diff --git a/Dockerfile b/Dockerfile
index 8044503..03c121f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,7 +22,6 @@ RUN rm /etc/shibboleth/sp-signing-key.pem /etc/shibboleth/sp-signing-cert.pem  /
 
 COPY container_files/supervisor/supervisord.conf /etc/supervisor/supervisord.conf
 COPY container_files/httpd/conf/* /etc/httpd/conf.d/
-COPY container_files/shibboleth/* /etc/shibboleth/
 COPY container_files/usr-local-bin/* /usr/local/bin/
 COPY container_files/opt-tier/* /opt/tier/
 
diff --git a/container_files/shibboleth/attribute-map.xml b/container_files/shibboleth/attribute-map.xml
deleted file mode 100644
index a6725f3..0000000
--- a/container_files/shibboleth/attribute-map.xml
+++ /dev/null
@@ -1,153 +0,0 @@
-<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-
-    <!--
-    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
-    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
-    few exceptions for newer attributes where the name is the same for both versions. You will
-    usually want to uncomment or map the names for both SAML versions as a unit.
-    -->
-    
-    <!-- First some useful eduPerson attributes that many sites might use. -->
-
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
-        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
-    </Attribute>
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
-        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
-    </Attribute>
-
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
-        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
-    </Attribute>
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
-        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
-    </Attribute>
-
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
-        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
-    </Attribute>
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
-        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
-    </Attribute>
-
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
-
-    <!-- A persistent id attribute that supports personalized anonymous access. -->
-    
-    <!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
-        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
-        <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
-    </Attribute>
-    
-    <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
-    <!--
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
-        <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
-    </Attribute>
-    -->
-    
-    <!-- Third, the new version (note the OID-style name): -->
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
-        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
-    </Attribute>
-
-    <!-- Fourth, the SAML 2.0 NameID Format: -->
-    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
-        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
-    </Attribute>
-    
-    <!-- Some more eduPerson attributes, uncomment these to use them... -->
-    <!--
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
-    
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
-    
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
-
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
-        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
-    </Attribute>
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
-
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
-        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
-    </Attribute>
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
-    -->
-
-    <!-- SCHAC attributes, uncomment to use... -->
-    <!--
-    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/>
-    -->
-    
-    <!-- Examples of LDAP-based attributes, uncomment to use these... -->
-    <!--
-    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
-    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
-    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
-    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
-    -->
-    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
-    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
-    <!--
-    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
-    <Attribute name="urn:oid:2.5.4.12" id="title"/>
-    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
-    <Attribute name="urn:oid:2.5.4.13" id="description"/>
-    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
-    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
-    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
-    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
-    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
-    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
-    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
-    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
-    <Attribute name="urn:oid:2.5.4.9" id="street"/>
-    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
-    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
-    <Attribute name="urn:oid:2.5.4.8" id="st"/>
-    <Attribute name="urn:oid:2.5.4.7" id="l"/>
-    <Attribute name="urn:oid:2.5.4.10" id="o"/>
-    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
-    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
-    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
-
-    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
-    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
-    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
-    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
-    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
-    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
-    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
-    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
-    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
-    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
-    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
