private XMLObject unmarshall(String samlString) throws SAMLSSOException {

    try {
      DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
      documentBuilderFactory.setNamespaceAware(true);
      documentBuilderFactory.setExpandEntityReferences(false);
      documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
      org.apache.xerces.util.SecurityManager securityManager = new SecurityManager();
      securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
      documentBuilderFactory.setAttribute(SECURITY_MANAGER_PROPERTY, securityManager);

      DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
      docBuilder.setEntityResolver(new CarbonEntityResolver());
      ByteArrayInputStream is = new ByteArrayInputStream(samlString.getBytes());
      Document document = docBuilder.parse(is);
      Element element = document.getDocumentElement();
      UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
      Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
      return unmarshaller.unmarshall(element);
    } catch (ParserConfigurationException e) {
      throw new SAMLSSOException("Error in unmarshalling SAML Request from the encoded String", e);
    } catch (UnmarshallingException e) {
      throw new SAMLSSOException("Error in unmarshalling SAML Request from the encoded String", e);
    } catch (SAXException e) {
      throw new SAMLSSOException("Error in unmarshalling SAML Request from the encoded String", e);
    } catch (IOException e) {
      throw new SAMLSSOException("Error in unmarshalling SAML Request from the encoded String", e);
    }
  }
  public static DocumentBuilderFactory getSecuredDocumentBuilder() {

    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setNamespaceAware(true);
    documentBuilderFactory.setXIncludeAware(false);
    documentBuilderFactory.setExpandEntityReferences(false);
    try {
      documentBuilderFactory.setFeature(
          Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
      documentBuilderFactory.setFeature(
          Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
      documentBuilderFactory.setFeature(
          Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false);
    } catch (ParserConfigurationException e) {
      log.error(
          "Failed to load XML Processor Feature "
              + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE
              + " or "
              + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE
              + " or "
              + Constants.LOAD_EXTERNAL_DTD_FEATURE);
    }

    org.apache.xerces.util.SecurityManager securityManager =
        new org.apache.xerces.util.SecurityManager();
    securityManager.setEntityExpansionLimit(
        JaggeryappTemplateDeployerConstants.ENTITY_EXPANSION_LIMIT);
    documentBuilderFactory.setAttribute(
        Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager);
    return documentBuilderFactory;
  }
  /**
   * * This method provides a secured document builder which will secure XXE attacks.
   *
   * @return DocumentBuilder
   * @throws ParserConfigurationException
   */
  private DocumentBuilder getSecuredDocumentBuilder() throws ParserConfigurationException {

    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setNamespaceAware(true);
    documentBuilderFactory.setExpandEntityReferences(false);
    documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    documentBuilderFactory.setFeature(EXTERNAL_GENERAL_ENTITIES_URI, false);
    SecurityManager securityManager = new SecurityManager();
    securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
    documentBuilderFactory.setAttribute(SECURITY_MANAGER_PROPERTY, securityManager);
    DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
    documentBuilder.setEntityResolver(new CarbonEntityResolver());
    return documentBuilder;
  }
  /**
   * Formats a given unformatted XML string
   *
   * @param xml
   * @return A CDATA wrapped, formatted XML String
   */
  public String formatXML(String xml) {

    try {
      // create the factory
      DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
      docFactory.setIgnoringComments(true);
      docFactory.setNamespaceAware(true);
      docFactory.setExpandEntityReferences(false);
      SecurityManager securityManager = new SecurityManager();
      securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
      docFactory.setAttribute(SECURITY_MANAGER_PROPERTY, securityManager);
      DocumentBuilder docBuilder;
      Document xmlDoc;

      // now use the factory to create the document builder
      docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
      docBuilder = docFactory.newDocumentBuilder();
      docBuilder.setEntityResolver(new CarbonEntityResolver());
      xmlDoc = docBuilder.parse(new ByteArrayInputStream(xml.getBytes(Charsets.UTF_8)));

      OutputFormat format = new OutputFormat(xmlDoc);
      format.setLineWidth(0);
      format.setIndenting(true);
      format.setIndent(2);
      ByteArrayOutputStream baos = new ByteArrayOutputStream();
      XMLSerializer serializer = new XMLSerializer(baos, format);
      serializer.serialize(xmlDoc);

      xml = baos.toString("UTF-8");

    } catch (ParserConfigurationException pce) {
      throw new IllegalArgumentException("Failed to setup repository: ");
    } catch (Exception e) {
      log.error(e);
    }

    return "<![CDATA[" + xml + "]]>";
  }