diff --git a/docs/simplesamlphp-reference-idp-hosted.md b/docs/simplesamlphp-reference-idp-hosted.md
index a0cf7db5c3aafe1bc9bcb7f78ddc003936d66057..a35e512d2434df6b41deef9ce9299381009fef96 100644
--- a/docs/simplesamlphp-reference-idp-hosted.md
+++ b/docs/simplesamlphp-reference-idp-hosted.md
@@ -249,12 +249,6 @@ The following SAML 2.0 options are available:
 :   Allows to specify information about the registrar of this SP. Please refer to the
     [MDRPI extension](./simplesamlphp-metadata-extensions-rpi) document for further information.
 
-`saml20.sendartifact`
-:   Set to `TRUE` to enable the IdP to send responses with the HTTP-Artifact binding.
-    Defaults to `FALSE`.
-
-:   Note that this requires a configured memcache server.
-
 `saml20.ecp`
 :   Set to `true` to enable the IdP to recieve authnrequests and send responses according the Enhanced Client or Proxy (ECP) Profile. Note: authentication filters that require interaction with the user will not work with ECP.
     Defaults to `false`.
@@ -263,22 +257,39 @@ The following SAML 2.0 options are available:
 :   Set to `TRUE` to enable the IdP to send responses according the [Holder-of-Key Web Browser SSO Profile](./simplesamlphp-hok-idp).
     Defaults to `FALSE`.
 
-`saml20.sign.response`
-:   Whether `<samlp:Response>` messages should be signed.
+`saml20.sendartifact`
+:   Set to `TRUE` to enable the IdP to send responses with the HTTP-Artifact binding.
+    Defaults to `FALSE`.
+
+:   Note that this requires a configured memcache server.
+
+`saml20.sign.assertion`
+:   Whether `<saml:Assertion>` elements should be signed.
     Defaults to `TRUE`.
 
 :   Note that this option also exists in the SP-remote metadata, and
     any value in the SP-remote metadata overrides the one configured
     in the IdP metadata.
 
-`saml20.sign.assertion`
-:   Whether `<saml:Assertion>` elements should be signed.
+`saml20.sign.response`
+:   Whether `<samlp:Response>` messages should be signed.
     Defaults to `TRUE`.
 
 :   Note that this option also exists in the SP-remote metadata, and
     any value in the SP-remote metadata overrides the one configured
     in the IdP metadata.
 
+`signature.algorithm`
+:   The algorithm to use when signing any message generated by this identity provider. Defaults to RSA-SHA256.
+:   Possible values:
+
+    * `http://www.w3.org/2000/09/xmldsig#rsa-sha1`
+       *Note*: the use of SHA1 is **deprecated** and will be disallowed in the future.
+    * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
+       The default.
+    * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
+    * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
+
 `sign.logout`
 :   Whether to sign logout messages sent from this IdP.
 
@@ -328,17 +339,6 @@ The following SAML 2.0 options are available:
 	specified will be kept in the metadata, making the first binding
 	the default one.
 
-`signature.algorithm`
-:   The algorithm to use when signing any message generated by this identity provider. Defaults to RSA-SHA256.
-:   Possible values:
-
-    * `http://www.w3.org/2000/09/xmldsig#rsa-sha1`
-       *Note*: the use of SHA1 is **deprecated** and will be disallowed in the future.
-    * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
-       The default.
-    * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
-    * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
-
 `validate.authnrequest`
 :   Whether we require signatures on authentication requests sent to this IdP.
 
diff --git a/docs/simplesamlphp-reference-idp-remote.md b/docs/simplesamlphp-reference-idp-remote.md
index dc96af4e73532cc60682b61f5ea0194042423504..95b4eda3e9d0b049267cf551a5d9b04f32986a60 100644
--- a/docs/simplesamlphp-reference-idp-remote.md
+++ b/docs/simplesamlphp-reference-idp-remote.md
@@ -44,6 +44,18 @@ The following options are common between both the SAML 2.0 protocol and Shibbole
 `icon`
 :   A logo which will be shown next to this IdP in the discovery service.
 
+`name`
+:   The name of this IdP. Will be used by various modules when they need to show a name of the SP to the user.
+
+:   If this option is unset, the organization name will be used instead (if it is available).
+
+:   This option can be translated into multiple languages by specifying the value as an array of language-code to translated name:
+
+        'name' => [
+            'en' => 'A service',
+            'no' => 'En tjeneste',
+        ],
+
 `OrganizationName`
 :   The name of the organization responsible for this SPP.
     This name does not need to be suitable for display to end users.
@@ -73,18 +85,6 @@ The following options are common between both the SAML 2.0 protocol and Shibbole
 
 :   *Note*: If you specify this option, you must also specify the `OrganizationName` option.
 
