- check/configure encryption force signing (?)
- add attributes encryption (at least optionally)
- sign metadata! Add expiration ? see <ns0:Entitydescriptor> and <ns0:ISPSSODescriptor>
- Jinja escaping for configuration strings