-    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
-    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
-    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
-    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
-    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
-    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
-    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
-    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
-    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
-    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
-    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
-    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
-    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
-    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
-    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
-    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
-    -->
-
-</Attributes>
diff --git a/container_files/shibboleth/native.logger b/container_files/shibboleth/native.logger
deleted file mode 100644
index 1a330fd..0000000
--- a/container_files/shibboleth/native.logger
+++ /dev/null
@@ -1,39 +0,0 @@
-# set overall behavior
-log4j.rootCategory=INFO, native_log, warn_log
-
-# fairly verbose for DEBUG, so generally leave at INFO
-log4j.category.XMLTooling.XMLObject=INFO
-log4j.category.XMLTooling.KeyInfoResolver=INFO
-log4j.category.Shibboleth.IPRange=INFO
-log4j.category.Shibboleth.PropertySet=INFO
-
-# raise for low-level tracing of SOAP client HTTP/SSL behavior
-log4j.category.XMLTooling.libcurl=INFO
-
-# useful categories to tune independently:
-#
-# tracing of SAML messages and security policies
-#log4j.category.OpenSAML.MessageDecoder=DEBUG
-#log4j.category.OpenSAML.MessageEncoder=DEBUG
-#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
-# interprocess message remoting
-#log4j.category.Shibboleth.Listener=DEBUG
-# mapping of requests to applicationId
-#log4j.category.Shibboleth.RequestMapper=DEBUG
-# high level session cache operations
-#log4j.category.Shibboleth.SessionCache=DEBUG
-# persistent storage and caching
-#log4j.category.XMLTooling.StorageService=DEBUG
-
-# define the appender
-
-log4j.appender.native_log=org.apache.log4j.FileAppender
-log4j.appender.native_log.fileName=/tmp/logshib
-log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.native_log.layout.ConversionPattern=shibd;native.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-
-log4j.appender.warn_log=org.apache.log4j.FileAppender
-log4j.appender.warn_log.fileName=/tmp/logshib
-log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.warn_log.layout.ConversionPattern=shibd;native_warn.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-log4j.appender.warn_log.threshold=WARN
diff --git a/container_files/shibboleth/shibd.logger b/container_files/shibboleth/shibd.logger
deleted file mode 100644
index e211857..0000000
--- a/container_files/shibboleth/shibd.logger
+++ /dev/null
@@ -1,59 +0,0 @@
-# set overall behavior
-log4j.rootCategory=INFO, shibd_log
-
-# fairly verbose for DEBUG, so generally leave at INFO
-log4j.category.XMLTooling.XMLObject=INFO
-log4j.category.XMLTooling.KeyInfoResolver=INFO
-log4j.category.Shibboleth.IPRange=INFO
-log4j.category.Shibboleth.PropertySet=INFO
-
-# raise for low-level tracing of SOAP client HTTP/SSL behavior
-log4j.category.XMLTooling.libcurl=INFO
-
-# useful categories to tune independently:
-#
-# tracing of SAML messages and security policies
-#log4j.category.OpenSAML.MessageDecoder=DEBUG
-#log4j.category.OpenSAML.MessageEncoder=DEBUG
-#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
-#log4j.category.XMLTooling.SOAPClient=DEBUG
-# interprocess message remoting
-#log4j.category.Shibboleth.Listener=DEBUG
-# mapping of requests to applicationId
-#log4j.category.Shibboleth.RequestMapper=DEBUG
-# high level session cache operations
-#log4j.category.Shibboleth.SessionCache=DEBUG
-# persistent storage and caching
-#log4j.category.XMLTooling.StorageService=DEBUG
-
-# logs XML being signed or verified if set to DEBUG
-log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
-log4j.additivity.XMLTooling.Signature.Debugger=false
-
-# the tran log blocks the "default" appender(s) at runtime
-# Level should be left at INFO for this category
-log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
-log4j.additivity.Shibboleth-TRANSACTION=false
-# uncomment to suppress particular event types
-#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
-#log4j.category.Shibboleth-TRANSACTION.Login=WARN
-#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
-
-# define the appenders
-
-log4j.appender.shibd_log=org.apache.log4j.FileAppender
-log4j.appender.shibd_log.fileName=/tmp/logshib
-log4j.appender.shibd_log.maxFileSize=0
-log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.shibd_log.layout.ConversionPattern=shibd;shibd.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-
-log4j.appender.tran_log=org.apache.log4j.FileAppender
-log4j.appender.tran_log.fileName=/tmp/logshib
-log4j.appender.tran_log.maxFileSize=0
-log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.tran_log.layout.ConversionPattern=shibd;transaction.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-
-log4j.appender.sig_log=org.apache.log4j.FileAppender
-log4j.appender.sig_log.fileName=/tmp/logshib
-log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.sig_log.layout.ConversionPattern=shibd;signature.log;${ENV};${USERTOKEN};%m
diff --git a/container_files/usr-local-bin/start-midpoint.sh b/container_files/usr-local-bin/start-midpoint.sh
index 043f97c..e729fec 100755
--- a/container_files/usr-local-bin/start-midpoint.sh
+++ b/container_files/usr-local-bin/start-midpoint.sh
@@ -8,6 +8,17 @@ function check () {
     fi
 }
 
+echo "Linking secrets"
+for filepath in /run/secrets/*; do
+  label_file=`basename $filepath`
+  if [ "$label_file" == "mp_shibboleth_sp_keys.jks" ]; then
+	if [ ! -d "/etc/pki/mp" ]; then
+		mkdir /etc/pki/mp
+	fi
+    ln -sf /run/secrets/mp_shibboleth_sp_keys.jks /etc/pki/mp/sp-shibboleth-keys.jks
