diff --git a/comanage-registry-shibboleth-sp/Dockerfile.template b/comanage-registry-shibboleth-sp/Dockerfile.template
index 38b00cc..0e68db2 100644
--- a/comanage-registry-shibboleth-sp/Dockerfile.template
+++ b/comanage-registry-shibboleth-sp/Dockerfile.template
@@ -142,6 +142,7 @@ RUN /usr/sbin/useradd --system _shibd \
       && chown _shibd:_shibd /var/run/shibboleth \
       && chown -R _shibd:_shibd /opt/shibboleth-sp/var \
       && cp -a /opt/shibboleth-sp/etc/shibboleth /etc/shibboleth \
+      && rm -f /etc/shibboleth/shibboleth2.xml \
       && chown _shibd:_shibd /etc/shibboleth/sp-cert.pem \
       && chown _shibd:_shibd /etc/shibboleth/sp-key.pem \
       && cd /opt/shibboleth-sp/etc \
@@ -151,7 +152,6 @@ RUN /usr/sbin/useradd --system _shibd \
       && apt-get install -y --no-install-recommends supervisor \
       && mkdir -p /var/log/supervisor
 
-COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 
 ARG COMANAGE_REGISTRY_VERSION=%%COMANAGE_REGISTRY_VERSION%%
 ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/$COMANAGE_REGISTRY_VERSION.tar.gz
@@ -173,6 +173,7 @@ RUN apt-get update && apt-get install -y \
          ssl-cert \
          wget \
          zlib1g \
+         libpcre3-dev \
       && docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql \
       && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu \
       && docker-php-ext-configure mysqli --with-mysqli=/usr/bin/mysql_config \
@@ -221,7 +222,11 @@ RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \
       && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem  \
       && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" 
 
+COPY shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml.template
+COPY supervisord.conf /usr/local/etc/supervisord.conf
+
 COPY docker-comanage-entrypoint /usr/local/bin/
+COPY docker-comanage-shibboleth-sp-entrypoint /usr/local/bin/
 
 # expose COmanage Registry local directory
 VOLUME ["/local"]
@@ -246,4 +251,4 @@ ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No}
 # expose Shibboleth SP configuration files
 VOLUME ["/etc/shibboleth"]
 
-ENTRYPOINT ["/usr/bin/supervisord"]
+ENTRYPOINT ["/usr/bin/supervisord", "-c", "/usr/local/etc/supervisord.conf"]
diff --git a/comanage-registry-shibboleth-sp/docker-comanage-shibboleth-sp-entrypoint b/comanage-registry-shibboleth-sp/docker-comanage-shibboleth-sp-entrypoint
new file mode 100755
index 0000000..500454b
--- /dev/null
+++ b/comanage-registry-shibboleth-sp/docker-comanage-shibboleth-sp-entrypoint
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# COmanage Registry Shibboleth SP Dockerfile entrypoint
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ -n "$COMANAGE_DEBUG" ]
+then
+    OUTPUT=/dev/stdout
+else
+    OUTPUT=/dev/null
+fi
+
+# Configuration details that may be injected through environment
+# variables or the contents of files.
+
+injectable_config_vars=( 
+    SHIBBOLETH_SP_ENTITY_ID
+    SHIBBOLETH_SP_CERT
+    SHIBBOLETH_SP_PRIVKEY
+    SHIBBOLETH_SP_SAMLDS_URL
+    SHIBBOLETH_SP_METADATA_PROVIDER_XML
+)
+
+# If the file associated with a configuration variable is present then 
+# read the value from it into the appropriate variable. So for example
+# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its
+# value points to a file on the file system then read the contents
+# of that file into the variable COMANAGE_REGISTRY_DATASOURCE.
+
+for config_var in "${injectable_config_vars[@]}"
+do
+    eval file_name=\$"${config_var}_FILE";
+
+    if [ -e "$file_name" ]; then
+        declare "${config_var}"=`cat $file_name`
+    fi
+done
+
+# If no shibboleth2.xml file is present then create one using 
+# injected information or defaults that are not particularly
+# useful in a federated context but will allow shibd to start.
+if [ ! -e /etc/shibboleth/shibboleth2.xml ]; then
+    cp /etc/shibboleth/shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml
+    sed -i -e s@%%SHIBBOLETH_SP_ENTITY_ID%%@"${SHIBBOLETH_SP_ENTITY_ID:-https://comanage.registry/shibboleth}"@ /etc/shibboleth/shibboleth2.xml
+    sed -i -e s@%%SHIBBOLETH_SP_SAMLDS_URL%%@"${SHIBBOLETH_SP_SAMLDS_URL:-https://localhost/registry/pages/eds/index}"@ /etc/shibboleth/shibboleth2.xml
+
+    # The metadata provider injected input most likely contains special characters
+    # so use a sed script instead of simple substitution on the command line.
+
+    if [ -n "$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" ]; then
+        xml_content_file="$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE"
+    else
+        xml_content_file=`/bin/mktemp`
+        echo ${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-} > ${xml_content_file}
+    fi
+
+    sed_script_file=`/bin/mktemp`
+    cat >> ${sed_script_file}<<EOF
+/%%SHIBBOLETH_SP_METADATA_PROVIDER_XML%%/ {
+    r ${xml_content_file}
+    d
+}
+EOF
+
+    sed -i -f ${sed_script_file} /etc/shibboleth/shibboleth2.xml
+    
+    chmod 0644 /etc/shibboleth/shibboleth2.xml
+fi
+
+# If defined use configured location of Shibboleth SP SAML certificate and key.
+if [ -n "$SHIBBOLETH_SP_CERT" ]; then
+    cp "$SHIBBOLETH_SP_CERT" /etc/shibboleth/sp-cert.pem
+    chown _shibd /etc/shibboleth/sp-cert.pem
+    chmod 0644 /etc/shibboleth/sp-cert.pem
+fi
+
+if [ -n "$SHIBBOLETH_SP_PRIVKEY" ]; then
+    cp "$SHIBBOLETH_SP_PRIVKEY" /etc/shibboleth/sp-key.pem
+    chown _shibd /etc/shibboleth/sp-key.pem
+    chmod 0600 /etc/shibboleth/sp-key.pem
+fi
+
+exec /opt/shibboleth-sp/sbin/shibd -f -u _shibd -g _shibd -c /etc/shibboleth/shibboleth2.xml -p /var/run/shibboleth/shibd.pid -F
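Review bot: In the `_FILE` loop the backtick output in ``declare "${config_var}"=`cat $file_name` `` is unquoted, so file content containing whitespace or glob characters is word-split and the variable does not receive the whole value; the `eval` on the line before it can be replaced by `${!name}` indirection. The same unquoted pattern in `echo ${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-} > ${xml_content_file}` collapses whitespace and expands any `*` in the XML. The two `sed -i -e s@…@` substitutions also insert the injected values as raw replacement text, so an `&`, `\` or `@` in the entity ID or discovery URL alters the generated `shibboleth2.xml`. Separately, `cp "$SHIBBOLETH_SP_PRIVKEY" …` followed by `chmod 0600` leaves the key with the umask's default mode in between; `install -o _shibd -m 0600 "$SHIBBOLETH_SP_PRIVKEY" /etc/shibboleth/sp-key.pem` sets owner and mode in one step. The fence below sketches the quoting changes.

```shell
for config_var in "${injectable_config_vars[@]}"
do
    # indirect expansion replaces eval; the value is never re-parsed as shell code
    file_var="${config_var}_FILE"
    file_name="${!file_var:-}"

    if [ -e "$file_name" ]; then
        # printf -v assigns the whole file content, with no word splitting or globbing
        printf -v "$config_var" '%s' "$(cat -- "$file_name")"
    fi
done

# … unchanged: shibboleth2.xml existence check and template copy …

    # escape \, & and the @ delimiter so injected values are inserted literally
    escape_sed_replacement() { printf '%s' "$1" | sed -e 's/[\\&@]/\\&/g'; }
    entity_id=$(escape_sed_replacement "${SHIBBOLETH_SP_ENTITY_ID:-https://comanage.registry/shibboleth}")
    sed -i -e "s@%%SHIBBOLETH_SP_ENTITY_ID%%@${entity_id}@" /etc/shibboleth/shibboleth2.xml
    # … same escaping for the SHIBBOLETH_SP_SAMLDS_URL substitution …

    # … unchanged: metadata provider file selection …
        printf '%s\n' "${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-}" > "${xml_content_file}"
```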
diff --git a/comanage-registry-shibboleth-sp/shibboleth2.xml.template b/comanage-registry-shibboleth-sp/shibboleth2.xml.template
new file mode 100644
index 0000000..dda4d13
--- /dev/null
+++ b/comanage-registry-shibboleth-sp/shibboleth2.xml.template
@@ -0,0 +1,51 @@
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    logger="/etc/shibboleth/console.logger"
+    clockSkew="180">
+
+    <ApplicationDefaults entityID="%%SHIBBOLETH_SP_ENTITY_ID%%"
+                         REMOTE_USER="eppn persistent-id targeted-id">
+
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https" >
+
+           <SSO discoveryProtocol="SAMLDS"
+                discoveryURL="%%SHIBBOLETH_SP_SAMLDS_URL%%" > 
+             SAML2
+           </SSO>
+
+           <Logout>Local</Logout>
+
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
+
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <Errors supportContact="root@localhost"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+        
+        %%SHIBBOLETH_SP_METADATA_PROVIDER_XML%%
+
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+    </ApplicationDefaults>
+    
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
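Review bot: `showAttributeValues="true"` on the `Session` handler makes `/Session` display the values of the released attributes to whoever holds the session, which helps debugging but is a permissive setting to bake into the template every container starts from. Consider `<Handler type="Session" Location="/Session" showAttributeValues="false"/>` and letting deployers opt in. The `%%…%%` placeholders are also undocumented in the file; a short XML comment at the top naming the three placeholders and stating that the container entrypoint fills them in would help anyone editing the template by hand.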
diff --git a/comanage-registry-shibboleth-sp/supervisord.conf b/comanage-registry-shibboleth-sp/supervisord.conf
index f9a33b6..8b3e8e3 100644
--- a/comanage-registry-shibboleth-sp/supervisord.conf
+++ b/comanage-registry-shibboleth-sp/supervisord.conf
@@ -19,6 +19,7 @@
 
 [supervisord]
 nodaemon=true
+user=root
 
 [program:apache2]
 command=/usr/local/bin/docker-comanage-entrypoint apache2-foreground
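Review bot: The added `user=root` under `[supervisord]` has no comment saying why root is required, and every program listed here inherits it unless it drops privileges itself. From the entrypoint added in this commit, root appears to be needed for the `chown` calls under `/etc/shibboleth`, with `shibd` then switching to `_shibd` through `-u`/`-g`. A comment such as `; runs as root so the entrypoints can chown config files; shibd drops to _shibd itself` would record that, and it is worth confirming that the `apache2` program drops privileges as well.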
@@ -28,7 +29,7 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 
 [program:shibd]
-command=/opt/shibboleth-sp/sbin/shibd -f -u _shibd -g _shibd -c /etc/shibboleth/shibboleth2.xml -p /var/run/shibboleth/shibd.pid -F
+command=/usr/local/bin/docker-comanage-shibboleth-sp-entrypoint
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr