diff --git a/.dockerignore b/.dockerignore
index b66e30b..ac0479b 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,4 +1,5 @@
 .git/
 test-compose/
 *.md
-manualBuild.sh
\ No newline at end of file
+manualBuild.sh
+LICENSE
diff --git a/Dockerfile b/Dockerfile
index eeccd7b..92eef61 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,14 +4,11 @@ RUN yum update -y \
     && yum install -y wget tar unzip dos2unix \
     && yum clean all
 
-ENV ANT_VERSION="1.10.1" \
-    GROUPER_VERSION=2.3.0 \
-    JAVA_HOME=/opt/openjdk8 \
-    TOMCAT_MAJOR=8 \
-    TOMCAT_VERSION="8.5.23"
-
-RUN java_version=8.0.131; \ 
-    zulu_version=8.21.0.1; \   
+ENV GROUPER_VERSION=2.3.0 \
+    JAVA_HOME=/opt/java
+
+RUN java_version=8.0.131; \
+    zulu_version=8.21.0.1; \
     echo 'Downloading the OpenJDK Zulu...' \
     && wget -q http://cdn.azul.com/zulu/bin/zulu$zulu_version-jdk$java_version-linux_x64.tar.gz \
     && echo "1931ed3beedee0b16fb7fd37e069b162  zulu$zulu_version-jdk$java_version-linux_x64.tar.gz" | md5sum -c - \
@@ -40,30 +37,40 @@ RUN echo 'Installing Grouper'; \
     cd /opt/grouper/$GROUPER_VERSION/ \
     && $JAVA_HOME/bin/java -cp :grouperInstaller.jar edu.internet2.middleware.grouperInstaller.GrouperInstaller
 
-#The Grouper Installer is corrupting the Messaging Jar files.
-RUN cp /opt/grouper/2.3.0/grouper.rabbitMq-2.3.0/lib/* /opt/grouper/2.3.0/grouper.apiBinary-2.3.0/lib/grouper/ \
-    && cp /opt/grouper/2.3.0/grouper.activeMq-2.3.0/lib/* /opt/grouper/2.3.0/grouper.apiBinary-2.3.0/lib/grouper/
 
 
 FROM centos:centos7 as cleanup
 
-COPY --from=installing /opt/grouper/2.3.0/grouper.apiBinary-2.3.0/ /opt/grouper/grouper.apiBinary
-COPY --from=installing /opt/grouper/2.3.0/grouper.ui-2.3.0/dist/grouper/ /opt/grouper/grouper.ui/dist/grouper/
-COPY --from=installing /opt/grouper/2.3.0/grouper.ws-2.3.0/grouper-ws/build/dist/grouper-ws/ /opt/grouper/grouper.ws/dist/grouper-ws/
-COPY --from=installing /opt/grouper/2.3.0/apache-tomcat-8.5.12/ /opt/tomcat/
-COPY --from=installing /opt/grouper/2.3.0/apache-tomee-webprofile-7.0.0/ /opt/tomee/
-COPY --from=installing /opt/grouper/2.3.0/grouper.clientBinary-2.3.0/ /opt/grouper/grouper.clientBinary/
+ENV GROUPER_VERSION=2.3.0 \
+    TOMCAT_VERSION=8.5.12 \    
+    TOMEE_VERSION=7.0.0
+
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouperInstaller.jar /opt/grouper/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.apiBinary-$GROUPER_VERSION/ /opt/grouper/grouper.apiBinary/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.ui-$GROUPER_VERSION/dist/grouper/ /opt/grouper/grouper.ui/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.ws-$GROUPER_VERSION/grouper-ws/build/dist/grouper-ws/ /opt/grouper/grouper.ws/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.ws-$GROUPER_VERSION/grouper-ws-scim/targetBuiltin/grouper-ws-scim/ /opt/grouper/grouper.scim/
+#COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.clientBinary-$GROUPER_VERSION/ /opt/grouper/grouper.clientBinary/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/apache-tomcat-$TOMCAT_VERSION/ /opt/tomcat/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/apache-tomee-webprofile-$TOMEE_VERSION/ /opt/tomee/
 
 RUN cd /opt/grouper/grouper.apiBinary/; \
-    rm -fr ddlScripts/ grouper.lck grouper.log grouper.script grouper.tmp/ gshAddGrouperSystemWsGroup.gsh logs/ 
+    rm -fr ddlScripts/ grouper.lck grouper.log grouper.script grouper.tmp/ gshAddGrouperSystemWsGroup.gsh logs/
+
+RUN cd /opt/tomcat/; \
+    rm -fr webapps/docs/ webapps/examples/ webapps/host-manager/ webapps/manager/ logs/* temp/* work/* \
+    && mkdir -p logs/grouperUi logs/grouperWs
 