-`name`
-:   The name of this IdP. Will be used by various modules when they need to show a name of the SP to the user.
-
-:   If this option is unset, the organization name will be used instead (if it is available).
-
-:   This option can be translated into multiple languages by specifying the value as an array of language-code to translated name:
-
-        'name' => [
-            'en' => 'A service',
-            'no' => 'En tjeneste',
-        ],
-
 `scope`
 :   An array with scopes valid for this IdP.
     The IdP will send scopes in scoped attributes, that is, attributes containing a value with an `@` sign and a domain name
@@ -169,6 +169,19 @@ The following SAML 2.0 options are available:
 :   For compatibility purposes, `null` is equivalent to Transient and a format
     can be defined as a string instead of an array. These variants are deprecated.
 
+`signature.algorithm`
+:   The algorithm to use when signing any message sent to this specific identity provider. Defaults to RSA-SHA256.
+:   Note that this option also exists in the SP configuration.
+    This value in the IdP remote metadata overrides the value in the SP configuration.
+:   Possible values:
+
+    * `http://www.w3.org/2000/09/xmldsig#rsa-sha1`
+       *Note*: the use of SHA1 is **deprecated** and will be disallowed in the future.
+    * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
+      The default.
+    * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
+    * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
+
 `sign.authnrequest`
 :   Whether to sign authentication requests sent to this IdP.
 
@@ -189,19 +202,6 @@ The following SAML 2.0 options are available:
 `SingleLogoutServiceResponse`
 :   Endpoint URL for logout responses. Overrides the `SingleLogoutService`-option for responses.
 
-`signature.algorithm`
-:   The algorithm to use when signing any message sent to this specific identity provider. Defaults to RSA-SHA256.
-:   Note that this option also exists in the SP configuration.
-    This value in the IdP remote metadata overrides the value in the SP configuration.
-:   Possible values:
-
-    * `http://www.w3.org/2000/09/xmldsig#rsa-sha1`
-       *Note*: the use of SHA1 is **deprecated** and will be disallowed in the future.
-    * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
-      The default.
-    * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
-    * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
-
 `SPNameQualifier`
 :   This corresponds to the SPNameQualifier in the SAML 2.0 specification. It allows to give subjects a SP specific namespace. This option is rarely used, so if you don't need it, leave it out. When left out, SimpleSAMLphp assumes the entityID of your SP as the SPNameQualifier.
 
diff --git a/docs/simplesamlphp-reference-sp-remote.md b/docs/simplesamlphp-reference-sp-remote.md
index 96a01825ac2b949594fb55061f90f419aa22da18..8fb93248573554f6493fe4b94b1a7d878accc34e 100644
--- a/docs/simplesamlphp-reference-sp-remote.md
+++ b/docs/simplesamlphp-reference-sp-remote.md
@@ -119,6 +119,21 @@ The following SAML 2.0 options are available:
 
 :   The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints).
 
+`attributeencodings`
+:   What encoding should be used for the different attributes. This is
+    an array which maps attribute names to attribute encodings. There
+    are three different encodings:
+
+:   -   `string`: Will include the attribute as a normal string. This is
+        the default.
+
+:   -   `base64`: Store the attribute as a base64 encoded string. This
+        is the default when the `base64attributes`-option is set to
+        `TRUE`.
+
+:   -   `raw`: Store the attribute without any modifications. This
+        makes it possible to include raw XML in the response.
+
 `attributes.NameFormat`
 :   What value will be set in the Format field of attribute
     statements. This parameter can be configured multiple places, and
@@ -151,6 +166,16 @@ The following SAML 2.0 options are available:
 
 :   (This option was previously named `AttributeNameFormat`.)
 
+`certData`
+:   The base64 encoded certificate for this SP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option.
+
+`certificate`
+:   Name of certificate file for this SP. The certificate is used to
+    verify the signature of messages received from the SP (if
+    `redirect.validate`is set to `TRUE`), and to encrypting assertions
+    (if `assertion.encryption` is set to TRUE and `sharedkey` is
+    unset.)
+
 `encryption.blacklisted-algorithms`
 :   Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
 
@@ -193,33 +218,6 @@ The following SAML 2.0 options are available:
     entry in the SP-remote metadata overrides the option in the
     [IdP-hosted metadata](./simplesamlphp-reference-idp-hosted).
 
