}

    // Test backward compatibility: aad -> entraid mapping
    @Test
    public void test_getAuthenticator_aadMapsToEntraid() {
        // Register an authenticator with the new "entraid" name
        ComponentUtil.register(testAuthenticator, "entraidAuthenticator");

        // Use legacy "aad" SSO type
        currentSsoType = "aad";
        ssoManager = new SsoManager() {
            @Override

        // When
        byte[] aad = transformHeader.getAssociatedData();

        // Then
        assertEquals(52, aad.length); // AAD should be same size as transform header

        // Verify protocol ID (first 4 bytes) - 0xFD534D42 in little-endian
        assertEquals((byte) 0x42, aad[0]);
        assertEquals((byte) 0x4D, aad[1]);
        assertEquals((byte) 0x53, aad[2]);
        assertEquals((byte) 0xFD, aad[3]);

	aad, err := req.AssociatedData.MarshalText()
	if err != nil {
		return DEK{}, err
	}

	name := req.Name
	if name == "" {
		name = c.defaultKey
	}

	resp, err := c.client.GenerateKey(ctx, c.enclave, &kms.GenerateKeyRequest{
		Name:           name,
		AssociatedData: aad,
		Length:         32,
	})
	if err != nil {

        final AEADBlockCipher cipher = createCCMCipher(true, nonce, associatedData.length, message.length);

        // Process AAD (not included in output)
        cipher.processAADBytes(associatedData, 0, associatedData.length);

        // Process message (will be encrypted)
        final byte[] output = new byte[cipher.getOutputSize(message.length)];

            public String getSystemProperty(final String key) {
                return systemPropMap.get(key);
            }
        };

        // Test fallback to legacy aad.permission.fields key
        systemPropMap.put("aad.permission.fields", "mail,displayName");
        String[] fields = fessConfig.getEntraIdPermissionFields();
        assertEquals(2, fields.length);
        assertEquals("mail", fields[0]);