-RUN cd /opt/tomcat/webapps/; \
-    rm -fr docs/ examples/ host-manager/ manager/ logs/*
+RUN cd /opt/tomee/; \
+    rm -fr webapps/docs/ webapps/host-manager/ webapps/manager/ logs/* temp/* work/*
 
-RUN cd /opt/tomee/webapps/; \
-    rm -fr docs/ host-manager/ manager/ 
+RUN sed -i "s/\/opt\/grouper\/$GROUPER_VERSION\/apache-tomcat-$TOMCAT_VERSION/\/opt\/tomcat/g" /opt/grouper/grouper.ui/WEB-INF/classes/log4j.properties \
+    && sed -i "s/\/opt\/grouper\/$GROUPER_VERSION\/apache-tomcat-$TOMCAT_VERSION/\/opt\/tomcat/g" /opt/grouper/grouper.ws/WEB-INF/classes/log4j.properties \
+    && sed -i 's/${grouper.home}/\/opt\/tomee\//g' /opt/grouper/grouper.scim/WEB-INF/classes/log4j.properties
+
+COPY container_files/tomcat/ /opt/tomcat/
+COPY container_files/tomee/ /opt/tomee/
 
-COPY container_files/server.xml /opt/tomcat/conf/
 
 
 FROM tier/shibboleth_sp
@@ -74,8 +81,9 @@ LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
       ImageName=$imagename \
       ImageOS=centos7
 
-ENV JAVA_HOME=/opt/openjdk8 \
-    PATH=$PATH:$JAVA_HOME/bin
+ENV JAVA_HOME=/opt/java \
+    PATH=$PATH:$JAVA_HOME/bin \
+    GROUPER_HOME=/opt/grouper/grouper.apiBinary
 
 RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime
 
@@ -84,12 +92,18 @@ RUN yum update -y \
     && pip install --upgrade pip \
     && pip install supervisor \
     && yum clean -y all
-   
+
 COPY --from=installing $JAVA_HOME $JAVA_HOME
 COPY --from=cleanup /opt/tomcat/ /opt/tomcat/
 COPY --from=cleanup /opt/tomee/ /opt/tomee/
 COPY --from=cleanup /opt/grouper/ /opt/grouper/
 
+RUN groupadd -r tomcat \
+    && useradd -r -m -s /sbin/nologin -g tomcat tomcat \
+    && mkdir -p /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/work/ \
+    && chown -R tomcat:tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/work/ \
+    && chown -R tomcat:tomcat /opt/tomee/logs/ /opt/tomee/temp/ /opt/tomee/work/
+
 COPY container_files/tier-support/ /opt/tier-support/
 COPY container_files/usr-local-bin /usr/local/bin/
 COPY container_files/httpd/* /etc/httpd/conf.d/
diff --git a/README.md b/README.md
index 0dc1cdb..aa558e4 100644
--- a/README.md
+++ b/README.md
@@ -168,8 +168,8 @@ This image can now be used locally or pushed to an organization's Docker reposit
 # File System Endpoints
 Significant directories and files that deployers should be aware of.
 
-- `/grouper/conf/`: a common directory to place non-sensitive config files that will be placed into the appropriate location for each Grouper component at container start-up.
-- `/grouper/lib/`: a common directory to place additional jar files that will be placed into the appropriate location for each Grouper component at container start-up.
+- `/opt/grouper/conf/`: a common directory to place non-sensitive config files that will be placed into the appropriate location for each Grouper component at container start-up.
+- `/opt/grouper/lib/`: a common directory to place additional jar files that will be placed into the appropriate location for each Grouper component at container start-up.
 