+  fi
+done
+
 # These variables have reasonable defaults in Dockerfile. So we will _not_ supply defaults here.
 # The composer or user has to make sure they are well defined.
 
@@ -20,7 +31,6 @@ check REPO_PASSWORD_FILE
 check REPO_MISSING_SCHEMA_ACTION
 check REPO_UPGRADEABLE_SCHEMA_ACTION
 check MP_KEYSTORE_PASSWORD_FILE
-check SSO_HEADER
 check AJP_ENABLED
 check AJP_PORT
 
@@ -40,7 +50,6 @@ java -Xmx$MP_MEM_MAX -Xms$MP_MEM_INIT -Dfile.encoding=UTF8 \
        -Dmidpoint.logging.alt.enabled=true \
        -Dmidpoint.logging.alt.filename=/tmp/logmidpoint \
        -Dspring.profiles.active="`$MP_DIR/active-spring-profiles`" \
-       $(if [ "$AUTHENTICATION" = "shibboleth" ]; then echo "-Dauth.logout.url=$LOGOUT_URL -Dauth.sso.header=$SSO_HEADER"; fi) \
        -Dserver.tomcat.ajp.enabled=$AJP_ENABLED \
        -Dserver.tomcat.ajp.port=$AJP_PORT \
        -Dlogging.path=/tmp/logtomcat \
diff --git a/demo/grouper/.env b/demo/grouper/.env
index 1a7a71d..6cca1f1 100644
--- a/demo/grouper/.env
+++ b/demo/grouper/.env
@@ -9,5 +9,4 @@ REPO_MISSING_SCHEMA_ACTION=create
 REPO_UPGRADEABLE_SCHEMA_ACTION=stop
 MP_MEM_MAX=2048m
 MP_MEM_INIT=1024m
-SSO_HEADER=uid
 TIMEZONE=UTC
diff --git a/demo/grouper/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml b/demo/grouper/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
deleted file mode 100644
index ee05a97..0000000
--- a/demo/grouper/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
+++ /dev/null
@@ -1,139 +0,0 @@
-<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
-    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
-    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    clockSkew="180">
-
-    <!--
-    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
-    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-    -->
-
-    <!--
-    To customize behavior for specific resources on Apache, and to link vhosts or
-    resources to ApplicationOverride settings below, use web server options/commands.
-    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
-    
-    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
-    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-    -->
-    <TCPListener address="127.0.0.1" port="1600"/> 
-
-
-    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
-    <ApplicationDefaults entityID="https://midpointdemo/shibboleth"
-                         REMOTE_USER="uid">
-
-        <!--
-        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
-        You MUST supply an effectively unique handlerURL value for each of your applications.
-        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
-        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
-        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
-        Note that while we default checkAddress to "false", this has a negative impact on the
-        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-        -->
-        <Sessions lifetime="28800" timeout="28800" relayState="ss:mem"
-                  checkAddress="false" handlerSSL="true" cookieProps="https">
-
-            <!--
-            Configures SSO for a default IdP. To allow for >1 IdP, remove
-            entityID property and adjust discoveryURL to point to discovery service.
-            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
-            You can also override entityID on /Login query string, or in RequestMap/htaccess.
-            -->
-		<SSO entityID="https://idptestbed/idp/shibboleth">
-			SAML2
-		</SSO>
-
-            <!-- SAML and local-only logout. -->
-            <Logout>SAML2 Local</Logout>
-            
-            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
-            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
-
-            <!-- Status reporting service. -->
-            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
-
-            <!-- Session diagnostic service. -->
-            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
-
-            <!-- JSON feed of discovery information. -->
-            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
-        </Sessions>
-
-        <!--
-        Allows overriding of error template information/filenames. You can
-        also add attributes with values that can be plugged into the templates.
