The auto-generated metadata created by net.shibboleth.idp.installer.metadata.MetadataGenerator includes MDUI metadata in both the IDPSSODescriptor and the AttributeAuthorityDescriptor.
While this is permitted by the specification (because I lost an argument with Chad), I don't think it's necessary because it is normally IdPs that are being discovered and not attribute authorities. As a result, the UKf tooling actually rejects MDUI metadata in the AA descriptor because it's usually there as a mistake.
I don't think we should include MDUI in example AA role descriptors, because doing so implies that it is in some sense necessary or recommended. We should drop this part of the output while retaining it in the SSO descriptor.
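
Added example, not part of the original report and not code from the Shibboleth project or the UK federation tooling: a Python check that flags MDUI elements inside an AttributeAuthorityDescriptor and strips them while leaving the IDPSSODescriptor untouched. The function names, the entityID and the sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"

# Constructed sample input, not real generator output.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:mdui="{MDUI}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo><mdui:DisplayName xml:lang="en">Example IdP</mdui:DisplayName></mdui:UIInfo>
    </md:Extensions>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo><mdui:DisplayName xml:lang="en">Example IdP</mdui:DisplayName></mdui:UIInfo>
    </md:Extensions>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""


def mdui_in_aa(root):
    """Return (entityID, element name) for each MDUI element in an AA role's Extensions."""
    findings = []
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        for ext in entity.findall(f"{{{MD}}}AttributeAuthorityDescriptor/{{{MD}}}Extensions"):
            for child in ext:
                if child.tag.startswith(f"{{{MDUI}}}"):
                    findings.append((entity.get("entityID"), child.tag.split("}", 1)[1]))
    return findings


def strip_mdui_from_aa(root):
    """Remove MDUI elements from AA roles only; return how many were removed."""
    removed = 0
    for aa in root.iter(f"{{{MD}}}AttributeAuthorityDescriptor"):
        for ext in aa.findall(f"{{{MD}}}Extensions"):
            for child in list(ext):
                if child.tag.startswith(f"{{{MDUI}}}"):
                    ext.remove(child)
                    removed += 1
            if len(ext) == 0:  # an empty md:Extensions is not schema-valid, so drop it
                aa.remove(ext)
    return removed


if __name__ == "__main__":
    root = ET.fromstring(SAMPLE)
    print(mdui_in_aa(root), strip_mdui_from_aa(root))
```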