 - `/etc/httpd/conf.d/ssl-enabled.conf`: Can be overlaid to change the TLS settings when running Grouper UI or Web Servicse.
 - `/etc/shibboleth/`: location to overlay the Shibboleth SP configuration files used by the image.
@@ -183,7 +183,7 @@ To examine baseline image files, one might run `docker run --name=temp -it tier/
 (TODO)
 
 ```
-docker run --detach --rm --name daemon \
+docker run --rm \
   --mount type=bind,src=$(pwd)/grouper.hibernate.properties,dst=/run/secrets/grouper.hibernate.properties \
   tier/grouper gsh -registry -check -runscript -noprompt
 ```
diff --git a/container_files/grouper.installer.properties b/container_files/grouper.installer.properties
index 303da95..c8f4095 100644
--- a/container_files/grouper.installer.properties
+++ b/container_files/grouper.installer.properties
@@ -6,10 +6,7 @@ grouper.version = 2.3.0
 grouperInstaller.print.autorunKeys = true
 # default to install or upgrade (default is install)
 grouperInstaller.default.installOrUpgrade = install
-# where to get grouper source from, the variable $BRANCH_NAME$ will be substituted for the branch
-download.source.url = https://github.com/Internet2/grouper/archive/$BRANCH_NAME$.zip
-# where to get grouper psp source from, the variable $BRANCH_NAME$ will be substituted for the branch
-download.pspSource.url = https://github.com/Internet2/grouper-psp/archive/$BRANCH_NAME$.zip
+
 ##############################
 ## Autorun properties
 ##
@@ -23,23 +20,10 @@ grouperInstaller.autorun.useDefaultsAsMuchAsAvailable = true
 ## Note: not all of them need to be filled out for all operations
 # autorun grouper system password (its not secure to have a plain text pass in a config file)
 grouperInstaller.autorun.grouperSystemPassword = XXXXXXXXXX
-# autorun Enter the database URL
-grouperInstaller.autorun.dbUrl = jdbc:mysql://localhost:3306/grouper
-# autorun database user
-grouperInstaller.autorun.dbUser = grouper
-# autorun database pass (note, it is not good security to have plaintext passwords in text config files)
-grouperInstaller.autorun.dbPass = XXXXXXXXXX
-# autorun Do you want to init the database (delete all existing grouper tables, add new ones) (t|f)?
-grouperInstaller.autorun.deleteAndInitDatabase = t
-
-# [jvf] The 'fake' run-through of 
-# While running the installer, we don't have access to the database
-#grouperInstaller.autorun.deleteAndInitDatabase = f
 
-# While running the installer, we don't have access to the database
-#grouperInstaller.autorun.addQuickstartSubjectsToDb = f
-
-# grouperInstaller.autorun.addQuickstartData = f
+grouperInstaller.autorun.deleteAndInitDatabase = t
+grouperInstaller.autorun.addQuickstartData = f
+grouperInstaller.autorun.installClient = f
  
 grouperInstaller.autorun.installGrouperActiveMqMessaging = t
 grouperInstaller.autorun.activeMqWhereInstalled = /opt/grouper/2.3.0/grouper.apiBinary-2.3.0/
diff --git a/container_files/httpd/grouper-www.conf b/container_files/httpd/grouper-www.conf
index 6d15d22..368f7f6 100644
--- a/container_files/httpd/grouper-www.conf
+++ b/container_files/httpd/grouper-www.conf
@@ -5,6 +5,7 @@ ProxyBadHeader Ignore
 
 ProxyPass /grouper ajp://localhost:8009/grouper  timeout=2400
 ProxyPass /grouper-ws ajp://localhost:8009/grouper-ws  timeout=2400
+ProxyPass /grouper-ws-scim ajp://localhost:8009/grouper-ws-scim  timeout=2400
 
 <Location /grouper>
   AuthType shibboleth
diff --git a/container_files/tier-support/grouper-ws-scim.xml b/container_files/tier-support/grouper-ws-scim.xml
new file mode 100644
index 0000000..bb15b17
--- /dev/null
+++ b/container_files/tier-support/grouper-ws-scim.xml
@@ -0,0 +1,6 @@
+<Context docBase="/opt/grouper/grouper.scim/" path="/grouper-ws-scim" reloadable="false">
+    <!-- Allow our symlinks to work-->
+    <Resources allowLinking="true" />
+</Context>
+
+
diff --git a/container_files/tier-support/grouper-ws.xml b/container_files/tier-support/grouper-ws.xml
index e4812a4..b9aa647 100644
--- a/container_files/tier-support/grouper-ws.xml
+++ b/container_files/tier-support/grouper-ws.xml
@@ -1,4 +1,4 @@
-<Context docBase="/opt/grouper/grouper.ws/dist/grouper-ws/" path="/grouper-ws" reloadable="false">
+<Context docBase="/opt/grouper/grouper.ws/" path="/grouper-ws" reloadable="false">
     <!-- Allow our symlinks to work-->
     <Resources allowLinking="true" />
 </Context>
diff --git a/container_files/tier-support/grouper.xml b/container_files/tier-support/grouper.xml
index d9c6134..22cfbd8 100644
--- a/container_files/tier-support/grouper.xml
+++ b/container_files/tier-support/grouper.xml
@@ -1,4 +1,4 @@
-<Context docBase="/opt/grouper/grouper.ui/dist/grouper/" path="/grouper" reloadable="false">
+<Context docBase="/opt/grouper/grouper.ui/" path="/grouper" reloadable="false">
     <!-- Allow our symlinks to work-->
     <Resources allowLinking="true" />
 </Context>
diff --git a/container_files/tier-support/supervisord-web.conf b/container_files/tier-support/supervisord-tomcat.conf
similarity index 90%
rename from container_files/tier-support/supervisord-web.conf
rename to container_files/tier-support/supervisord-tomcat.conf
index 34ace41..3bb7553 100644
--- a/container_files/tier-support/supervisord-web.conf
+++ b/container_files/tier-support/supervisord-tomcat.conf
@@ -3,7 +3,7 @@ logfile=/dev/fd/1                               ; supervisord log file
 logfile_maxbytes=0                           ; maximum size of logfile before rotation
 loglevel=error                                  ; info, debug, warn, trace
 nodaemon=true                                  ; run supervisord as a daemon
-;user=root                                       ; default user
+user=root                                       ; default user
 
