From 799dbbdaaddc23cd31ef7bcadaec2f54970fa03a Mon Sep 17 00:00:00 2001 
From: John Gasper Date: Mon, 27 Aug 2018 17:02:35 -0700 Subject: [PATCH] Completed: ex401.2.1, 401.2.2, 401.2.3, and 401.2.4 --- ex401/ex401.2.1/Dockerfile | 24 +++ .../container_files/seed-data/bootstrap.gsh | 0 .../container_files/seed-data/sisData.sql | 0 .../container_files/seed-data/users.ldif | 0 ex401/ex401.2.2/Dockerfile | 24 +++ .../container_files/seed-data/bootstrap.gsh | 12 ++ .../container_files/seed-data/sisData.sql | 0 .../container_files/seed-data/users.ldif | 0 ex401/ex401.2.3/Dockerfile | 27 +++ .../container_files/grouper-loader.properties | 100 +++++++++ .../container_files/seed-data/bootstrap.gsh | 15 ++ .../container_files/seed-data/sisData.sql | 0 .../container_files/seed-data/users.ldif | 0 ex401/ex401.2.4/Dockerfile | 27 +++ .../idp/conf/authn/general-authn.xml | 176 ++++++++++++++++ .../idp/conf/authn/mfa-authn-config.xml | 99 +++++++++ .../container_files/idp/conf/idp.properties | 195 ++++++++++++++++++ .../flows/authn/Gaspo/gaspo-authn-beans.xml | 25 +++ .../flows/authn/Gaspo/gaspo-authn-flow.xml | 32 +++ .../container_files/idp/views/gaspo.vm | 62 ++++++ .../container_files/seed-data/bootstrap.gsh | 0 .../container_files/seed-data/sisData.sql | 0 .../container_files/seed-data/users.ldif | 0 manualBuild.sh | 4 + 24 files changed, 822 insertions(+) create mode 100644 ex401/ex401.2.1/Dockerfile create mode 100644 ex401/ex401.2.1/container_files/seed-data/bootstrap.gsh create mode 100644 ex401/ex401.2.1/container_files/seed-data/sisData.sql create mode 100644 ex401/ex401.2.1/container_files/seed-data/users.ldif create mode 100644 ex401/ex401.2.2/Dockerfile create mode 100644 ex401/ex401.2.2/container_files/seed-data/bootstrap.gsh create mode 100644 ex401/ex401.2.2/container_files/seed-data/sisData.sql create mode 100644 ex401/ex401.2.2/container_files/seed-data/users.ldif create mode 100644 ex401/ex401.2.3/Dockerfile create mode 100644 ex401/ex401.2.3/container_files/grouper-loader.properties create mode 100644 
ex401/ex401.2.3/container_files/seed-data/bootstrap.gsh create mode 100644 ex401/ex401.2.3/container_files/seed-data/sisData.sql create mode 100644 ex401/ex401.2.3/container_files/seed-data/users.ldif create mode 100644 ex401/ex401.2.4/Dockerfile create mode 100644 ex401/ex401.2.4/container_files/idp/conf/authn/general-authn.xml create mode 100644 ex401/ex401.2.4/container_files/idp/conf/authn/mfa-authn-config.xml create mode 100644 ex401/ex401.2.4/container_files/idp/conf/idp.properties create mode 100644 ex401/ex401.2.4/container_files/idp/flows/authn/Gaspo/gaspo-authn-beans.xml create mode 100644 ex401/ex401.2.4/container_files/idp/flows/authn/Gaspo/gaspo-authn-flow.xml create mode 100644 ex401/ex401.2.4/container_files/idp/views/gaspo.vm create mode 100644 ex401/ex401.2.4/container_files/seed-data/bootstrap.gsh create mode 100644 ex401/ex401.2.4/container_files/seed-data/sisData.sql create mode 100644 ex401/ex401.2.4/container_files/seed-data/users.ldif diff --git a/ex401/ex401.2.1/Dockerfile b/ex401/ex401.2.1/Dockerfile new file mode 100644 index 0000000..6ec4b10 --- /dev/null +++ b/ex401/ex401.2.1/Dockerfile 
@@ -0,0 +1,24 @@
+FROM tier/grouper-training-env:ex401.1.end
+
+LABEL author="tier-packaging@internet2.edu " \
+ Vendor="TIER" \
+ ImageType="Grouper Training" \
+ ImageName=$imagename \
+ ImageOS=centos7
+
+ENV USERTOKEN=ex401.2.1
+
+COPY container_files/seed-data/ /seed-data/
+
+RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
+ && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+ (mysqld_safe & ) \
+ && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+ cd /opt/grouper/grouper.apiBinary \
+ && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
+ && mysql grouper < /seed-data/sisData.sql \
+ && bin/gsh /seed-data/bootstrap.gsh \
+ && pkill -HUP slapd \
+ && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+ pkill -u mysql mysqld \
+ && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/ex401/ex401.2.1/container_files/seed-data/bootstrap.gsh b/ex401/ex401.2.1/container_files/seed-data/bootstrap.gsh
new file mode 100644
index 0000000..e69de29
diff --git a/ex401/ex401.2.1/container_files/seed-data/sisData.sql b/ex401/ex401.2.1/container_files/seed-data/sisData.sql
new file mode 100644
index 0000000..e69de29
diff --git a/ex401/ex401.2.1/container_files/seed-data/users.ldif b/ex401/ex401.2.1/container_files/seed-data/users.ldif
new file mode 100644
index 0000000..e69de29
diff --git a/ex401/ex401.2.2/Dockerfile b/ex401/ex401.2.2/Dockerfile
new file mode 100644
index 0000000..eb1dc4b
--- /dev/null
+++ b/ex401/ex401.2.2/Dockerfile
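Review bot: A failure in the seeding chain (`ldapadd`, `mysql grouper < ...`, `bin/gsh`) does not fail the build: the `;` after each wait loop starts a fresh command list, so the RUN's exit status is that of the final `while curl -s localhost:3306 ...` loop, which always returns 0, and an image with missing or partial seed data is tagged as if it were good. Terminate the seed chain explicitly, changing `&& bin/gsh /seed-data/bootstrap.gsh \` to `&& bin/gsh /seed-data/bootstrap.gsh || exit 1; \` and starting the next line as `pkill -HUP slapd \`. Note also that all three seed files in this exercise are empty blobs (`e69de29`), so this RUN currently seeds nothing; I have not confirmed whether `ldapadd -f` on an empty file exits 0, which the fix above would now surface.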
@@ -0,0 +1,24 @@
+FROM tier/grouper-training-env:ex401.2.1
+
+LABEL author="tier-packaging@internet2.edu " \
+ Vendor="TIER" \
+ ImageType="Grouper Training" \
+ ImageName=$imagename \
+ ImageOS=centos7
+
+ENV USERTOKEN=ex401.2.2
+
+COPY container_files/seed-data/ /seed-data/
+
+RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
+ && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+ (mysqld_safe & ) \
+ && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+ cd /opt/grouper/grouper.apiBinary \
+ && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
+ && mysql grouper < /seed-data/sisData.sql \
+ && bin/gsh /seed-data/bootstrap.gsh \
+ && pkill -HUP slapd \
+ && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+ pkill -u mysql mysqld \
+ && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/ex401/ex401.2.2/container_files/seed-data/bootstrap.gsh b/ex401/ex401.2.2/container_files/seed-data/bootstrap.gsh
new file mode 100644
index 0000000..a88aa2a
--- /dev/null
+++ b/ex401/ex401.2.2/container_files/seed-data/bootstrap.gsh
@@ -0,0 +1,12 @@
+gs = GrouperSession.startRootSession();
+
+addStem("app", "mfa", "mfa");
+addGroup("app:mfa", "mfa_enabled", "mfa_enabled");
+addGroup("app:mfa", "mfa_allow", "mfa_allow");
+addGroup("app:mfa", "mfa_deny", "mfa_deny");
+addComposite("app:mfa:mfa_enabled", CompositeType.COMPLEMENT, "app:mfa:mfa_allow", "app:mfa:mfa_deny");
+
+addStem("app:mfa", "ref", "ref");
+addGroup("app:mfa:ref", "pilot", "pilot");
+
+addMember("app:mfa:mfa_allow", "app:mfa:ref:pilot");
diff --git a/ex401/ex401.2.2/container_files/seed-data/sisData.sql b/ex401/ex401.2.2/container_files/seed-data/sisData.sql
new file mode 100644
index 0000000..e69de29
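Review bot: The LDAP root DN's bind password is passed on the command line, `ldapadd -x -D cn=root,dc=internet2,dc=edu -w password ...`, so it is recorded verbatim in the image layer history (`docker history`) and in every build log, and is visible in the process list while the build runs. Even in a training image where `password` is the documented default, keep it out of the RUN text: read it with `-y /seed-data/ldap.pass` from a file deleted in the same RUN, or, since slapd is already listening on `ldapi:///`, bind with `-H ldapi:/// -Y EXTERNAL` if the base image's slapd config maps the build user's uid to the root DN (I cannot confirm that mapping from this diff). The same line appears in the ex401.2.1, 2.3 and 2.4 Dockerfiles.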
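Review bot: The `addComposite("app:mfa:mfa_enabled", CompositeType.COMPLEMENT, ...)` line encodes the whole access policy of the exercise but carries no explanation, and `app:mfa:mfa_deny` is created with no members and no comment on who is expected to populate it. A short header would let the next reader (or trainee) understand the model without looking up the composite semantics: `// mfa_enabled = mfa_allow MINUS mfa_deny: a subject in mfa_deny never gets MFA enabled, even if allowed via pilot.` above the `addComposite` call, and `// mfa_deny is intentionally empty here; it is the operator's opt-out list` above the `addGroup("app:mfa", "mfa_deny", ...)` line.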
diff --git a/ex401/ex401.2.2/container_files/seed-data/users.ldif b/ex401/ex401.2.2/container_files/seed-data/users.ldif
new file mode 100644
index 0000000..e69de29
diff --git a/ex401/ex401.2.3/Dockerfile b/ex401/ex401.2.3/Dockerfile
new file mode 100644
index 0000000..fded027
--- /dev/null
+++ b/ex401/ex401.2.3/Dockerfile
@@ -0,0 +1,27 @@
+FROM tier/grouper-training-env:ex401.2.2
+
+LABEL author="tier-packaging@internet2.edu " \
+ Vendor="TIER" \
+ ImageType="Grouper Training" \
+ ImageName=$imagename \
+ ImageOS=centos7
+
+ENV USERTOKEN=ex401.2.3
+
+COPY container_files/seed-data/ /seed-data/
+COPY container_files/grouper-loader.properties /opt/grouper/conf/
+
+RUN . /usr/local/bin/library.sh \
+ && prepConf; \
+ (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
+ && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+ (mysqld_safe & ) \
+ && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+ cd /opt/grouper/grouper.apiBinary \
+ && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
+ && mysql grouper < /seed-data/sisData.sql \
+ && bin/gsh /seed-data/bootstrap.gsh \
+ && pkill -HUP slapd \
+ && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+ pkill -u mysql mysqld \
+ && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/ex401/ex401.2.3/container_files/grouper-loader.properties b/ex401/ex401.2.3/container_files/grouper-loader.properties
new file mode 100644
index 0000000..6df4abe
--- /dev/null
+++ b/ex401/ex401.2.3/container_files/grouper-loader.properties
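Review bot: The mysqld readiness probe `while ! curl -s localhost:3306 > /dev/null` only works because the curl shipped with CentOS 7 accepts MySQL's non-HTTP greeting as an HTTP/0.9 reply and exits 0; as far as I know curl 7.66 and later reject HTTP/0.9 by default and exit non-zero, so on a newer base the loop would never terminate (and the stop loop at the end would exit immediately while mysqld is still up). A protocol-aware check avoids the dependency: `&& while ! mysqladmin ping --silent; do echo waiting for mysqld to start; sleep 3; done; \` and, for the shutdown wait, `&& while mysqladmin ping --silent; do echo waiting for mysqld to stop; sleep 1; done`. The `prepConf` call comes from `/usr/local/bin/library.sh`, which is outside this diff, so I cannot tell whether it rewrites the copied `grouper-loader.properties` or merely validates it.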
@@ -0,0 +1,100 @@ +#specify the consumers here. specify the consumer name after the changeLog.consumer. part. This example is "psp" +#but it could be changeLog.consumer.myConsumerName.class +#the class must extend edu.internet2.middleware.grouper.changeLog.ChangeLogConsumerBase +#changeLog.consumer.psp.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer + +#the quartz cron is a cron-like string. it defaults to every minute on the minute (since the temp to change log job runs +#at 10 seconds to each minute). it defaults to this: 0 * * * * ? +#though it will stagger each one by 2 seconds +# http://www.quartz-scheduler.org/documentation/quartz-1.x/tutorials/crontrigger +#changeLog.consumer.psp.quartzCron = 0 * * * * ? + +# To retry processing a change log entry if an error occurs, set retryOnError to true. Defaults to false. +#changeLog.consumer.psp.retryOnError = false + +# To run full provisioning synchronizations periodically, provide the class name which provides a 'public void fullSync()' method. +#changeLog.psp.fullSync.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer + +# Schedule full synchronizations. Defaults to 5 am : 0 0 5 * * ?. +#changeLog.psp.fullSync.quartzCron = 0 0 5 * * ? + +# Run a full synchronization job at startup. Defaults to false. +#changeLog.psp.fullSync.runAtStartup = false + +# Omit diff responses from bulk response to conserve memory. +#changeLog.psp.fullSync.omitDiffResponses = true + +# Omit sync responses from bulk response to conserve memory. +#changeLog.psp.fullSync.omitSyncResponses = true + +################################# +## LDAP connections +################################# +# specify the ldap connection with user, pass, url +# the string after "ldap." is the ID of the connection, and it should not have +# spaces or other special chars in it. In this case is it "personLdap" + +#note the URL should start with ldap: or ldaps: if it is SSL. 
+#It should contain the server and port (optional if not default), and baseDn, +#e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu +ldap.demo.url = ldap://localhost:389/ + +#optional, if authenticated +ldap.demo.user = cn=root,dc=internet2,dc=edu + +#optional, if authenticated note the password can be stored encrypted in an external file +ldap.demo.pass = password + +#optional, if you are using tls, set this to true. Generally you will not be using an SSL URL to use TLS... +ldap.demo.tls = false + +#optional, if using sasl +#ldap.personLdap.saslAuthorizationId = +#ldap.personLdap.saslRealm = + +#optional (note, time limit is for search operations, timeout is for connection timeouts), +#most of these default to vt-ldap defaults. times are in millis +#validateOnCheckout defaults to true if all other validate methods are false +#ldap.personLdap.batchSize = +#ldap.personLdap.countLimit = +#ldap.personLdap.timeLimit = +#ldap.personLdap.timeout = +#ldap.personLdap.minPoolSize = +#ldap.personLdap.maxPoolSize = +#ldap.personLdap.validateOnCheckIn = +#ldap.personLdap.validateOnCheckOut = +#ldap.personLdap.validatePeriodically = +#ldap.personLdap.validateTimerPeriod = +#ldap.personLdap.pruneTimerPeriod = +#if connections expire after a certain amount of time, this is it, in millis, defaults to 300000 (5 minutes) +#ldap.personLdap.expirationTime = + +#make the paths fully qualified and not relative to the loader group. +loader.ldap.requireTopStemAsStemFromConfigGroup=false + +changeLog.consumer.pspng_groupOfNames.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim +changeLog.consumer.pspng_groupOfNames.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner +changeLog.consumer.pspng_groupOfNames.quartzCron = 0 * * * * ? 
+changeLog.consumer.pspng_groupOfNames.ldapPoolName = demo +changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false +changeLog.consumer.pspng_groupOfNames.memberAttributeName = member +changeLog.consumer.pspng_groupOfNames.memberAttributeValueFormat = ${ldapUser.getDn()} +changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups,dc=internet2,dc=edu +changeLog.consumer.pspng_groupOfNames.allGroupsSearchFilter = objectclass=groupOfNames +changeLog.consumer.pspng_groupOfNames.singleGroupSearchFilter = (&(objectclass=groupOfNames)(cn=${group.name})) +changeLog.consumer.pspng_groupOfNames.groupSearchAttributes = cn,objectclass +changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfNames +changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people,dc=internet2,dc=edu +changeLog.consumer.pspng_groupOfNames.userSearchFilter = uid=${subject.id} +changeLog.consumer.pspng_groupOfNames.grouperIsAuthoritative = true + + +changeLog.consumer.pspng_entitlements.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim +changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner +changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ? +changeLog.consumer.pspng_entitlements.ldapPoolName = demo +changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement +changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = urn:mace:example.edu:${group.extension} +changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu +changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id} +changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=urn:mace:example.edu: diff --git a/ex401/ex401.2.3/container_files/seed-data/bootstrap.gsh b/ex401/ex401.2.3/container_files/seed-data/bootstrap.gsh new file mode 100644 index 0000000..ee6c5af 
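Review bot: `ldap.demo.pass = password` puts the LDAP root DN's bind password in clear text in a file that is committed to the repository and copied into the image in the ex401.2.3 Dockerfile; the comment directly above it already says the loader can read the password from an external encrypted file, so point the property at a file that is not checked in rather than inlining the value. The bind goes to `ldap://localhost:389/` with `ldap.demo.tls = false`, which is acceptable only because the directory is in the same container; a one-line comment saying so would stop the block being copied into a networked deployment. `changeLog.consumer.pspng_groupOfNames.grouperIsAuthoritative = true` also deserves a warning: if I read PSPNG's semantics correctly, it lets full syncs delete groups and members under `ou=groups,dc=internet2,dc=edu` that Grouper does not know about, so add `# Grouper is authoritative: full syncs remove LDAP groups/members not present in Grouper - do not point this at a shared OU` above it.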
--- /dev/null
+++ b/ex401/ex401.2.3/container_files/seed-data/bootstrap.gsh
@@ -0,0 +1,15 @@
+gs = GrouperSession.startRootSession();
+
+//Assign the PSPNG attribute for the standard groups
+group = GroupFinder.findByName(gs, "app:mfa:mfa_enabled");
+
+# Auto create the PSPNG attributes
+edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_groupOfNames");
+
+pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true);
+//pspngAttributeDef = AttributeDefFinder.findByName("etc:pspng:provision_to_def", true);
+AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
+attributeAssignSave.assignAttributeDefName(pspngAttribute);
+attributeAssignSave.assignOwnerGroup(group);
+attributeAssignSave.addValue("pspng_entitlements");
+attributeAssignSave.save();
\ No newline at end of file
diff --git a/ex401/ex401.2.3/container_files/seed-data/sisData.sql b/ex401/ex401.2.3/container_files/seed-data/sisData.sql
new file mode 100644
index 0000000..e69de29
diff --git a/ex401/ex401.2.3/container_files/seed-data/users.ldif b/ex401/ex401.2.3/container_files/seed-data/users.ldif
new file mode 100644
index 0000000..e69de29
diff --git a/ex401/ex401.2.4/Dockerfile b/ex401/ex401.2.4/Dockerfile
new file mode 100644
index 0000000..2688478
--- /dev/null
+++ b/ex401/ex401.2.4/Dockerfile
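Review bot: `# Auto create the PSPNG attributes` uses a shell-style comment marker, but every other comment in this script uses `//`, and neither the Groovy nor the BeanShell gsh interpreter treats `#` as a comment, so this line is very likely a parse error that stops the script before any attribute is assigned; the Dockerfile's `bin/gsh /seed-data/bootstrap.gsh` failure would currently go unnoticed because the RUN does not propagate it. Change it to `// Auto create the PSPNG attributes`. The `getFullSyncer("pspng_groupOfNames")` call is invoked purely for its side effect of creating the `etc:pspng:provision_to` attribute that the next line looks up, while the value actually assigned is `pspng_entitlements`; that asymmetry reads like a mistake, so spell it out: `// getFullSyncer() is called only to create etc:pspng:provision_to; the group is then tagged for the pspng_entitlements provisioner`. The file also lacks a trailing newline.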
@@ -0,0 +1,27 @@ +FROM tier/grouper-training-env:ex401.2.3 + +LABEL author="tier-packaging@internet2.edu " \ + Vendor="TIER" \ + ImageType="Grouper Training" \ + ImageName=$imagename \ + ImageOS=centos7 + +ENV USERTOKEN=ex401.2.4 + +COPY container_files/seed-data/ /seed-data/ +COPY container_files/idp/ /opt/shibboleth-idp/ + +RUN . /usr/local/bin/library.sh \ + && prepConf; \ + (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \ + && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \ + (mysqld_safe & ) \ + && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \ + cd /opt/grouper/grouper.apiBinary \ + && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \ + && mysql grouper < /seed-data/sisData.sql \ + && bin/gsh /seed-data/bootstrap.gsh \ + && pkill -HUP slapd \ + && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \ + pkill -u mysql mysqld \ + && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done diff --git a/ex401/ex401.2.4/container_files/idp/conf/authn/general-authn.xml b/ex401/ex401.2.4/container_files/idp/conf/authn/general-authn.xml new file mode 100644 index 0000000..d171696 --- /dev/null +++ b/ex401/ex401.2.4/container_files/idp/conf/authn/general-authn.xml @@ -0,0 +1,176 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + diff --git a/ex401/ex401.2.4/container_files/idp/conf/authn/mfa-authn-config.xml b/ex401/ex401.2.4/container_files/idp/conf/authn/mfa-authn-config.xml new file mode 100644 index 0000000..3121865 --- /dev/null +++ b/ex401/ex401.2.4/container_files/idp/conf/authn/mfa-authn-config.xml @@ -0,0 +1,99 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
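Review bot: `COPY container_files/idp/ /opt/shibboleth-idp/` replaces entire IdP configuration files (`conf/idp.properties` at 195 lines, `conf/authn/general-authn.xml`) to change a handful of settings, so every future base-image upgrade silently reverts to these copies and their embedded defaults; overriding only the changed keys (an extra file listed in `idp.additionalProperties`, or a `sed` on the specific properties) keeps the exercise image tracking the base. `ImageName=$imagename` in the `LABEL` has no matching `ARG imagename` in this Dockerfile, so unless it is declared in the base image the label expands to an empty string. The `general-authn.xml` and `mfa-authn-config.xml` hunks carry no content on this page, so their MFA flow wiring is not reviewed here.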
diff --git a/ex401/ex401.2.4/container_files/idp/conf/idp.properties b/ex401/ex401.2.4/container_files/idp/conf/idp.properties new file mode 100644 index 0000000..73e64ca --- /dev/null +++ b/ex401/ex401.2.4/container_files/idp/conf/idp.properties 
@@ -0,0 +1,195 @@ +# Load any additional property resources from a comma-delimited list +idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties + +# Set the entityID of the IdP +idp.entityID= https://idptestbed/idp/shibboleth + +# Set the scope used in the attribute resolver for scoped attributes +idp.scope= example.edu + +# General cookie properties (maxAge only applies to persistent cookies) +#idp.cookie.secure = false +#idp.cookie.httpOnly = true +#idp.cookie.domain = +#idp.cookie.path = +#idp.cookie.maxAge = 31536000 + +# Set the location of user-supplied web flow definitions +#idp.webflows = %{idp.home}/flows + +# Set the location of Velocity view templates +#idp.views = %{idp.home}/views + +# Settings for internal AES encryption key +#idp.sealer.storeType = JCEKS +#idp.sealer.updateInterval = PT15M +#idp.sealer.aliasBase = secret +idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks +idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver +idp.sealer.storePassword= password +idp.sealer.keyPassword= password + +# Settings for public/private signing and encryption key(s) +# During decryption key rollover, point the ".2" properties at a second +# keypair, uncomment in credentials.xml, then publish it in your metadata. 
+idp.signing.key= %{idp.home}/credentials/idp-signing.key +idp.signing.cert= %{idp.home}/credentials/idp-signing.crt +idp.encryption.key= %{idp.home}/credentials/idp-encryption.key +idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt +#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key +#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt + +# Sets the bean ID to use as a default security configuration set +#idp.security.config = shibboleth.DefaultSecurityConfiguration + +# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1 +#idp.signing.config = shibboleth.SigningConfiguration.SHA256 + +# Configures trust evaluation of keys used by services at runtime +# Defaults to supporting both explicit key and PKIX using SAML metadata. +#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine +# To pick only one set to one of: +# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine +#idp.trust.certificates = shibboleth.ChainingX509TrustEngine +# To pick only one set to one of: +# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine + +# If true, encryption will happen whenever a key to use can be located, but +# failure to encrypt won't result in request failure. 
+#idp.encryption.optional = false + +# Configuration of client- and server-side storage plugins +#idp.storage.cleanupInterval = PT10M +#idp.storage.htmlLocalStorage = false + +# Set to true to expose more detailed errors in responses to SPs +#idp.errors.detailed = false +# Set to false to skip signing of SAML response messages that signal errors +#idp.errors.signed = true +# Name of bean containing a list of Java exception classes to ignore +#idp.errors.excludedExceptions = ExceptionClassListBean +# Name of bean containing a property set mapping exception names to views +#idp.errors.exceptionMappings = ExceptionToViewPropertyBean +# Set if a different default view name for events and exceptions is needed +#idp.errors.defaultView = error + +# Set to false to disable the IdP session layer +#idp.session.enabled = true + +# Set to "shibboleth.StorageService" for server-side storage of user sessions +#idp.session.StorageService = shibboleth.ClientSessionStorageService +idp.session.StorageService = shibboleth.StorageService + +# Size of session IDs +#idp.session.idSize = 32 +# Bind sessions to IP addresses +#idp.session.consistentAddress = true +# Inactivity timeout +#idp.session.timeout = PT60M +# Extra time to store sessions for logout +#idp.session.slop = PT0S +# Tolerate storage-related errors +#idp.session.maskStorageFailure = false +# Track information about SPs logged into +#idp.session.trackSPSessions = false +# Support lookup by SP for SAML logout +#idp.session.secondaryServiceIndex = false +# Length of time to track SP sessions +#idp.session.defaultSPlifetime = PT2H + +# Regular expression matching login flows to enable, e.g. IPAddress|Password +idp.authn.flows= MFA + +# Regular expression of forced "initial" methods when no session exists, +# usually in conjunction with the idp.authn.resolveAttribute property below. 
+#idp.authn.flows.initial = Password + +# Set to an attribute ID to resolve prior to selecting authentication flows; +# its values are used to filter the flows to allow. +#idp.authn.resolveAttribute = eduPersonAssurance + +# Default lifetime and timeout of various authentication methods +#idp.authn.defaultLifetime = PT60M +#idp.authn.defaultTimeout = PT30M + +# Whether to prioritize "active" results when an SP requests more than +# one possible matching login method (V2 behavior was to favor them) +#idp.authn.favorSSO = true + +# Whether to fail requests when a user identity after authentication +# doesn't match the identity in a pre-existing session. +#idp.authn.identitySwitchIsError = false + +# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent +#idp.consent.StorageService = shibboleth.ClientPersistentStorageService + +# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute +# to key user consent storage records (and set the attribute name) +#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey +#idp.consent.userStorageKeyAttribute = uid + +# Flags controlling how built-in attribute consent feature operates +#idp.consent.allowDoNotRemember = true +#idp.consent.allowGlobal = true +#idp.consent.allowPerAttribute = false + +# Whether attribute values and terms of use text are compared +#idp.consent.compareValues = false +# Maximum number of consent records for space-limited storage (e.g. cookies) +#idp.consent.maxStoredRecords = 10 +# Maximum number of consent records for larger/server-side storage (0 = no limit) +#idp.consent.expandedMaxStoredRecords = 0 + +# Time in milliseconds to expire consent storage records. +#idp.consent.storageRecordLifetime = P1Y + +# Whether to lookup metadata, etc. for every SP involved in a logout +# for use by user interface logic; adds overhead so off by default. +#idp.logout.elaboration = false + +# Whether to require logout requests be signed/authenticated. 
+#idp.logout.authenticated = true + +# Message freshness and replay cache tuning +#idp.policy.messageLifetime = PT3M +#idp.policy.clockSkew = PT3M + +# Set to custom bean for alternate storage of replay cache +#idp.replayCache.StorageService = shibboleth.StorageService + +# Toggles whether to allow outbound messages via SAML artifact +#idp.artifact.enabled = true +# Suppresses typical signing/encryption when artifact binding used +#idp.artifact.secureChannel = true +# May differ to direct SAML 2 artifact lookups to specific server nodes +#idp.artifact.endpointIndex = 2 +# Set to custom bean for alternate storage of artifact map state +#idp.artifact.StorageService = shibboleth.StorageService + +# Name of access control policy for various admin flows +idp.status.accessPolicy= AccessByIPAddress +idp.resolvertest.accessPolicy= AccessByIPAddress +idp.reload.accessPolicy= AccessByIPAddress + +# Comma-delimited languages to use if not match can be found with the +# browser-supported languages, defaults to an empty list. +idp.ui.fallbackLanguages= en,fr,de + +# Storage service used by CAS protocol +# Defaults to shibboleth.StorageService (in-memory) +# MUST be server-side storage (e.g. in-memory, memcached, database) +# NOTE that idp.session.StorageService requires server-side storage +# when CAS protocol is enabled +idp.cas.StorageService=shibboleth.StorageService + +# CAS service registry implementation class +#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry + +# Profile flows in which the ProfileRequestContext should be exposed +# in servlet request under the key "opensamlProfileRequestContext" +#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO + +# F-TICKS auditing - set salt to include hashed username +#idp.fticks.federation=MyFederation +#idp.fticks.algorithm=SHA-256 +#idp.fticks.salt=somethingsecret 
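Review bot: `idp.sealer.storePassword= password` and `idp.sealer.keyPassword= password` protect `credentials/sealer.jks`, the keystore holding the DataSealer keys that encrypt the IdP's client-side session and consent state; with the trivial value committed to git and baked into the image, anyone holding the image (or the keystore) can decrypt or forge that state. The installer-generated `idp.properties` normally carries a random value here, so keep it: move both properties into a file that is not checked in and list it in `idp.additionalProperties`. Separately, `idp.cookie.secure` is left at its commented default of `false` while the entityID is `https://idptestbed/idp/shibboleth`; set `idp.cookie.secure = true` so session cookies are never sent over plain HTTP. `idp.authn.flows= MFA` enables only the MFA flow, whose configuration (`mfa-authn-config.xml`) is not visible on this page.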
diff --git a/ex401/ex401.2.4/container_files/idp/flows/authn/Gaspo/gaspo-authn-beans.xml b/ex401/ex401.2.4/container_files/idp/flows/authn/Gaspo/gaspo-authn-beans.xml new file mode 100644 index 0000000..2a19a15 --- /dev/null +++ b/ex401/ex401.2.4/container_files/idp/flows/authn/Gaspo/gaspo-authn-beans.xml @@ -0,0 +1,25 @@ + + + + + + + + + + diff --git a/ex401/ex401.2.4/container_files/idp/flows/authn/Gaspo/gaspo-authn-flow.xml b/ex401/ex401.2.4/container_files/idp/flows/authn/Gaspo/gaspo-authn-flow.xml new file mode 100644 index 0000000..fc1399d --- /dev/null +++ b/ex401/ex401.2.4/container_files/idp/flows/authn/Gaspo/gaspo-authn-flow.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/ex401/ex401.2.4/container_files/idp/views/gaspo.vm b/ex401/ex401.2.4/container_files/idp/views/gaspo.vm new file mode 100644 index 0000000..235d960 --- /dev/null +++ b/ex401/ex401.2.4/container_files/idp/views/gaspo.vm @@ -0,0 +1,62 @@ +## +## Velocity Template for Gaspo login view-state +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## authenticationContext - context with authentication request information +## rpUIContext - the context with SP UI information from the metadata +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + + + #springMessageText("idp.title", "Web Login Service") + + + +
+
+
+ #springMessageText( +
+ +
+
+ + Please check your authenticator and click proceed below. + +
+ + +
+ +

+ Cancel this Request +

+
+ +
+
+ + +
+ + diff --git a/ex401/ex401.2.4/container_files/seed-data/bootstrap.gsh b/ex401/ex401.2.4/container_files/seed-data/bootstrap.gsh new file mode 100644 index 0000000..e69de29 diff --git a/ex401/ex401.2.4/container_files/seed-data/sisData.sql b/ex401/ex401.2.4/container_files/seed-data/sisData.sql new file mode 100644 index 0000000..e69de29 diff --git a/ex401/ex401.2.4/container_files/seed-data/users.ldif b/ex401/ex401.2.4/container_files/seed-data/users.ldif new file mode 100644 index 0000000..e69de29 diff --git a/manualBuild.sh b/manualBuild.sh index 6930bf7..648129c 100755 --- a/manualBuild.sh +++ b/manualBuild.sh @@ -7,6 +7,10 @@ docker build --pull --tag=tier/grouper-training-env:base base/ \ && docker build --tag=tier/grouper-training-env:ex401.1.5 ex401/ex401.1.5 \ && docker build --tag=tier/grouper-training-env:ex401.1.6 ex401/ex401.1.6 \ && docker build --tag=tier/grouper-training-env:ex401.1.end ex401/ex401.1.end \ +&& docker build --tag=tier/grouper-training-env:ex401.2.1 ex401/ex401.2.1 \ +&& docker build --tag=tier/grouper-training-env:ex401.2.2 ex401/ex401.2.2 \ +&& docker build --tag=tier/grouper-training-env:ex401.2.3 ex401/ex401.2.3 \ +&& docker build --tag=tier/grouper-training-env:ex401.2.4 ex401/ex401.2.4 if [[ "$OSTYPE" == "darwin"* ]]; then say build complete
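Review bot: The visible text of this view, "Please check your authenticator and click proceed below." with a proceed form and a "Cancel this Request" link, describes a screen that is completed by a button press alone; the template header lists the context objects but never says what the proceed submission signals to `gaspo-authn-flow.xml` (whose body is not captured on this page). If the flow treats the proceed event as a successful second factor, this is a confirmation prompt rather than an MFA check, and that should be stated at the top of the template so the stub is not mistaken for a real authenticator step, e.g. `## NOTE: training stub - the proceed button completes the Gaspo flow without verifying any second factor; not for production use`. Also confirm the form carries the same `csrfToken` hidden input the stock `login.vm` uses, since the markup itself is not visible here.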