-`SingleLogoutService`
-:   The URL of the SingleLogoutService endpoint for this SP.
-    This option is required if you want to implement single logout for
-    this SP. If the option isn't specified, this SP will not be logged
-    out automatically when a single logout operation is initialized.
-
-:   The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints).
-
-`SingleLogoutServiceResponse`
-:   The URL logout responses to this SP should be sent. If this option
-    is unspecified, the `SingleLogoutService` endpoint will be used as
-    the recipient of logout responses.
-
-`SPNameQualifier`
-:   SP NameQualifier for this SP. If not set, the IdP will set the
-    SPNameQualifier to be the SP entity ID.
-
-`certData`
-:   The base64 encoded certificate for this SP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option.
-
-`certificate`
-:   Name of certificate file for this SP. The certificate is used to
-    verify the signature of messages received from the SP (if
-    `redirect.validate`is set to `TRUE`), and to encrypting assertions
-    (if `assertion.encryption` is set to TRUE and `sharedkey` is
-    unset.)
-
 `saml20.sign.response`
 :   Whether `<samlp:Response>` messages should be signed.
     Defaults to `TRUE`.
@@ -259,6 +257,12 @@ The following SAML 2.0 options are available:
 :   Certificate file included by IdP for KeyInfo within the signature for the SP, in PEM format. The filename is relative to the cert/-directory.
 :   If `signature.privatekey` is present and `signature.certificate` is left blank, X509Certificate will not be included with the signature.
 
+`sign.logout`
+:   Whether to sign logout messages sent to this SP.
+
+:   Note that this option also exists in the IdP-hosted metadata.
+    The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
+
 `simplesaml.nameidattribute`
 :   When the value of the `NameIDFormat`-option is set to either
     `email` or `persistent`, this is the name of the attribute which
@@ -276,26 +280,22 @@ The following SAML 2.0 options are available:
 :   Whether the SP should receive any attributes from the IdP. The
     default value is `TRUE`.
 
-`attributeencodings`
-:   What encoding should be used for the different attributes. This is
-    an array which maps attribute names to attribute encodings. There
-    are three different encodings:
-
-:   -   `string`: Will include the attribute as a normal string. This is
-        the default.
-
-:   -   `base64`: Store the attribute as a base64 encoded string. This
-        is the default when the `base64attributes`-option is set to
-        `TRUE`.
+`SingleLogoutService`
+:   The URL of the SingleLogoutService endpoint for this SP.
+    This option is required if you want to implement single logout for
+    this SP. If the option isn't specified, this SP will not be logged
+    out automatically when a single logout operation is initialized.
 
-:   -   `raw`: Store the attribute without any modifications. This
-        makes it possible to include raw XML in the response.
+:   The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints).
 
-`sign.logout`
-:   Whether to sign logout messages sent to this SP.
+`SingleLogoutServiceResponse`
+:   The URL logout responses to this SP should be sent. If this option
+    is unspecified, the `SingleLogoutService` endpoint will be used as
+    the recipient of logout responses.
 
-:   Note that this option also exists in the IdP-hosted metadata.
-    The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
+`SPNameQualifier`
+:   SP NameQualifier for this SP. If not set, the IdP will set the
+    SPNameQualifier to be the SP entity ID.
 
 `validate.authnrequest`
 :   Whether we require signatures on authentication requests sent from this SP.
@@ -383,6 +383,11 @@ Shibboleth 1.3 options
 
 The following options for Shibboleth 1.3 SP's are avaiblable:
 
+`audience`
+:   The value which should be given in the `<Audience>`-element in the
+    `<AudienceRestrictionCondition>`-element in the response. The
+    default value is the entity ID of the SP.
+
 `AssertionConsumerService`
 :   The URL of the AssertionConsumerService endpoint for this SP.
     This endpoint must accept the SAML responses encoded with the
@@ -397,11 +402,6 @@ The following options for Shibboleth 1.3 SP's are avaiblable:
     `<NameIdentifier>`-element should be. The default value is the
     entity ID of the SP.
 
-`audience`
-:   The value which should be given in the `<Audience>`-element in the
-    `<AudienceRestrictionCondition>`-element in the response. The
-    default value is the entity ID of the SP.
-
 `scopedattributes`
 :   Array with names of attributes which should be scoped. Scoped
     attributes will receive a `Scope`-attribute on the