 [rpcinterface:supervisor]
 supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
@@ -22,13 +22,15 @@ stdout_logfile = /dev/fd/1
 stdout_logfile_maxbytes=0
 
 [program:shibbolethsp]
-command=/usr/sbin/shibd -f
+user=shibd
+command=/usr/sbin/shibd -f -F
 stderr_logfile = /dev/fd/2
 stderr_logfile_maxbytes=0
 stdout_logfile = /dev/fd/1
 stdout_logfile_maxbytes=0
 
 [program:tomcat]
+user=tomcat
 command=/opt/tomcat/bin/catalina.sh run 
 stderr_logfile = /dev/fd/2
 stderr_logfile_maxbytes=0
diff --git a/container_files/tier-support/supervisord-tomee.conf b/container_files/tier-support/supervisord-tomee.conf
new file mode 100644
index 0000000..40d0c81
--- /dev/null
+++ b/container_files/tier-support/supervisord-tomee.conf
@@ -0,0 +1,31 @@
+[supervisord]
+logfile=/dev/fd/1                               ; supervisord log file
+logfile_maxbytes=0                           ; maximum size of logfile before rotation
+loglevel=error                                  ; info, debug, warn, trace
+nodaemon=true                                  ; run supervisord as a daemon
+user=root                                       ; default user
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///tmp/supervisor.sock         ; use a unix:// URL  for a unix socket
+
+; Our processes
+; writing output to stdout (1) and err (2) (for Docker logging) and disabling log rotation
+
+[program:httpd]
+command=httpd -DFOREGROUND
+stderr_logfile = /dev/fd/2
+stderr_logfile_maxbytes=0
+stdout_logfile = /dev/fd/1
+stdout_logfile_maxbytes=0
+
+[program:tomee]
+user=tomcat
+command=/opt/tomee/bin/catalina.sh run 
+stderr_logfile = /dev/fd/2
+stderr_logfile_maxbytes=0
+stdout_logfile = /dev/fd/1
+stdout_logfile_maxbytes=0
+
diff --git a/container_files/server.xml b/container_files/tomcat/conf/server.xml
similarity index 100%
rename from container_files/server.xml
rename to container_files/tomcat/conf/server.xml
diff --git a/container_files/tomee/conf/server.xml b/container_files/tomee/conf/server.xml
new file mode 100644
index 0000000..e5c8996
--- /dev/null
+++ b/container_files/tomee/conf/server.xml
@@ -0,0 +1,164 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!-- Note:  A "Server" is not itself a "Container", so you may not
+     define subcomponents such as "Valves" at this level.
+     Documentation at /docs/config/server.html
+ -->
+<Server port="8005" shutdown="SHUTDOWN">
+  <!-- TomEE plugin for Tomcat -->
+  <Listener className="org.apache.tomee.catalina.ServerListener" />
+  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
+  <!-- Security listener. Documentation at /docs/config/listeners.html
+  <Listener className="org.apache.catalina.security.SecurityListener" />
+  -->
+  <!--APR library loader. Documentation at /docs/apr.html -->
+  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+
+  <!-- Global JNDI resources
+       Documentation at /docs/jndi-resources-howto.html
+  -->
+  <GlobalNamingResources>
+    <!-- Editable user database that can also be used by
+         UserDatabaseRealm to authenticate users
+    -->
+    <Resource name="UserDatabase" auth="Container"
+              type="org.apache.catalina.UserDatabase"
+              description="User database that can be updated and saved"
+              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+              pathname="conf/tomcat-users.xml" />
+  </GlobalNamingResources>
+
+  <!-- A "Service" is a collection of one or more "Connectors" that share
+       a single "Container" Note:  A "Service" is not itself a "Container",
+       so you may not define subcomponents such as "Valves" at this level.
+       Documentation at /docs/config/service.html
+   -->
+  <Service name="Catalina">
+
+    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+    <!--
+    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+        maxThreads="150" minSpareThreads="4"/>
+    -->
+
+
+    <!-- A "Connector" represents an endpoint by which requests are received
+         and responses are returned. Documentation at :
+         Java HTTP Connector: /docs/config/http.html
+         Java AJP  Connector: /docs/config/ajp.html
+         APR (HTTP/AJP) Connector: /docs/apr.html
+         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
+    -->
+    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"
+               connectionTimeout="20000"
+               redirectPort="8443" xpoweredBy="false" server="Apache TomEE" />
+    <!-- A "Connector" using the shared thread pool-->
+    <!--
+    <Connector executor="tomcatThreadPool"
+               port="8080" protocol="HTTP/1.1"
+               connectionTimeout="20000"
