04..d672038 100644
--- a/.gitignore
+++ b/.gitignore
@@ -167,3 +167,10 @@ buildNumber.properties
 .classpath
 
 # End of https://www.toptal.com/developers/gitignore/api/maven,intellij+all,eclipse
+
+# E2E test credentials
+src/test/e2e/.env
+src/test/e2e/node_modules/
+
+# Claude Code
+.claude/
diff --git a/pom.xml b/pom.xml
index 5b1208f..a36d12f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -158,6 +158,9 @@
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <version>3.2.5</version>
+                <configuration>
+                    <argLine>-Djava.util.logging.manager=org.jboss.logmanager.LogManager</argLine>
+                </configuration>
             </plugin>
 
             <plugin>
@@ -170,6 +173,9 @@
                         <goals>
                             <goal>spotbugs</goal>
                         </goals>
+                        <configuration>
+                            <skip>${skipSpotBugs}</skip>
+                        </configuration>
                     </execution>
                 </executions>
                 <configuration>
diff --git a/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfig.java b/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfig.java
index f68aaaa..287eece 100644
--- a/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfig.java
+++ b/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfig.java
@@ -60,6 +60,7 @@ public class SAMLIdentityProviderConfig extends org.keycloak.broker.saml.SAMLIde
     public static final String CHAR_SET = "charSet";
     public static final String METADATA_VALID_UNTIL_UNIT = "metadataValidUntilUnit";
     public static final String METADATA_VALID_UNTIL_PERIOD = "metadataValidUntilPeriod";
+    public static final String ARTIFACT_BINDING_RESPONSE = "artifactBindingResponse";
     public static final String ARTIFACT_RESOLUTION_MUTUAL_TLS = "mutualTls";
     public static final String IGNORE_SAML_ADVICE_NODES = "ignoreSamlAdviceNodes";
     public static final String AUTHN_REQUEST_SCOPING = "scoping";
@@ -114,6 +115,14 @@ public void setArtifactResolution(boolean artifactResolution) {
         getConfig().put(ARTIFACT_RESOLUTION, String.valueOf(artifactResolution));
     }
 
+    public boolean isArtifactBindingResponse() {
+        return Boolean.parseBoolean(getConfig().get(ARTIFACT_BINDING_RESPONSE));
+    }
+
+    public void setArtifactBindingResponse(boolean artifactBindingResponse) {
+        getConfig().put(ARTIFACT_BINDING_RESPONSE, String.valueOf(artifactBindingResponse));
+    }
+
     public boolean isIncludeArtifactResolutionServiceMetadata() {
         return Boolean.parseBoolean(getConfig().get(ARTIFACT_RESOLUTION_SERVICE_METADATA));
     }
@@ -167,7 +176,7 @@ public Integer getMetadataValidUntilPeriod() {
     }
 
     public void setMetadataValidUntilPeriod(Integer period) {
-        getConfig().put(METADATA_VALID_UNTIL_UNIT, String.valueOf(period));
+        getConfig().put(METADATA_VALID_UNTIL_PERIOD, String.valueOf(period));
     }
 
     public boolean isMutualTLS() {
@@ -245,8 +254,6 @@ public Integer getAttributeConsumingServiceIndex() {
             }
         }
         return result;
-
-
     }
 
     public void setAttributeConsumingServiceIndex(Integer attributeConsumingServiceIndex) {
diff --git a/src/main/java/nl/first8/keycloak/saml/SAMLRequestParser.java b/src/main/java/nl/first8/keycloak/saml/SAMLRequestParser.java
index e7b22d9..9f58fe9 100644
--- a/src/main/java/nl/first8/keycloak/saml/SAMLRequestParser.java
+++ b/src/main/java/nl/first8/keycloak/saml/SAMLRequestParser.java
@@ -7,7 +7,7 @@
 
 import org.keycloak.common.util.StreamUtil;
 import org.keycloak.saml.common.PicketLinkLogger;
-import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import nl.first8.keycloak.saml.common.PicketLinkLoggerFactory;
 import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
 import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
 import org.keycloak.saml.processing.web.util.PostBindingUtil;
@@ -18,7 +18,7 @@
 import java.io.InputStream;
 
 public class SAMLRequestParser {
-    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger(Logger.getLogger(SAMLRequestParser.class));
     protected static Logger log = Logger.getLogger(SAMLRequestParser.class);
 
     public static SAMLDocumentHolder parseRequestRedirectBinding(String samlMessage) {
diff --git a/src/main/java/nl/first8/keycloak/saml/common/DefaultPicketLinkLogger.java b/src/main/java/nl/first8/keycloak/saml/common/DefaultPicketLinkLogger.java
new file mode 100644
index 0000000..f6ed462
--- /dev/null
+++ b/src/main/java/nl/first8/keycloak/saml/common/DefaultPicketLinkLogger.java
@@ -0,0 +1,2386 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package nl.first8.keycloak.saml.common;
+
+import jakarta.xml.ws.WebServiceException;
+import org.jboss.logging.Logger;
+import org.keycloak.saml.common.ErrorCodes;
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.constants.WSTrustConstants;
+import org.keycloak.saml.common.exceptions.*;
+import org.keycloak.saml.common.exceptions.fed.*;
+import org.w3c.dom.Element;
+
+import javax.security.auth.login.LoginException;
+import javax.xml.crypto.dsig.XMLSignatureException;
+import javax.xml.stream.Location;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Silva</a>
+ *
+ */
+
+/**@author <a href="mailto:psilva@redhat.com">Pedro Silva</a> */
+public class DefaultPicketLinkLogger implements PicketLinkLogger {
+
+    private final Logger logger;
+
+    DefaultPicketLinkLogger() {
+        logger = Logger.getLogger(PicketLinkLogger.class.getPackage().getName());
+    }
+
+    public DefaultPicketLinkLogger(Logger logger) {
+        this.logger = logger;
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#info(java.lang.String)
+     */
+    @Override
+    public void info(String message) {
+        if (logger.isInfoEnabled()) {
+            logger.info(message);
+        }
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#debug(java.lang.String)
+     */
+    @Override
+    public void debug(String message) {
+        if (logger.isDebugEnabled()) {
+            logger.debug(message);
+        }
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#trace(java.lang.String)
+     */
+    @Override
+    public void trace(String message) {
+        if (logger.isTraceEnabled()) {
+            logger.trace(message);
+        }
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     * @see org.picketlink.identity.federation.PicketLinkLogger#trace(java.lang.String, java.lang.Throwable)
+     */
+    @Override
+    public void trace(String message, Throwable t) {
+        if (logger.isTraceEnabled()) {
+            logger.trace(message, t);
+        }
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#trace(java.lang.Throwable)
+     */
+    @Override
+    public void trace(Throwable t) {
+        if (logger.isTraceEnabled()) {
+            logger.trace(t.getMessage(), t);
+        }
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#error(java.lang.Throwable)
+     */
+    @Override
+    public void error(Throwable t) {
+        logger.error("Unexpected error", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#nullArgument(java.lang.String)
+     */
+    @Override
+    public IllegalArgumentException nullArgumentError(String argument) {
+        return new IllegalArgumentException(ErrorCodes.NULL_ARGUMENT + argument);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#shouldNotBeTheSame(java.lang.String)
+     */
+    @Override
+    public IllegalArgumentException shouldNotBeTheSameError(String string) {
+        return new IllegalArgumentException(ErrorCodes.SHOULD_NOT_BE_THE_SAME
+            + "Only one of isSigningKey and isEncryptionKey should be true");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#resourceNotFound(java.lang.String)
+     */
+    @Override
+    public ProcessingException resourceNotFound(String resource) {
+        return new ProcessingException(ErrorCodes.RESOURCE_NOT_FOUND + resource + " could not be loaded");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#processingError(java.lang.Throwable)
+     */
+    @Override
+    public ProcessingException processingError(Throwable t) {
+        return new ProcessingException(ErrorCodes.PROCESSING_EXCEPTION, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#unsupportedType(java.lang.String)
+     */
+    @Override
+    public RuntimeException unsupportedType(String name) {
+        return new RuntimeException(ErrorCodes.UNSUPPORTED_TYPE + name);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#signatureError(java.lang.Throwable)
+     */
+    @Override
+    public XMLSignatureException signatureError(Throwable e) {
+        return new XMLSignatureException(ErrorCodes.SIGNING_PROCESS_FAILURE, e);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#nullValue(java.lang.String)
+     */
+    @Override
+    public RuntimeException nullValueError(String nullValue) {
+        return new RuntimeException(ErrorCodes.NULL_VALUE + nullValue);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#notImplementedYet()
+     */
+    @Override
+    public RuntimeException notImplementedYet(String feature) {
+        return new RuntimeException(ErrorCodes.NOT_IMPLEMENTED_YET + feature);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#auditNullAuditManager()
+     */
+    @Override
+    public IllegalStateException auditNullAuditManager() {
+        return new IllegalStateException(ErrorCodes.AUDIT_MANAGER_NULL);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#isInfoEnabled()
+     */
+    @Override
+    public boolean isInfoEnabled() {
+        return logger.isInfoEnabled();
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#auditEvent(java.lang.String)
+     */
+    @Override
+    public void auditEvent(String auditEvent) {
+        this.info(auditEvent);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#injectedValueMissing(java.lang.String)
+     */
+    @Override
+    public RuntimeException injectedValueMissing(String value) {
+        return new RuntimeException(ErrorCodes.INJECTED_VALUE_MISSING + value);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keystoreSetup()
+     */
+    @Override
+    public void keyStoreSetup() {
+        this.trace("getPublicKey::Keystore is null. so setting it up");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreNullStore()
+     */
+    @Override
+    public IllegalStateException keyStoreNullStore() {
+        return new IllegalStateException(ErrorCodes.KEYSTOREKEYMGR_NULL_KEYSTORE);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreNullPublicKeyForAlias(java.lang.String)
+     */
+    @Override
+    public void keyStoreNullPublicKeyForAlias(String alias) {
+        this.trace("No public key found for alias=" + alias);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreConfigurationError(java.lang.Throwable)
+     */
+    @Override
+    public TrustKeyConfigurationException keyStoreConfigurationError(Throwable t) {
+        return new TrustKeyConfigurationException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreProcessingError(java.lang.Throwable)
+     */
+    @Override
+    public TrustKeyProcessingException keyStoreProcessingError(Throwable t) {
+        return new TrustKeyProcessingException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreMissingDomainAlias(java.lang.String)
+     */
+    @Override
+    public IllegalStateException keyStoreMissingDomainAlias(String domain) {
+        return new IllegalStateException(ErrorCodes.KEYSTOREKEYMGR_DOMAIN_ALIAS_MISSING + domain);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreNullSigningKeyPass()
+     */
+    @Override
+    public RuntimeException keyStoreNullSigningKeyPass() {
+        return new RuntimeException(ErrorCodes.KEYSTOREKEYMGR_NULL_SIGNING_KEYPASS);
+    }
+
+    @Override
+    public RuntimeException keyStoreNullEncryptionKeyPass() {
+        return new RuntimeException(ErrorCodes.KEYSTOREKEYMGR_NULL_ENCRYPTION_KEYPASS);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreNotLocated(java.lang.String)
+     */
+    @Override
+    public RuntimeException keyStoreNotLocated(String keyStore) {
+        return new RuntimeException(ErrorCodes.KEYSTOREKEYMGR_KEYSTORE_NOT_LOCATED + keyStore);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreNullAlias()
+     */
+    @Override
+    public IllegalStateException keyStoreNullAlias() {
+        return new IllegalStateException(ErrorCodes.KEYSTOREKEYMGR_NULL_ALIAS);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserUnknownEndElement(java.lang.String)
+     */
+    @Override
+    public RuntimeException parserUnknownEndElement(String endElementName, Location location) {
+        return new RuntimeException(ErrorCodes.UNKNOWN_END_ELEMENT + endElementName + "::location=" + location);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parseUnknownTag(java.lang.String, javax.xml.stream.Location)
+     */
+    @Override
+    public RuntimeException parserUnknownTag(String tag, Location location) {
+        return new RuntimeException(ErrorCodes.UNKNOWN_TAG + tag + "::location=" + location);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parseRequiredAttribute(java.lang.String)
+     */
+    @Override
+    public ParsingException parserRequiredAttribute(String string) {
+        return new ParsingException(ErrorCodes.REQD_ATTRIBUTE + string);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserUnknownStartElement(java.lang.String,
+     *javax.xml.stream.Location)
+     */
+    @Override
+    public RuntimeException parserUnknownStartElement(String elementName, Location location) {
+        return new RuntimeException(ErrorCodes.UNKNOWN_START_ELEMENT + elementName + "::location=" + location);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserNullStartElement()
+     */
+    @Override
+    public IllegalStateException parserNullStartElement() {
+        return new IllegalStateException(ErrorCodes.NULL_START_ELEMENT);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserUnknownXSI(java.lang.String)
+     */
+    @Override
+    public ParsingException parserUnknownXSI(String xsiTypeValue) {
+        return new ParsingException(ErrorCodes.UNKNOWN_XSI + xsiTypeValue);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserExpectedEndTag(java.lang.String)
+     */
+    @Override
+    public ParsingException parserExpectedEndTag(String tagName) {
+        return new ParsingException(ErrorCodes.EXPECTED_END_TAG + tagName);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserException(java.lang.Exception)
+     */
+    @Override
+    public ParsingException parserException(Throwable t) {
+        return new ParsingException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserExpectedTextValue(java.lang.String)
+     */
+    @Override
+    public ParsingException parserExpectedTextValue(String string) {
+        return new ParsingException(ErrorCodes.EXPECTED_TEXT_VALUE + "SigningAlias");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserExpectedXSI(java.lang.String)
+     */
+    @Override
+    public RuntimeException parserExpectedXSI(String expectedXsi) {
+        return new RuntimeException(expectedXsi);
+    }
+
+    @Override
+    public RuntimeException parserExpectedTag(String tag, String foundElementTag, Integer line, Integer column) {
+        return new RuntimeException(ErrorCodes.EXPECTED_TAG + " " + tag + ".  Found " + foundElementTag +
+            " at line " + line.toString() + ", column " + column);
+    }
+
+    @Override
+    public RuntimeException parserExpectedNamespace(String ns, String foundElementNs) {
+        return new RuntimeException(ErrorCodes.EXPECTED_NAMESPACE + ns + ">.  Found <" + foundElementNs + ">");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserFailed()
+     */
+    @Override
+    public RuntimeException parserFailed(String elementName) {
+        return new RuntimeException(ErrorCodes.FAILED_PARSING + elementName);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserUnableParsingNullToken()
+     */
+    @Override
+    public ParsingException parserUnableParsingNullToken() {
+        return new ParsingException(ErrorCodes.UNABLE_PARSING_NULL_TOKEN);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserError(java.lang.Exception)
+     */
+    @Override
+    public ParsingException parserError(Throwable t) {
+        return new ParsingException(ErrorCodes.PARSING_ERROR + t.getMessage(), t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#pdpMessageProcessingError(java.lang.Exception)
+     */
+    @Override
+    public RuntimeException xacmlPDPMessageProcessingError(Throwable t) {
+        return new RuntimeException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#fileNotLocated(java.lang.String)
+     */
+    @Override
+    public IllegalStateException fileNotLocated(String policyConfigFileName) {
+        return new IllegalStateException(ErrorCodes.FILE_NOT_LOCATED + policyConfigFileName);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#optionNotSet(java.lang.String)
+     */
+    @Override
+    public IllegalStateException optionNotSet(String option) {
+        return new IllegalStateException(ErrorCodes.OPTION_NOT_SET + option);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#securityTokenRegistryNotSpecified()
+     */
+    @Override
+    public void stsTokenRegistryNotSpecified() {
+        this.warn("Security Token registry option not specified: Issued Tokens will not be persisted!");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#securityTokenRegistryInvalidType(java.lang.String)
+     */
+    @Override
+    public void stsTokenRegistryInvalidType(String tokenRegistryOption) {
+        logger.warn(tokenRegistryOption + " is not an instance of SecurityTokenRegistry - using default registry");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#securityTokenRegistryInstantiationError()
+     */
+    @Override
+    public void stsTokenRegistryInstantiationError() {
+        logger.warn("Error instantiating token registry class - using default registry");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#revocationRegistryNotSpecified()
+     */
+    @Override
+    public void stsRevocationRegistryNotSpecified() {
+        this.debug("Revocation registry option not specified: cancelled ids will not be persisted!");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#revocationRegistryInvalidType(java.lang.String)
+     */
+    @Override
+    public void stsRevocationRegistryInvalidType(String registryOption) {
+        logger.warn(registryOption + " is not an instance of RevocationRegistry - using default registry");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#revocationRegistryInstantiationError()
+     */
+    @Override
+    public void stsRevocationRegistryInstantiationError() {
+        logger.warn("Error instantiating revocation registry class - using default registry");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#assertionExpiredError()
+     */
+    @Override
+    public ProcessingException samlAssertionExpiredError() {
+        return new ProcessingException(ErrorCodes.EXPIRED_ASSERTION);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#assertionInvalidError()
+     */
+    @Override
+    public ProcessingException assertionInvalidError() {
+        return new ProcessingException(ErrorCodes.INVALID_ASSERTION);
+    }
+
+    @Override
+    public RuntimeException writerUnknownTypeError(String name) {
+        return new RuntimeException(ErrorCodes.WRITER_UNKNOWN_TYPE + name);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#writerNullValueError(java.lang.String)
+     */
+    @Override
+    public ProcessingException writerNullValueError(String value) {
+        return new ProcessingException(ErrorCodes.WRITER_NULL_VALUE + value);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#writerUnsupportedAttributeValueError(java.lang.String)
+     */
+    @Override
+    public RuntimeException writerUnsupportedAttributeValueError(String value) {
+        return new RuntimeException(ErrorCodes.WRITER_UNSUPPORTED_ATTRIB_VALUE + value);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#issuerInfoMissingStatusCodeError()
+     */
+    @Override
+    public IllegalArgumentException issuerInfoMissingStatusCodeError() {
+        return new IllegalArgumentException(ErrorCodes.ISSUER_INFO_MISSING_STATUS_CODE);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#classNotLoadedError(java.lang.String)
+     */
+    @Override
+    public ProcessingException classNotLoadedError(String fqn) {
+        return new ProcessingException(ErrorCodes.CLASS_NOT_LOADED + fqn);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#couldNotCreateInstance(java.lang.String, java.lang.Exception)
+     */
+    @Override
+    public ProcessingException couldNotCreateInstance(String fqn, Throwable t) {
+        return new ProcessingException(ErrorCodes.CANNOT_CREATE_INSTANCE + fqn, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#systemPropertyMissingError(java.lang.String)
+     */
+    @Override
+    public RuntimeException systemPropertyMissingError(String property) {
+        return new RuntimeException(ErrorCodes.SYSTEM_PROPERTY_MISSING + property);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#metaDataIdentityProviderLoadingError(java.lang.Exception)
+     */
+    @Override
+    public void samlMetaDataIdentityProviderLoadingError(Throwable t) {
+        logger.error("Exception loading the identity providers:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#metaDataServiceProviderLoadingError(java.lang.Throwable)
+     */
+    @Override
+    public void samlMetaDataServiceProviderLoadingError(Throwable t) {
+        logger.error("Exception loading the service providers:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#signatureAssertionValidationError(java.lang.Exception)
+     */
+    @Override
+    public void signatureAssertionValidationError(Throwable t) {
+        logger.error("Cannot validate signature of assertion", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#assertionExpired(java.lang.String)
+     */
+    @Override
+    public void samlAssertionExpired(String id) {
+        this.info("Assertion has expired with id=" + id);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#unknownObjectType(java.lang.Object)
+     */
+    @Override
+    public RuntimeException unknownObjectType(Object attrValue) {
+        return new RuntimeException(ErrorCodes.UNKNOWN_OBJECT_TYPE + attrValue);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see
+     *org.picketlink.identity.federation.PicketLinkLogger#configurationError(javax.xml.parsers.ParserConfigurationException)
+     */
+    @Override
+    public ConfigurationException configurationError(Throwable t) {
+        return new ConfigurationException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#signatureUnknownAlgo(java.lang.String)
+     */
+    @Override
+    public RuntimeException signatureUnknownAlgo(String algo) {
+        return new RuntimeException(ErrorCodes.UNKNOWN_SIG_ALGO + algo);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#invalidArgumentError(java.lang.String)
+     */
+    @Override
+    public IllegalArgumentException invalidArgumentError(String message) {
+        return new IllegalArgumentException(message);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsNoTokenProviderError(java.lang.String)
+     */
+    @Override
+    public ProcessingException stsNoTokenProviderError(String configuration, String protocolContext) {
+        return new ProcessingException(ErrorCodes.STS_NO_TOKEN_PROVIDER + configuration + "][ProtoCtx=" + protocolContext + "]");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsConfigurationFileNotFoundTCL(java.lang.String)
+     */
+    @Override
+    public void stsConfigurationFileNotFoundTCL(String fileName) {
+        logger.warn(fileName + " configuration file not found using TCCL");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsConfigurationFileNotFoundClassLoader(java.lang.String)
+     */
+    @Override
+    public void stsConfigurationFileNotFoundClassLoader(String fileName) {
+        logger.warn(fileName + " configuration file not found using class loader");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsUsingDefaultConfiguration(java.lang.String)
+     */
+    @Override
+    public void stsUsingDefaultConfiguration(String fileName) {
+        logger.warn(fileName + " configuration file not found using URL. Using default configuration values");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsConfigurationFileLoaded(java.lang.String)
+     */
+    @Override
+    public void stsConfigurationFileLoaded(String fileName) {
+        this.info(fileName + " configuration file loaded");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsConfigurationFileParsingError(java.lang.Throwable)
+     */
+    @Override
+    public ConfigurationException stsConfigurationFileParsingError(Throwable t) {
+        return new ConfigurationException(ErrorCodes.STS_CONFIGURATION_FILE_PARSING_ERROR, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#notSerializableError(java.lang.String)
+     */
+    @Override
+    public IOException notSerializableError(String message) {
+        return new IOException(ErrorCodes.NOT_SERIALIZABLE + message);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#trustKeyCreationError()
+     */
+    @Override
+    public void trustKeyManagerCreationError(Throwable t) {
+        logger.error("Exception creating TrustKeyManager:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#error(java.lang.String)
+     */
+    @Override
+    public void error(String message) {
+        logger.error(message);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#couldNotGetXMLSchema(java.lang.Throwable)
+     */
+    @Override
+    public void xmlCouldNotGetSchema(Throwable t) {
+        logger.error("Cannot get schema", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#isTraceEnabled()
+     */
+    @Override
+    public boolean isTraceEnabled() {
+        return logger.isTraceEnabled();
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#isDebugEnabled()
+     */
+    @Override
+    public boolean isDebugEnabled() {
+        return logger.isDebugEnabled();
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jceProviderCouldNotBeLoaded(java.lang.Throwable)
+     */
+    @Override
+    public void jceProviderCouldNotBeLoaded(String name, Throwable t) {
+        logger.debug("The provider " + name + " could not be added: ", t);
+        logger.debug("Check addJceProvider method of org.picketlink.identity.federation.core.util.ProvidersUtil for more info.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#writerInvalidKeyInfoNullContent()
+     */
+    @Override
+    public ProcessingException writerInvalidKeyInfoNullContentError() {
+        return new ProcessingException(ErrorCodes.WRITER_INVALID_KEYINFO_NULL_CONTENT);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#notEqualError(java.lang.String, java.lang.String)
+     */
+    @Override
+    public RuntimeException notEqualError(String first, String second) {
+        return new RuntimeException(ErrorCodes.NOT_EQUAL + first + " and " + second);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#wrongTypeError(java.lang.String)
+     */
+    @Override
+    public IllegalArgumentException wrongTypeError(String message) {
+        return new IllegalArgumentException(ErrorCodes.WRONG_TYPE + "xmlSource should be a stax source");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#encryptUnknownAlgoError(java.lang.String)
+     */
+    @Override
+    public RuntimeException encryptUnknownAlgoError(String certAlgo) {
+        return new RuntimeException(ErrorCodes.UNKNOWN_ENC_ALGO + certAlgo);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#domMissingDocElementError(java.lang.String)
+     */
+    @Override
+    public IllegalStateException domMissingDocElementError(String element) {
+        return new IllegalStateException(ErrorCodes.DOM_MISSING_DOC_ELEMENT + element);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#domMissingElementError(java.lang.String)
+     */
+    @Override
+    public IllegalStateException domMissingElementError(String element) {
+        return new IllegalStateException(ErrorCodes.DOM_MISSING_ELEMENT + element);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWSInvalidTokenRequestError()
+     */
+    @Override
+    public WebServiceException stsWSInvalidTokenRequestError() {
+        return new WebServiceException(ErrorCodes.STS_INVALID_TOKEN_REQUEST);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWSError(java.lang.Throwable)
+     */
+    @Override
+    public WebServiceException stsWSError(Throwable t) {
+        return new WebServiceException("Security Token Service Exception", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWSConfigurationError(java.lang.Throwable)
+     */
+    @Override
+    public WebServiceException stsWSConfigurationError(Throwable t) {
+        return new WebServiceException(ErrorCodes.STS_CONFIGURATION_EXCEPTION, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWSInvalidRequestTypeError(java.lang.String)
+     */
+    @Override
+    public WSTrustException stsWSInvalidRequestTypeError(String requestType) {
+        return new WSTrustException(ErrorCodes.STS_INVALID_REQUEST_TYPE + requestType);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWSHandlingTokenRequestError(java.lang.Throwable)
+     */
+    @Override
+    public WebServiceException stsWSHandlingTokenRequestError(Throwable t) {
+        return new WebServiceException(ErrorCodes.STS_EXCEPTION_HANDLING_TOKEN_REQ + t.getMessage(), t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWSResponseWritingError(java.lang.Throwable)
+     */
+    @Override
+    public WebServiceException stsWSResponseWritingError(Throwable t) {
+        return new WebServiceException(ErrorCodes.STS_RESPONSE_WRITING_ERROR + t.getMessage(), t);
+    }
+
+    @Override
+    public RuntimeException stsUnableToConstructKeyManagerError(Throwable t) {
+        return new RuntimeException(ErrorCodes.STS_UNABLE_TO_CONSTRUCT_KEYMGR, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsPublicKeyError(java.lang.String, java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException stsPublicKeyError(String serviceName, Throwable t) {
+        return new RuntimeException(ErrorCodes.STS_PUBLIC_KEY_ERROR + serviceName, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsSigningKeyPairError(java.lang.Exception)
+     */
+    @Override
+    public RuntimeException stsSigningKeyPairError(Throwable t) {
+        return new RuntimeException(ErrorCodes.STS_SIGNING_KEYPAIR_ERROR, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsPublicKeyCertError(java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException stsPublicKeyCertError(Throwable t) {
+        return new RuntimeException(ErrorCodes.STS_PUBLIC_KEY_CERT, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#tokenTimeoutNotSpecified()
+     */
+    @Override
+    public void stsTokenTimeoutNotSpecified() {
+        this.warn("Lifetime has not been specified. Using the default timeout value.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsCombinedSecretKeyError(java.lang.Throwable)
+     */
+    @Override
+    public WSTrustException wsTrustCombinedSecretKeyError(Throwable t) {
+        return new WSTrustException(ErrorCodes.STS_COMBINED_SECRET_KEY_ERROR, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsClientPublicKeyError()
+     */
+    @Override
+    public WSTrustException wsTrustClientPublicKeyError() {
+        return new WSTrustException(ErrorCodes.STS_CLIENT_PUBLIC_KEY_ERROR);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsError(java.lang.Throwable)
+     */
+    @Override
+    public WSTrustException stsError(Throwable t) {
+        return new WSTrustException(t.getMessage(), t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#signatureInvalidError(java.lang.String, java.lang.Throwable)
+     */
+    @Override
+    public XMLSignatureException signatureInvalidError(String message, Throwable t) {
+        return new XMLSignatureException(ErrorCodes.INVALID_DIGITAL_SIGNATURE + message);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsSecurityTokenSignatureNotVerified()
+     */
+    @Override
+    public void stsSecurityTokenSignatureNotVerified() {
+        this.warn("Security Token digital signature has NOT been verified. Either the STS has been configured"
+            + "not to sign tokens or the STS key pair has not been properly specified.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#encryptProcessError(java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException encryptProcessError(Throwable t) {
+        return new RuntimeException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsSecurityTokenShouldBeEncrypted()
+     */
+    @Override
+    public void stsSecurityTokenShouldBeEncrypted() {
+        logger.warn("Security token should be encrypted but no encrypting key could be found");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsUnableToDecodePasswordError(java.lang.String)
+     */
+    @Override
+    public RuntimeException unableToDecodePasswordError(String password) {
+        return new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION + "Unable to decode password:" + password);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#couldNotLoadProperties(java.lang.String)
+     */
+    @Override
+    public IllegalStateException couldNotLoadProperties(String configFile) {
+        return new IllegalStateException(ErrorCodes.PROCESSING_EXCEPTION + "Could not load properties from " + configFile);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsKeyInfoTypeCreationError(java.lang.Throwable)
+     */
+    @Override
+    public WSTrustException stsKeyInfoTypeCreationError(Throwable t) {
+        return new WSTrustException(ErrorCodes.PROCESSING_EXCEPTION + "Error creating KeyInfoType", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsSecretKeyNotEncrypted()
+     */
+    @Override
+    public void stsSecretKeyNotEncrypted() {
+        logger.warn("Secret key could not be encrypted because the endpoint's PKC has not been specified");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authCouldNotIssueSAMLToken()
+     */
+    @Override
+    public LoginException authCouldNotIssueSAMLToken() {
+        return new LoginException(ErrorCodes.PROCESSING_EXCEPTION + "Could not issue a SAML Security Token");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authLoginError(java.lang.Throwable)
+     */
+    @Override
+    public LoginException authLoginError(Throwable t) {
+        LoginException loginException = new LoginException("Error during login/authentication");
+
+        loginException.initCause(t);
+
+        return loginException;
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authCouldNotCreateWSTrustClient(java.lang.Throwable)
+     */
+    @Override
+    public IllegalStateException authCouldNotCreateWSTrustClient(Throwable t) {
+        return new IllegalStateException(ErrorCodes.PROCESSING_EXCEPTION + "Could not create WSTrustClient:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLAssertionWithoutExpiration(java.lang.String)
+     */
+    @Override
+    public void samlAssertionWithoutExpiration(String id) {
+        logger.warn("SAML Assertion has been found to have no expiration: ID = " + id);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authCouldNotValidateSAMLToken(org.w3c.dom.Element)
+     */
+    @Override
+    public LoginException authCouldNotValidateSAMLToken(Element token) {
+        return new LoginException(ErrorCodes.PROCESSING_EXCEPTION + "Could not validate the SAML Security Token :" + token);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authCouldNotLocateSecurityToken()
+     */
+    @Override
+    public LoginException authCouldNotLocateSecurityToken() {
+        return new LoginException(ErrorCodes.NULL_VALUE + "Could not locate a Security Token from the callback.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#wsTrustNullCancelTargetError()
+     */
+    @Override
+    public ProcessingException wsTrustNullCancelTargetError() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "Invalid cancel request: missing required CancelTarget");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#saml11MarshallError(java.lang.Throwable)
+     */
+    @Override
+    public ProcessingException samlAssertionMarshallError(Throwable t) {
+        return new ProcessingException(ErrorCodes.PROCESSING_EXCEPTION + "Failed to marshall assertion", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#wsTrustNullRenewTargetError()
+     */
+    @Override
+    public ProcessingException wsTrustNullRenewTargetError() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "Invalid renew request: missing required RenewTarget");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#saml11UnmarshallError(java.lang.Throwable)
+     */
+    @Override
+    public ProcessingException samlAssertionUnmarshallError(Throwable t) {
+        return new ProcessingException(ErrorCodes.PROCESSING_EXCEPTION + "Error unmarshalling assertion", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlAssertionRevokedCouldNotRenew()
+     */
+    @Override
+    public ProcessingException samlAssertionRevokedCouldNotRenew(String id) {
+        return new ProcessingException(ErrorCodes.ASSERTION_RENEWAL_EXCEPTION + "SAMLV1.1 Assertion with id " + id
+            + " has been canceled and cannot be renewed");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#wsTrustNullValidationTargetError()
+     */
+    @Override
+    public ProcessingException wsTrustNullValidationTargetError() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "Bad validate request: missing required ValidateTarget");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWrongAttributeProviderTypeNotInstalled(java.lang.String)
+     */
+    @Override
+    public void stsWrongAttributeProviderTypeNotInstalled(String attributeProviderClassName) {
+        logger.warn("Attribute provider not installed: " + attributeProviderClassName
+            + "is not an instance of SAML20TokenAttributeProvider");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsAttributeProviderInstationError(java.lang.Throwable)
+     */
+    @Override
+    public void attributeProviderInstationError(Throwable t) {
+        logger.warn("Error instantiating attribute provider: " + t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlAssertion(java.lang.String)
+     */
+    @Override
+    public void samlAssertion(String nodeAsString) {
+        trace("SAML Assertion Element=" + nodeAsString);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#wsTrustUnableToGetDataTypeFactory(javax.xml.datatype.
+     *DatatypeConfigurationException)
+     */
+    @Override
+    public RuntimeException wsTrustUnableToGetDataTypeFactory(Throwable t) {
+        return new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION + "Unable to get DatatypeFactory instance", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#wsTrustValidationStatusCodeMissing()
+     */
+    @Override
+    public ProcessingException wsTrustValidationStatusCodeMissing() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "Validation status code is missing");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#identityServerActiveSessionCount(int)
+     */
+    @Override
+    public void samlIdentityServerActiveSessionCount(int activeSessionCount) {
+        info("Active Session Count=" + activeSessionCount);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#identityServerSessionCreated(java.lang.String, int)
+     */
+    @Override
+    public void samlIdentityServerSessionCreated(String id, int activeSessionCount) {
+        trace("Session Created with id=" + id + "::active session count=" + activeSessionCount);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#identityServerSessionDestroyed(java.lang.String, int)
+     */
+    @Override
+    public void samlIdentityServerSessionDestroyed(String id, int activeSessionCount) {
+        trace("Session Destroyed with id=" + id + "::active session count=" + activeSessionCount);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#unknowCredentialType(java.lang.String)
+     */
+    @Override
+    public RuntimeException unknowCredentialType(String name) {
+        return new RuntimeException(ErrorCodes.UNSUPPORTED_TYPE + "Unknown credential type:" + name);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerRoleGeneratorSetupError(java.lang.Throwable)
+     */
+    @Override
+    public void samlHandlerRoleGeneratorSetupError(Throwable t) {
+        logger.error("Exception initializing role generator:", t);
+    }
+
+    @Override
+    public RuntimeException samlHandlerAssertionNotFound() {
+        return new RuntimeException(ErrorCodes.NULL_VALUE + "Assertion not found in the handler request");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerAuthnRequestIsNull()
+     */
+    @Override
+    public ProcessingException samlHandlerAuthnRequestIsNull() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "AuthnRequest is null");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerAuthenticationError(java.lang.Throwable)
+     */
+    @Override
+    public void samlHandlerAuthenticationError(Throwable t) {
+        logger.error("Exception in processing authentication:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerNoAssertionFromIDP()
+     */
+    @Override
+    public IllegalArgumentException samlHandlerNoAssertionFromIDP() {
+        return new IllegalArgumentException(ErrorCodes.NULL_VALUE + "No assertions in reply from IDP");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerNullEncryptedAssertion()
+     */
+    @Override
+    public ProcessingException samlHandlerNullEncryptedAssertion() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "Null encrypted assertion element");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerIDPAuthenticationFailedError()
+     */
+    @Override
+    public SecurityException samlHandlerIDPAuthenticationFailedError() {
+        return new SecurityException(ErrorCodes.IDP_AUTH_FAILED + "IDP forbid the user");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see
+     *org.picketlink.identity.federation.PicketLinkLogger#assertionExpiredError(org.picketlink.identity.federation.core.saml
+     *.v2.exceptions.AssertionExpiredException)
+     */
+    @Override
+    public ProcessingException assertionExpiredError(AssertionExpiredException aee) {
+        return new ProcessingException(ErrorCodes.EXPIRED_ASSERTION + "Assertion has expired", aee);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#unsupportedRoleType(java.lang.Object)
+     */
+    @Override
+    public RuntimeException unsupportedRoleType(Object attrValue) {
+        return new RuntimeException(ErrorCodes.UNSUPPORTED_TYPE + "Unknown role object type : " + attrValue);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerFailedInResponseToVerification(java.lang.String,
+     *java.lang.String)
+     */
+    @Override
+    public void samlHandlerFailedInResponseToVerification(String inResponseTo, String authnRequestId) {
+        trace("Verification of InResponseTo failed. InResponseTo from SAML response is " + inResponseTo
+            + ". Value of request Id from HTTP session is " + authnRequestId);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerFailedInResponseToVerificarionError()
+     */
+    @Override
+    public ProcessingException samlHandlerFailedInResponseToVerificarionError() {
+        return new ProcessingException(ErrorCodes.AUTHN_REQUEST_ID_VERIFICATION_FAILED);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerIssuerNotTrustedError(java.lang.String)
+     */
+    @Override
+    public IssuerNotTrustedException samlIssuerNotTrustedError(String issuer) {
+        return new IssuerNotTrustedException("Issuer not Trusted: " + issuer);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerIssuerNotTrustedError(java.lang.Throwable)
+     */
+    @Override
+    public IssuerNotTrustedException samlIssuerNotTrustedException(Throwable t) {
+        return new IssuerNotTrustedException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerTrustElementMissingError()
+     */
+    @Override
+    public ConfigurationException samlHandlerTrustElementMissingError() {
+        return new ConfigurationException(ErrorCodes.NULL_VALUE + "trust element missing");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerIdentityServerNotFound()
+     */
+    @Override
+    public ProcessingException samlHandlerIdentityServerNotFoundError() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "Identity Server not found");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerPrincipalNotFoundError()
+     */
+    @Override
+    public ProcessingException samlHandlerPrincipalNotFoundError() {
+        return new ProcessingException(ErrorCodes.PRINCIPAL_NOT_FOUND);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerKeyPairNotFound()
+     */
+    @Override
+    public void samlHandlerKeyPairNotFound() {
+        trace("Key Pair cannot be found");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerKeyPairNotFoundError()
+     */
+    @Override
+    public ProcessingException samlHandlerKeyPairNotFoundError() {
+        return new ProcessingException("Key Pair cannot be found");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see
+     *org.picketlink.identity.federation.PicketLinkLogger#samlHandlerErrorSigningRedirectBindingMessage(java.lang.Throwable)
+     */
+    @Override
+    public void samlHandlerErrorSigningRedirectBindingMessage(Throwable t) {
+        logger.error("Error when trying to sign message for redirection", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see
+     *org.picketlink.identity.federation.PicketLinkLogger#samlHandlerSigningRedirectBindingMessageError(org.picketlink.identity
+     *.federation.core.exceptions.ConfigurationException)
+     */
+    @Override
+    public RuntimeException samlHandlerSigningRedirectBindingMessageError(Throwable t) {
+        return new RuntimeException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#signatureValidationError()
+     */
+    @Override
+    public SignatureValidationException samlHandlerSignatureValidationFailed() {
+        return new SignatureValidationException(ErrorCodes.INVALID_DIGITAL_SIGNATURE + "Signature Validation Failed");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerErrorValidatingSignature(java.lang.Throwable)
+     */
+    @Override
+    public void samlHandlerErrorValidatingSignature(Throwable t) {
+        logger.error("Error validating signature:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerInvalidSignatureError()
+     */
+    @Override
+    public ProcessingException samlHandlerInvalidSignatureError() {
+        return new ProcessingException(ErrorCodes.INVALID_DIGITAL_SIGNATURE + "Error validating signature.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerSignatureNorPresentError()
+     */
+    @Override
+    public ProcessingException samlHandlerSignatureNotPresentError() {
+        return new ProcessingException(ErrorCodes.INVALID_DIGITAL_SIGNATURE
+            + "Signature Validation failed. Signature is not present. Check if the IDP is supporting signatures.");
+    }
+
+    @Override
+    public ProcessingException samlHandlerSignatureValidationError(Throwable t) {
+        return new ProcessingException(ErrorCodes.INVALID_DIGITAL_SIGNATURE + "Signature Validation failed", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerChainProcessingError(java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException samlHandlerChainProcessingError(Throwable t) {
+        return new RuntimeException("Error during processing the SAML Handler Chain.", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#trustKeyManagerMissing()
+     */
+    @Override
+    public TrustKeyConfigurationException trustKeyManagerMissing() {
+        return new TrustKeyConfigurationException(ErrorCodes.TRUST_MANAGER_MISSING);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlBase64DecodingError(java.lang.Throwable)
+     */
+    @Override
+    public void samlBase64DecodingError(Throwable t) {
+        logger.error("Error in base64 decoding saml message.", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlParsingError(java.lang.Throwable)
+     */
+    @Override
+    public void samlParsingError(Throwable t) {
+        logger.error("Exception in parsing saml message:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#attributeManagerMappingContextNull()
+     */
+    @Override
+    public void mappingContextNull() {
+        logger.error("Mapping Context returned is null");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#attributeManagerError(java.lang.Throwable)
+     */
+    @Override
+    public void attributeManagerError(Throwable t) {
+        logger.error("Exception in attribute mapping:", t);
+    }
+
+    @Override
+    public void couldNotObtainSecurityContext() {
+        logger.error("Could not obtain security context.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authFailedToCreatePrincipal(java.lang.Throwable)
+     */
+    @Override
+    public LoginException authFailedToCreatePrincipal(Throwable t) {
+        LoginException loginException = new LoginException(ErrorCodes.PROCESSING_EXCEPTION + "Failed to create principal: "
+            + t.getMessage());
+
+        loginException.initCause(t);
+
+        return loginException;
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSharedCredentialIsNotSAMLCredential()
+     */
+    @Override
+    public LoginException authSharedCredentialIsNotSAMLCredential(String className) {
+        return new LoginException(ErrorCodes.WRONG_TYPE
+            + "SAML2STSLoginModule: Shared credential is not a SAML credential. Got " + className);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSTSConfigFileNotFound()
+     */
+    @Override
+    public LoginException authSTSConfigFileNotFound() {
+        return new LoginException(ErrorCodes.SAML2STSLM_CONF_FILE_MISSING);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authErrorHandlingCallback(java.lang.Throwable)
+     */
+    @Override
+    public LoginException authErrorHandlingCallback(Throwable t) {
+        LoginException loginException = new LoginException("Error handling callback.");
+
+        loginException.initCause(t);
+
+        return loginException;
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authInvalidSAMLAssertionBySTS()
+     */
+    @Override
+    public LoginException authInvalidSAMLAssertionBySTS() {
+        return new LoginException(ErrorCodes.INVALID_ASSERTION
+            + "SAML2STSLoginModule: Supplied assertion was considered invalid by the STS");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authAssertionValidationValies(java.lang.Throwable)
+     */
+    @Override
+    public LoginException authAssertionValidationError(Throwable t) {
+        LoginException loginException = new LoginException("Failed to validate assertion using STS");
+
+        loginException.initCause(t);
+
+        return loginException;
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authFailedToParseSAMLAssertion(java.lang.Throwable)
+     */
+    @Override
+    public LoginException authFailedToParseSAMLAssertion(Throwable t) {
+        LoginException exception = new LoginException("PL00044: SAML2STSLoginModule: Failed to parse assertion element:"
+            + t.getMessage());
+        exception.initCause(t);
+        return exception;
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLAssertionPasingFailed(java.lang.Throwable)
+     */
+    @Override
+    public void samlAssertionPasingFailed(Throwable t) {
+        logger.error("SAML Assertion parsing failed", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authNullKeyStoreFromSecurityDomainError(java.lang.String)
+     */
+    @Override
+    public LoginException authNullKeyStoreFromSecurityDomainError(String name) {
+        return new LoginException(ErrorCodes.NULL_VALUE + "SAML2STSLoginModule: null truststore for " + name);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authNullKeyStoreAliasFromSecurityDomain(java.lang.String)
+     */
+    @Override
+    public LoginException authNullKeyStoreAliasFromSecurityDomainError(String name) {
+        return new LoginException(ErrorCodes.NULL_VALUE + "SAML2STSLoginModule: null KeyStoreAlias for " + name
+            + "; set 'KeyStoreAlias' in '" + name + "' security domain configuration");
+    }
+
+    @Override
+    public LoginException authNoCertificateFoundForAliasError(String alias, String name) {
+        return new LoginException(ErrorCodes.NULL_VALUE + "No certificate found for alias '" + alias + "' in the '" + name
+            + "' security domain");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLInvalidSignature()
+     */
+    @Override
+    public LoginException authSAMLInvalidSignatureError() {
+        return new LoginException(ErrorCodes.INVALID_DIGITAL_SIGNATURE + "SAML2STSLoginModule: "
+            + WSTrustConstants.STATUS_CODE_INVALID + " : invalid SAML V2.0 assertion signature");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLAssertionExpiredError()
+     */
+    @Override
+    public LoginException authSAMLAssertionExpiredError() {
+        return new LoginException(ErrorCodes.EXPIRED_ASSERTION + "SAML2STSLoginModule: " + WSTrustConstants.STATUS_CODE_INVALID
+            + "::assertion expired or used before its lifetime period");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLAssertionIssuingFailed(java.lang.Throwable)
+     */
+    @Override
+    public void authSAMLAssertionIssuingFailed(Throwable t) {
+        logger.error("Unable to issue assertion", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUnableToCreateBinaryToken(java.lang.Throwable)
+     */
+    @Override
+    public void jbossWSUnableToCreateBinaryToken(Throwable t) {
+        logger.error("Unable to create binary token", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUnableToCreateSecurityToken()
+     */
+    @Override
+    public void jbossWSUnableToCreateSecurityToken() {
+        logger.warn("Was not able to create security token. Just sending message without binary token");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUnableToWriteSOAPMessage(java.lang.Exception)
+     */
+    @Override
+    public void jbossWSUnableToWriteSOAPMessage(Throwable t) {
+        logger.error("Exception writing SOAP Message", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUnableToLoadJBossWSSEConfigError()
+     */
+    @Override
+    public RuntimeException jbossWSUnableToLoadJBossWSSEConfigError() {
+        return new RuntimeException(ErrorCodes.RESOURCE_NOT_FOUND + "unable to load jboss-wsse.xml");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSAuthorizationFailed()
+     */
+    @Override
+    public RuntimeException jbossWSAuthorizationFailed() {
+        return new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION + "Authorization Failed");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSErrorGettingOperationName(java.lang.Throwable)
+     */
+    @Override
+    public void jbossWSErrorGettingOperationName(Throwable t) {
+        logger.error("Exception using backup method to get op name=", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLCredentialNotAvailable()
+     */
+    @Override
+    public LoginException authSAMLCredentialNotAvailable() {
+        return new LoginException(ErrorCodes.NULL_VALUE + "SamlCredential is not available in subject");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#unableToInstantiateHandler(java.lang.String,
+     *java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException authUnableToInstantiateHandler(String token, Throwable t) {
+        return new RuntimeException(ErrorCodes.CANNOT_CREATE_INSTANCE + "Unable to instantiate handler:" + token, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUnableToCreateSSLSocketFactory(java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException jbossWSUnableToCreateSSLSocketFactory(Throwable t) {
+        return new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION + "Unable to create SSL Socket Factory:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUnableToFindSSLSocketFactory()
+     */
+    @Override
+    public RuntimeException jbossWSUnableToFindSSLSocketFactory() {
+        return new RuntimeException("We did not find SSL Socket Factory");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authUnableToGetIdentityFromSubject()
+     */
+    @Override
+    public RuntimeException authUnableToGetIdentityFromSubject() {
+        return new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION + "Unable to get the Identity from the subject.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLAssertionNullOrEmpty()
+     */
+    @Override
+    public RuntimeException authSAMLAssertionNullOrEmpty() {
+        return new RuntimeException("SAML Assertion is null or empty");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUncheckedAndRolesCannotBeTogether()
+     */
+    @Override
+    public ProcessingException jbossWSUncheckedAndRolesCannotBeTogether() {
+        return new ProcessingException(ErrorCodes.PROCESSING_EXCEPTION + "unchecked and role(s) cannot be together");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIDPHandlingSAML11Error(java.lang.Throwable)
+     */
+    @Override
+    public void samlIDPHandlingSAML11Error(Throwable t) {
+        logger.error("Exception handling saml 11 use case:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIDPValidationCheckFailed()
+     */
+    @Override
+    public GeneralSecurityException samlIDPValidationCheckFailed() {
+        return new GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIDPRequestProcessingError(java.lang.Throwable)
+     */
+    @Override
+    public void samlIDPRequestProcessingError(Throwable t) {
+        logger.error("Exception in processing request:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see
+     *org.picketlink.identity.federation.PicketLinkLogger#samlIDPUnableToSetParticipantStackUsingDefault(java.lang.Throwable)
+     */
+    @Override
+    public void samlIDPUnableToSetParticipantStackUsingDefault(Throwable t) {
+        logger.warn("Unable to set the Identity Participant Stack Class. Will just use the default");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerConfigurationError(java.lang.Throwable)
+     */
+    @Override
+    public void samlHandlerConfigurationError(Throwable t) {
+        logger.error("Exception dealing with handler configuration:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIDPSettingCanonicalizationMethod(java.lang.String)
+     */
+    @Override
+    public void samlIDPSettingCanonicalizationMethod(String canonicalizationMethod) {
+        logger.debug("Setting the CanonicalizationMethod on XMLSignatureUtil::" + canonicalizationMethod);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIDPConfigurationError(java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException samlIDPConfigurationError(Throwable t) {
+        return new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION + t.getMessage(), t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#configurationFileMissing(java.lang.String)
+     */
+    @Override
+    public RuntimeException configurationFileMissing(String configFile) {
+        return new RuntimeException(ErrorCodes.IDP_WEBBROWSER_VALVE_CONF_FILE_MISSING + configFile);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIDPInstallingDefaultSTSConfig()
+     */
+    @Override
+    public void samlIDPInstallingDefaultSTSConfig() {
+        logger.info("Did not find picketlink-sts.xml. We will install default configuration");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#warn(java.lang.String)
+     */
+    @Override
+    public void warn(String message) {
+        logger.warn(message);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPFallingBackToLocalFormAuthentication()
+     */
+    @Override
+    public void samlSPFallingBackToLocalFormAuthentication() {
+        logger.error("Falling back on local Form Authentication if available");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#unableLocalAuthentication(java.lang.Throwable)
+     */
+    @Override
+    public IOException unableLocalAuthentication(Throwable t) {
+        return new IOException(ErrorCodes.UNABLE_LOCAL_AUTH, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPUnableToGetIDPDescriptorFromMetadata()
+     */
+    @Override
+    public void samlSPUnableToGetIDPDescriptorFromMetadata() {
+        logger.error("Unable to obtain the IDP SSO Descriptor from metadata");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPConfigurationError(java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException samlSPConfigurationError(Throwable t) {
+        return new RuntimeException(t.getMessage(), t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPSettingCanonicalizationMethod(java.lang.String)
+     */
+    @Override
+    public void samlSPSettingCanonicalizationMethod(String canonicalizationMethod) {
+        logger.info("Service Provider is setting the CanonicalizationMethod on XMLSignatureUtil::" + canonicalizationMethod);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPCouldNotDispatchToLogoutPage(java.lang.String)
+     */
+    @Override
+    public void samlSPCouldNotDispatchToLogoutPage(String logOutPage) {
+        logger.errorf("Cannot dispatch to the logout page: no request dispatcher" + logOutPage);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#usingLoggerImplementation(java.lang.String)
+     */
+    @Override
+    public void usingLoggerImplementation(String className) {
+        logger.debugf("Using logger implementation: " + className);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlResponseFromIDPParsingFailed()
+     */
+    @Override
+    public void samlResponseFromIDPParsingFailed() {
+        logger.error("Error parsing the response from the IDP. Check the strict post binding configuration on both IDP and SP side.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#auditSecurityDomainNotFound(java.lang.Throwable)
+     */
+    @Override
+    public ConfigurationException auditSecurityDomainNotFound(Throwable t) {
+        return new ConfigurationException(
+            "Could not find a security domain configuration. Check if it is defined in WEB-INF/jboss-web.xml or set the "
+                + GeneralConstants.AUDIT_SECURITY_DOMAIN + " system property.", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#auditAuditManagerNotFound(java.lang.String, java.lang.Throwable)
+     */
+    @Override
+    public ConfigurationException auditAuditManagerNotFound(String location, Throwable t) {
+        return new ConfigurationException("Could not find a audit manager configuration. Location: " + location, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIssueInstantMissingError()
+     */
+    @Override
+    public IssueInstantMissingException samlIssueInstantMissingError() {
+        return new IssueInstantMissingException(ErrorCodes.NULL_ISSUE_INSTANT);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPResponseNotCatalinaResponse()
+     */
+    @Override
+    public RuntimeException samlSPResponseNotCatalinaResponseError(Object response) {
+        return new RuntimeException(ErrorCodes.SERVICE_PROVIDER_NOT_CATALINA_RESPONSE + ". Received: " + response);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlLogoutError(java.lang.Throwable)
+     */
+    @Override
+    public void samlLogoutError(Throwable t) {
+        logger.error("Error during the logout.", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlErrorPageForwardError(java.lang.String, java.lang.Throwable)
+     */
+    @Override
+    public void samlErrorPageForwardError(String errorPage, Throwable t) {
+        logger.error("Error forwarding to the error page: " + errorPage);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPHandleRequestError(java.lang.Throwable)
+     */
+    @Override
+    public void samlSPHandleRequestError(Throwable t) {
+        logger.error("Service Provider could not handle the request.", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPProcessingExceptionError()
+     */
+    @Override
+    public IOException samlSPProcessingExceptionError(Throwable t) {
+        return new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlInvalidProtocolBinding()
+     */
+    @Override
+    public IllegalArgumentException samlInvalidProtocolBinding() {
+        return new IllegalArgumentException("Invalid SAML Protocol Binding. Expected POST or REDIRECT.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerServiceProviderConfigNotFound()
+     */
+    @Override
+    public IllegalStateException samlHandlerServiceProviderConfigNotFound() {
+        return new IllegalStateException("Service Provider configuration not found. Check if the "
+            + GeneralConstants.CONFIGURATION + " parameter is defined in the handler chain config.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSecurityTokenAlreadyPersisted(java.lang.String)
+     */
+    @Override
+    public void samlSecurityTokenAlreadyPersisted(String id) {
+        warn("Security Token with id=" + id + " has already been persisted.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSecurityTokenNotFoundInRegistry(java.lang.String)
+     */
+    @Override
+    public void samlSecurityTokenNotFoundInRegistry(String id) {
+        warn("Security Token with id=" + id + " was not found in the registry.");
+    }
+
+    /*(non-Javadoc)
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlMetaDataFailedToCreateCacheDuration(java.lang.String)
+     */
+    @Override
+    public IllegalArgumentException samlMetaDataFailedToCreateCacheDuration(String timeValue) {
+        return new IllegalArgumentException("Cache duration could not be created using '" + timeValue
+            + "'. This value must be an ISO-8601 period or a numeric value representing the duration in milliseconds.");
+    }
+
+    @Override
+    public ConfigurationException samlMetaDataNoIdentityProviderDefined() {
+        return new ConfigurationException("No configuration provided for the Identity Provider.");
+    }
+
+    @Override
+    public ConfigurationException samlMetaDataNoServiceProviderDefined() {
+        return new ConfigurationException("No configuration provided for the Service Provider.");
+    }
+
+    /*(non-Javadoc)
+     *@see org.picketlink.identity.federation.PicketLinkLogger#securityDomainNotFound()
+     */
+    @Override
+    public ConfigurationException securityDomainNotFound() {
+        return new ConfigurationException("The security domain name could not be found. Check your jboss-web.xml.");
+    }
+
+    /*(non-Javadoc)
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authenticationManagerError(org.picketlink.identity.federation.core.exceptions.ConfigurationException)
+     */
+    @Override
+    public void authenticationManagerError(ConfigurationException e) {
+        error("Error loading the AuthenticationManager.", e);
+    }
+
+    private void error(String msg, ConfigurationException e) {
+        logger.error(msg, e);
+    }
+
+    /*(non-Javadoc)
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authorizationManagerError(org.picketlink.identity.federation.core.exceptions.ConfigurationException)
+     */
+    @Override
+    public void authorizationManagerError(ConfigurationException e) {
+        error("Error loading AuthorizationManager.", e);
+    }
+
+    public IllegalStateException jbdcInitializationError(Throwable throwable) {
+        return new IllegalStateException(throwable);
+    }
+
+    public RuntimeException errorUnmarshallingToken(Throwable e) {
+        return new RuntimeException(e);
+    }
+
+    public RuntimeException runtimeException(String msg, Throwable e) {
+        return new RuntimeException(msg, e);
+    }
+
+    public IllegalStateException datasourceIsNull() {
+        return new IllegalStateException();
+    }
+
+    @Override
+    public IllegalArgumentException cannotParseParameterValue(String parameter, Throwable e) {
+        return new IllegalArgumentException("Cannot parse: " + parameter, e);
+    }
+
+    @Override
+    public RuntimeException cannotGetFreeClientPoolKey(String key) {
+        return new RuntimeException("Cannot get free client pool key: " + key);
+    }
+
+    @Override
+    public RuntimeException cannotGetSTSConfigByKey(String key) {
+        return new RuntimeException("Cannot get STS config by key: " + key + ". The pool for given key has to be initialized first by calling STSClientPool.initialize method.");
+    }
+
+    @Override
+    public RuntimeException cannotGetUsedClientsByKey(String key) {
+        return new RuntimeException("Cannot get used clients by key: " + key);
+    }
+
+    @Override
+    public RuntimeException removingNonExistingClientFromUsedClientsByKey(String key) {
+        return new RuntimeException("removing non existing client from used clients by key: " + key);
+    }
+
+    @Override
+    public RuntimeException freePoolAlreadyContainsGivenKey(String key) {
+        return new RuntimeException("Free pool already contains given key: " + key);
+    }
+
+    @Override
+    public RuntimeException maximumNumberOfClientsReachedforPool(String max) {
+        return new RuntimeException("Pool reached maximum number of clients within the pool (" + max + ")");
+    }
+
+    @Override
+    public RuntimeException cannotSetMaxPoolSizeToNegative(String max) {
+        return new RuntimeException("Cannot set maximum STS client pool size to negative number (" + max + ")");
+    }
+
+    @Override
+    public RuntimeException parserFeatureNotSupported(String feature) {
+        return new RuntimeException("Parser feature " + feature + " not supported.");
+    }
+
+    @Override
+    public ProcessingException samlAssertionWrongAudience(String serviceURL) {
+        return new ProcessingException("Wrong audience [" + serviceURL + "].");
+    }
+
+    @Override
+    public ProcessingException samlExtensionUnknownChild(Class<?> clazz) {
+        return new ProcessingException("Unknown child type specified for extension: "
+            + (clazz == null ? "<null>" : clazz.getSimpleName())
+            + ".");
+    }
+}
diff --git a/src/main/java/nl/first8/keycloak/saml/common/PicketLinkLoggerFactory.java b/src/main/java/nl/first8/keycloak/saml/common/PicketLinkLoggerFactory.java
new file mode 100644
index 0000000..f3ae78c
--- /dev/null
+++ b/src/main/java/nl/first8/keycloak/saml/common/PicketLinkLoggerFactory.java
@@ -0,0 +1,10 @@
+package nl.first8.keycloak.saml.common;
+
+import org.jboss.logging.Logger;
+import org.keycloak.saml.common.PicketLinkLogger;
+
+public class PicketLinkLoggerFactory {
+    public static PicketLinkLogger getLogger(Logger logger) {
+        return new DefaultPicketLinkLogger(logger);
+    }
+}
diff --git a/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/request/SAML2Request.java b/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/request/SAML2Request.java
index ef8ac89..92e2bf7 100644
--- a/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/request/SAML2Request.java
+++ b/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/request/SAML2Request.java
@@ -14,7 +14,8 @@
 import org.keycloak.dom.saml.v2.assertion.NameIDType;
 import org.keycloak.dom.saml.v2.protocol.*;
 import org.keycloak.saml.common.PicketLinkLogger;
-import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import nl.first8.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.jboss.logging.Logger;
 import org.keycloak.saml.common.constants.GeneralConstants;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.common.exceptions.ConfigurationException;
@@ -38,7 +39,7 @@
  */
 public class SAML2Request {
 
