* this is the attribute that holds the TISS ID from the TUW IdP
* this is required for the integration between some of our services
  (for TUW employees)

* nowadays, compose will ignore the tagged version and use the latest
  schema anyway
* https://github.com/compose-spec/compose-spec/blob/master/04-version-and-name.md

* according to: https://github.com/IdentityPython/pysaml2/issues/956

* this introduces another layer of security, especially for when the
  signing key is fetched from a URL
* adapted from the suggestion made by Peter Brand
* abort if the fingerprint is defined and doesn't match the calculated
  value
* complain if no fingerprint is specified and the certificate is fetched
  from a URL (but keep quiet if it's a local file)

* add "mailto:" prefix to contact email addresses
* add German information about the SP
* add comment about subject-id and pairwise-id
* mark displayName attribute as required

* according to the SAML spec, the IdP's responses need to be signed
  anyway

* because simply not having values means `null`

* make YAML formatting more consistent
* update information about eduPersonScopedAffiliation and request it
  optionally
* remove redundant information about required/optional fields
* replace `entity_category_support` with `entity_category` in SP config

* the extension in use is `.yaml` rather than `.yml`

* this will issue a warning on startup however, as it's recommended to
  provide a local file

* make metadata endpoint configurable
* allow specification of a certificate file for checking the signature

* because that allows anybody to authenticate with an arbitrary email
* we only want to allow institutions that vouch for the identity of
  their users

* use the eduid discovery service as fallback

* fetch the IDP metadata from the central eduID endpoint
* use their discovery service

* mount most configuration into the container rather than baking it into
  the image
* use a configuration file for registered clients and disable dynamic
  registration of clients during runtime

* according to feedback from PB from ACOnet
* while not strictly necessary (because they usually tweak the metadata
  a bit), it's still nice for documentation purposes for us

* because it's more relevant to have a stable ID rather than having the
  ID point to an actual endpoint providing XML metadata

* because SATOSA only accepts values from a certain enumeration

* we just deployed the image in a 100x100 px resolution, because
  1000x1000 px was a bit large

* also points to tudata@tuwien.ac.at, because the service is under our
  control

* because it needs to be a valid legal person, and the CRDM is just an
  organizational unit

* rename OIDC frontend
* change TU Wien logo in SAML configuration
* use proper ACR in SAML
* plus some further smaller changes