+               redirectPort="8443" />
+    -->
+    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
+         This connector uses the NIO implementation with the JSSE engine. When
+         using the JSSE engine, the JSSE configuration attributes must be used.
+    -->
+    <!--
+    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+               maxThreads="150" SSLEnabled="true">
+        <SSLHostConfig>
+            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
+                         type="RSA" xpoweredBy="false" server="Apache TomEE" />
+        </SSLHostConfig>
+    </Connector>
+    -->
+    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
+         This connector uses the APR/native implementation. When using the
+         APR/native implementation or the OpenSSL engine with NIO or NIO2 then
+         the OpenSSL configuration attributes must be used.
+    -->
+    <!--
+    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
+               maxThreads="150" SSLEnabled="true" >
+        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" xpoweredBy="false" server="Apache TomEE" />
+        <SSLHostConfig>
+            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
+                         certificateFile="conf/localhost-rsa-cert.pem"
+                         certificateChainFile="conf/localhost-rsa-chain.pem"
+                         type="RSA" />
+        </SSLHostConfig>
+    </Connector>
+    -->
+
+    <!-- Define an AJP 1.3 Connector on port 8009 -->
+    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />
+
+
+    <!-- An Engine represents the entry point (within Catalina) that processes
+         every request.  The Engine implementation for Tomcat stand alone
+         analyzes the HTTP headers included with the request, and passes them
+         on to the appropriate Host (virtual host).
+         Documentation at /docs/config/engine.html -->
+
+    <!-- You should set jvmRoute to support load-balancing via AJP ie :
+    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+    -->
+    <Engine name="Catalina" defaultHost="localhost">
+
+      <!--For clustering, please take a look at documentation at:
+          /docs/cluster-howto.html  (simple how to)
+          /docs/config/cluster.html (reference documentation) -->
+      <!--
+      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+      -->
+
+      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+           via a brute-force attack -->
+      <Realm className="org.apache.catalina.realm.LockOutRealm">
+        <!-- This Realm uses the UserDatabase configured in the global JNDI
+             resources under the key "UserDatabase".  Any edits
+             that are performed against this UserDatabase are immediately
+             available for use by the Realm.  -->
+        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+               resourceName="UserDatabase"/>
+      </Realm>
+
+      <Host name="localhost"  appBase="webapps"
+            unpackWARs="true" autoDeploy="true">
+
+        <!-- SingleSignOn valve, share authentication between web applications
+             Documentation at: /docs/config/valve.html -->
+        <!--
+        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+        -->
+
+        <!-- Access log processes all example.
+             Documentation at: /docs/config/valve.html
+             Note: The pattern used is equivalent to using pattern="common" -->
+        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+               prefix="localhost_access_log" suffix=".txt"
+               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
+
+      </Host>
+    </Engine>
+  </Service>
+</Server>
\ No newline at end of file
diff --git a/container_files/usr-local-bin/gsh b/container_files/usr-local-bin/gsh
new file mode 100755
index 0000000..e68f947
--- /dev/null
+++ b/container_files/usr-local-bin/gsh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -x
+
+. /usr/local/bin/library.sh
+
+prepDaemon
+
+exec bin/gsh "$@"
diff --git a/container_files/usr-local-bin/library.sh b/container_files/usr-local-bin/library.sh
index fcf92cc..fafc6e2 100644
--- a/container_files/usr-local-bin/library.sh
+++ b/container_files/usr-local-bin/library.sh
@@ -30,7 +30,7 @@ prepDaemon() {
 }
 
 prepUI() {
-    local dest=/opt/grouper/grouper.ui/dist/grouper/WEB-INF
+    local dest=/opt/grouper/grouper.ui/WEB-INF
     linkGrouperSecrets $dest/classes
 
     if [ -d "/opt/grouper/conf" ]; then
@@ -43,8 +43,22 @@ prepUI() {
     cp /opt/tier-support/grouper.xml /opt/tomcat/conf/Catalina/localhost/
 }
 