-    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger(Logger.getLogger(SAML2Request.class));
 
     private SAMLDocumentHolder samlDocumentHolder = null;
     private String nameIDFormat = JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get();
@@ -118,7 +119,7 @@ public AuthnRequestType createAuthnRequestType(String id, String assertionConsum
      *                                  is null
      */
     public AuthnRequestType getAuthnRequestType(String fileName) throws ConfigurationException, ProcessingException,
-            ParsingException {
+        ParsingException {
         if (fileName == null)
             throw logger.nullArgumentError("fileName");
         URL resourceURL = SecurityActions.loadResource(getClass(), fileName);
@@ -143,7 +144,7 @@ public AuthnRequestType getAuthnRequestType(String fileName) throws Configuratio
      * @throws ParsingException
      */
     public static SAMLDocumentHolder getSAML2ObjectFromStream(InputStream is) throws ConfigurationException, ParsingException,
-            ProcessingException {
+        ProcessingException {
         if (is == null)
             throw logger.nullArgumentError("InputStream");
 
@@ -178,7 +179,7 @@ public static SAMLDocumentHolder getSAML2ObjectFromDocument(Document samlDocumen
      * @throws IllegalArgumentException inputstream is null
      */
     public RequestAbstractType getRequestType(InputStream is) throws ParsingException, ConfigurationException,
-            ProcessingException {
+        ProcessingException {
         if (is == null)
             throw logger.nullArgumentError("InputStream");
 
@@ -203,7 +204,7 @@ public RequestAbstractType getRequestType(InputStream is) throws ParsingExceptio
      * @throws IllegalArgumentException inputstream is null
      */
     public AuthnRequestType getAuthnRequestType(InputStream is) throws ConfigurationException, ProcessingException,
-            ParsingException {
+        ParsingException {
         if (is == null)
             throw logger.nullArgumentError("InputStream");
 
diff --git a/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java b/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java
index f1158d8..e20f0e7 100644
--- a/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java
+++ b/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java
@@ -7,7 +7,8 @@
 import org.keycloak.dom.saml.v2.protocol.ResponseType;
 import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
 import org.keycloak.saml.common.PicketLinkLogger;
-import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import nl.first8.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.jboss.logging.Logger;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.common.exceptions.ConfigurationException;
 import org.keycloak.saml.common.exceptions.ParsingException;
@@ -42,7 +43,7 @@
 
 public class SAML2Response {
 
-    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger(Logger.getLogger(SAML2Response.class));
     private final long ASSERTION_VALIDITY = 5000; // 5secs in milis
 
     private final long CLOCK_SKEW = 2000; // 2secs
@@ -122,7 +123,7 @@ public AuthzDecisionStatementType createAuthzDecisionStatementType(String resour
      * @throws ProcessingException
      */
     public ResponseType createResponseType(String ID, SPInfoHolder sp, IDPInfoHolder idp, IssuerInfoHolder issuerInfo)
-            throws ProcessingException {
+        throws ProcessingException {
         String responseDestinationURI = sp.getResponseDestinationURI();
 
         XMLGregorianCalendar issueInstant = XMLTimeUtil.getIssueInstant();
@@ -162,7 +163,7 @@ public ResponseType createResponseType(String ID, SPInfoHolder sp, IDPInfoHolder
         String assertionID = IDGenerator.create("ID_");
 
         assertionType = SAMLAssertionFactory.createAssertion(assertionID, issuerID, issueInstant, conditions,
-                subjectType, statements);
+            subjectType, statements);
 
         try {
             AssertionUtil.createTimedConditions(assertionType, ASSERTION_VALIDITY, CLOCK_SKEW);
@@ -213,7 +214,7 @@ public ResponseType createResponseType(String ID, IssuerInfoHolder issuerInfo, A
      * @throws ConfigurationException
      */
     public ResponseType createResponseType(String ID, IssuerInfoHolder issuerInfo, Element encryptedAssertion)
-            throws ConfigurationException {
+        throws ConfigurationException {
         return JBossSAMLAuthnResponseFactory.createResponseType(ID, issuerInfo, encryptedAssertion);
     }
 
@@ -226,7 +227,7 @@ public ResponseType createResponseType(String ID, IssuerInfoHolder issuerInfo, E
      * @throws IssueInstantMissingException
      */
     public void createTimedConditions(AssertionType assertion, long durationInMilis) throws ConfigurationException,
-            IssueInstantMissingException {
+        IssueInstantMissingException {
         AssertionUtil.createTimedConditions(assertion, durationInMilis);
     }
 
@@ -240,7 +241,7 @@ public void createTimedConditions(AssertionType assertion, long durationInMilis)
      * @throws ConfigurationException
      */
     public EncryptedAssertionType getEncryptedAssertion(InputStream is) throws ParsingException, ConfigurationException,
-            ProcessingException {
+        ProcessingException {
         if (is == null)
             throw logger.nullArgumentError("InputStream");
 
@@ -313,7 +314,7 @@ public ResponseType getResponseType(InputStream is) throws ParsingException, Con
      * @throws ProcessingException
      */
     public SAML2Object getSAML2ObjectFromStream(InputStream is) throws ParsingException, ConfigurationException,
-            ProcessingException {
+        ProcessingException {
         if (is == null)
             throw logger.nullArgumentError("InputStream");
 
@@ -376,7 +377,7 @@ public Document convert(EncryptedElementType encryptedElementType) throws Config
      * @throws ProcessingException
      */
     public static Document convert(StatusResponseType responseType) throws ProcessingException, ConfigurationException,
-            ParsingException {
+        ParsingException {
         ByteArrayOutputStream bos = new ByteArrayOutputStream();
 
         SAMLResponseWriter writer = new SAMLResponseWriter(StaxUtil.getXMLStreamWriter(bos));
diff --git a/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/sig/SAML2Signature.java b/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/sig/SAML2Signature.java
index c6344b7..aa0a9fd 100644
--- a/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/sig/SAML2Signature.java
+++ b/src/main/java/nl/first8/keycloak/saml/processing/api/saml/v2/sig/SAML2Signature.java
@@ -2,7 +2,8 @@
 
 import nl.first8.keycloak.saml.processing.core.util.XMLSignatureUtil;
 import org.keycloak.saml.common.PicketLinkLogger;
-import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import nl.first8.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.jboss.logging.Logger;
 import org.keycloak.saml.common.constants.JBossSAMLConstants;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.common.exceptions.ProcessingException;
@@ -24,7 +25,7 @@
 
 public class SAML2Signature {
 
-    private static final PicketLinkLogger picketLogger = PicketLinkLoggerFactory.getLogger();
+    private static final PicketLinkLogger picketLogger = PicketLinkLoggerFactory.getLogger(Logger.getLogger(SAML2Signature.class));
 
     private String signatureMethod = SignatureMethod.RSA_SHA1;
 
diff --git a/src/main/java/nl/first8/keycloak/saml/processing/core/parsers/saml/assertion/SAMLAttributeValueParser.java b/src/main/java/nl/first8/keycloak/saml/processing/core/parsers/saml/assertion/SAMLAttributeValueParser.java
index 52ef7b6..1a1558c 100644
--- a/src/main/java/nl/first8/keycloak/saml/processing/core/parsers/saml/assertion/SAMLAttributeValueParser.java
+++ b/src/main/java/nl/first8/keycloak/saml/processing/core/parsers/saml/assertion/SAMLAttributeValueParser.java
@@ -9,7 +9,8 @@
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.events.Namespace;
 import org.keycloak.saml.common.PicketLinkLogger;
-import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import nl.first8.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.jboss.logging.Logger;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.common.exceptions.ParsingException;
 import org.keycloak.saml.common.parsers.StaxParser;
@@ -30,7 +31,7 @@
 
 public class SAMLAttributeValueParser implements StaxParser {
 
-    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger(Logger.getLogger(SAMLAttributeValueParser.class));
 
     private static final SAMLAttributeValueParser INSTANCE = new SAMLAttributeValueParser();
     private static final QName NIL = new QName(JBossSAMLURIConstants.XSI_NSURI.get(), "nil", JBossSAMLURIConstants.XSI_PREFIX.get());
diff --git a/src/main/java/nl/first8/keycloak/saml/processing/core/parsers/saml/xmlsec/CipherValueParser.java b/src/main/java/nl/first8/keycloak/saml/processing/core/parsers/saml/xmlsec/CipherValueParser.java
index 06f4e85..91e9200 100644
--- a/src/main/java/nl/first8/keycloak/saml/processing/core/parsers/saml/xmlsec/CipherValueParser.java
+++ b/src/main/java/nl/first8/keycloak/saml/processing/core/parsers/saml/xmlsec/CipherValueParser.java
@@ -2,7 +2,8 @@
 
 import nl.first8.keycloak.saml.processing.core.parsers.saml.assertion.SAMLAssertionQNames;
 import org.keycloak.saml.common.PicketLinkLogger;
-import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import nl.first8.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.jboss.logging.Logger;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.common.exceptions.ParsingException;
 import org.keycloak.saml.common.parsers.StaxParser;
@@ -19,7 +20,7 @@
  */
 public class CipherValueParser implements StaxParser {
 
-    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger(Logger.getLogger(CipherValueParser.class));
 
     private static final CipherValueParser INSTANCE = new CipherValueParser();
     private static final QName NIL = new QName(JBossSAMLURIConstants.XSI_NSURI.get(), "nil", JBossSAMLURIConstants.XSI_PREFIX.get());
diff --git a/src/main/java/nl/first8/keycloak/saml/processing/core/saml/v2/factories/JBossSAMLAuthnResponseFactory.java b/src/main/java/nl/first8/keycloak/saml/processing/core/saml/v2/factories/JBossSAMLAuthnResponseFactory.java
index eccc621..6615ee1 100644
--- a/src/main/java/nl/first8/keycloak/saml/processing/core/saml/v2/factories/JBossSAMLAuthnResponseFactory.java
+++ b/src/main/java/nl/first8/keycloak/saml/processing/core/saml/v2/factories/JBossSAMLAuthnResponseFactory.java
@@ -24,7 +24,8 @@
 import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
 import org.keycloak.dom.saml.v2.protocol.StatusType;
 import org.keycloak.saml.common.PicketLinkLogger;
-import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import nl.first8.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.jboss.logging.Logger;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.common.exceptions.ConfigurationException;
 import org.keycloak.saml.processing.core.saml.v2.holders.IssuerInfoHolder;
@@ -42,7 +43,7 @@
  */
 public class JBossSAMLAuthnResponseFactory {
 
-    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger(Logger.getLogger(JBossSAMLAuthnResponseFactory.class));
 
     /**
      * Create a StatusType given the status code uri
diff --git a/src/main/java/nl/first8/keycloak/saml/processing/core/saml/v2/util/AssertionUtil.java b/src/main/java/nl/first8/keycloak/saml/processing/core/saml/v2/util/AssertionUtil.java
index f90d395..2dd8530 100644
--- a/src/main/java/nl/first8/keycloak/saml/processing/core/saml/v2/util/AssertionUtil.java
+++ b/src/main/java/nl/first8/keycloak/saml/processing/core/saml/v2/util/AssertionUtil.java
@@ -34,7 +34,8 @@
 import org.keycloak.rotation.KeyLocator;
 import org.keycloak.saml.common.ErrorCodes;
 import org.keycloak.saml.common.PicketLinkLogger;
-import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import nl.first8.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.jboss.logging.Logger;
 import org.keycloak.saml.common.exceptions.ConfigurationException;
 import org.keycloak.saml.common.exceptions.ParsingException;
 import org.keycloak.saml.common.exceptions.ProcessingException;
@@ -66,7 +67,7 @@
 
 public class AssertionUtil {
 
-    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger(Logger.getLogger(AssertionUtil.class));
 
     /**
      * Given {@code AssertionType}, convert it into a String
@@ -189,7 +190,7 @@ public static AttributeType createAttribute(String name, String nameFormat, Obje
      *      </p>
      */
     public static void createTimedConditions(AssertionType assertion, long durationInMilis) throws ConfigurationException,
-            IssueInstantMissingException {
+        IssueInstantMissingException {
         XMLGregorianCalendar issueInstant = assertion.getIssueInstant();
         if (issueInstant == null)
             throw new IssueInstantMissingException(ErrorCodes.NULL_ISSUE_INSTANT);
@@ -211,7 +212,7 @@ public static void createTimedConditions(AssertionType assertion, long durationI
      * @throws IssueInstantMissingException
      */
     public static void createTimedConditions(AssertionType assertion, long durationInMilis, long clockSkew)
-            throws ConfigurationException, IssueInstantMissingException {
+        throws ConfigurationException, IssueInstantMissingException {
         XMLGregorianCalendar issueInstant = assertion.getIssueInstant();
         if (issueInstant == null)
             throw logger.samlIssueInstantMissingError();
@@ -237,7 +238,7 @@ public static void createTimedConditions(AssertionType assertion, long durationI
      * @throws IssueInstantMissingException
      */
     public static void createSAML11TimedConditions(SAML11AssertionType assertion, long durationInMilis, long clockSkew)
-            throws ConfigurationException, IssueInstantMissingException {
+        throws ConfigurationException, IssueInstantMissingException {
         XMLGregorianCalendar issueInstant = assertion.getIssueInstant();
         if (issueInstant == null)
             throw new IssueInstantMissingException(ErrorCodes.NULL_ISSUE_INSTANT);
@@ -579,11 +580,11 @@ public static Element decryptAssertion(ResponseType responseType, PrivateKey pri
      */
     public static Element decryptAssertion(ResponseType responseType, XMLEncryptionUtil.DecryptionKeyLocator decryptionKeyLocator) throws ParsingException, ProcessingException, ConfigurationException {
         Element enc = responseType.getAssertions().stream()
-                .map(ResponseType.RTChoiceType::getEncryptedAssertion)
-                .filter(Objects::nonNull)
-                .findFirst()
-                .map(EncryptedElementType::getEncryptedElement)
-                .orElseThrow(() -> new ProcessingException("No encrypted assertion found."));
+            .map(ResponseType.RTChoiceType::getEncryptedAssertion)
+            .filter(Objects::nonNull)
+            .findFirst()
+            .map(EncryptedElementType::getEncryptedElement)
+            .orElseThrow(() -> new ProcessingException("No encrypted assertion found."));
 
         String oldID = enc.getAttribute(JBossSAMLConstants.ID.get());
         Document newDoc = DocumentUtil.createDocument();
@@ -595,7 +596,7 @@ public static Element decryptAssertion(ResponseType responseType, XMLEncryptionU
 
         JAXPValidationUtil.checkSchemaValidation(decryptedDocumentElement);
         AssertionType assertion = (AssertionType) parser.parse(parser.createEventReader(DocumentUtil
-                .getNodeAsStream(decryptedDocumentElement)));
+            .getNodeAsStream(decryptedDocumentElement)));
 
         responseType.replaceAssertion(oldID, new ResponseType.RTChoiceType(assertion));
 
diff --git a/src/main/java/nl/first8/keycloak/saml/processing/core/saml/v2/writers/BaseWriter.java b/src/main/java/nl/first8/keycloak/saml/processing/core/saml/v2/writers/BaseWriter.java
index 4ef3e6b..d4b1603 100644
--- a/src/main/java/nl/first8/keycloak/saml/processing/core/saml/v2/writers/BaseWriter.java
+++ b/src/main/java/nl/first8/keycloak/saml/processing/core/saml/v2/writers/BaseWriter.java
@@ -12,7 +12,8 @@
 import org.keycloak.dom.saml.v2.metadata.LocalizedNameType;
 import org.keycloak.dom.xmlsec.w3.xmldsig.KeyInfoType;
 import org.keycloak.saml.common.PicketLinkLogger;
-import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import nl.first8.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.jboss.logging.Logger;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.common.exceptions.ProcessingException;
 import org.keycloak.saml.common.util.StaxUtil;
@@ -38,7 +39,7 @@
 
 public class BaseWriter {
 
-    protected static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+    protected static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger(Logger.getLogger(BaseWriter.class));
 
     protected static String PROTOCOL_PREFIX = "samlp";
 
@@ -176,7 +177,7 @@ public void writeAttributeTypeWithoutRootTag(AttributeType attributeType) throws
 
     private void writeElementAttributeValue(Element attributeValue) throws ProcessingException {
         StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.ATTRIBUTE_VALUE.get(),
-                ASSERTION_NSURI.get());
+            ASSERTION_NSURI.get());
         StaxUtil.writeDOMElement(writer, attributeValue);
         StaxUtil.writeEndElement(writer);
     }
@@ -221,7 +222,7 @@ public void writeDateAttributeValue(XMLGregorianCalendar attributeValue) throws
 
     public void writeLocalizedNameType(LocalizedNameType localizedNameType, QName startElement) throws ProcessingException {
         StaxUtil.writeStartElement(writer, startElement.getPrefix(), startElement.getLocalPart(),
-                startElement.getNamespaceURI());
+            startElement.getNamespaceURI());
         StaxUtil.writeAttribute(writer, new QName(JBossSAMLURIConstants.XML.get(), "lang", "xml"), localizedNameType.getLang());
         StaxUtil.writeCharacters(writer, localizedNameType.getValue());
         StaxUtil.writeEndElement(writer);
@@ -290,7 +291,7 @@ public void write(ExtensionsType extensions) throws ProcessingException {
 
     private void write(SubjectConfirmationType subjectConfirmationType) throws ProcessingException {
         StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.SUBJECT_CONFIRMATION.get(),
-                ASSERTION_NSURI.get());
+            ASSERTION_NSURI.get());
 
         StaxUtil.writeAttribute(writer, JBossSAMLConstants.METHOD.get(), subjectConfirmationType.getMethod());
 
@@ -311,7 +312,7 @@ private void write(SubjectConfirmationType subjectConfirmationType) throws Proce
 
     private void write(SubjectConfirmationDataType subjectConfirmationData) throws ProcessingException {
         StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.SUBJECT_CONFIRMATION_DATA.get(),
-                ASSERTION_NSURI.get());
+            ASSERTION_NSURI.get());
 
         // Let us look at attributes
         String inResponseTo = subjectConfirmationData.getInResponseTo();
diff --git a/src/main/java/nl/first8/keycloak/saml/processing/core/util/XMLSignatureUtil.java b/src/main/java/nl/first8/keycloak/saml/processing/core/util/XMLSignatureUtil.java
index 3c1b69e..c163e03 100644
--- a/src/main/java/nl/first8/keycloak/saml/processing/core/util/XMLSignatureUtil.java
+++ b/src/main/java/nl/first8/keycloak/saml/processing/core/util/XMLSignatureUtil.java
@@ -2,6 +2,7 @@
 
 import nl.first8.keycloak.saml.common.constants.GeneralConstants;
 import nl.first8.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.jboss.logging.Logger;
 import org.keycloak.common.util.Base64;
 import org.keycloak.common.util.PemUtils;
 import org.keycloak.dom.xmlsec.w3.xmldsig.DSAKeyValueType;
@@ -9,7 +10,7 @@
 import org.keycloak.dom.xmlsec.w3.xmldsig.RSAKeyValueType;
 import org.keycloak.dom.xmlsec.w3.xmldsig.SignatureType;
 import org.keycloak.saml.common.PicketLinkLogger;
-import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import nl.first8.keycloak.saml.common.PicketLinkLoggerFactory;
 import org.keycloak.saml.common.constants.WSTrustConstants;
 import org.keycloak.saml.common.exceptions.ParsingException;
 import org.keycloak.saml.common.exceptions.ProcessingException;
@@ -53,7 +54,8 @@
 
 public class XMLSignatureUtil {
 
-    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+    private static final PicketLinkLogger logger =
+        PicketLinkLoggerFactory.getLogger(Logger.getLogger(XMLSignatureUtil.class));
 
     // Set some system properties and Santuario providers. Run this block before any other class initialization.
     static {
@@ -172,7 +174,6 @@ public KeySelectorResult select(KeyInfo ki, KeySelector.Purpose prps, AlgorithmM
      * Use this method to not include the KeyInfo in the signature
      *
      * @param includeKeyInfoInSignature
-     *
      * @since v2.0.1
      */
     public static void setIncludeKeyInfoInSignature(boolean includeKeyInfoInSignature) {
@@ -188,9 +189,7 @@ public static void setIncludeKeyInfoInSignature(boolean includeKeyInfoInSignatur
      * @param digestMethod
      * @param signatureMethod
      * @param referenceURI
-     *
      * @return
-     *
      * @throws ParserConfigurationException
      * @throws XMLSignatureException
      * @throws MarshalException
@@ -250,13 +249,12 @@ public static Document sign(Document doc, Node nodeToBeSigned, String keyName, K
     /**
      * Sign only specified element (assumption is that it already has ID attribute set)
      *
-     * @param elementToSign element to sign with set ID
-     * @param nextSibling child of elementToSign, which will be used as next sibling of created signature
+     * @param elementToSign   element to sign with set ID
+     * @param nextSibling     child of elementToSign, which will be used as next sibling of created signature
      * @param keyPair
      * @param digestMethod
      * @param signatureMethod
      * @param referenceURI
-     *
      * @throws GeneralSecurityException
      * @throws MarshalException
      * @throws XMLSignatureException
@@ -270,14 +268,13 @@ public static void sign(Element elementToSign, Node nextSibling, String keyName,
     /**
      * Sign only specified element (assumption is that it already has ID attribute set)
      *
-     * @param elementToSign element to sign with set ID
-     * @param nextSibling child of elementToSign, which will be used as next sibling of created signature
+     * @param elementToSign   element to sign with set ID
+     * @param nextSibling     child of elementToSign, which will be used as next sibling of created signature
      * @param keyPair
      * @param digestMethod
      * @param signatureMethod
      * @param referenceURI
      * @param x509Certificate {@link X509Certificate} to be placed in SignedInfo
-     *
      * @throws GeneralSecurityException
      * @throws MarshalException
      * @throws XMLSignatureException
@@ -342,9 +339,7 @@ public static void fixIDAttributeSetup(Element element) {
      * @param digestMethod
      * @param signatureMethod
      * @param referenceURI
-     *
      * @return
-     *
      * @throws GeneralSecurityException
      * @throws XMLSignatureException
      * @throws MarshalException
@@ -361,9 +356,7 @@ public static Document sign(Document doc, String keyName, KeyPair keyPair, Strin
      * @param digestMethod
      * @param signatureMethod
      * @param referenceURI
-     *
      * @return
-     *
      * @throws GeneralSecurityException
      * @throws XMLSignatureException
      * @throws MarshalException
@@ -388,9 +381,7 @@ public static Document sign(Document doc, String keyName, KeyPair keyPair, Strin
     /**
      * Sign the root element
      *
-     *
      * @return
-     *
      * @throws GeneralSecurityException
      * @throws XMLSignatureException
      * @throws MarshalException
@@ -445,7 +436,7 @@ public static boolean validate(Document signedDoc, final KeyLocator locator) thr
         boolean signatureValid = true;
         for (int i = 0; i < nl.getLength(); i++) {
             Node signatureNode = nl.item(i);
-            logger.debug("Validating signature node #%d: %s".formatted((i + 1),  signatureNode.getLocalName()));
+            logger.debug("Validating signature node #%d: %s".formatted((i + 1), signatureNode.getLocalName()));
 
             boolean nodeSignatureValid = validateSingleNode(signatureNode, locator, signedNodes);
             if (nodeSignatureValid) {
@@ -563,7 +554,6 @@ private static boolean validateUsingKeySelector(Node signatureNode, KeySelector
      *
      * @param signature
      * @param os
-     *
      * @throws SAXException
      * @throws JAXBException
      */
@@ -580,7 +570,6 @@ public static void marshall(SignatureType signature, OutputStream os) throws JAX
      *
      * @param signedDocument
      * @param os
-     *
      * @throws TransformerException
      */
     public static void marshall(Document signedDocument, OutputStream os) throws TransformerException {
@@ -593,10 +582,8 @@ public static void marshall(Document signedDocument, OutputStream os) throws Tra
      * Given the X509Certificate in the keyinfo element, get a {@link X509Certificate}
      *
      * @param certificateString
-     *
      * @return
-     *
-     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     * @throws ProcessingException
      */
     public static X509Certificate getX509CertificateFromKeyInfoString(String certificateString) throws ProcessingException {
         X509Certificate cert = null;
@@ -622,9 +609,7 @@ public static X509Certificate getX509CertificateFromKeyInfoString(String certifi
      * Given a dsig:DSAKeyValue element, return {@link DSAKeyValueType}
      *
      * @param element
-     *
      * @return
-     *
      * @throws ProcessingException
      */
     public static DSAKeyValueType getDSAKeyValue(Element element) throws ParsingException {
@@ -663,9 +648,7 @@ public static DSAKeyValueType getDSAKeyValue(Element element) throws ParsingExce
      * Given a dsig:DSAKeyValue element, return {@link DSAKeyValueType}
      *
      * @param element
-     *
      * @return
-     *
      * @throws ProcessingException
      */
     public static RSAKeyValueType getRSAKeyValue(Element element) throws ParsingException {
@@ -698,9 +681,8 @@ public static RSAKeyValueType getRSAKeyValue(Element element) throws ParsingExce
      * </p>
      *
      * @param key the {@code PublicKey} that will be represented as a {@code KeyValueType}.
-     *
      * @return the constructed {@code KeyValueType} or {@code null} if the specified key is neither a DSA nor a RSA
-     *         key.
+     * key.
      */
     public static KeyValueType createKeyValue(PublicKey key) {
         if (key instanceof RSAPublicKey) {
diff --git a/src/main/resources/saml-extended-frontend/js/AddProvider.js b/src/main/resources/saml-extended-frontend/js/AddProvider.js
index e27ccbf..0d53232 100644
--- a/src/main/resources/saml-extended-frontend/js/AddProvider.js
+++ b/src/main/resources/saml-extended-frontend/js/AddProvider.js
@@ -3,7 +3,7 @@ import_data.addEventListener('click', async (event) => {
     event.preventDefault();
     let alias = alias_input.value;
     keycloak.updateToken(300).then(async (bool) => {
-
+        
         if (bool) {
             let isValid = true;
             hasFocused = false;
@@ -21,20 +21,20 @@ import_data.addEventListener('click', async (event) => {
             { handleValidInput(samlEntityDescriptor_input, samlEntityDescriptor_errorMessage_URL,"");
             }
             handleValidInput(Single_Sign_On_Service_URL_input, errorMessage_URL,"");
-
-
-
+            
+            
+            
             if (!isValid)
             {return}
             var newAccessToken = keycloak.token;
-
+            
             const checkPluginResponse = await fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias}`, {
                 method: 'GET',
                 headers: {
                     'Authorization': `Bearer ${newAccessToken}`
                 }
             });
-
+            
             if (checkPluginResponse.ok) {
                 alias_input.classList.remove('input_text');
                 alias_input.classList.add('red-border');
@@ -55,7 +55,7 @@ import_data.addEventListener('click', async (event) => {
                         fromUrl: `${samlEntityDescriptor.value}`
                     })
                 });
-
+                
                 if (updatePluginResponse.ok) {
                     const config = await updatePluginResponse.json();
                     samlEntityDescriptor_input.classList.remove('red-border');
@@ -64,13 +64,13 @@ import_data.addEventListener('click', async (event) => {
                     importClicked = true;
                     document.getElementById("submit").disabled = false
                     var data =
-                        {"alias": alias, "enabled": "true",
-                        "providerId": "saml-extended", "config": {
-                                "allowCreate": "true",
-                                ...config
-                    }
-
-                        };
+                      {"alias": alias, "enabled": "true",
+                          "providerId": "saml-extended", "config": {
+                              "allowCreate": "true",
+                              ...config
+                          }
+                          
+                      };
                     var script = document.createElement('script');
                     localStorage.setItem('pluginData', JSON.stringify(data));
                     script.src = '../../samlconfig/js/InfoUpdaterAdd';
@@ -102,21 +102,21 @@ add.addEventListener('click', () => {
         else
         { handleValidInput(samlEntityDescriptor_input, samlEntityDescriptor_errorMessage_URL,"");
         }
-
-            if (!Single_Sign_On_Service_URL_input.value || !Single_Sign_On_Service_URL_input.value.startsWith("https://")) {
-                handleInvalidInput(Single_Sign_On_Service_URL_input, errorMessage_URL, "Enter a valid URL");
-                isValid = false;
-            } else {
-                handleValidInput(Single_Sign_On_Service_URL_input, errorMessage_URL,"");
-            }
-
-            if (Single_Logout_Service_URL_input.value && !Single_Logout_Service_URL_input.value.startsWith("https://")) {
-                handleInvalidInput(Single_Logout_Service_URL_input, errorMessage_URL_logout, "Enter a valid URL");
-                isValid = false;
-            } else {
-                handleValidInput(Single_Logout_Service_URL_input, errorMessage_URL_logout,"");
-            }
-
+        
+        if (!Single_Sign_On_Service_URL_input.value || !Single_Sign_On_Service_URL_input.value.startsWith("https://")) {
+            handleInvalidInput(Single_Sign_On_Service_URL_input, errorMessage_URL, "Enter a valid URL");
+            isValid = false;
+        } else {
+            handleValidInput(Single_Sign_On_Service_URL_input, errorMessage_URL,"");
+        }
+        
+        if (Single_Logout_Service_URL_input.value && !Single_Logout_Service_URL_input.value.startsWith("https://")) {
+            handleInvalidInput(Single_Logout_Service_URL_input, errorMessage_URL_logout, "Enter a valid URL");
+            isValid = false;
+        } else {
+            handleValidInput(Single_Logout_Service_URL_input, errorMessage_URL_logout,"");
+        }
+        
         if (!isValid) {
             return;
         }
@@ -124,14 +124,14 @@ add.addEventListener('click', () => {
             handleInvalidInput(samlEntityDescriptor_input, samlEntityDescriptor_errorMessage_URL, "Make sure to press the import button first");
             return;
         }
-
+        
         const data = JSON.parse(localStorage.getItem('pluginData'));
-
+        
         keycloak.updateToken(300).then(async (bool) => {
             if (bool) {
                 var newAccessToken = keycloak.token;
                 var selectedrealm = localStorage.getItem('selectedRealm');
-
+                
                 const updatePluginResponse = await fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances`, {
                     method: 'POST',
                     headers: {
@@ -140,7 +140,7 @@ add.addEventListener('click', () => {
                     },
                     body: JSON.stringify(data),
                 });
-
+                
                 if (updatePluginResponse.ok) {
                     alert("Plugin added successfully.");
                     window.location.href = `${editprovider}`;
@@ -172,12 +172,12 @@ add.addEventListener('click', () => {
             var element = document.querySelector(selector);
             return element ? element.value.trim() : null;
         }
-
+        
         var serviceName = getValueFromElement('.serviceName');
         var attributeValue = getValueFromElement('.attributeValue');
         var friendlyName = getValueFromElement('.friendlyName');
         var attributeName = getValueFromElement('.attributeName');
-
+        
         var Single_Sign_On_Service_URL = Single_Sign_On_Service_URL_input.value;
         var Single_Logout_Service_URL = Single_Logout_Service_URL_input.value;
         var nameIdPolicy = nameIdPolicy_input.value;
@@ -200,6 +200,7 @@ add.addEventListener('click', () => {
                 "postBindingLogout": httpPostBindingLogout.value,
                 "authnContextClassRefs": authnContextClassRefs.length > 0 ? JSON.stringify(authnContextClassRefs) : undefined,
                 "postBindingResponse": httpPostBindingResponse.value,
+                "artifactBindingResponse": artifactBindingResponse.value,
                 "singleLogoutServiceUrl": Single_Logout_Service_URL,
                 "authnContextDeclRefs": authnContextDeclRefs.length > 0 ? JSON.stringify(authnContextDeclRefs) : undefined,
                 "backchannelSupported": backchannel.value,
@@ -246,106 +247,106 @@ add.addEventListener('click', () => {
                 "enabledFromMetadata": useEntityDescriptor.value,
                 "metadataDescriptorUrl": samlEntityDescriptor_input.value,
                 "attributeConsumingServiceMetadata":attributeServicesArray.length > 0 ? JSON.stringify(attributeServicesArray) : undefined
-
+                
             }}
-
-            let isValid = true;
-            hasFocused = false;
-            if (!alias_input.value) {
-                handleInvalidInput(alias_input, errorMessage, "Required field !");
-                isValid = false;
-            } else {
-                handleValidInput(alias_input, errorMessage,"");
-            }
-
-            if (!Single_Sign_On_Service_URL_input.value || !Single_Sign_On_Service_URL_input.value.startsWith("https://")) {
-                handleInvalidInput(Single_Sign_On_Service_URL_input, errorMessage_URL, "Enter a valid URL");
-                isValid = false;
-            } else {
-                handleValidInput(Single_Sign_On_Service_URL_input, errorMessage_URL,"");
-            }
-
-            if (Single_Logout_Service_URL_input.value && !Single_Logout_Service_URL_input.value.startsWith("https://")) {
-                handleInvalidInput(Single_Logout_Service_URL_input, errorMessage_URL_logout, "Enter a valid URL");
-                isValid = false;
-            } else {
-                handleValidInput(Single_Logout_Service_URL_input, errorMessage_URL_logout,"");
-            }
-
-            if (!isValid) {
-                return;
+        
+        let isValid = true;
+        hasFocused = false;
+        if (!alias_input.value) {
+            handleInvalidInput(alias_input, errorMessage, "Required field !");
+            isValid = false;
+        } else {
+            handleValidInput(alias_input, errorMessage,"");
+        }
+        
+        if (!Single_Sign_On_Service_URL_input.value || !Single_Sign_On_Service_URL_input.value.startsWith("https://")) {
+            handleInvalidInput(Single_Sign_On_Service_URL_input, errorMessage_URL, "Enter a valid URL");
+            isValid = false;
+        } else {
+            handleValidInput(Single_Sign_On_Service_URL_input, errorMessage_URL,"");
+        }
+        
+        if (Single_Logout_Service_URL_input.value && !Single_Logout_Service_URL_input.value.startsWith("https://")) {
+            handleInvalidInput(Single_Logout_Service_URL_input, errorMessage_URL_logout, "Enter a valid URL");
+            isValid = false;
+        } else {
+            handleValidInput(Single_Logout_Service_URL_input, errorMessage_URL_logout,"");
+        }
+        
+        if (!isValid) {
+            return;
+        }
+        
+        removeEmptyStrings(data);
+        
+        const configKeys = Object.keys(data.config);
+        for (const key of configKeys) {
+            if (typeof data.config[key] === 'string' && data.config[key].trim() === "") {
+                delete data.config[key];
             }
-
-    removeEmptyStrings(data);
-
-    const configKeys = Object.keys(data.config);
-    for (const key of configKeys) {
-        if (typeof data.config[key] === 'string' && data.config[key].trim() === "") {
-            delete data.config[key];
         }
-    }
-    if (Array.isArray(data.config.authnContextClassRefs) && data.config.authnContextClassRefs.length === 0) {
-        delete data.config.authnContextClassRefs;
-    }
-
-    if (Array.isArray(data.config.authnContextDeclRefs) && data.config.authnContextDeclRefs.length === 0) {
-        delete data.config.authnContextDeclRefs;
-    }
-
-    // Update token and execute the following code when the token is successfully updated 
-    keycloak.updateToken(300).then((bool) => {
-        if (bool) {
-
-            // Code to be executed after token update 
-            var newAccessToken = keycloak.token;
-           var selectedrealm= localStorage.getItem('selectedRealm');
-            // Sending a GET request to check if the plugin exists
-            fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias}`, {
-                method: 'GET',
-                headers: {
-                    'Authorization': ` Bearer ${newAccessToken}`, // Fix here
-                },
-            })
-                .then(async checkPluginResponse => {
-                    if (checkPluginResponse.ok) {
-                        handleInvalidInput(alias_input, errorMessage, "Choose a unique *alias* that does not exist");
-                        alert(`Could not create the identity provider: Identity Provider "${alias}" already exists.`);
-                        // Add your logic for updating the existing plugin if needed 
-                    } else if (checkPluginResponse.status === 404) {
-                        // Plugin not found, add it using a POST request 
-                        const updatePluginResponse = await fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances`, {
-                            method: 'POST',
-                            headers: {
-                                'Authorization': ` Bearer ${newAccessToken}`, // Fix here
-                                'Content-Type': 'application/json',
-                            },
-                            body: JSON.stringify(data),
-                        }
-
-                        );
-
-                        // Handle the response of the POST request 
-                        if (updatePluginResponse.ok) {
-                            alert("Plugin added successfully.");
-                            window.location.href =`${editprovider}`;
-                            localStorage.setItem('pluginData', JSON.stringify(data));
-                            localStorage.setItem('pluginalias', pluginData.alias);
-                            getAllPlugins(newAccessToken,selectedrealm);
-                        } else {
-                            console.error('Failed to add plugin:', updatePluginResponse.status, updatePluginResponse.statusText);
-                            alert("Failed to add plugin");
-                        }
-                    } else {
-                        // If there is another status, an error occurred 
-                        console.error(`Failed to retrieve the plugin. Response: ${checkPluginResponse.statusText}`);
-                        alert("Failed to retrieve the plugin");
-                        throw new Error(`Failed to retrieve the plugin. Response: ${checkPluginResponse.statusText}`);
-                    }
-                })
-                .catch(error => {
-                    console.error('Error during the process:', error);
-                });
+        if (Array.isArray(data.config.authnContextClassRefs) && data.config.authnContextClassRefs.length === 0) {
+            delete data.config.authnContextClassRefs;
         }
-
-    });
-}});
+        
+        if (Array.isArray(data.config.authnContextDeclRefs) && data.config.authnContextDeclRefs.length === 0) {
+            delete data.config.authnContextDeclRefs;
+        }
+        
+        // Update token and execute the following code when the token is successfully updated
+        keycloak.updateToken(300).then((bool) => {
+            if (bool) {
+                
+                // Code to be executed after token update
+                var newAccessToken = keycloak.token;
+                var selectedrealm= localStorage.getItem('selectedRealm');
+                // Sending a GET request to check if the plugin exists
+                fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias}`, {
+                    method: 'GET',
+                    headers: {
+                        'Authorization': ` Bearer ${newAccessToken}`, // Fix here
+                    },
+                })
+                  .then(async checkPluginResponse => {
+                      if (checkPluginResponse.ok) {
+                          handleInvalidInput(alias_input, errorMessage, "Choose a unique *alias* that does not exist");
+                          alert(`Could not create the identity provider: Identity Provider "${alias}" already exists.`);
+                          // Add your logic for updating the existing plugin if needed
+                      } else if (checkPluginResponse.status === 404) {
+                          // Plugin not found, add it using a POST request
+                          const updatePluginResponse = await fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances`, {
+                                method: 'POST',
+                                headers: {
+                                    'Authorization': ` Bearer ${newAccessToken}`, // Fix here
+                                    'Content-Type': 'application/json',
+                                },
+                                body: JSON.stringify(data),
+                            }
+                          
+                          );
+                          
+                          // Handle the response of the POST request
+                          if (updatePluginResponse.ok) {
+                              alert("Plugin added successfully.");
+                              window.location.href =`${editprovider}`;
+                              localStorage.setItem('pluginData', JSON.stringify(data));
+                              localStorage.setItem('pluginalias', pluginData.alias);
+                              getAllPlugins(newAccessToken,selectedrealm);
+                          } else {
+                              console.error('Failed to add plugin:', updatePluginResponse.status, updatePluginResponse.statusText);
+                              alert("Failed to add plugin");
+                          }
+                      } else {
+                          // If there is another status, an error occurred
+                          console.error(`Failed to retrieve the plugin. Response: ${checkPluginResponse.statusText}`);
+                          alert("Failed to retrieve the plugin");
+                          throw new Error(`Failed to retrieve the plugin. Response: ${checkPluginResponse.statusText}`);
+                      }
+                  })
+                  .catch(error => {
+                      console.error('Error during the process:', error);
+                  });
+            }
+            
+        });
+    }});
diff --git a/src/main/resources/saml-extended-frontend/js/CheckBoxControllerAddProvider.js b/src/main/resources/saml-extended-frontend/js/CheckBoxControllerAddProvider.js
index 640e2a7..cfca2d5 100644
--- a/src/main/resources/saml-extended-frontend/js/CheckBoxControllerAddProvider.js
+++ b/src/main/resources/saml-extended-frontend/js/CheckBoxControllerAddProvider.js
@@ -2,228 +2,228 @@
 document.addEventListener('DOMContentLoaded', function() {
     const formElements = document.getElementById('GeneralSetting').elements;
     samlEntityDescriptor.addEventListener('input', function() {
-    if (samlEntityDescriptor.value.trim() !== '') {
-        import_data.style.display = 'block';
-    } else {
-        import_data.style.display = 'none';
-    }
-});
-
-document.getElementById('showMetadataLink').addEventListener('click', function(event) {
-    event.preventDefault();
-    var data = document.getElementById('data');
-    if (data.style.display === 'none'|| data.style.display === '') {
-        data.style.display = 'block';
-        this.textContent = 'Hide Metadata';
-    } else {
-        data.style.display = 'none';
-        this.textContent = 'Show Metadata';
-    }
-});
-const useEntityDescriptor = document.getElementById("useEntityDescriptor");
-const entityDes=document.getElementById("entityDes")
-const showMetadataLink=document.getElementById("showMetadataLink")
-useEntityDescriptor.addEventListener("change", function () {
-    var data = document.getElementById('data');
-    if (useEntityDescriptor.checked) {
-        useEntityDescriptor.value = "true";
-        data.style.display = 'none';
-        entityDes.style.display='block'
-        showMetadataLink.style.display='block'
-        for (var i = 0; i < formElements.length; i++) {
-            formElements[i].readOnly = true;
-            formElements[i].disabled = true; // for select elements
+        if (samlEntityDescriptor.value.trim() !== '') {
+            import_data.style.display = 'block';
+        } else {
+            import_data.style.display = 'none';
         }
-
-    } else {
-        for (var i = 0; i < formElements.length; i++) {
-            formElements[i].readOnly = false;
-            formElements[i].disabled = false; // for select elements
+    });
+    
+    document.getElementById('showMetadataLink').addEventListener('click', function(event) {
+        event.preventDefault();
+        var data = document.getElementById('data');
+        if (data.style.display === 'none'|| data.style.display === '') {
+            data.style.display = 'block';
+            this.textContent = 'Hide Metadata';
+        } else {
+            data.style.display = 'none';
+            this.textContent = 'Show Metadata';
         }
-        useEntityDescriptor.value = "false";
-        data.style.display = 'block';
-        entityDes.style.display='none'
-        showMetadataLink.style.display='none'
-    }
-});
-
-const backchannel = document.getElementById("backchannel");
-storedData = localStorage.getItem('pluginData');
-var pluginData = JSON.parse(storedData);
-
-
-const enabled = document.getElementById("enabled");
-enabled.addEventListener("change", function () {
-    handleCheckboxValue(enabled);
-
-});
-
-const ArtifactResolutionService_in_metadata = document.getElementById("ArtifactResolutionService_in_metadata");
-ArtifactResolutionService_in_metadata.addEventListener("change", function () {
-    handleCheckboxValue(ArtifactResolutionService_in_metadata);
-});
-
-backchannel.addEventListener("change", function () {
-    handleCheckboxValue(backchannel);
-});
-
-
-const allowCreate = document.getElementById("allowCreate");
-allowCreate.addEventListener("change", function () {
-    handleCheckboxValue(allowCreate);
-
-});
-
-
-
-
-const httpPostBindingResponse = document.getElementById("httpPostBindingResponse");
-httpPostBindingResponse.addEventListener("change", function () {
-    handleCheckboxValue(httpPostBindingResponse);
-});
-
-
-
-
-
-
-const httpPostBindingAuthnRequest = document.getElementById("httpPostBindingAuthnRequest");
-httpPostBindingAuthnRequest.addEventListener("change", function () {
-    handleCheckboxValue(httpPostBindingAuthnRequest);
-
-});
-
-const httpPostBindingLogout = document.getElementById("httpPostBindingLogout");
-httpPostBindingLogout.addEventListener("change", function () {
-    handleCheckboxValue(httpPostBindingLogout);
-
-});
-
-
-const wantAssertionsSigned = document.getElementById("wantAssertionsSigned");
-wantAssertionsSigned.addEventListener("change", function () {
-    handleCheckboxValue(wantAssertionsSigned);
-
-});
-
-
-const wantAssertionsEncrypted = document.getElementById("wantAssertionsEncrypted");
-wantAssertionsEncrypted.addEventListener("change", function () {
-    handleCheckboxValue(wantAssertionsEncrypted);
-
-});
-
-
-const forceAuthentication = document.getElementById("forceAuthentication");
-forceAuthentication.addEventListener("change", function () {
-    handleCheckboxValue(forceAuthentication);
-
-});
-
-
-
-const signMetadata = document.getElementById("signMetadata");
-signMetadata.addEventListener("change", function () {
-    handleCheckboxValue(signMetadata);
-
-});
-
-
-const passSubject = document.getElementById("passSubject");
-passSubject.addEventListener("change", function () {
-    handleCheckboxValue(passSubject);
-
-});
-
-
-const storeToken = document.getElementById("storeToken");
-storeToken.addEventListener("change", function () {
-    handleCheckboxValue(storeToken);
-
-});
-const id_token_hint=document.getElementById("id_token_hint");
+    });
+    const useEntityDescriptor = document.getElementById("useEntityDescriptor");
+    const entityDes=document.getElementById("entityDes")
+    const showMetadataLink=document.getElementById("showMetadataLink")
+    useEntityDescriptor.addEventListener("change", function () {
+        var data = document.getElementById('data');
+        if (useEntityDescriptor.checked) {
+            useEntityDescriptor.value = "true";
+            data.style.display = 'none';
+            entityDes.style.display='block'
+            showMetadataLink.style.display='block'
+            for (var i = 0; i < formElements.length; i++) {
+                formElements[i].readOnly = true;
+                formElements[i].disabled = true; // for select elements
+            }
+            
+        } else {
+            for (var i = 0; i < formElements.length; i++) {
+                formElements[i].readOnly = false;
+                formElements[i].disabled = false; // for select elements
+            }
+            useEntityDescriptor.value = "false";
+            data.style.display = 'block';
+            entityDes.style.display='none'
+            showMetadataLink.style.display='none'
+        }
+    });
+    
+    const backchannel = document.getElementById("backchannel");
+    storedData = localStorage.getItem('pluginData');
+    var pluginData = JSON.parse(storedData);
+    
+    
+    const enabled = document.getElementById("enabled");
+    enabled.addEventListener("change", function () {
+        handleCheckboxValue(enabled);
+        
+    });
+    
+    const ArtifactResolutionService_in_metadata = document.getElementById("ArtifactResolutionService_in_metadata");
+    ArtifactResolutionService_in_metadata.addEventListener("change", function () {
+        handleCheckboxValue(ArtifactResolutionService_in_metadata);
+    });
+    
+    backchannel.addEventListener("change", function () {
+        handleCheckboxValue(backchannel);
+    });
+    
+    
+    const allowCreate = document.getElementById("allowCreate");
+    allowCreate.addEventListener("change", function () {
+        handleCheckboxValue(allowCreate);
+        
+    });
+    
+    
+    
+    
+    const httpPostBindingResponse = document.getElementById("httpPostBindingResponse");
+    httpPostBindingResponse.addEventListener("change", function () {
+        handleCheckboxValue(httpPostBindingResponse);
+    });
+    
+    const artifactBindingResponse = document.getElementById("artifactBindingResponse");
+    artifactBindingResponse.addEventListener("change", function () {
+        handleCheckboxValue(artifactBindingResponse);
+    });
+    
+    const httpPostBindingAuthnRequest = document.getElementById("httpPostBindingAuthnRequest");
+    httpPostBindingAuthnRequest.addEventListener("change", function () {
+        handleCheckboxValue(httpPostBindingAuthnRequest);
+        
+    });
+    
+    const httpPostBindingLogout = document.getElementById("httpPostBindingLogout");
+    httpPostBindingLogout.addEventListener("change", function () {
+        handleCheckboxValue(httpPostBindingLogout);
+        
+    });
+    
+    
+    const wantAssertionsSigned = document.getElementById("wantAssertionsSigned");
+    wantAssertionsSigned.addEventListener("change", function () {
+        handleCheckboxValue(wantAssertionsSigned);
+        
+    });
+    
+    
+    const wantAssertionsEncrypted = document.getElementById("wantAssertionsEncrypted");
+    wantAssertionsEncrypted.addEventListener("change", function () {
+        handleCheckboxValue(wantAssertionsEncrypted);
+        
+    });
+    
+    
+    const forceAuthentication = document.getElementById("forceAuthentication");
+    forceAuthentication.addEventListener("change", function () {
+        handleCheckboxValue(forceAuthentication);
+        
+    });
+    
+    
+    
+    const signMetadata = document.getElementById("signMetadata");
+    signMetadata.addEventListener("change", function () {
+        handleCheckboxValue(signMetadata);
+        
+    });
+    
+    
+    const passSubject = document.getElementById("passSubject");
+    passSubject.addEventListener("change", function () {
+        handleCheckboxValue(passSubject);
+        
+    });
+    
+    
+    const storeToken = document.getElementById("storeToken");
+    storeToken.addEventListener("change", function () {
+        handleCheckboxValue(storeToken);
+        
+    });
+    const id_token_hint=document.getElementById("id_token_hint");
     id_token_hint.addEventListener("change", function () {
         handleCheckboxValue(id_token_hint);
-
+        
     });
-   const client_id_in_logout_requests=document.getElementById("client_id_in_logout_requests")
+    const client_id_in_logout_requests=document.getElementById("client_id_in_logout_requests")
     client_id_in_logout_requests.addEventListener("change", function () {
         handleCheckboxValue(client_id_in_logout_requests);
-
+        
     });
-
-const storedTokensReadable = document.getElementById("storedTokensReadable");
-storedTokensReadable.addEventListener("change", function () {
-    handleCheckboxValue(storedTokensReadable);
-
-});
-
-
-const trustEmail = document.getElementById("trustEmail");
-trustEmail.addEventListener("change", function () {
-    handleCheckboxValue(trustEmail);
-
-});
-
-
-
-
-const accountLinkingOnly = document.getElementById("accountLinkingOnly");
-accountLinkingOnly.addEventListener("change", function () {
-    handleCheckboxValue(accountLinkingOnly);
-
-});
-
-
-const hideLoginPage = document.getElementById("hideLoginPage");
-hideLoginPage.addEventListener("change", function () {
-    handleCheckboxValue(hideLoginPage);
-
-});
-
-
-var SignatureAlgorithm = document.getElementById("SignatureAlgorithm");
-var SAMLSignatureKeyName = document.getElementById("SAMLSignatureKeyName");
-
-const wantAuthnRequestsSigned = document.getElementById("wantAuthnRequestsSigned");
-wantAuthnRequestsSigned.addEventListener("change", function () {
-    if (wantAuthnRequestsSigned.checked) {
-        wantAuthnRequestsSigned.value = true;
-        SignatureAlgorithm.removeAttribute("disabled");
-        SAMLSignatureKeyName.removeAttribute("disabled");
-        encryption_algorithm.removeAttribute("disabled");
-
-    }
-    else {
-        wantAuthnRequestsSigned.value = false;
-        SignatureAlgorithm.setAttribute("disabled", "true");
-        SAMLSignatureKeyName.setAttribute("disabled", "true");
-        encryption_algorithm.setAttribute("disabled", "true");
-
-
-        ;
-    }
-});
-
-
+    
+    const storedTokensReadable = document.getElementById("storedTokensReadable");
+    storedTokensReadable.addEventListener("change", function () {
+        handleCheckboxValue(storedTokensReadable);
+        
+    });
+    
+    
+    const trustEmail = document.getElementById("trustEmail");
+    trustEmail.addEventListener("change", function () {
+        handleCheckboxValue(trustEmail);
+        
+    });
+    
+    
+    
+    
+    const accountLinkingOnly = document.getElementById("accountLinkingOnly");
+    accountLinkingOnly.addEventListener("change", function () {
+        handleCheckboxValue(accountLinkingOnly);
+        
+    });
+    
+    
+    const hideLoginPage = document.getElementById("hideLoginPage");
+    hideLoginPage.addEventListener("change", function () {
+        handleCheckboxValue(hideLoginPage);
+        
+    });
+    
+    
+    var SignatureAlgorithm = document.getElementById("SignatureAlgorithm");
+    var SAMLSignatureKeyName = document.getElementById("SAMLSignatureKeyName");
+    
+    const wantAuthnRequestsSigned = document.getElementById("wantAuthnRequestsSigned");
+    wantAuthnRequestsSigned.addEventListener("change", function () {
+        if (wantAuthnRequestsSigned.checked) {
+            wantAuthnRequestsSigned.value = true;
+            SignatureAlgorithm.removeAttribute("disabled");
+            SAMLSignatureKeyName.removeAttribute("disabled");
+            encryption_algorithm.removeAttribute("disabled");
+            
+        }
+        else {
+            wantAuthnRequestsSigned.value = false;
+            SignatureAlgorithm.setAttribute("disabled", "true");
+            SAMLSignatureKeyName.setAttribute("disabled", "true");
+            encryption_algorithm.setAttribute("disabled", "true");
+            
+            
+            ;
+        }
+    });
+    
+    
     const deleteButtonsClassRefs = document.querySelectorAll(".delete");
     const addButtonClassRefs = document.getElementById("addClassRefs");
     const ClassRefs_items = document.getElementById("ClassRefs_items");
-
+    
     deleteButtonsClassRefs.forEach(function (button) {
         button.style.display = "inline";});
-
+    
     addButtonClassRefs.addEventListener("click", function (e) {
         deleteButtonsClassRefs.forEach(function (button) {
             button.style.display = "inline";
         });
-
+        
         const newItem = document.createElement("div");
         newItem.className = "next-referral col-4";
         newItem.innerHTML = '<input name="textinputClassRefs" type="text" class="input_text">';
         ClassRefs_items.appendChild(newItem);
     });
-
+    
     document.body.addEventListener("click", function (e) {
         if (e.target.classList.contains("delete")) {
             e.preventDefault();
@@ -240,39 +240,39 @@ wantAuthnRequestsSigned.addEventListener("change", function () {
     });
 });
 
-    const deleteButtonsDeclRefs = document.querySelectorAll(".delete1");
-    const addButtonDeclRefs = document.getElementById("addDeclRefs");
-    const DeclRefs_items = document.getElementById("DeclRefs_items");
+const deleteButtonsDeclRefs = document.querySelectorAll(".delete1");
+const addButtonDeclRefs = document.getElementById("addDeclRefs");
+const DeclRefs_items = document.getElementById("DeclRefs_items");
+
+deleteButtonsDeclRefs.forEach(function (button) {
+    button.style.display = "inline";
+});
 
+addButtonDeclRefs.addEventListener("click", function (e) {
     deleteButtonsDeclRefs.forEach(function (button) {
         button.style.display = "inline";
     });
+    
+    const newItem = document.createElement("div");
+    newItem.className = "next-referral col-4";
+    newItem.innerHTML = '<input name="textinputDeclRefs" type="text" class="input_text">';
+    DeclRefs_items.appendChild(newItem);
+});
 
-    addButtonDeclRefs.addEventListener("click", function (e) {
-        deleteButtonsDeclRefs.forEach(function (button) {
-            button.style.display = "inline";
-        });
-
-        const newItem = document.createElement("div");
-        newItem.className = "next-referral col-4";
-        newItem.innerHTML = '<input name="textinputDeclRefs" type="text" class="input_text">';
-        DeclRefs_items.appendChild(newItem);
-    });
-
-    document.body.addEventListener("click", function (e) {
-        if (e.target.classList.contains("delete1")) {
-            e.preventDefault();
-            const items = DeclRefs_items.querySelectorAll(".next-referral");
-            if (items.length > 0) {
-                items[items.length - 1].remove();
-                deleteButtonsDeclRefs.forEach(function (button, index) {
-                    if (index === items.length - 1) {
-                        button.style.display = "inline";
-                    }
-                });
-            }
+document.body.addEventListener("click", function (e) {
+    if (e.target.classList.contains("delete1")) {
+        e.preventDefault();
+        const items = DeclRefs_items.querySelectorAll(".next-referral");
+        if (items.length > 0) {
+            items[items.length - 1].remove();
+            deleteButtonsDeclRefs.forEach(function (button, index) {
+                if (index === items.length - 1) {
+                    button.style.display = "inline";
+                }
+            });
         }
-
+    }
+    
 });
 
 
@@ -284,8 +284,8 @@ validateSignatures.addEventListener("change", function () {
     if (validateSignatures.checked) {
         validateSignatures.value = true;
         additionalField1.removeAttribute("disabled");
-
-
+        
+        
     }
     else {
         validateSignatures.value = false;
@@ -298,31 +298,31 @@ var Artifact_Resolution = document.getElementById("Artifact_Resolution");
 
 
 Artifact_Resolution.addEventListener("change", function () {
-    if (Artifact_Resolution.checked) {
-        Artifact_Resolution.value = true;
-        additionalField_endpoint.removeAttribute("disabled");
-
-    }
-    else {
-        Artifact_Resolution.value = false;
-        additionalField_endpoint.setAttribute("disabled", "true");
-        additionalField_endpoint.value = '';
-        ;
-    }
-}
+      if (Artifact_Resolution.checked) {
+          Artifact_Resolution.value = true;
+          additionalField_endpoint.removeAttribute("disabled");
+          
+      }
+      else {
+          Artifact_Resolution.value = false;
+          additionalField_endpoint.setAttribute("disabled", "true");
+          additionalField_endpoint.value = '';
+          ;
+      }
+  }
 );
 
 
 const Sign_Artifact_Resolution_Request = document.getElementById("Sign_Artifact_Resolution_Request");
 Sign_Artifact_Resolution_Request.addEventListener("change", function () {
     handleCheckboxValue(Sign_Artifact_Resolution_Request);
-
+    
 });
 
 const ArtifactResolution_via_HTTP_ARTIFACT = document.getElementById("ArtifactResolution_via_HTTP_ARTIFACT");
 ArtifactResolution_via_HTTP_ARTIFACT.addEventListener("change", function () {
     handleCheckboxValue(ArtifactResolution_via_HTTP_ARTIFACT);
-
+    
 });
 
 
@@ -330,7 +330,7 @@ ArtifactResolution_via_HTTP_ARTIFACT.addEventListener("change", function () {
 const Artifact_Resolution_with_SOAP = document.getElementById("Artifact_Resolution_with_SOAP");
 Artifact_Resolution_with_SOAP.addEventListener("change", function () {
     handleCheckboxValue(Artifact_Resolution_with_SOAP);
-
+    
 });
 
