diff --git a/mariadb/Dockerfile b/mariadb-plain-password/Dockerfile
similarity index 100%
rename from mariadb/Dockerfile
rename to mariadb-plain-password/Dockerfile
diff --git a/mariadb/docker-compose.yml b/mariadb-plain-password/docker-compose.yml
similarity index 100%
rename from mariadb/docker-compose.yml
rename to mariadb-plain-password/docker-compose.yml
diff --git a/mariadb-secret/Dockerfile b/mariadb-secret/Dockerfile
new file mode 100644
index 0000000..15c489c
--- /dev/null
+++ b/mariadb-secret/Dockerfile
@@ -0,0 +1,51 @@
+#
+# Just a demonstration of how to flexibly use MariaDB running in a separate container, receiving password as a Docker secret.
+# It requires v3.9devel-274-g1b9943e or later.
+#
+# Features:
+# - see docker-compose.yml
+#
+# Limitations (will be resolved):
+# - mariadb uses default database of 'registry' and default user of 'root'
+# - JDBC password is present exclusively as a Docker secret: it would be better to have it switchable between secret and a plaintext value
+# (probably requiring more elaborate working with -D... switches)
+#
+# Building: (assumes midpoint-3.9-SNAPSHOT-dist.tar.gz is present in the current directory)
+#
+# (build tier/shib-sp-java beforehand)
+# docker build -t midpoint .
+# docker stack deploy -c docker-compose.yml mp
+#
+
+FROM tier/shib-sp-java
+
+MAINTAINER info@evolveum.com
+
+ARG MP_VERSION=3.9-SNAPSHOT
+ARG MP_DIST_FILE=midpoint-${MP_VERSION}-dist.tar.gz
+
+ENV MP_DIR /opt/midpoint
+ENV REPO_HOST mariadb
+ENV REPO_PORT 3306
+ENV REPO_USER root
+ENV REPO_PASSWORD_FILE /run/secrets/repo-password
+
+RUN mkdir -p ${MP_DIR}/var
+
+COPY ${MP_DIST_FILE} ${MP_DIR}
+
+RUN echo 'Extracting midPoint archive...' \
+ && tar xzf ${MP_DIR}/midpoint-${MP_VERSION}-dist.tar.gz -C ${MP_DIR} --strip-components=1
+
+VOLUME ${MP_DIR}/var
+
+CMD java -Xmx2048M -Xms2048M -Dfile.encoding=UTF8 \
+ -Dmidpoint.home=$MP_DIR/var \
+ -Dmidpoint.repository.database=mariadb \
+ -Dmidpoint.repository.jdbcUsername=$REPO_USER \
+ -Dmidpoint.repository.jdbcPasswordFile=$REPO_PASSWORD_FILE \
+ -Dmidpoint.repository.jdbcUrl=jdbc:mariadb://$REPO_HOST:$REPO_PORT/registry?characterEncoding=utf8 \
+ -Dmidpoint.repository.hibernateHbm2ddl=none \
+ -Dmidpoint.repository.missingSchemaAction=create \
+ -Dmidpoint.repository.initializationFailTimeout=60000 \
+ -jar $MP_DIR/lib/midpoint.war
diff --git a/mariadb-secret/docker-compose.yml b/mariadb-secret/docker-compose.yml
new file mode 100644
index 0000000..8dceb89
--- /dev/null
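Review bot: The stage in `mariadb-secret/Dockerfile` sets no `USER` and ends in a shell-form `CMD`, so unless `tier/shib-sp-java` already switches user (not visible here) the JVM runs as root and is started through `/bin/sh -c`. Creating a dedicated account and adding a `USER` line before `CMD` would limit what a compromised midPoint process can reach, including the mounted `/run/secrets/repo-password`. Starting the command with `exec` (`CMD exec java -Xmx2048M -Xms2048M ...`) keeps the `$VAR` expansion while making sure the JVM itself receives the stop signal. The `jdbcUrl` argument contains an unquoted `?`, which the shell treats as a glob character; wrapping that one argument in double quotes avoids surprises.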
+++ b/mariadb-secret/docker-compose.yml
@@ -0,0 +1,64 @@
+#
+# Composition of midPoint and TIER MariaDB containers.
+#
+# MariaDB serves as a repository for midPoint.
+#
+# Features:
+# - a separate volume for repository data (MySQL database directory), so it persists between creation/removal cycle of this stack
+# - a separate volume for midPoint home directory, containing config.xml, logs, generated encryption keys, and so on
+# - MariaDB password is presented to midPoint as a Docker secret
+#
+
+version: "3.1"
+services:
+
+ mariadb:
+ image: tier/mariadb:mariadb10
+ deploy:
+ restart_policy:
+ condition: none
+ volumes:
+ - repo-db-data:/var/lib/mysqlmounted
+ networks:
+ - webnet
+ secrets:
+ - repo-password
+
+ mariadbadminer:
+ image: adminer
+ deploy:
+ restart_policy:
+ condition: none
+ depends_on:
+ - mariadb
+ ports:
+ - 18080:8080
+ networks:
+ - webnet
+
+ midpoint:
+ image: midpoint
+ deploy:
+ restart_policy:
+ condition: none
+ depends_on:
+ - mariadb
+ ports:
+ - 8080:8080
+ volumes:
+ - midpoint-home:/opt/midpoint/var # change this if MP_DIR changes
+ networks:
+ - webnet
+ secrets:
+ - repo-password
+
+networks:
+ webnet:
+
+volumes:
+ repo-db-data:
+ midpoint-home:
+
+secrets:
+ repo-password:
+ file: repo-password.txt
diff --git a/mariadb-secret/repo-password.txt b/mariadb-secret/repo-password.txt
new file mode 100644
index 0000000..28d983e
--- /dev/null
+++ b/mariadb-secret/repo-password.txt
@@ -0,0 +1 @@
+123321
diff --git a/shib-sp-java/Dockerfile b/shib-sp-java/Dockerfile
new file mode 100644
index 0000000..51f2a15
--- /dev/null
+++ b/shib-sp-java/Dockerfile
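Review bot: The `mariadbadminer` service in `mariadb-secret/docker-compose.yml` publishes a database administration UI on host port 18080 with no access restriction visible in the file, on the same `webnet` network as a MariaDB that midPoint reaches as `root`. Outside a local demo, drop its `ports:` entry (or the whole service) and reach Adminer through an operator-only path; at minimum a comment such as `# demo only: publishes the DB admin UI on 18080` above the service would make the intent explicit. The `adminer` and `midpoint` images are also referenced without a tag, so the stack runs whatever `latest` resolves to at deploy time. Separately, `repo-password` is attached to `mariadb`, but nothing in this hunk tells the database to read it, so whether the secret and the actual root password stay in sync depends on the `tier/mariadb` image and should be confirmed.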
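Review bot: `mariadb-secret/repo-password.txt` commits the repository database password, a short numeric value, to version control, so every clone and the project history hold the credential that the compose file mounts as the `repo-password` secret. Keep only a placeholder in the repository, for example rename the file to `repo-password.txt.example` and add `repo-password.txt` to `.gitignore`. Alternatively declare the secret as `external: true` in the compose file and create it on the swarm with `docker secret create`. If this value is in use on any shared instance, it should be rotated.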
@@ -0,0 +1,27 @@
+#
+# An image that derives from shib-sp and contains a Java implementation.
+#
+# PRELIMINARY VERSION
+#
+# TODO:
+# - provide TIER-approved Java here
+#
+
+FROM tier/shib-sp
+
+ARG maintainer=tier
+ARG imagename=siteadmin-sp
+ARG version=1.0
+
+MAINTAINER $maintainer
+LABEL Vendor="Internet2"
+LABEL ImageType="SP"
+LABEL ImageName=$imagename
+LABEL ImageOS=centos7
+LABEL Version=$version
+
+LABEL Build docker build --rm --tag $maintainer/$imagename .
+
+# TODO switch to other appropriate Java implementation
+
+RUN yum -y install java-1.8.0-openjdk
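Review bot: `FROM tier/shib-sp` in `shib-sp-java/Dockerfile` carries no tag or digest, so each build resolves whatever `latest` is at that moment and the Java layer lands on a base nobody reviewed. Pin it, e.g. `FROM tier/shib-sp:<release-tag>` (placeholder; the published tags are not shown in this commit). The final `RUN yum -y install java-1.8.0-openjdk` leaves the yum cache in the layer and installs an unpinned package; `RUN yum -y install java-1.8.0-openjdk && yum clean all` removes the cache in the same layer. `MAINTAINER` is deprecated in favour of a `LABEL`, and the `LABEL Build docker build ...` line uses the legacy space-separated form where `LABEL Build="docker build --rm --tag $maintainer/$imagename ."` would be unambiguous.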