+prepSCIM() {
+    local dest=/opt/grouper/grouper.scim/WEB-INF
+    linkGrouperSecrets $dest/classes
+
+    if [ -d "/opt/grouper/conf" ]; then
+        cp /opt/grouper/conf/* $dest/classes/
+    fi
+    if [ -d "/opt/grouper/lib" ]; then
+        cp /opt/grouper/lib/* $dest/lib/
+    fi
+
+    cp /opt/tier-support/grouper-ws-scim.xml /opt/tomee/conf/Catalina/localhost/
+}
+
 prepWS() {
-    local dest=/opt/grouper/grouper.ws/dist/grouper-ws/WEB-INF
+    local dest=/opt/grouper/grouper.ws/WEB-INF
     linkGrouperSecrets $dest/classes
     
     if [ -d "/opt/grouper/conf" ]; then
diff --git a/container_files/usr-local-bin/scim b/container_files/usr-local-bin/scim
new file mode 100755
index 0000000..69ded13
--- /dev/null
+++ b/container_files/usr-local-bin/scim
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -x
+
+. /usr/local/bin/library.sh
+
+prepSCIM
+
+exec /usr/bin/supervisord -c /opt/tier-support/supervisord-tomee.conf
diff --git a/container_files/usr-local-bin/ui b/container_files/usr-local-bin/ui
index a451c8b..efc1699 100755
--- a/container_files/usr-local-bin/ui
+++ b/container_files/usr-local-bin/ui
@@ -5,4 +5,6 @@ set -x
 
 prepUI
 
-exec /usr/bin/supervisord -c /opt/tier-support/supervisord-web.conf
+export LD_LIBRARY_PATH=/opt/shibboleth/lib64:$LD_LIBRARY_PATH
+
+exec /usr/bin/supervisord -c /opt/tier-support/supervisord-tomcat.conf
diff --git a/container_files/usr-local-bin/ui-ws b/container_files/usr-local-bin/ui-ws
index 46e0471..ae19afd 100755
--- a/container_files/usr-local-bin/ui-ws
+++ b/container_files/usr-local-bin/ui-ws
@@ -6,4 +6,6 @@ set -x
 prepUI
 prepWS
 
-/usr/bin/supervisord -c /opt/tier-support/supervisord-web.conf
+export LD_LIBRARY_PATH=/opt/shibboleth/lib64:$LD_LIBRARY_PATH
+
+/usr/bin/supervisord -c /opt/tier-support/supervisord-tomcat.conf
diff --git a/container_files/usr-local-bin/ws b/container_files/usr-local-bin/ws
index e748390..a0a21c7 100755
--- a/container_files/usr-local-bin/ws
+++ b/container_files/usr-local-bin/ws
@@ -5,4 +5,4 @@ set -x
 
 prepWS
 
-exec /usr/bin/supervisord -c /opt/tier-support/supervisord-web.conf
+exec /usr/bin/supervisord -c /opt/tier-support/supervisord-tomcat.conf
diff --git a/manualBuild.sh b/manualBuild.sh
index 72b161b..67b7d8a 100755
--- a/manualBuild.sh
+++ b/manualBuild.sh
@@ -1,4 +1,4 @@
-&& docker build --pull --tag=tier/grouper . \
+docker build --pull --tag=tier/grouper:latest . \
 
 if [[ "$OSTYPE" == "darwin"* ]]; then
   say build complete
diff --git a/test-compose/daemon/Dockerfile b/test-compose/daemon/Dockerfile
index 5749d02..f620350 100644
--- a/test-compose/daemon/Dockerfile
+++ b/test-compose/daemon/Dockerfile
@@ -2,4 +2,4 @@ FROM tier/grouper:latest
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 
-CMD ["bin/gsh", "-loader"]
\ No newline at end of file
+CMD ["daemon"]
diff --git a/test-compose/data/Dockerfile b/test-compose/data/Dockerfile
index 9c88903..7739de3 100644
--- a/test-compose/data/Dockerfile
+++ b/test-compose/data/Dockerfile
@@ -2,10 +2,11 @@ FROM tier/grouper:latest
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
  