 
@@ -338,7 +338,7 @@ Artifact_Resolution_with_SOAP.addEventListener("change", function () {
 const Artifact_Resolution_with_XML_header = document.getElementById("Artifact_Resolution_with_XML_header");
 Artifact_Resolution_with_XML_header.addEventListener("change", function () {
     handleCheckboxValue(Artifact_Resolution_with_XML_header);
-
+    
 });
 
 
@@ -350,11 +350,11 @@ Mutual_TLS.addEventListener("change", function () {
 principalType_input.addEventListener('change', function () {
     if (principalType_input.value == "ATTRIBUTE" || principalType_input.value == "FRIENDLY_ATTRIBUTE") {
         principalAttribute_input.removeAttribute("disabled");
-
+        
     } else {
         principalAttribute_input.value = '';
         principalAttribute_input.setAttribute("disabled", "true");
-
+        
     }
-
+    
 });
diff --git a/src/main/resources/saml-extended-frontend/js/CheckBoxControllerEditProvider.js b/src/main/resources/saml-extended-frontend/js/CheckBoxControllerEditProvider.js
index 1ef3631..f2d8223 100644
--- a/src/main/resources/saml-extended-frontend/js/CheckBoxControllerEditProvider.js
+++ b/src/main/resources/saml-extended-frontend/js/CheckBoxControllerEditProvider.js
@@ -1,368 +1,365 @@
 
 
 document.addEventListener('DOMContentLoaded', function() {
-storedData = localStorage.getItem('pluginData');
-var pluginData = JSON.parse(storedData);
-backchannel.value = pluginData.config.backchannelSupported ? pluginData.config.backchannelSupported : false;
-backchannel.addEventListener("change", function () {
-    handleCheckboxValue(backchannel);
-});
-
-
-const allowCreate = document.getElementById("allowCreate");
-allowCreate.value = pluginData.config.allowCreate ? pluginData.config.allowCreate : false;
-allowCreate.addEventListener("change", function () {
-    handleCheckboxValue(allowCreate);
-});
-
-
-
-
-const httpPostBindingResponse = document.getElementById("httpPostBindingResponse");
-httpPostBindingResponse.value = pluginData.config.postBindingResponse ? pluginData.config.postBindingResponse : false;
-httpPostBindingResponse.addEventListener("change", function () {
-    handleCheckboxValue(httpPostBindingResponse);
-
-
-});
-
-
-
-
-
-
-const httpPostBindingAuthnRequest = document.getElementById("httpPostBindingAuthnRequest");
-httpPostBindingAuthnRequest.value = pluginData.config.postBindingAuthnRequest ? pluginData.config.postBindingAuthnRequest : false;
-httpPostBindingAuthnRequest.addEventListener("change", function () {
-    handleCheckboxValue(httpPostBindingAuthnRequest);
-
-});
-
-const httpPostBindingLogout = document.getElementById("httpPostBindingLogout");
-httpPostBindingLogout.value = pluginData.config.postBindingLogout ? pluginData.config.postBindingLogout : false;
-httpPostBindingLogout.addEventListener("change", function () {
-    handleCheckboxValue(httpPostBindingLogout);
-
-});
-
-
-const wantAssertionsSigned = document.getElementById("wantAssertionsSigned");
-wantAssertionsSigned.value = pluginData.config.wantAssertionsSigned ? pluginData.config.wantAssertionsSigned : false;
-wantAssertionsSigned.addEventListener("change", function () {
-    handleCheckboxValue(wantAssertionsSigned);
-
-});
-
-
-const wantAssertionsEncrypted = document.getElementById("wantAssertionsEncrypted");
-wantAssertionsEncrypted.value = pluginData.config.wantAssertionsEncrypted ? pluginData.config.wantAssertionsEncrypted : false;
-wantAssertionsEncrypted.addEventListener("change", function () {
-    handleCheckboxValue(wantAssertionsEncrypted);
-
-});
-
-
-const forceAuthentication = document.getElementById("forceAuthentication");
-forceAuthentication.value = pluginData.config.forceAuthn ? pluginData.config.forceAuthn : false;
-forceAuthentication.addEventListener("change", function () {
-    handleCheckboxValue(forceAuthentication);
-});
-
-
-
-const signMetadata = document.getElementById("signMetadata");
-signMetadata.value = pluginData.config.signSpMetadata ? pluginData.config.signSpMetadata : false
-signMetadata.addEventListener("change", function () {
-    handleCheckboxValue(signMetadata);
-
-});
-
-
-const passSubject = document.getElementById("passSubject");
-passSubject.value = pluginData.config.loginHint ? pluginData.config.loginHint : false;
-passSubject.addEventListener("change", function () {
-    handleCheckboxValue(passSubject);
-
-});
-
-
-const storeToken = document.getElementById("storeToken");
-storeToken.value = pluginData.storeToken ? pluginData.storeToken : false;
-storeToken.addEventListener("change", function () {
-    handleCheckboxValue(storeToken);
-
-});
-
-
-const storedTokensReadable = document.getElementById("storedTokensReadable");
-storedTokensReadable.value = pluginData.addReadTokenRoleOnCreate ? pluginData.addReadTokenRoleOnCreate : false;
-storedTokensReadable.addEventListener("change", function () {
-    handleCheckboxValue(storedTokensReadable);
-
-});
-
+    storedData = localStorage.getItem('pluginData');
+    var pluginData = JSON.parse(storedData);
+    backchannel.value = pluginData.config.backchannelSupported ? pluginData.config.backchannelSupported : false;
+    backchannel.addEventListener("change", function () {
+        handleCheckboxValue(backchannel);
+    });
+    
+    
+    const allowCreate = document.getElementById("allowCreate");
+    allowCreate.value = pluginData.config.allowCreate ? pluginData.config.allowCreate : false;
+    allowCreate.addEventListener("change", function () {
+        handleCheckboxValue(allowCreate);
+    });
+    
+    const httpPostBindingResponse = document.getElementById("httpPostBindingResponse");
+    httpPostBindingResponse.value = pluginData.config.postBindingResponse ? pluginData.config.postBindingResponse : false;
+    httpPostBindingResponse.addEventListener("change", function () {
+        handleCheckboxValue(httpPostBindingResponse);
+    });
+    
+    const artifactBindingResponse = document.getElementById("artifactBindingResponse");
+    artifactBindingResponse.checked = pluginData.config.artifactBindingResponse === 'true';
+    artifactBindingResponse.value = artifactBindingResponse.checked;
+    artifactBindingResponse.addEventListener("change", function () {
+        handleCheckboxValue(artifactBindingResponse);
+    });
+    
+    const httpPostBindingAuthnRequest = document.getElementById("httpPostBindingAuthnRequest");
+    httpPostBindingAuthnRequest.value = pluginData.config.postBindingAuthnRequest ? pluginData.config.postBindingAuthnRequest : false;
+    httpPostBindingAuthnRequest.addEventListener("change", function () {
+        handleCheckboxValue(httpPostBindingAuthnRequest);
+        
+    });
+    
+    const httpPostBindingLogout = document.getElementById("httpPostBindingLogout");
+    httpPostBindingLogout.value = pluginData.config.postBindingLogout ? pluginData.config.postBindingLogout : false;
+    httpPostBindingLogout.addEventListener("change", function () {
+        handleCheckboxValue(httpPostBindingLogout);
+        
+    });
+    
+    
+    const wantAssertionsSigned = document.getElementById("wantAssertionsSigned");
+    wantAssertionsSigned.value = pluginData.config.wantAssertionsSigned ? pluginData.config.wantAssertionsSigned : false;
+    wantAssertionsSigned.addEventListener("change", function () {
+        handleCheckboxValue(wantAssertionsSigned);
+        
+    });
+    
+    
+    const wantAssertionsEncrypted = document.getElementById("wantAssertionsEncrypted");
+    wantAssertionsEncrypted.value = pluginData.config.wantAssertionsEncrypted ? pluginData.config.wantAssertionsEncrypted : false;
+    wantAssertionsEncrypted.addEventListener("change", function () {
+        handleCheckboxValue(wantAssertionsEncrypted);
+        
+    });
+    
+    
+    const forceAuthentication = document.getElementById("forceAuthentication");
+    forceAuthentication.value = pluginData.config.forceAuthn ? pluginData.config.forceAuthn : false;
+    forceAuthentication.addEventListener("change", function () {
+        handleCheckboxValue(forceAuthentication);
+    });
+    
+    
+    
+    const signMetadata = document.getElementById("signMetadata");
+    signMetadata.value = pluginData.config.signSpMetadata ? pluginData.config.signSpMetadata : false
+    signMetadata.addEventListener("change", function () {
+        handleCheckboxValue(signMetadata);
+        
+    });
+    
+    
+    const passSubject = document.getElementById("passSubject");
+    passSubject.value = pluginData.config.loginHint ? pluginData.config.loginHint : false;
+    passSubject.addEventListener("change", function () {
+        handleCheckboxValue(passSubject);
+        
+    });
+    
+    
+    const storeToken = document.getElementById("storeToken");
+    storeToken.value = pluginData.storeToken ? pluginData.storeToken : false;
+    storeToken.addEventListener("change", function () {
+        handleCheckboxValue(storeToken);
+        
+    });
+    
+    
+    const storedTokensReadable = document.getElementById("storedTokensReadable");
+    storedTokensReadable.value = pluginData.addReadTokenRoleOnCreate ? pluginData.addReadTokenRoleOnCreate : false;
+    storedTokensReadable.addEventListener("change", function () {
+        handleCheckboxValue(storedTokensReadable);
+        
+    });
+    
     const id_token_hint=document.getElementById("id_token_hint");
     id_token_hint.value = pluginData.config.sendIdTokenOnLogout ? pluginData.config.sendIdTokenOnLogout : false;
     id_token_hint.addEventListener("change", function () {
         handleCheckboxValue(id_token_hint);
     });
-
-const client_id_in_logout_requests=document.getElementById("client_id_in_logout_requests")
-client_id_in_logout_requests.value = pluginData.config.sendClientIdOnLogout ? pluginData.config.sendClientIdOnLogout : false;
-client_id_in_logout_requests.addEventListener("change", function () {
-    handleCheckboxValue(client_id_in_logout_requests);
-
-});
-
-const trustEmail = document.getElementById("trustEmail");
-trustEmail.value = pluginData.trustEmail ? pluginData.trustEmail : false;
-trustEmail.addEventListener("change", function () {
-    handleCheckboxValue(trustEmail);
-
-});
-
-
-
-
-const accountLinkingOnly = document.getElementById("accountLinkingOnly");
-accountLinkingOnly.value = pluginData.linkOnly ? pluginData.linkOnly : false;
-accountLinkingOnly.addEventListener("change", function () {
-    handleCheckboxValue(accountLinkingOnly);
-
-});
-
-
-const hideLoginPage = document.getElementById("hideLoginPage");
-hideLoginPage.value = pluginData.config.hideOnLoginPage ? pluginData.config.hideOnLoginPage : false;
-hideLoginPage.addEventListener("change", function () {
-    handleCheckboxValue(hideLoginPage);
-
-});
-
-
-var SignatureAlgorithm = document.getElementById("SignatureAlgorithm");
-var SAMLSignatureKeyName = document.getElementById("SAMLSignatureKeyName");
-
-const wantAuthnRequestsSigned = document.getElementById("wantAuthnRequestsSigned");
-wantAuthnRequestsSigned.value = pluginData.config.wantAuthnRequestsSigned ? pluginData.config.wantAuthnRequestsSigned : false;
-wantAuthnRequestsSigned.addEventListener("change", function () {
-    if (wantAuthnRequestsSigned.checked) {
-        wantAuthnRequestsSigned.value = true;
-        SignatureAlgorithm.removeAttribute("disabled");
-        SAMLSignatureKeyName.removeAttribute("disabled");
-        encryption_algorithm.removeAttribute("disabled");
-
-    }
-    else {
-        wantAuthnRequestsSigned.value = false;
-        SignatureAlgorithm.setAttribute("disabled", "true");
-        SAMLSignatureKeyName.setAttribute("disabled", "true");
-        encryption_algorithm.setAttribute("disabled", "true");
-
-
-        ;
-    }
-});
-
-const ArtifactResolutionService_in_metadata = document.getElementById("ArtifactResolutionService_in_metadata");
-ArtifactResolutionService_in_metadata.value = pluginData.config.includeArtifactResolutionServiceMetadata ? pluginData.config.includeArtifactResolutionServiceMetadata : false;
-ArtifactResolutionService_in_metadata.addEventListener("change", function () {
-    handleCheckboxValue(ArtifactResolutionService_in_metadata);
-
-});
-
-document.addEventListener("DOMContentLoaded", function () {
-    const deleteButtonsClassRefs = document.querySelectorAll(".delete");
-    const addButtonClassRefs = document.getElementById("addClassRefs");
-    const ClassRefs_items = document.getElementById("ClassRefs_items");
-
-    deleteButtonsClassRefs.forEach(function (button) {
-        button.style.display = "inline";
+    
+    const client_id_in_logout_requests=document.getElementById("client_id_in_logout_requests")
+    client_id_in_logout_requests.value = pluginData.config.sendClientIdOnLogout ? pluginData.config.sendClientIdOnLogout : false;
+    client_id_in_logout_requests.addEventListener("change", function () {
+        handleCheckboxValue(client_id_in_logout_requests);
+        
     });
-
-    addButtonClassRefs.addEventListener("click", function (e) {
+    
+    const trustEmail = document.getElementById("trustEmail");
+    trustEmail.value = pluginData.trustEmail ? pluginData.trustEmail : false;
+    trustEmail.addEventListener("change", function () {
+        handleCheckboxValue(trustEmail);
+        
+    });
+    
+    
+    
+    
+    const accountLinkingOnly = document.getElementById("accountLinkingOnly");
+    accountLinkingOnly.value = pluginData.linkOnly ? pluginData.linkOnly : false;
+    accountLinkingOnly.addEventListener("change", function () {
+        handleCheckboxValue(accountLinkingOnly);
+        
+    });
+    
+    
+    const hideLoginPage = document.getElementById("hideLoginPage");
+    hideLoginPage.value = pluginData.config.hideOnLoginPage ? pluginData.config.hideOnLoginPage : false;
+    hideLoginPage.addEventListener("change", function () {
+        handleCheckboxValue(hideLoginPage);
+        
+    });
+    
+    
+    var SignatureAlgorithm = document.getElementById("SignatureAlgorithm");
+    var SAMLSignatureKeyName = document.getElementById("SAMLSignatureKeyName");
+    
+    const wantAuthnRequestsSigned = document.getElementById("wantAuthnRequestsSigned");
+    wantAuthnRequestsSigned.value = pluginData.config.wantAuthnRequestsSigned ? pluginData.config.wantAuthnRequestsSigned : false;
+    wantAuthnRequestsSigned.addEventListener("change", function () {
+        if (wantAuthnRequestsSigned.checked) {
+            wantAuthnRequestsSigned.value = true;
+            SignatureAlgorithm.removeAttribute("disabled");
+            SAMLSignatureKeyName.removeAttribute("disabled");
+            encryption_algorithm.removeAttribute("disabled");
+            
+        }
+        else {
+            wantAuthnRequestsSigned.value = false;
+            SignatureAlgorithm.setAttribute("disabled", "true");
+            SAMLSignatureKeyName.setAttribute("disabled", "true");
+            encryption_algorithm.setAttribute("disabled", "true");
+            
+            
+            ;
+        }
+    });
+    
+    const ArtifactResolutionService_in_metadata = document.getElementById("ArtifactResolutionService_in_metadata");
+    ArtifactResolutionService_in_metadata.value = pluginData.config.includeArtifactResolutionServiceMetadata ? pluginData.config.includeArtifactResolutionServiceMetadata : false;
+    ArtifactResolutionService_in_metadata.addEventListener("change", function () {
+        handleCheckboxValue(ArtifactResolutionService_in_metadata);
+        
+    });
+    
+    document.addEventListener("DOMContentLoaded", function () {
+        const deleteButtonsClassRefs = document.querySelectorAll(".delete");
+        const addButtonClassRefs = document.getElementById("addClassRefs");
+        const ClassRefs_items = document.getElementById("ClassRefs_items");
+        
         deleteButtonsClassRefs.forEach(function (button) {
             button.style.display = "inline";
         });
-
-        const newItem = document.createElement("div");
-        newItem.className = "next-referral col-4";
-        newItem.innerHTML = '<input name="textinputClassRefs" type="text" class="input_text">';
-        ClassRefs_items.appendChild(newItem);
-    });
-
-    document.body.addEventListener("click", function (e) {
-        if (e.target.classList.contains("delete")) {
-            const items = ClassRefs_items.querySelectorAll(".next-referral");
-            if (items.length > 0) {
-                items[items.length - 1].remove();
-                deleteButtonsClassRefs.forEach(function (button, index) {
-                    if (index === items.length - 1) {
-                        button.style.display = "inline";
-                    }
-                });
+        
+        addButtonClassRefs.addEventListener("click", function (e) {
+            deleteButtonsClassRefs.forEach(function (button) {
+                button.style.display = "inline";
+            });
+            
+            const newItem = document.createElement("div");
+            newItem.className = "next-referral col-4";
+            newItem.innerHTML = '<input name="textinputClassRefs" type="text" class="input_text">';
+            ClassRefs_items.appendChild(newItem);
+        });
+        
+        document.body.addEventListener("click", function (e) {
+            if (e.target.classList.contains("delete")) {
+                const items = ClassRefs_items.querySelectorAll(".next-referral");
+                if (items.length > 0) {
+                    items[items.length - 1].remove();
+                    deleteButtonsClassRefs.forEach(function (button, index) {
+                        if (index === items.length - 1) {
+                            button.style.display = "inline";
+                        }
+                    });
+                }
             }
-        }
-    });
-});
-
-document.addEventListener("DOMContentLoaded", function () {
-    const deleteButtonsDeclRefs = document.querySelectorAll(".delete1");
-    const addButtonDeclRefs = document.getElementById("addDeclRefs");
-    const DeclRefs_items = document.getElementById("DeclRefs_items");
-
-    deleteButtonsDeclRefs.forEach(function (button) {
-        button.style.display = "inline";
+        });
     });
-
-    addButtonDeclRefs.addEventListener("click", function (e) {
+    
+    document.addEventListener("DOMContentLoaded", function () {
+        const deleteButtonsDeclRefs = document.querySelectorAll(".delete1");
+        const addButtonDeclRefs = document.getElementById("addDeclRefs");
+        const DeclRefs_items = document.getElementById("DeclRefs_items");
+        
         deleteButtonsDeclRefs.forEach(function (button) {
             button.style.display = "inline";
         });
-
-        const newItem = document.createElement("div");
-        newItem.className = "next-referral col-4";
-        newItem.innerHTML = '<input name="textinputDeclRefs" type="text" class="input_text">';
-        DeclRefs_items.appendChild(newItem);
-    });
-
-    document.body.addEventListener("click", function (e) {
-        if (e.target.classList.contains("delete1")) {
-            const items = DeclRefs_items.querySelectorAll(".next-referral");
-            if (items.length > 0) {
-                items[items.length - 1].remove();
-                deleteButtonsDeclRefs.forEach(function (button, index) {
-                    if (index === items.length - 1) {
-                        button.style.display = "inline";
-                    }
-                });
+        
+        addButtonDeclRefs.addEventListener("click", function (e) {
+            deleteButtonsDeclRefs.forEach(function (button) {
+                button.style.display = "inline";
+            });
+            
+            const newItem = document.createElement("div");
+            newItem.className = "next-referral col-4";
+            newItem.innerHTML = '<input name="textinputDeclRefs" type="text" class="input_text">';
+            DeclRefs_items.appendChild(newItem);
+        });
+        
+        document.body.addEventListener("click", function (e) {
+            if (e.target.classList.contains("delete1")) {
+                const items = DeclRefs_items.querySelectorAll(".next-referral");
+                if (items.length > 0) {
+                    items[items.length - 1].remove();
+                    deleteButtonsDeclRefs.forEach(function (button, index) {
+                        if (index === items.length - 1) {
+                            button.style.display = "inline";
+                        }
+                    });
+                }
             }
-        }
+        });
     });
-});
-
-
-
-var validateSignatures = document.getElementById("validateSignatures");
-var additionalField1 = document.getElementById("ValidatingX509Certificates");
-var saml_EntityDescriptor=document.getElementById("saml_EntityDescriptor")
-var Use_Metadata_Descriptor_URL=document.getElementById("Use_Metadata_Descriptor_URL")
-validateSignatures.value = pluginData.config.validateSignature ? pluginData.config.validateSignature : false;
+    
+    
+    
+    var validateSignatures = document.getElementById("validateSignatures");
+    var additionalField1 = document.getElementById("ValidatingX509Certificates");
+    var saml_EntityDescriptor=document.getElementById("saml_EntityDescriptor")
+    var Use_Metadata_Descriptor_URL=document.getElementById("Use_Metadata_Descriptor_URL")
+    validateSignatures.value = pluginData.config.validateSignature ? pluginData.config.validateSignature : false;
     var validateSignatures = document.getElementById("validateSignatures");
     var additionalField1 = document.getElementById("ValidatingX509Certificates");
     var saml_EntityDescriptor = document.getElementById("saml_EntityDescriptor");
     var Use_Metadata_Descriptor_URL = document.getElementById("Use_Metadata_Descriptor_URL");
-        validateSignatures.checked = pluginData.config.validateSignature ? pluginData.config.validateSignature : false;
-        validateSignatures.addEventListener("change", function () {
-            if (validateSignatures.checked) {
-                validateSignatures.value = true;
-                additionalField1.removeAttribute("disabled");
-                saml_EntityDescriptor.style.display = 'block';
-                Use_Metadata_Descriptor_URL.style.display = 'block';
-            } else {
-                additionalField1.setAttribute("disabled", "true");
-                additionalField1.value = '';
-                saml_EntityDescriptor.style.display = 'none';
-                Use_Metadata_Descriptor_URL.style.display = 'none';
-                validateSignatures.value = false;
-            }
-        });
-
-        validateSignatures.dispatchEvent(new Event("change"));
-
+    validateSignatures.checked = pluginData.config.validateSignature ? pluginData.config.validateSignature : false;
+    validateSignatures.addEventListener("change", function () {
+        if (validateSignatures.checked) {
+            validateSignatures.value = true;
+            additionalField1.removeAttribute("disabled");
+            saml_EntityDescriptor.style.display = 'block';
+            Use_Metadata_Descriptor_URL.style.display = 'block';
+        } else {
+            additionalField1.setAttribute("disabled", "true");
+            additionalField1.value = '';
+            saml_EntityDescriptor.style.display = 'none';
+            Use_Metadata_Descriptor_URL.style.display = 'none';
+            validateSignatures.value = false;
+        }
+    });
+    
+    validateSignatures.dispatchEvent(new Event("change"));
+    
     var UseMetadataDescriptorURL = document.getElementById("UseMetadataDescriptorURL");
     var Validating_X509_Certificates=document.getElementById("Validating_X509_Certificates");
     UseMetadataDescriptorURL.checked = pluginData.config.useMetadataDescriptorUrl ? pluginData.config.useMetadataDescriptorUrl : false;
     UseMetadataDescriptorURL.addEventListener("change", function () {
-            if (UseMetadataDescriptorURL.checked) {
-                UseMetadataDescriptorURL.value = true;
-                Validating_X509_Certificates.style.display='none'
-            }
-            else {
-                UseMetadataDescriptorURL.value = false;
-                Validating_X509_Certificates.style.display='block'
-                ;
-            }
-        }
-
+          if (UseMetadataDescriptorURL.checked) {
+              UseMetadataDescriptorURL.value = true;
+              Validating_X509_Certificates.style.display='none'
+          }
+          else {
+              UseMetadataDescriptorURL.value = false;
+              Validating_X509_Certificates.style.display='block'
+              ;
+          }
+      }
+    
     );
-
-
-var Artifact_Resolution = document.getElementById("Artifact_Resolution");
-Artifact_Resolution.value = pluginData.config.artifactResolution ? pluginData.config.artifactResolution : false;
-
-Artifact_Resolution.addEventListener("change", function () {
-    if (Artifact_Resolution.checked) {
-        Artifact_Resolution.value = true;
-        additionalField_endpoint.removeAttribute("disabled");
-
-    }
-    else {
-        Artifact_Resolution.value = false;
-        additionalField_endpoint.setAttribute("disabled", "true");
-        additionalField_endpoint.value = '';
-
-        ;
-    }
-}
-);
-
-
-const Sign_Artifact_Resolution_Request = document.getElementById("Sign_Artifact_Resolution_Request");
-Sign_Artifact_Resolution_Request.value = pluginData.config.signArtifactResolutionRequest ? pluginData.config.signArtifactResolutionRequest : false;
-Sign_Artifact_Resolution_Request.addEventListener("change", function () {
-    handleCheckboxValue(Sign_Artifact_Resolution_Request);
-
-});
-
-const ArtifactResolution_via_HTTP_ARTIFACT = document.getElementById("ArtifactResolution_via_HTTP_ARTIFACT");
-ArtifactResolution_via_HTTP_ARTIFACT.value = pluginData.config.artifactResolutionHTTPArtifact ? pluginData.config.artifactResolutionHTTPArtifact : false;
-ArtifactResolution_via_HTTP_ARTIFACT.addEventListener("change", function () {
-    handleCheckboxValue(ArtifactResolution_via_HTTP_ARTIFACT);
-
-});
-
-
-
-
-const Artifact_Resolution_with_SOAP = document.getElementById("Artifact_Resolution_with_SOAP");
-Artifact_Resolution_with_SOAP.value = pluginData.config.artifactResolutionSOAP ? pluginData.config.artifactResolutionSOAP : false;
-Artifact_Resolution_with_SOAP.addEventListener("change", function () {
-    handleCheckboxValue(Artifact_Resolution_with_SOAP);
-
-});
-
-
-
-const Artifact_Resolution_with_XML_header = document.getElementById("Artifact_Resolution_with_XML_header");
-Artifact_Resolution_with_XML_header.value = pluginData.config.artifactResolutionWithXmlHeader ? pluginData.config.artifactResolutionWithXmlHeader : false;
-Artifact_Resolution_with_XML_header.addEventListener("change", function () {
-    handleCheckboxValue(Artifact_Resolution_with_XML_header);
-
-});
-
-
-const Mutual_TLS = document.getElementById("Mutual_TLS");
-Mutual_TLS.value = pluginData.config.mutualTls ? pluginData.config.mutualTls : false;
-Mutual_TLS.addEventListener("change", function () {
-    handleCheckboxValue(Mutual_TLS);
-
-});
-const enabled = document.getElementById("enabled");
-enabled.value = pluginData.enabled ? pluginData.enabled : false;
-enabled.addEventListener("change", function () {
-    handleCheckboxValue(enabled);
-
-});
-
-principalType_input.addEventListener('change', function () {
-    if (principalType_input.value == "ATTRIBUTE" || principalType_input.value == "FRIENDLY_ATTRIBUTE") {
-        principalAttribute_input.removeAttribute("disabled");
-
-    } else {
-        principalAttribute_input.value = '';
-        principalAttribute_input.setAttribute("disabled", "true");
-
-    }
-}) ;
+    
+    
+    var Artifact_Resolution = document.getElementById("Artifact_Resolution");
+    Artifact_Resolution.value = pluginData.config.artifactResolution ? pluginData.config.artifactResolution : false;
+    
+    Artifact_Resolution.addEventListener("change", function () {
+          if (Artifact_Resolution.checked) {
+              Artifact_Resolution.value = true;
+              additionalField_endpoint.removeAttribute("disabled");
+              
+          }
+          else {
+              Artifact_Resolution.value = false;
+              additionalField_endpoint.setAttribute("disabled", "true");
+              additionalField_endpoint.value = '';
+              
+              ;
+          }
+      }
+    );
+    
+    
+    const Sign_Artifact_Resolution_Request = document.getElementById("Sign_Artifact_Resolution_Request");
+    Sign_Artifact_Resolution_Request.value = pluginData.config.signArtifactResolutionRequest ? pluginData.config.signArtifactResolutionRequest : false;
+    Sign_Artifact_Resolution_Request.addEventListener("change", function () {
+        handleCheckboxValue(Sign_Artifact_Resolution_Request);
+        
+    });
+    
+    const ArtifactResolution_via_HTTP_ARTIFACT = document.getElementById("ArtifactResolution_via_HTTP_ARTIFACT");
+    ArtifactResolution_via_HTTP_ARTIFACT.value = pluginData.config.artifactResolutionHTTPArtifact ? pluginData.config.artifactResolutionHTTPArtifact : false;
+    ArtifactResolution_via_HTTP_ARTIFACT.addEventListener("change", function () {
+        handleCheckboxValue(ArtifactResolution_via_HTTP_ARTIFACT);
+        
+    });
+    
+    
+    
+    
+    const Artifact_Resolution_with_SOAP = document.getElementById("Artifact_Resolution_with_SOAP");
+    Artifact_Resolution_with_SOAP.value = pluginData.config.artifactResolutionSOAP ? pluginData.config.artifactResolutionSOAP : false;
+    Artifact_Resolution_with_SOAP.addEventListener("change", function () {
+        handleCheckboxValue(Artifact_Resolution_with_SOAP);
+        
+    });
+    
+    
+    
+    const Artifact_Resolution_with_XML_header = document.getElementById("Artifact_Resolution_with_XML_header");
+    Artifact_Resolution_with_XML_header.value = pluginData.config.artifactResolutionWithXmlHeader ? pluginData.config.artifactResolutionWithXmlHeader : false;
+    Artifact_Resolution_with_XML_header.addEventListener("change", function () {
+        handleCheckboxValue(Artifact_Resolution_with_XML_header);
+        
+    });
+    
+    
+    const Mutual_TLS = document.getElementById("Mutual_TLS");
+    Mutual_TLS.value = pluginData.config.mutualTls ? pluginData.config.mutualTls : false;
+    Mutual_TLS.addEventListener("change", function () {
+        handleCheckboxValue(Mutual_TLS);
+        
+    });
+    const enabled = document.getElementById("enabled");
+    enabled.value = pluginData.enabled ? pluginData.enabled : false;
+    enabled.addEventListener("change", function () {
+        handleCheckboxValue(enabled);
+        
+    });
+    
+    principalType_input.addEventListener('change', function () {
+        if (principalType_input.value == "ATTRIBUTE" || principalType_input.value == "FRIENDLY_ATTRIBUTE") {
+            principalAttribute_input.removeAttribute("disabled");
+            
+        } else {
+            principalAttribute_input.value = '';
+            principalAttribute_input.setAttribute("disabled", "true");
+            
+        }
+    }) ;
 });
\ No newline at end of file
diff --git a/src/main/resources/saml-extended-frontend/js/EditProvider.js b/src/main/resources/saml-extended-frontend/js/EditProvider.js
index a31dca0..5897757 100644
--- a/src/main/resources/saml-extended-frontend/js/EditProvider.js
+++ b/src/main/resources/saml-extended-frontend/js/EditProvider.js
@@ -3,7 +3,7 @@ edit.addEventListener('click', () => {
     keycloak.updateToken(300).then((bool) => {
         if (bool) {
             newAccessToken = keycloak.token;
-
+            
             var authnContextClassRefs = []
             const ClassRefs_inputs = ClassRefs_items.querySelectorAll("input");
             ClassRefs_inputs.forEach(input => {
@@ -18,7 +18,7 @@ edit.addEventListener('click', () => {
                     authnContextDeclRefs.push(input.value);
                 }
             });
-
+            
             var Single_Sign_On_Service_URL = Single_Sign_On_Service_URL_input.value;
             var Single_Logout_Service_URL = Single_Logout_Service_URL_input.value;
             var nameIdPolicy = nameIdPolicy_input.value;
@@ -42,6 +42,7 @@ edit.addEventListener('click', () => {
                     "postBindingLogout": httpPostBindingLogout.value,
                     "authnContextClassRefs": authnContextClassRefs.length > 0 ? JSON.stringify(authnContextClassRefs) : undefined,
                     "postBindingResponse": httpPostBindingResponse.value,
+                    "artifactBindingResponse": artifactBindingResponse.value,
                     "singleLogoutServiceUrl": Single_Logout_Service_URL,
                     "authnContextDeclRefs": authnContextDeclRefs.length > 0 ? JSON.stringify(authnContextDeclRefs) : undefined,
                     "backchannelSupported": backchannel.value,
@@ -88,28 +89,28 @@ edit.addEventListener('click', () => {
                     "metadataDescriptorUrl":samlEntityDescriptor_input.value,
                     "useMetadataDescriptorUrl":UseMetadataDescriptorURL.value,
                     "attributeConsumingServiceMetadata":attributeServicesArray.length > 0 ? JSON.stringify(attributeServicesArray) : undefined
-
+                    
                 }
             };
-
-
+            
+            
             let isValid = true;
             hasFocused = false;
-
+            
             if (!Single_Sign_On_Service_URL_input.value || !Single_Sign_On_Service_URL_input.value.startsWith("https://")) {
                 handleInvalidInput(Single_Sign_On_Service_URL_input, errorMessage_URL, "Enter a valid URL");
                 isValid = false;
             } else {
                 handleValidInput(Single_Sign_On_Service_URL_input, errorMessage_URL,"");
             }
-
+            
             if (Single_Logout_Service_URL_input.value && !Single_Logout_Service_URL_input.value.startsWith("https://")) {
                 handleInvalidInput(Single_Logout_Service_URL_input, errorMessage_URL_logout, "Enter a valid URL");
                 isValid = false;
             } else {
                 handleValidInput(Single_Logout_Service_URL_input, errorMessage_URL_logout,"");
             }
-
+            
             if (UseMetadataDescriptorURL.checked) {
                 if (!samlEntityDescriptor_input.value ||!samlEntityDescriptor_input.value.startsWith("https://")) {
                     handleInvalidInput(samlEntityDescriptor_input, samlEntityDescriptor_errorMessage_URL, "Enter a valid URL!");
@@ -118,17 +119,17 @@ edit.addEventListener('click', () => {
                 else
                 { handleValidInput(samlEntityDescriptor_input, samlEntityDescriptor_errorMessage_URL,"");
                 }
-
-
+                
+                
             }
-
+            
             if (!isValid) {
                 return;
             }
-
-
+            
+            
             removeEmptyStrings(data);
-
+            
             const configKeys = Object.keys(data.config);
             for (const key of configKeys) {
                 if (typeof data.config[key] === 'string' && data.config[key].trim() === "") {
@@ -138,102 +139,98 @@ edit.addEventListener('click', () => {
             if (Array.isArray(data.config.authnContextClassRefs) && data.config.authnContextClassRefs.length === 0) {
                 delete data.config.authnContextClassRefs;
             }
-
+            
             if (Array.isArray(data.config.authnContextDeclRefs) && data.config.authnContextDeclRefs.length === 0) {
                 delete data.config.authnContextDeclRefs;
             }
-
-
-
+            
+            
+            
             var selectedrealm = localStorage.getItem('selectedRealm');
-           if(alias_input.value){
-            // Sending a GET request to check if the plugin exists
-            fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias_input.value}`, {
-                method: 'GET',
-                headers: {
-                    'Authorization': `Bearer ${newAccessToken}`,
-                },
-            })
-
-                // Handling the response of the GET request
-                .then(async checkPluginResponse => {
-                    if (checkPluginResponse.ok) {
-                        var pluginData = await checkPluginResponse.json();
-                        const updatePluginResponse = await fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias_input.value}`, {
-                            method: 'PUT',
-                            headers: {
-                                'Authorization': `Bearer ${newAccessToken}`,
-                                'Content-Type': 'application/json',
-                            },
-                            body: JSON.stringify(data),
-                        }
-
-                        );
-                        localStorage.setItem('pluginData', JSON.stringify(data));
-
-
-
-                        // Checking the response status for success
-                        if (updatePluginResponse.status === 204 || updatePluginResponse.status === 201) {
-                            console.log("Plugin updated successfully.");
-                            alert("Plugin updated successfully.");
-                            getAllPlugins(newAccessToken,selectedrealm);
-                            localStorage.setItem('pluginData', JSON.stringify(data));
-
-
-                        } else {
-                            console.error(`Failed to update/add the plugin. Response: ${updatePluginResponse.statusText}`);
-                            console.error("Error Details:", await updatePluginResponse.json());
-                            alert("Failed to update the plugin")
-                        }
-                    } else if (checkPluginResponse.status === 404) {
-                        // If the status is 404, the plugin does not exist, so send a POST request
-                        return fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances`, {
-                            method: 'POST',
-                            headers: {
-                                'Authorization': `Bearer ${newAccessToken}`,
-                                'Content-Type': 'application/json',
-                            },
-                            body: JSON.stringify(data),
-                        })
+            if(alias_input.value){
+                // Sending a GET request to check if the plugin exists
+                fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias_input.value}`, {
+                    method: 'GET',
+                    headers: {
+                        'Authorization': `Bearer ${newAccessToken}`,
+                    },
+                })
+                  
+                  // Handling the response of the GET request
+                  .then(async checkPluginResponse => {
+                      if (checkPluginResponse.ok) {
+                          var pluginData = await checkPluginResponse.json();
+                          const updatePluginResponse = await fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias_input.value}`, {
+                                method: 'PUT',
+                                headers: {
+                                    'Authorization': `Bearer ${newAccessToken}`,
+                                    'Content-Type': 'application/json',
+                                },
+                                body: JSON.stringify(data),
+                            }
+                          
+                          );
+                          localStorage.setItem('pluginData', JSON.stringify(data));
+                          
+                          // Checking the response status for success
+                          if (updatePluginResponse.status === 204 || updatePluginResponse.status === 201) {
+                              console.log("Plugin updated successfully.");
+                              alert("Plugin updated successfully.");
+                              getAllPlugins(newAccessToken,selectedrealm);
+                              localStorage.setItem('pluginData', JSON.stringify(data));
+                          } else {
+                              console.error(`Failed to update/add the plugin. Response: ${updatePluginResponse.statusText}`);
+                              console.error("Error Details:", await updatePluginResponse.json());
+                              alert("Failed to update the plugin")
+                          }
+                      } else if (checkPluginResponse.status === 404) {
+                          // If the status is 404, the plugin does not exist, so send a POST request
+                          return fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances`, {
+                              method: 'POST',
+                              headers: {
+                                  'Authorization': `Bearer ${newAccessToken}`,
+                                  'Content-Type': 'application/json',
+                              },
+                              body: JSON.stringify(data),
+                          })
                             .then(response => {
                                 if (response.ok) {
                                     alert("Plugin added successfully.");
-
+                                    
                                     localStorage.setItem('pluginData', JSON.stringify(data));
-
+                                    
                                 } else {
                                     console.error('Failed to add plugin:', response.status, response.statusText);
                                     alert("Failed to add plugin");
                                 }
                             })
                             .catch(error => {
-
+                                
                                 console.error('Network error or failed to send request:', error);
                             });
-
-
-                    } else {
-                        // If there is another status, an error occurred
-
-                        console.error(`Failed to retrieve the plugin. Response: ${checkPluginResponse.statusText}`);
-                        alert("Failed to retrieve the plugin");
-                        throw new Error(`Failed to retrieve the plugin. Response: ${checkPluginResponse.statusText}`);
-                    }
-                })
-
-                // Handling the response of the POST request (if executed)
-                .then(response => {
-                    // ... (Additional code that was commented out)
-                })
-                .catch(error => {
-                    // ... (Additional code that was commented out)
-                });
-        }else
-        {console.log('alias_input does not exist')}
-
+                          
+                          
+                      } else {
+                          // If there is another status, an error occurred
+                          
+                          console.error(`Failed to retrieve the plugin. Response: ${checkPluginResponse.statusText}`);
+                          alert("Failed to retrieve the plugin");
+                          throw new Error(`Failed to retrieve the plugin. Response: ${checkPluginResponse.statusText}`);
+                      }
+                  })
+                  
+                  // Handling the response of the POST request (if executed)
+                  .then(response => {
+                      // ... (Additional code that was commented out)
+                  })
+                  .catch(error => {
+                      // ... (Additional code that was commented out)
+                  });
+            }else
+            {console.log('alias_input does not exist')}
+            
             // Setting a form element value to an empty string
-
+            
         } else {
             console.log("Token is not updated");
         }
diff --git a/src/main/resources/saml-extended-frontend/pages/addprovider.html b/src/main/resources/saml-extended-frontend/pages/addprovider.html
index ebead45..475c4bb 100644
--- a/src/main/resources/saml-extended-frontend/pages/addprovider.html
+++ b/src/main/resources/saml-extended-frontend/pages/addprovider.html
@@ -356,8 +356,8 @@ <h1>Saml-extended</h1>
     <script src="../../samlconfig/js/Config"></script>
     </h1>
     <script>document.getElementById('List').addEventListener('click', function () {
-        var redirectUri = localStorage.getItem('redirectUri')
-        window.location.href = `${redirectUri}`;
+      var redirectUri = localStorage.getItem('redirectUri')
+      window.location.href = `${redirectUri}`;
     });
     </script>
     <div>
@@ -378,9 +378,9 @@ <h5>Redirect URI
            value="http://localhost:8080/realms/master/broker/saml-extended/endpoint" id="redirectUri" readonly>
 
     <script>
-        var selectedrealm = localStorage.getItem('selectedRealm');
-        var ServerUrl1 = localStorage.getItem('ServerUrl');
-        document.getElementById('redirectUri').value = `${ServerUrl1}/realms/${selectedrealm}/broker/saml-extended/endpoint`
+      var selectedrealm = localStorage.getItem('selectedRealm');
+      var ServerUrl1 = localStorage.getItem('ServerUrl');
+      document.getElementById('redirectUri').value = `${ServerUrl1}/realms/${selectedrealm}/broker/saml-extended/endpoint`
     </script>
     <h5>Alias *
         <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
@@ -389,20 +389,20 @@ <h5>Alias *
     <span class="error-message" id="errorMessage"></span>
     <input type="text" name="alias" id="alias" class="input_text" oninput="copyValue(event)" required>
     <script>
+      var selectedrealm = localStorage.getItem('selectedRealm');
+      var ServerUrl1 = localStorage.getItem('ServerUrl')
+      document.getElementById('redirectUri').value = `${ServerUrl1}/realms/${selectedrealm}/broker/saml-extended/endpoint`
+
+      function copyValue(event) {
+        var alias = event.target.value;
         var selectedrealm = localStorage.getItem('selectedRealm');
+        localStorage.setItem('alias_for_endpoint', alias)
         var ServerUrl1 = localStorage.getItem('ServerUrl')
-        document.getElementById('redirectUri').value = `${ServerUrl1}/realms/${selectedrealm}/broker/saml-extended/endpoint`
-
-        function copyValue(event) {
-            var alias = event.target.value;
-            var selectedrealm = localStorage.getItem('selectedRealm');
-            localStorage.setItem('alias_for_endpoint', alias)
-            var ServerUrl1 = localStorage.getItem('ServerUrl')
-            document.getElementById('redirectUri').value = `${ServerUrl1}/realms/${selectedrealm}/broker/${alias}/endpoint`
-            document.getElementById('metadataLink').onclick = function(event) {
-                event.preventDefault();
-                window.open(`${serverUrl}/realms/${selectedRealm}/broker/${alias}/endpoint/descriptor`, '_blank');}
-        }
+        document.getElementById('redirectUri').value = `${ServerUrl1}/realms/${selectedrealm}/broker/${alias}/endpoint`
+        document.getElementById('metadataLink').onclick = function(event) {
+          event.preventDefault();
+          window.open(`${serverUrl}/realms/${selectedRealm}/broker/${alias}/endpoint/descriptor`, '_blank');}
+      }
     </script>
     <h5>Display Name
         <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
@@ -426,12 +426,12 @@ <h5>Endpoints
         SAML 2.0 Service Provider Metadata </a>
     </section>
     <script>
-        var selectedRealm = localStorage.getItem('selectedRealm');
-        var serverUrl = localStorage.getItem('ServerUrl');
-        var alias_for_endpoint = localStorage.getItem('alias_for_endpoint');
-        document.getElementById('metadataLink').onclick = function(event) {
-            event.preventDefault();
-            window.open(`${serverUrl}/realms/${selectedRealm}/broker/${alias_for_endpoint}/endpoint/descriptor`, '_blank');}  </script>
+      var selectedRealm = localStorage.getItem('selectedRealm');
+      var serverUrl = localStorage.getItem('ServerUrl');
+      var alias_for_endpoint = localStorage.getItem('alias_for_endpoint');
+      document.getElementById('metadataLink').onclick = function(event) {
+        event.preventDefault();
+        window.open(`${serverUrl}/realms/${selectedRealm}/broker/${alias_for_endpoint}/endpoint/descriptor`, '_blank');}  </script>
 
     <h2 id="SAMLSettings">SAML settings</h2>
     <h5>Service Provider Entity ID
@@ -563,19 +563,22 @@ <h5>HTTP-POST Binding Response
                      onclick="alert('Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.')">
             </h5>
 
-
             <label class="switch">
                 <input type="checkbox" name="httpPostBindingResponse" value="false" id="httpPostBindingResponse">
                 <span class="slider round"></span>
             </label>
 
+            <h5>ARTIFACT binding response</h5>
+            <label class="switch">
+                <input type="checkbox" name="artifactBindingResponse" value="false" id="artifactBindingResponse">
+                <span class="slider round"></span>
+            </label>
 
             <h5>HTTP-POST Binding for AuthnRequest
                 <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
                      onclick="alert('Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used')">
             </h5>
 
-
             <label class="switch">
                 <input type="checkbox" name="httpPostBindingAuthnRequest" value="false"
                        id="httpPostBindingAuthnRequest">
@@ -702,7 +705,6 @@ <h5>Pass Subject
 
 
             <h5>Allowed Clock Skew
-
                 <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
                      onclick="alert('Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is zero')">
             </h5>
@@ -711,10 +713,10 @@ <h5>Allowed Clock Skew
 
             <h5>Attribute Consuming Service Index
                 <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                     onclick="alert('Index of the Attribute Consuming Service profile to request during authentication.')">
+                     onclick="alert('Index of the Attribute Consuming Service profile to request during authentication. Use -1 to set no value.')">
             </h5>
 
-            <input type="number" min="0" value="0" name="attributeConsumingServiceIndex"
+            <input type="number" placeholder="-1" min="-1" name="attributeConsumingServiceIndex"
                    id="attributeConsumingServiceIndex">
 
             <h5>Attribute Consuming Service Name
@@ -750,7 +752,6 @@ <h5> AuthnContext ClassRefs <img src="../../samlconfig/images/question.png" clas
                     <div class="col-md-4 margin-bottom">
                         <input id="authnContextClassRefs" name="authnContextClassRefs" class="input_text" type="text"
                                class="form-control input-md">
-
                     </div>
                 </div>
                 <!--        </form>-->
@@ -891,17 +892,17 @@ <h5>Linked Providers
                 <input type="text" class="input_text" name="Linked Providers" id="Linked_Providers">
 
                 <script>
-                    var quantityField = document.getElementById("quantity");
+                  var quantityField = document.getElementById("quantity");
 
-                    function changeQuantity(change) {
-                        var currentValue = parseInt(quantityField.value);
+                  function changeQuantity(change) {
+                    var currentValue = parseInt(quantityField.value);
 
-                        if (!isNaN(currentValue)) {
-                            quantityField.value = currentValue + change >= 0 ? currentValue + change : 0;
-                        } else {
-                            quantityField.value = 0;
-                        }
+                    if (!isNaN(currentValue)) {
+                      quantityField.value = currentValue + change >= 0 ? currentValue + change : 0;
+                    } else {
+                      quantityField.value = 0;
                     }
+                  }
                 </script>
 
             </div>
@@ -1001,14 +1002,14 @@ <h2>Attribute Consuming Service</h2>
             <button onclick="addFields(event)" class="btn">Add Attribute Service</button>
 
             <script>
-                var attributeServicesArray = [];
-
-                function addFields(event) {
-                    event.preventDefault();
-                    var attributeServicesDiv = document.getElementById('attributeServices');
-                    var newFieldsDiv = document.createElement('div');
-                    newFieldsDiv.classList.add('attribute-consuming-service'); // Add class 'attribute-consuming-service'
-                    newFieldsDiv.innerHTML = `
+              var attributeServicesArray = [];
+
+              function addFields(event) {
+                event.preventDefault();
+                var attributeServicesDiv = document.getElementById('attributeServices');
+                var newFieldsDiv = document.createElement('div');
+                newFieldsDiv.classList.add('attribute-consuming-service'); // Add class 'attribute-consuming-service'
+                newFieldsDiv.innerHTML = `
             <label for="serviceName">Service Name:</label>
             <input type="text" class="serviceName" placeholder="Enter Service Name">
             <label for="friendlyName">Friendly Name:</label>
@@ -1019,41 +1020,41 @@ <h2>Attribute Consuming Service</h2>
             <input type="text" class="attributeValue" placeholder="Enter Attribute Value">
             <button onclick="deleteForm(this.parentNode)" class="btn">Delete</button>
         `;
-                    attributeServicesDiv.appendChild(newFieldsDiv);
-                }
-                function deleteForm(form, index) {
-                    form.remove(); // Remove the form element from the DOM
-                    attributeServicesArray.splice(index, 1); // Remove the form data from the array
-
-                    // Update the indices of remaining elements
-                    attributeServicesArray.forEach((element, i) => {
-                        element.querySelector('.btn').setAttribute('onclick', `deleteForm(this.parentNode, ${i})`);
-                     });}
-                // function deleteForm(form) {
-                //     form.remove(); // Remove the form element from the DOM
-                //     var index = Array.from(document.querySelectorAll('.attribute-consuming-service')).indexOf(form);
-                //     attributeServicesArray.splice(index, 1); // Remove the form data from the array
-                // }
-
-                function addAttributeService(form) {
-                    var serviceName = form.querySelector('.serviceName').value.trim();
-                    var attributeValue = form.querySelector('.attributeValue').value.trim();
-                    var friendlyName = form.querySelector('.friendlyName').value.trim();
-                    var attributeName=form.querySelector('.attributeName').value.trim();
-                    if (serviceName !== "" && attributeValue !== "" && friendlyName !== "") {
-                        var index = Array.from(document.querySelectorAll('.attribute-consuming-service')).indexOf(form);
-                        if (index !== -1) {
-                            attributeServicesArray[index] = {
-                                serviceName: serviceName,
-                                attributeValue: attributeValue,
-                                friendlyName: friendlyName,
-                                attributeName:attributeName
-                            };
-                        }
-                    } else {
-                        alert("Please enter valid values for Service Name, Attribute Value, and Friendly Name.");
-                    }
+                attributeServicesDiv.appendChild(newFieldsDiv);
+              }
+              function deleteForm(form, index) {
+                form.remove(); // Remove the form element from the DOM
+                attributeServicesArray.splice(index, 1); // Remove the form data from the array
+
+                // Update the indices of remaining elements
+                attributeServicesArray.forEach((element, i) => {
+                  element.querySelector('.btn').setAttribute('onclick', `deleteForm(this.parentNode, ${i})`);
+                });}
+              // function deleteForm(form) {
+              //     form.remove(); // Remove the form element from the DOM
+              //     var index = Array.from(document.querySelectorAll('.attribute-consuming-service')).indexOf(form);
+              //     attributeServicesArray.splice(index, 1); // Remove the form data from the array
+              // }
+
+              function addAttributeService(form) {
+                var serviceName = form.querySelector('.serviceName').value.trim();
+                var attributeValue = form.querySelector('.attributeValue').value.trim();
+                var friendlyName = form.querySelector('.friendlyName').value.trim();
+                var attributeName=form.querySelector('.attributeName').value.trim();
+                if (serviceName !== "" && attributeValue !== "" && friendlyName !== "") {
+                  var index = Array.from(document.querySelectorAll('.attribute-consuming-service')).indexOf(form);
+                  if (index !== -1) {
+                    attributeServicesArray[index] = {
+                      serviceName: serviceName,
+                      attributeValue: attributeValue,
+                      friendlyName: friendlyName,
+                      attributeName:attributeName
+                    };
+                  }
+                } else {
+                  alert("Please enter valid values for Service Name, Attribute Value, and Friendly Name.");
                 }
+              }
             </script>
         </form>
         <div>
@@ -1062,11 +1063,11 @@ <h2>Attribute Consuming Service</h2>
     </div>
 </div>
 <script>
-    const formElements = document.getElementById('GeneralSetting').elements;
-    for (var i = 0; i < formElements.length; i++) {
-        formElements[i].readOnly = true;
-        formElements[i].disabled = true; // for select elements
-    }
+  const formElements = document.getElementById('GeneralSetting').elements;
+  for (var i = 0; i < formElements.length; i++) {
+    formElements[i].readOnly = true;
+    formElements[i].disabled = true; // for select elements
+  }
 </script>
 <script src="../../samlconfig/js/Fielders"></script>
 <script src="../../samlconfig/js/inputValidation"></script>
diff --git a/src/main/resources/saml-extended-frontend/pages/editprovider.html b/src/main/resources/saml-extended-frontend/pages/editprovider.html
index 70033a8..dd8ac65 100644
--- a/src/main/resources/saml-extended-frontend/pages/editprovider.html
+++ b/src/main/resources/saml-extended-frontend/pages/editprovider.html
@@ -339,9 +339,9 @@
     </div>
     <h1>Saml-extended</h1>
     <script>document.getElementById('List').addEventListener('click', function () {
-            var redirectUri = localStorage.getItem('redirectUri')
-            window.location.href = `${redirectUri}`;
-        });
+      var redirectUri = localStorage.getItem('redirectUri')
+      window.location.href = `${redirectUri}`;
+    });
     </script>
     <div>
 
@@ -360,35 +360,35 @@ <h2 id="GeneralSettings">General Settings </h2>
     <form id="GeneralSetting">
         <h5>Redirect URI
             <img src=" ../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('The redirect uri to use when configuring the identity provider.')">
+                 onclick="alert('The redirect uri to use when configuring the identity provider.')">
         </h5>
         <input type="url" name="redirectUri" class="readonly"
-            value="http://localhost:8080/realms/master/broker/saml-extended/endpoint" id="redirectUri" readonly>
+               value="http://localhost:8080/realms/master/broker/saml-extended/endpoint" id="redirectUri" readonly>
 
 
         <h5>Alias *
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('The alias uniquely identifies an identity provider and it is also used to build the redirect uri.')">
+                 onclick="alert('The alias uniquely identifies an identity provider and it is also used to build the redirect uri.')">
         </h5>
 
         <input type="text" class="readonly" name="alias" id="alias" readonly>
         <form  action="">
-        <h5>Display Name
-            <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Friendly name for Identity Providers')">
-        </h5>
-        <input type="text" class="input_text" name="displayName" id="displayName" required/>
+            <h5>Display Name
+                <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
+                     onclick="alert('Friendly name for Identity Providers')">
+            </h5>
+            <input type="text" class="input_text" name="displayName" id="displayName" required/>
         </form>
         <h5>Display Order
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Number defining the order of the providers in GUI (for example, on the Login page). The lowest number will be applied first.')">
+                 onclick="alert('Number defining the order of the providers in GUI (for example, on the Login page). The lowest number will be applied first.')">
         </h5>
 
         <input type="number" name="displayOrder" id="displayOrder" min="0">
 
         <h5>Endpoints
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('The alias uniquely identifies an identity provider and it is also used to build the redirect uri.')">
+                 onclick="alert('The alias uniquely identifies an identity provider and it is also used to build the redirect uri.')">
 
         </h5>
 
@@ -397,48 +397,48 @@ <h5>Endpoints
         </a>
 
         <script>
-            var selectedRealm = localStorage.getItem('selectedRealm');
-            var serverUrl = localStorage.getItem('ServerUrl');
-            var pluginAlias = localStorage.getItem('pluginalias');
-            var link = document.getElementById('metadataLink');
-            document.getElementById('metadataLink').onclick = function(event) {
-                event.preventDefault();
-                window.open(`${serverUrl}/realms/${selectedRealm}/broker/${pluginAlias}/endpoint/descriptor`, '_blank');}
+          var selectedRealm = localStorage.getItem('selectedRealm');
+          var serverUrl = localStorage.getItem('ServerUrl');
+          var pluginAlias = localStorage.getItem('pluginalias');
+          var link = document.getElementById('metadataLink');
+          document.getElementById('metadataLink').onclick = function(event) {
+            event.preventDefault();
+            window.open(`${serverUrl}/realms/${selectedRealm}/broker/${pluginAlias}/endpoint/descriptor`, '_blank');}
         </script>
         </section>
         <h2 id="SAMLSettings">SAML settings</h2>
 
         <h5>Service Provider Entity ID
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('The Entity ID that will be used to uniquely identify this SAML Service Provider.')">
+                 onclick="alert('The Entity ID that will be used to uniquely identify this SAML Service Provider.')">
 
         </h5>
         <input type="text" class="input_text" name="spEntity" id="spEntityId">
 
         <h5>Identity Provider Entity ID
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('The Entity ID used to validate the Issuer for received SAML assertions. If empty, no Issuer validation is performed.')">
+                 onclick="alert('The Entity ID used to validate the Issuer for received SAML assertions. If empty, no Issuer validation is performed.')">
 
         </h5>
         <input type="text" class="input_text" name="idpEntityId" id="idpEntityId">
 
         <h5>Single Sign-On Service URL *
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('The Url that must be used to send authentication requests (SAML AuthnRequest).')">
+                 onclick="alert('The Url that must be used to send authentication requests (SAML AuthnRequest).')">
         </h5>
         <span class="error-message" id="errorMessage_URL"></span>
         <input type="url" name="ssoServiceUrl" id="ssoServiceUrl" class="input_text">
 
         <h5>Single Logout Service URL
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('The Url that must be used to send logout requests.')">
+                 onclick="alert('The Url that must be used to send logout requests.')">
         </h5>
         <span class="error-message" id="errorMessage_URL_logout"></span>
         <input type="url" name="sloServiceUrl" id="sloServiceUrl" class="input_text">
 
         <h5>Backchannel Logout
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Does the external IDP support backchannel logout?')">
+                 onclick="alert('Does the external IDP support backchannel logout?')">
         </h5>
 
         <label class="switch">
@@ -468,7 +468,7 @@ <h5>   Send 'client_id' in logout requests
 
         <h5>NameID Policy Format
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Specifies the URI reference corresponding to a name identifier format.')">
+                 onclick="alert('Specifies the URI reference corresponding to a name identifier format.')">
         </h5>
         <select name="nameIdPolicy" id="nameIdPolicy">
             <option value="persistent">Persistent</option>
@@ -482,7 +482,7 @@ <h5>NameID Policy Format
 
         <h5>Principal Type
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Way to identify and track external users from the assertion. Default is using Subject NameID, alternatively you can set up identifying attribute.')">
+                 onclick="alert('Way to identify and track external users from the assertion. Default is using Subject NameID, alternatively you can set up identifying attribute.')">
         </h5>
         <select name="principalType" id="principalType">
             <option value="SUBJECT">Subject NameID</option>
@@ -493,14 +493,14 @@ <h5>Principal Type
         <h5> Principal Attribute
 
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Name or Friendely Name of the attribute used to identify external users.d to send logout requests.')">
+                 onclick="alert('Name or Friendely Name of the attribute used to identify external users.d to send logout requests.')">
         </h5>
         <input type="text" name="principalAttribute" id="principalAttribute" class="input_text">
 
