diff --git a/comanage-registry-shibboleth-sp/000-comanage.conf b/comanage-registry-shibboleth-sp/000-comanage.conf
new file mode 100644
index 0000000..db48f48
--- /dev/null
+++ b/comanage-registry-shibboleth-sp/000-comanage.conf
@@ -0,0 +1,46 @@
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
+
+
+
+
+ DocumentRoot /var/www/html
+
+ RedirectMatch ^/$ /registry/
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ LogLevel warn
+
+ Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+ SSLEngine on
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+ SSLHonorCipherOrder on
+
+ SSLCertificateFile /etc/apache2/cert.pem
+ SSLCertificateKeyFile /etc/apache2/privkey.pem
+ SSLCertificateChainFile /etc/apache2/chain.pem
+
+
+ Options Indexes FollowSymLinks
+ DirectoryIndex index.php
+ AllowOverride All
+ Require all granted
+
+
+
+ SetHandler shib
+
+
+
+ AuthType shibboleth
+ ShibRequestSetting requireSession 1
+ Require valid-user
+
+
+
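Review bot: `Options Indexes FollowSymLinks` in the `/var/www/html` directory block enables automatic directory listings, so any path under the document root (including the `registry` symlink into the application tree) that lacks an index file will have its contents enumerated; change it to `Options -Indexes +FollowSymLinks` — FollowSymLinks is still required because `/var/www/html/registry` is a symlink created by the Dockerfile. `SSLProtocol all -SSLv2 -SSLv3` still allows TLS 1.0 and 1.1; if the Apache/OpenSSL in the base image accepts it, `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` is the stricter form and pairs better with the HSTS header set above it. The `<VirtualHost>`, `<Directory>` and `<Location>` container lines appear to have been stripped in this rendering of the hunk, so the block boundaries are inferred from the blank lines.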
diff --git a/comanage-registry-shibboleth-sp/Dockerfile.template b/comanage-registry-shibboleth-sp/Dockerfile.template
new file mode 100644
index 0000000..3c71d38
--- /dev/null
+++ b/comanage-registry-shibboleth-sp/Dockerfile.template
@@ -0,0 +1,242 @@
+# Copyright (C) 2017 Spherical Cow Group
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under
+# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the specific language governing
+# permissions and limitations under the License.
+
+# Official PHP image with Apache HTTPD includes
+# --with-openssl
+# --with-mbstring
+# but xls, pdo, pdo_mysql, pdo_pgsql, mysqli, pgsql,
+# and ldap extensions must be built.
+FROM php:7.0-apache
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ apache2-dev \
+ file \
+ gcc \
+ g++ \
+ libboost-dev \
+ libcurl4-openssl-dev \
+ libssl-dev \
+ libssl1.0.0 \
+ make \
+ wget
+
+ARG LOG4SHIB_URL=http://shibboleth.net/downloads/log4shib/latest/log4shib-1.0.9.tar.gz
+
+RUN wget -O log4shib.tar.gz "${LOG4SHIB_URL}" \
+ && mkdir -p src \
+ && tar -zxf log4shib.tar.gz -C src --strip-components=1 \
+ && rm -f log4shib.tar.gz \
+ && cd src \
+ && LD_FLAGS=-lpthread CXXFLAGS=-fPIC ./configure --disable-static \
+ --disable-doxygen \
+ --prefix=/opt/shibboleth-sp \
+ --build=x86_64 \
+ && LD_FLAGS=-lpthread make \
+ && make install \
+ && cd .. \
+ && rm -r src
+
+ARG XERCESC_URL=http://ftp.wayne.edu/apache/xerces/c/3/sources/xerces-c-3.1.4.tar.gz
+
+RUN wget -O xerces.tar.gz "${XERCESC_URL}" \
+ && mkdir -p src \
+ && tar -zxf xerces.tar.gz -C src --strip-components=1 \
+ && rm -f xerces.tar.gz \
+ && cd src \
+ && ./configure --prefix=/opt/shibboleth-sp \
+ && make \
+ && make install \
+ && cd .. \
+ && rm -r src
+
+ARG XMLSECC_URL=http://ftp.wayne.edu/apache/santuario/c-library/xml-security-c-1.7.3.tar.gz
+
+RUN wget -O xmlsecc.tar.gz "${XMLSECC_URL}" \
+ && mkdir -p src \
+ && tar -zxf xmlsecc.tar.gz -C src --strip-components=1 \
+ && rm -f xmlsecc.tar.gz \
+ && cd src \
+ && ./configure --prefix=/opt/shibboleth-sp \
+ --with-xerces=/opt/shibboleth-sp \
+ --with-openssl=/usr \
+ --disable-static \
+ --without-xalan \
+ && make \
+ && make install \
+ && cd .. \
+ && rm -r src
+
+ARG XMLTOOLING_URL=http://shibboleth.net/downloads/c++-opensaml/latest/xmltooling-1.6.0.tar.gz
+
+RUN wget -O xmltooling.tar.gz "${XMLTOOLING_URL}" \
+ && mkdir -p src \
+ && tar -zxf xmltooling.tar.gz -C src --strip-components=1 \
+ && rm -f xmltooling.tar.gz \
+ && cd src \
+ && CXXFLAGS=-fPIC ./configure --prefix=/opt/shibboleth-sp \
+ --with-log4shib=/opt/shibboleth-sp \
+ -C \
+ && make \
+ && make install \
+ && cd .. \
+ && rm -r src
+
+ARG OPENSAMLC_URL=http://shibboleth.net/downloads/c++-opensaml/latest/opensaml-2.6.0.tar.gz
+
+RUN wget -O opensamlc.tar.gz "${OPENSAMLC_URL}" \
+ && mkdir -p src \
+ && tar -zxf opensamlc.tar.gz -C src --strip-components=1 \
+ && rm -f opensamlc.tar.gz \
+ && cd src \
+ && ./configure --prefix=/opt/shibboleth-sp \
+ --with-log4shib=/opt/shibboleth-sp \
+ -C \
+ && make \
+ && make install \
+ && cd .. \
+ && rm -r src
+
+ARG SHIBBOLETH_SP_URL=http://shibboleth.net/downloads/service-provider/latest/shibboleth-sp-2.6.0.tar.gz
+
+RUN wget -O shibboleth-sp.tar.gz "${SHIBBOLETH_SP_URL}" \
+ && mkdir -p src \
+ && tar -zxf shibboleth-sp.tar.gz -C src --strip-components=1 \
+ && rm -f shibboleth-sp.tar.gz \
+ && cd src \
+ && ./configure --prefix=/opt/shibboleth-sp \
+ --with-log4shib=/opt/shibboleth-sp \
+ --with-saml=/opt/shibboleth-sp \
+ --with-xerces=/opt/shibboleth-sp \
+ --with-xmlsec=/opt/shibboleth-sp \
+ --with-xmltooling=/opt/shibboleth-sp \
+ --enable-apache-24 \
+ --with-apxs24=/usr/bin/apxs \
+ --disable-adfs \
+ --disable-obc \
+ && make \
+ && make install \
+ && cd .. \
+ && rm -r src
+
+COPY shib2.load /etc/apache2/mods-available
+
+RUN /usr/sbin/useradd --system _shibd \
+ && mkdir -p /var/run/shibboleth \
+ && chown _shibd:_shibd /var/run/shibboleth \
+ && chown -R _shibd:_shibd /opt/shibboleth-sp/var \
+ && cp -a /opt/shibboleth-sp/etc/shibboleth /etc/shibboleth \
+ && chown _shibd:_shibd /etc/shibboleth/sp-cert.pem \
+ && chown _shibd:_shibd /etc/shibboleth/sp-key.pem \
+ && cd /opt/shibboleth-sp/etc \
+ && rm -rf shibboleth \
+ && ln -s /etc/shibboleth shibboleth \
+ && a2enmod shib2 \
+ && apt-get install -y --no-install-recommends supervisor \
+ && mkdir -p /var/log/supervisor
+
+COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+
+ARG COMANAGE_REGISTRY_VERSION=%%COMANAGE_REGISTRY_VERSION%%
+ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/$COMANAGE_REGISTRY_VERSION.tar.gz
+
+LABEL comanage_registry_version=$COMANAGE_REGISTRY_VERSION
+LABEL comanage_registry_src_url=$COMANAGE_REGISTRY_SRC_URL
+
+ENV COMANAGE_REGISTRY_DIR /srv/comanage-registry
+
+RUN apt-get update && apt-get install -y \
+ libldap-2.4-2 \
+ libldap2-dev \
+ libmysqlclient18 \
+ libmysqlclient-dev \
+ libpq-dev \
+ libxml2 \
+ libxslt1-dev \
+ libxslt1.1 \
+ ssl-cert \
+ wget \
+ zlib1g \
+ && docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql \
+ && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu \
+ && docker-php-ext-configure mysqli --with-mysqli=/usr/bin/mysql_config \
+ && docker-php-ext-install xsl pdo pdo_mysql pdo_pgsql mysqli pgsql ldap \
+ && docker-php-source delete \
+ && apt-get purge -y \
+ libldap2-dev \
+ libmysqlclient-dev \
+ libpq-dev \
+ apache2-dev \
+ file \
+ gcc \
+ g++ \
+ libboost-dev \
+ libcurl4-openssl-dev \
+ libssl-dev \
+ make \
+ && apt-get clean
+
+WORKDIR "$COMANAGE_REGISTRY_DIR"
+
+COPY 000-comanage.conf /etc/apache2/sites-available/000-comanage.conf
+
+RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \
+ && wget -O comanage.tar.gz $COMANAGE_REGISTRY_SRC_URL \
+ && tar -zxf comanage.tar.gz -C "$COMANAGE_REGISTRY_DIR" --strip-components=1 \
+ && rm -f comanage.tar.gz \
+ && rm -f "$COMANAGE_REGISTRY_DIR/app/tmp" \
+ && cp -r "$COMANAGE_REGISTRY_DIR/app/tmp.dist" "$COMANAGE_REGISTRY_DIR/app/tmp" \
+ && chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" \
+ && cd /var/www/html \
+ && ln -s "$COMANAGE_REGISTRY_DIR/app/webroot" registry \
+ && cd "$COMANAGE_REGISTRY_DIR" \
+ && rm -rf local \
+ && mkdir -p /local \
+ && ln -s /local local \
+ && a2enmod headers \
+ && a2enmod ssl \
+ && a2enmod rewrite \
+ && a2dissite 000-default.conf \
+ && a2ensite 000-comanage.conf \
+ && a2disconf other-vhosts-access-log \
+ && cd /etc/apache2 \
+ && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \
+ && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \
+ && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem \
+ && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php"
+
+COPY docker-comanage-entrypoint /usr/local/bin/
+
+# expose COmanage Registry local directory
+VOLUME ["/local"]
+
+WORKDIR /var/www/html
+
+EXPOSE 80 443
+
+# Default values for first administrator bootstrapped
+# into the platform, most likely overridden at build time
+# using build arguments.
+ARG COMANAGE_REGISTRY_ADMIN_GIVEN_NAME
+ARG COMANAGE_REGISTRY_ADMIN_FAMILY_NAME
+ARG COMANAGE_REGISTRY_ADMIN_USERNAME
+ARG COMANAGE_REGISTRY_ENABLE_POOLING
+
+ENV COMANAGE_REGISTRY_ADMIN_GIVEN_NAME ${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME:-Registry}
+ENV COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:-Admin}
+ENV COMANAGE_REGISTRY_ADMIN_USERNAME ${COMANAGE_REGISTRY_ADMIN_USERNAME:-registry.admin}
+ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No}
+
+# expose Shibboleth SP configuration files
+VOLUME ["/etc/shibboleth"]
+
+ENTRYPOINT ["/usr/bin/supervisord"]
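Review bot: The log4shib, xerces-c, xml-security-c, xmltooling, opensaml and shibboleth-sp tarballs are fetched over plain http:// and extracted and built with no integrity check, so the image trusts whatever the mirror or network path returns, and the `latest/` URL paths mean the bytes behind a fixed filename can change without the build noticing. Pin a digest per archive — e.g. `ARG LOG4SHIB_SHA256=<sha256-placeholder>` beside `LOG4SHIB_URL` and `&& echo "${LOG4SHIB_SHA256}  log4shib.tar.gz" | sha256sum -c -` right after the wget — and use https where the download host supports it; the COmanage tarball fetch needs the same check, and `$COMANAGE_REGISTRY_SRC_URL` in that wget should be quoted. `LD_FLAGS=-lpthread` on the log4shib configure and make lines is not a variable that autoconf or make consult (the conventional names are `LDFLAGS`, or `LIBS` for libraries), so the pthread flag is presumably ignored. GNU sed parses `-ie` on the final bootstrap.php edit as `-i` with backup suffix `e`, leaving a stray `bootstrap.phpe` next to the real file; write `sed -i -e '…'`.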
diff --git a/comanage-registry-shibboleth-sp/README.md b/comanage-registry-shibboleth-sp/README.md
new file mode 100644
index 0000000..dce6b46
--- /dev/null
+++ b/comanage-registry-shibboleth-sp/README.md
@@ -0,0 +1,147 @@
+# COmanage Registry Shibboleth
+
+Intended to build a COmanage Registry image
+using the official PHP 7 with Apache image as the foundation
+and providing the Shibboleth Native SP for Apache HTTP Server
+as the authentication mechanism.
+
+## Build
+
+```
+export COMANAGE_REGISTRY_VERSION=develop
+sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile
+docker build -t comanage-registry-shibboleth-sp:${COMANAGE_REGISTRY_VERSION} .
+```
+
+You can (and should) use build arguments to bootstrap the first
+platform administrator. The administrator username is the value
+COmanage Registry expects to read from $REMOTE\_USER after
+the administrator authenticates using whichever authentication
+method is provided:
+
+```
+export COMANAGE_REGISTRY_VERSION=develop
+
+export COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Karel
+export COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Novak
+export COMANAGE_REGISTRY_ADMIN_USERNAME=karel.novak@my.org
+
+sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile
+docker build \
+ --build-arg COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME} \
+ --build-arg COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME} \
+ --build-arg COMANAGE_REGISTRY_ADMIN_USERNAME=${COMANAGE_REGISTRY_ADMIN_USERNAME} \
+ -t comanage-registry-shibboleth-sp:${COMANAGE_REGISTRY_VERSION} .
+```
+## Run
+
+### Database
+
+COmanage Registry requires a relational database. See the
+[PostgreSQL example for COmanage Registry](../comanage-registry-postgres/README.md).
+
+### Network
+
+Create a user-defined network bridge with
+
+```
+docker network create --driver=bridge \
+ --subnet=192.168.0.0/16 \
+ --gateway=192.168.0.100 \
+ comanage-registry-internal-network
+```
+
+### COmanage Registry Configuration
+
+Create a directory to hold persistent COmanage Registry configuration and
+other state such as local plugins and other customizations. In that directory
+create a `Config` directory and in it place a `database.php` and `email.php`
+configuration file:
+
+```
+mkdir -p /opt/comanage-registry/Config
+
+cat >> /opt/comanage-registry/Config/database.php <<"EOF"
+ 'Database/Postgres',
+ 'persistent' => false,
+ 'host' => 'comanage-registry-database',
+ 'login' => 'registry_user',
+ 'password' => 'password',
+ 'database' => 'registry',
+ 'prefix' => 'cm_',
+ );
+
+}
+EOF
+
+cat >> /opt/comanage-registry/Config/database.php <<"EOF"
+ 'Smtp',
+ 'host' => 'tls://smtp.gmail.com',
+ 'port' => 465,
+ 'username' => 'account@gmail.com',
+ 'password' => 'password'
+ );
+}
+EOF
+```
+
+### Shibboleth SP Configuration
+
+Mount or COPY Shibboleth SP configuration files into the directory
+`/etc/shibboleth`. A standard set of default files is already present
+in the image.
+
+```
+COPY shibboleth2.xml /etc/shibboleth/shibboleth2.xml
+COPY sp-cert.pem /etc/shibboleth/sp-cert.pem
+COPY sp-key.pem /etc/shibboleth/sp-key.pem
+```
+
+### Container
+
+```
+docker run -d --name comanage-registry \
+ -v /opt/comanage-registry:/local \
+ --network comanage-registry-internal-network \
+ -p 80:80 -p 443:443 \
+ comanage-registry-shibboleth-sp:${COMANAGE_REGISTRY_VERSION}
+```
+
+### Logging
+
+Both Apache HTTP Server and COmanage Registry log to the stdout and
+stderr of the container.
+
+The Shibboleth SP can also log to the stdout and stderr of the container
+by setting the `logger` configuration option in `shibboleth2.xml`.
+
+```
+
+```
+
+### HTTPS Configuration
+
+Mount or COPY in an X.509 certificate file, associated private key file,
+and certificate signing chain file.
+
+```
+COPY cert.pem /etc/apache2/cert.pem
+COPY privkey.pem /etc/apache2/privkey.pem
+COPY chain.pem /etc/apache2/chain.pem
+```
diff --git a/comanage-registry-shibboleth-sp/docker-comanage-entrypoint b/comanage-registry-shibboleth-sp/docker-comanage-entrypoint
new file mode 100755
index 0000000..f788647
--- /dev/null
+++ b/comanage-registry-shibboleth-sp/docker-comanage-entrypoint
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# Copyright (C) 2017 Spherical Cow Group
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under
+# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the specific language governing
+# permissions and limitations under the License.
+
+# Database initialization or schema management using adodb
+# is idempotent so we always run it at startup.
+pushd "$COMANAGE_REGISTRY_DIR/app" > /dev/null 2>&1
+./Console/cake database > /dev/null 2>&1
+popd > /dev/null 2>&1
+
+# We only want to run the setup script once since it creates
+# state in the database. Until COmanage Registry has a better
+# mechanism for telling us if setup has already been run
+# we create an ephemeral CakePHP script to tell us.
+SETUP_ALREADY_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/SetupAlreadyShell.php"
+
+cat >> $SETUP_ALREADY_SCRIPT <<"EOF"
+Co->find('first', $args);
+
+ if(!empty($co)) {
+ $this->error('Setup already');
+ }
+ }
+}
+EOF
+
+pushd /srv/comanage-registry/app > /dev/null 2>&1
+./Console/cake setupAlready > /dev/null 2>&1
+setup_already=$?
+
+rm -f "$SETUP_ALREADY_SCRIPT"
+
+if [ $setup_already -eq 0 ]; then
+ rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" > /dev/null 2>&1
+ rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" > /dev/null 2>&1
+ ./Console/cake setup --admin-given-name "${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME}" \
+ --admin-family-name "${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME}" \
+ --admin-username "${COMANAGE_REGISTRY_ADMIN_USERNAME}" \
+ --enable-pooling "${COMANAGE_REGISTRY_ENABLE_POOLING}" > /dev/null 2>&1
+fi
+
+popd > /dev/null 2>&1
+
+# Running CakePHP console commands generates cache files so
+# set the ownership of those files appropriately.
+chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp"
+
+# Make sure the directory structure we need is available
+# in the data volume for $COMANAGE_REGISTRY_DIR/local
+mkdir -p "$COMANAGE_REGISTRY_DIR/local/Config"
+mkdir -p "$COMANAGE_REGISTRY_DIR/local/Plugin"
+mkdir -p "$COMANAGE_REGISTRY_DIR/local/View/Pages/public"
+mkdir -p "$COMANAGE_REGISTRY_DIR/local/webroot/img"
+
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+ set -- apache2-foreground "$@"
+fi
+
+exec "$@"
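Review bot: `cat >> $SETUP_ALREADY_SCRIPT <<"EOF"` appends rather than overwrites, so if a previous start died between writing the ephemeral shell and the `rm -f` that follows it, the next start produces a file with two concatenated class bodies and `cake setupAlready` fails on a parse error; use `cat > "$SETUP_ALREADY_SCRIPT" <<"EOF"` (quoted as well). The second `pushd` hard-codes `/srv/comanage-registry/app` while the first uses `"$COMANAGE_REGISTRY_DIR/app"`; keep the variable form in both. Every cake invocation discards stdout and stderr and only setupAlready's exit status is examined, so a failed `database` or `setup` run leaves no trace in the container logs — at minimum let stderr through, since supervisord already forwards it to the container's stderr. The heredoc body as shown starts mid-class, so its opening lines appear to have been stripped in this rendering.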
diff --git a/comanage-registry-shibboleth-sp/shib2.load b/comanage-registry-shibboleth-sp/shib2.load
new file mode 100644
index 0000000..a38c0db
--- /dev/null
+++ b/comanage-registry-shibboleth-sp/shib2.load
@@ -0,0 +1 @@
+LoadModule mod_shib /opt/shibboleth-sp/lib/shibboleth/mod_shib_24.so
diff --git a/comanage-registry-shibboleth-sp/supervisord.conf b/comanage-registry-shibboleth-sp/supervisord.conf
new file mode 100644
index 0000000..84b7c07
--- /dev/null
+++ b/comanage-registry-shibboleth-sp/supervisord.conf
@@ -0,0 +1,16 @@
+[supervisord]
+nodaemon=true
+
+[program:apache2]
+command=/usr/local/bin/docker-comanage-entrypoint apache2-foreground
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:shibd]
+command=/opt/shibboleth-sp/sbin/shibd -f -u _shibd -g _shibd -c /etc/shibboleth/shibboleth2.xml -p /var/run/shibboleth/shibd.pid -F
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
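Review bot: Neither `[program:...]` section sets a restart policy, so with supervisord defaults a process that exits within `startsecs` on each of three attempts is marked FATAL and supervisord keeps running with that service down — the container stays up while apache2 or shibd is gone. Because the apache2 command is the entrypoint that first runs `cake database` against a database that may not yet accept connections, an early exit is plausible; raising `startretries` and setting `autorestart=true` in both sections (or adding a container HEALTHCHECK) makes the failure recoverable or at least visible. There is also no `priority` ordering between shibd and apache2; as far as I know mod_shib connects to the shibd listener on demand, so this is probably fine, but worth confirming.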