-COPY seed-data/ /seed-data/
-COPY conf/ /opt/grouper/grouper.apiBinary/conf/
+COPY container_files/seed-data/ /seed-data/
+COPY container_files/conf/ /opt/grouper/grouper.apiBinary/conf/
 
 RUN yum install -y epel-release \
+    && yum update -y \
     && yum install -y 389-ds-base 389-admin 389-adminutil mariadb-server mariadb \
     && yum clean all
 
diff --git a/test-compose/data/conf/grouper.hibernate.properties b/test-compose/data/container_files/conf/grouper.hibernate.properties
similarity index 100%
rename from test-compose/data/conf/grouper.hibernate.properties
rename to test-compose/data/container_files/conf/grouper.hibernate.properties
diff --git a/test-compose/data/conf/grouper.properties b/test-compose/data/container_files/conf/grouper.properties
similarity index 100%
rename from test-compose/data/conf/grouper.properties
rename to test-compose/data/container_files/conf/grouper.properties
diff --git a/test-compose/data/conf/sources.xml b/test-compose/data/container_files/conf/sources.xml
similarity index 100%
rename from test-compose/data/conf/sources.xml
rename to test-compose/data/container_files/conf/sources.xml
diff --git a/test-compose/data/seed-data/bootstrap.gsh b/test-compose/data/container_files/seed-data/bootstrap.gsh
similarity index 100%
rename from test-compose/data/seed-data/bootstrap.gsh
rename to test-compose/data/container_files/seed-data/bootstrap.gsh
diff --git a/test-compose/data/seed-data/ds-setup.inf b/test-compose/data/container_files/seed-data/ds-setup.inf
similarity index 100%
rename from test-compose/data/seed-data/ds-setup.inf
rename to test-compose/data/container_files/seed-data/ds-setup.inf
diff --git a/test-compose/data/seed-data/sisData.sql b/test-compose/data/container_files/seed-data/sisData.sql
similarity index 100%
rename from test-compose/data/seed-data/sisData.sql
rename to test-compose/data/container_files/seed-data/sisData.sql
diff --git a/test-compose/data/seed-data/users.ldif b/test-compose/data/container_files/seed-data/users.ldif
similarity index 100%
rename from test-compose/data/seed-data/users.ldif
rename to test-compose/data/container_files/seed-data/users.ldif
diff --git a/test-compose/docker-compose.yml b/test-compose/docker-compose.yml
index 038cf48..6b2f765 100644
--- a/test-compose/docker-compose.yml
+++ b/test-compose/docker-compose.yml
@@ -3,7 +3,7 @@ version: "3.3"
 services:
   daemon:
     build: ./daemon/
-    command: bash -c "while ! curl -s data:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; daemon"
+    command: bash -c "while ! curl -s data:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; exec daemon"
     volumes:
      - type: bind
        source: ./configs-and-secrets/grouper/grouper.properties
@@ -27,7 +27,7 @@ services:
  
   ui:
     build: ./ui/
-    command: bash -c "while ! curl -s data:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; while ! curl -s ldap://data:389 > /dev/null; do echo waiting for ldap to start; sleep 3; done; ui"
+    command: bash -c "while ! curl -s data:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; while ! curl -s ldap://data:389 > /dev/null; do echo waiting for ldap to start; sleep 3; done; exec ui"
     volumes:
      - type: bind
        source: ./configs-and-secrets/grouper/grouper.properties
@@ -74,7 +74,7 @@ services:
 
   ws:
     build: ./ws/
-    command: bash -c "while ! curl -s data:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; while ! curl -s ldap://data:389 > /dev/null; do echo waiting for ldap to start; sleep 3; done; ws"
+    command: bash -c "while ! curl -s data:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; while ! curl -s ldap://data:389 > /dev/null; do echo waiting for ldap to start; sleep 3; done; exec ws"
     volumes:
      - type: bind
        source: ./configs-and-secrets/grouper/grouper.properties
@@ -106,6 +106,40 @@ services:
        target: grouper_sources.xml
      - source: host-key.pem
 