 
         <h5>Allow Create
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Allow the external identity provider to create a new identifier to represent the principal.')">
+                 onclick="alert('Allow the external identity provider to create a new identifier to represent the principal.')">
         </h5>
 
         <label class="switch">
@@ -510,7 +510,7 @@ <h5>Allow Create
 
         <h5>HTTP-POST Binding Response
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.')">
+                 onclick="alert('Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.')">
         </h5>
 
 
@@ -520,10 +520,15 @@ <h5>HTTP-POST Binding Response
             <span class="slider round"></span>
         </label>
 
+        <h5>ARTIFACT binding response</h5>
+        <label class="switch">
+            <input type="checkbox" name="artifactBindingResponse" id="artifactBindingResponse">
+            <span class="slider round"></span>
+        </label>
 
         <h5>HTTP-POST Binding for AuthnRequest
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used')">
+                 onclick="alert('Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used')">
         </h5>
 
 
@@ -536,7 +541,7 @@ <h5>HTTP-POST Binding for AuthnRequest
 
         <h5>HTTP-POST Binding Logout
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.')">
+                 onclick="alert('Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.')">
         </h5>
         <label class="switch">
             <input type="checkbox" name="httpPostBindingLogout" value="false" id="httpPostBindingLogout">
@@ -547,7 +552,7 @@ <h5>HTTP-POST Binding Logout
 
         <h5>Want AuthnRequests Signed
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Indicates whether the identity provider expects a signed AuthnRequest.')">
+                 onclick="alert('Indicates whether the identity provider expects a signed AuthnRequest.')">
         </h5>
 
         <label class="switch">
@@ -556,7 +561,7 @@ <h5>Want AuthnRequests Signed
         </label>
         <h5>Signature algorithm
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('The signature algorithm to use to sign documents. Note that *SHA1* based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of *_SHA1')">
+                 onclick="alert('The signature algorithm to use to sign documents. Note that *SHA1* based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of *_SHA1')">
         </h5>
         <select name="Signature algorithm" id="SignatureAlgorithm" disabled>
             <option value="RSA_SHA256">RSA_SHA256</option>
@@ -568,7 +573,7 @@ <h5>Signature algorithm
         </select>
         <h5>Encryption Algorithm
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Encryption algorithm, which is used by SAML IDP for encryption of SAML documents, assertions or IDs. The corresponding decryption key for decrypt SAML document parts will be chosen based on this configured algorithm and should be available in realm keys for the encryption (ENC) usage. If algorithm is not configured, then any supported algorithm is allowed and decryption key will be chosen based on the algorithm configured in SAML document itself')">
+                 onclick="alert('Encryption algorithm, which is used by SAML IDP for encryption of SAML documents, assertions or IDs. The corresponding decryption key for decrypt SAML document parts will be chosen based on this configured algorithm and should be available in realm keys for the encryption (ENC) usage. If algorithm is not configured, then any supported algorithm is allowed and decryption key will be chosen based on the algorithm configured in SAML document itself')">
         </h5>
         <select name="Encryption Algorithm" id="encryption_algorithm" disabled>
             <option value="RSA-OAEP">RSA-OAEP</option>
@@ -576,7 +581,7 @@ <h5>Encryption Algorithm
         </select>
         <h5>SAML signature key name
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Signed SAML documents contain identification of signing key in KeyName element. For Keycloak / RH-SSO counter-party, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works.')">
+                 onclick="alert('Signed SAML documents contain identification of signing key in KeyName element. For Keycloak / RH-SSO counter-party, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works.')">
         </h5>
         <select name="SAML signature key name " id="SAMLSignatureKeyName" disabled>
             <option value="KEY-ID">KEY-ID</option>
@@ -586,7 +591,7 @@ <h5>SAML signature key name
 
         <h5>Want Assertions Signed
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Indicates whether this service provider expects a signed Assertion.')">
+                 onclick="alert('Indicates whether this service provider expects a signed Assertion.')">
         </h5>
         <label class="switch">
             <input type="checkbox" name="wantAssertionsSigned" id="wantAssertionsSigned" value="false">
@@ -595,7 +600,7 @@ <h5>Want Assertions Signed
 
         <h5>Want Assertions Encrypted
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Indicates whether this service provider expects an encrypted Assertion.')">
+                 onclick="alert('Indicates whether this service provider expects an encrypted Assertion.')">
         </h5>
 
         <label class="switch">
@@ -606,7 +611,7 @@ <h5>Want Assertions Encrypted
 
         <h5>Force Authentication
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.')">
+                 onclick="alert('Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.')">
         </h5>
         <label class="switch">
             <input type="checkbox" name="forceAuthentication" id="forceAuthentication" value="false">
@@ -616,43 +621,43 @@ <h5>Force Authentication
 
         <h5>Validate Signatures
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Enable/disable signature validation of external IDP signatures.')">
+                 onclick="alert('Enable/disable signature validation of external IDP signatures.')">
         </h5>
         <label class="switch">
             <input type="checkbox" name="validateSignatures" value="false" id="validateSignatures" >
             <span class="slider round"></span>
         </label>
         <div id="saml_EntityDescriptor">
-        <h5>Metadata descriptor URL
-            <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                 onclick="alert('External URL where Identity Provider publishes the metadata information needed by the client (certificates, keys, other URLs,...)..')">
-        </h5>
-           <span class="error-message" id="samlEntityDescriptor_errorMessage_URL"></span>
-        <input type="url" class="input_text" name="samlEntityDescriptor" id="samlEntityDescriptor" required>
+            <h5>Metadata descriptor URL
+                <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
+                     onclick="alert('External URL where Identity Provider publishes the metadata information needed by the client (certificates, keys, other URLs,...)..')">
+            </h5>
+            <span class="error-message" id="samlEntityDescriptor_errorMessage_URL"></span>
+            <input type="url" class="input_text" name="samlEntityDescriptor" id="samlEntityDescriptor" required>
 
 
         </div>
         <div id="Use_Metadata_Descriptor_URL">
-        <h5>Use metadata descriptor URL
-            <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                 onclick="alert('If the switch is on, the certificates to validate signatures will be downloaded and cached from the given *Metadata descriptor URL*. The *Reload keys* action can be used to refresh the certificates in the cache. If the switch is off, certificates from *Validating X509 certificates* option are used, they need to be manually updated when changed in the IDP.')">
-        </h5>
-        <label class="switch">
-            <input type="checkbox" name="UseMetadataDescriptorURL" value="false" id="UseMetadataDescriptorURL">
-            <span class="slider round"></span>
-        </label>
+            <h5>Use metadata descriptor URL
+                <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
+                     onclick="alert('If the switch is on, the certificates to validate signatures will be downloaded and cached from the given *Metadata descriptor URL*. The *Reload keys* action can be used to refresh the certificates in the cache. If the switch is off, certificates from *Validating X509 certificates* option are used, they need to be manually updated when changed in the IDP.')">
+            </h5>
+            <label class="switch">
+                <input type="checkbox" name="UseMetadataDescriptorURL" value="false" id="UseMetadataDescriptorURL">
+                <span class="slider round"></span>
+            </label>
         </div>
         <div id="Validating_X509_Certificates">
-        <h5>Validating X509 certificates
-            <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,).')">
-        </h5>
-        <input type="text" class="input_text" id="ValidatingX509Certificates" name="ValidatingX509Certificates"
-            disabled>
+            <h5>Validating X509 certificates
+                <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
+                     onclick="alert('The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,).')">
+            </h5>
+            <input type="text" class="input_text" id="ValidatingX509Certificates" name="ValidatingX509Certificates"
+                   disabled>
         </div>
         <h5>Sign Service Provider Metadata
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Enable/disable signature of the provider SAML metadata.')">
+                 onclick="alert('Enable/disable signature of the provider SAML metadata.')">
         </h5>
         <label class="switch">
             <input type="checkbox" name="signMetadata" id="signMetadata" value="false">
@@ -662,7 +667,7 @@ <h5>Sign Service Provider Metadata
 
         <h5>Pass Subject
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('During login phase, forward an optional login_hint query parameter to SAML AuthnRequests Subject.')">
+                 onclick="alert('During login phase, forward an optional login_hint query parameter to SAML AuthnRequests Subject.')">
         </h5>
 
 
@@ -676,22 +681,22 @@ <h5>Pass Subject
         <h5>Allowed Clock Skew
 
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is zero.')">
+                 onclick="alert('Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is zero.')">
         </h5>
 
         <input type="number" min="0" value="0" name="allowedClockSkew" id="allowedClockSkew">
 
         <h5>Attribute Consuming Service Index
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Index of the Attribute Consuming Service profile to request during authentication.')">
+                 onclick="alert('Index of the Attribute Consuming Service profile to request during authentication. Use -1 to set no value.')">
         </h5>
 
-        <input type="number" min="0" value="0" name="attributeConsumingServiceIndex"
-            id="attributeConsumingServiceIndex">
+        <input type="number" placeholder="-1" min="-1" name="attributeConsumingServiceIndex"
+               id="attributeConsumingServiceIndex">
 
         <h5>Attribute Consuming Service Name
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Name of the Attribute Consuming Service profile to advertise in the SP metadata.')">
+                 onclick="alert('Name of the Attribute Consuming Service profile to advertise in the SP metadata.')">
         </h5>
 
         <input type="text" class="input_text" name="attributeConsumingServiceName" id="attributeConsumingServiceName">
@@ -700,7 +705,7 @@ <h2 id="RequestedAuthnContextConstraints">Requested AuthnContext Constraints</h2
 
         <h5>Comparison
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Specifies the comparison method used to evaluate the requested context classes or statements. The default is *Exact*.')">
+                 onclick="alert('Specifies the comparison method used to evaluate the requested context classes or statements. The default is *Exact*.')">
         </h5>
 
         <select name="comparison" id="comparison">
@@ -714,10 +719,10 @@ <h5>Comparison
             <!-- Text input-->
             <div id="ClassRefs_items" class="form-group">
                 <h5> AuthnContext ClassRefs <img src="../../samlconfig/images/question.png" class="image"
-                        alt="question mark" onclick="alert('Ordered list of requested AuthnContext ClassRefs.')"> </h5>
+                                                 alt="question mark" onclick="alert('Ordered list of requested AuthnContext ClassRefs.')"> </h5>
                 <div class="col-md-4 margin-bottom">
                     <input id="authnContextClassRefs" class="input_text" name="authnContextClassRefs" type="text"
-                        class="form-control input-md">
+                           class="form-control input-md">
 
                 </div>
             </div>
@@ -730,10 +735,10 @@ <h5> AuthnContext ClassRefs <img src="../../samlconfig/images/question.png" clas
             <!-- Text input-->
             <div id="DeclRefs_items" class="form-group">
                 <h5> AuthnContext DeclRefs <img src="../../samlconfig/images/question.png" class="image"
-                        alt="question mark" onclick="alert('Ordered list of requested AuthnContext DeclRefs.')"> </h5>
+                                                alt="question mark" onclick="alert('Ordered list of requested AuthnContext DeclRefs.')"> </h5>
                 <div class="col-md-4 margin-bottom">
                     <input id="authnContextDeclRefs" class="input_text" name="authnContextDeclRefs" type="text"
-                        class="form-control input-md">
+                           class="form-control input-md">
 
                 </div>
             </div>
@@ -746,7 +751,7 @@ <h2 id="AdvancedSettings">Advanced Settings</h2>
 
         <h5>Store Tokens
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Enable/disable if tokens must be stored after authenticating users')">
+                 onclick="alert('Enable/disable if tokens must be stored after authenticating users')">
         </h5>
         <label class="switch">
             <input type="checkbox" name="storeToken" id="storeToken" value="false">
@@ -755,7 +760,7 @@ <h5>Store Tokens
 
         <h5>Stored Tokens Readable
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.')">
+                 onclick="alert('Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.')">
         </h5>
         <label class="switch">
             <input type="checkbox" name="storedTokensReadable" id="storedTokensReadable" value="false">
@@ -765,7 +770,7 @@ <h5>Stored Tokens Readable
 
         <h5>Trust Email
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('If enabled, email provided by this provider is not verified even if verification is enabled for the realm.')">
+                 onclick="alert('If enabled, email provided by this provider is not verified even if verification is enabled for the realm.')">
         </h5>
         <label class="switch">
 
@@ -775,7 +780,7 @@ <h5>Trust Email
 
         <h5>Account Linking Only
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('If true, users cannot log in through this provider. They can only link to this provider. This is useful if you do not want to allow login from the provider, but want to integrate with a provider')">
+                 onclick="alert('If true, users cannot log in through this provider. They can only link to this provider. This is useful if you do not want to allow login from the provider, but want to integrate with a provider')">
         </h5>
         <label class="switch">
 
@@ -785,7 +790,7 @@ <h5>Account Linking Only
 
         <h5>Hide on Login Page
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('If hidden, login with this provider is possible only if requested explicitly, for example using the *kc_idp_hint* parameter.')">
+                 onclick="alert('If hidden, login with this provider is possible only if requested explicitly, for example using the *kc_idp_hint* parameter.')">
         </h5>
         <label class="switch">
             <input type="checkbox" name="hideLoginPage" id="hideLoginPage" value="false">
@@ -795,7 +800,7 @@ <h5>Hide on Login Page
 
         <h5>First Login Flow
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Alias of authentication flow, which is triggered after first login with this identity provider. Term *First Login* means that no Keycloak account is currently linked to the authenticated identity provider account.')">
+                 onclick="alert('Alias of authentication flow, which is triggered after first login with this identity provider. Term *First Login* means that no Keycloak account is currently linked to the authenticated identity provider account.')">
         </h5>
         <select name="firstLoginFlow" id="firstLoginFlow">
             <option value="browser">browser</option>
@@ -808,7 +813,7 @@ <h5>First Login Flow
 
         <h5>Post Login Flow
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this to *None* if you need no any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.')">
+                 onclick="alert('Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this to *None* if you need no any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.')">
         </h5>
         <select name="postLoginFlow" id="postLoginFlow">
             <option value="browser">browser</option>
@@ -821,7 +826,7 @@ <h5>Post Login Flow
 
         <h5>Sync Mode
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. Possible values are: *legacy* to keep the behaviour before this option was introduced, *import* to only import the user once during first login of the user with this identity provider, *force* to always update the user during every login with this identity provider.')">
+                 onclick="alert('Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. Possible values are: *legacy* to keep the behaviour before this option was introduced, *import* to only import the user once during first login of the user with this identity provider, *force* to always update the user during every login with this identity provider.')">
         </h5>
         <select name="syncMode" id="syncMode">
             <option value="IMPORT">Import</option>
@@ -833,7 +838,7 @@ <h2 id="Metadata">Metadata</h2>
             <i class="fas fa-arrow-up arrow-icon" onclick="changeQuantity(1)"></i>
             <h5>Metadata expires in
                 <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                    onclick="alert('When set, sets the vaildUntil with the current data + setting')">
+                     onclick="alert('When set, sets the vaildUntil with the current data + setting')">
             </h5>
         </div>
         <div class="quantity-container">
@@ -848,23 +853,23 @@ <h5>Metadata expires in
         </div>
         <h5>Linked Providers
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('List of aliases that are linked to this one(and will be in the generated metadata).')">
+                 onclick="alert('List of aliases that are linked to this one(and will be in the generated metadata).')">
 
         </h5>
         <input type="text" class="input_text" name="Linked Providers" id="Linked_Providers">
 
         <script>
-            var quantityField = document.getElementById("quantity");
+          var quantityField = document.getElementById("quantity");
 
-            function changeQuantity(change) {
-                var currentValue = parseInt(quantityField.value);
+          function changeQuantity(change) {
+            var currentValue = parseInt(quantityField.value);
 
-                if (!isNaN(currentValue)) {
-                    quantityField.value = currentValue + change >= 0 ? currentValue + change : 0;
-                } else {
-                    quantityField.value = 0;
-                }
+            if (!isNaN(currentValue)) {
+              quantityField.value = currentValue + change >= 0 ? currentValue + change : 0;
+            } else {
+              quantityField.value = 0;
             }
+          }
         </script>
 
 
@@ -872,7 +877,7 @@ <h5>Linked Providers
         <h2 id="ArtifactResolution">Artifact Resolution</h2>
         <h5>Artifact Resolution
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Enable/disable signature vaildation of SAML responses.')">
+                 onclick="alert('Enable/disable signature vaildation of SAML responses.')">
         </h5>
         <label class="switch">
             <input type="checkbox" name="ArtifactResolution " value="false" id="Artifact_Resolution">
@@ -881,65 +886,65 @@ <h5>Artifact Resolution
 
         <h5>Artifact Resolution Endpoint
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Specifies the url for Artifact Resolution')">
+                 onclick="alert('Specifies the url for Artifact Resolution')">
         </h5>
         <input type="text" class="input_text" id="Artifact_Resolution_Endpoint" name="Artifact_Resolution_Endpoint"
-            disabled>
+               disabled>
 
         <h5> Artifact Resolution Service in metadata
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('This will include an artifactResolutionService in your metadata (sometimes required)')">
+                 onclick="alert('This will include an artifactResolutionService in your metadata (sometimes required)')">
 
         </h5>
         <label class="switch">
             <input type="checkbox" name="ArtifactResolutionService_in_metadata"
-                id="ArtifactResolutionService_in_metadata" value="false">
+                   id="ArtifactResolutionService_in_metadata" value="false">
             <span class="slider round"></span>
         </label>
 
 
         <h5>Sign Artifact Resolution Request
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('indicates whether to sign the Artifact Resloution Request')">
+                 onclick="alert('indicates whether to sign the Artifact Resloution Request')">
         </h5>
         <label class="switch">
 
             <input type="checkbox" name="Sign Artifact Resolution Request " id="Sign_Artifact_Resolution_Request"
-                value="false">
+                   value="false">
             <span class="slider round"></span>
         </label>
 
         <h5>ArtifactResolution via HTTP-ARTIFACT
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Use HTTP-Artifact binding instead of the default HTTP-POST binding')">
+                 onclick="alert('Use HTTP-Artifact binding instead of the default HTTP-POST binding')">
         </h5>
         <label class="switch">
             <input type="checkbox" name="ArtifactResolution_via_HTTP-ARTIFACT "
-                id="ArtifactResolution_via_HTTP_ARTIFACT" value="false">
+                   id="ArtifactResolution_via_HTTP_ARTIFACT" value="false">
             <span class="slider round"></span>
         </label>
         <h5>Artifact Resolution with SOAP
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('indicates whether to use Artifact Resloution with SOAP envelope.')">
+                 onclick="alert('indicates whether to use Artifact Resloution with SOAP envelope.')">
         </h5>
         <label class="switch">
             <input type="checkbox" name="Artifact_Resolution_with_SOAP " id="Artifact_Resolution_with_SOAP"
-                value="false">
+                   value="false">
             <span class="slider round"></span>
         </label>
 
         <h5>Artifact Resolution with XML header
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('indicates whether to add an XML header')">
+                 onclick="alert('indicates whether to add an XML header')">
         </h5>
         <label class="switch">
             <input type="checkbox" name="Artifact_Resolution_with_XML_header " id="Artifact_Resolution_with_XML_header"
-                value="false">
+                   value="false">
             <span class="slider round"></span>
         </label>
         <h5>CharacterSet
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Alias ​​van de authenticatiestroom, die wordt geactiveerd na de eerste aanmelding bij deze identiteitsprovider. De term *Eerste Login* betekent dat er momenteel geen Keycloak-account is gekoppeld aan het geauthenticeerde identiteitsprovideraccount.')">
+                 onclick="alert('Alias ​​van de authenticatiestroom, die wordt geactiveerd na de eerste aanmelding bij deze identiteitsprovider. De term *Eerste Login* betekent dat er momenteel geen Keycloak-account is gekoppeld aan het geauthenticeerde identiteitsprovideraccount.')">
         </h5>
 
         <select name="CharacterSet" id="CharacterSet">
@@ -950,7 +955,7 @@ <h5>CharacterSet
         </select>
         <h5>Mutual TLS
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                onclick="alert('Use Mutual TLS for Artifact Resolution .')">
+                 onclick="alert('Use Mutual TLS for Artifact Resolution .')">
         </h5>
         <label class="switch">
             <input type="checkbox" name="Mutual_TLS" id="Mutual_TLS" value="false">
@@ -962,14 +967,14 @@ <h2>Edit Attribute Consuming Service</h2>
         </div>
         <script>
 
-            var attributeServicesArray = [];
+          var attributeServicesArray = [];
 
-            function addFields(event) {
-                event.preventDefault();
-                var attributeServicesDiv = document.getElementById('attributeServices');
-                var newFieldsDiv = document.createElement('div');
-                newFieldsDiv.classList.add('attribute-consuming-service'); // Add class 'attribute-consuming-service'
-                newFieldsDiv.innerHTML = `
+          function addFields(event) {
+            event.preventDefault();
+            var attributeServicesDiv = document.getElementById('attributeServices');
+            var newFieldsDiv = document.createElement('div');
+            newFieldsDiv.classList.add('attribute-consuming-service'); // Add class 'attribute-consuming-service'
+            newFieldsDiv.innerHTML = `
             <label for="serviceName">Service Name:</label>
             <input type="text" class="serviceName" placeholder="Enter Service Name">
             <label for="friendlyName">Friendly Name:</label>
@@ -980,45 +985,45 @@ <h2>Edit Attribute Consuming Service</h2>
             <input type="text" class="attributeValue" placeholder="Enter Attribute Value">
             <button onclick="deleteForm(this.parentNode)" class="btn">Delete</button>
         `;
-                attributeServicesDiv.appendChild(newFieldsDiv);
-            }
-
-
-            function deleteForm(form) {
-                form.remove(); // Remove the form element from the DOM
-                var index = form.dataset.index;
-
-                // Remove the form data from the array
-                attributeServicesArray = attributeServicesArray.filter(service => service.index !== parseInt(index));
-
-                // Update index for remaining forms
-                var forms = document.querySelectorAll('.attribute-consuming-service');
-                forms.forEach(function(form, idx) {
-                    form.dataset.index = idx;
-                });
-
-            }
-
-            function addAttributeService(form) {
-
-                var serviceName = form.querySelector('.serviceName').value.trim();
-                var attributeValue = form.querySelector('.attributeValue').value.trim();
-                var friendlyName = form.querySelector('.friendlyName').value.trim();
-                var attributeName=form.querySelector('.attributeName').value.trim();
-                if (serviceName !== "" && attributeValue !== "" && friendlyName !== "") {
-                    var index = Array.from(document.querySelectorAll('.attribute-consuming-service')).indexOf(form);
-                    if (index !== -1) {
-                        attributeServicesArray[index] = {
-                            serviceName: serviceName,
-                            attributeValue: attributeValue,
-                            friendlyName: friendlyName,
-                            attributeName:attributeName
-                        };
-                    }
-                } else {
-                    alert("Please enter valid values for Service Name, Attribute Value, and Friendly Name.");
-                }
+            attributeServicesDiv.appendChild(newFieldsDiv);
+          }
+
+
+          function deleteForm(form) {
+            form.remove(); // Remove the form element from the DOM
+            var index = form.dataset.index;
+
+            // Remove the form data from the array
+            attributeServicesArray = attributeServicesArray.filter(service => service.index !== parseInt(index));
+
+            // Update index for remaining forms
+            var forms = document.querySelectorAll('.attribute-consuming-service');
+            forms.forEach(function(form, idx) {
+              form.dataset.index = idx;
+            });
+
+          }
+
+          function addAttributeService(form) {
+
+            var serviceName = form.querySelector('.serviceName').value.trim();
+            var attributeValue = form.querySelector('.attributeValue').value.trim();
+            var friendlyName = form.querySelector('.friendlyName').value.trim();
+            var attributeName=form.querySelector('.attributeName').value.trim();
+            if (serviceName !== "" && attributeValue !== "" && friendlyName !== "") {
+              var index = Array.from(document.querySelectorAll('.attribute-consuming-service')).indexOf(form);
+              if (index !== -1) {
+                attributeServicesArray[index] = {
+                  serviceName: serviceName,
+                  attributeValue: attributeValue,
+                  friendlyName: friendlyName,
+                  attributeName:attributeName
+                };
+              }
+            } else {
+              alert("Please enter valid values for Service Name, Attribute Value, and Friendly Name.");
             }
+          }
 
 
         </script>
diff --git a/src/test/e2e/.env.example b/src/test/e2e/.env.example
new file mode 100644
index 0000000..1261a88
--- /dev/null
+++ b/src/test/e2e/.env.example
@@ -0,0 +1,4 @@
+KEYCLOAK_URL=http://localhost:8081
+KEYCLOAK_REALM=master
+KEYCLOAK_USER=
+KEYCLOAK_PASSWORD=
diff --git a/src/test/e2e/config.js b/src/test/e2e/config.js
new file mode 100644
index 0000000..3351c8f
--- /dev/null
+++ b/src/test/e2e/config.js
@@ -0,0 +1,17 @@
+require('dotenv').config();
+
+const required = ['KEYCLOAK_USER', 'KEYCLOAK_PASSWORD'];
+const missing = required.filter(k => !process.env[k]);
+if (missing.length > 0) {
+    console.error(`Missing required environment variables: ${missing.join(', ')}`);
+    console.error('Set them in src/test/e2e/.env or as environment variables.');
+    console.error('See src/test/e2e/.env.example for the expected format.');
+    process.exit(1);
+}
+
+module.exports = {
+    baseUrl:  process.env.KEYCLOAK_URL  || 'http://localhost:8081',
+    realm:    process.env.KEYCLOAK_REALM || 'master',
+    username: process.env.KEYCLOAK_USER,
+    password: process.env.KEYCLOAK_PASSWORD,
+};
diff --git a/src/test/e2e/package-lock.json b/src/test/e2e/package-lock.json
new file mode 100644
index 0000000..1fef921
--- /dev/null
+++ b/src/test/e2e/package-lock.json
@@ -0,0 +1,72 @@
+{
+  "name": "e2e-tests",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "e2e-tests",
+      "version": "1.0.0",
+      "dependencies": {
+        "dotenv": "^16.0.0",
+        "playwright": "*"
+      }
+    },
+    "node_modules/dotenv": {
+      "version": "16.6.1",
+      "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.6.1.tgz",
+      "integrity": "sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://dotenvx.com"
+      }
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/playwright": {
+      "version": "1.59.1",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.59.1.tgz",
+      "integrity": "sha512-C8oWjPR3F81yljW9o5OxcWzfh6avkVwDD2VYdwIGqTkl+OGFISgypqzfu7dOe4QNLL2aqcWBmI3PMtLIK233lw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "playwright-core": "1.59.1"
+      },
+      "bin": {
+        "playwright": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "fsevents": "2.3.2"
+      }
+    },
+    "node_modules/playwright-core": {
+      "version": "1.59.1",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.59.1.tgz",
+      "integrity": "sha512-HBV/RJg81z5BiiZ9yPzIiClYV/QMsDCKUyogwH9p3MCP6IYjUFu/MActgYAvK0oWyV9NlwM3GLBjADyWgydVyg==",
+      "license": "Apache-2.0",
+      "bin": {
+        "playwright-core": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    }
+  }
+}
diff --git a/src/test/e2e/package.json b/src/test/e2e/package.json
new file mode 100644
index 0000000..a88ba45
--- /dev/null
+++ b/src/test/e2e/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "e2e-tests",
+  "version": "1.0.0",
+  "private": true,
+  "scripts": {
+    "test": "node test-artifact-binding.js && node test-add-provider.js",
+    "test:edit": "node test-artifact-binding.js",
+    "test:add": "node test-add-provider.js"
+  },
+  "dependencies": {
+    "dotenv": "^16.0.0",
+    "playwright": "1.59.1"
+  }
+}
diff --git a/src/test/e2e/test-add-provider.js b/src/test/e2e/test-add-provider.js
new file mode 100644
index 0000000..a1bfb29
--- /dev/null
+++ b/src/test/e2e/test-add-provider.js
@@ -0,0 +1,188 @@
+const { firefox } = require('playwright');
+const { baseUrl, realm, username, password } = require('./config');
+
+const TEST_ALIAS = 'test-artifact-binding';
+const FAKE_SSO_URL = 'https://example.com/sso';
+const IDP_ENTITY_ID = 'test123';
+
+async function handleLoginIfPresent(page) {
+    const url = page.url();
+    if (url.includes('/protocol/openid-connect/auth') || url.includes('login-actions') || url.includes('/login')) {
+        console.log('Login page detected, logging in...');
+        await page.fill('#username', username);
+        await page.fill('#password', password);
+        await page.click('#kc-login');
+        await page.waitForTimeout(1000);
+        return true;
+    }
+    return false;
+}
+
+(async () => {
+    const browser = await firefox.launch({ headless: true });
+    const page = await browser.newPage();
+
+    page.on('framenavigated', async (frame) => {
+        if (frame === page.mainFrame()) console.log('Navigated to:', frame.url());
+    });
+
+    page.on('dialog', async dialog => {
+        console.log(`Dialog: "${dialog.message()}"`);
+        await dialog.accept();
+    });
+
+    page.on('response', async response => {
+        if (response.url().includes('/identity-provider/instances') && ['POST','DELETE'].includes(response.request().method())) {
+            const status = response.status();
+            console.log(`API ${response.request().method()} /identity-provider/instances → ${status}`);
+            if (status >= 400) {
+                try { console.log('API error:', await response.text()); } catch {}
+            }
+        }
+    });
+
+    // ── Login via realm page ──────────────────────────────────────────────────
+    console.log('Navigating to realm page...');
+    await page.goto(`${baseUrl}/realms/${realm}/samlconfig/pages/realm`);
+    await page.waitForTimeout(500);
+    await page.fill('#realmNameInput', 'master');
+    await page.click('button:has-text("Login with Keycloak")');
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page);
+    await page.waitForTimeout(1000);
+
+    // Reload so the Keycloak adapter initialises via the active session cookie
+    console.log('Reloading list page...');
+    await page.reload();
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page);
+
+    // Wait for realm dropdown to be populated, then select master
+    await page.waitForFunction(() => document.querySelector('#Realms option[value="master"]') !== null, { timeout: 10000 });
+    await page.selectOption('#Realms', 'master');
+
+    // ── Navigate to Add Provider via the Add button on the list page ──────────
+    console.log('\nOpening add provider page...');
+    const addBtn = await page.$('a[href*="addprovider"], button:has-text("Add provider"), a:has-text("Add")');
+    if (addBtn) {
+        await addBtn.click();
+    } else {
+        await page.goto(`${baseUrl}/realms/${realm}/samlconfig/pages/addprovider`);
+    }
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page);
+    await page.waitForTimeout(500);
+
+    // ── Disable "Use Entity Descriptor" ───────────────────────────────────────
+    console.log('Disabling use entity descriptor...');
+    const useEntityDescriptor = await page.$('#useEntityDescriptor');
+    if (useEntityDescriptor && await useEntityDescriptor.evaluate(el => el.checked)) {
+        const edLabel = await page.$('label:has(#useEntityDescriptor) span.slider');
+        if (edLabel) await edLabel.click();
+        else await useEntityDescriptor.evaluate(el => el.click());
+        await page.waitForTimeout(500);
+    }
+
+    // ── Fill required fields ──────────────────────────────────────────────────
+    console.log(`Filling alias: "${TEST_ALIAS}"`);
+    await page.fill('#alias', TEST_ALIAS);
+    console.log(`Filling IDP entity ID: "${IDP_ENTITY_ID}"`);
+    await page.fill('#idpEntityId', IDP_ENTITY_ID);
+    console.log(`Filling SSO URL: "${FAKE_SSO_URL}"`);
+    await page.fill('#ssoServiceUrl', FAKE_SSO_URL);
+
+    // ── Validate initial state of artifactBindingResponse ─────────────────────
+    const artifactCheckbox = await page.$('#artifactBindingResponse');
+    if (!artifactCheckbox) {
+        console.log('ERROR: #artifactBindingResponse not found!');
+        await browser.close();
+        return;
+    }
+    await artifactCheckbox.scrollIntoViewIfNeeded();
+    const initialState = await artifactCheckbox.evaluate(el => el.checked);
+    console.log(`\n  artifactBindingResponse initial state: ${initialState}`);
+    if (initialState !== false) {
+        console.log('FAIL: expected initial state to be false');
+    } else {
+        console.log('  initial state is false ✓');
+    }
+
+    // ── Toggle artifactBindingResponse to true ────────────────────────────────
+    const slider = await page.$('#artifactBindingResponse + span.slider');
+    if (slider) await slider.click();
+    else await artifactCheckbox.evaluate(el => el.click());
+    const afterToggle = await artifactCheckbox.evaluate(el => el.checked);
+    console.log(`  artifactBindingResponse after toggle: ${afterToggle}`);
+
+    // ── Save ──────────────────────────────────────────────────────────────────
+    console.log('\nSaving...');
+    const submitBtn = await page.$('#submit');
+    if (!submitBtn) {
+        console.log('ERROR: #submit not found');
+        await browser.close();
+        return;
+    }
+    await submitBtn.click({ force: true });
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page);
+    await page.waitForTimeout(1000);
+
+    // ── Verify on editprovider page ───────────────────────────────────────────
+    const currentUrl = page.url();
+    console.log(`\nCurrent URL after save: ${currentUrl}`);
+    if (!currentUrl.includes('editprovider')) {
+        console.log('WARNING: not on editprovider page, navigating there...');
+        await page.goto(`${baseUrl}/realms/${realm}/samlconfig/pages/list`);
+        await page.waitForTimeout(1000);
+        await handleLoginIfPresent(page);
+        await page.waitForTimeout(500);
+        await page.click(`text=${TEST_ALIAS}`);
+        await page.waitForTimeout(1000);
+        await handleLoginIfPresent(page);
+        await page.waitForTimeout(500);
+    }
+
+    const editCheckbox = await page.$('#artifactBindingResponse');
+    let allPassed = (initialState === false);
+    if (!editCheckbox) {
+        console.log('ERROR: #artifactBindingResponse not found on edit page!');
+        allPassed = false;
+    } else {
+        const persisted = await editCheckbox.evaluate(el => el.checked);
+        const pass = persisted === true;
+        console.log(`  artifactBindingResponse on edit page: ${persisted} — ${pass ? 'PASS' : 'FAIL (expected true)'}`);
+        allPassed = allPassed && pass;
+    }
+
+    // ── Delete from list page ─────────────────────────────────────────────────
+    console.log('\nDeleting test provider from list...');
+    await page.goto(`${baseUrl}/realms/${realm}/samlconfig/pages/list`);
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page);
+    await page.waitForTimeout(1000);
+
+    const deleteClicked = await page.evaluate((alias) => {
+        const rows = document.querySelectorAll('table tr');
+        for (const row of rows) {
+            const cells = row.querySelectorAll('td');
+            if (cells.length > 0 && cells[0].textContent.trim() === alias) {
+                const btn = Array.from(row.querySelectorAll('button')).find(b => b.textContent.trim() === 'Delete');
+                if (btn) { btn.click(); return true; }
+            }
+        }
+        return false;
+    }, TEST_ALIAS);
+
+    if (!deleteClicked) {
+        console.log('WARNING: could not find delete button for test provider');
+    }
+    await page.waitForTimeout(1000);
+
+    const providers = await page.$$eval('table tr td:first-child', els => els.map(e => e.textContent.trim()));
+    const deleted = !providers.includes(TEST_ALIAS);
+    console.log(`  provider deleted: ${deleted ? 'PASS' : 'FAIL (still present in list)'}`);
+    allPassed = allPassed && deleted;
+
+    console.log(`\n${allPassed ? 'ALL TESTS PASSED' : 'SOME TESTS FAILED'}`);
+    await browser.close();
+})();
diff --git a/src/test/e2e/test-artifact-binding.js b/src/test/e2e/test-artifact-binding.js
new file mode 100644
index 0000000..af39794
--- /dev/null
+++ b/src/test/e2e/test-artifact-binding.js
@@ -0,0 +1,123 @@
+const { firefox } = require('playwright');
+const { baseUrl, realm, username, password } = require('./config');
+
+async function handleLoginIfPresent(page) {
+    const url = page.url();
+    if (url.includes('/protocol/openid-connect/auth') || url.includes('login-actions') || url.includes('/login')) {
+        console.log('Login page detected, logging in...');
+        await page.fill('#username', username);
+        await page.fill('#password', password);
+        await page.click('#kc-login');
+        await page.waitForTimeout(1000);
+        return true;
+    }
+    return false;
+}
+
+async function openEditPage(page, providerName) {
+    await page.goto(`${baseUrl}/realms/${realm}/samlconfig/pages/list`);
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page);
+    await page.waitForTimeout(500);
+    await page.click(`text=${providerName}`);
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page);
+    await page.waitForTimeout(500);
+}
+
+async function toggleAndSave(page, providerName) {
+    const checkbox = await page.$('#artifactBindingResponse');
+    if (!checkbox) { console.log('ERROR: #artifactBindingResponse not found!'); return null; }
+
+    await checkbox.scrollIntoViewIfNeeded();
+    const before = await checkbox.evaluate(el => el.checked);
+    console.log(`  before: ${before}`);
+
+    const slider = await page.$('#artifactBindingResponse + span.slider');
+    if (slider) await slider.click();
+    else await checkbox.evaluate(el => el.click());
+    const after = await checkbox.evaluate(el => el.checked);
+    console.log(`  after toggle: ${after}`);
+
+    const saveBtn = await page.$('button:has-text("Save"), button:has-text("Edit"), input[type="submit"]');
+    if (saveBtn) { await saveBtn.click(); await page.waitForTimeout(1000); }
+    else { console.log('WARNING: save button not found'); }
+
+    return { before, after };
+}
+
+async function verifyPersisted(page, providerName, expected) {
+    await openEditPage(page, providerName);
+    const checkbox = await page.$('#artifactBindingResponse');
+    if (!checkbox) { console.log('ERROR: #artifactBindingResponse not found after reload!'); return false; }
+    const persisted = await checkbox.evaluate(el => el.checked);
+    const pass = persisted === expected;
+    console.log(`  after reload: ${persisted} — ${pass ? 'PASS' : `FAIL (expected ${expected})`}`);
+    return pass;
+}
+
+(async () => {
+    const browser = await firefox.launch({ headless: true });
+    const page = await browser.newPage();
+
+    page.on('framenavigated', async (frame) => {
+        if (frame === page.mainFrame()) console.log('Navigated to:', frame.url());
+    });
+
+    // Navigate to realm page, fill realm name and click login button
+    console.log('Navigating to realm page...');
+    await page.goto(`${baseUrl}/realms/${realm}/samlconfig/pages/realm`);
+    await page.waitForTimeout(500);
+    await page.fill('#realmNameInput', 'master');
+    await page.click('button:has-text("Login with Keycloak")');
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page);
+    await page.waitForTimeout(1000);
+
+    // Reload so the Keycloak adapter initialises via the active session cookie
+    console.log('Reloading list page...');
+    await page.reload();
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page);
+
+    // Wait for realm dropdown to be populated, then select master
+    await page.waitForFunction(() => document.querySelector('#Realms option[value="master"]') !== null, { timeout: 10000 });
+    await page.selectOption('#Realms', 'master');
+
+    // Wait for the providers table to appear
+    await page.waitForSelector('table tr td:first-child', { timeout: 10000 });
+    const providers = await page.$$eval('table tr td:first-child', els => els.map(e => e.textContent.trim()));
+    console.log('Providers found:', providers);
+    if (providers.length === 0) {
+        console.log('No providers found.');
+        await browser.close();
+        return;
+    }
+
+    const providerName = providers[0];
+    let allPassed = true;
+
+    // Transition 1: read current state, toggle it, verify
+    console.log(`\n--- Transition 1: toggle current state ---`);
+    await page.click(`text=${providerName}`);
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page);
+    await page.waitForTimeout(500);
+
+    const t1 = await toggleAndSave(page, providerName);
+    if (t1) {
+        const pass1 = await verifyPersisted(page, providerName, t1.after);
+        allPassed = allPassed && pass1;
+
+        // Transition 2: toggle back to original state, verify
+        console.log(`\n--- Transition 2: toggle back ---`);
+        const t2 = await toggleAndSave(page, providerName);
+        if (t2) {
+            const pass2 = await verifyPersisted(page, providerName, t2.after);
+            allPassed = allPassed && pass2;
+        }
+    }
+
+    console.log(`\n${allPassed ? 'ALL TESTS PASSED' : 'SOME TESTS FAILED'}`);
+    await browser.close();
+})();
diff --git a/src/test/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfigTest.java b/src/test/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfigTest.java
new file mode 100644
index 0000000..824bc0e
--- /dev/null
+++ b/src/test/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfigTest.java
@@ -0,0 +1,339 @@
+package nl.first8.keycloak.broker.saml;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+import java.util.function.BiConsumer;
+import java.util.function.Function;
+import java.util.function.Predicate;
+import java.util.stream.Stream;
+
+import static nl.first8.keycloak.broker.saml.SAMLIdentityProviderConfig.*;
+import static org.junit.jupiter.api.Assertions.*;
+
+class SAMLIdentityProviderConfigTest {
+
+    private SAMLIdentityProviderConfig config;
+
+    @BeforeEach
+    void setUp() {
+        config = new SAMLIdentityProviderConfig();
+    }
+
+    // -------------------------------------------------------------------------
+    // artifactBindingResponse (existing tests kept as-is)
+    // -------------------------------------------------------------------------
+
+    @Test
+    void artifactBindingResponseConstantHasExpectedKey() {
+        assertEquals("artifactBindingResponse", ARTIFACT_BINDING_RESPONSE);
+    }
+
+    @Test
+    void isArtifactBindingResponseReturnsFalseWhenNotSet() {
+        assertFalse(config.isArtifactBindingResponse());
+    }
+
+    @Test
+    void setArtifactBindingResponseTrueStoresStringInConfigMap() {
+        config.setArtifactBindingResponse(true);
+
+        assertEquals("true", config.getConfig().get(ARTIFACT_BINDING_RESPONSE));
+    }
+
+    @Test
+    void setArtifactBindingResponseFalseStoresStringInConfigMap() {
+        config.setArtifactBindingResponse(false);
+
+        assertEquals("false", config.getConfig().get(ARTIFACT_BINDING_RESPONSE));
+    }
+
+    @Test
+    void isArtifactBindingResponseReturnsTrueAfterSetTrue() {
+        config.setArtifactBindingResponse(true);
+
+        assertTrue(config.isArtifactBindingResponse());
+    }
+
+    @Test
+    void isArtifactBindingResponseReturnsFalseAfterSetFalse() {
+        config.setArtifactBindingResponse(true);
+        config.setArtifactBindingResponse(false);
+
+        assertFalse(config.isArtifactBindingResponse());
+    }
+
+    // -------------------------------------------------------------------------
+    // Group 1: simple boolean properties (parameterized)
+    // -------------------------------------------------------------------------
+
+    record BooleanProperty(
+        String key,
+        BiConsumer<SAMLIdentityProviderConfig, Boolean> setter,
+        Predicate<SAMLIdentityProviderConfig> getter
+    ) {}
+
+    static Stream<BooleanProperty> booleanProperties() {
+        return Stream.of(
+            new BooleanProperty(ARTIFACT_RESOLUTION,
+                SAMLIdentityProviderConfig::setArtifactResolution,
+                SAMLIdentityProviderConfig::isArtifactResolution),
+            new BooleanProperty(ARTIFACT_RESOLUTION_WITH_XML_HEADER,
+                SAMLIdentityProviderConfig::setArtifactResolutionWithXmlHeader,
+                SAMLIdentityProviderConfig::isArtifactResolutionWithXmlHeader),
+            new BooleanProperty(ARTIFACT_RESOLUTION_SERVICE_METADATA,
+                SAMLIdentityProviderConfig::setIncludeArtifactResolutionServiceMetadata,
+                SAMLIdentityProviderConfig::isIncludeArtifactResolutionServiceMetadata),
+            new BooleanProperty(ARTIFACT_RESOLUTION_SOAP,
+                SAMLIdentityProviderConfig::setArtifactResolutionSOAP,
+                SAMLIdentityProviderConfig::isArtifactResolutionSOAP),
+            new BooleanProperty(SIGN_ARTIFACT_RESOLUTION_REQUEST,
+                SAMLIdentityProviderConfig::setSignArtifactResolutionRequest,
+                SAMLIdentityProviderConfig::isSignArtifactResolutionRequest),
+            new BooleanProperty(ARTIFACT_RESOLUTION_MUTUAL_TLS,
+                SAMLIdentityProviderConfig::setMutualTls,
+                SAMLIdentityProviderConfig::isMutualTLS),
+            new BooleanProperty(IGNORE_SAML_ADVICE_NODES,
+                SAMLIdentityProviderConfig::setIgnoreSamlAdviceNodes,
+                SAMLIdentityProviderConfig::isIgnoreSamlAdviceNodes),
+            new BooleanProperty(SIGN_SP_METADATA,
+                SAMLIdentityProviderConfig::setSignSpMetadata,
+                SAMLIdentityProviderConfig::isSignSpMetadata),
+            new BooleanProperty(ALLOW_CREATE,
+                SAMLIdentityProviderConfig::setAllowCreated,
+                SAMLIdentityProviderConfig::isAllowCreate)
+        );
+    }
+
+    @ParameterizedTest(name = "{0}")
+    @MethodSource("booleanProperties")
+    void booleanPropertyDefaultsFalse(BooleanProperty prop) {
+        assertFalse(prop.getter().test(config));
+    }
+
+    @ParameterizedTest(name = "{0}")
+    @MethodSource("booleanProperties")
+    void booleanPropertySetTrueRoundTrips(BooleanProperty prop) {
+        prop.setter().accept(config, true);
+
+        assertTrue(prop.getter().test(config));
+        assertEquals("true", config.getConfig().get(prop.key()));
+    }
+
+    @ParameterizedTest(name = "{0}")
+    @MethodSource("booleanProperties")
+    void booleanPropertySetFalseRoundTrips(BooleanProperty prop) {
+        prop.setter().accept(config, true);
+        prop.setter().accept(config, false);
+
+        assertFalse(prop.getter().test(config));
+        assertEquals("false", config.getConfig().get(prop.key()));
+    }
+
+    // -------------------------------------------------------------------------
+    // Group 2: useMetadataDescriptorUrl (special: false/null removes key)
+    // -------------------------------------------------------------------------
+
+    @Test
+    void setUseMetadataDescriptorUrlTrueStoresKeyAndGetterReturnsTrue() {
+        config.setUseMetadataDescriptorUrl(true);
+
+        assertTrue(config.isUseMetadataDescriptorUrl());
+        assertEquals("true", config.getConfig().get(USE_METADATA_DESCRIPTOR_URL));
+    }
+
+    @Test
+    void setUseMetadataDescriptorUrlFalseRemovesKey() {
+        config.setUseMetadataDescriptorUrl(true);
+        config.setUseMetadataDescriptorUrl(false);
+
+        assertFalse(config.isUseMetadataDescriptorUrl());
+        assertFalse(config.getConfig().containsKey(USE_METADATA_DESCRIPTOR_URL));
+    }
+
+    @Test
+    void setUseMetadataDescriptorUrlNullRemovesKey() {
+        config.setUseMetadataDescriptorUrl(true);
+        config.setUseMetadataDescriptorUrl(null);
+
+        assertFalse(config.isUseMetadataDescriptorUrl());
+        assertFalse(config.getConfig().containsKey(USE_METADATA_DESCRIPTOR_URL));
+    }
+
+    // -------------------------------------------------------------------------
+    // Group 3: simple string properties (parameterized)
+    // -------------------------------------------------------------------------
+
+    record StringProperty(
+        String key,
+        BiConsumer<SAMLIdentityProviderConfig, String> setter,
+        Function<SAMLIdentityProviderConfig, String> getter
+    ) {}
+
+    static Stream<StringProperty> stringProperties() {
+        return Stream.of(
+            new StringProperty(ARTIFACT_RESOLUTION_ENDPOINT,
+                SAMLIdentityProviderConfig::setArtifactResolutionEndpoint,
+                SAMLIdentityProviderConfig::getArtifactResolutionEndpoint),
+            new StringProperty(AUTHN_REQUEST_SCOPING,
+                SAMLIdentityProviderConfig::setScoping,
+                SAMLIdentityProviderConfig::getScoping),
+            new StringProperty(ATTRIBUTE_CONSUMING_SERVICE_NAME,
+                SAMLIdentityProviderConfig::setAttributeConsumingServiceName,
+                SAMLIdentityProviderConfig::getAttributeConsumingServiceName),
+            new StringProperty(ATTRIBUTE_CONSUMING_SERVICE_METADATA,
+                SAMLIdentityProviderConfig::setAttributeConsumingServiceMetadata,
+                SAMLIdentityProviderConfig::getAttributeConsumingService)
+        );
+    }
+
+    @ParameterizedTest(name = "{0}")
+    @MethodSource("stringProperties")
+    void stringPropertyDefaultsNull(StringProperty prop) {
+        assertNull(prop.getter().apply(config));
+    }
+
+    @ParameterizedTest(name = "{0}")
+    @MethodSource("stringProperties")
+    void stringPropertyRoundTrips(StringProperty prop) {
+        prop.setter().accept(config, "test-value");
+
+        assertEquals("test-value", prop.getter().apply(config));
+        assertEquals("test-value", config.getConfig().get(prop.key()));
+    }
+
+    // -------------------------------------------------------------------------
+    // Group 4: charSet
+    // -------------------------------------------------------------------------
+
+    @Test
+    void getCharSetReturnsUtf8WhenNotSet() {
+        assertEquals(StandardCharsets.UTF_8, config.getCharSet());
+    }
+
+    @Test
+    void setCharSetRoundTrips() {
+        config.setCharSet("ISO-8859-1");
+
+        assertEquals(Charset.forName("ISO-8859-1"), config.getCharSet());
+    }
+
+    // -------------------------------------------------------------------------
+    // Group 5: assertionConsumingServiceIndex
+    // -------------------------------------------------------------------------
+
+    @Test
+    void getAssertionConsumingServiceIndexReturnsNullWhenNotSet() {
+        assertNull(config.getAssertionConsumingServiceIndex());
+    }
+
+    @Test
+    void setAssertionConsumingServiceIndexRoundTrips() {
+        config.setAssertionConsumingServiceIndex(5);
+
+        assertEquals(5, config.getAssertionConsumingServiceIndex());
+        assertEquals("5", config.getConfig().get(ASSERTION_CONSUMING_SERVICE_INDEX));
+    }
+
+    // -------------------------------------------------------------------------
+    // Group 6: metadataValidUntilUnit and metadataValidUntilPeriod
+    // NOTE: setMetadataValidUntilPeriod writes to METADATA_VALID_UNTIL_UNIT (wrong key)
+    //       — the failing test below documents this bug pending a fix.
+    // -------------------------------------------------------------------------
+
+    @Test
+    void getMetadataValidUntilUnitReturnsNullWhenNotSet() {
+        assertNull(config.getMetadataValidUntilUnit());
+    }
+
+    @Test
+    void setMetadataValidUntilUnitRoundTrips() {
+        config.setMetadataValidUntilUnit(3);
+
+        assertEquals(3, config.getMetadataValidUntilUnit());
+        assertEquals("3", config.getConfig().get(METADATA_VALID_UNTIL_UNIT));
+    }
+
+    @Test
+    void getMetadataValidUntilPeriodReturnsNullWhenNotSet() {
+        assertNull(config.getMetadataValidUntilPeriod());
+    }
+
+    @Test
+        // BUG: setMetadataValidUntilPeriod stores under METADATA_VALID_UNTIL_UNIT instead of METADATA_VALID_UNTIL_PERIOD
+    void setMetadataValidUntilPeriodRoundTrips() {
+        config.setMetadataValidUntilPeriod(7);
+
+        assertEquals(7, config.getMetadataValidUntilPeriod());
+        assertEquals("7", config.getConfig().get(METADATA_VALID_UNTIL_PERIOD));
+    }
+
+    // -------------------------------------------------------------------------
+    // Group 7: attributeConsumingServiceIndex (special: negative/null removes key)
+    // -------------------------------------------------------------------------
+
+    @Test
+    void getAttributeConsumingServiceIndexReturnsNullWhenNotSet() {
+        assertNull(config.getAttributeConsumingServiceIndex());
+    }
+
+    @Test
+    void setAttributeConsumingServiceIndexPositiveRoundTrips() {
+        config.setAttributeConsumingServiceIndex(3);
+
+        assertEquals(3, config.getAttributeConsumingServiceIndex());
+        assertEquals("3", config.getConfig().get(ATTRIBUTE_CONSUMING_SERVICE_INDEX));
+    }
+
+    @Test
+    void setAttributeConsumingServiceIndexZeroRoundTrips() {
+        config.setAttributeConsumingServiceIndex(0);
+
+        assertEquals(0, config.getAttributeConsumingServiceIndex());
+    }
+
+    @Test
+    void setAttributeConsumingServiceIndexNegativeRemovesKeyAndReturnsNull() {
+        config.setAttributeConsumingServiceIndex(3);
+        config.setAttributeConsumingServiceIndex(-1);
+
+        assertNull(config.getAttributeConsumingServiceIndex());
+        assertFalse(config.getConfig().containsKey(ATTRIBUTE_CONSUMING_SERVICE_INDEX));
+    }
+
+    @Test
+    void setAttributeConsumingServiceIndexNullRemovesKeyAndReturnsNull() {
+        config.setAttributeConsumingServiceIndex(3);
+        config.setAttributeConsumingServiceIndex(null);
+
+        assertNull(config.getAttributeConsumingServiceIndex());
+        assertFalse(config.getConfig().containsKey(ATTRIBUTE_CONSUMING_SERVICE_INDEX));
+    }
+
+    // -------------------------------------------------------------------------
+    // Group 8: linkedProviders
+    // -------------------------------------------------------------------------
+
+    @Test
+    void getLinkedProvidersReturnsEmptyListWhenNotSet() {
+        assertTrue(config.getLinkedProviders().isEmpty());
+    }
+
+    @Test
+    void setLinkedProvidersRoundTrips() {
+        config.setLinkedProviders("provider1");
+
+        assertEquals(java.util.List.of("provider1"), config.getLinkedProviders());
+    }
+
+    @Test
+    void setLinkedProvidersNullReturnsEmptyList() {
+        config.setLinkedProviders(null);
+
+        assertTrue(config.getLinkedProviders().isEmpty());
+    }
+}
diff --git a/src/test/java/nl/first8/keycloak/dom/saml/v2/assertion/EncryptionTest.java b/src/test/java/nl/first8/keycloak/dom/saml/v2/assertion/EncryptionTest.java
index ba3cfb3..cf578df 100644
--- a/src/test/java/nl/first8/keycloak/dom/saml/v2/assertion/EncryptionTest.java
+++ b/src/test/java/nl/first8/keycloak/dom/saml/v2/assertion/EncryptionTest.java
@@ -1,5 +1,6 @@
 package nl.first8.keycloak.dom.saml.v2.assertion;
 
+import org.jboss.logging.Logger;
 import org.junit.jupiter.api.Test;
 
 import javax.crypto.BadPaddingException;
@@ -17,37 +18,38 @@
 
 public class EncryptionTest {
 
+    private static final Logger logger = Logger.getLogger(EncryptionTest.class);
 
     private static String algorithm = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
 
     @Test
     void testEncryption() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidAlgorithmParameterException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException, InvalidKeyException {
-        System.out.println("RSA 2048 encryption OAEP SHA-256 string");
+        logger.debug("RSA 2048 encryption OAEP SHA-256 string");
 
         String dataToEncryptString = "The quick brown fox jumps over the lazy dog";
         byte[] dataToEncrypt = dataToEncryptString.getBytes(StandardCharsets.UTF_8);
-        System.out.println("plaintext: " + dataToEncryptString);
+        logger.debugf("plaintext: %s", dataToEncryptString);
 
         // encryption
-        System.out.println("\n* * * encrypt the plaintext with the RSA public key * * *");
+        logger.debug("* * * encrypt the plaintext with the RSA public key * * *");
         PublicKey publicKeyLoad = loadRsaPublicKeyPem();
         String ciphertextBase64 = base64Encoding(rsaEncryptionOaepSha256(publicKeyLoad, dataToEncrypt));
-        System.out.println("ciphertextBase64: " + ciphertextBase64);
+        logger.debugf("ciphertextBase64: %s", ciphertextBase64);
 
         // transport the encrypted data to recipient
 
         // receiving the encrypted data, decryption
-        System.out.println("\n* * * decrypt the ciphertext with the RSA private key * * *");
+        logger.debug("* * * decrypt the ciphertext with the RSA private key * * *");
         String ciphertextReceivedBase64 = ciphertextBase64;
-        System.out.println("ciphertextReceivedBase64: " + ciphertextReceivedBase64);
+        logger.debugf("ciphertextReceivedBase64: %s", ciphertextReceivedBase64);
         PrivateKey privateKeyLoad = loadRsaPrivateKeyPem();
         byte[] ciphertextReceived = base64Decoding(ciphertextReceivedBase64);
         byte[] decryptedtextByte = rsaDecryptionOaepSha256(privateKeyLoad, ciphertextReceived);
-        System.out.println("decryptedtext: " + new String(decryptedtextByte, StandardCharsets.UTF_8));
+        logger.debugf("decryptedtext: %s", new String(decryptedtextByte, StandardCharsets.UTF_8));
     }
 
     public static byte[] rsaEncryptionOaepSha256 (PublicKey publicKey, byte[] plaintextByte) throws NoSuchAlgorithmException,
-            InvalidKeyException, IllegalBlockSizeException, BadPaddingException, NoSuchPaddingException, InvalidAlgorithmParameterException {
+        InvalidKeyException, IllegalBlockSizeException, BadPaddingException, NoSuchPaddingException, InvalidAlgorithmParameterException {
         byte[] ciphertextByte = null;
         Cipher encryptCipher = Cipher.getInstance(algorithm);
         OAEPParameterSpec oaepParameterSpecJCE = new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
@@ -57,7 +59,7 @@ public static byte[] rsaEncryptionOaepSha256 (PublicKey publicKey, byte[] plaint
     }
 
     public static byte[] rsaDecryptionOaepSha256 (PrivateKey privateKey, byte[] ciphertextByte) throws NoSuchAlgorithmException,
-            NoSuchPaddingException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException, InvalidAlgorithmParameterException {
+        NoSuchPaddingException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException, InvalidAlgorithmParameterException {
         byte[] decryptedtextByte = null;
         Cipher decryptCipher = Cipher.getInstance(algorithm);
         OAEPParameterSpec oaepParameterSpecJCE = new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
@@ -90,13 +92,12 @@ private static PublicKey loadRsaPublicKeyPem() throws NoSuchAlgorithmException,
 
     private static byte[] getFileFromResource(String fileName) throws IOException {
         ClassLoader classLoader = EncryptionTest.class.getClassLoader();
-        try (InputStream inputStream = classLoader.getResourceAsStream(fileName)) {
+        InputStream inputStream = classLoader.getResourceAsStream(fileName);
 
-            if (inputStream == null) {
-                throw new IllegalArgumentException("file not found! " + fileName);
-            } else {
-                return inputStream.readAllBytes();
-            }
+        if (inputStream == null) {
+            throw new IllegalArgumentException("file not found! " + fileName);
+        } else {
+            return inputStream.readAllBytes();
         }
     }
 }
diff --git a/src/test/resources/logging.properties b/src/test/resources/logging.properties
new file mode 100644
index 0000000..4a4fdf0
--- /dev/null
+++ b/src/test/resources/logging.properties
@@ -0,0 +1,17 @@
+loggers=nl.first8
+
+logger.level=INFO
+logger.handlers=CONSOLE
+
+logger.nl.first8.level=DEBUG
+logger.nl.first8.handlers=CONSOLE
+logger.nl.first8.useParentHandlers=false
+
+handler.CONSOLE=org.jboss.logmanager.handlers.ConsoleHandler
+handler.CONSOLE.level=TRACE
+handler.CONSOLE.formatter=PATTERN
+handler.CONSOLE.target=SYSTEM_OUT
+
+formatter.PATTERN=org.jboss.logmanager.formatters.PatternFormatter
+formatter.PATTERN.properties=pattern
+formatter.PATTERN.pattern=%d{HH:mm:ss.SSS} %-5p [%c{1}] %m%n

