diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/Version.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/Version.java
index 100b0fdbd..55fc0566d 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/Version.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/Version.java
@@ -26,9 +26,9 @@ public class Version implements Serializable {
private String creator;
- @JsonFormat(pattern = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'")
+ @JsonFormat(pattern = "yyyy-MM-dd'T'HH:mm:ss.SSSSSS")
private ZonedDateTime date;
private static final long serialVersionUID = 3429591830989243421L;
-}
+}
\ No newline at end of file
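Review bot: The new pattern on the `@JsonFormat` line serializes a `ZonedDateTime` with no zone designator, so a consumer of the JSON cannot tell whether `2019-05-20T15:00:00.574000` is UTC or the server's local time; the old pattern was misleading in the opposite direction, emitting a literal `Z` regardless of the value's actual zone. `date` (next to `creator`) is effectively an audit field on a version record, and an unambiguous instant matters there, so I would keep an offset in the output, e.g. `@JsonFormat(pattern = "yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXX", timezone = "UTC")`, or drop the custom pattern and let the ISO-8601 default carry the offset. If the six-digit fraction exists to match what the database hands back, a one-line comment on the field saying so would save the next reader the guess.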
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
index bf1367934..46042589e 100644
--- a/backend/src/main/resources/application.yml
+++ b/backend/src/main/resources/application.yml
@@ -22,6 +22,7 @@
# identityProviderMetadataPath: "/etc/shibui/idp-metadata.xml"
# forceServiceProviderMetadataGeneration: false
# callbackUrl: "https://localhost:8443/callback"
+# postLogoutURL: "https://idp.example.com/idp/profile/Logout" # Must set this to get IDP logout
# maximumAuthenticationLifetime: 3600000
# requireAssertedRoleForNewUsers: false
# saml2ProfileMapping:
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/VersionJsonSerializationBasicTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/VersionJsonSerializationBasicTests.groovy
index b7fecdf4d..2ceb78df6 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/VersionJsonSerializationBasicTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/VersionJsonSerializationBasicTests.groovy
@@ -27,7 +27,7 @@ class VersionJsonSerializationBasicTests extends Specification {
{
"id": "2",
"creator": "kramer",
- "date": "2019-05-20T15:00:00.574Z"
+ "date": "2019-05-20T15:00:00.574000"
}
"""
def expectedJsonMap = jsonSlurper.parseText(expectedJson)
@@ -40,4 +40,4 @@ class VersionJsonSerializationBasicTests extends Specification {
deSerializedJsonMap.id == expectedJsonMap.id
deSerializedJsonMap.creator == expectedJsonMap.creator
}
-}
+}
\ No newline at end of file
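Review bot: The expected JSON's `"date"` value changes format in the first hunk, but the assertions visible at the end of the spec compare only `id` and `creator`, so the new serialization format is not actually verified unless a date comparison exists in lines outside these hunks. Add `deSerializedJsonMap.date == expectedJsonMap.date` next to the two existing comparisons; as written, reverting the `@JsonFormat` pattern would still leave this test green. The `then:` block these assertions belong to starts outside the hunk.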
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java
index fd018d4b6..5853da065 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java
@@ -8,6 +8,7 @@
import net.unicon.shibui.pac4j.authenticator.ShibuiSAML2Authenticator;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
+import org.pac4j.core.engine.LogoutLogic;
import org.pac4j.core.matching.matcher.PathMatcher;
import org.pac4j.core.profile.definition.CommonProfileDefinition;
import org.pac4j.http.client.direct.HeaderClient;
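Review bot: `org.pac4j.core.engine.LogoutLogic` is imported on the added line, but nothing in this file's hunks references it; unless it is used somewhere in the class outside the diff, drop the import. Dead imports in a security-configuration class are worth keeping out because they obscure which pac4j engine pieces the configuration actually wires together.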
@@ -69,32 +70,39 @@ public Config config(final Pac4jConfigurationProperties pac4jConfigProps,
case "SAML2":
default:
log.info("**** Configuring PAC4J SAML2");
- final SAML2Configuration saml2Config = new SAML2Configuration();
- saml2Config.setKeystorePath(pac4jConfigProps.getKeystorePath());
- saml2Config.setKeystorePassword(pac4jConfigProps.getKeystorePassword());
- saml2Config.setPrivateKeyPassword(pac4jConfigProps.getPrivateKeyPassword());
- saml2Config.setIdentityProviderMetadataPath(pac4jConfigProps.getIdentityProviderMetadataPath());
- saml2Config.setMaximumAuthenticationLifetime(pac4jConfigProps.getMaximumAuthenticationLifetime());
- saml2Config.setServiceProviderEntityId(pac4jConfigProps.getServiceProviderEntityId());
- saml2Config.setServiceProviderMetadataPath(pac4jConfigProps.getServiceProviderMetadataPath());
- saml2Config.setForceServiceProviderMetadataGeneration(pac4jConfigProps.isForceServiceProviderMetadataGeneration());
- saml2Config.setWantsAssertionsSigned(pac4jConfigProps.isWantAssertionsSigned());
- saml2Config.setAttributeAsId(pac4jConfigProps.getSimpleProfileMapping().getUsername());
+ final SAML2Configuration saml2Config = buildSaml2ConfigFromPac4JConfiguration(pac4jConfigProps);
+
final SAML2Client saml2Client = new SAML2Client(saml2Config);
+ saml2Client.setName(PAC4J_CLIENT_NAME);
saml2Client.addAuthorizationGenerator(saml2ModelAuthorizationGenerator);
SAML2Authenticator saml2Authenticator = new ShibuiSAML2Authenticator(saml2Config.getAttributeAsId(), saml2Config.getMappedAttributes(), userService);
saml2Authenticator.setProfileDefinition(new CommonProfileDefinition(p -> new BetterSAML2Profile(pac4jConfigProps.getSimpleProfileMapping())));
saml2Client.setAuthenticator(saml2Authenticator);
- saml2Client.setName(PAC4J_CLIENT_NAME);
clients.setClients(saml2Client);
break;
}
config.setClients(clients);
return config;
}
-
+
+ private SAML2Configuration buildSaml2ConfigFromPac4JConfiguration(Pac4jConfigurationProperties pac4jConfigProps) {
+ SAML2Configuration saml2Config = new SAML2Configuration();
+ saml2Config.setKeystorePath(pac4jConfigProps.getKeystorePath());
+ saml2Config.setKeystorePassword(pac4jConfigProps.getKeystorePassword());
+ saml2Config.setPrivateKeyPassword(pac4jConfigProps.getPrivateKeyPassword());
+ saml2Config.setIdentityProviderMetadataPath(pac4jConfigProps.getIdentityProviderMetadataPath());
+ saml2Config.setMaximumAuthenticationLifetime(pac4jConfigProps.getMaximumAuthenticationLifetime());
+ saml2Config.setServiceProviderEntityId(pac4jConfigProps.getServiceProviderEntityId());
+ saml2Config.setServiceProviderMetadataPath(pac4jConfigProps.getServiceProviderMetadataPath());
+ saml2Config.setForceServiceProviderMetadataGeneration(pac4jConfigProps.isForceServiceProviderMetadataGeneration());
+ saml2Config.setWantsAssertionsSigned(pac4jConfigProps.isWantAssertionsSigned());
+ saml2Config.setAttributeAsId(pac4jConfigProps.getSimpleProfileMapping().getUsername());
+ saml2Config.setPostLogoutURL(pac4jConfigProps.getPostLogoutURL());
+ return saml2Config;
+ }
+
@Bean
public ErrorPageRegistrar errorPageRegistrar() {
return this::registerErrorPages;
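Review bot: `buildSaml2ConfigFromPac4JConfiguration` calls `saml2Config.setPostLogoutURL(pac4jConfigProps.getPostLogoutURL())` unconditionally, while `postLogoutURL` has no default in `Pac4jConfigurationProperties` and `WebSecurity` only registers the `LogoutFilter` when the value is non-empty, so in the common unconfigured case `null` is pushed into the SAML2 configuration and whatever default pac4j keeps for that field is overwritten. Guard the setter with the same non-empty check used in `WebSecurity`, e.g. `if (pac4jConfigProps.getPostLogoutURL() != null && !pac4jConfigProps.getPostLogoutURL().isEmpty()) { saml2Config.setPostLogoutURL(pac4jConfigProps.getPostLogoutURL()); }`, or document on the property that `null` is acceptable if pac4j is known to tolerate it (I cannot confirm that from here). The extracted helper also deserves a Javadoc line, e.g. `/** Maps the shibui.pac4j.* properties onto a pac4j SAML2Configuration: keystore, IdP/SP metadata, assertion signing, attribute-as-id and the SLO target. */`.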
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfigurationProperties.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfigurationProperties.java
index 30311ba84..19507d1c0 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfigurationProperties.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfigurationProperties.java
@@ -29,6 +29,7 @@ public class Pac4jConfigurationProperties {
private String serviceProviderEntityId = "https://unicon.net/shibui";
private String serviceProviderMetadataPath = "/tmp/sp-metadata.xml";
private String typeOfAuth = "SAML2";
+ private String postLogoutURL;
private boolean wantAssertionsSigned = true;
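Review bot: The new `postLogoutURL` field carries no documentation, yet it is the switch that turns on the whole SAML logout path in `WebSecurity`, and a reader of the properties class should not have to discover that from the filter wiring. A comment such as `/** IdP single-logout endpoint; when non-empty, a pac4j LogoutFilter is registered and central (IdP) logout is performed after local logout. */` would do. Consider naming it `postLogoutUrl` to match the neighbouring `callbackUrl`/`serviceProviderEntityId` style, provided relaxed binding still maps the `postLogoutURL` YAML key used in the testbed (it should, but verify).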
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
index 884569ac7..cc5ce8e25 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
@@ -5,10 +5,12 @@
import edu.internet2.tier.shibboleth.admin.ui.security.service.IRolesService;
import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService;
import edu.internet2.tier.shibboleth.admin.ui.service.EmailService;
+import org.jadira.usertype.spi.utils.lang.StringUtils;
import org.pac4j.core.authorization.authorizer.DefaultAuthorizers;
import org.pac4j.core.config.Config;
import org.pac4j.core.matching.matcher.Matcher;
import org.pac4j.springframework.security.web.CallbackFilter;
+import org.pac4j.springframework.security.web.LogoutFilter;
import org.pac4j.springframework.security.web.SecurityFilter;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.AutoConfigureOrder;
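Review bot: `org.jadira.usertype.spi.utils.lang.StringUtils` is an internal helper of the Jadira usertype persistence library, pulled in here only for `isNotEmpty`; that makes the pac4j security module depend on another library's SPI package for a string check, and the package can move or disappear on a Jadira upgrade. Spring's `org.springframework.util.StringUtils.hasText(...)` is already on the classpath given the Spring Boot/Security imports in this file and additionally rejects whitespace-only values, so I would use it: `import org.springframework.util.StringUtils;` and `if (StringUtils.hasText(pac4jConfigurationProperties.getPostLogoutURL())) {`.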
@@ -64,12 +66,23 @@ public Pac4jWebSecurityConfigurerAdapter(final Config config, UserService userSe
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/unsecured/**/*").permitAll();
- // adding the authorizor bypasses the default behavior of checking CSRF in Pac4J's default securitylogic+defaultauthorizationchecker
+ // adding the authorizer bypasses the default behavior of checking CSRF in Pac4J's default securitylogic+defaultauthorizationchecker
final SecurityFilter securityFilter = new SecurityFilter(this.config, PAC4J_CLIENT_NAME, DefaultAuthorizers.IS_AUTHENTICATED);
- // add filter based on auth type
- http.antMatcher("/**").addFilterBefore(getFilter(config, pac4jConfigurationProperties.getTypeOfAuth()), BasicAuthenticationFilter.class);
+ // If the post logout URL is configured, setup the logout filter
+ if (StringUtils.isNotEmpty(pac4jConfigurationProperties.getPostLogoutURL())){
+ final LogoutFilter logoutFilter = new LogoutFilter(config);
+ logoutFilter.setLocalLogout(Boolean.TRUE);
+ logoutFilter.setSuffix("login"); // "logout" is redirected before we ever hit the filters - sent to /login?logout
+ logoutFilter.setCentralLogout(Boolean.TRUE);
+ logoutFilter.setDefaultUrl(pac4jConfigurationProperties.getPostLogoutURL());
+ http.antMatcher("/**").addFilterBefore(logoutFilter, BasicAuthenticationFilter.class);
+ }
+
+ // add filters
+ http.antMatcher("/**").addFilterBefore(getFilter(pac4jConfigurationProperties.getTypeOfAuth()), BasicAuthenticationFilter.class);
http.antMatcher("/**").addFilterBefore(securityFilter, BasicAuthenticationFilter.class);
+
// add the new user filter
http.addFilterAfter(new AddNewUserFilter(pac4jConfigurationProperties, userService, rolesService, getPathMatcher("exclude-paths-matcher"), groupService, emailService), SecurityFilter.class);
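Review bot: `logoutFilter.setSuffix("login")` makes the pac4j `LogoutFilter` apply to every request whose path ends in `login`, not only to the `/login?logout` redirect the comment describes, and since it is registered before the `SecurityFilter` an unauthenticated first visit to `/login` appears to go through local+central logout and land on `defaultUrl` (the IdP logout page); please confirm that is the intended first-visit behaviour. Because this is a GET and the comment on the `SecurityFilter` line says pac4j's CSRF check is bypassed, any third-party page that embeds that URL can force a user out of both the UI and the IdP (forced-logout CSRF); if that is accepted for this application, record it in a comment, otherwise restrict the filter to a dedicated logout path and keep Spring's POST+CSRF logout in front of it. Two smaller points: `setLocalLogout(Boolean.TRUE)`/`setCentralLogout(Boolean.TRUE)` can be plain `true`, and the filter's default `logoutUrlPattern` (which, as far as I recall, only accepts relative targets for the `url` request parameter) should be left untouched so the parameter cannot become an open redirect.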
@@ -84,7 +97,7 @@ private Matcher getPathMatcher(String name) {
return config.getMatchers().get(name);
}
- private Filter getFilter(Config config2, String typeOfAuth) {
+ private Filter getFilter(String typeOfAuth) {
switch (typeOfAuth) {
case "SAML2":
return new CallbackFilter(this.config);
diff --git a/testbed/authentication/shibui/application.yml b/testbed/authentication/shibui/application.yml
index 14085a9b7..cb789f06c 100644
--- a/testbed/authentication/shibui/application.yml
+++ b/testbed/authentication/shibui/application.yml
@@ -18,6 +18,7 @@ shibui:
forceServiceProviderMetadataGeneration: true
callbackUrl: "https://shibui.unicon.local/callback"
maximumAuthenticationLifetime: 3600000
+ postLogoutURL: "https://idp.unicon.local/idp/profile/Logout"
simpleProfileMapping:
username: urn:oid:0.9.2342.19200300.100.1.1
firstName: urn:oid:2.5.4.42
diff --git a/testbed/smoke-test/cheat.html b/testbed/smoke-test/cheat.html
new file mode 100644
index 000000000..74682f912
--- /dev/null
+++ b/testbed/smoke-test/cheat.html
@@ -0,0 +1,110 @@
+
+
+Reload Service
+
+Attribute Resolution
+
+
+
+
+metrics
+
+
diff --git a/testbed/smoke-test/db_configs/mariadb.application.yml b/testbed/smoke-test/db_configs/mariadb.application.yml
new file mode 100644
index 000000000..a42a5c8bc
--- /dev/null
+++ b/testbed/smoke-test/db_configs/mariadb.application.yml
@@ -0,0 +1,13 @@
+spring:
+ profiles:
+ include:
+ datasource:
+ platform: mysql
+ driver-class-name: org.mariadb.jdbc.Driver
+ url: jdbc:mariadb://database:3306/shibui
+ username: shibui
+ password: shibui
+ jpa:
+ properties:
+ hibernate:
+ dialect: org.hibernate.dialect.MariaDB103Dialect
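Review bot: `spring.profiles.include:` is left with no value, which is at best a no-op and at worst confuses Boot's property binding depending on the version in use; either give it the profile it is meant to include or delete the two lines (the same empty key appears in the sibling mysql, postgres and sqlServer overrides). The `shibui`/`shibui` credentials are fine for a throwaway smoke-test container, but a header comment such as `# smoke-test only: throwaway credentials, never reuse for a real deployment` makes that explicit for whoever copies this file as a template.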
diff --git a/testbed/smoke-test/db_configs/mariadb.docker-compose.override.yml b/testbed/smoke-test/db_configs/mariadb.docker-compose.override.yml
new file mode 100644
index 000000000..ad9f8ae09
--- /dev/null
+++ b/testbed/smoke-test/db_configs/mariadb.docker-compose.override.yml
@@ -0,0 +1,19 @@
+services:
+ database:
+ image: mariadb
+ environment:
+ MYSQL_DATABASE: shibui
+ MYSQL_USER: shibui
+ MYSQL_PASSWORD: shibui
+ MYSQL_ROOT_PASSWORD: root
+ healthcheck:
+ test: mysql -u shibui --password=shibui shibui -e "select 1"
+ interval: 5s
+ retries: 5
+ start_period: 5s
+ timeout: 10s
+ shib-idp-ui:
+ depends_on:
+ database:
+ condition: service_healthy
+
\ No newline at end of file
diff --git a/testbed/smoke-test/db_configs/mysql.application.yml b/testbed/smoke-test/db_configs/mysql.application.yml
new file mode 100644
index 000000000..b3d434d8a
--- /dev/null
+++ b/testbed/smoke-test/db_configs/mysql.application.yml
@@ -0,0 +1,13 @@
+spring:
+ profiles:
+ include:
+ datasource:
+ platform: mysql
+ driver-class-name: com.mysql.cj.jdbc.Driver
+ url: jdbc:mysql://database:3306/shibui
+ username: shibui
+ password: shibui
+ jpa:
+ properties:
+ hibernate:
+ dialect: org.hibernate.dialect.MySQL8Dialect
diff --git a/testbed/smoke-test/db_configs/mysql.docker-compose.override.yml b/testbed/smoke-test/db_configs/mysql.docker-compose.override.yml
new file mode 100644
index 000000000..6d511c7e6
--- /dev/null
+++ b/testbed/smoke-test/db_configs/mysql.docker-compose.override.yml
@@ -0,0 +1,19 @@
+services:
+ database:
+ image: mysql
+ environment:
+ MYSQL_DATABASE: shibui
+ MYSQL_USER: shibui
+ MYSQL_PASSWORD: shibui
+ MYSQL_ROOT_PASSWORD: root
+ healthcheck:
+ test: mysql -u shibui --password=shibui shibui -e "select 1"
+ interval: 5s
+ retries: 5
+ start_period: 5s
+ timeout: 10s
+ shib-idp-ui:
+ depends_on:
+ database:
+ condition: service_healthy
+
\ No newline at end of file
diff --git a/testbed/smoke-test/db_configs/postgres.application.yml b/testbed/smoke-test/db_configs/postgres.application.yml
new file mode 100644
index 000000000..c9117f2e5
--- /dev/null
+++ b/testbed/smoke-test/db_configs/postgres.application.yml
@@ -0,0 +1,13 @@
+spring:
+ profiles:
+ include:
+ datasource:
+ platform: postgres
+ driver-class-name: org.postgresql.Driver
+ url: jdbc:postgresql://database:5432/shibui
+ username: shibui
+ password: shibui
+ jpa:
+ properties:
+ hibernate:
+ dialect: org.hibernate.dialect.PostgreSQLDialect
\ No newline at end of file
diff --git a/testbed/smoke-test/db_configs/sqlServer.application.yml b/testbed/smoke-test/db_configs/sqlServer.application.yml
new file mode 100644
index 000000000..d6e7a3e68
--- /dev/null
+++ b/testbed/smoke-test/db_configs/sqlServer.application.yml
@@ -0,0 +1,13 @@
+spring:
+ profiles:
+ include:
+ datasource:
+ platform: sqlserver
+ driver-class-name: com.microsoft.sqlserver.jdbc.SQLServerDriver
+ url: jdbc:sqlserver://database:1433
+ username: sa
+ password: Password1
+ jpa:
+ properties:
+ hibernate:
+ dialect: org.hibernate.dialect.SQLServerDialect
\ No newline at end of file
diff --git a/testbed/smoke-test/db_configs/sqlServer.docker-compose.override.yml b/testbed/smoke-test/db_configs/sqlServer.docker-compose.override.yml
new file mode 100644
index 000000000..13d5a0670
--- /dev/null
+++ b/testbed/smoke-test/db_configs/sqlServer.docker-compose.override.yml
@@ -0,0 +1,17 @@
+services:
+ database:
+ build:
+ context: ../sqlServer
+ dockerfile: ../sqlServer/docker/Dockerfile
+ image: smoke-test_database
+# healthcheck:
+# test: mysql -u shibui --password=shibui shibui -e "select 1"
+# interval: 5s
+# retries: 5
+# start_period: 5s
+# timeout: 10s
+# shib-idp-ui:
+# depends_on:
+# database:
+# condition: service_healthy
+
\ No newline at end of file
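Review bot: The commented-out healthcheck is a copy of the MySQL one (`mysql -u shibui --password=shibui …`) and cannot work against SQL Server, and with both it and the `depends_on … service_healthy` block commented out, `shib-idp-ui` may start before the database accepts connections — the very race the mariadb and mysql overrides guard against. Either add a healthcheck using the SQL client shipped in the image built from `../sqlServer` and restore the `depends_on` block, or delete the dead MySQL lines and note in a comment that startup ordering is unguarded for SQL Server.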
diff --git a/testbed/smoke-test/docker-compose.yml b/testbed/smoke-test/docker-compose.yml
new file mode 100644
index 000000000..9e2ac5340
--- /dev/null
+++ b/testbed/smoke-test/docker-compose.yml
@@ -0,0 +1,110 @@
+version: "3.8"
+
+services:
+ reverse-proxy:
+ image: library/traefik:v2.5.2
+ command:
+ - "--api.insecure=true"
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--entrypoints.web-secure.address=:443"
+ - "--providers.file.directory=/configuration/"
+ - "--providers.file.watch=true"
+ #- "--log.level=DEBUG"
+ networks:
+ reverse-proxy:
+ aliases:
+ - idp.unicon.local
+ ports:
+ - "80:80"
+ - "8080:8080"
+ - "443:443"
+ - "8443:8443"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ../reverse-proxy/:/configuration/
+ - ../reverse-proxy/certs/:/certs/
+ directory:
+ build: ../directory
+ networks:
+ - idp
+ volumes:
+ - directory_data:/var/lib/ldap
+ - directory_config:/etc/ldap/slapd.d
+ - ../directory/certs:/container/service/slapd/assets/certs
+ environment:
+ LDAP_BASE_DN: "dc=unicon,dc=local"
+ LDAP_DOMAIN: "unicon.local"
+ HOSTNAME: "directory"
+ LDAP_TLS_VERIFY_CLIENT: "try"
+ database:
+ image: postgres:14-alpine
+ networks:
+ - backend
+ environment:
+ POSTGRES_PASSWORD: shibui
+ POSTGRES_USER: shibui
+ POSTGRES_DB: shibui
+ idp:
+ build: ../integration/shibboleth-idp
+ labels:
+ - "traefik.http.routers.idp.rule=Host(`idp.unicon.local`)"
+ - "traefik.http.services.idp.loadbalancer.server.port=8080"
+ - "traefik.http.routers.idp.tls=true"
+ - "traefik.docker.network=smoke-test_reverse-proxy"
+ - "traefik.enable=true"
+ depends_on:
+ - directory
+ - reverse-proxy
+ networks:
+ - reverse-proxy
+ - idp
+ volumes:
+ - dynamic_metadata:/opt/shibboleth-idp/metadata/dynamic
+ - dynamic_config:/opt/shibboleth-idp/conf/dynamic
+ - ../directory/certs/ca.crt:/opt/shibboleth-idp/credentials/ldap-server.crt
+ - ../authentication/shibboleth-idp/config/shib-idp/conf/attribute-filter.xml:/opt/shibboleth-idp/conf/attribute-filter.xml
+ - ./shibboleth-idp/conf/metadata-providers.xml:/opt/shibboleth-idp/conf/metadata-providers.xml
+ - ./shibboleth-idp/conf/access-control.xml:/opt/shibboleth-idp/conf/access-control.xml
+ - ./shibboleth-idp/metadata/test-provider-config.xml:/opt/shibboleth-idp/metadata/test-provider-config.xml
+ - ../integration/shibboleth-idp/metadata/dynamic/700bfe6fa4495100f5c193fa5b7ca4192c150923.xml:/opt/shibboleth-idp/metadata/700bfe6fa4495100f5c193fa5b7ca4192c150923.xml
+ healthcheck:
+ disable: true
+ shib-idp-ui:
+ image: unicon/shibui:latest
+ labels:
+ - "traefik.http.routers.shibui.rule=Host(`shibui.unicon.local`)"
+ - "traefik.http.services.shibui.loadbalancer.server.port=8080"
+ - "traefik.http.routers.shibui.tls=true"
+ - "traefik.docker.network=smoke-test_reverse-proxy"
+ - "traefik.enable=true"
+ depends_on:
+ database:
+ condition: service_started
+ networks:
+ - reverse-proxy
+ - backend
+ volumes:
+ - dynamic_metadata:/var/shibboleth/dynamic_metadata
+ - dynamic_config:/var/shibboleth/dynamic_config
+ - ../authentication/shibui:/conf
+ - ./shibui/application.yml:/application.yml
+ - ../integration/shibboleth-idp/credentials/shib-idp/inc-md-cert-mdq.pem:/opt/shibboleth-idp/credentials/inc-md-cert-mdq.pem
+ environment:
+ - "IDP_HOME=/opt/shibboleth-idp"
+
+networks:
+ reverse-proxy:
+ idp:
+ backend:
+volumes:
+ directory_data:
+ driver: local
+ directory_config:
+ driver: local
+ dynamic_metadata:
+ driver: local
+ dynamic_config:
+ driver: local
+ database_data:
+ driver: local
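Review bot: The `reverse-proxy` service runs Traefik with `--api.insecure=true`, publishes `8080` on all host interfaces and mounts `/var/run/docker.sock`, so anyone who can reach the host on port 8080 gets the unauthenticated dashboard/API of a proxy that holds a Docker socket. For a smoke-test stack a loopback-only bind is enough: `- "127.0.0.1:8080:8080"`, and the same for `80` and `8443`, for which no entrypoint is defined at all (only `web-secure` on `:443` is configured). Two consistency points: `traefik.docker.network=smoke-test_reverse-proxy` hard-codes the Compose project name, so running with `-p` or from a renamed directory silently breaks routing, and the `database_data` volume is declared but never mounted by `database`, so Postgres data is discarded on every recreate — fine if intended, but say so in a comment.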
diff --git a/testbed/smoke-test/setdb.sh b/testbed/smoke-test/setdb.sh
new file mode 100755
index 000000000..4795526a2
--- /dev/null
+++ b/testbed/smoke-test/setdb.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+DB=$1
+
+if [[ ! "$DB" =~ ^(postgres|mariadb|mysql|sqlServer)$ ]];
+then
+ echo "argument must be one of: postgres mariadb mysql sqlServer"
+ exit 0;
+fi
+
+if [[ $DB == "postgres" ]];
+then
+rm -f docker-compose.override.yml
+else
+rm -f docker-compose.override.yml
+ln -s db_configs/$DB.docker-compose.override.yml docker-compose.override.yml
+fi
+
+rm -f shibui/application.yml
+cat shibui/application.yml.nodb db_configs/$DB.application.yml >> shibui/application.yml
+
+echo "shibui will now use the $DB container"
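Review bot: The argument check on the `if [[ ! "$DB" =~ …` line exits with status `0` on an invalid name, so a caller or CI step that chains `./setdb.sh foo && docker compose up` proceeds as if the switch succeeded; it should be `exit 1`. Adding `set -euo pipefail` after the shebang also turns a missing `db_configs/$DB.application.yml` into a hard failure instead of a half-written `shibui/application.yml`, and `>` reads more honestly than `>>` on the `cat` line given the `rm -f` just before it. Both branches of the `if [[ $DB == "postgres" ]]` block run `rm -f docker-compose.override.yml`; hoisting that line above the `if` leaves only the `ln -s` in the `else` branch.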
diff --git a/testbed/smoke-test/shibboleth-idp/conf/access-control.xml b/testbed/smoke-test/shibboleth-idp/conf/access-control.xml
new file mode 100644
index 000000000..053bc22c7
--- /dev/null
+++ b/testbed/smoke-test/shibboleth-idp/conf/access-control.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/testbed/smoke-test/shibboleth-idp/conf/metadata-providers.xml b/testbed/smoke-test/shibboleth-idp/conf/metadata-providers.xml
new file mode 100644
index 000000000..bd90a4751
--- /dev/null
+++ b/testbed/smoke-test/shibboleth-idp/conf/metadata-providers.xml
@@ -0,0 +1,101 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ https://mdq.incommon.org/
+
+
+
diff --git a/testbed/smoke-test/shibboleth-idp/metadata/test-provider-config.xml b/testbed/smoke-test/shibboleth-idp/metadata/test-provider-config.xml
new file mode 100644
index 000000000..caec9caf4
--- /dev/null
+++ b/testbed/smoke-test/shibboleth-idp/metadata/test-provider-config.xml
@@ -0,0 +1,38 @@
+
+
+
+
+
+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+
+
+
+
+
+
+
+
+
+
diff --git a/testbed/smoke-test/shibui/application.yml b/testbed/smoke-test/shibui/application.yml
new file mode 100644
index 000000000..df9137c0b
--- /dev/null
+++ b/testbed/smoke-test/shibui/application.yml
@@ -0,0 +1,40 @@
+server:
+ forward-headers-strategy: NATIVE
+shibui:
+ default-password: "{noop}letmein7"
+ metadata-dir: /var/shibboleth/dynamic_metadata
+ metadataProviders:
+ target: file:/var/shibboleth/dynamic_config/metadata-providers.xml
+ user-bootstrap-resource: file:/conf/users.csv
+ roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_ENABLE,ROLE_PONY
+ pac4j-enabled: true
+ pac4j:
+ keystorePath: "/conf/samlKeystore.jks"
+ keystorePassword: "changeit"
+ privateKeyPassword: "changeit"
+ serviceProviderEntityId: "https://unicon.net/test/shibui"
+ serviceProviderMetadataPath: "/conf/sp-metadata.xml"
+ identityProviderMetadataPath: "/conf/idp-metadata.xml"
+ forceServiceProviderMetadataGeneration: true
+ callbackUrl: "https://shibui.unicon.local/callback"
+ maximumAuthenticationLifetime: 3600000
+ simpleProfileMapping:
+ username: urn:oid:0.9.2342.19200300.100.1.1
+ firstName: urn:oid:2.5.4.42
+ lastName: urn:oid:2.5.4.4
+ email: urn:oid:0.9.2342.19200300.100.1.3
+ groups: urn:oid:2.5.4.15 # businessCategory
+ roles: urn:oid:1.3.6.1.4.1.5923.1.1.1.7 # eduPersonEntitlement
+spring:
+ profiles:
+ include:
+ datasource:
+ platform: postgres
+ driver-class-name: org.postgresql.Driver
+ url: jdbc:postgresql://database:5432/shibui
+ username: shibui
+ password: shibui
+ jpa:
+ properties:
+ hibernate:
+ dialect: org.hibernate.dialect.PostgreSQLDialect
\ No newline at end of file
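Review bot: This committed `shibui/application.yml` is exactly `application.yml.nodb` plus `db_configs/postgres.application.yml`, which is what `setdb.sh` deletes and regenerates on every run, so the checked-in copy will drift from its sources and show up as a dirty working tree after each `setdb.sh`. Either drop it from the repository and ignore it (documenting `setdb.sh postgres` as the first step), or keep it and make the script the only writer. Separately, `default-password: "{noop}letmein7"` and the `changeit` keystore passwords are testbed defaults; a header comment `# smoke-test only: throwaway passwords and keystore, never reuse for a real deployment` stops this file being used as a template.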
diff --git a/testbed/smoke-test/shibui/application.yml.nodb b/testbed/smoke-test/shibui/application.yml.nodb
new file mode 100644
index 000000000..b4a070c2c
--- /dev/null
+++ b/testbed/smoke-test/shibui/application.yml.nodb
@@ -0,0 +1,27 @@
+server:
+ forward-headers-strategy: NATIVE
+shibui:
+ default-password: "{noop}letmein7"
+ metadata-dir: /var/shibboleth/dynamic_metadata
+ metadataProviders:
+ target: file:/var/shibboleth/dynamic_config/metadata-providers.xml
+ user-bootstrap-resource: file:/conf/users.csv
+ roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_ENABLE,ROLE_PONY
+ pac4j-enabled: true
+ pac4j:
+ keystorePath: "/conf/samlKeystore.jks"
+ keystorePassword: "changeit"
+ privateKeyPassword: "changeit"
+ serviceProviderEntityId: "https://unicon.net/test/shibui"
+ serviceProviderMetadataPath: "/conf/sp-metadata.xml"
+ identityProviderMetadataPath: "/conf/idp-metadata.xml"
+ forceServiceProviderMetadataGeneration: true
+ callbackUrl: "https://shibui.unicon.local/callback"
+ maximumAuthenticationLifetime: 3600000
+ simpleProfileMapping:
+ username: urn:oid:0.9.2342.19200300.100.1.1
+ firstName: urn:oid:2.5.4.42
+ lastName: urn:oid:2.5.4.4
+ email: urn:oid:0.9.2342.19200300.100.1.3
+ groups: urn:oid:2.5.4.15 # businessCategory
+ roles: urn:oid:1.3.6.1.4.1.5923.1.1.1.7 # eduPersonEntitlement