+  scim:
+    build: ./scim/
+    command: bash -c "while ! curl -s data:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; while ! curl -s ldap://data:389 > /dev/null; do echo waiting for ldap to start; sleep 3; done; exec scim"
+    volumes:
+     - type: bind
+       source: ./configs-and-secrets/grouper/grouper.properties
+       target: /opt/grouper/conf/grouper.properties
+     - type: bind
+       source: ./configs-and-secrets/grouper/grouper.client.properties
+       target: /opt/grouper/conf/grouper.client.properties
+     - type: bind
+       source: ./configs-and-secrets/httpd/host-cert.pem
+       target: /etc/pki/tls/certs/host-cert.pem
+     - type: bind
+       source: ./configs-and-secrets/httpd/host-cert.pem
+       target: /etc/pki/tls/certs/cachain.pem
+    depends_on: 
+     - data
+    networks:
+     - front
+     - back
+    ports:
+     - "9443:443"
+    secrets:
+     - source: grouper.hibernate.properties
+       target: grouper_grouper.hibernate.properties
+     - source: grouper-loader.properties
+       target: grouper_grouper-loader.properties
+     - source: ldap.properties
+       target: grouper_ldap.properties
+     - source: sources.xml
+       target: grouper_sources.xml
+     - source: host-key.pem
+
   gsh:
     build: ./gsh/
     volumes:
diff --git a/test-compose/gsh/Dockerfile b/test-compose/gsh/Dockerfile
index 39421b2..3302328 100644
--- a/test-compose/gsh/Dockerfile
+++ b/test-compose/gsh/Dockerfile
@@ -2,4 +2,4 @@ FROM tier/grouper:latest
 
 MAINTAINER tier-packaging@internet2.edu <tier-packaging@internet2.edu>
 
-CMD ["bin/gsh"]
+CMD ["gsh"]
diff --git a/test-compose/scim/Dockerfile b/test-compose/scim/Dockerfile
new file mode 100644
index 0000000..c47c091
--- /dev/null
+++ b/test-compose/scim/Dockerfile
@@ -0,0 +1,7 @@
+FROM tier/grouper:latest
+
+LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
+
+COPY container_files/WEB-INF/ /opt/grouper/grouper.scim/WEB-INF/
+
+CMD ["scim"]
diff --git a/test-compose/ui/Dockerfile b/test-compose/ui/Dockerfile
index 1dd0943..e1731fd 100644
--- a/test-compose/ui/Dockerfile
+++ b/test-compose/ui/Dockerfile
@@ -2,9 +2,9 @@ FROM tier/grouper:latest
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 
-COPY WEB-INF/ /opt/grouper/grouper.ui/dist/grouper/WEB-INF/
-COPY tomcat/ /opt/tomcat/conf/
+COPY container_files/WEB-INF/ /opt/grouper/grouper.ui/WEB-INF/
+COPY container_files/tomcat/ /opt/tomcat/conf/
 
-#COPY httpd/logout.php /var/www/cgi-bin/logout.php
+#COPY container_files/httpd/logout.php /var/www/cgi-bin/logout.php
 
 CMD ["ui"]
diff --git a/test-compose/ui/WEB-INF/web.xml b/test-compose/ui/container_files/WEB-INF/web.xml
similarity index 100%
rename from test-compose/ui/WEB-INF/web.xml
rename to test-compose/ui/container_files/WEB-INF/web.xml
diff --git a/test-compose/ui/shibboleth/shibd.logger b/test-compose/ui/container_files/shibboleth/shibd.logger
similarity index 100%
rename from test-compose/ui/shibboleth/shibd.logger
rename to test-compose/ui/container_files/shibboleth/shibd.logger
diff --git a/test-compose/ui/tomcat/server.xml b/test-compose/ui/container_files/tomcat/server.xml
similarity index 100%
rename from test-compose/ui/tomcat/server.xml
rename to test-compose/ui/container_files/tomcat/server.xml
diff --git a/test-compose/ws/Dockerfile b/test-compose/ws/Dockerfile
index ea9b4c7..b163f51 100644
--- a/test-compose/ws/Dockerfile
+++ b/test-compose/ws/Dockerfile
@@ -2,7 +2,7 @@ FROM tier/grouper:latest
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 
-COPY WEB-INF/ /opt/grouper/grouper.ws/dist/grouper-ws/WEB-INF/
-COPY tomcat/ /opt/tomcat/conf/
+COPY container_files/WEB-INF/ /opt/grouper/grouper.ws/WEB-INF/
+COPY container_files/tomcat/ /opt/tomcat/conf/
 
-CMD ["/usr/bin/local/ws"]
\ No newline at end of file
+CMD ["ws"]
diff --git a/test-compose/ws/WEB-INF/web.xml b/test-compose/ws/container_files/WEB-INF/web.xml
similarity index 100%
rename from test-compose/ws/WEB-INF/web.xml
rename to test-compose/ws/container_files/WEB-INF/web.xml
diff --git a/test-compose/ws/tomcat/server.xml b/test-compose/ws/container_files/tomcat/server.xml
similarity index 100%
rename from test-compose/ws/tomcat/server.xml
rename to test-compose/ws/container_files/tomcat/server.xml