From 18db73d947a38d594ff94dda83fe613abf8739b0 Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Fri, 22 May 2026 14:37:35 +0200
Subject: [PATCH 07/16] mostly frontend: (re)added
 "assertionConsumingServiceIndex"; removed unused
 "artifactResolutionHTTPArtifact"

---
 .../broker/saml/SAMLIdentityProvider.java     | 185 +++---
 .../saml-extended-frontend/js/AddProvider.js  |   2 +-
 .../js/CheckBoxControllerAddProvider.js       |   8 -
 .../js/CheckBoxControllerEditProvider.js      |   9 -
 .../saml-extended-frontend/js/EditProvider.js |   2 +-
 .../saml-extended-frontend/js/Fielders.js     |   1 +
 .../js/InfoUpdaterAdd.js                      | 591 +++++++++---------
 .../pages/addprovider.html                    |  16 +-
 .../pages/editprovider.html                   |  16 +-
 9 files changed, 408 insertions(+), 422 deletions(-)

diff --git a/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProvider.java b/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProvider.java
index 73b7829..c6c52ce 100644
--- a/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProvider.java
+++ b/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProvider.java
@@ -13,6 +13,7 @@
 import nl.first8.keycloak.saml.common.constants.GeneralConstants;
 import nl.first8.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
 import nl.first8.keycloak.saml.processing.core.saml.v2.writers.SAMLMetadataWriter;
+import nl.first8.keycloak.saml.SAML2AuthnRequestBuilder;
 import org.jboss.logging.Logger;
 import org.keycloak.broker.provider.*;
 import org.keycloak.broker.provider.util.SimpleHttp;
@@ -104,8 +105,8 @@ public Response performLogin(AuthenticationRequest request) {
             }
 
             SAML2RequestedAuthnContextBuilder requestedAuthnContext =
-                    new SAML2RequestedAuthnContextBuilder()
-                            .setComparison(getConfig().getAuthnContextComparisonType());
+                new SAML2RequestedAuthnContextBuilder()
+                    .setComparison(getConfig().getAuthnContextComparisonType());
 
             for (String authnContextClassRef : getAuthnContextClassRefUris())
                 requestedAuthnContext.addAuthnContextClassRef(authnContextClassRef);
@@ -124,20 +125,26 @@ public Response performLogin(AuthenticationRequest request) {
             if (protocol.requireReauthentication(null, request.getAuthenticationSession()))
                 forceAuthn = Boolean.TRUE;
             SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder()
-                    .assertionConsumerUrl(assertionConsumerServiceUrl)
-                    .destination(destinationUrl)
-                    .issuer(issuerURL)
-                    .forceAuthn(forceAuthn)
-                    .protocolBinding(protocolBinding)
-                    .nameIdPolicy(SAML2NameIDPolicyBuilder
-                            .format(nameIDPolicyFormat)
-                            .setAllowCreate(allowCreate))
-                    .attributeConsumingServiceIndex(attributeConsumingServiceIndex)
-                    .requestedAuthnContext(requestedAuthnContext)
-                    .subject(loginHint);
+                .assertionConsumerUrl(assertionConsumerServiceUrl)
+                .destination(destinationUrl)
+                .issuer(issuerURL)
+                .forceAuthn(forceAuthn)
+                .protocolBinding(protocolBinding)
+                .nameIdPolicy(SAML2NameIDPolicyBuilder
+                    .format(nameIDPolicyFormat)
+                    .setAllowCreate(allowCreate))
+                .attributeConsumingServiceIndex(attributeConsumingServiceIndex)
+                .requestedAuthnContext(requestedAuthnContext)
+                .subject(loginHint);
+            Integer assertionConsumingServiceIndex = getConfig().getAssertionConsumingServiceIndex();
+            if(assertionConsumingServiceIndex != null) {
+                authnRequestBuilder.assertionConsumerIndex(assertionConsumingServiceIndex);
+            } else {
+                authnRequestBuilder.assertionConsumerUrl(assertionConsumerServiceUrl);
+            }
 
             org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder binding = new org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder(session)
-                    .relayState(request.getState().getEncoded());
+                .relayState(request.getState().getEncoded());
             boolean postBinding = getConfig().isPostBindingAuthnRequest();
 
             logger.debugf("Use %s for AuthNRequest", (postBinding ? "PostBinding" : "RedirectBinding"));
@@ -148,8 +155,8 @@ public Response performLogin(AuthenticationRequest request) {
                 String keyName = getConfig().getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
                 logger.debugf("Signing using key: %s", keyName);
                 binding.signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate())
-                        .signatureAlgorithm(getSignatureAlgorithm())
-                        .signDocument();
+                    .signatureAlgorithm(getSignatureAlgorithm())
+                    .signDocument();
                 if (! postBinding && getConfig().isAddExtensionsElementWithKeyInfo()) {    // Only include extension if REDIRECT binding and signing whole SAML protocol message
                     authnRequestBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
                 }
@@ -246,8 +253,8 @@ public void backchannelLogout(KeycloakSession session, UserSessionModel userSess
                 singleLogoutServiceUrl = logoutRequest.getDestination().toString();
             }
             int status = SimpleHttp.doPost(singleLogoutServiceUrl, session)
-                    .param(GeneralConstants.SAML_REQUEST_KEY, binding.postBinding(SAML2Request.convert(logoutRequest)).encoded())
-                    .param(GeneralConstants.RELAY_STATE, userSession.getId()).asStatus();
+                .param(GeneralConstants.SAML_REQUEST_KEY, binding.postBinding(SAML2Request.convert(logoutRequest)).encoded())
+                .param(GeneralConstants.RELAY_STATE, userSession.getId()).asStatus();
             boolean success = status >= 200 && status < 400;
             if (!success) {
                 logger.warn("Failed saml backchannel broker logout to: " + singleLogoutServiceUrl);
@@ -290,11 +297,11 @@ protected LogoutRequestType buildLogoutRequest(UserSessionModel userSession,
                                                    String singleLogoutServiceUrl,
                                                    NodeGenerator... extensions) throws ConfigurationException {
         SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder()
-                .assertionExpiration(realm.getAccessCodeLifespan())
-                .issuer(getEntityId(uriInfo, realm))
-                .sessionIndex(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX))
-                .nameId(NameIDType.deserializeFromString(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEID)))
-                .destination(singleLogoutServiceUrl);
+            .assertionExpiration(realm.getAccessCodeLifespan())
+            .issuer(getEntityId(uriInfo, realm))
+            .sessionIndex(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX))
+            .nameId(NameIDType.deserializeFromString(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEID)))
+            .destination(singleLogoutServiceUrl);
         LogoutRequestType logoutRequest = logoutBuilder.createLogoutRequest();
         for (NodeGenerator extension : extensions) {
             logoutBuilder.addExtension(extension);
@@ -307,13 +314,13 @@ protected LogoutRequestType buildLogoutRequest(UserSessionModel userSession,
 
     private JaxrsSAML2BindingBuilder buildLogoutBinding(KeycloakSession session, UserSessionModel userSession, RealmModel realm) {
         JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder(session, getConfig())
-                .relayState(userSession.getId());
+            .relayState(userSession.getId());
         if (getConfig().isWantAuthnRequestsSigned()) {
             KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
             String keyName = getConfig().getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
             binding.signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate())
-                    .signatureAlgorithm(getSignatureAlgorithm())
-                    .signDocument();
+                .signatureAlgorithm(getSignatureAlgorithm())
+                .signDocument();
         }
         return binding;
     }
@@ -324,8 +331,8 @@ public String resolveArtifact(String artifact, String issuerURL, RealmModel real
         String response = "";
         try {
             SAML2ArtifactResolutionBuilder builder = new SAML2ArtifactResolutionBuilder()
-                    .artifact(artifact)
-                    .issuer(issuerURL);
+                .artifact(artifact)
+                .issuer(issuerURL);
 
             JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder(session, getConfig());
             logger.debugf("Sign ArtifactResolve request? -> %s", getConfig().isSignArtifactResolutionRequest());
@@ -370,30 +377,30 @@ public Response export(UriInfo uriInfo, RealmModel realm, String format) {
 
             List<URI> endpoints = new ArrayList();
             endpoints.add(uriInfo.getBaseUriBuilder()
-                    .path("realms").path(realm.getName())
-                    .path("broker")
-                    .path(getConfig().getAlias())
-                    .path("endpoint")
-                    .build());
+                .path("realms").path(realm.getName())
+                .path("broker")
+                .path(getConfig().getAlias())
+                .path("endpoint")
+                .build());
             List<String> linkedProviders = getConfig().getLinkedProviders();
             logger.debugf("Found %d number of linked providers.", linkedProviders.size());
             if (!linkedProviders.isEmpty()) {
                 for (String linkedProvider : linkedProviders) {
                     endpoints.add(uriInfo.getBaseUriBuilder()
-                            .path("realms").path(realm.getName())
-                            .path("broker")
-                            .path(linkedProvider)
-                            .path("endpoint")
-                            .build());
+                        .path("realms").path(realm.getName())
+                        .path("broker")
+                        .path(linkedProvider)
+                        .path("endpoint")
+                        .build());
                 }
             }
 
             URI artifactEndpoint = uriInfo.getBaseUriBuilder()
-                    .path("realms").path(realm.getName())
-                    .path("broker")
-                    .path(getConfig().getAlias())
-                    .path("endpoint")
-                    .build();
+                .path("realms").path(realm.getName())
+                .path("broker")
+                .path(getConfig().getAlias())
+                .path("endpoint")
+                .build();
 
             boolean wantAuthnRequestsSigned = getConfig().isWantAuthnRequestsSigned();
             boolean wantAssertionsSigned = getConfig().isWantAssertionsSigned();
@@ -404,39 +411,39 @@ public Response export(UriInfo uriInfo, RealmModel realm, String format) {
             // We export all keys for algorithm RS256, both active and passive so IDP is able to verify signature even
             //  if a key rotation happens in the meantime
             List<KeyDescriptorType> signingKeys = session.keys().getKeysStream(realm, KeyUse.SIG, Algorithm.RS256)
-                    .filter(key -> key.getCertificate() != null)
-                    .sorted(SamlService::compareKeys)
-                    .map(key -> {
-                        try {
-                            return SPMetadataDescriptor.buildKeyInfoElement(key.getKid(), PemUtils.encodeCertificate(key.getCertificate()));
-                        } catch (ParserConfigurationException e) {
-                            logger.warn("Failed to export SAML SP Metadata!", e);
-                            throw new RuntimeException(e);
-                        }
-                    })
-                    .map(key -> SPMetadataDescriptor.buildKeyDescriptorType(key, KeyTypes.SIGNING, null))
-                    .collect(Collectors.toList());
+                .filter(key -> key.getCertificate() != null)
+                .sorted(SamlService::compareKeys)
+                .map(key -> {
+                    try {
+                        return SPMetadataDescriptor.buildKeyInfoElement(key.getKid(), PemUtils.encodeCertificate(key.getCertificate()));
+                    } catch (ParserConfigurationException e) {
+                        logger.warn("Failed to export SAML SP Metadata!", e);
+                        throw new RuntimeException(e);
+                    }
+                })
+                .map(key -> SPMetadataDescriptor.buildKeyDescriptorType(key, KeyTypes.SIGNING, null))
+                .collect(Collectors.toList());
 
             // We export only active ENC keys so IDP uses different key as soon as possible if a key rotation happens
             String encAlg = getConfig().getEncryptionAlgorithm();
             List<KeyDescriptorType> encryptionKeys = session.keys().getKeysStream(realm)
-                    .filter(key -> key.getStatus().isActive() && KeyUse.ENC.equals(key.getUse())
-                            && (encAlg == null || Objects.equals(encAlg, key.getAlgorithmOrDefault()))
-                            && SAMLEncryptionAlgorithms.forKeycloakIdentifier(key.getAlgorithm()) != null
-                            && key.getCertificate() != null)
-                    .sorted(SamlService::compareKeys)
-                    .map(key -> {
-                        Element keyInfo;
-                        try {
-                            keyInfo = SPMetadataDescriptor.buildKeyInfoElement(key.getKid(), PemUtils.encodeCertificate(key.getCertificate()));
-                        } catch (ParserConfigurationException e) {
-                            logger.warn("Failed to export SAML SP Metadata!", e);
-                            throw new RuntimeException(e);
-                        }
+                .filter(key -> key.getStatus().isActive() && KeyUse.ENC.equals(key.getUse())
+                    && (encAlg == null || Objects.equals(encAlg, key.getAlgorithmOrDefault()))
+                    && SAMLEncryptionAlgorithms.forKeycloakIdentifier(key.getAlgorithm()) != null
+                    && key.getCertificate() != null)
+                .sorted(SamlService::compareKeys)
+                .map(key -> {
+                    Element keyInfo;
+                    try {
+                        keyInfo = SPMetadataDescriptor.buildKeyInfoElement(key.getKid(), PemUtils.encodeCertificate(key.getCertificate()));
+                    } catch (ParserConfigurationException e) {
+                        logger.warn("Failed to export SAML SP Metadata!", e);
+                        throw new RuntimeException(e);
+                    }
 
-                        return SPMetadataDescriptor.buildKeyDescriptorType(keyInfo, KeyTypes.ENCRYPTION, SAMLEncryptionAlgorithms.forKeycloakIdentifier(key.getAlgorithm()).getXmlEncIdentifiers());
-                    })
-                    .collect(Collectors.toList());
+                    return SPMetadataDescriptor.buildKeyDescriptorType(keyInfo, KeyTypes.ENCRYPTION, SAMLEncryptionAlgorithms.forKeycloakIdentifier(key.getAlgorithm()).getXmlEncIdentifiers());
+                })
+                .collect(Collectors.toList());
             // Prepare the metadata descriptor model
             StringWriter sw = new StringWriter();
             XMLStreamWriter writer = StaxUtil.getXMLStreamWriter(sw);
@@ -448,28 +455,28 @@ public Response export(UriInfo uriInfo, RealmModel realm, String format) {
             }
 
             SPMetadataDescriptorBuilder spMetadataDescriptorBuilder = new SPMetadataDescriptorBuilder()
-                    .loginBinding(authnResponseBinding)
-                    .logoutBinding(logoutBinding)
-                    .assertionEndpoints(endpoints)
-                    .defaultAssertionEndpoint(defaultAssertionEndpointIndex)
-                    .logoutEndpoints(endpoints)
-                    .wantAuthnRequestsSigned(wantAuthnRequestsSigned)
-                    .wantAssertionsSigned(wantAssertionsSigned)
-                    .wantAssertionsEncrypted(wantAssertionsEncrypted)
-                    .entityId(entityId)
-                    .nameIDPolicyFormat(nameIDPolicyFormat)
-                    .signingCerts(signingKeys)
-                    .encryptionCerts(encryptionKeys);
+                .loginBinding(authnResponseBinding)
+                .logoutBinding(logoutBinding)
+                .assertionEndpoints(endpoints)
+                .defaultAssertionEndpoint(defaultAssertionEndpointIndex)
+                .logoutEndpoints(endpoints)
+                .wantAuthnRequestsSigned(wantAuthnRequestsSigned)
+                .wantAssertionsSigned(wantAssertionsSigned)
+                .wantAssertionsEncrypted(wantAssertionsEncrypted)
+                .entityId(entityId)
+                .nameIDPolicyFormat(nameIDPolicyFormat)
+                .signingCerts(signingKeys)
+                .encryptionCerts(encryptionKeys);
             if (getConfig().isIncludeArtifactResolutionServiceMetadata()) {
                 spMetadataDescriptorBuilder.artifactResolutionBinding(artifactBinding)
-                        .artifactResolutionEndpoint(artifactEndpoint);
+                    .artifactResolutionEndpoint(artifactEndpoint);
             }
             if (getConfig().getMetadataValidUntilUnit() != null && getConfig().getMetadataValidUntilPeriod() != null) {
                 logger.debugf("Valid Until set for Metadata. Setting valid until current date + %s %s",
-                        getConfig().getMetadataValidUntilUnit(), getConfig().getMetadataValidUntilPeriod());
+                    getConfig().getMetadataValidUntilUnit(), getConfig().getMetadataValidUntilPeriod());
                 spMetadataDescriptorBuilder
-                        .metadataValidUntilUnit(getConfig().getMetadataValidUntilUnit())
-                        .metadataValidUntilPeriod(getConfig().getMetadataValidUntilPeriod());
+                    .metadataValidUntilUnit(getConfig().getMetadataValidUntilUnit())
+                    .metadataValidUntilPeriod(getConfig().getMetadataValidUntilPeriod());
             }
             EntityDescriptorType entityDescriptor = spMetadataDescriptorBuilder.build();
 
@@ -510,8 +517,8 @@ public Response export(UriInfo uriInfo, RealmModel realm, String format) {
                     }
 
                     boolean alreadyPresent = attributeConsumingService.getRequestedAttribute().stream()
-                            .anyMatch(t -> (attributeName == null || attributeName.equalsIgnoreCase(t.getName())) &&
-                                    (attributeFriendlyName == null || attributeFriendlyName.equalsIgnoreCase(t.getFriendlyName())));
+                        .anyMatch(t -> (attributeName == null || attributeName.equalsIgnoreCase(t.getName())) &&
+                            (attributeFriendlyName == null || attributeFriendlyName.equalsIgnoreCase(t.getFriendlyName())));
 
                     if (!alreadyPresent) {
                         logger.debugf("%s not present adding to Attribute Consuming Service", attributeName);
diff --git a/src/main/resources/saml-extended-frontend/js/AddProvider.js b/src/main/resources/saml-extended-frontend/js/AddProvider.js
index 0d53232..99bbc23 100644
--- a/src/main/resources/saml-extended-frontend/js/AddProvider.js
+++ b/src/main/resources/saml-extended-frontend/js/AddProvider.js
@@ -227,6 +227,7 @@ add.addEventListener('click', () => {
                 "wantAssertionsSigned": wantAssertionsSigned.value,
                 "postBindingAuthnRequest":httpPostBindingAuthnRequest.value,
                 "forceAuthn": forceAuthentication.value,
+                "assertionConsumingServiceIndex": assertionConsumingServiceIndex_input.value,
                 "attributeConsumingServiceIndex": attributeConsumingServiceIndex_input.value,
                 "principalType": principalType_input.value,
                 "principalAttribute": principalAttribute_input.value,
@@ -236,7 +237,6 @@ add.addEventListener('click', () => {
                 "signArtifactResolutionRequest": Sign_Artifact_Resolution_Request.value,
                 "artifactResolutionSOAP": Artifact_Resolution_with_SOAP.value,
                 "artifactResolutionWithXmlHeader": Artifact_Resolution_with_XML_header.value,
-                "artifactResolutionHTTPArtifact": ArtifactResolution_via_HTTP_ARTIFACT.value,
                 "mutualTls": Mutual_TLS.value,
                 "charSet": CharacterSet_input.value,
                 "metadataValidUntilUnit": Metadata_expires_in_input.value,
diff --git a/src/main/resources/saml-extended-frontend/js/CheckBoxControllerAddProvider.js b/src/main/resources/saml-extended-frontend/js/CheckBoxControllerAddProvider.js
index cfca2d5..f810702 100644
--- a/src/main/resources/saml-extended-frontend/js/CheckBoxControllerAddProvider.js
+++ b/src/main/resources/saml-extended-frontend/js/CheckBoxControllerAddProvider.js
@@ -319,14 +319,6 @@ Sign_Artifact_Resolution_Request.addEventListener("change", function () {
     
 });
 
-const ArtifactResolution_via_HTTP_ARTIFACT = document.getElementById("ArtifactResolution_via_HTTP_ARTIFACT");
-ArtifactResolution_via_HTTP_ARTIFACT.addEventListener("change", function () {
-    handleCheckboxValue(ArtifactResolution_via_HTTP_ARTIFACT);
-    
-});
-
-
-
 const Artifact_Resolution_with_SOAP = document.getElementById("Artifact_Resolution_with_SOAP");
 Artifact_Resolution_with_SOAP.addEventListener("change", function () {
     handleCheckboxValue(Artifact_Resolution_with_SOAP);
diff --git a/src/main/resources/saml-extended-frontend/js/CheckBoxControllerEditProvider.js b/src/main/resources/saml-extended-frontend/js/CheckBoxControllerEditProvider.js
index f2d8223..9eb572d 100644
--- a/src/main/resources/saml-extended-frontend/js/CheckBoxControllerEditProvider.js
+++ b/src/main/resources/saml-extended-frontend/js/CheckBoxControllerEditProvider.js
@@ -312,15 +312,6 @@ document.addEventListener('DOMContentLoaded', function() {
         
     });
     
-    const ArtifactResolution_via_HTTP_ARTIFACT = document.getElementById("ArtifactResolution_via_HTTP_ARTIFACT");
-    ArtifactResolution_via_HTTP_ARTIFACT.value = pluginData.config.artifactResolutionHTTPArtifact ? pluginData.config.artifactResolutionHTTPArtifact : false;
-    ArtifactResolution_via_HTTP_ARTIFACT.addEventListener("change", function () {
-        handleCheckboxValue(ArtifactResolution_via_HTTP_ARTIFACT);
-        
-    });
-    
-    
-    
     
     const Artifact_Resolution_with_SOAP = document.getElementById("Artifact_Resolution_with_SOAP");
     Artifact_Resolution_with_SOAP.value = pluginData.config.artifactResolutionSOAP ? pluginData.config.artifactResolutionSOAP : false;
diff --git a/src/main/resources/saml-extended-frontend/js/EditProvider.js b/src/main/resources/saml-extended-frontend/js/EditProvider.js
index 5897757..bc7790f 100644
--- a/src/main/resources/saml-extended-frontend/js/EditProvider.js
+++ b/src/main/resources/saml-extended-frontend/js/EditProvider.js
@@ -69,6 +69,7 @@ edit.addEventListener('click', () => {
                     "wantAssertionsSigned": wantAssertionsSigned.value,
                     "postBindingAuthnRequest": httpPostBindingAuthnRequest.value,
                     "forceAuthn": forceAuthentication.value,
+                    "assertionConsumingServiceIndex": assertionConsumingServiceIndex_input.value,
                     "attributeConsumingServiceIndex": attributeConsumingServiceIndex_input.value,
                     "principalType": principalType_input.value,
                     "principalAttribute": principalAttribute_input.value,
@@ -78,7 +79,6 @@ edit.addEventListener('click', () => {
                     "signArtifactResolutionRequest": Sign_Artifact_Resolution_Request.value,
                     "artifactResolutionSOAP": Artifact_Resolution_with_SOAP.value,
                     "artifactResolutionWithXmlHeader": Artifact_Resolution_with_XML_header.value,
-                    "artifactResolutionHTTPArtifact": ArtifactResolution_via_HTTP_ARTIFACT.value,
                     "mutualTls": Mutual_TLS.value,
                     "charSet": CharacterSet_input.value,
                     "metadataValidUntilUnit": Metadata_expires_in_input.value,
diff --git a/src/main/resources/saml-extended-frontend/js/Fielders.js b/src/main/resources/saml-extended-frontend/js/Fielders.js
index 730be87..2796490 100644
--- a/src/main/resources/saml-extended-frontend/js/Fielders.js
+++ b/src/main/resources/saml-extended-frontend/js/Fielders.js
@@ -11,6 +11,7 @@ const Single_Sign_On_Service_URL_input = document.getElementById("ssoServiceUrl"
 const Single_Sign_On_Service_URL_inpu_edit = document.getElementById("ssoServiceUrl_edit");
 const Single_Logout_Service_URL_input = document.getElementById("sloServiceUrl");
 const allowedClockSkew_input = document.getElementById("allowedClockSkew");
+const assertionConsumingServiceIndex_input = document.getElementById("assertionConsumingServiceIndex");
 const attributeConsumingServiceIndex_input = document.getElementById("attributeConsumingServiceIndex");
 const attributeConsumingServiceName_input = document.getElementById("attributeConsumingServiceName");
 const authnContextClassRefs_input = document.getElementById("authnContextClassRefs");
diff --git a/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js b/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js
index a78d884..b61d1ea 100644
--- a/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js
+++ b/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js
@@ -1,137 +1,136 @@
 storedData = localStorage.getItem('pluginData');
+if (storedData) {
     if (storedData) {
-        if (storedData) {
-
-            var pluginData = JSON.parse(storedData);
-
-            function toggleCheckbox(configKey, checkbox) {
-
-                if (pluginData.config && pluginData.config[configKey]) {
-                    if (pluginData.config[configKey] == "true") {
-                        checkbox.checked = true;
-                    } else {
-                        checkbox.checked = false;
-
-                    }
-                }
-
-            }
-            function toggleCheckbox1(configKey1, checkbox1) {
-
-                if (pluginData && pluginData[configKey1]) {
-                    if (pluginData[configKey1] == true || pluginData[configKey1] == "true") {
-                        checkbox1.checked = true;
-                    } else {
-                        checkbox1.checked = false;
-
-                    }
-                }
-
-            }
-
-
-            toggleCheckbox('backchannelSupported', backchannel)
-            toggleCheckbox('allowCreate', allowCreate)
-            toggleCheckbox('postBindingResponse', httpPostBindingResponse)
-            toggleCheckbox('postBindingAuthnRequest', httpPostBindingAuthnRequest)
-            toggleCheckbox('postBindingLogout', httpPostBindingLogout)
-            toggleCheckbox('wantAssertionsSigned', wantAssertionsSigned)
-            toggleCheckbox('wantAssertionsEncrypted', wantAssertionsEncrypted)
-            toggleCheckbox('forceAuthn', forceAuthentication)
-            toggleCheckbox('signSpMetadata', signMetadata)
-            toggleCheckbox('loginHint', passSubject)
-            toggleCheckbox1('addReadTokenRoleOnCreate', storedTokensReadable)
-            toggleCheckbox1('storeToken', storeToken)
-            toggleCheckbox1('trustEmail', trustEmail)
-            toggleCheckbox1('linkOnly', accountLinkingOnly)
-            toggleCheckbox('hideOnLoginPage', hideLoginPage)
-            toggleCheckbox('includeArtifactResolutionServiceMetadata', ArtifactResolutionService_in_metadata)
-            toggleCheckbox('hideOnLoginPage', hideLoginPage)
-            toggleCheckbox('signArtifactResolutionRequest', Sign_Artifact_Resolution_Request)
-            toggleCheckbox('artifactResolutionHTTPArtifact', ArtifactResolution_via_HTTP_ARTIFACT)
-            toggleCheckbox('artifactResolutionSOAP', Artifact_Resolution_with_SOAP)
-            toggleCheckbox('artifactResolutionWithXmlHeader', Artifact_Resolution_with_XML_header)
-            toggleCheckbox('mutualTls', Mutual_TLS)
-            toggleCheckbox1('enabled', enabled)
-            toggleCheckbox('sendIdTokenOnLogout', id_token_hint)
-            toggleCheckbox('sendClientIdOnLogout', client_id_in_logout_requests)
-            if (pluginData.config && pluginData.config.wantAuthnRequestsSigned) {
-
-
-                if (pluginData.config.wantAuthnRequestsSigned == "true") {
-                    SignatureAlgorithm.removeAttribute("disabled");
-                    SAMLSignatureKeyName.removeAttribute("disabled");
-                    encryption_algorithm.removeAttribute("disabled")
-                    wantAuthnRequestsSigned.checked = true;
+        
+        var pluginData = JSON.parse(storedData);
+        
+        function toggleCheckbox(configKey, checkbox) {
+            
+            if (pluginData.config && pluginData.config[configKey]) {
+                if (pluginData.config[configKey] == "true") {
+                    checkbox.checked = true;
                 } else {
-                    SignatureAlgorithm.setAttribute("disabled", "true");
-                    SAMLSignatureKeyName.setAttribute("disabled", "true");
-                    encryption_algorithm.setAttribute("disabled", "true");
-                    wantAuthnRequestsSigned.checked = false;
-
+                    checkbox.checked = false;
+                    
                 }
             }
-
-            var additionalField1 = document.getElementById("ValidatingX509Certificates");
-            if (pluginData.config && pluginData.config.validateSignature) {
-                validateSignatures_value = pluginData.config.validateSignature;
-
-                if (pluginData.config.validateSignature === "true") {
-                    additionalField1.removeAttribute("disabled");
-                    validateSignatures.checked = true;
-
-                    if (pluginData.config.signingCertificate) {
-                        updateField('ValidatingX509Certificates', pluginData.config.signingCertificate);
-                    }
-                    if (pluginData.config.metadataDescriptorUrl) {
-                        updateField('samlEntityDescriptor', pluginData.config.metadataDescriptorUrl);
-                    }
-
-                    var samlEntityDescriptorElement = document.getElementById('saml_EntityDescriptor');
-                    if (samlEntityDescriptorElement) {
-                        samlEntityDescriptorElement.style.display = 'block';
-                    }
-
-                    var useMetadataDescriptorUrlElement = document.getElementById('Use_Metadata_Descriptor_URL');
-                    if (useMetadataDescriptorUrlElement) {
-                        useMetadataDescriptorUrlElement.style.display = 'block';
-                    }
+            
+        }
+        function toggleCheckbox1(configKey1, checkbox1) {
+            
+            if (pluginData && pluginData[configKey1]) {
+                if (pluginData[configKey1] == true || pluginData[configKey1] == "true") {
+                    checkbox1.checked = true;
                 } else {
-                    validateSignatures.checked = false;
-                    additionalField1.setAttribute("disabled", "true")
-
-                    var samlEntityDescriptorElement = document.getElementById('saml_EntityDescriptor');
-                    if (samlEntityDescriptorElement) {
-                        samlEntityDescriptorElement.style.display = 'none';
-                    }
-
-                    var useMetadataDescriptorUrlElement = document.getElementById('Use_Metadata_Descriptor_URL');
-                    if (useMetadataDescriptorUrlElement) {
-                        useMetadataDescriptorUrlElement.style.display = 'none';
-                    }
+                    checkbox1.checked = false;
+                    
                 }
-                validateSignatures.dispatchEvent(new Event("change"));
             }
-
-
-
-
-            if (pluginData.config.attributeConsumingServiceMetadata) {
-                attributeServicesArray = JSON.parse(pluginData.config.attributeConsumingServiceMetadata);
-                renderAttributeServices();
+            
+        }
+        
+        
+        toggleCheckbox('backchannelSupported', backchannel)
+        toggleCheckbox('allowCreate', allowCreate)
+        toggleCheckbox('postBindingResponse', httpPostBindingResponse)
+        toggleCheckbox('postBindingAuthnRequest', httpPostBindingAuthnRequest)
+        toggleCheckbox('postBindingLogout', httpPostBindingLogout)
+        toggleCheckbox('wantAssertionsSigned', wantAssertionsSigned)
+        toggleCheckbox('wantAssertionsEncrypted', wantAssertionsEncrypted)
+        toggleCheckbox('forceAuthn', forceAuthentication)
+        toggleCheckbox('signSpMetadata', signMetadata)
+        toggleCheckbox('loginHint', passSubject)
+        toggleCheckbox1('addReadTokenRoleOnCreate', storedTokensReadable)
+        toggleCheckbox1('storeToken', storeToken)
+        toggleCheckbox1('trustEmail', trustEmail)
+        toggleCheckbox1('linkOnly', accountLinkingOnly)
+        toggleCheckbox('hideOnLoginPage', hideLoginPage)
+        toggleCheckbox('includeArtifactResolutionServiceMetadata', ArtifactResolutionService_in_metadata)
+        toggleCheckbox('hideOnLoginPage', hideLoginPage)
+        toggleCheckbox('signArtifactResolutionRequest', Sign_Artifact_Resolution_Request)
+        toggleCheckbox('artifactResolutionSOAP', Artifact_Resolution_with_SOAP)
+        toggleCheckbox('artifactResolutionWithXmlHeader', Artifact_Resolution_with_XML_header)
+        toggleCheckbox('mutualTls', Mutual_TLS)
+        toggleCheckbox1('enabled', enabled)
+        toggleCheckbox('sendIdTokenOnLogout', id_token_hint)
+        toggleCheckbox('sendClientIdOnLogout', client_id_in_logout_requests)
+        if (pluginData.config && pluginData.config.wantAuthnRequestsSigned) {
+            
+            
+            if (pluginData.config.wantAuthnRequestsSigned == "true") {
+                SignatureAlgorithm.removeAttribute("disabled");
+                SAMLSignatureKeyName.removeAttribute("disabled");
+                encryption_algorithm.removeAttribute("disabled")
+                wantAuthnRequestsSigned.checked = true;
+            } else {
+                SignatureAlgorithm.setAttribute("disabled", "true");
+                SAMLSignatureKeyName.setAttribute("disabled", "true");
+                encryption_algorithm.setAttribute("disabled", "true");
+                wantAuthnRequestsSigned.checked = false;
+                
             }
-
-
-            function renderAttributeServices() {
-                var attributeServicesDiv = document.getElementById('attributeServices');
-                attributeServicesDiv.innerHTML = ''; // Clear previous content
-
-                attributeServicesArray.forEach(function(service, index) {
-                    var newFieldsDiv = document.createElement('div');
-                    newFieldsDiv.classList.add('attribute-consuming-service'); // Add class 'attribute-consuming-service'
-                    newFieldsDiv.dataset.index = index; // Set dataset index for form
-
-                    newFieldsDiv.innerHTML = `
+        }
+        
+        var additionalField1 = document.getElementById("ValidatingX509Certificates");
+        if (pluginData.config && pluginData.config.validateSignature) {
+            validateSignatures_value = pluginData.config.validateSignature;
+            
+            if (pluginData.config.validateSignature === "true") {
+                additionalField1.removeAttribute("disabled");
+                validateSignatures.checked = true;
+                
+                if (pluginData.config.signingCertificate) {
+                    updateField('ValidatingX509Certificates', pluginData.config.signingCertificate);
+                }
+                if (pluginData.config.metadataDescriptorUrl) {
+                    updateField('samlEntityDescriptor', pluginData.config.metadataDescriptorUrl);
+                }
+                
+                var samlEntityDescriptorElement = document.getElementById('saml_EntityDescriptor');
+                if (samlEntityDescriptorElement) {
+                    samlEntityDescriptorElement.style.display = 'block';
+                }
+                
+                var useMetadataDescriptorUrlElement = document.getElementById('Use_Metadata_Descriptor_URL');
+                if (useMetadataDescriptorUrlElement) {
+                    useMetadataDescriptorUrlElement.style.display = 'block';
+                }
+            } else {
+                validateSignatures.checked = false;
+                additionalField1.setAttribute("disabled", "true")
+                
+                var samlEntityDescriptorElement = document.getElementById('saml_EntityDescriptor');
+                if (samlEntityDescriptorElement) {
+                    samlEntityDescriptorElement.style.display = 'none';
+                }
+                
+                var useMetadataDescriptorUrlElement = document.getElementById('Use_Metadata_Descriptor_URL');
+                if (useMetadataDescriptorUrlElement) {
+                    useMetadataDescriptorUrlElement.style.display = 'none';
+                }
+            }
+            validateSignatures.dispatchEvent(new Event("change"));
+        }
+        
+        
+        
+        
+        if (pluginData.config.attributeConsumingServiceMetadata) {
+            attributeServicesArray = JSON.parse(pluginData.config.attributeConsumingServiceMetadata);
+            renderAttributeServices();
+        }
+        
+        
+        function renderAttributeServices() {
+            var attributeServicesDiv = document.getElementById('attributeServices');
+            attributeServicesDiv.innerHTML = ''; // Clear previous content
+            
+            attributeServicesArray.forEach(function(service, index) {
+                var newFieldsDiv = document.createElement('div');
+                newFieldsDiv.classList.add('attribute-consuming-service'); // Add class 'attribute-consuming-service'
+                newFieldsDiv.dataset.index = index; // Set dataset index for form
+                
+                newFieldsDiv.innerHTML = `
                 <label for="serviceName">Service Name:</label>
                 <input type="text" class="serviceName" value="${service.serviceName}">
                 <label for="friendlyName">Friendly Name:</label>
@@ -142,10 +141,10 @@ storedData = localStorage.getItem('pluginData');
                 <input type="text" class="attributeValue" value="${service.attributeValue}">
                 <button onclick="deleteForm(this.parentNode)" class="btn">Delete</button>
             `;
-                    attributeServicesDiv.appendChild(newFieldsDiv);
-                });
-            }
-            if(pluginData.config.attributeConsumingServiceMetadata) {
+                attributeServicesDiv.appendChild(newFieldsDiv);
+            });
+        }
+        if(pluginData.config.attributeConsumingServiceMetadata) {
             attributeServicesArray = JSON.parse(pluginData.config.attributeConsumingServiceMetadata);
             fetch('/realms/master/samlconfig/pages/data', {
                 method: 'POST',
@@ -154,192 +153,192 @@ storedData = localStorage.getItem('pluginData');
                 },
                 body: JSON.stringify(attributeServicesArray)
             })
-                .then(response => response.json())
-                .then(data => {
-                })
-                .catch(error => {
-                    console.error('Error:', error);
-                });}
-
-            var Validating_X509_Certificates=document.getElementById("Validating_X509_Certificates");
-
-            if (pluginData.config && pluginData.config.useMetadataDescriptorUrl) {
-                useMetadataDescriptorUrl_value = pluginData.config.useMetadataDescriptorUrl;
-
-                if (pluginData.config.useMetadataDescriptorUrl == "true") {
-                    document.getElementById("UseMetadataDescriptorURL").checked = true;
-                    Validating_X509_Certificates.style.display='none'
-                    document.getElementById("samlEntityDescriptor").setAttribute("required", "true");
-
-                } else {
-                    document.getElementById("UseMetadataDescriptorURL").checked = false;
-                    Validating_X509_Certificates.style.display='block'
-                    document.getElementById("samlEntityDescriptor").removeAttribute("required");
-                }
-                validateSignatures.dispatchEvent(new Event("change"));
-            }
-
-
-
-
-            if (pluginData.config && pluginData.config.artifactResolution) {
-                Artifact_Resolution_value = pluginData.config.artifactResolution;
-                if (pluginData.config.artifactResolution == "true") {
-                    Artifact_Resolution.checked = true;
-                    additionalField_endpoint.removeAttribute("disabled");
-                } else {
-                    Artifact_Resolution.checked = false;
-                    additionalField_endpoint.setAttribute("disabled", "true");
-                    additionalField_endpoint.value = '';
-
-
-                }
-            }
-
-        }
-
-
-        function processAuthnContextArray(id, container) {
-            var element = document.getElementById(id);
-            if (pluginData.config && pluginData.config[id]) {
-                var myArray = JSON.parse(pluginData.config[id]);
-                updateField(id, myArray[0]);
-                for (var i = 1; i < myArray.length; i++) {
-                    const newItem = document.createElement("div");
-                    newItem.className = "next-referral col-4";
-                    newItem.innerHTML = '<input id="textinput_' + i + '" name="textinput" type="text" class="input_text" value="' + myArray[i] + '">';
-                    container.appendChild(newItem);
-                }
-                console.log(pluginData.config[id]);
+              .then(response => response.json())
+              .then(data => {
+              })
+              .catch(error => {
+                  console.error('Error:', error);
+              });}
+        
+        var Validating_X509_Certificates=document.getElementById("Validating_X509_Certificates");
+        
+        if (pluginData.config && pluginData.config.useMetadataDescriptorUrl) {
+            useMetadataDescriptorUrl_value = pluginData.config.useMetadataDescriptorUrl;
+            
+            if (pluginData.config.useMetadataDescriptorUrl == "true") {
+                document.getElementById("UseMetadataDescriptorURL").checked = true;
+                Validating_X509_Certificates.style.display='none'
+                document.getElementById("samlEntityDescriptor").setAttribute("required", "true");
+                
+            } else {
+                document.getElementById("UseMetadataDescriptorURL").checked = false;
+                Validating_X509_Certificates.style.display='block'
+                document.getElementById("samlEntityDescriptor").removeAttribute("required");
             }
+            validateSignatures.dispatchEvent(new Event("change"));
         }
-
-
-
-        processAuthnContextArray("authnContextClassRefs", ClassRefs_items);
-        processAuthnContextArray("authnContextDeclRefs", DeclRefs_items);
-
-
-        if (pluginData.backchannelSupported) {
-            updateField('backchannel', pluginData.backchannelSupported);
-        }
-
-        if (pluginData.displayName) {
-            updateField('displayName', pluginData.displayName);
-        }
-        if (pluginData.config.guiOrder) {
-            updateField('displayOrder', pluginData.config.guiOrder);
-        }
-        if (pluginData.config.entityId) {
-            updateField('spEntityId', pluginData.config.entityId)
-        }
-
-        if (pluginData.config.idpEntityId) {
-            updateField('idpEntityId', pluginData.config.idpEntityId)
-        }
-        if (pluginData.config.singleSignOnServiceUrl) {
-            updateField('ssoServiceUrl', pluginData.config.singleSignOnServiceUrl);
-        }
-        if (pluginData.config.singleLogoutServiceUrl) {
-            updateField('sloServiceUrl', pluginData.config.singleLogoutServiceUrl);
-        }
-
-        if (pluginData.config.nameIDPolicyFormat) {
-            const valueAfterFormat = extractValueAfterFormat(pluginData.config.nameIDPolicyFormat);
-            updateField('nameIdPolicy', valueAfterFormat);
-        }
-        if (pluginData.config.principalType) {
-            updateField('principalType', pluginData.config.principalType);
-            if (pluginData.config.principalType == "ATTRIBUTE" || pluginData.config.principalType == "FRIENDLY_ATTRIBUTE") {
-                if (pluginData.config.principalAttribute) {
-                    updateField('principalAttribute', pluginData.config.principalAttribute);
-
-                }
-                principalAttribute_input.removeAttribute("disabled");
+        
+        
+        
+        
+        if (pluginData.config && pluginData.config.artifactResolution) {
+            Artifact_Resolution_value = pluginData.config.artifactResolution;
+            if (pluginData.config.artifactResolution == "true") {
+                Artifact_Resolution.checked = true;
+                additionalField_endpoint.removeAttribute("disabled");
             } else {
-                principalAttribute_input.setAttribute("disabled", "true");
-                principalAttribute_input.value = '';
-
+                Artifact_Resolution.checked = false;
+                additionalField_endpoint.setAttribute("disabled", "true");
+                additionalField_endpoint.value = '';
+                
+                
             }
-        };
-
-
-        if (pluginData.config.encryptionAlgorithm) {
-            updateField('encryption_algorithm', pluginData.config.encryptionAlgorithm);
         }
-
-        if (pluginData.config.signatureAlgorithm) {
-            updateField('SignatureAlgorithm', pluginData.config.signatureAlgorithm);
-        }
-        if (pluginData.config.xmlSigKeyInfoKeyNameTransformer) {
-            updateField('SAMLSignatureKeyName', pluginData.config.xmlSigKeyInfoKeyNameTransformer);
-        }
-
-        if (pluginData.config.metadataValidUntilUnit) {
-            updateField('Metadata_expires_in', pluginData.config.metadataValidUntilUnit);
-        }
-        if (pluginData.config.metadataValidUntilPeriod) {
-            updateField('metadataValidUntilPeriod', pluginData.config.metadataValidUntilPeriod);
-        }
-        if (pluginData.config.linkedProviders) {
-            updateField('Linked_Providers', pluginData.config.linkedProviders);
-        }
-        if (pluginData.config.artifactResolutionEndpoint) {
-            updateField('Artifact_Resolution_Endpoint', pluginData.config.artifactResolutionEndpoint);
-        }
-        if (pluginData.config.charSet) {
-            updateField('CharacterSet', pluginData.config.charSet);
-        }
-
-        if (pluginData.alias) {
-            updateField('alias', pluginData.alias);
-
-        }
-        var selectedrealm = localStorage.getItem('selectedRealm');
-        var ServerUrl1 = localStorage.getItem('ServerUrl')
-        var pluginalias=localStorage.setItem('pluginalias',`${pluginData.alias}`)
-        document.getElementById('redirectUri').value = `${ServerUrl1}/realms/${selectedrealm}/broker/${pluginData.alias}/endpoint`
-
-        if (pluginData.config.allowedClockSkew) {
-            updateField('allowedClockSkew', pluginData.config.allowedClockSkew);
-        }
-
-        if (pluginData.config.attributeConsumingServiceIndex) {
-            updateField('attributeConsumingServiceIndex', pluginData.config.attributeConsumingServiceIndex);
-        }
-
-        if (pluginData.config.attributeConsumingServiceName) {
-            updateField('attributeConsumingServiceName', pluginData.config.attributeConsumingServiceName);
-        }
-
-        if (pluginData.config.attributeConsumingServiceName) {
-            updateField('attributeConsumingServiceName', pluginData.config.attributeConsumingServiceName);
-        }
-        if (pluginData.config.authnContextComparisonType) {
-            updateField('comparison', pluginData.config.authnContextComparisonType);
+        
+    }
+    
+    
+    function processAuthnContextArray(id, container) {
+        var element = document.getElementById(id);
+        if (pluginData.config && pluginData.config[id]) {
+            var myArray = JSON.parse(pluginData.config[id]);
+            updateField(id, myArray[0]);
+            for (var i = 1; i < myArray.length; i++) {
+                const newItem = document.createElement("div");
+                newItem.className = "next-referral col-4";
+                newItem.innerHTML = '<input id="textinput_' + i + '" name="textinput" type="text" class="input_text" value="' + myArray[i] + '">';
+                container.appendChild(newItem);
+            }
+            console.log(pluginData.config[id]);
         }
-
-        if (pluginData.config.syncMode) {
-            updateField('syncMode', pluginData.config.syncMode);
+    }
+    
+    
+    
+    processAuthnContextArray("authnContextClassRefs", ClassRefs_items);
+    processAuthnContextArray("authnContextDeclRefs", DeclRefs_items);
+    
+    
+    if (pluginData.backchannelSupported) {
+        updateField('backchannel', pluginData.backchannelSupported);
+    }
+    
+    if (pluginData.displayName) {
+        updateField('displayName', pluginData.displayName);
+    }
+    if (pluginData.config.guiOrder) {
+        updateField('displayOrder', pluginData.config.guiOrder);
+    }
+    if (pluginData.config.entityId) {
+        updateField('spEntityId', pluginData.config.entityId)
+    }
+    
+    if (pluginData.config.idpEntityId) {
+        updateField('idpEntityId', pluginData.config.idpEntityId)
+    }
+    if (pluginData.config.singleSignOnServiceUrl) {
+        updateField('ssoServiceUrl', pluginData.config.singleSignOnServiceUrl);
+    }
+    if (pluginData.config.singleLogoutServiceUrl) {
+        updateField('sloServiceUrl', pluginData.config.singleLogoutServiceUrl);
+    }
+    
+    if (pluginData.config.nameIDPolicyFormat) {
+        const valueAfterFormat = extractValueAfterFormat(pluginData.config.nameIDPolicyFormat);
+        updateField('nameIdPolicy', valueAfterFormat);
+    }
+    if (pluginData.config.principalType) {
+        updateField('principalType', pluginData.config.principalType);
+        if (pluginData.config.principalType == "ATTRIBUTE" || pluginData.config.principalType == "FRIENDLY_ATTRIBUTE") {
+            if (pluginData.config.principalAttribute) {
+                updateField('principalAttribute', pluginData.config.principalAttribute);
+                
+            }
+            principalAttribute_input.removeAttribute("disabled");
+        } else {
+            principalAttribute_input.setAttribute("disabled", "true");
+            principalAttribute_input.value = '';
+            
         }
-
-
-
+    };
+    
+    
+    if (pluginData.config.encryptionAlgorithm) {
+        updateField('encryption_algorithm', pluginData.config.encryptionAlgorithm);
+    }
+    
+    if (pluginData.config.signatureAlgorithm) {
+        updateField('SignatureAlgorithm', pluginData.config.signatureAlgorithm);
+    }
+    if (pluginData.config.xmlSigKeyInfoKeyNameTransformer) {
+        updateField('SAMLSignatureKeyName', pluginData.config.xmlSigKeyInfoKeyNameTransformer);
+    }
+    
+    if (pluginData.config.metadataValidUntilUnit) {
+        updateField('Metadata_expires_in', pluginData.config.metadataValidUntilUnit);
+    }
+    if (pluginData.config.metadataValidUntilPeriod) {
+        updateField('metadataValidUntilPeriod', pluginData.config.metadataValidUntilPeriod);
+    }
+    if (pluginData.config.linkedProviders) {
+        updateField('Linked_Providers', pluginData.config.linkedProviders);
+    }
+    if (pluginData.config.artifactResolutionEndpoint) {
+        updateField('Artifact_Resolution_Endpoint', pluginData.config.artifactResolutionEndpoint);
+    }
+    if (pluginData.config.charSet) {
+        updateField('CharacterSet', pluginData.config.charSet);
+    }
+    
+    if (pluginData.alias) {
+        updateField('alias', pluginData.alias);
+        
+    }
+    var selectedrealm = localStorage.getItem('selectedRealm');
+    var ServerUrl1 = localStorage.getItem('ServerUrl')
+    var pluginalias=localStorage.setItem('pluginalias',`${pluginData.alias}`)
+    document.getElementById('redirectUri').value = `${ServerUrl1}/realms/${selectedrealm}/broker/${pluginData.alias}/endpoint`
+    
+    if (pluginData.config.allowedClockSkew) {
+        updateField('allowedClockSkew', pluginData.config.allowedClockSkew);
+    }
+    
+    if (pluginData.config.assertionConsumingServiceIndex) {
+        updateField('assertionConsumingServiceIndex', pluginData.config.assertionConsumingServiceIndex);
+    }
+    
+    if (pluginData.config.attributeConsumingServiceName) {
+        updateField('attributeConsumingServiceName', pluginData.config.attributeConsumingServiceName);
+    }
+    
+    if (pluginData.config.attributeConsumingServiceName) {
+        updateField('attributeConsumingServiceName', pluginData.config.attributeConsumingServiceName);
+    }
+    if (pluginData.config.authnContextComparisonType) {
+        updateField('comparison', pluginData.config.authnContextComparisonType);
+    }
+    
+    if (pluginData.config.syncMode) {
+        updateField('syncMode', pluginData.config.syncMode);
+    }
+    
+    
+    
 }
 
 
 
 function toggleCheckbox(configKey, checkbox) {
-
+    
     if (pluginData.config && pluginData.config[configKey]) {
         if (pluginData.config[configKey] == "true") {
             checkbox.checked = true;
         } else {
             checkbox.checked = false;
-
+            
         }
     }
-
+    
 }
 
 function extractValueAfterFormat(text) {
diff --git a/src/main/resources/saml-extended-frontend/pages/addprovider.html b/src/main/resources/saml-extended-frontend/pages/addprovider.html
index 475c4bb..c27b1a0 100644
--- a/src/main/resources/saml-extended-frontend/pages/addprovider.html
+++ b/src/main/resources/saml-extended-frontend/pages/addprovider.html
@@ -654,6 +654,13 @@ <h5>Want Assertions Encrypted
                 <span class="slider round"></span>
             </label>
 
+            <h5>Assertion Consuming Service Index
+                <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
+                     onclick="alert('Index of the Assertion Consuming Service URL to request during authentication and to make default in the metadata.')">
+            </h5>
+
+            <input type="number" min="1" name="assertionConsumingServiceIndex"
+                   id="assertionConsumingServiceIndex">
 
             <h5>Force Authentication
                 <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
@@ -948,15 +955,6 @@ <h5>Sign Artifact Resolution Request
                     <span class="slider round"></span>
                 </label>
 
-                <h5>ArtifactResolution via HTTP-ARTIFACT
-                    <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                         onclick="alert('Use HTTP-Artifact binding instead of the default HTTP-POST binding')">
-                </h5>
-                <label class="switch">
-                    <input type="checkbox" name="ArtifactResolution_via_HTTP-ARTIFACT "
-                           id="ArtifactResolution_via_HTTP_ARTIFACT" value="false">
-                    <span class="slider round"></span>
-                </label>
                 <h5>Artifact Resolution with SOAP
                     <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
                          onclick="alert('indicates whether to use Artifact Resloution with SOAP envelope.')">
diff --git a/src/main/resources/saml-extended-frontend/pages/editprovider.html b/src/main/resources/saml-extended-frontend/pages/editprovider.html
index dd8ac65..c7987d9 100644
--- a/src/main/resources/saml-extended-frontend/pages/editprovider.html
+++ b/src/main/resources/saml-extended-frontend/pages/editprovider.html
@@ -608,6 +608,13 @@ <h5>Want Assertions Encrypted
             <span class="slider round"></span>
         </label>
 
+        <h5>Assertion Consuming Service Index
+            <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
+                 onclick="alert('Index of the Assertion Consuming Service URL to request during authentication and to make default in the metadata.')">
+        </h5>
+
+        <input type="number" min="1" name="assertionConsumingServiceIndex"
+               id="assertionConsumingServiceIndex">
 
         <h5>Force Authentication
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
@@ -914,15 +921,6 @@ <h5>Sign Artifact Resolution Request
             <span class="slider round"></span>
         </label>
 
-        <h5>ArtifactResolution via HTTP-ARTIFACT
-            <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
-                 onclick="alert('Use HTTP-Artifact binding instead of the default HTTP-POST binding')">
-        </h5>
-        <label class="switch">
-            <input type="checkbox" name="ArtifactResolution_via_HTTP-ARTIFACT "
-                   id="ArtifactResolution_via_HTTP_ARTIFACT" value="false">
-            <span class="slider round"></span>
-        </label>
         <h5>Artifact Resolution with SOAP
             <img src="../../samlconfig/images/question.png" class="image" alt="question mark"
                  onclick="alert('indicates whether to use Artifact Resloution with SOAP envelope.')">

From 7f057480c97352cb4e6ac3e8a067970db9a201c2 Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Fri, 22 May 2026 14:43:14 +0200
Subject: [PATCH 08/16] removed folder "theme-resources" because that extends
 the v1 admin theme, which was removed in Keycloak 21.0

---
 .../messages/admin-messages_en.properties     |  36 --
 ...realm-identity-provider-saml-extended.html | 598 ------------------
 2 files changed, 634 deletions(-)
 delete mode 100644 src/main/resources/theme-resources/messages/admin-messages_en.properties
 delete mode 100644 src/main/resources/theme-resources/resources/partials/realm-identity-provider-saml-extended.html

diff --git a/src/main/resources/theme-resources/messages/admin-messages_en.properties b/src/main/resources/theme-resources/messages/admin-messages_en.properties
deleted file mode 100644
index 1a5aaeb..0000000
--- a/src/main/resources/theme-resources/messages/admin-messages_en.properties
+++ /dev/null
@@ -1,36 +0,0 @@
-# encoding: UTF-8
-identity-provider.saml.extended.assertion-consuming-service-index=Assertion Consuming Service Index
-identity-provider.saml.extended.assertion-consuming-service-index.tooltip=Index of the Assertion Consuming Service used in the AuthNRequest when multiple are available.
-identity-provider.saml-extended.days=Day(s)
-identity-provider.saml-extended.weeks=Week(s)
-identity-provider.saml-extended.months=Month(s)
-identity-provider.saml-extended.years=Year(s)
-identity-provider.saml.extended.metadata-valid-until=Metadata expires in
-identity-provider.saml.extended.metadata-valid-until.tooltip=When set, sets the validUntil with the current data + settings.
-identity-provider.saml.extended.ignore-saml-advice-nodes=Ignore Saml Advice
-identity-provider.saml.extended.ignore-saml-advice-nodes.tooltip=When set, ignore the Advice nodes in the Artifact Response when verifying the signature.
-identity-provider.saml-extended.scoping=AuthNRequest Scope
-identity-provider.saml-extended.scoping.tooltip=No clue!
-identity-provider.saml-extended.linked-providers=Linked Providers
-identity-provider.saml-extended.linked-providers.tooltip=List of aliases that are linked to this one (and will be in the generated metadata).
-
-saml.extended.assertion-consuming-service-index=Assertion Consuming Service Index
-saml.extended.assertion-consuming-service-index.tooltip=Index of the Assertion Consuming Service URL to request during authentication
-saml.extended.artifact-resolution=Artifact Resolution
-saml.extended.artifact-resolution.tooltip=Indicates whether to use Artifact Binding
-saml.extended.artifact-resolution-endpoint=Artifact Resolution Endpoint
-saml.extended.artifact-resolution-endpoint.tooltip=Specifies the url for Artifact Resolution
-saml.extended.sign-artifact-resolution-request=Sign Artifact Resolution Request
-saml.extended.sign-artifact-resolution-request.tooltip= Indicates whether to sign the Artifact Resolution Request
-saml.extended.artifact-resolution-soap=Artifact Resolution with SOAP
-saml.extended.artifact-resolution-soap.tooltip=Indicates whether to use Artifact Resolution with SOAP envelope
-saml.extended.artifact-resolution-xml-header=Artifact Resolution with XML header
-saml.extended.artifact-resolution-xml-header.tooltip=Indicates whether to add an XML header
-saml.extended.charSet=CharacterSet
-saml.extended.charSet.tooltip=CharSet that must be used to read and write the SAML
-saml.extended.include-artifact-resolution-service-metadata=ArtifactResolutionService in metadata.
-saml.extended.include-artifact-resolution-service-metadata.tooltip=This will include an artifactResolutionService in your metadata (sometimes required).
-saml.extended.metadata=Metadata
-saml.extended.metadata.tooltip=Metadata options
-saml.extended.artifact-resolution-mutual-tls=Mutual TLS
-saml.extended.artifact-resolution-mutual-tls.tooltip=Use Mutual TLS for Artifact Resolution
\ No newline at end of file
diff --git a/src/main/resources/theme-resources/resources/partials/realm-identity-provider-saml-extended.html b/src/main/resources/theme-resources/resources/partials/realm-identity-provider-saml-extended.html
deleted file mode 100644
index a09bf17..0000000
--- a/src/main/resources/theme-resources/resources/partials/realm-identity-provider-saml-extended.html
+++ /dev/null
@@ -1,598 +0,0 @@
-<div class="col-sm-9 col-md-10 col-sm-push-3 col-md-push-2" data-ng-init="initSamlProvider()">
-    <ol class="breadcrumb">
-        <li><a href="#/realms/{{realm.realm}}/identity-provider-settings">{{:: 'identity-providers' | translate}}</a></li>
-        <li data-ng-show="!newIdentityProvider && identityProvider.displayName">{{identityProvider.displayName}}</li>
-        <li data-ng-show="!newIdentityProvider && !identityProvider.displayName">{{identityProvider.alias}}</li>
-        <li data-ng-show="newIdentityProvider">{{:: 'add-identity-provider' | translate}}</li>
-    </ol>
-
-    <kc-tabs-identity-provider></kc-tabs-identity-provider>
-
-    <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!access.manageIdentityProviders">
-        <fieldset>
-            <div class="form-group clearfix">
-                <label class="col-md-2 control-label" for="redirectUri">{{:: 'redirect-uri' | translate}}</label>
-                <div class="col-sm-6">
-                    <input class="form-control" id="redirectUri" type="text" value="{{callbackUrl}}{{identityProvider.alias}}/endpoint" readonly kc-select-action="click">
-                </div>
-                <kc-tooltip>{{:: 'redirect-uri.tooltip' | translate}}</kc-tooltip>
-            </div>
-        </fieldset>
-        <fieldset>
-            <div class="form-group clearfix">
-                <label class="col-md-2 control-label" for="identifier"><span class="required">*</span> {{:: 'alias' | translate}}</label>
-                <div class="col-md-6">
-                    <input kc-no-reserved-chars class="form-control" id="identifier" type="text" ng-model="identityProvider.alias" data-ng-readonly="!newIdentityProvider" required>
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.alias.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group clearfix">
-                <label class="col-md-2 control-label" for="displayName"> {{:: 'display-name' | translate}}</label>
-                <div class="col-md-6">
-                    <input class="form-control" id="displayName" type="text" ng-model="identityProvider.displayName">
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.display-name.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="enabled">{{:: 'enabled' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.enabled" id="enabled" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.enabled.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="storeToken">{{:: 'store-tokens' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.storeToken" id="storeToken" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.store-tokens.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="storedTokensReadable">{{:: 'stored-tokens-readable' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.addReadTokenRoleOnCreate" id="storedTokensReadable" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.stored-tokens-readable.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="trustEmail">{{:: 'trust-email' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.trustEmail" name="identityProvider.trustEmail" id="trustEmail" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'trust-email.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="linkOnly">{{:: 'link-only' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.linkOnly" name="identityProvider.trustEmail" id="linkOnly" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'link-only.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="hideOnLoginPage">{{:: 'hide-on-login-page' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.hideOnLoginPage" name="identityProvider.config.hideOnLoginPage" id="hideOnLoginPage" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'hide-on-login-page.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="guiOrder">{{:: 'gui-order' | translate}}</label>
-                <div class="col-md-6">
-                    <input class="form-control" id="guiOrder" type="text" ng-model="identityProvider.config.guiOrder">
-                </div>
-                <kc-tooltip>{{:: 'gui-order.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="firstBrokerLoginFlowAlias">{{:: 'first-broker-login-flow' | translate}}</label>
-                <div class="col-md-6">
-                    <div>
-                        <select class="form-control" id="firstBrokerLoginFlowAlias"
-                                ng-model="identityProvider.firstBrokerLoginFlowAlias"
-                                ng-options="flow.alias as flow.alias for flow in authFlows"
-                                required>
-                        </select>
-                    </div>
-                </div>
-                <kc-tooltip>{{:: 'first-broker-login-flow.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="postBrokerLoginFlowAlias">{{:: 'post-broker-login-flow' | translate}}</label>
-                <div class="col-md-6">
-                    <div>
-                        <select class="form-control" id="postBrokerLoginFlowAlias"
-                                ng-model="identityProvider.postBrokerLoginFlowAlias"
-                                ng-options="flow.alias as flow.alias for flow in postBrokerAuthFlows">
-                        </select>
-                    </div>
-                </div>
-                <kc-tooltip>{{:: 'post-broker-login-flow.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="syncMode">{{:: 'sync-mode' | translate}}</label>
-                <div class="col-md-6">
-                    <div>
-                        <select class="form-control" id="syncMode"
-                                ng-model="identityProvider.config.syncMode"
-                                required>
-                            <option id="syncMode_import" name="syncMode" value="IMPORT">{{:: 'sync-mode.import' | translate}}</option>
-                            <option id="syncMode_legacy" name="syncMode" value="LEGACY">{{:: 'sync-mode.legacy' | translate}}</option>
-                            <option id="syncMode_force" name="syncMode" value="FORCE">{{:: 'sync-mode.force' | translate}}</option>
-                        </select>
-                    </div>
-                </div>
-                <kc-tooltip>{{:: 'sync-mode.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group" data-ng-show="!importFile && !newIdentityProvider">
-                <label class="col-md-2 control-label">{{:: 'endpoints' | translate}}</label>
-                <div class="col-md-6">
-                    <a class="form-control" ng-href="{{callbackUrl}}{{identityProvider.alias}}/endpoint/descriptor" rel="noopener noreferrer" target="_blank">{{:: 'identity-provider.saml.protocol-endpoints.saml' | translate}}</a>
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.saml.protocol-endpoints.saml.tooltip' | translate}}</kc-tooltip>
-            </div>
-        </fieldset>
-        <fieldset>
-            <legend uncollapsed><span class="text">{{:: 'saml-config' | translate}}</span> <kc-tooltip>{{:: 'identity-provider.saml-config.tooltip' | translate}}</kc-tooltip></legend>
-
-            <div class="form-group clearfix">
-                <label class="col-md-2 control-label" for="entityId"><span class="required">*</span> {{:: 'identity-provider.saml.entity-id' | translate}}</label>
-                <div class="col-md-6">
-                    <input kc-no-reserved-chars class="form-control" id="entityId" type="text" ng-model="identityProvider.config.entityId" required>
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.saml.entity-id.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group clearfix">
-                <label class="col-md-2 control-label" for="idpEntityId">{{:: 'identity-provider.saml.idp-entity-id' | translate}}</label>
-                <div class="col-md-6">
-                    <input kc-no-reserved-chars class="form-control" id="idpEntityId" type="text" ng-model="identityProvider.config.idpEntityId">
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.saml.idp-entity-id.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group clearfix">
-                <label class="col-md-2 control-label" for="singleSignOnServiceUrl"><span class="required">*</span> {{:: 'single-signon-service-url' | translate}}</label>
-                <div class="col-md-6">
-                    <input class="form-control" id="singleSignOnServiceUrl" type="text" ng-model="identityProvider.config.singleSignOnServiceUrl" required>
-                </div>
-                <kc-tooltip>{{:: 'saml.single-signon-service-url.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group clearfix">
-                <label class="col-md-2 control-label" for="singleSignOnServiceUrl">{{:: 'single-logout-service-url' | translate}}</label>
-                <div class="col-md-6">
-                    <input class="form-control" id="singleLogoutServiceUrl" type="text" ng-model="identityProvider.config.singleLogoutServiceUrl">
-                </div>
-                <kc-tooltip>{{:: 'saml.single-logout-service-url.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-sm-2 control-label" for="backchannelSupported">{{:: 'backchannel-logout' | translate}}</label>
-                <div class="col-sm-4">
-                    <input ng-model="identityProvider.config.backchannelSupported" id="backchannelSupported" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'backchannel-logout.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group clearfix">
-                <label class="col-md-2 control-label" for="nameIDPolicyFormat">{{:: 'nameid-policy-format' | translate}}</label>
-                <div class="col-md-6">
-                    <select id="nameIDPolicyFormat" ng-model="identityProvider.config.nameIDPolicyFormat"
-                            ng-options="nameFormat.format as nameFormat.name for nameFormat in nameIdFormats">
-                     </select>
-                    <!-- <input class="form-control" id="nameIDPolicyFormat" type="text" ng-model="identityProvider.config.nameIDPolicyFormat"> -->
-                </div>
-                <kc-tooltip>{{:: 'nameid-policy-format.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group clearfix">
-                <label class="col-md-2 control-label" for="principalType">{{:: 'saml.principal-type' | translate}}</label>
-                <div class="col-md-6">
-                    <select id="principalType" ng-model="identityProvider.config.principalType"
-                            ng-options="pType.type as pType.name for pType in principalTypes">
-                     </select>
-                </div>
-                <kc-tooltip>{{:: 'saml.principal-type.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group clearfix" data-ng-show="identityProvider.config.principalType.endsWith('ATTRIBUTE')">
-                <label class="col-md-2 control-label" for="principalAttribute">{{:: 'saml.principal-attribute' | translate}}</label>
-                <div class="col-md-6">
-                    <input class="form-control" id="principalAttribute" type="text" ng-model="identityProvider.config.principalAttribute" ng-required="identityProvider.config.principalType.endsWith('ATTRIBUTE')">
-                </div>
-                <kc-tooltip>{{:: 'saml.principal-attribute.tooltip' | translate}}</kc-tooltip>
-            </div>
-             <div class="form-group">
-                <label class="col-md-2 control-label" for="allowCreate">{{:: 'saml.allow-create' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.allowCreate" id="allowCreate" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'saml.allow-create.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="postBindingResponse">{{:: 'http-post-binding-response' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.postBindingResponse" id="postBindingResponse" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'http-post-binding-response.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="postBindingAuthnRequest">{{:: 'http-post-binding-for-authn-request' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.postBindingAuthnRequest" id="postBindingAuthnRequest" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'http-post-binding-for-authn-request.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="postBindingLogout">{{:: 'http-post-binding-logout' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.postBindingLogout" id="postBindingLogout" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'http-post-binding-logout.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="wantAuthnRequestsSigned">{{:: 'want-authn-requests-signed' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.wantAuthnRequestsSigned" id="wantAuthnRequestsSigned" name="wantAuthnRequestsSigned" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'want-authn-requests-signed.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="wantAssertionsSigned">{{:: 'want-assertions-signed' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.wantAssertionsSigned" id="wantAssertionsSigned" name="wantAssertionsSigned" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'want-assertions-signed.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="wantAssertionsEncrypted">{{:: 'want-assertions-encrypted' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.wantAssertionsEncrypted" id="wantAssertionsEncrypted" name="wantAssertionsEncrypted" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'want-assertions-encrypted.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="assertionConsumingServiceIndex">{{:: 'identity-provider.saml.extended.assertion-consuming-service-index' | translate}}</label>
-                <div class="col-md-6">
-                    <input class="form-control" string-to-number type="number" min="0" max="65535" step="1" ng-model="identityProvider.config.assertionConsumingServiceIndex" id="assertionConsumingServiceIndex"/>
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.saml.extended.assertion-consuming-service-index.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group" data-ng-show="identityProvider.config.wantAuthnRequestsSigned == 'true'">
-                <label class="col-md-2 control-label" for="signatureAlgorithm">{{:: 'signature-algorithm' | translate}}</label>
-                <div class="col-sm-6">
-                    <div>
-                        <select class="form-control" id="signatureAlgorithm"
-                                ng-model="identityProvider.config.signatureAlgorithm"
-                                ng-options="alg for alg in signatureAlgorithms">
-                        </select>
-                    </div>
-                </div>
-                <kc-tooltip>{{:: 'signature-algorithm.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group clearfix block" data-ng-show="identityProvider.config.wantAuthnRequestsSigned == 'true'">
-                <label class="col-md-2 control-label" for="samlSigKeyNameTranformer">{{:: 'saml-signature-keyName-transformer' | translate}}</label>
-                <div class="col-md-6">
-                    <div>
-                        <select class="form-control" id="samlSigKeyNameTranformer"
-                                ng-model="identityProvider.config.xmlSigKeyInfoKeyNameTransformer"
-                                ng-options="xmlKeyNameTranformer for xmlKeyNameTranformer in xmlKeyNameTranformers">
-                        </select>
-                    </div>
-                </div>
-                <kc-tooltip>{{:: 'saml-signature-keyName-transformer.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="forceAuthn">{{:: 'force-authentication' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.forceAuthn" id="forceAuthn" name="forceAuthn" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.force-authentication.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="validateSignature">{{:: 'validate-signature' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.validateSignature" id="validateSignature" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'saml.validate-signature.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group clearfix" data-ng-show="identityProvider.config.validateSignature == 'true'">
-                <label class="col-md-2 control-label" for="signingCertificate">{{:: 'validating-x509-certificate' | translate}}</label>
-                <div class="col-md-6">
-                    <textarea class="form-control" id="signingCertificate" ng-model="identityProvider.config.signingCertificate"></textarea>
-                </div>
-                <kc-tooltip>{{:: 'validating-x509-certificate.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group clearfix" data-ng-show="identityProvider.config.validateSignature == 'true'">
-                <label class="col-md-2 control-label" for="ignoreSamlAdviceNodes">{{:: 'identity-provider.saml.extended.ignore-saml-advice-nodes' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.ignoreSamlAdviceNodes" id="ignoreSamlAdviceNodes" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.saml.extended.ignore-saml-advice-nodes.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="signSpMetadata">{{:: 'identity-provider.saml.sign-sp-metadata' | translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.signSpMetadata" id="signSpMetadata" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.saml.sign-sp-metadata.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-sm-2 control-label" for="loginHint">{{:: 'saml.loginHint' | translate}}</label>
-                <div class="col-sm-4">
-                    <input ng-model="identityProvider.config.loginHint" id="loginHint" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
-                </div>
-                <kc-tooltip>{{:: 'saml.loginHint.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="allowedClockSkew">{{:: 'allowed-clock-skew' | translate}}</label>
-                <div class="col-md-6 time-selector">
-                    <input class="form-control" string-to-number type="number" min="0" max="2147483" step="1" ng-model="identityProvider.config.allowedClockSkew" id="allowedClockSkew"/>
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.allowed-clock-skew.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="attributeConsumingServiceIndex">{{:: 'identity-provider.saml.attribute-consuming-service-index' | translate}}</label>
-                <div class="col-md-6">
-                    <input class="form-control" string-to-number type="number" min="0" max="65535" step="1" ng-model="identityProvider.config.attributeConsumingServiceIndex" id="attributeConsumingServiceIndex"/>
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.saml.attribute-consuming-service-index.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="attributeConsumingServiceName">{{:: 'identity-provider.saml.attribute-consuming-service-name' | translate}}</label>
-                <div class="col-md-6">
-                    <input class="form-control" type="text" ng-model="identityProvider.config.attributeConsumingServiceName" id="attributeConsumingServiceName"/>
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.saml.attribute-consuming-service-name.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label for="newScope" class="col-md-2 control-label">{{:: 'identity-provider.saml-extended.scoping' | translate}}</label>
-                <div class="col-md-6">
-                    <input class="form-control" type="text" ng-model="identityProvider.config.scoping" id="newScope"/>
-                </div>
-<!--                <div class="col-sm-4">-->
-<!--                    <div class="input-group" ng-repeat="(i, scope) in scoping track by $index">-->
-<!--                        <input class="form-control" ng-model="scoping[i]">-->
-<!--                        <div class="input-group-btn">-->
-<!--                            <button class="btn btn-default" type="button" data-ng-click="deleteScope($index)">-->
-<!--                                <span class="fa fa-minus"></span>-->
-<!--                            </button>-->
-<!--                        </div>-->
-<!--                    </div>-->
-<!--                    <div class = "input-group">-->
-<!--                        <input class="form-control" ng-model="newScope" id="newScope">-->
-<!--                        <div class="input-group-btn">-->
-<!--                            <button class="btn btn-default" type="button" data-ng-click="newScope.length > 0 && addScope()">-->
-<!--                                <span class="fa fa-plus"></span>-->
-<!--                            </button>-->
-<!--                        </div>-->
-<!--                    </div>-->
-<!--                </div>-->
-                <kc-tooltip>{{:: 'identity-provider.saml-extended.scoping.tooltip' | translate}}</kc-tooltip>
-            </div>
-        </fieldset>
-        <fieldset>
-            <legend collapsed><span class="text">{{:: 'identity-provider.saml.requested-authncontext' | translate}}</span> <kc-tooltip>{{:: 'identity-provider.saml.requested-authncontext.tooltip' | translate}}</kc-tooltip></legend>
-
-            <div class="form-group clearfix">
-                <label class="col-md-2 control-label" for="authnContextComparisonType">{{:: 'identity-provider.saml.authncontext-comparison-type' | translate}}</label>
-                <div class="col-md-6">
-                    <div>
-                        <select class="form-control" id="authnContextComparisonType"
-                                ng-init="identityProvider.config.authnContextComparisonType = identityProvider.config.authnContextComparisonType || 'exact'"
-                                ng-model="identityProvider.config.authnContextComparisonType">
-                            <option value="exact">{{:: 'identity-provider.saml.authncontext-comparison-type.exact' | translate}}</option>
-                            <option value="minimum">{{:: 'identity-provider.saml.authncontext-comparison-type.minimum' | translate}}</option>
-                            <option value="maximum">{{:: 'identity-provider.saml.authncontext-comparison-type.maximum' | translate}}</option>
-                            <option value="better">{{:: 'identity-provider.saml.authncontext-comparison-type.better' | translate}}</option>
-                        </select>
-                    </div>
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.saml.authncontext-comparison-type.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label for="type" class="col-md-2 control-label">{{:: 'identity-provider.saml.authncontext-class-ref' | translate}}</label>
-                <div class="col-sm-4">
-                    <div class="input-group" ng-repeat="(i, authnContextClassRef) in authnContextClassRefs track by $index">
-                        <input class="form-control" ng-model="authnContextClassRefs[i]">
-                        <div class="input-group-btn">
-                            <button class="btn btn-default" type="button" data-ng-click="deleteAuthnContextClassRef($index)">
-                                <span class="fa fa-minus"></span>
-                            </button>
-                        </div>
-                    </div>
-                    <div class = "input-group">
-                        <input class="form-control" ng-model="newAuthnContextClassRef" id="newAuthnContextClassRef">
-                        <div class="input-group-btn">
-                            <button class="btn btn-default" type="button" data-ng-click="newAuthnContextClassRef.length > 0 && addAuthnContextClassRef()">
-                                <span class="fa fa-plus"></span>
-                            </button>
-                        </div>
-                    </div>
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.saml.authncontext-class-ref.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label for="type" class="col-md-2 control-label">{{:: 'identity-provider.saml.authncontext-decl-ref' | translate}}</label>
-                <div class="col-sm-4">
-                    <div class="input-group" ng-repeat="(i, authnContextDeclRef) in authnContextDeclRefs track by $index">
-                        <input class="form-control" ng-model="authnContextDeclRefs[i]">
-                        <div class="input-group-btn">
-                            <button class="btn btn-default" type="button" data-ng-click="deleteAuthnContextDeclRef($index)">
-                                <span class="fa fa-minus"></span>
-                            </button>
-                        </div>
-                    </div>
-                    <div class = "input-group">
-                        <input class="form-control" ng-model="newAuthnContextDeclRef" id="newAuthnContextDeclRef">
-                        <div class="input-group-btn">
-                            <button class="btn btn-default" type="button" data-ng-click="newAuthnContextDeclRef.length > 0 && addAuthnContextDeclRef()">
-                                <span class="fa fa-plus"></span>
-                            </button>
-                        </div>
-                    </div>
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.saml.authncontext-decl-ref.tooltip' | translate}}</kc-tooltip>
-            </div>
-        </fieldset>
-        <fieldset>
-            <legend collapsed><span
-                    class="text">{{:: 'saml.extended.metadata' | translate}}</span>
-                <kc-tooltip>{{:: 'saml.extended.metadata.tooltip' | translate}}</kc-tooltip>
-            </legend>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="metadataValidUntilUnit">{{:: 'identity-provider.saml.extended.metadata-valid-until' | translate}}</label>
-                <div class="col-md-6 time-selector">
-                    <input class="form-control" string-to-number type="number" min="0" max="99" step="1" ng-model="identityProvider.config.metadataValidUntilUnit" id="metadataValidUntilUnit"/>
-                    <select class="form-control" id="metadataValidPeriod" ng-model="identityProvider.config.metadataValidUntilPeriod">
-                        <option value="6">{{:: 'identity-provider.saml-extended.days' | translate}}</option>
-                        <option value="3" ng-selected="selected">{{:: 'identity-provider.saml-extended.weeks' | translate}}</option>
-                        <option value="2">{{:: 'identity-provider.saml-extended.months' | translate}}</option>
-                        <option value="1">{{:: 'identity-provider.saml-extended.years' | translate}}</option>
-                    </select>
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.saml.extended.metadata-valid-until.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label for="linkedProviders" class="col-md-2 control-label">{{:: 'identity-provider.saml-extended.linked-providers' | translate}}</label>
-                <div class="col-md-6">
-                    <input class="form-control" type="text" ng-model="identityProvider.config.linkedProviders" id="linkedProviders"/>
-                </div>
-                <kc-tooltip>{{:: 'identity-provider.saml-extended.linked-providers.tooltip' | translate}}</kc-tooltip>
-            </div>
-        </fieldset>
-        <fieldset>
-            <legend collapsed><span
-                    class="text">{{:: 'saml.extended.artifact-resolution' | translate}}</span>
-                <kc-tooltip>{{:: 'saml.extended.artifact-resolution.tooltip' | translate}}</kc-tooltip>
-            </legend>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="artifactResolution">{{:: 'saml.extended.artifact-resolution'
-                    |
-                    translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.artifactResolution" id="artifactResolution"
-                           onoffswitchvalue
-                           on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
-                </div>
-                <kc-tooltip>{{:: 'saml.validate-signature.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group clearfix" data-ng-show="identityProvider.config.artifactResolution == 'true'">
-                <label class="col-md-2 control-label" for="artifactResolutionEndpoint">
-                    <!--<span class="required">*</span>-->
-                    {{:: 'saml.extended.artifact-resolution-endpoint' | translate}}</label>
-                <div class="col-md-6">
-                    <input class="form-control" id="artifactResolutionEndpoint" type="text"
-                           ng-model="identityProvider.config.artifactResolutionEndpoint">
-                </div>
-                <kc-tooltip>{{:: 'saml.extended.artifact-resolution-endpoint.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="includeArtifactResolutionServiceMetadata">{{::
-                    'saml.extended.include-artifact-resolution-service-metadata' |
-                    translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.includeArtifactResolutionServiceMetadata"
-                           id="includeArtifactResolutionServiceMetadata" onoffswitchvalue
-                           on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
-                </div>
-                <kc-tooltip>{{:: 'saml.extended.include-artifact-resolution-service-metadata.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="signArtifactResolutionRequest">{{::
-                    'saml.extended.sign-artifact-resolution-request' |
-                    translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.signArtifactResolutionRequest"
-                           id="signArtifactResolutionRequest" onoffswitchvalue
-                           on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
-                </div>
-                <kc-tooltip>{{:: 'saml.extended.sign-artifact-resolution-request.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="artifactResolutionSOAP">{{::
-                    'saml.extended.artifact-resolution-soap' |
-                    translate}}</label>
-                <div class="col-md-6">
-                    <input ng-model="identityProvider.config.artifactResolutionSOAP"
-                           id="artifactResolutionSOAP" onoffswitchvalue
-                           on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
-                </div>
-                <kc-tooltip>{{:: 'saml.extended.artifact-resolution-soap.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="artifactResolutionWithXmlHeader">
-                    {{:: 'saml.extended.artifact-resolution-xml-header' | translate}}</label>
-                <div class="col-md-6">
-                    <input
-                            ng-model="identityProvider.config.artifactResolutionWithXmlHeader"
-                            id="artifactResolutionWithXmlHeader" onoffswitchvalue
-                            on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
-                </div>
-                <kc-tooltip>{{:: 'saml.extended.artifact-resolution-xml-header.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="charSet">{{:: 'saml.extended.charSet' |
-                    translate}}</label>
-                <div class="col-md-6">
-                    <div>
-                        <select class="form-control" id="charSet" ng-model="identityProvider.config.charSet">
-                            <option value="UTF-8" ng-selected="selected">UTF-8</option>
-                            <option value="UTF-16BE">UTF-16BE</option>
-                            <option value="UTF-16LE">UTF-16LE</option>
-                            <option value="UTF-16">UTF-16</option>
-                            <!--US_ASCII & ISO_8859_1 kunnen niet!-->
-                        </select>
-                    </div>
-                </div>
-                <kc-tooltip>{{:: 'first-broker-login-flow.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="mutualTls">
-                    {{:: 'saml.extended.artifact-resolution-mutual-tls' | translate}}</label>
-                <div class="col-md-6">
-                    <input
-                            ng-model="identityProvider.config.mutualTls"
-                            id="mutualTls" onoffswitchvalue
-                            on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
-                </div>
-                <kc-tooltip>{{:: 'saml.extended.artifact-resolution-mutual-tls.tooltip' | translate}}</kc-tooltip>
-            </div>
-        </fieldset>
-        <fieldset data-ng-show="newIdentityProvider">
-            <legend uncollapsed><span class="text">{{:: 'import-external-idp-config' | translate}}</span> <kc-tooltip>{{:: 'import-external-idp-config.tooltip' | translate}}</kc-tooltip></legend>
-            <div class="form-group" data-ng-show="newIdentityProvider">
-                <label class="col-md-2 control-label" for="fromUrl">{{:: 'import-from-url' | translate}}</label>
-                <div class="col-md-6">
-                    <input class="form-control" id="fromUrl" type="text" ng-model="fromUrl.data">
-                </div>
-                <kc-tooltip>{{:: 'saml.import-from-url.tooltip' | translate}}</kc-tooltip>
-            </div>
-            <div class="form-group">
-                <label class="col-md-2 control-label" for="importFrom"></label>
-                <div class="col-md-6">
-                    <button id="importFrom" type="button" data-ng-click="importFrom()" data-ng-show="importUrl" class="btn btn-primary">{{:: 'import' | translate}}</button>
-                </div>
-            </div>
-            <div class="form-group" data-ng-show="newIdentityProvider">
-                <label class="col-md-2 control-label">{{:: 'import-from-file' | translate}}</label>
-                <div class="col-md-6">
-                    <div class="controls kc-button-input-file" data-ng-show="!files || files.length == 0">
-                        <label for="import-file" class="btn btn-default">{{:: 'select-file' | translate}} <i class="pficon pficon-import"></i></label>
-                        <input id="import-file" type="file" class="hidden" ng-file-select="onFileSelect($files)">
-                    </div>
-                <span class="kc-uploaded-file" data-ng-show="files.length > 0">
-                    {{files[0].name}}
-                </span>
-                </div>
-                <div class="form-group">
-                    <label class="col-md-2 control-label" for="importFile"></label>
-                    <div class="col-sm-6" data-ng-show="importFile">
-                        <button id="importFile" type="button" data-ng-click="uploadFile()" data-ng-show="importFile" class="btn btn-primary">{{:: 'import' | translate}}</button>
-                    </div>
-                </div>
-            </div>
-        </fieldset>
-
-        <div class="form-group">
-            <div class="col-md-10 col-md-offset-2">
-                <button kc-save data-ng-disabled="!changed">{{:: 'save' | translate}}</button>
-                <button kc-cancel data-ng-click="cancel()" data-ng-disabled="!changed">{{:: 'cancel' | translate}}</button>
-            </div>
-        </div>
-    </form>
-</div>
-
-<kc-menu></kc-menu>

From 4754692be4341d96f3fce9e3a27cb78542c464ed Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Fri, 22 May 2026 14:49:24 +0200
Subject: [PATCH 09/16] config-frontend: minor bugfixes for "enabled" and "hide
 on login" not saving, and more e2e tests for it

---
 .gitignore                                    |   4 +-
 .../js/CheckBoxControllerEditProvider.js      |   2 +-
 .../saml-extended-frontend/js/EditProvider.js |   4 +-
 .../js/InfoUpdaterAdd.js                      |   3 +-
 src/test/e2e/{ => frontend}/.env.example      |   0
 src/test/e2e/{ => frontend}/config.js         |   0
 src/test/e2e/frontend/helpers.js              | 177 +++++++++++++++++
 src/test/e2e/{ => frontend}/package-lock.json |   0
 src/test/e2e/frontend/package.json            |  19 ++
 src/test/e2e/frontend/test-add-defaults.js    | 102 ++++++++++
 src/test/e2e/frontend/test-add-provider.js    |  77 +++++++
 .../e2e/frontend/test-artifact-resolution.js  |  45 +++++
 src/test/e2e/frontend/test-bindings.js        |  41 ++++
 src/test/e2e/frontend/test-security.js        |  44 ++++
 .../e2e/frontend/test-standard-options.js     |  50 +++++
 src/test/e2e/package.json                     |  14 --
 src/test/e2e/test-add-provider.js             | 188 ------------------
 src/test/e2e/test-artifact-binding.js         | 123 ------------
 18 files changed, 561 insertions(+), 332 deletions(-)
 rename src/test/e2e/{ => frontend}/.env.example (100%)
 rename src/test/e2e/{ => frontend}/config.js (100%)
 create mode 100644 src/test/e2e/frontend/helpers.js
 rename src/test/e2e/{ => frontend}/package-lock.json (100%)
 create mode 100644 src/test/e2e/frontend/package.json
 create mode 100644 src/test/e2e/frontend/test-add-defaults.js
 create mode 100644 src/test/e2e/frontend/test-add-provider.js
 create mode 100644 src/test/e2e/frontend/test-artifact-resolution.js
 create mode 100644 src/test/e2e/frontend/test-bindings.js
 create mode 100644 src/test/e2e/frontend/test-security.js
 create mode 100644 src/test/e2e/frontend/test-standard-options.js
 delete mode 100644 src/test/e2e/package.json
 delete mode 100644 src/test/e2e/test-add-provider.js
 delete mode 100644 src/test/e2e/test-artifact-binding.js

diff --git a/.gitignore b/.gitignore
index d672038..286ea18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -169,8 +169,8 @@ buildNumber.properties
 # End of https://www.toptal.com/developers/gitignore/api/maven,intellij+all,eclipse
 
 # E2E test credentials
-src/test/e2e/.env
-src/test/e2e/node_modules/
+src/test/e2e/frontend/.env
+src/test/e2e/frontend/node_modules/
 
 # Claude Code
 .claude/
diff --git a/src/main/resources/saml-extended-frontend/js/CheckBoxControllerEditProvider.js b/src/main/resources/saml-extended-frontend/js/CheckBoxControllerEditProvider.js
index 9eb572d..26822ce 100644
--- a/src/main/resources/saml-extended-frontend/js/CheckBoxControllerEditProvider.js
+++ b/src/main/resources/saml-extended-frontend/js/CheckBoxControllerEditProvider.js
@@ -130,7 +130,7 @@ document.addEventListener('DOMContentLoaded', function() {
     
     
     const hideLoginPage = document.getElementById("hideLoginPage");
-    hideLoginPage.value = pluginData.config.hideOnLoginPage ? pluginData.config.hideOnLoginPage : false;
+    hideLoginPage.value = pluginData.hideOnLogin ? pluginData.hideOnLogin : false;
     hideLoginPage.addEventListener("change", function () {
         handleCheckboxValue(hideLoginPage);
         
diff --git a/src/main/resources/saml-extended-frontend/js/EditProvider.js b/src/main/resources/saml-extended-frontend/js/EditProvider.js
index bc7790f..514b3c6 100644
--- a/src/main/resources/saml-extended-frontend/js/EditProvider.js
+++ b/src/main/resources/saml-extended-frontend/js/EditProvider.js
@@ -29,13 +29,14 @@ edit.addEventListener('click', () => {
                 "alias": alias,
                 "displayName": Display_Name_input.value,
                 "providerId": "saml-extended",
-                "enabled": "true",
+                "enabled": String(enabled.checked),
                 "updateProfileFirstLoginMode": "on",
                 "trustEmail": trustEmail.value,
                 "storeToken": storeToken.value,
                 "addReadTokenRoleOnCreate": storedTokensReadable.value,
                 "authenticateByDefault": "false",
                 "linkOnly": accountLinkingOnly.value,
+                "hideOnLogin": hideLoginPage.value,
                 "firstBrokerLoginFlowAlias": firstLoginFlow_input.value,
                 "postBrokerLoginFlowAlias": postLoginFlow_input.value,
                 config: {
@@ -58,7 +59,6 @@ edit.addEventListener('click', () => {
                     "allowedClockSkew": allowedClockSkew_input.value,
                     "guiOrder": Display_Order_input.value,
                     "validateSignature": validateSignatures.value,
-                    "hideOnLoginPage": hideLoginPage.value,
                     "signingCertificate": ValidatingX509Certificates_input.value,
                     "nameIDPolicyFormat": nameIdPolicy1,
                     "entityId": Service_Provider_Entity_ID_input.value,
diff --git a/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js b/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js
index b61d1ea..7506dac 100644
--- a/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js
+++ b/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js
@@ -44,9 +44,8 @@ if (storedData) {
         toggleCheckbox1('storeToken', storeToken)
         toggleCheckbox1('trustEmail', trustEmail)
         toggleCheckbox1('linkOnly', accountLinkingOnly)
-        toggleCheckbox('hideOnLoginPage', hideLoginPage)
+        toggleCheckbox1('hideOnLogin', hideLoginPage)
         toggleCheckbox('includeArtifactResolutionServiceMetadata', ArtifactResolutionService_in_metadata)
-        toggleCheckbox('hideOnLoginPage', hideLoginPage)
         toggleCheckbox('signArtifactResolutionRequest', Sign_Artifact_Resolution_Request)
         toggleCheckbox('artifactResolutionSOAP', Artifact_Resolution_with_SOAP)
         toggleCheckbox('artifactResolutionWithXmlHeader', Artifact_Resolution_with_XML_header)
diff --git a/src/test/e2e/.env.example b/src/test/e2e/frontend/.env.example
similarity index 100%
rename from src/test/e2e/.env.example
rename to src/test/e2e/frontend/.env.example
diff --git a/src/test/e2e/config.js b/src/test/e2e/frontend/config.js
similarity index 100%
rename from src/test/e2e/config.js
rename to src/test/e2e/frontend/config.js
diff --git a/src/test/e2e/frontend/helpers.js b/src/test/e2e/frontend/helpers.js
new file mode 100644
index 0000000..ab0e650
--- /dev/null
+++ b/src/test/e2e/frontend/helpers.js
@@ -0,0 +1,177 @@
+const { firefox } = require('playwright');
+
+async function createBrowserSession() {
+    const browser = await firefox.launch({ headless: true, slowMo: 0 });
+    const page = await browser.newPage();
+
+    page.on('framenavigated', frame => {
+        if (frame === page.mainFrame()) console.log('Navigated to:', frame.url());
+    });
+    page.on('dialog', async dialog => {
+        console.log(`Dialog: "${dialog.message()}"`);
+        await dialog.accept();
+    });
+    page.on('response', async response => {
+        if (response.url().includes('/identity-provider/instances') &&
+            ['POST', 'DELETE'].includes(response.request().method())) {
+            const status = response.status();
+            console.log(`API ${response.request().method()} /identity-provider/instances → ${status}`);
+            if (status >= 400) {
+                try { console.log('API error:', await response.text()); } catch {}
+            }
+        }
+    });
+
+    return { browser, page };
+}
+
+async function handleLoginIfPresent(page, config) {
+    const url = page.url();
+    if (url.includes('/protocol/openid-connect/auth') || url.includes('login-actions') || url.includes('/login')) {
+        console.log('Login page detected, logging in...');
+        await page.fill('#username', config.username);
+        await page.fill('#password', config.password);
+        await page.click('#kc-login');
+        await page.waitForTimeout(1000);
+        return true;
+    }
+    return false;
+}
+
+async function login(page, config) {
+    console.log('Navigating to realm page...');
+    await page.goto(`${config.baseUrl}/realms/${config.realm}/samlconfig/pages/realm`);
+    await page.waitForTimeout(500);
+    await page.fill('#realmNameInput', config.realm);
+    await page.click('button:has-text("Login with Keycloak")');
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page, config);
+    await page.waitForTimeout(1000);
+
+    console.log('Reloading list page...');
+    await page.reload();
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page, config);
+
+    await page.waitForFunction(
+        r => document.querySelector(`#Realms option[value="${r}"]`) !== null,
+        config.realm,
+        { timeout: 10000 }
+    );
+    await page.selectOption('#Realms', config.realm);
+}
+
+async function navigateToEditProvider(page, config, providerName) {
+    await page.goto(`${config.baseUrl}/realms/${config.realm}/samlconfig/pages/list`);
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page, config);
+    await page.waitForTimeout(500);
+    await page.click(`text=${providerName}`);
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page, config);
+    await page.waitForTimeout(500);
+}
+
+async function navigateToAddProvider(page, config) {
+    const addBtn = await page.$('a[href*="addprovider"], button:has-text("Add provider"), a:has-text("Add")');
+    if (addBtn) {
+        await addBtn.click();
+    } else {
+        await page.goto(`${config.baseUrl}/realms/${config.realm}/samlconfig/pages/addprovider`);
+    }
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page, config);
+    await page.waitForTimeout(500);
+}
+
+async function deleteProvider(page, config, alias) {
+    await page.goto(`${config.baseUrl}/realms/${config.realm}/samlconfig/pages/list`);
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page, config);
+    await page.waitForTimeout(1000);
+
+    const deleteClicked = await page.evaluate(a => {
+        const rows = document.querySelectorAll('table tr');
+        for (const row of rows) {
+            const cells = row.querySelectorAll('td');
+            if (cells.length > 0 && cells[0].textContent.trim() === a) {
+                const btn = Array.from(row.querySelectorAll('button')).find(b => b.textContent.trim() === 'Delete');
+                if (btn) { btn.click(); return true; }
+            }
+        }
+        return false;
+    }, alias);
+
+    await page.waitForTimeout(1000);
+    return deleteClicked;
+}
+
+async function getCheckboxState(page, id) {
+    const checkbox = await page.$(`#${id}`);
+    if (!checkbox) throw new Error(`Checkbox #${id} not found`);
+    await checkbox.scrollIntoViewIfNeeded();
+    return checkbox.evaluate(el => el.checked);
+}
+
+async function toggleCheckbox(page, id) {
+    const checkbox = await page.$(`#${id}`);
+    if (!checkbox) throw new Error(`Checkbox #${id} not found`);
+    await checkbox.scrollIntoViewIfNeeded();
+    const slider = await page.$(`#${id} + span.slider`);
+    if (slider) await slider.click();
+    else await checkbox.evaluate(el => el.click());
+    return checkbox.evaluate(el => el.checked);
+}
+
+async function saveForm(page, config) {
+    const saveBtn = await page.$('button:has-text("Save"), button:has-text("Edit"), #submit, input[type="submit"]');
+    if (!saveBtn) throw new Error('Save button not found');
+    await saveBtn.click({ force: true });
+    await page.waitForTimeout(1000);
+    await handleLoginIfPresent(page, config);
+    await page.waitForTimeout(1000);
+}
+
+// Create a provider with all-default boolean settings, leaving the browser on the edit page.
+async function createProvider(page, config, alias) {
+    await navigateToAddProvider(page, config);
+    const useEntityDescriptor = await page.$('#useEntityDescriptor');
+    if (useEntityDescriptor && await useEntityDescriptor.evaluate(el => el.checked)) {
+        const slider = await page.$('#useEntityDescriptor + span.slider');
+        if (slider) await slider.click();
+        else await useEntityDescriptor.evaluate(el => el.click());
+        await page.waitForTimeout(500);
+    }
+    await page.fill('#alias', alias);
+    await page.fill('#idpEntityId', alias);
+    await page.fill('#ssoServiceUrl', 'https://example.com/sso');
+    await saveForm(page, config);
+}
+
+// Toggle checkbox on current edit page, save, navigate back to edit page, verify persisted.
+async function toggleAndPersist(page, config, providerName, checkboxId) {
+    const before = await getCheckboxState(page, checkboxId);
+    console.log(`  ${checkboxId} before: ${before}`);
+    const after = await toggleCheckbox(page, checkboxId);
+    console.log(`  ${checkboxId} after toggle: ${after}`);
+    await saveForm(page, config);
+    await navigateToEditProvider(page, config, providerName);
+    const persisted = await getCheckboxState(page, checkboxId);
+    const pass = persisted === after;
+    console.log(`  ${checkboxId} after reload: ${persisted} — ${pass ? 'PASS' : `FAIL (expected ${after})`}`);
+    return { before, after, persisted, pass };
+}
+
+module.exports = {
+    createBrowserSession,
+    handleLoginIfPresent,
+    login,
+    navigateToEditProvider,
+    navigateToAddProvider,
+    createProvider,
+    deleteProvider,
+    getCheckboxState,
+    toggleCheckbox,
+    saveForm,
+    toggleAndPersist,
+};
diff --git a/src/test/e2e/package-lock.json b/src/test/e2e/frontend/package-lock.json
similarity index 100%
rename from src/test/e2e/package-lock.json
rename to src/test/e2e/frontend/package-lock.json
diff --git a/src/test/e2e/frontend/package.json b/src/test/e2e/frontend/package.json
new file mode 100644
index 0000000..5ab7a3e
--- /dev/null
+++ b/src/test/e2e/frontend/package.json
@@ -0,0 +1,19 @@
+{
+  "name": "e2e-tests",
+  "version": "1.0.0",
+  "private": true,
+  "scripts": {
+    "test": "node test-artifact-binding.js && node test-add-provider.js && node test-add-defaults.js && node test-bindings.js && node test-security.js && node test-artifact-resolution.js && node test-standard-options.js",
+    "test:edit": "node test-artifact-binding.js",
+    "test:add": "node test-add-provider.js",
+    "test:defaults": "node test-add-defaults.js",
+    "test:bindings": "node test-bindings.js",
+    "test:security": "node test-security.js",
+    "test:artifact-resolution": "node test-artifact-resolution.js",
+    "test:standard-options": "node test-standard-options.js"
+  },
+  "dependencies": {
+    "dotenv": "^16.0.0",
+    "playwright": "1.59.1"
+  }
+}
diff --git a/src/test/e2e/frontend/test-add-defaults.js b/src/test/e2e/frontend/test-add-defaults.js
new file mode 100644
index 0000000..31dad4e
--- /dev/null
+++ b/src/test/e2e/frontend/test-add-defaults.js
@@ -0,0 +1,102 @@
+const { createBrowserSession, login, navigateToAddProvider, deleteProvider, getCheckboxState, saveForm } = require('./helpers');
+const config = require('./config');
+
+const TEST_ALIAS   = 'test-defaults';
+const FAKE_SSO_URL = 'https://example.com/sso';
+const IDP_ENTITY_ID = 'test-defaults-entity';
+
+// Expected default state of every boolean on the add-provider form.
+// Verified from addprovider.html: only 'enabled' and 'useEntityDescriptor' carry the 'checked' attribute.
+const EXPECTED_DEFAULTS = [
+    { id: 'enabled',                              expected: true  },
+    { id: 'useEntityDescriptor',                  expected: true  },
+    { id: 'backchannel',                          expected: false },
+    { id: 'id_token_hint',                        expected: false },
+    { id: 'client_id_in_logout_requests',         expected: false },
+    { id: 'allowCreate',                          expected: false },
+    { id: 'httpPostBindingResponse',              expected: false },
+    { id: 'artifactBindingResponse',              expected: false },
+    { id: 'httpPostBindingAuthnRequest',          expected: false },
+    { id: 'httpPostBindingLogout',                expected: false },
+    { id: 'wantAuthnRequestsSigned',              expected: false },
+    { id: 'wantAssertionsSigned',                 expected: false },
+    { id: 'wantAssertionsEncrypted',              expected: false },
+    { id: 'forceAuthentication',                  expected: false },
+    { id: 'validateSignatures',                   expected: false },
+    { id: 'signMetadata',                         expected: false },
+    { id: 'passSubject',                          expected: false },
+    { id: 'storeToken',                           expected: false },
+    { id: 'storedTokensReadable',                 expected: false },
+    { id: 'trustEmail',                           expected: false },
+    { id: 'accountLinkingOnly',                   expected: false },
+    { id: 'hideLoginPage',                        expected: false },
+    { id: 'Artifact_Resolution',                  expected: false },
+    { id: 'ArtifactResolutionService_in_metadata', expected: false },
+    { id: 'Sign_Artifact_Resolution_Request',     expected: false },
+    { id: 'Artifact_Resolution_with_SOAP',        expected: false },
+    { id: 'Artifact_Resolution_with_XML_header',  expected: false },
+    { id: 'Mutual_TLS',                           expected: false },
+];
+
+(async () => {
+    const { browser, page } = await createBrowserSession();
+    let allPassed = true;
+
+    await login(page, config);
+
+    console.log('\nOpening add provider page...');
+    await navigateToAddProvider(page, config);
+
+    // ── Check defaults of 'enabled' and 'useEntityDescriptor' before touching anything ──
+    console.log('\n--- Checking defaults (before disabling useEntityDescriptor) ---');
+    for (const { id, expected } of EXPECTED_DEFAULTS.slice(0, 2)) {
+        const actual = await getCheckboxState(page, id);
+        const pass = actual === expected;
+        console.log(`  #${id}: ${actual} — ${pass ? 'PASS' : `FAIL (expected ${expected})`}`);
+        allPassed = allPassed && pass;
+    }
+
+    // ── Disable useEntityDescriptor to reveal the remaining fields ────────────
+    console.log('\nDisabling useEntityDescriptor to reveal remaining fields...');
+    const useEntityDescriptor = await page.$('#useEntityDescriptor');
+    if (useEntityDescriptor && await useEntityDescriptor.evaluate(el => el.checked)) {
+        const slider = await page.$('#useEntityDescriptor + span.slider');
+        if (slider) await slider.click();
+        else await useEntityDescriptor.evaluate(el => el.click());
+        await page.waitForTimeout(500);
+    }
+
+    // ── Fill required fields ──────────────────────────────────────────────────
+    await page.fill('#alias', TEST_ALIAS);
+    await page.fill('#idpEntityId', IDP_ENTITY_ID);
+    await page.fill('#ssoServiceUrl', FAKE_SSO_URL);
+
+    // ── Check defaults of all remaining booleans ──────────────────────────────
+    console.log('\n--- Checking defaults (remaining fields) ---');
+    for (const { id, expected } of EXPECTED_DEFAULTS.slice(2)) {
+        const actual = await getCheckboxState(page, id);
+        const pass = actual === expected;
+        console.log(`  #${id}: ${actual} — ${pass ? 'PASS' : `FAIL (expected ${expected})`}`);
+        allPassed = allPassed && pass;
+    }
+
+    // ── Save so the provider exists in a known-default state ──────────────────
+    console.log('\nSaving provider with all defaults...');
+    await saveForm(page, config);
+
+    // ── Clean up ──────────────────────────────────────────────────────────────
+    console.log('\nDeleting test provider...');
+    const deleted = await deleteProvider(page, config, TEST_ALIAS);
+    if (!deleted) {
+        console.log('WARNING: could not find delete button for test provider');
+        allPassed = false;
+    } else {
+        const providers = await page.$$eval('table tr td:first-child', els => els.map(e => e.textContent.trim()));
+        const gone = !providers.includes(TEST_ALIAS);
+        console.log(`  provider deleted: ${gone ? 'PASS' : 'FAIL (still present in list)'}`);
+        allPassed = allPassed && gone;
+    }
+
+    console.log(`\n${allPassed ? 'ALL TESTS PASSED' : 'SOME TESTS FAILED'}`);
+    await browser.close();
+})();
diff --git a/src/test/e2e/frontend/test-add-provider.js b/src/test/e2e/frontend/test-add-provider.js
new file mode 100644
index 0000000..526db7a
--- /dev/null
+++ b/src/test/e2e/frontend/test-add-provider.js
@@ -0,0 +1,77 @@
+const { createBrowserSession, login, navigateToAddProvider, deleteProvider, getCheckboxState, toggleCheckbox, saveForm } = require('./helpers');
+const config = require('./config');
+
+const TEST_ALIAS = 'test-artifact-binding';
+const FAKE_SSO_URL = 'https://example.com/sso';
+const IDP_ENTITY_ID = 'test123';
+
+(async () => {
+    const { browser, page } = await createBrowserSession();
+
+    await login(page, config);
+
+    console.log('\nOpening add provider page...');
+    await navigateToAddProvider(page, config);
+
+    // Disable "Use Entity Descriptor" if it defaults to on
+    console.log('Disabling use entity descriptor...');
+    const useEntityDescriptor = await page.$('#useEntityDescriptor');
+    if (useEntityDescriptor && await useEntityDescriptor.evaluate(el => el.checked)) {
+        const edLabel = await page.$('label:has(#useEntityDescriptor) span.slider');
+        if (edLabel) await edLabel.click();
+        else await useEntityDescriptor.evaluate(el => el.click());
+        await page.waitForTimeout(500);
+    }
+
+    // Fill required fields
+    console.log(`Filling alias: "${TEST_ALIAS}"`);
+    await page.fill('#alias', TEST_ALIAS);
+    console.log(`Filling IDP entity ID: "${IDP_ENTITY_ID}"`);
+    await page.fill('#idpEntityId', IDP_ENTITY_ID);
+    console.log(`Filling SSO URL: "${FAKE_SSO_URL}"`);
+    await page.fill('#ssoServiceUrl', FAKE_SSO_URL);
+
+    // Validate initial state
+    const initialState = await getCheckboxState(page, 'artifactBindingResponse');
+    console.log(`\n  artifactBindingResponse initial state: ${initialState}`);
+    let allPassed = initialState === false;
+    if (!allPassed) console.log('FAIL: expected initial state to be false');
+    else console.log('  initial state is false ✓');
+
+    // Toggle to true
+    const afterToggle = await toggleCheckbox(page, 'artifactBindingResponse');
+    console.log(`  artifactBindingResponse after toggle: ${afterToggle}`);
+
+    // Save
+    console.log('\nSaving...');
+    await saveForm(page, config);
+
+    // Verify on edit page
+    const currentUrl = page.url();
+    console.log(`\nCurrent URL after save: ${currentUrl}`);
+    if (!currentUrl.includes('editprovider')) {
+        console.log('WARNING: not on editprovider page, navigating there...');
+        await page.goto(`${config.baseUrl}/realms/${config.realm}/samlconfig/pages/list`);
+        await page.waitForTimeout(1000);
+        await page.click(`text=${TEST_ALIAS}`);
+        await page.waitForTimeout(1000);
+    }
+
+    const persisted = await getCheckboxState(page, 'artifactBindingResponse');
+    const pass = persisted === true;
+    console.log(`  artifactBindingResponse on edit page: ${persisted} — ${pass ? 'PASS' : 'FAIL (expected true)'}`);
+    allPassed = allPassed && pass;
+
+    // Delete
+    console.log('\nDeleting test provider from list...');
+    const deleteClicked = await deleteProvider(page, config, TEST_ALIAS);
+    if (!deleteClicked) console.log('WARNING: could not find delete button for test provider');
+
+    const providers = await page.$$eval('table tr td:first-child', els => els.map(e => e.textContent.trim()));
+    const deleted = !providers.includes(TEST_ALIAS);
+    console.log(`  provider deleted: ${deleted ? 'PASS' : 'FAIL (still present in list)'}`);
+    allPassed = allPassed && deleted;
+
+    console.log(`\n${allPassed ? 'ALL TESTS PASSED' : 'SOME TESTS FAILED'}`);
+    await browser.close();
+})();
diff --git a/src/test/e2e/frontend/test-artifact-resolution.js b/src/test/e2e/frontend/test-artifact-resolution.js
new file mode 100644
index 0000000..8f0f48c
--- /dev/null
+++ b/src/test/e2e/frontend/test-artifact-resolution.js
@@ -0,0 +1,45 @@
+const { createBrowserSession, login, createProvider, deleteProvider, toggleAndPersist } = require('./helpers');
+const config = require('./config');
+
+const TEST_ALIAS = 'test-artifact-resolution';
+
+const CHECKBOXES = [
+    'Artifact_Resolution',
+    'ArtifactResolutionService_in_metadata',
+    'Sign_Artifact_Resolution_Request',
+    'Artifact_Resolution_with_SOAP',
+    'Artifact_Resolution_with_XML_header',
+    'Mutual_TLS',
+    'artifactBindingResponse',
+];
+
+(async () => {
+    const { browser, page } = await createBrowserSession();
+    let allPassed = true;
+
+    await login(page, config);
+
+    console.log(`\nCreating test provider "${TEST_ALIAS}"...`);
+    await createProvider(page, config, TEST_ALIAS);
+
+    for (const id of CHECKBOXES) {
+        console.log(`\n--- ${id} ---`);
+        const result = await toggleAndPersist(page, config, TEST_ALIAS, id);
+        allPassed = allPassed && result.pass;
+    }
+
+    console.log('\nDeleting test provider...');
+    const deleteClicked = await deleteProvider(page, config, TEST_ALIAS);
+    if (!deleteClicked) {
+        console.log('WARNING: could not find delete button');
+        allPassed = false;
+    } else {
+        const providers = await page.$$eval('table tr td:first-child', els => els.map(e => e.textContent.trim()));
+        const gone = !providers.includes(TEST_ALIAS);
+        console.log(`  provider deleted: ${gone ? 'PASS' : 'FAIL (still present in list)'}`);
+        allPassed = allPassed && gone;
+    }
+
+    console.log(`\n${allPassed ? 'ALL TESTS PASSED' : 'SOME TESTS FAILED'}`);
+    await browser.close();
+})();
diff --git a/src/test/e2e/frontend/test-bindings.js b/src/test/e2e/frontend/test-bindings.js
new file mode 100644
index 0000000..01741d1
--- /dev/null
+++ b/src/test/e2e/frontend/test-bindings.js
@@ -0,0 +1,41 @@
+const { createBrowserSession, login, createProvider, deleteProvider, toggleAndPersist } = require('./helpers');
+const config = require('./config');
+
+const TEST_ALIAS = 'test-bindings';
+
+const CHECKBOXES = [
+    'httpPostBindingResponse',
+    'httpPostBindingAuthnRequest',
+    'httpPostBindingLogout',
+];
+
+(async () => {
+    const { browser, page } = await createBrowserSession();
+    let allPassed = true;
+
+    await login(page, config);
+
+    console.log(`\nCreating test provider "${TEST_ALIAS}"...`);
+    await createProvider(page, config, TEST_ALIAS);
+
+    for (const id of CHECKBOXES) {
+        console.log(`\n--- ${id} ---`);
+        const result = await toggleAndPersist(page, config, TEST_ALIAS, id);
+        allPassed = allPassed && result.pass;
+    }
+
+    console.log('\nDeleting test provider...');
+    const deleteClicked = await deleteProvider(page, config, TEST_ALIAS);
+    if (!deleteClicked) {
+        console.log('WARNING: could not find delete button');
+        allPassed = false;
+    } else {
+        const providers = await page.$$eval('table tr td:first-child', els => els.map(e => e.textContent.trim()));
+        const gone = !providers.includes(TEST_ALIAS);
+        console.log(`  provider deleted: ${gone ? 'PASS' : 'FAIL (still present in list)'}`);
+        allPassed = allPassed && gone;
+    }
+
+    console.log(`\n${allPassed ? 'ALL TESTS PASSED' : 'SOME TESTS FAILED'}`);
+    await browser.close();
+})();
diff --git a/src/test/e2e/frontend/test-security.js b/src/test/e2e/frontend/test-security.js
new file mode 100644
index 0000000..94a1ca4
--- /dev/null
+++ b/src/test/e2e/frontend/test-security.js
@@ -0,0 +1,44 @@
+const { createBrowserSession, login, createProvider, deleteProvider, toggleAndPersist } = require('./helpers');
+const config = require('./config');
+
+const TEST_ALIAS = 'test-security';
+
+const CHECKBOXES = [
+    'wantAuthnRequestsSigned',
+    'wantAssertionsSigned',
+    'wantAssertionsEncrypted',
+    'forceAuthentication',
+    'validateSignatures',
+    'signMetadata',
+];
+
+(async () => {
+    const { browser, page } = await createBrowserSession();
+    let allPassed = true;
+
+    await login(page, config);
+
+    console.log(`\nCreating test provider "${TEST_ALIAS}"...`);
+    await createProvider(page, config, TEST_ALIAS);
+
+    for (const id of CHECKBOXES) {
+        console.log(`\n--- ${id} ---`);
+        const result = await toggleAndPersist(page, config, TEST_ALIAS, id);
+        allPassed = allPassed && result.pass;
+    }
+
+    console.log('\nDeleting test provider...');
+    const deleteClicked = await deleteProvider(page, config, TEST_ALIAS);
+    if (!deleteClicked) {
+        console.log('WARNING: could not find delete button');
+        allPassed = false;
+    } else {
+        const providers = await page.$$eval('table tr td:first-child', els => els.map(e => e.textContent.trim()));
+        const gone = !providers.includes(TEST_ALIAS);
+        console.log(`  provider deleted: ${gone ? 'PASS' : 'FAIL (still present in list)'}`);
+        allPassed = allPassed && gone;
+    }
+
+    console.log(`\n${allPassed ? 'ALL TESTS PASSED' : 'SOME TESTS FAILED'}`);
+    await browser.close();
+})();
diff --git a/src/test/e2e/frontend/test-standard-options.js b/src/test/e2e/frontend/test-standard-options.js
new file mode 100644
index 0000000..7226d5f
--- /dev/null
+++ b/src/test/e2e/frontend/test-standard-options.js
@@ -0,0 +1,50 @@
+const { createBrowserSession, login, createProvider, deleteProvider, toggleAndPersist } = require('./helpers');
+const config = require('./config');
+
+const TEST_ALIAS = 'test-standard-options';
+
+// 'enabled' is last: toggling it to false may affect list visibility for subsequent navigations.
+const CHECKBOXES = [
+    'backchannel',
+    'id_token_hint',
+    'client_id_in_logout_requests',
+    'allowCreate',
+    'passSubject',
+    'storeToken',
+    'storedTokensReadable',
+    'trustEmail',
+    'accountLinkingOnly',
+    'hideLoginPage',
+    'enabled',
+];
+
+(async () => {
+    const { browser, page } = await createBrowserSession();
+    let allPassed = true;
+
+    await login(page, config);
+
+    console.log(`\nCreating test provider "${TEST_ALIAS}"...`);
+    await createProvider(page, config, TEST_ALIAS);
+
+    for (const id of CHECKBOXES) {
+        console.log(`\n--- ${id} ---`);
+        const result = await toggleAndPersist(page, config, TEST_ALIAS, id);
+        allPassed = allPassed && result.pass;
+    }
+
+    console.log('\nDeleting test provider...');
+    const deleteClicked = await deleteProvider(page, config, TEST_ALIAS);
+    if (!deleteClicked) {
+        console.log('WARNING: could not find delete button');
+        allPassed = false;
+    } else {
+        const providers = await page.$$eval('table tr td:first-child', els => els.map(e => e.textContent.trim()));
+        const gone = !providers.includes(TEST_ALIAS);
+        console.log(`  provider deleted: ${gone ? 'PASS' : 'FAIL (still present in list)'}`);
+        allPassed = allPassed && gone;
+    }
+
+    console.log(`\n${allPassed ? 'ALL TESTS PASSED' : 'SOME TESTS FAILED'}`);
+    await browser.close();
+})();
diff --git a/src/test/e2e/package.json b/src/test/e2e/package.json
deleted file mode 100644
index a88ba45..0000000
--- a/src/test/e2e/package.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
-  "name": "e2e-tests",
-  "version": "1.0.0",
-  "private": true,
-  "scripts": {
-    "test": "node test-artifact-binding.js && node test-add-provider.js",
-    "test:edit": "node test-artifact-binding.js",
-    "test:add": "node test-add-provider.js"
-  },
-  "dependencies": {
-    "dotenv": "^16.0.0",
-    "playwright": "1.59.1"
-  }
-}
diff --git a/src/test/e2e/test-add-provider.js b/src/test/e2e/test-add-provider.js
deleted file mode 100644
index a1bfb29..0000000
--- a/src/test/e2e/test-add-provider.js
+++ /dev/null
@@ -1,188 +0,0 @@
-const { firefox } = require('playwright');
-const { baseUrl, realm, username, password } = require('./config');
-
-const TEST_ALIAS = 'test-artifact-binding';
-const FAKE_SSO_URL = 'https://example.com/sso';
-const IDP_ENTITY_ID = 'test123';
-
-async function handleLoginIfPresent(page) {
-    const url = page.url();
-    if (url.includes('/protocol/openid-connect/auth') || url.includes('login-actions') || url.includes('/login')) {
-        console.log('Login page detected, logging in...');
-        await page.fill('#username', username);
-        await page.fill('#password', password);
-        await page.click('#kc-login');
-        await page.waitForTimeout(1000);
-        return true;
-    }
-    return false;
-}
-
-(async () => {
-    const browser = await firefox.launch({ headless: true });
-    const page = await browser.newPage();
-
-    page.on('framenavigated', async (frame) => {
-        if (frame === page.mainFrame()) console.log('Navigated to:', frame.url());
-    });
-
-    page.on('dialog', async dialog => {
-        console.log(`Dialog: "${dialog.message()}"`);
-        await dialog.accept();
-    });
-
-    page.on('response', async response => {
-        if (response.url().includes('/identity-provider/instances') && ['POST','DELETE'].includes(response.request().method())) {
-            const status = response.status();
-            console.log(`API ${response.request().method()} /identity-provider/instances → ${status}`);
-            if (status >= 400) {
-                try { console.log('API error:', await response.text()); } catch {}
-            }
-        }
-    });
-
-    // ── Login via realm page ──────────────────────────────────────────────────
-    console.log('Navigating to realm page...');
-    await page.goto(`${baseUrl}/realms/${realm}/samlconfig/pages/realm`);
-    await page.waitForTimeout(500);
-    await page.fill('#realmNameInput', 'master');
-    await page.click('button:has-text("Login with Keycloak")');
-    await page.waitForTimeout(1000);
-    await handleLoginIfPresent(page);
-    await page.waitForTimeout(1000);
-
-    // Reload so the Keycloak adapter initialises via the active session cookie
-    console.log('Reloading list page...');
-    await page.reload();
-    await page.waitForTimeout(1000);
-    await handleLoginIfPresent(page);
-
-    // Wait for realm dropdown to be populated, then select master
-    await page.waitForFunction(() => document.querySelector('#Realms option[value="master"]') !== null, { timeout: 10000 });
-    await page.selectOption('#Realms', 'master');
-
-    // ── Navigate to Add Provider via the Add button on the list page ──────────
-    console.log('\nOpening add provider page...');
-    const addBtn = await page.$('a[href*="addprovider"], button:has-text("Add provider"), a:has-text("Add")');
-    if (addBtn) {
-        await addBtn.click();
-    } else {
-        await page.goto(`${baseUrl}/realms/${realm}/samlconfig/pages/addprovider`);
-    }
-    await page.waitForTimeout(1000);
-    await handleLoginIfPresent(page);
-    await page.waitForTimeout(500);
-
-    // ── Disable "Use Entity Descriptor" ───────────────────────────────────────
-    console.log('Disabling use entity descriptor...');
-    const useEntityDescriptor = await page.$('#useEntityDescriptor');
-    if (useEntityDescriptor && await useEntityDescriptor.evaluate(el => el.checked)) {
-        const edLabel = await page.$('label:has(#useEntityDescriptor) span.slider');
-        if (edLabel) await edLabel.click();
-        else await useEntityDescriptor.evaluate(el => el.click());
-        await page.waitForTimeout(500);
-    }
-
-    // ── Fill required fields ──────────────────────────────────────────────────
-    console.log(`Filling alias: "${TEST_ALIAS}"`);
-    await page.fill('#alias', TEST_ALIAS);
-    console.log(`Filling IDP entity ID: "${IDP_ENTITY_ID}"`);
-    await page.fill('#idpEntityId', IDP_ENTITY_ID);
-    console.log(`Filling SSO URL: "${FAKE_SSO_URL}"`);
-    await page.fill('#ssoServiceUrl', FAKE_SSO_URL);
-
-    // ── Validate initial state of artifactBindingResponse ─────────────────────
-    const artifactCheckbox = await page.$('#artifactBindingResponse');
-    if (!artifactCheckbox) {
-        console.log('ERROR: #artifactBindingResponse not found!');
-        await browser.close();
-        return;
-    }
-    await artifactCheckbox.scrollIntoViewIfNeeded();
-    const initialState = await artifactCheckbox.evaluate(el => el.checked);
-    console.log(`\n  artifactBindingResponse initial state: ${initialState}`);
-    if (initialState !== false) {
-        console.log('FAIL: expected initial state to be false');
-    } else {
-        console.log('  initial state is false ✓');
-    }
-
-    // ── Toggle artifactBindingResponse to true ────────────────────────────────
-    const slider = await page.$('#artifactBindingResponse + span.slider');
-    if (slider) await slider.click();
-    else await artifactCheckbox.evaluate(el => el.click());
-    const afterToggle = await artifactCheckbox.evaluate(el => el.checked);
-    console.log(`  artifactBindingResponse after toggle: ${afterToggle}`);
-
-    // ── Save ──────────────────────────────────────────────────────────────────
-    console.log('\nSaving...');
-    const submitBtn = await page.$('#submit');
-    if (!submitBtn) {
-        console.log('ERROR: #submit not found');
-        await browser.close();
-        return;
-    }
-    await submitBtn.click({ force: true });
-    await page.waitForTimeout(1000);
-    await handleLoginIfPresent(page);
-    await page.waitForTimeout(1000);
-
-    // ── Verify on editprovider page ───────────────────────────────────────────
-    const currentUrl = page.url();
-    console.log(`\nCurrent URL after save: ${currentUrl}`);
-    if (!currentUrl.includes('editprovider')) {
-        console.log('WARNING: not on editprovider page, navigating there...');
-        await page.goto(`${baseUrl}/realms/${realm}/samlconfig/pages/list`);
-        await page.waitForTimeout(1000);
-        await handleLoginIfPresent(page);
-        await page.waitForTimeout(500);
-        await page.click(`text=${TEST_ALIAS}`);
-        await page.waitForTimeout(1000);
-        await handleLoginIfPresent(page);
-        await page.waitForTimeout(500);
-    }
-
-    const editCheckbox = await page.$('#artifactBindingResponse');
-    let allPassed = (initialState === false);
-    if (!editCheckbox) {
-        console.log('ERROR: #artifactBindingResponse not found on edit page!');
-        allPassed = false;
-    } else {
-        const persisted = await editCheckbox.evaluate(el => el.checked);
-        const pass = persisted === true;
-        console.log(`  artifactBindingResponse on edit page: ${persisted} — ${pass ? 'PASS' : 'FAIL (expected true)'}`);
-        allPassed = allPassed && pass;
-    }
-
-    // ── Delete from list page ─────────────────────────────────────────────────
-    console.log('\nDeleting test provider from list...');
-    await page.goto(`${baseUrl}/realms/${realm}/samlconfig/pages/list`);
-    await page.waitForTimeout(1000);
-    await handleLoginIfPresent(page);
-    await page.waitForTimeout(1000);
-
-    const deleteClicked = await page.evaluate((alias) => {
-        const rows = document.querySelectorAll('table tr');
-        for (const row of rows) {
-            const cells = row.querySelectorAll('td');
-            if (cells.length > 0 && cells[0].textContent.trim() === alias) {
-                const btn = Array.from(row.querySelectorAll('button')).find(b => b.textContent.trim() === 'Delete');
-                if (btn) { btn.click(); return true; }
-            }
-        }
-        return false;
-    }, TEST_ALIAS);
-
-    if (!deleteClicked) {
-        console.log('WARNING: could not find delete button for test provider');
-    }
-    await page.waitForTimeout(1000);
-
-    const providers = await page.$$eval('table tr td:first-child', els => els.map(e => e.textContent.trim()));
-    const deleted = !providers.includes(TEST_ALIAS);
-    console.log(`  provider deleted: ${deleted ? 'PASS' : 'FAIL (still present in list)'}`);
-    allPassed = allPassed && deleted;
-
-    console.log(`\n${allPassed ? 'ALL TESTS PASSED' : 'SOME TESTS FAILED'}`);
-    await browser.close();
-})();
diff --git a/src/test/e2e/test-artifact-binding.js b/src/test/e2e/test-artifact-binding.js
deleted file mode 100644
index af39794..0000000
--- a/src/test/e2e/test-artifact-binding.js
+++ /dev/null
@@ -1,123 +0,0 @@
-const { firefox } = require('playwright');
-const { baseUrl, realm, username, password } = require('./config');
-
-async function handleLoginIfPresent(page) {
-    const url = page.url();
-    if (url.includes('/protocol/openid-connect/auth') || url.includes('login-actions') || url.includes('/login')) {
-        console.log('Login page detected, logging in...');
-        await page.fill('#username', username);
-        await page.fill('#password', password);
-        await page.click('#kc-login');
-        await page.waitForTimeout(1000);
-        return true;
-    }
-    return false;
-}
-
-async function openEditPage(page, providerName) {
-    await page.goto(`${baseUrl}/realms/${realm}/samlconfig/pages/list`);
-    await page.waitForTimeout(1000);
-    await handleLoginIfPresent(page);
-    await page.waitForTimeout(500);
-    await page.click(`text=${providerName}`);
-    await page.waitForTimeout(1000);
-    await handleLoginIfPresent(page);
-    await page.waitForTimeout(500);
-}
-
-async function toggleAndSave(page, providerName) {
-    const checkbox = await page.$('#artifactBindingResponse');
-    if (!checkbox) { console.log('ERROR: #artifactBindingResponse not found!'); return null; }
-
-    await checkbox.scrollIntoViewIfNeeded();
-    const before = await checkbox.evaluate(el => el.checked);
-    console.log(`  before: ${before}`);
-
-    const slider = await page.$('#artifactBindingResponse + span.slider');
-    if (slider) await slider.click();
-    else await checkbox.evaluate(el => el.click());
-    const after = await checkbox.evaluate(el => el.checked);
-    console.log(`  after toggle: ${after}`);
-
-    const saveBtn = await page.$('button:has-text("Save"), button:has-text("Edit"), input[type="submit"]');
-    if (saveBtn) { await saveBtn.click(); await page.waitForTimeout(1000); }
-    else { console.log('WARNING: save button not found'); }
-
-    return { before, after };
-}
-
-async function verifyPersisted(page, providerName, expected) {
-    await openEditPage(page, providerName);
-    const checkbox = await page.$('#artifactBindingResponse');
-    if (!checkbox) { console.log('ERROR: #artifactBindingResponse not found after reload!'); return false; }
-    const persisted = await checkbox.evaluate(el => el.checked);
-    const pass = persisted === expected;
-    console.log(`  after reload: ${persisted} — ${pass ? 'PASS' : `FAIL (expected ${expected})`}`);
-    return pass;
-}
-
-(async () => {
-    const browser = await firefox.launch({ headless: true });
-    const page = await browser.newPage();
-
-    page.on('framenavigated', async (frame) => {
-        if (frame === page.mainFrame()) console.log('Navigated to:', frame.url());
-    });
-
-    // Navigate to realm page, fill realm name and click login button
-    console.log('Navigating to realm page...');
-    await page.goto(`${baseUrl}/realms/${realm}/samlconfig/pages/realm`);
-    await page.waitForTimeout(500);
-    await page.fill('#realmNameInput', 'master');
-    await page.click('button:has-text("Login with Keycloak")');
-    await page.waitForTimeout(1000);
-    await handleLoginIfPresent(page);
-    await page.waitForTimeout(1000);
-
-    // Reload so the Keycloak adapter initialises via the active session cookie
-    console.log('Reloading list page...');
-    await page.reload();
-    await page.waitForTimeout(1000);
-    await handleLoginIfPresent(page);
-
-    // Wait for realm dropdown to be populated, then select master
-    await page.waitForFunction(() => document.querySelector('#Realms option[value="master"]') !== null, { timeout: 10000 });
-    await page.selectOption('#Realms', 'master');
-
-    // Wait for the providers table to appear
-    await page.waitForSelector('table tr td:first-child', { timeout: 10000 });
-    const providers = await page.$$eval('table tr td:first-child', els => els.map(e => e.textContent.trim()));
-    console.log('Providers found:', providers);
-    if (providers.length === 0) {
-        console.log('No providers found.');
-        await browser.close();
-        return;
-    }
-
-    const providerName = providers[0];
-    let allPassed = true;
-
-    // Transition 1: read current state, toggle it, verify
-    console.log(`\n--- Transition 1: toggle current state ---`);
-    await page.click(`text=${providerName}`);
-    await page.waitForTimeout(1000);
-    await handleLoginIfPresent(page);
-    await page.waitForTimeout(500);
-
-    const t1 = await toggleAndSave(page, providerName);
-    if (t1) {
-        const pass1 = await verifyPersisted(page, providerName, t1.after);
-        allPassed = allPassed && pass1;
-
-        // Transition 2: toggle back to original state, verify
-        console.log(`\n--- Transition 2: toggle back ---`);
-        const t2 = await toggleAndSave(page, providerName);
-        if (t2) {
-            const pass2 = await verifyPersisted(page, providerName, t2.after);
-            allPassed = allPassed && pass2;
-        }
-    }
-
-    console.log(`\n${allPassed ? 'ALL TESTS PASSED' : 'SOME TESTS FAILED'}`);
-    await browser.close();
-})();

From b918c9204cea38686896e9366c81b6db1699a95a Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Fri, 22 May 2026 15:02:13 +0200
Subject: [PATCH 10/16] More test classes: SAMLUtil.java, SAMLEndpointTest
 (testHandleSamlResponse) and SAMLDataMarshallerTest; minor improvements to
 other tests

---
 .../broker/saml/SAMLEndpointTest.java         | 287 +++++++++++
 .../saml/mappers/SAMLDataMarshallerTest.java  |  92 ++++
 .../mappers/UserAttributeValueMapperTest.java | 144 ------
 .../saml/SPMetadataDescriptorBuilderTest.java | 118 ++---
 .../SAML2ArtifactResolutionBuilderTest.java   |   4 -
 .../java/nl/first8/saml/util/SAMLUtil.java    | 467 ++++++++++++++++++
 6 files changed, 894 insertions(+), 218 deletions(-)
 create mode 100644 src/test/java/nl/first8/keycloak/broker/saml/SAMLEndpointTest.java
 create mode 100644 src/test/java/nl/first8/keycloak/broker/saml/mappers/SAMLDataMarshallerTest.java
 delete mode 100644 src/test/java/nl/first8/keycloak/broker/saml/mappers/UserAttributeValueMapperTest.java
 create mode 100644 src/test/java/nl/first8/saml/util/SAMLUtil.java

diff --git a/src/test/java/nl/first8/keycloak/broker/saml/SAMLEndpointTest.java b/src/test/java/nl/first8/keycloak/broker/saml/SAMLEndpointTest.java
new file mode 100644
index 0000000..fe6943d
--- /dev/null
+++ b/src/test/java/nl/first8/keycloak/broker/saml/SAMLEndpointTest.java
@@ -0,0 +1,287 @@
+package nl.first8.keycloak.broker.saml;
+
+import jakarta.ws.rs.core.Response;
+import java.lang.reflect.Field;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.cert.CertificateException;
+import java.util.stream.Stream;
+import nl.first8.saml.util.SAMLUtil;
+import org.bouncycastle.operator.OperatorCreationException;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import org.junit.jupiter.api.Test;
+import org.keycloak.broker.provider.BrokeredIdentityContext;
+import org.keycloak.broker.provider.IdentityProvider;
+import org.keycloak.common.ClientConnection;
+import org.keycloak.common.enums.SslRequired;
+import org.keycloak.forms.login.LoginFormsProvider;
+import org.keycloak.models.KeyManager;
+import org.keycloak.models.KeycloakContext;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.models.KeycloakTransactionManager;
+import org.keycloak.models.KeycloakUriInfo;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.RealmProvider;
+import org.keycloak.saml.validators.DestinationValidator;
+import org.keycloak.services.messages.Messages;
+import org.keycloak.sessions.AuthenticationSessionModel;
+import org.mockito.ArgumentCaptor;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+import org.opensaml.core.xml.io.MarshallingException;
+import org.opensaml.xmlsec.encryption.support.EncryptionException;
+import org.opensaml.xmlsec.signature.support.SignatureException;
+
+class SAMLEndpointTest {
+
+
+    @Test
+    public void testHandleSamlResponse() throws URISyntaxException, IllegalAccessException, MarshallingException, SignatureException, EncryptionException {
+        KeycloakSession session = getMockKeycloakSession();
+        SAMLIdentityProvider provider = getMockSamlIdentityProvider();
+        SAMLIdentityProviderConfig config = getMockConfig();
+        IdentityProvider.AuthenticationCallback callback = getMockAuthenticationCallback();
+        DestinationValidator validator = getMockDestinationValidator();
+
+        SAMLEndpoint endpoint = new SAMLEndpoint(session, provider, config, callback, validator);
+
+        // clientConnection and session are @Context-injected in a real container; only the
+        // success path reaches code that reads them, so only this test needs to inject them.
+        boolean clientConnectionInjected = false;
+        boolean sessionInjected = false;
+        for (Field field : endpoint.getClass().getDeclaredFields()) {
+            if (field.getName().equals("clientConnection")) {
+                field.setAccessible(true);
+                field.set(endpoint, getMockClientConnection());
+                clientConnectionInjected = true;
+            } else if (field.getName().equals("session")) {
+                field.setAccessible(true);
+                field.set(endpoint, session);
+                sessionInjected = true;
+            }
+        }
+        // These assertions are here in case the implementation ever changes
+        assertTrue(clientConnectionInjected, "SAMLEndpoint no longer has a 'clientConnection' field - update this injection");
+        assertTrue(sessionInjected, "SAMLEndpoint no longer has a 'session' field - update this injection");
+
+        ArgumentCaptor<BrokeredIdentityContext> captor = ArgumentCaptor.forClass(BrokeredIdentityContext.class);
+
+        Response response = endpoint.postBinding("", "", "samlArtifact", "relayState");
+        assertEquals(Response.Status.Family.REDIRECTION, response.getStatusInfo().getFamily());
+
+        verify(callback).authenticated(captor.capture());
+
+        BrokeredIdentityContext identity = captor.getValue();
+        assertEquals("9170bd139d9b5e364290187482329e89bcb431ea", identity.getId());
+        assertEquals("test-alias.9170bd139d9b5e364290187482329e89bcb431ea", identity.getBrokerUserId());
+        assertNotNull(identity.getContextData().get(SAMLEndpoint.SAML_ASSERTION));
+        assertNotNull(identity.getContextData().get(SAMLEndpoint.SAML_LOGIN_RESPONSE));
+    }
+
+    @Test
+    public void testHandleSamlResponse_expiredAssertion() throws URISyntaxException, MarshallingException, SignatureException, EncryptionException {
+        KeycloakSession session = getMockKeycloakSession();
+        LoginFormsProvider loginFormsProvider = session.getProvider(LoginFormsProvider.class);
+        SAMLIdentityProvider provider = mock(SAMLIdentityProvider.class);
+        String expiredArtifactResponse = SAMLUtil.createArtifactResponseWithExpiredAssertionAsString();
+        when(provider.resolveArtifact(anyString(), anyString(), any(RealmModel.class))).thenReturn(expiredArtifactResponse);
+
+        SAMLIdentityProviderConfig config = getMockConfig();
+        IdentityProvider.AuthenticationCallback callback = getMockAuthenticationCallback();
+        DestinationValidator validator = getMockDestinationValidator();
+
+        SAMLEndpoint endpoint = new SAMLEndpoint(session, provider, config, callback, validator);
+
+        Response response = endpoint.postBinding("", "", "samlArtifact", "relayState");
+        assertEquals(Response.Status.Family.CLIENT_ERROR, response.getStatusInfo().getFamily());
+
+        verify(callback, never()).authenticated(any(BrokeredIdentityContext.class));
+        verify(loginFormsProvider).setError(eq(Messages.EXPIRED_CODE), any(Object[].class));
+    }
+
+    @Test
+    public void testHandleSamlResponse_wrongSignature() throws URISyntaxException, MarshallingException, SignatureException, EncryptionException, OperatorCreationException, CertificateException {
+        KeycloakSession session = getMockKeycloakSession();
+        LoginFormsProvider loginFormsProvider = session.getProvider(LoginFormsProvider.class);
+        SAMLIdentityProvider provider = mock(SAMLIdentityProvider.class);
+        String wrongSigArtResponse = SAMLUtil.createArtifactResponseSignedWithWrongKeyAsString();
+        when(provider.resolveArtifact(anyString(), anyString(), any(RealmModel.class))).thenReturn(wrongSigArtResponse);
+
+        SAMLIdentityProviderConfig config = getMockConfigWithSignatureValidation();
+        IdentityProvider.AuthenticationCallback callback = getMockAuthenticationCallback();
+        DestinationValidator validator = getMockDestinationValidator();
+
+        SAMLEndpoint endpoint = new SAMLEndpoint(session, provider, config, callback, validator);
+
+        // The response is signed with a key that does not match the trusted cert in the config.
+        // SAMLEndpoint.verifySignature() throws VerificationException, which is caught and
+        // turned into a BAD_REQUEST error page with IDENTITY_PROVIDER_INVALID_SIGNATURE.
+        Response response = endpoint.postBinding("", "", "samlArtifact", "relayState");
+        assertEquals(Response.Status.Family.CLIENT_ERROR, response.getStatusInfo().getFamily());
+
+        verify(callback, never()).authenticated(any(BrokeredIdentityContext.class));
+        verify(loginFormsProvider).setError(eq(Messages.IDENTITY_PROVIDER_INVALID_SIGNATURE), any(Object[].class));
+    }
+
+    /**
+     * Config variant that enables signature validation and supplies the correct public key.
+     * Used by the wrong-signature test, where the response is signed with a *different* key,
+     * so we need real validation to fire and produce IDENTITY_PROVIDER_INVALID_SIGNATURE.
+     */
+    private SAMLIdentityProviderConfig getMockConfigWithSignatureValidation() throws OperatorCreationException, CertificateException {
+        SAMLIdentityProviderConfig config = mock(SAMLIdentityProviderConfig.class);
+        when(config.getAlias()).thenReturn("test-alias");
+        when(config.isValidateSignature()).thenReturn(true);
+        when(config.getAllowedClockSkew()).thenReturn(15);
+        when(config.getSigningCertificates()).thenReturn(new String[]{SAMLUtil.getCorrectPublicKeyCertificateAsBase64()});
+        return config;
+    }
+
+    /**
+     * Stubs the broker callback so SAMLEndpoint can complete without a real Keycloak flow.
+     * Returns a redirect from authenticated() - used with ArgumentCaptor in the happy-path
+     * test to assert on the BrokeredIdentityContext that was handed to Keycloak.
+     */
+    private IdentityProvider.AuthenticationCallback getMockAuthenticationCallback() {
+        AuthenticationSessionModel authSession = mock(AuthenticationSessionModel.class);
+
+        IdentityProvider.AuthenticationCallback callback = mock(IdentityProvider.AuthenticationCallback.class);
+        when(callback.getAndVerifyAuthenticationSession(anyString())).thenReturn(authSession);
+        Response redirectResponse = mock(Response.class);
+        when(redirectResponse.getStatusInfo()).thenReturn(Response.Status.FOUND);
+        when(callback.authenticated(any(BrokeredIdentityContext.class))).thenReturn(redirectResponse);
+        return callback;
+    }
+
+    /**
+     * String overload always passes - skips the ACS URL check (no real server URL in tests).
+     * URI overload delegates to the real implementation so ConditionsValidator can still
+     * perform its audience restriction check against the base URI from the session mock.
+     */
+    private DestinationValidator getMockDestinationValidator() {
+        DestinationValidator validator = mock(DestinationValidator.class);
+        when(validator.validate(anyString(), anyString())).thenReturn(true);
+        // ConditionsValidator (called indirectly from SAMLEndpoint) uses the URI overload for audience checks
+        when(validator.validate(any(URI.class), any(URI.class))).thenCallRealMethod();
+        return validator;
+    }
+
+    /**
+     * Provides a loopback address so SSL-required checks and remote-address logging don't
+     * NPE. Injected both via the session context and directly into SAMLEndpoint via reflection
+     * in the happy-path test (the only test that reaches the authenticated() code path).
+     */
+    private ClientConnection getMockClientConnection() {
+        ClientConnection connection = mock(ClientConnection.class);
+        when(connection.getRemoteAddr()).thenReturn("127.0.0.1");
+        return connection;
+    }
+
+    /**
+     * Minimal config with signature validation disabled (there's a different test for that: SamlSignatureValidationTest).
+     * Used by tests that exercise parsing and session mapping but do not need to test cryptographic verification.
+     */
+    private SAMLIdentityProviderConfig getMockConfig() {
+        SAMLIdentityProviderConfig config = mock(SAMLIdentityProviderConfig.class);
+        when(config.getAlias()).thenReturn("test-alias");
+        when(config.isValidateSignature()).thenReturn(false);
+        when(config.getAllowedClockSkew()).thenReturn(15);
+        return config;
+    }
+
+    /**
+     * Stubs resolveArtifact to return a pre-built valid response, bypassing the actual
+     * SOAP call to the IdP's artifact resolution service. Happy-path test only.
+     */
+    private SAMLIdentityProvider getMockSamlIdentityProvider() throws MarshallingException, SignatureException, EncryptionException {
+        SAMLIdentityProvider provider = mock(SAMLIdentityProvider.class);
+        String artifactResponse = SAMLUtil.createArtifactResponseAsString();
+        // If you want to test an artifactResponse from a file, comment the line above and replace it by the line below, (a Response might also work)
+        // String artifactResponse = getFileFromResourceAsString("artifactResponse/<the-artifact-response-you-want>");
+        when(provider.resolveArtifact(anyString(), anyString(), any(RealmModel.class)))
+                .thenReturn(artifactResponse);
+        return provider;
+    }
+
+    /**
+     * Realm is the root context for most Keycloak calls. isEnabled() is checked at entry;
+     * getSslRequired() drives whether Keycloak rewrites the redirect to HTTPS.
+     * Kept in its own method because getMockKeycloakSession() needs it for the context stub.
+     */
+    private RealmModel getMockRealmModel() {
+        SslRequired sslRequired = mock(SslRequired.class);
+        when(sslRequired.isRequired(any(ClientConnection.class))).thenReturn(false);
+
+        RealmModel realm = mock(RealmModel.class);
+        when(realm.getName()).thenReturn("test-realm");
+        when(realm.getSslRequired()).thenReturn(sslRequired);
+        when(realm.isEnabled()).thenReturn(true);
+        return realm;
+    }
+
+    /**
+     * Assembles the full Keycloak session graph. Notable stubs:
+     * - sessionFactory / innerSession: Keycloak spawns a child session for certain operations
+     * - LoginFormsProvider: used by failure tests to assert on the error message rendered;
+     * returned via session.getProvider(LoginFormsProvider.class) so tests can verify it
+     */
+    private KeycloakSession getMockKeycloakSession() throws URISyntaxException {
+        KeycloakUriInfo uriInfo = mock(KeycloakUriInfo.class);
+        when(uriInfo.getBaseUri()).thenReturn(new URI("https://auth.testhost.lcl"));
+
+        KeycloakContext context = mock(KeycloakContext.class);
+        when(context.getUri()).thenReturn(uriInfo);
+
+        KeyManager keyManager = mock(KeyManager.class);
+        when(keyManager.getActiveRsaKey(any(RealmModel.class))).thenReturn(getActiveRsaKey());
+
+        RealmModel realm = getMockRealmModel();
+        ClientConnection connection = getMockClientConnection();
+        when(context.getRealm()).thenReturn(realm);
+        when(context.getConnection()).thenReturn(connection);
+
+        KeycloakSessionFactory sessionFactory = mock(KeycloakSessionFactory.class);
+        when(sessionFactory.getProviderFactoriesStream(any())).thenAnswer(inv -> Stream.empty());
+
+        // Keycloak's runJobInTransaction calls sessionFactory.create() to open a fresh child session;
+        // innerSession stubs that call so its transactionManager and realms() don't NPE.
+        KeycloakSession innerSession = mock(KeycloakSession.class);
+        KeycloakTransactionManager tm = mock(KeycloakTransactionManager.class);
+        when(innerSession.getTransactionManager()).thenReturn(tm);
+        RealmProvider realmProvider = mock(RealmProvider.class);
+        when(innerSession.realms()).thenReturn(realmProvider);
+        when(innerSession.getKeycloakSessionFactory()).thenReturn(sessionFactory);
+        when(sessionFactory.create()).thenReturn(innerSession);
+
+        LoginFormsProvider loginFormsProvider = mock(LoginFormsProvider.class);
+        when(loginFormsProvider.setAuthenticationSession(any())).thenReturn(loginFormsProvider);
+        when(loginFormsProvider.setError(anyString())).thenReturn(loginFormsProvider);
+        when(loginFormsProvider.setError(anyString(), any(Object[].class))).thenReturn(loginFormsProvider);
+        Response errorResponse = mock(Response.class);
+        when(errorResponse.getStatusInfo()).thenReturn(Response.Status.BAD_REQUEST);
+        when(loginFormsProvider.createErrorPage(any(Response.Status.class))).thenReturn(errorResponse);
+
+        KeycloakSession session = mock(KeycloakSession.class);
+        when(session.getContext()).thenReturn(context);
+        when(session.keys()).thenReturn(keyManager);
+        when(session.getKeycloakSessionFactory()).thenReturn(sessionFactory);
+        when(session.getProvider(LoginFormsProvider.class)).thenReturn(loginFormsProvider);
+        return session;
+    }
+
+    /**
+     * Wraps the shared TEST_KEY_PAIR as Keycloak's ActiveRsaKey. The same key is used by
+     * SAMLUtil to sign the test SAML responses, so end-to-end signature round-trips work.
+     */
+    private KeyManager.ActiveRsaKey getActiveRsaKey() {
+        return new KeyManager.ActiveRsaKey("kid", SAMLUtil.TEST_KEY_PAIR.getPrivate(), SAMLUtil.TEST_KEY_PAIR.getPublic(), null);
+    }
+}
diff --git a/src/test/java/nl/first8/keycloak/broker/saml/mappers/SAMLDataMarshallerTest.java b/src/test/java/nl/first8/keycloak/broker/saml/mappers/SAMLDataMarshallerTest.java
new file mode 100644
index 0000000..4b854cd
--- /dev/null
+++ b/src/test/java/nl/first8/keycloak/broker/saml/mappers/SAMLDataMarshallerTest.java
@@ -0,0 +1,92 @@
+package nl.first8.keycloak.broker.saml.mappers;
+
+import nl.first8.keycloak.broker.saml.SAMLDataMarshaller;
+import nl.first8.keycloak.dom.saml.v2.assertion.AssertionType;
+import nl.first8.keycloak.dom.saml.v2.metadata.RequestedAttributeValueType;
+import nl.first8.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
+import org.keycloak.dom.saml.v2.protocol.ArtifactResponseType;
+import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
+import org.keycloak.dom.saml.v2.protocol.StatusType;
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.Collections;
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.mock;
+
+class SAMLDataMarshallerTest {
+
+    private SAMLDataMarshaller dataMarshaller;
+
+    @BeforeEach
+    public void setUp() {
+        dataMarshaller = new SAMLDataMarshaller();
+    }
+
+    @Test
+    void shouldDeserializeImmutableCollectionsListCorrectly() {
+        Class<?> immutableListClass = List.of().getClass();
+
+        Object result = dataMarshaller.deserialize("WyI4ODcyMzMxMyJd", immutableListClass);
+
+        assertInstanceOf(List.class, result, "Deserialized object should be a List.");
+        assertEquals(1, ((List<?>) result).size(), "List should contain one element.");
+
+        assertEquals("88723313", ((List<?>) result).get(0), "List should contain the expected element.");
+    }
+
+    @Test
+    void testSerializeResponseType() {
+        ResponseType responseType = new ResponseType("abc", mock(XMLGregorianCalendar.class));
+        StatusType statusType = new StatusType();
+        statusType.setStatusCode(new StatusCodeType());
+        responseType.setStatus(statusType);
+
+        String result = dataMarshaller.serialize(responseType);
+        String expectedXml = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"abc\" Version=\"2.0\" IssueInstant=\"Mock for XMLGregorianCalendar, hashCode: .+\"><samlp:Status><samlp:StatusCode></samlp:StatusCode></samlp:Status></samlp:Response>";
+
+        assertTrue(result.matches(expectedXml));
+    }
+
+    @Test
+    void testSerializeAssertionType() {
+        AssertionType assertionType = new AssertionType("abc", mock(XMLGregorianCalendar.class));
+
+        String result = dataMarshaller.serialize(assertionType);
+        String expectedXml = "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"abc\" Version=\"2.0\" IssueInstant=\"Mock for XMLGregorianCalendar, hashCode: .+\"></saml:Assertion>";
+
+        assertTrue(result.matches(expectedXml));
+    }
+
+    @Test
+    void testSerializeAuthStatementType() {
+        AuthnStatementType authnStatementType = new AuthnStatementType(mock(XMLGregorianCalendar.class));
+
+        String result = dataMarshaller.serialize(authnStatementType);
+        String expectedXml = "<saml:AuthnStatement xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" AuthnInstant=\"Mock for XMLGregorianCalendar, hashCode: .+\"></saml:AuthnStatement>";
+
+        assertTrue(result.matches(expectedXml));
+    }
+
+    @Test
+    void testSerializeArtifactResponseType() {
+        ArtifactResponseType artifactResponseType = new ArtifactResponseType("abc", mock(XMLGregorianCalendar.class));
+
+        String result = dataMarshaller.serialize(artifactResponseType);
+        String expectedXml = "<samlp:ArtifactResponse xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"abc\" Version=\"2.0\" IssueInstant=\"Mock for XMLGregorianCalendar, hashCode: .+\"></samlp:ArtifactResponse>";
+
+        assertTrue(result.matches(expectedXml));
+    }
+
+    @Test
+    void testSerializeUnknownObjectType() {
+        RequestedAttributeValueType unknownObject = new RequestedAttributeValueType("testname");
+
+        assertThrows(IllegalArgumentException.class, () -> {
+            dataMarshaller.serialize(unknownObject);
+        });
+    }
+}
diff --git a/src/test/java/nl/first8/keycloak/broker/saml/mappers/UserAttributeValueMapperTest.java b/src/test/java/nl/first8/keycloak/broker/saml/mappers/UserAttributeValueMapperTest.java
deleted file mode 100644
index d1742de..0000000
--- a/src/test/java/nl/first8/keycloak/broker/saml/mappers/UserAttributeValueMapperTest.java
+++ /dev/null
@@ -1,144 +0,0 @@
-package nl.first8.keycloak.broker.saml.mappers;
-
-import nl.first8.keycloak.dom.saml.v2.assertion.AssertionType;
-import nl.first8.keycloak.dom.saml.v2.assertion.AttributeStatementType;
-import nl.first8.keycloak.dom.saml.v2.assertion.XacmlResourceType;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.keycloak.broker.provider.BrokeredIdentityContext;
-import org.keycloak.dom.saml.v2.assertion.AttributeType;
-import org.keycloak.dom.saml.v2.assertion.NameIDType;
-import org.keycloak.models.IdentityProviderMapperModel;
-import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.RealmModel;
-import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
-import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
-
-import java.util.*;
-
-import static org.mockito.Mockito.*;
-
-class UserAttributeValueMapperTest {
-
-    public static final String ATTRIBUTE_NAME = "urn:etoegang:core:LegalSubjectID";
-    public static final String USER_ATTRIBUTE_NAME = "LegalSubjectID";
-    public static final String ATTRIBUTE_VALUE_ATTRIBUTE_STATEMENT = "<saml:EncryptedID xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><xenc:EncryptedData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"_eafaac3107634baeb7a41b4131c440e5\" Type=\"http://www.w3.org/2001/04/xmlenc#Element\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"/><ds:KeyInfo><ds:RetrievalMethod Type=\"http://www.w3.org/2001/04/xmlenc#EncryptedKey\" URI=\"#_c9034e8a48ac43dcbfcdef4ce0aec000\"/></ds:KeyInfo><xenc:CipherData><xenc:CipherValue> DFKsO9nqmQmi1cRiDHpY0kMSRLK8CFhdzX2pJh3gH5jgZPM3VS36AclLjLIIBvW2ln68qi5izMrcqIy5gWUqDxlrt5t7L5lSoppierATcxKHab9a0005FyYJl0kor9Z4TQouhr/bwZ2GBw4J88OiVwWrXWrjpqLIzbtJHiHsKkZ8Azh4FxR3xYlvFSdoJ3xHy4si2pQsCZ5KzGJislkNY/j/rKc2j2HX2aJXcJvJc0RvPqQT9yzKs3chJeSdujXaldK5FS/DBIkV0RMQ2nCzIpR+3pbxx+aMTmKx/YkvvhhEPi7xg5oXhOQ407LJCswHyjjj9Jx9274ocuaDNmdVAJyoMceL05awS5z/wLi8AyQ=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><xenc:EncryptedKey xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"_c9034e8a48ac43dcbfcdef4ce0aec000\" Recipient=\"urn:etoegang:MR:0000000123456780000:entities:1234\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/></xenc:EncryptionMethod><ds:KeyInfo><ds:KeyName>43005cb6118b950cbc6664945cec888debc594a0</ds:KeyName></ds:KeyInfo><xenc:CipherData><xenc:CipherValue> MGn0l8bj2mZJIFY/HfXZs69JLOdmwqnogieizFdOtSFdnYYflcWZ8KIIm48/DkdXeYlmEPjWHNlwPWnTnN5HeZiUL8Oe3K/T+PTHxq1IFFY5sVDWcE6CgUR4RWZgvsX2Sru841gb1in7HEeOkyIV/hzojiqlbs/MCbD5z+yX5Z8Vo4gbsFVHOiZDOgmpWDUXsPonYn3EIPz8oOslrqgln6cuwCCFXEhRpT3vqMsey+V95EcJmLu9KMXYzdfvikm4cmzlDe9iLk15aeQza2xN+G1y3adov3TsrfbL2NBsK6CJ8U5h0M1QPicvgmFQFFKIdL6y/u9FuGGoq+Gn6P4VXg==</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI=\"#_eafaac3107634baeb7a41b4131c440e5\"/></xenc:ReferenceList></xenc:EncryptedKey></saml:EncryptedID>";
-    public static final String ATTRIBUTE_VALUE_XACML_RESOURCE = "Value";
-
-    UserAttributeValueMapper mapper;
-
-    @BeforeEach
-    public void setUp() {
-        this.mapper = new UserAttributeValueMapper();
-    }
-
-    @Test
-    void preprocessFederatedIdentity_XmlElementAsBase64() {
-
-        RealmModel realm = mock(RealmModel.class);
-
-        KeycloakSession session = mock(KeycloakSession.class);
-
-        IdentityProviderMapperModel mapperModel = mock(IdentityProviderMapperModel.class);
-        Map<String, String> config = getConfig();
-        when(mapperModel.getConfig()).thenReturn(config);
-
-        BrokeredIdentityContext brokeredIdentityContext = mock(BrokeredIdentityContext.class);
-        Map<String, Object> context = getContext();
-        when(brokeredIdentityContext.getContextData()).thenReturn(context);
-
-        mapper.preprocessFederatedIdentity(session, realm, mapperModel, brokeredIdentityContext);
-    }
-
-    @Test
-    void read_attribute_from_attributeStatement() {
-        IdentityProviderMapperModel mapperModel = mock(IdentityProviderMapperModel.class);
-        Map<String, String> config = getConfig();
-        config.put("attribute.xacml-context", "false");
-        when(mapperModel.getConfig()).thenReturn(config);
-        BrokeredIdentityContext brokeredIdentityContext = mock(BrokeredIdentityContext.class);
-        Map<String, Object> context = getContext();
-        when(brokeredIdentityContext.getContextData()).thenReturn(context);
-
-        mapper.preprocessFederatedIdentity(null, null, mapperModel, brokeredIdentityContext);
-        verify(brokeredIdentityContext, times(1)).setUserAttribute(USER_ATTRIBUTE_NAME, List.of(ATTRIBUTE_VALUE_ATTRIBUTE_STATEMENT));
-    }
-
-    @Test
-    void read_attribute_from_xacmlRescource() {
-        IdentityProviderMapperModel mapperModel = mock(IdentityProviderMapperModel.class);
-        Map<String, String> config = getConfig();
-        config.put("attribute.xacml-context", "true");
-        when(mapperModel.getConfig()).thenReturn(config);
-        BrokeredIdentityContext brokeredIdentityContext = mock(BrokeredIdentityContext.class);
-        Map<String, Object> context = getContext();
-        when(brokeredIdentityContext.getContextData()).thenReturn(context);
-
-        mapper.preprocessFederatedIdentity(null, null, mapperModel, brokeredIdentityContext);
-        verify(brokeredIdentityContext, times(1)).setUserAttribute(USER_ATTRIBUTE_NAME, List.of(ATTRIBUTE_VALUE_XACML_RESOURCE));
-    }
-
-    private Map<String, Object> getContext() {
-
-        List<Object> attributeValues = new ArrayList<>();
-        attributeValues.add(ATTRIBUTE_VALUE_ATTRIBUTE_STATEMENT);
-
-        List<Object> attributeValuesXacml = new ArrayList<>();
-        attributeValuesXacml.add(ATTRIBUTE_VALUE_XACML_RESOURCE);
-
-        AttributeType attributeType = mock(AttributeType.class);
-        when(attributeType.getName()).thenReturn(ATTRIBUTE_NAME);
-        when(attributeType.getAttributeValue()).thenReturn(attributeValues);
-
-        AttributeType attributeTypeXacmlResource = mock(AttributeType.class);
-        when(attributeTypeXacmlResource.getName()).thenReturn(ATTRIBUTE_NAME);
-        when(attributeTypeXacmlResource.getAttributeValue()).thenReturn(attributeValuesXacml);
-
-        AttributeStatementType.ASTChoiceType astChoiceType = mock(AttributeStatementType.ASTChoiceType.class);
-        when(astChoiceType.getAttribute()).thenReturn(attributeType);
-
-        List<AttributeStatementType.ASTChoiceType> astChoiceTypes = new ArrayList<>();
-        astChoiceTypes.add(astChoiceType);
-
-        AttributeStatementType attributeStatement = mock(AttributeStatementType.class);
-        when(attributeStatement.getAttributes()).thenReturn(astChoiceTypes);
-
-        Set<AttributeStatementType> attributeStatements = new HashSet<>();
-        attributeStatements.add(attributeStatement);
-
-        XacmlResourceType xacmlResource = mock(XacmlResourceType.class);
-        when(xacmlResource.getAttributes()).thenReturn(Set.of(attributeTypeXacmlResource));
-
-        Set<XacmlResourceType> xacmlResources = new HashSet<>();
-        xacmlResources.add(xacmlResource);
-
-        AssertionType assertionType = mock(AssertionType.class);
-        when(assertionType.getID()).thenReturn("assertionTypeID");
-        when(assertionType.getIssueInstant()).thenReturn(XMLTimeUtil.getIssueInstant());
-        NameIDType nameIDType = new NameIDType();
-        nameIDType.setValue("nameIdValue");
-        nameIDType.setFormat(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.getUri());
-        when(assertionType.getIssuer()).thenReturn(nameIDType);
-        when(assertionType.getSignature()).thenReturn(null);
-        when(assertionType.getConditions()).thenReturn(null);
-        when(assertionType.getSubject()).thenReturn(null);
-        when(assertionType.getAdvice()).thenReturn(null);
-        when(assertionType.getAttributeStatements()).thenReturn(attributeStatements);
-        when(assertionType.getXacmlResources()).thenReturn(xacmlResources);
-
-        Map<String, Object> context = new HashMap<>();
-        context.put("SAML_ASSERTION", assertionType);
-
-        return context;
-    }
-
-    private Map<String, String> getConfig() {
-        Map<String, String> config = new HashMap<>();
-        config.put("user.attribute", USER_ATTRIBUTE_NAME);
-        config.put("attribute.name", ATTRIBUTE_NAME);
-        config.put("attribute.decrypt", "false");
-        config.put("attribute.xml.element", "true");
-
-        return config;
-    }
-}
\ No newline at end of file
diff --git a/src/test/java/nl/first8/keycloak/saml/SPMetadataDescriptorBuilderTest.java b/src/test/java/nl/first8/keycloak/saml/SPMetadataDescriptorBuilderTest.java
index 2963298..854a236 100644
--- a/src/test/java/nl/first8/keycloak/saml/SPMetadataDescriptorBuilderTest.java
+++ b/src/test/java/nl/first8/keycloak/saml/SPMetadataDescriptorBuilderTest.java
@@ -2,15 +2,12 @@
 
 import nl.first8.keycloak.dom.saml.v2.metadata.EntityDescriptorType;
 import nl.first8.keycloak.dom.saml.v2.metadata.SPSSODescriptorType;
-import org.jboss.logging.Logger;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.keycloak.dom.saml.v2.metadata.EndpointType;
 import org.keycloak.dom.saml.v2.metadata.IndexedEndpointType;
 import org.keycloak.dom.saml.v2.metadata.KeyDescriptorType;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
-import org.mockito.Mock;
-import org.mockito.MockitoAnnotations;
 
 
 import javax.xml.datatype.XMLGregorianCalendar;
@@ -18,39 +15,31 @@
 import java.util.*;
 
 import static org.junit.jupiter.api.Assertions.*;
-import static org.mockito.Mockito.*;
 
 class SPMetadataDescriptorBuilderTest {
 
     private SPMetadataDescriptorBuilder builder;
 
-    @Mock
-    private Logger logger; // Mock logger
-
     @BeforeEach
     void setUp() {
-        MockitoAnnotations.openMocks(this);
         builder = new SPMetadataDescriptorBuilder();
 
-        SPMetadataDescriptorBuilder.logger = logger;
-
-        // Configure builder with valid values
         builder.entityId("test-entity")
-                .loginBinding(URI.create("https://example.com/login"))
-                .logoutBinding(URI.create("https://example.com/logout"))
-                .artifactResolutionBinding(URI.create("https://example.com/artifact"))
-                .assertionEndpoints(List.of(URI.create("https://example.com/assert")))
-                .artifactResolutionEndpoint(URI.create("https://example.com/artifact-resolution"))
-                .logoutEndpoints(List.of(URI.create("https://example.com/logout")))
-                .wantAuthnRequestsSigned(true)
-                .wantAssertionsSigned(true)
-                .wantAssertionsEncrypted(true)
-                .nameIDPolicyFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
-                .signingCerts(List.of(new KeyDescriptorType()))
-                .encryptionCerts(List.of(new KeyDescriptorType()))
-                .metadataValidUntilUnit(Calendar.DAY_OF_MONTH)
-                .metadataValidUntilPeriod(7)
-                .defaultAssertionEndpoint(1);
+            .loginBinding(URI.create("https://example.com/login"))
+            .logoutBinding(URI.create("https://example.com/logout"))
+            .artifactResolutionBinding(URI.create("https://example.com/artifact"))
+            .assertionEndpoints(List.of(URI.create("https://example.com/assert")))
+            .artifactResolutionEndpoint(URI.create("https://example.com/artifact-resolution"))
+            .logoutEndpoints(List.of(URI.create("https://example.com/logout")))
+            .wantAuthnRequestsSigned(true)
+            .wantAssertionsSigned(true)
+            .wantAssertionsEncrypted(true)
+            .nameIDPolicyFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
+            .signingCerts(List.of(new KeyDescriptorType()))
+            .encryptionCerts(List.of(new KeyDescriptorType()))
+            .metadataValidUntilUnit(Calendar.DAY_OF_MONTH)
+            .metadataValidUntilPeriod(7)
+            .defaultAssertionEndpoint(1);
     }
 
     @Test
@@ -60,16 +49,8 @@ void testBuild_ValidEntityDescriptor() {
         assertNotNull(entityDescriptor);
         assertEquals("test-entity", entityDescriptor.getEntityID());
         assertNotNull(entityDescriptor.getID());
-
-        // Validate 'validUntil' field
-        XMLGregorianCalendar validUntil = entityDescriptor.getValidUntil();
-        assertNotNull(validUntil);
-
-        // Ensure at least one choice type exists
+        assertNotNull(entityDescriptor.getValidUntil());
         assertFalse(entityDescriptor.getChoiceType().isEmpty());
-
-        // Verify logging behavior
-        verify(logger).info("Building SP Entity Descriptor");
     }
 
     @Test
@@ -78,18 +59,17 @@ void shouldSetSigningCerts() {
         List<KeyDescriptorType> signingCerts = Collections.singletonList(keyDescriptor);
 
         EntityDescriptorType entityDescriptor = builder
-                .signingCerts(signingCerts)
-                .wantAuthnRequestsSigned(true)
-                .entityId("https://test-sp.example.com")
-                .build();
+            .signingCerts(signingCerts)
+            .wantAuthnRequestsSigned(true)
+            .entityId("https://test-sp.example.com")
+            .build();
 
         assertNotNull(entityDescriptor);
         assertFalse(entityDescriptor.getChoiceType().isEmpty());
 
-        // Extract the SPSSODescriptor and check if the signing key is added
         SPSSODescriptorType spSSODescriptor = entityDescriptor.getChoiceType().get(0)
-                .getDescriptors().get(0)
-                .getSpDescriptor();
+            .getDescriptors().get(0)
+            .getSpDescriptor();
 
         assertNotNull(spSSODescriptor);
         assertTrue(spSSODescriptor.getKeyDescriptor().contains(keyDescriptor));
@@ -98,20 +78,20 @@ void shouldSetSigningCerts() {
     @Test
     void shouldSetLogoutEndpoints() throws Exception {
         List<URI> logoutEndpoints = List.of(
-                new URI("https://test-sp.example.com/logout1"),
-                new URI("https://test-sp.example.com/logout2")
+            new URI("https://test-sp.example.com/logout1"),
+            new URI("https://test-sp.example.com/logout2")
         );
 
         URI logoutBinding = new URI("https://test-sp.example.com/logout-binding");
 
         EntityDescriptorType entityDescriptor = builder
-                .logoutEndpoints(logoutEndpoints)
-                .logoutBinding(logoutBinding)
-                .entityId("https://test-sp.example.com")
-                .build();
+            .logoutEndpoints(logoutEndpoints)
+            .logoutBinding(logoutBinding)
+            .entityId("https://test-sp.example.com")
+            .build();
 
         SPSSODescriptorType spSSODescriptor = entityDescriptor.getChoiceType().get(0)
-                .getDescriptors().get(0).getSpDescriptor();
+            .getDescriptors().get(0).getSpDescriptor();
 
         assertEquals(logoutEndpoints.size(), spSSODescriptor.getSingleLogoutService().size());
 
@@ -128,14 +108,14 @@ void shouldSetArtifactResolutionService() throws Exception {
         URI artifactResolutionBinding = new URI("https://test-sp.example.com/artifact-binding");
 
         EntityDescriptorType entityDescriptor = builder
-                .artifactResolutionEndpoint(artifactResolutionEndpoint)
-                .artifactResolutionBinding(artifactResolutionBinding)
-                .entityId("https://test-sp.example.com")
-                .build();
+            .artifactResolutionEndpoint(artifactResolutionEndpoint)
+            .artifactResolutionBinding(artifactResolutionBinding)
+            .entityId("https://test-sp.example.com")
+            .build();
 
         SPSSODescriptorType spSSODescriptor = entityDescriptor.getChoiceType().get(0)
-                .getDescriptors().get(0)
-                .getSpDescriptor();
+            .getDescriptors().get(0)
+            .getSpDescriptor();
 
         assertEquals(1, spSSODescriptor.getArtifactResolutionService().size());
 
@@ -148,23 +128,23 @@ void shouldSetArtifactResolutionService() throws Exception {
     @Test
     void shouldSetAssertionConsumerServicesCorrectly() throws Exception {
         List<URI> assertionEndpoints = List.of(
-                new URI("https://test-sp.example.com/assertion1"),
-                new URI("https://test-sp.example.com/assertion2")
+            new URI("https://test-sp.example.com/assertion1"),
+            new URI("https://test-sp.example.com/assertion2")
         );
 
         URI loginBinding = new URI("https://test-sp.example.com/login-binding");
         int defaultAssertionIndex = 2;
 
         EntityDescriptorType entityDescriptor = builder
-                .assertionEndpoints(assertionEndpoints)
-                .defaultAssertionEndpoint(defaultAssertionIndex)
-                .loginBinding(loginBinding)
-                .entityId("https://test-sp.example.com")
-                .build();
+            .assertionEndpoints(assertionEndpoints)
+            .defaultAssertionEndpoint(defaultAssertionIndex)
+            .loginBinding(loginBinding)
+            .entityId("https://test-sp.example.com")
+            .build();
 
         SPSSODescriptorType spSSODescriptor = entityDescriptor.getChoiceType().get(0)
-                .getDescriptors().get(0)
-                .getSpDescriptor();
+            .getDescriptors().get(0)
+            .getSpDescriptor();
 
         int expectedServices = assertionEndpoints.size() * 2; // Each assertion endpoint gets two bindings
         assertEquals(expectedServices, spSSODescriptor.getAssertionConsumerService().size());
@@ -193,10 +173,10 @@ void shouldSetMetadataValidUntil() {
         int metadataValidUntilPeriod = Calendar.YEAR;
 
         EntityDescriptorType entityDescriptor = builder
-                .metadataValidUntilUnit(metadataValidUntilUnit)
-                .metadataValidUntilPeriod(metadataValidUntilPeriod)
-                .entityId("https://test-sp.example.com")
-                .build();
+            .metadataValidUntilUnit(metadataValidUntilUnit)
+            .metadataValidUntilPeriod(metadataValidUntilPeriod)
+            .entityId("https://test-sp.example.com")
+            .build();
 
         XMLGregorianCalendar validUntil = entityDescriptor.getValidUntil();
         assertNotNull(validUntil);
@@ -210,5 +190,3 @@ void shouldSetMetadataValidUntil() {
         assertEquals(expectedCalendar.get(Calendar.DAY_OF_MONTH), actualCalendar.get(Calendar.DAY_OF_MONTH));
     }
 }
-
-
diff --git a/src/test/java/nl/first8/keycloak/saml/processing/SAML2ArtifactResolutionBuilderTest.java b/src/test/java/nl/first8/keycloak/saml/processing/SAML2ArtifactResolutionBuilderTest.java
index edc0ff3..970284a 100644
--- a/src/test/java/nl/first8/keycloak/saml/processing/SAML2ArtifactResolutionBuilderTest.java
+++ b/src/test/java/nl/first8/keycloak/saml/processing/SAML2ArtifactResolutionBuilderTest.java
@@ -19,20 +19,16 @@ void setUp() {
 
     @Test
     void testToDocument_ValidInput_ShouldGenerateDocument() {
-        // Arrange
         String testArtifact = "testArtifact123";
         String testIssuer = "testIssuer";
 
         builder.artifact(testArtifact).issuer(testIssuer);
 
-        // Act
         Document document = builder.toDocument();
 
-        // Assert
         assertNotNull(document, "Generated Document should not be null");
         String xmlString = DocumentUtil.asString(document);
         assertTrue(xmlString.contains(testArtifact), "Artifact should be present in the XML");
         assertTrue(xmlString.contains(testIssuer), "Issuer should be present in the XML");
     }
 }
-
diff --git a/src/test/java/nl/first8/saml/util/SAMLUtil.java b/src/test/java/nl/first8/saml/util/SAMLUtil.java
new file mode 100644
index 0000000..275cf05
--- /dev/null
+++ b/src/test/java/nl/first8/saml/util/SAMLUtil.java
@@ -0,0 +1,467 @@
+package nl.first8.saml.util;
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Base64;
+import java.util.Date;
+import java.util.UUID;
+import net.shibboleth.utilities.java.support.xml.SerializeSupport;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.opensaml.core.config.InitializationException;
+import org.opensaml.core.config.InitializationService;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.core.xml.io.Marshaller;
+import org.opensaml.core.xml.io.MarshallingException;
+import org.opensaml.saml.common.SAMLObject;
+import org.opensaml.saml.common.SignableSAMLObject;
+import org.opensaml.saml.saml2.core.ArtifactResponse;
+import org.opensaml.saml.saml2.core.Assertion;
+import org.opensaml.saml.saml2.core.Attribute;
+import org.opensaml.saml.saml2.core.AttributeStatement;
+import org.opensaml.saml.saml2.core.AttributeValue;
+import org.opensaml.saml.saml2.core.Audience;
+import org.opensaml.saml.saml2.core.AudienceRestriction;
+import org.opensaml.saml.saml2.core.AuthnContext;
+import org.opensaml.saml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml.saml2.core.AuthnStatement;
+import org.opensaml.saml.saml2.core.Conditions;
+import org.opensaml.saml.saml2.core.EncryptedAttribute;
+import org.opensaml.saml.saml2.core.Issuer;
+import org.opensaml.saml.saml2.core.NameID;
+import org.opensaml.saml.saml2.core.Response;
+import org.opensaml.saml.saml2.core.Status;
+import org.opensaml.saml.saml2.core.StatusCode;
+import org.opensaml.saml.saml2.core.Subject;
+import org.opensaml.saml.saml2.core.impl.ArtifactResponseBuilder;
+import org.opensaml.saml.saml2.core.impl.AssertionBuilder;
+import org.opensaml.saml.saml2.core.impl.AttributeBuilder;
+import org.opensaml.saml.saml2.core.impl.AttributeStatementBuilder;
+import org.opensaml.saml.saml2.core.impl.AttributeValueBuilder;
+import org.opensaml.saml.saml2.core.impl.AudienceBuilder;
+import org.opensaml.saml.saml2.core.impl.AudienceRestrictionBuilder;
+import org.opensaml.saml.saml2.core.impl.AuthnContextBuilder;
+import org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder;
+import org.opensaml.saml.saml2.core.impl.AuthnStatementBuilder;
+import org.opensaml.saml.saml2.core.impl.ConditionsBuilder;
+import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
+import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
+import org.opensaml.saml.saml2.core.impl.ResponseBuilder;
+import org.opensaml.saml.saml2.core.impl.StatusBuilder;
+import org.opensaml.saml.saml2.core.impl.StatusCodeBuilder;
+import org.opensaml.saml.saml2.core.impl.SubjectBuilder;
+import org.opensaml.saml.saml2.encryption.Encrypter;
+import org.opensaml.security.credential.BasicCredential;
+import org.opensaml.security.credential.Credential;
+import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
+import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
+import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
+import org.opensaml.xmlsec.encryption.support.EncryptionException;
+import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
+import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
+import org.opensaml.xmlsec.keyinfo.NamedKeyInfoGeneratorManager;
+import org.opensaml.xmlsec.signature.Signature;
+import org.opensaml.xmlsec.signature.impl.SignatureBuilder;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
+import org.opensaml.xmlsec.signature.support.SignatureException;
+import org.opensaml.xmlsec.signature.support.Signer;
+import org.w3c.dom.Element;
+
+public class SAMLUtil {
+
+    /**
+     * Shared RSA key pair for all test signing and encryption. Static so every test method
+     * sees the same public key - the config stubs and the SAML builders must agree on it.
+     */
+    public static final KeyPair TEST_KEY_PAIR;
+
+    // OpenSAML's XML provider registry must be bootstrapped before any builder or marshaller
+    // lookup. TEST_KEY_PAIR is generated once here to avoid repeated RSA keygen across tests
+    // and to keep the public key material stable for the config stubs that reference it.
+    static {
+        try {
+            InitializationService.initialize();
+        } catch (InitializationException e) {
+            throw new ExceptionInInitializerError(e);
+        }
+        KeyPair kp;
+        try {
+            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+            kpg.initialize(2048);
+            kp = kpg.generateKeyPair();
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException("Failed to generate test RSA key pair", e);
+        }
+        TEST_KEY_PAIR = kp;
+    }
+
+    /**
+     * Builds the ArtifactResponse object graph. Delegates to createResponse() for the inner
+     * Response so signature and conditions are consistent between the two levels.
+     */
+    public static ArtifactResponse createArtifactResponse() throws SignatureException, MarshallingException, EncryptionException {
+        return createArtifactResponse(createResponse());
+    }
+
+    private static ArtifactResponse createArtifactResponse(Response response) throws SignatureException, MarshallingException {
+        return createArtifactResponse(response, createBasicCredential());
+    }
+
+    private static ArtifactResponse createArtifactResponse(Response response, Credential credential) throws SignatureException, MarshallingException {
+        Signature signature = createSignature(credential);
+        ArtifactResponse artifactResponse = new ArtifactResponseBuilder().buildObject();
+        artifactResponse.setSchemaLocation("http://www.w3.org/2001/XMLSchema");
+        artifactResponse.setID("_" + UUID.randomUUID());
+        artifactResponse.setIssueInstant(Instant.now());
+        artifactResponse.setInResponseTo("ID_" + UUID.randomUUID());
+        artifactResponse.setIssuer(createIssuer());
+        artifactResponse.setStatus(createStatus());
+        artifactResponse.setMessage(response);
+        artifactResponse.setSignature(signature);
+        marshall(artifactResponse, signature);
+        return artifactResponse;
+    }
+
+    /**
+     * Happy-path fixture: a fully signed ArtifactResponse wrapping a valid Response.
+     * Returned by the resolveArtifact stub in testHandleSamlResponse.
+     */
+    public static String createArtifactResponseAsString() throws MarshallingException, SignatureException, EncryptionException {
+        ArtifactResponse artifactResponse = createArtifactResponse();
+
+        return prettyPrint(artifactResponse.getDOM());
+    }
+
+
+    /**
+     * Builds a valid assertion with eHerkenning-style attributes. One attribute (ActingSubjectID)
+     * is encrypted in the fixture builder - SAMLEndpoint passes it through raw, decryption is
+     * UserEncryptedAttributeMapper's job, not tested here.
+     */
+    private static Assertion createAssertion() throws MarshallingException, SignatureException, EncryptionException {
+        return createAssertion(createConditions(), createSignature());
+    }
+
+    /**
+     * Signs the assertion with the given credential instead of TEST_KEY_PAIR - used when
+     * building a response signed with a wrong key so the full chain uses the same bad key.
+     */
+    private static Assertion createAssertion(Credential credential) throws MarshallingException, SignatureException, EncryptionException {
+        return createAssertion(createConditions(), createSignature(credential));
+    }
+
+    private static Assertion createAssertion(Conditions conditions) throws MarshallingException, SignatureException, EncryptionException {
+        return createAssertion(conditions, createSignature());
+    }
+
+    private static Assertion createAssertion(Conditions conditions, Signature signature) throws MarshallingException, SignatureException, EncryptionException {
+        Assertion assertion = new AssertionBuilder().buildObject();
+        assertion.setID("_" + UUID.randomUUID());
+        assertion.setIssueInstant(Instant.now());
+        assertion.setIssuer(createIssuer());
+        assertion.setSubject(createSubject());
+        assertion.setConditions(conditions);
+        assertion.getAuthnStatements().add(createAuthnStatement());
+        assertion.getAttributeStatements().add(createAttributeStatements());
+        assertion.setSignature(signature);
+        marshall(assertion, signature);
+        return assertion;
+    }
+
+    /**
+     * eHerkenning attribute set: ServiceID and ServiceUUID are plaintext; ActingSubjectID is
+     * encrypted (AES-128 / RSA-OAEP) here in the fixture builder. SAMLEndpoint passes it
+     * through raw - decryption is UserEncryptedAttributeMapper's job, not tested here.
+     */
+    private static AttributeStatement createAttributeStatements() throws EncryptionException {
+        AttributeStatement attributeStatement = new AttributeStatementBuilder().buildObject();
+        attributeStatement.getAttributes().add(createAttribute("urn:etoegang:core:ServiceID", "urn:etoegang:DV:00000001812483297000:services:1"));
+        attributeStatement.getAttributes().add(createAttribute("urn:etoegang:core:ServiceUUID", "95df68ac-301c-40e7-a14b-0fb495e004a4"));
+        attributeStatement.getEncryptedAttributes().add(createEncryptedAttribute("urn:etoegang:core:ActingSubjectID", "173599916"));
+        return attributeStatement;
+    }
+
+    private static EncryptedAttribute createEncryptedAttribute(String name, String value) throws EncryptionException {
+        Attribute attribute = createAttribute(name, value);
+        return getEncrypter().encrypt(attribute);
+    }
+
+    /**
+     * Configures AES-128 data encryption with RSA-OAEP key transport against TEST_KEY_PAIR.
+     * PEER placement embeds the encrypted key inside EncryptedData, which is what SAMLEndpoint
+     * expects when decrypting attributes.
+     */
+    private static Encrypter getEncrypter() {
+        Credential credential = createBasicCredential();
+
+        DataEncryptionParameters encParams = new DataEncryptionParameters();
+        encParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);
+
+        NamedKeyInfoGeneratorManager manager = DefaultSecurityConfigurationBootstrap
+            .buildBasicKeyInfoGeneratorManager();
+
+        KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
+        kekParams.setEncryptionCredential(credential);
+        kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
+        KeyInfoGenerator keyInfoGenerator = manager.getDefaultManager().getFactory(credential).newInstance();
+        kekParams.setKeyInfoGenerator(keyInfoGenerator);
+
+        Encrypter samlEncrypter = new Encrypter(encParams, kekParams);
+        samlEncrypter.setKeyPlacement(Encrypter.KeyPlacement.PEER);
+        return samlEncrypter;
+    }
+
+    private static Attribute createAttribute(String name, String value) {
+        Attribute attribute = new AttributeBuilder().buildObject();
+        attribute.setName(name);
+        attribute.setSchemaLocation("http://www.w3.org/2001/XMLSchema-instance");
+        attribute.getAttributeValues().add(createAttributeValue(value));
+        return attribute;
+    }
+
+    private static AttributeValue createAttributeValue(String text) {
+        AttributeValue attributeValue = new AttributeValueBuilder().buildObject();
+        attributeValue.setTextContent(text);
+        return attributeValue;
+    }
+
+    private static AuthnStatement createAuthnStatement() {
+        AuthnStatement authnStatement = new AuthnStatementBuilder().buildObject();
+        authnStatement.setAuthnInstant(Instant.now());
+        authnStatement.setAuthnContext(createAuthnContext());
+        return authnStatement;
+    }
+
+    private static AuthnContext createAuthnContext() {
+        AuthnContext authnContext = new AuthnContextBuilder().buildObject();
+        authnContext.setAuthnContextClassRef(createAuthnContextClassRef());
+        return authnContext;
+    }
+
+    private static AuthnContextClassRef createAuthnContextClassRef() {
+        AuthnContextClassRef authnContextClassRef = new AuthnContextClassRefBuilder().buildObject();
+        authnContextClassRef.setValue("urn:etoegang:core:assurance-class:loa3");
+        return authnContextClassRef;
+    }
+
+    /**
+     * Valid time window: -1 min to +5 min, with an audience restriction pointing at the
+     * test ACS URL. The 15-second clock skew configured in getMockConfig() has no effect here.
+     */
+    private static Conditions createConditions() {
+        Conditions conditions = new ConditionsBuilder().buildObject();
+        Instant now = Instant.now();
+        conditions.setNotBefore(now.minus(1, ChronoUnit.MINUTES));
+        conditions.setNotOnOrAfter(now.plus(5, ChronoUnit.MINUTES));
+        conditions.getAudienceRestrictions().add(createAudienceRestriction());
+        return conditions;
+    }
+
+    /**
+     * Expired time window: -10 min to -5 min. ConditionsValidator will reject any assertion
+     * carrying these conditions, even within the allowed clock skew.
+     */
+    private static Conditions createConditionsExpired() {
+        Conditions conditions = new ConditionsBuilder().buildObject();
+        Instant now = Instant.now();
+        conditions.setNotBefore(now.minus(10, ChronoUnit.MINUTES));
+        conditions.setNotOnOrAfter(now.minus(5, ChronoUnit.MINUTES));
+        conditions.getAudienceRestrictions().add(createAudienceRestriction());
+        return conditions;
+    }
+
+    /**
+     * Like createAssertion() but uses an expired Conditions window - used to build the
+     * fixture returned by createArtifactResponseWithExpiredAssertionAsString().
+     */
+    private static Assertion createAssertionExpired() throws MarshallingException, SignatureException, EncryptionException {
+        return createAssertion(createConditionsExpired());
+    }
+
+    /**
+     * Fixture for the expired-assertion test. The inner assertion's Conditions window is
+     * entirely in the past (NotOnOrAfter = now - 5 min) so ConditionsValidator rejects it.
+     */
+    public static String createArtifactResponseWithExpiredAssertionAsString() throws MarshallingException, SignatureException, EncryptionException {
+        return prettyPrint(createArtifactResponse(createResponse(createAssertionExpired())).getDOM());
+    }
+
+    private static AudienceRestriction createAudienceRestriction() {
+        AudienceRestriction audienceRestriction = new AudienceRestrictionBuilder().buildObject();
+        audienceRestriction.getAudiences().add(createAudience());
+        return audienceRestriction;
+    }
+
+    /**
+     * Audience URI must match the base URI returned by getMockKeycloakSession() (https://auth.testhost.lcl)
+     * so ConditionsValidator's audience restriction check passes in the happy-path test.
+     */
+    private static Audience createAudience() {
+        Audience audience = new AudienceBuilder().buildObject();
+        audience.setValue("https://auth.testhost.lcl/realms/test-realm/broker/saml-extended/endpoint");
+        return audience;
+    }
+
+    private static Subject createSubject() {
+        Subject subject = new SubjectBuilder().buildObject();
+        subject.setNameID(createNameId());
+        return subject;
+    }
+
+    /**
+     * The NameID value "9170bd..." is the subject identity extracted by SAMLEndpoint and
+     * asserted on in testHandleSamlResponse (identity.getId() and identity.getBrokerUserId()).
+     */
+    private static NameID createNameId() {
+        NameID nameID = new NameIDBuilder().buildObject();
+        nameID.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
+        nameID.setNameQualifier("urn:etoegang:MR:00000003271247010000:entities:9113");
+        nameID.setValue("9170bd139d9b5e364290187482329e89bcb431ea");
+        return nameID;
+    }
+
+    /**
+     * Wraps TEST_KEY_PAIR as an OpenSAML BasicCredential for use in signing and encryption.
+     */
+    private static Credential createBasicCredential() {
+        return new BasicCredential(TEST_KEY_PAIR.getPublic(), TEST_KEY_PAIR.getPrivate());
+    }
+
+    public static String createResponseAsString() throws SignatureException, MarshallingException, EncryptionException {
+        Response response = createResponse();
+        return prettyPrint(response.getDOM());
+    }
+
+    public static Response createResponse() throws SignatureException, MarshallingException, EncryptionException {
+        return createResponse(createAssertion());
+    }
+
+    private static Response createResponse(Assertion assertion) throws SignatureException, MarshallingException {
+        return createResponse(assertion, createBasicCredential());
+    }
+
+    private static Response createResponse(Assertion assertion, Credential credential) throws SignatureException, MarshallingException {
+        Response response = new ResponseBuilder().buildObject();
+        response.setDestination("https://auth.testhost.lcl/realms/test-realm/broker/saml-extended/endpoint");
+        response.setID("_" + UUID.randomUUID());
+        response.setInResponseTo("ID_" + UUID.randomUUID());
+        response.setIssueInstant(Instant.now());
+        response.setIssuer(createIssuer());
+        response.setStatus(createStatus());
+        response.getAssertions().add(assertion);
+        Signature signature = createSignature(credential);
+        response.setSignature(signature);
+        marshall(response, signature);
+        return response;
+    }
+
+    private static Issuer createIssuer() {
+        Issuer issuer = new IssuerBuilder().buildObject();
+        issuer.setNoNamespaceSchemaLocation("urn:oasis:names:tc:SAML:2.0:assertion");
+        issuer.setValue("urn:etoegang:HM:00000003271247010000:entities:9113");
+
+        return issuer;
+    }
+
+    public static Signature createSignature() {
+        return createSignature(createBasicCredential());
+    }
+
+    /**
+     * Core signature factory: RSA-SHA256 with exclusive C14N. Algorithm choices must match
+     * what Keycloak's signature validator accepts.
+     */
+    private static Signature createSignature(Credential credential) {
+        Signature signature = new SignatureBuilder().buildObject();
+        signature.setSigningCredential(credential);
+        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+        return signature;
+    }
+
+    /**
+     * Fixture for the wrong-signature test. Generates a fresh key pair that is
+     * NOT TEST_KEY_PAIR, then signs the entire response tree with it.
+     *
+     * The config stub supplies TEST_KEY_PAIR's public cert as the trusted key,
+     * so signature validation must fail.
+     */
+    public static String createArtifactResponseSignedWithWrongKeyAsString() throws MarshallingException, SignatureException, EncryptionException {
+        KeyPair wrongKeyPair;
+        try {
+            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+            kpg.initialize(2048);
+            wrongKeyPair = kpg.generateKeyPair();
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException(e); // RSA is always available
+        }
+        Credential wrongCredential = new BasicCredential(wrongKeyPair.getPublic(), wrongKeyPair.getPrivate());
+        Assertion assertion = createAssertion(wrongCredential);
+
+        Response response = createResponse(assertion, wrongCredential);
+        ArtifactResponse artifactResponse = createArtifactResponse(response, wrongCredential);
+        return prettyPrint(artifactResponse.getDOM());
+    }
+
+    /**
+     * Wraps TEST_KEY_PAIR.getPublic() in a self-signed X.509 cert and returns it Base64-
+     * encoded. Used by getMockConfigWithSignatureValidation() as the trusted signing cert,
+     * so signature validation succeeds for TEST_KEY_PAIR-signed responses and fails for others.
+     */
+    public static String getCorrectPublicKeyCertificateAsBase64() throws OperatorCreationException, CertificateException {
+        X500Name subject = new X500Name("CN=test");
+        Date notBefore = new Date(System.currentTimeMillis() - 86_400_000L);
+        Date notAfter = new Date(System.currentTimeMillis() + 86_400_000L * 365);
+
+        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+            subject, BigInteger.ONE, notBefore, notAfter, subject, TEST_KEY_PAIR.getPublic());
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(TEST_KEY_PAIR.getPrivate());
+        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(builder.build(signer));
+
+        return Base64.getEncoder().encodeToString(cert.getEncoded());
+    }
+
+    private static Status createStatus() {
+        Status status = new StatusBuilder().buildObject();
+        status.setStatusCode(createStatusCode());
+
+        return status;
+    }
+
+    private static StatusCode createStatusCode() {
+        StatusCode statusCode = new StatusCodeBuilder().buildObject();
+        statusCode.setValue("urn:oasis:names:tc:SAML:2.0:status:Success");
+
+        return statusCode;
+    }
+
+    private static String prettyPrint(Element element) throws MarshallingException, SignatureException {
+        return SerializeSupport.prettyPrintXML(element);
+    }
+
+    /**
+     * Marshals the object to DOM first, then signs. The two steps must stay in this order:
+     * OpenSAML computes the signature over the canonical XML, which only exists after marshalling.
+     */
+    private static Element marshall(SAMLObject object, Signature signature) throws MarshallingException, SignatureException {
+        Marshaller out = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(object);
+        out.marshall(object);
+        Element element = object.getDOM();
+
+        if (object instanceof SignableSAMLObject) {
+            Signer.signObject(signature);
+        }
+        return element;
+    }
+
+}

From 540f898c09c05fe7b95d35b7250116840418494e Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Fri, 22 May 2026 15:42:05 +0200
Subject: [PATCH 11/16] Minor frontend config fix

---
 .../resources/saml-extended-frontend/js/InfoUpdaterAdd.js    | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js b/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js
index 7506dac..5c8ae62 100644
--- a/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js
+++ b/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js
@@ -306,13 +306,14 @@ if (storedData) {
         updateField('assertionConsumingServiceIndex', pluginData.config.assertionConsumingServiceIndex);
     }
     
-    if (pluginData.config.attributeConsumingServiceName) {
-        updateField('attributeConsumingServiceName', pluginData.config.attributeConsumingServiceName);
+    if (pluginData.config.attributeConsumingServiceIndex) {
+        updateField('attributeConsumingServiceIndex', pluginData.config.attributeConsumingServiceIndex);
     }
     
     if (pluginData.config.attributeConsumingServiceName) {
         updateField('attributeConsumingServiceName', pluginData.config.attributeConsumingServiceName);
     }
+    
     if (pluginData.config.authnContextComparisonType) {
         updateField('comparison', pluginData.config.authnContextComparisonType);
     }

From 73a65ef7e106d02aad7a1222f8097c36a7c7618a Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Wed, 27 May 2026 15:10:47 +0200
Subject: [PATCH 12/16] Reverted removal of Test; minor additional fixes.

---
 .../keycloak/broker/saml/SAMLEndpoint.java    |  21 +--
 .../broker/saml/SAMLIdentityProvider.java     |   1 -
 .../saml/SAMLIdentityProviderConfig.java      |   9 --
 .../saml/SAMLIdentityProviderConfigTest.java  |   3 -
 .../mappers/UserAttributeValueMapperTest.java | 144 ++++++++++++++++++
 5 files changed, 147 insertions(+), 31 deletions(-)
 create mode 100644 src/test/java/nl/first8/keycloak/broker/saml/mappers/UserAttributeValueMapperTest.java

diff --git a/src/main/java/nl/first8/keycloak/broker/saml/SAMLEndpoint.java b/src/main/java/nl/first8/keycloak/broker/saml/SAMLEndpoint.java
index fed534d..7f036e9 100644
--- a/src/main/java/nl/first8/keycloak/broker/saml/SAMLEndpoint.java
+++ b/src/main/java/nl/first8/keycloak/broker/saml/SAMLEndpoint.java
@@ -445,8 +445,8 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                     logger.debug("Verify and get assertion!");
                     assertionElement = DocumentUtil.getElement(holder.getSamlDocument(), new QName(JBossSAMLConstants.ASSERTION.get()));
                 }
-                logger.trace("before Validate the response Issuer");
 
+                logger.trace("Validating the response Issuer");
                 // Validate the response Issuer
                 final String responseIssuer = responseType.getIssuer() != null ? responseType.getIssuer().getValue() : null;
                 final boolean responseIssuerValidationSuccess = config.getIdpEntityId() == null ||
@@ -458,8 +458,6 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                     return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.INVALID_REQUESTER);
                 }
 
-                logger.trace("before Validate InResponseTo attribute");
-
                 // Validate InResponseTo attribute: must match the generated request ID
                 String expectedRequestId = authSession.getClientNote(SamlProtocol.SAML_REQUEST_ID_BROKER);
                 final boolean inResponseToValidationSuccess = validateInResponseToAttribute(responseType, expectedRequestId);
@@ -475,7 +473,6 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                 final boolean signatureNotValid = signed && config.isValidateSignature() && !AssertionUtil.isSignatureValid(assertionElement, getIDPKeyLocator());
                 final boolean hasNoSignatureWhenRequired = !signed && config.isValidateSignature() && !containsUnencryptedSignature(holder);
 
-                logger.trace("before if (assertionSignatureNotExistsWhenRequired || (...)");
 
                 if (assertionSignatureNotExistsWhenRequired || signatureNotValid || hasNoSignatureWhenRequired) {
                     logger.error("validation failed");
@@ -484,8 +481,6 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                     return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.INVALID_REQUESTER);
                 }
 
-                logger.trace("after if (assertionSignatureNotExistsWhenRequired || (...)");
-
                 if (AssertionUtil.isIdEncrypted(responseType)) {
                     try {
                         XMLEncryptionUtil.DecryptionKeyLocator decryptionKeyLocator = new SAMLDecryptionKeysLocator(session, realm, config.getEncryptionAlgorithm());
@@ -498,8 +493,7 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
 
                 AssertionType assertion = responseType.getAssertions().get(0).getAssertion();
 
-                logger.trace("before Validate the assertion issuer");
-
+                logger.trace("Validating the assertion issuer");
                 // Validate the assertion Issuer
                 final String assertionIssuer = assertion.getIssuer() != null ? assertion.getIssuer().getValue() : null;
                 final boolean assertionIssuerValidationSuccess = config.getIdpEntityId() == null ||
@@ -514,8 +508,6 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                 NameIDType subjectNameID = getSubjectNameID(assertion);
                 String principal = getPrincipal(assertion);
 
-                logger.trace("before if (principal == null)");
-
                 if (principal == null) {
                     logger.errorf("no principal in assertion; expected: %s", expectedPrincipalType());
                     event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
@@ -530,7 +522,6 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
 
                 identity.setUsername(principal);
 
-                logger.trace("before if (subjectNameID != null && (...)");
                 //SAML Spec 2.2.2 Format is optional
                 if (subjectNameID != null && subjectNameID.getFormat() != null && subjectNameID.getFormat().toString().equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) {
                     identity.setEmail(subjectNameID.getValue());
@@ -540,7 +531,6 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                     identity.setToken(samlResponse);
                 }
 
-                logger.trace("before if (subjectNameID != null && (...)");
 
                 ConditionsValidator.Builder cvb = new ConditionsValidator.Builder(assertion.getID(), assertion.getConditions(), destinationValidator)
                     .clockSkewInMillis(1000 * config.getAllowedClockSkew());
@@ -554,7 +544,6 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                 } catch (IllegalArgumentException ex) {
                     // warning has been already emitted in DeploymentBuilder
                 }
-                logger.trace("before if (! cvb.build().isValid())");
                 if (!cvb.build().isValid()) {
                     logger.error("Assertion expired.");
                     event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
@@ -562,8 +551,6 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                     return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.EXPIRED_CODE);
                 }
 
-                logger.trace("before for (Object statement : (...)");
-
                 AuthnStatementType authn = null;
                 for (Object statement : assertion.getStatements()) {
                     if (statement instanceof AuthnStatementType) {
@@ -574,8 +561,6 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                     }
                 }
 
-                logger.trace("before if (assertion.getAttributeStatements() != null");
-
                 if (assertion.getAttributeStatements() != null) {
                     String email = getX500Attribute(assertion, X500SAMLProfileConstants.EMAIL);
                     if (email != null) {
@@ -588,7 +573,6 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                 identity.setBrokerUserId(brokerUserId);
                 identity.setIdp(provider);
 
-                logger.trace("before if (authn != null && (...)");
 
                 if (authn != null && authn.getSessionIndex() != null) {
                     String brokerSessionId = config.getAlias() + "." + authn.getSessionIndex();
@@ -596,6 +580,7 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                     identity.setBrokerSessionId(brokerSessionId);
                 }
 
+                logger.trace("handleLoginResponse finished succesfully.");
                 return callback.authenticated(identity);
             } catch (WebApplicationException e) {
                 return e.getResponse();
diff --git a/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProvider.java b/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProvider.java
index c6c52ce..ff325c2 100644
--- a/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProvider.java
+++ b/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProvider.java
@@ -125,7 +125,6 @@ public Response performLogin(AuthenticationRequest request) {
             if (protocol.requireReauthentication(null, request.getAuthenticationSession()))
                 forceAuthn = Boolean.TRUE;
             SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder()
-                .assertionConsumerUrl(assertionConsumerServiceUrl)
                 .destination(destinationUrl)
                 .issuer(issuerURL)
                 .forceAuthn(forceAuthn)
diff --git a/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfig.java b/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfig.java
index 287eece..4a26552 100644
--- a/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfig.java
+++ b/src/main/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfig.java
@@ -62,7 +62,6 @@ public class SAMLIdentityProviderConfig extends org.keycloak.broker.saml.SAMLIde
     public static final String METADATA_VALID_UNTIL_PERIOD = "metadataValidUntilPeriod";
     public static final String ARTIFACT_BINDING_RESPONSE = "artifactBindingResponse";
     public static final String ARTIFACT_RESOLUTION_MUTUAL_TLS = "mutualTls";
-    public static final String IGNORE_SAML_ADVICE_NODES = "ignoreSamlAdviceNodes";
     public static final String AUTHN_REQUEST_SCOPING = "scoping";
     public static final String LINKED_PROVIDERS = "linkedProviders";
     public static final String SERVICE_NAME = "serviceName";
@@ -187,14 +186,6 @@ public void setMutualTls(boolean mutualTls) {
         getConfig().put(ARTIFACT_RESOLUTION_MUTUAL_TLS, String.valueOf(mutualTls));
     }
 
-    public void setIgnoreSamlAdviceNodes(boolean ignoreSamlAdviceNodes) {
-        getConfig().put(IGNORE_SAML_ADVICE_NODES, String.valueOf(ignoreSamlAdviceNodes));
-    }
-
-    public boolean isIgnoreSamlAdviceNodes() {
-        return Boolean.parseBoolean(getConfig().get(IGNORE_SAML_ADVICE_NODES));
-    }
-
     public String getScoping() {
         return this.getConfig().get(AUTHN_REQUEST_SCOPING);
     }
diff --git a/src/test/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfigTest.java b/src/test/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfigTest.java
index 824bc0e..e385917 100644
--- a/src/test/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfigTest.java
+++ b/src/test/java/nl/first8/keycloak/broker/saml/SAMLIdentityProviderConfigTest.java
@@ -97,9 +97,6 @@ static Stream<BooleanProperty> booleanProperties() {
             new BooleanProperty(ARTIFACT_RESOLUTION_MUTUAL_TLS,
                 SAMLIdentityProviderConfig::setMutualTls,
                 SAMLIdentityProviderConfig::isMutualTLS),
-            new BooleanProperty(IGNORE_SAML_ADVICE_NODES,
-                SAMLIdentityProviderConfig::setIgnoreSamlAdviceNodes,
-                SAMLIdentityProviderConfig::isIgnoreSamlAdviceNodes),
             new BooleanProperty(SIGN_SP_METADATA,
                 SAMLIdentityProviderConfig::setSignSpMetadata,
                 SAMLIdentityProviderConfig::isSignSpMetadata),
diff --git a/src/test/java/nl/first8/keycloak/broker/saml/mappers/UserAttributeValueMapperTest.java b/src/test/java/nl/first8/keycloak/broker/saml/mappers/UserAttributeValueMapperTest.java
new file mode 100644
index 0000000..d1742de
--- /dev/null
+++ b/src/test/java/nl/first8/keycloak/broker/saml/mappers/UserAttributeValueMapperTest.java
@@ -0,0 +1,144 @@
+package nl.first8.keycloak.broker.saml.mappers;
+
+import nl.first8.keycloak.dom.saml.v2.assertion.AssertionType;
+import nl.first8.keycloak.dom.saml.v2.assertion.AttributeStatementType;
+import nl.first8.keycloak.dom.saml.v2.assertion.XacmlResourceType;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.keycloak.broker.provider.BrokeredIdentityContext;
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.models.IdentityProviderMapperModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+
+import java.util.*;
+
+import static org.mockito.Mockito.*;
+
+class UserAttributeValueMapperTest {
+
+    public static final String ATTRIBUTE_NAME = "urn:etoegang:core:LegalSubjectID";
+    public static final String USER_ATTRIBUTE_NAME = "LegalSubjectID";
+    public static final String ATTRIBUTE_VALUE_ATTRIBUTE_STATEMENT = "<saml:EncryptedID xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><xenc:EncryptedData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"_eafaac3107634baeb7a41b4131c440e5\" Type=\"http://www.w3.org/2001/04/xmlenc#Element\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"/><ds:KeyInfo><ds:RetrievalMethod Type=\"http://www.w3.org/2001/04/xmlenc#EncryptedKey\" URI=\"#_c9034e8a48ac43dcbfcdef4ce0aec000\"/></ds:KeyInfo><xenc:CipherData><xenc:CipherValue> DFKsO9nqmQmi1cRiDHpY0kMSRLK8CFhdzX2pJh3gH5jgZPM3VS36AclLjLIIBvW2ln68qi5izMrcqIy5gWUqDxlrt5t7L5lSoppierATcxKHab9a0005FyYJl0kor9Z4TQouhr/bwZ2GBw4J88OiVwWrXWrjpqLIzbtJHiHsKkZ8Azh4FxR3xYlvFSdoJ3xHy4si2pQsCZ5KzGJislkNY/j/rKc2j2HX2aJXcJvJc0RvPqQT9yzKs3chJeSdujXaldK5FS/DBIkV0RMQ2nCzIpR+3pbxx+aMTmKx/YkvvhhEPi7xg5oXhOQ407LJCswHyjjj9Jx9274ocuaDNmdVAJyoMceL05awS5z/wLi8AyQ=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><xenc:EncryptedKey xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"_c9034e8a48ac43dcbfcdef4ce0aec000\" Recipient=\"urn:etoegang:MR:0000000123456780000:entities:1234\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/></xenc:EncryptionMethod><ds:KeyInfo><ds:KeyName>43005cb6118b950cbc6664945cec888debc594a0</ds:KeyName></ds:KeyInfo><xenc:CipherData><xenc:CipherValue> MGn0l8bj2mZJIFY/HfXZs69JLOdmwqnogieizFdOtSFdnYYflcWZ8KIIm48/DkdXeYlmEPjWHNlwPWnTnN5HeZiUL8Oe3K/T+PTHxq1IFFY5sVDWcE6CgUR4RWZgvsX2Sru841gb1in7HEeOkyIV/hzojiqlbs/MCbD5z+yX5Z8Vo4gbsFVHOiZDOgmpWDUXsPonYn3EIPz8oOslrqgln6cuwCCFXEhRpT3vqMsey+V95EcJmLu9KMXYzdfvikm4cmzlDe9iLk15aeQza2xN+G1y3adov3TsrfbL2NBsK6CJ8U5h0M1QPicvgmFQFFKIdL6y/u9FuGGoq+Gn6P4VXg==</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI=\"#_eafaac3107634baeb7a41b4131c440e5\"/></xenc:ReferenceList></xenc:EncryptedKey></saml:EncryptedID>";
+    public static final String ATTRIBUTE_VALUE_XACML_RESOURCE = "Value";
+
+    UserAttributeValueMapper mapper;
+
+    @BeforeEach
+    public void setUp() {
+        this.mapper = new UserAttributeValueMapper();
+    }
+
+    @Test
+    void preprocessFederatedIdentity_XmlElementAsBase64() {
+
+        RealmModel realm = mock(RealmModel.class);
+
+        KeycloakSession session = mock(KeycloakSession.class);
+
+        IdentityProviderMapperModel mapperModel = mock(IdentityProviderMapperModel.class);
+        Map<String, String> config = getConfig();
+        when(mapperModel.getConfig()).thenReturn(config);
+
+        BrokeredIdentityContext brokeredIdentityContext = mock(BrokeredIdentityContext.class);
+        Map<String, Object> context = getContext();
+        when(brokeredIdentityContext.getContextData()).thenReturn(context);
+
+        mapper.preprocessFederatedIdentity(session, realm, mapperModel, brokeredIdentityContext);
+    }
+
+    @Test
+    void read_attribute_from_attributeStatement() {
+        IdentityProviderMapperModel mapperModel = mock(IdentityProviderMapperModel.class);
+        Map<String, String> config = getConfig();
+        config.put("attribute.xacml-context", "false");
+        when(mapperModel.getConfig()).thenReturn(config);
+        BrokeredIdentityContext brokeredIdentityContext = mock(BrokeredIdentityContext.class);
+        Map<String, Object> context = getContext();
+        when(brokeredIdentityContext.getContextData()).thenReturn(context);
+
+        mapper.preprocessFederatedIdentity(null, null, mapperModel, brokeredIdentityContext);
+        verify(brokeredIdentityContext, times(1)).setUserAttribute(USER_ATTRIBUTE_NAME, List.of(ATTRIBUTE_VALUE_ATTRIBUTE_STATEMENT));
+    }
+
+    @Test
+    void read_attribute_from_xacmlRescource() {
+        IdentityProviderMapperModel mapperModel = mock(IdentityProviderMapperModel.class);
+        Map<String, String> config = getConfig();
+        config.put("attribute.xacml-context", "true");
+        when(mapperModel.getConfig()).thenReturn(config);
+        BrokeredIdentityContext brokeredIdentityContext = mock(BrokeredIdentityContext.class);
+        Map<String, Object> context = getContext();
+        when(brokeredIdentityContext.getContextData()).thenReturn(context);
+
+        mapper.preprocessFederatedIdentity(null, null, mapperModel, brokeredIdentityContext);
+        verify(brokeredIdentityContext, times(1)).setUserAttribute(USER_ATTRIBUTE_NAME, List.of(ATTRIBUTE_VALUE_XACML_RESOURCE));
+    }
+
+    private Map<String, Object> getContext() {
+
+        List<Object> attributeValues = new ArrayList<>();
+        attributeValues.add(ATTRIBUTE_VALUE_ATTRIBUTE_STATEMENT);
+
+        List<Object> attributeValuesXacml = new ArrayList<>();
+        attributeValuesXacml.add(ATTRIBUTE_VALUE_XACML_RESOURCE);
+
+        AttributeType attributeType = mock(AttributeType.class);
+        when(attributeType.getName()).thenReturn(ATTRIBUTE_NAME);
+        when(attributeType.getAttributeValue()).thenReturn(attributeValues);
+
+        AttributeType attributeTypeXacmlResource = mock(AttributeType.class);
+        when(attributeTypeXacmlResource.getName()).thenReturn(ATTRIBUTE_NAME);
+        when(attributeTypeXacmlResource.getAttributeValue()).thenReturn(attributeValuesXacml);
+
+        AttributeStatementType.ASTChoiceType astChoiceType = mock(AttributeStatementType.ASTChoiceType.class);
+        when(astChoiceType.getAttribute()).thenReturn(attributeType);
+
+        List<AttributeStatementType.ASTChoiceType> astChoiceTypes = new ArrayList<>();
+        astChoiceTypes.add(astChoiceType);
+
+        AttributeStatementType attributeStatement = mock(AttributeStatementType.class);
+        when(attributeStatement.getAttributes()).thenReturn(astChoiceTypes);
+
+        Set<AttributeStatementType> attributeStatements = new HashSet<>();
+        attributeStatements.add(attributeStatement);
+
+        XacmlResourceType xacmlResource = mock(XacmlResourceType.class);
+        when(xacmlResource.getAttributes()).thenReturn(Set.of(attributeTypeXacmlResource));
+
+        Set<XacmlResourceType> xacmlResources = new HashSet<>();
+        xacmlResources.add(xacmlResource);
+
+        AssertionType assertionType = mock(AssertionType.class);
+        when(assertionType.getID()).thenReturn("assertionTypeID");
+        when(assertionType.getIssueInstant()).thenReturn(XMLTimeUtil.getIssueInstant());
+        NameIDType nameIDType = new NameIDType();
+        nameIDType.setValue("nameIdValue");
+        nameIDType.setFormat(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.getUri());
+        when(assertionType.getIssuer()).thenReturn(nameIDType);
+        when(assertionType.getSignature()).thenReturn(null);
+        when(assertionType.getConditions()).thenReturn(null);
+        when(assertionType.getSubject()).thenReturn(null);
+        when(assertionType.getAdvice()).thenReturn(null);
+        when(assertionType.getAttributeStatements()).thenReturn(attributeStatements);
+        when(assertionType.getXacmlResources()).thenReturn(xacmlResources);
+
+        Map<String, Object> context = new HashMap<>();
+        context.put("SAML_ASSERTION", assertionType);
+
+        return context;
+    }
+
+    private Map<String, String> getConfig() {
+        Map<String, String> config = new HashMap<>();
+        config.put("user.attribute", USER_ATTRIBUTE_NAME);
+        config.put("attribute.name", ATTRIBUTE_NAME);
+        config.put("attribute.decrypt", "false");
+        config.put("attribute.xml.element", "true");
+
+        return config;
+    }
+}
\ No newline at end of file

From facc1ed4a63159ab284d7e9bcaba2ca3d22932ce Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Thu, 28 May 2026 09:30:37 +0200
Subject: [PATCH 13/16] Renamed wrongly capitalized serverUrl; allow for
 possible relativePath

---
 .../saml-extended-frontend/js/AddProvider.js        | 10 +++++-----
 .../resources/saml-extended-frontend/js/Config.js   | 13 +++++++------
 .../saml-extended-frontend/js/EditProvider.js       |  6 +++---
 .../saml-extended-frontend/js/InfoUpdaterAdd.js     |  2 +-
 .../saml-extended-frontend/js/RestApiMethodes.js    |  8 ++++----
 .../saml-extended-frontend/js/keycloakAdd.js        |  8 ++++----
 .../saml-extended-frontend/js/keycloakEdit.js       |  8 ++++----
 .../saml-extended-frontend/js/keycloakList.js       |  6 +++---
 .../saml-extended-frontend/pages/addprovider.html   |  8 ++++----
 .../saml-extended-frontend/pages/editprovider.html  |  2 +-
 10 files changed, 36 insertions(+), 35 deletions(-)

diff --git a/src/main/resources/saml-extended-frontend/js/AddProvider.js b/src/main/resources/saml-extended-frontend/js/AddProvider.js
index 99bbc23..5ae7c9b 100644
--- a/src/main/resources/saml-extended-frontend/js/AddProvider.js
+++ b/src/main/resources/saml-extended-frontend/js/AddProvider.js
@@ -28,7 +28,7 @@ import_data.addEventListener('click', async (event) => {
             {return}
             var newAccessToken = keycloak.token;
             
-            const checkPluginResponse = await fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias}`, {
+            const checkPluginResponse = await fetch(`${serverUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias}`, {
                 method: 'GET',
                 headers: {
                     'Authorization': `Bearer ${newAccessToken}`
@@ -44,7 +44,7 @@ import_data.addEventListener('click', async (event) => {
                 // Add your logic for updating the existing plugin if needed
             } else if (checkPluginResponse.status === 404) {
                 // Plugin not found, add it using a POST request
-                const updatePluginResponse = await fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/import-config`, {
+                const updatePluginResponse = await fetch(`${serverUrl}/admin/realms/${selectedrealm}/identity-provider/import-config`, {
                     method: 'POST',
                     headers: {
                         'Authorization': `Bearer ${newAccessToken}`,
@@ -132,7 +132,7 @@ add.addEventListener('click', () => {
                 var newAccessToken = keycloak.token;
                 var selectedrealm = localStorage.getItem('selectedRealm');
                 
-                const updatePluginResponse = await fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances`, {
+                const updatePluginResponse = await fetch(`${serverUrl}/admin/realms/${selectedrealm}/identity-provider/instances`, {
                     method: 'POST',
                     headers: {
                         'Authorization': `Bearer ${newAccessToken}`,
@@ -301,7 +301,7 @@ add.addEventListener('click', () => {
                 var newAccessToken = keycloak.token;
                 var selectedrealm= localStorage.getItem('selectedRealm');
                 // Sending a GET request to check if the plugin exists
-                fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias}`, {
+                fetch(`${serverUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias}`, {
                     method: 'GET',
                     headers: {
                         'Authorization': ` Bearer ${newAccessToken}`, // Fix here
@@ -314,7 +314,7 @@ add.addEventListener('click', () => {
                           // Add your logic for updating the existing plugin if needed
                       } else if (checkPluginResponse.status === 404) {
                           // Plugin not found, add it using a POST request
-                          const updatePluginResponse = await fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances`, {
+                          const updatePluginResponse = await fetch(`${serverUrl}/admin/realms/${selectedrealm}/identity-provider/instances`, {
                                 method: 'POST',
                                 headers: {
                                     'Authorization': ` Bearer ${newAccessToken}`, // Fix here
diff --git a/src/main/resources/saml-extended-frontend/js/Config.js b/src/main/resources/saml-extended-frontend/js/Config.js
index d0d56df..af1ac53 100644
--- a/src/main/resources/saml-extended-frontend/js/Config.js
+++ b/src/main/resources/saml-extended-frontend/js/Config.js
@@ -1,11 +1,12 @@
-const ServerUrl = window.location.protocol+"//" + window.location.host;
+const relativePath = window.location.pathname.substring(0,window.location.pathname.indexOf("/realm"));
+const serverUrl = window.location.protocol+"//" + window.location.host + relativePath;
 const clientid = 'saml-extended';
-const postLogoutRedirect = `${ServerUrl}/realms/master/samlconfig/pages/realm`;
-const redirectUri = `${ServerUrl}/realms/master/samlconfig/pages/list`;
-const editprovider=`${ServerUrl}/realms/master/samlconfig/pages/editprovider`;
-const addprovider=`${ServerUrl}/realms/master/samlconfig/pages/addprovider`;
+const postLogoutRedirect = `${serverUrl}/realms/master/samlconfig/pages/realm`;
+const redirectUri = `${serverUrl}/realms/master/samlconfig/pages/list`;
+const editprovider=`${serverUrl}/realms/master/samlconfig/pages/editprovider`;
+const addprovider=`${serverUrl}/realms/master/samlconfig/pages/addprovider`;
 const realm = localStorage.getItem('realm_input');
-localStorage.setItem('ServerUrl', ServerUrl);
+localStorage.setItem('serverUrl', serverUrl);
 localStorage.setItem('postLogoutRedirect', postLogoutRedirect);
 localStorage.setItem('redirectUri', redirectUri);
 localStorage.setItem('addprovider', addprovider);
diff --git a/src/main/resources/saml-extended-frontend/js/EditProvider.js b/src/main/resources/saml-extended-frontend/js/EditProvider.js
index 514b3c6..2a1d691 100644
--- a/src/main/resources/saml-extended-frontend/js/EditProvider.js
+++ b/src/main/resources/saml-extended-frontend/js/EditProvider.js
@@ -149,7 +149,7 @@ edit.addEventListener('click', () => {
             var selectedrealm = localStorage.getItem('selectedRealm');
             if(alias_input.value){
                 // Sending a GET request to check if the plugin exists
-                fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias_input.value}`, {
+                fetch(`${serverUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias_input.value}`, {
                     method: 'GET',
                     headers: {
                         'Authorization': `Bearer ${newAccessToken}`,
@@ -160,7 +160,7 @@ edit.addEventListener('click', () => {
                   .then(async checkPluginResponse => {
                       if (checkPluginResponse.ok) {
                           var pluginData = await checkPluginResponse.json();
-                          const updatePluginResponse = await fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias_input.value}`, {
+                          const updatePluginResponse = await fetch(`${serverUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias_input.value}`, {
                                 method: 'PUT',
                                 headers: {
                                     'Authorization': `Bearer ${newAccessToken}`,
@@ -185,7 +185,7 @@ edit.addEventListener('click', () => {
                           }
                       } else if (checkPluginResponse.status === 404) {
                           // If the status is 404, the plugin does not exist, so send a POST request
-                          return fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances`, {
+                          return fetch(`${serverUrl}/admin/realms/${selectedrealm}/identity-provider/instances`, {
                               method: 'POST',
                               headers: {
                                   'Authorization': `Bearer ${newAccessToken}`,
diff --git a/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js b/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js
index 5c8ae62..230f762 100644
--- a/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js
+++ b/src/main/resources/saml-extended-frontend/js/InfoUpdaterAdd.js
@@ -294,7 +294,7 @@ if (storedData) {
         
     }
     var selectedrealm = localStorage.getItem('selectedRealm');
-    var ServerUrl1 = localStorage.getItem('ServerUrl')
+    var ServerUrl1 = localStorage.getItem('serverUrl')
     var pluginalias=localStorage.setItem('pluginalias',`${pluginData.alias}`)
     document.getElementById('redirectUri').value = `${ServerUrl1}/realms/${selectedrealm}/broker/${pluginData.alias}/endpoint`
     
diff --git a/src/main/resources/saml-extended-frontend/js/RestApiMethodes.js b/src/main/resources/saml-extended-frontend/js/RestApiMethodes.js
index cd9fa3c..c607345 100644
--- a/src/main/resources/saml-extended-frontend/js/RestApiMethodes.js
+++ b/src/main/resources/saml-extended-frontend/js/RestApiMethodes.js
@@ -1,7 +1,7 @@
 // export let selectedRealm;
 function getAllPlugins(accessToken, selectedRealm) {
     if (selectedRealm) {
-        fetch(`${ServerUrl}/admin/realms/${selectedRealm}/identity-provider/instances`, {
+        fetch(`${serverUrl}/admin/realms/${selectedRealm}/identity-provider/instances`, {
             method: 'GET',
             headers: {
                 'Authorization': ` Bearer ${accessToken}`
@@ -58,7 +58,7 @@ window.handleAttributeServices=handleAttributeServices;
 
 function getAllRealms(accessToken) {
     keycloak.updateToken(300).then((bool) => {
-        fetch(`${ServerUrl}/admin/realms`, {
+        fetch(`${serverUrl}/admin/realms`, {
             method: 'GET',
             headers: {
                 'Authorization': `Bearer ${accessToken}`
@@ -209,7 +209,7 @@ function handleDeleteButtonClick(plugin_alias, accessToken) {
         if (bool) {
             var selectedrealm = localStorage.getItem('selectedRealm');
             // Assuming you have an API endpoint for deleting plugins
-            var deleteEndpoint = `${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${plugin_alias}`;
+            var deleteEndpoint = `${serverUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${plugin_alias}`;
             var accessToken = keycloak.token;
             // Send a DELETE request using Fetch API
             fetch(deleteEndpoint, {
@@ -251,7 +251,7 @@ function getPluginDetails(alias, accessToken) {
             if (bool) {
                 var accessToken = keycloak.token;
                 var selectedrealm = localStorage.getItem('selectedRealm');
-                fetch(`${ServerUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias}`, {
+                fetch(`${serverUrl}/admin/realms/${selectedrealm}/identity-provider/instances/${alias}`, {
                     method: 'GET',
                     headers: {
                         'Authorization': `Bearer ${accessToken}`
diff --git a/src/main/resources/saml-extended-frontend/js/keycloakAdd.js b/src/main/resources/saml-extended-frontend/js/keycloakAdd.js
index d511550..3c331d0 100644
--- a/src/main/resources/saml-extended-frontend/js/keycloakAdd.js
+++ b/src/main/resources/saml-extended-frontend/js/keycloakAdd.js
@@ -1,6 +1,6 @@
 var accessToken;
 const keycloak =new Keycloak({
-    url: `${ServerUrl}`,
+    url: `${serverUrl}`,
     realm: `${realm}`,
     clientId: `${clientid}`,
     redirectUri: `${redirectUri}`,
@@ -9,7 +9,7 @@ const keycloak =new Keycloak({
 });
 
 document.getElementById('logout').addEventListener('click', () => {
-    window.location.href = `${ServerUrl}/realms/${realm}/protocol/openid-connect/logout?post_logout_redirect_uri=${postLogoutRedirect}&client_id=${clientid}`;
+    window.location.href = `${serverUrl}/realms/${realm}/protocol/openid-connect/logout?post_logout_redirect_uri=${postLogoutRedirect}&client_id=${clientid}`;
 });
 
 keycloak
@@ -23,7 +23,7 @@ keycloak
             const selectElement_postLoginFlow = document.getElementById('postLoginFlow');
             const selectElement_firstLoginFlow = document.getElementById('firstLoginFlow');
 
-            fetch(`${ServerUrl}/admin/realms/${selectedrealm}/ui-ext/authentication-management/flows`, {
+            fetch(`${serverUrl}/admin/realms/${selectedrealm}/ui-ext/authentication-management/flows`, {
                 method: 'GET',
                 headers: {
                     'Authorization': `Bearer ${accessToken}`,
@@ -80,7 +80,7 @@ keycloak
             } else {
 
                 alert("User does not have admin role. Access denied.");
-                window.location.href = `${ServerUrl}/realms/${realm}/protocol/openid-connect/logout?post_logout_redirect_uri=${post_logout_redirect_uri}&client_id=${clientid}`;
+                window.location.href = `${serverUrl}/realms/${realm}/protocol/openid-connect/logout?post_logout_redirect_uri=${post_logout_redirect_uri}&client_id=${clientid}`;
 
             }
         }
diff --git a/src/main/resources/saml-extended-frontend/js/keycloakEdit.js b/src/main/resources/saml-extended-frontend/js/keycloakEdit.js
index 0872946..49e966c 100644
--- a/src/main/resources/saml-extended-frontend/js/keycloakEdit.js
+++ b/src/main/resources/saml-extended-frontend/js/keycloakEdit.js
@@ -1,6 +1,6 @@
 var accessToken;
 const keycloak = new Keycloak({
-  url: `${ServerUrl}`,
+  url: `${serverUrl}`,
   realm: `${realm}`,
   clientId: `${clientid}`,
   redirectUri: `${redirectUri}`,
@@ -9,7 +9,7 @@ const keycloak = new Keycloak({
 });
 
 document.getElementById('logout').addEventListener('click', () => {
-  window.location.href = `${ServerUrl}/realms/${realm}/protocol/openid-connect/logout?post_logout_redirect_uri=${postLogoutRedirect}&client_id=${clientid}`;
+  window.location.href = `${serverUrl}/realms/${realm}/protocol/openid-connect/logout?post_logout_redirect_uri=${postLogoutRedirect}&client_id=${clientid}`;
 });
 
 keycloak
@@ -24,7 +24,7 @@ keycloak
       const selectElement_firstLoginFlow = document.getElementById('firstLoginFlow');
       var selectedrealm = localStorage.getItem('selectedRealm');
 
-      fetch(`${ServerUrl}/admin/realms/${selectedrealm}/ui-ext/authentication-management/flows`, {
+      fetch(`${serverUrl}/admin/realms/${selectedrealm}/ui-ext/authentication-management/flows`, {
         method: 'GET',
         headers: {
           'Authorization': `Bearer ${accessToken}`,
@@ -91,7 +91,7 @@ keycloak
       } else {
 
         alert("User does not have admin role. Access denied.");
-        window.location.href = `${ServerUrl}/realms/${realm}/protocol/openid-connect/logout?post_logout_redirect_uri=${post_logout_redirect_uri}&client_id=${clientid}`;
+        window.location.href = `${serverUrl}/realms/${realm}/protocol/openid-connect/logout?post_logout_redirect_uri=${post_logout_redirect_uri}&client_id=${clientid}`;
 
 
       }
diff --git a/src/main/resources/saml-extended-frontend/js/keycloakList.js b/src/main/resources/saml-extended-frontend/js/keycloakList.js
index 9433f86..21db915 100644
--- a/src/main/resources/saml-extended-frontend/js/keycloakList.js
+++ b/src/main/resources/saml-extended-frontend/js/keycloakList.js
@@ -1,6 +1,6 @@
 var accessToken;
 const keycloak = new Keycloak({
-    url: `${ServerUrl}`,
+    url: `${serverUrl}`,
     realm: `${realm}`,
     clientId: `${clientid}`,
     redirectUri: `${redirectUri}`,
@@ -10,7 +10,7 @@ const keycloak = new Keycloak({
 
 
 document.getElementById('logout').addEventListener('click', () => {
-    window.location.href = `${ServerUrl}/realms/${realm}/protocol/openid-connect/logout?post_logout_redirect_uri=${postLogoutRedirect}&client_id=${clientid}`;
+    window.location.href = `${serverUrl}/realms/${realm}/protocol/openid-connect/logout?post_logout_redirect_uri=${postLogoutRedirect}&client_id=${clientid}`;
 });
 
 keycloak
@@ -29,7 +29,7 @@ keycloak
                 document.body.style.display = 'block';
             } else {
                 alert("User does not have admin role. Access denied.");
-                window.location.href = `${ServerUrl}/realms/${realm}/protocol/openid-connect/logout?post_logout_redirect_uri=${post_logout_redirect_uri}&client_id=${clientid}`;
+                window.location.href = `${serverUrl}/realms/${realm}/protocol/openid-connect/logout?post_logout_redirect_uri=${post_logout_redirect_uri}&client_id=${clientid}`;
             }
         } else {
             alert("User authentication failed!");
diff --git a/src/main/resources/saml-extended-frontend/pages/addprovider.html b/src/main/resources/saml-extended-frontend/pages/addprovider.html
index c27b1a0..47c1ebb 100644
--- a/src/main/resources/saml-extended-frontend/pages/addprovider.html
+++ b/src/main/resources/saml-extended-frontend/pages/addprovider.html
@@ -379,7 +379,7 @@ <h5>Redirect URI
 
     <script>
       var selectedrealm = localStorage.getItem('selectedRealm');
-      var ServerUrl1 = localStorage.getItem('ServerUrl');
+      var ServerUrl1 = localStorage.getItem('serverUrl');
       document.getElementById('redirectUri').value = `${ServerUrl1}/realms/${selectedrealm}/broker/saml-extended/endpoint`
     </script>
     <h5>Alias *
@@ -390,14 +390,14 @@ <h5>Alias *
     <input type="text" name="alias" id="alias" class="input_text" oninput="copyValue(event)" required>
     <script>
       var selectedrealm = localStorage.getItem('selectedRealm');
-      var ServerUrl1 = localStorage.getItem('ServerUrl')
+      var ServerUrl1 = localStorage.getItem('serverUrl')
       document.getElementById('redirectUri').value = `${ServerUrl1}/realms/${selectedrealm}/broker/saml-extended/endpoint`
 
       function copyValue(event) {
         var alias = event.target.value;
         var selectedrealm = localStorage.getItem('selectedRealm');
         localStorage.setItem('alias_for_endpoint', alias)
-        var ServerUrl1 = localStorage.getItem('ServerUrl')
+        var ServerUrl1 = localStorage.getItem('serverUrl')
         document.getElementById('redirectUri').value = `${ServerUrl1}/realms/${selectedrealm}/broker/${alias}/endpoint`
         document.getElementById('metadataLink').onclick = function(event) {
           event.preventDefault();
@@ -427,7 +427,7 @@ <h5>Endpoints
     </section>
     <script>
       var selectedRealm = localStorage.getItem('selectedRealm');
-      var serverUrl = localStorage.getItem('ServerUrl');
+      var serverUrl = localStorage.getItem('serverUrl');
       var alias_for_endpoint = localStorage.getItem('alias_for_endpoint');
       document.getElementById('metadataLink').onclick = function(event) {
         event.preventDefault();
diff --git a/src/main/resources/saml-extended-frontend/pages/editprovider.html b/src/main/resources/saml-extended-frontend/pages/editprovider.html
index c7987d9..1b59d0d 100644
--- a/src/main/resources/saml-extended-frontend/pages/editprovider.html
+++ b/src/main/resources/saml-extended-frontend/pages/editprovider.html
@@ -398,7 +398,7 @@ <h5>Endpoints
 
         <script>
           var selectedRealm = localStorage.getItem('selectedRealm');
-          var serverUrl = localStorage.getItem('ServerUrl');
+          var serverUrl = localStorage.getItem('serverUrl');
           var pluginAlias = localStorage.getItem('pluginalias');
           var link = document.getElementById('metadataLink');
           document.getElementById('metadataLink').onclick = function(event) {

From 73a81299e14c4db74260b10da0f4230658b74f5e Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Thu, 28 May 2026 15:14:04 +0200
Subject: [PATCH 14/16] Add TracingProvider to keep SAMLEndpointTest working in
 26.1

---
 pom.xml                                                   | 2 +-
 .../nl/first8/keycloak/broker/saml/SAMLEndpointTest.java  | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index a36d12f..3007041 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 
-        <keycloak.version>26.0.0</keycloak.version>
+        <keycloak.version>26.1.5</keycloak.version>
         <spotbugs.version>4.8.3.1</spotbugs.version>
 
         <jib-maven-plugin.version>3.4.1</jib-maven-plugin.version>
diff --git a/src/test/java/nl/first8/keycloak/broker/saml/SAMLEndpointTest.java b/src/test/java/nl/first8/keycloak/broker/saml/SAMLEndpointTest.java
index fe6943d..850a343 100644
--- a/src/test/java/nl/first8/keycloak/broker/saml/SAMLEndpointTest.java
+++ b/src/test/java/nl/first8/keycloak/broker/saml/SAMLEndpointTest.java
@@ -1,5 +1,6 @@
 package nl.first8.keycloak.broker.saml;
 
+import io.opentelemetry.api.trace.Span;
 import jakarta.ws.rs.core.Response;
 import java.lang.reflect.Field;
 import java.net.URI;
@@ -28,6 +29,7 @@
 import org.keycloak.saml.validators.DestinationValidator;
 import org.keycloak.services.messages.Messages;
 import org.keycloak.sessions.AuthenticationSessionModel;
+import org.keycloak.tracing.TracingProvider;
 import org.mockito.ArgumentCaptor;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
@@ -230,6 +232,7 @@ private RealmModel getMockRealmModel() {
     /**
      * Assembles the full Keycloak session graph. Notable stubs:
      * - sessionFactory / innerSession: Keycloak spawns a child session for certain operations
+     * - TracingProvider: SAMLEndpoint calls getCurrentSpan(), also on the error path
      * - LoginFormsProvider: used by failure tests to assert on the error message rendered;
      * returned via session.getProvider(LoginFormsProvider.class) so tests can verify it
      */
@@ -261,6 +264,10 @@ private KeycloakSession getMockKeycloakSession() throws URISyntaxException {
         when(innerSession.getKeycloakSessionFactory()).thenReturn(sessionFactory);
         when(sessionFactory.create()).thenReturn(innerSession);
 
+        TracingProvider tracingProvider = mock(TracingProvider.class);
+        Span span = mock(Span.class);
+        when(tracingProvider.getCurrentSpan()).thenReturn(span);
+
         LoginFormsProvider loginFormsProvider = mock(LoginFormsProvider.class);
         when(loginFormsProvider.setAuthenticationSession(any())).thenReturn(loginFormsProvider);
         when(loginFormsProvider.setError(anyString())).thenReturn(loginFormsProvider);
@@ -273,6 +280,7 @@ private KeycloakSession getMockKeycloakSession() throws URISyntaxException {
         when(session.getContext()).thenReturn(context);
         when(session.keys()).thenReturn(keyManager);
         when(session.getKeycloakSessionFactory()).thenReturn(sessionFactory);
+        when(session.getProvider(TracingProvider.class)).thenReturn(tracingProvider);
         when(session.getProvider(LoginFormsProvider.class)).thenReturn(loginFormsProvider);
         return session;
     }

From 482869c2c714a421cc607eacb2620ececcb4c6f2 Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Thu, 28 May 2026 16:02:57 +0200
Subject: [PATCH 15/16] tiny pom version fix

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 075b0be..75c1631 100644
--- a/pom.xml
+++ b/pom.xml
@@ -11,7 +11,7 @@
     <description>
         SAML v2.0 extensions that adds more configuration options to connect to SAML Service Providers.
     </description>
-    <version>26.0</version>
+    <version>26.2</version>
 
     <properties>
         <maven.compiler.source>17</maven.compiler.source>

From 5103b6d3ca0c54e7933eb888500604aa5699b1e9 Mon Sep 17 00:00:00 2001
From: oadham <omar.adham@first8.nl>
Date: Thu, 28 May 2026 16:04:14 +0200
Subject: [PATCH 16/16] set pom versioning right before PR

---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 75c1631..267c710 100644
--- a/pom.xml
+++ b/pom.xml
@@ -11,7 +11,7 @@
     <description>
         SAML v2.0 extensions that adds more configuration options to connect to SAML Service Providers.
     </description>
-    <version>26.2</version>
+    <version>26.3</version>
 
     <properties>
         <maven.compiler.source>17</maven.compiler.source>
@@ -20,7 +20,7 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 
-        <keycloak.version>26.2.5</keycloak.version>
+        <keycloak.version>26.3.5</keycloak.version>
         <spotbugs.version>4.8.3.1</spotbugs.version>
 
         <jib-maven-plugin.version>3.4.1</jib-maven-plugin.version>