-        -->
-        <Errors supportContact="root@localhost"
-            helpLocation="/about.html"
-            styleSheet="/shibboleth-sp/main.css"/>
-        
-        <!-- Example of remotely supplied batch of signed metadata. -->
-        <!--
-        <MetadataProvider type="XML" validate="true"
-	      uri="http://example.org/federation-metadata.xml"
-              backingFilePath="federation-metadata.xml" reloadInterval="7200">
-            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
-            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
-            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
-              attributeName="http://macedir.org/entity-category"
-              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-              attributeValue="http://refeds.org/category/hide-from-discovery" />
-        </MetadataProvider>
-        -->
-
-        <MetadataProvider type="XML" validate="true" file="idp-metadata.xml"/>
-
-        <!--
-        InCommon
-	  <MetadataProvider type="XML" validate="true"
-		uri="http://md.incommon.org/InCommon/InCommon-metadata.xml"
-              backingFilePath="federation-metadata.xml" reloadInterval="7200">
-            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
-		<MetdataFilter type="Signature" certificate="inc-md-cert.pem"/>
-            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
-              attributeName="http://macedir.org/entity-category"
-              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-              attributeValue="http://refeds.org/category/hide-from-discovery" />
-        </MetadataProvider>
-        -->
-
-        <!-- Map to extract attributes from SAML assertions. -->
-        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
-        
-        <!-- Use a SAML query if no attributes are supplied during SSO. -->
-        <AttributeResolver type="Query" subjectMatch="true"/>
-
-        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
-        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-
-        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
-        <CredentialResolver type="File" use="signing"
-            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
-        <CredentialResolver type="File" use="encryption"
-            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
-
-        <!--
-        The default settings can be overridden by creating ApplicationOverride elements (see
-        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
-        Resource requests are mapped by web server commands, or the RequestMapper, to an
-        applicationId setting.
-        
-        Example of a second application (for a second vhost) that has a different entityID.
-        Resources on the vhost would map to an applicationId of "admin":
-        -->
-        <!--
-        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-        -->
-    </ApplicationDefaults>
-    
-    <!-- Policies that determine how to process and authenticate runtime messages. -->
-    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
-
-    <!-- Low-level configuration about protocols and bindings available for use. -->
-    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
-
-</SPConfig>
diff --git a/demo/grouper/configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks b/demo/grouper/configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks
new file mode 100644
index 0000000..af2e8f4
Binary files /dev/null and b/demo/grouper/configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks differ
diff --git a/demo/grouper/configs-and-secrets/midpoint/shibboleth/sp-encrypt-cert.pem b/demo/grouper/configs-and-secrets/midpoint/shibboleth/sp-encrypt-cert.pem
deleted file mode 100644
index 7a66196..0000000
--- a/demo/grouper/configs-and-secrets/midpoint/shibboleth/sp-encrypt-cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID/TCCAmWgAwIBAgIJAINng1bI63LGMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4MDJaFw0yODEyMTcy
-MjM4MDJaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI
-hvcNAQEBBQADggGPADCCAYoCggGBAOjmPSBzRsjbPBBA6jYVW+QtsYM5fvIuNErG
-VDRvKHyCTNbmdFZ37qEl/fwsrdF4hn4V7fAZ6jW6R1aMGFl1vQyJ289B8l5HOPjf
-GuB2gL9IxulOmrkYVN8nfgjlbFNNktMQJ8NprYEyl3o786xCCxx3AiA5Mgdv400L
-6vlmEfNHIwsOHAUTNRyCwMS9P6jBJ5IIxD0Mef+3oUjAvVsPZu24EJnzTUasZnI0
-F8aC/YzVbxObBNcymtA2Ipec/gLe1B09eDZUduXPL/as57QWvgJrWj8bCK+Ldj0P
-MPSvWzr4BnN58dxaYgCgRH7tnhZudPvCjBakQzkxo/njsRIKtm3lN9UmUYiXbl+e
-bu0DSQFUaFfO2hOOUTNAr/QuC+GQL+U7VAdybTbP+KcH5LbNUSqYkxSwhbFz5aym
-o5KppnYB9K5iySRWvGIhnwXHNv5yFrmUbet2BPJlMzv7NaePaZ76ypobzNjjNBbg
-aNECsQ1ZD9fe2Q8UBe0m2gQP5Yux5QIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl
-c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFGcLIl5kg+GFIh9HXeZyLzsv5e7qMA0G
-CSqGSIb3DQEBCwUAA4IBgQAf8/iZXUWtWGMBw2OfonDDWbuhgLnNWddpllcVx7v/
-Yu75+wgfIdNXg6XM4WkGkpbhlkpDLRt2c6rMQpxrQtq/5G3OKEXKyjUOl5pZsYkG
-asVENYPSCfuu3rlK85XaW3H1SSJqSax/UKcYXyB1TIW6mNy3OxuvHak6y4LzFnug
-CO7p/W2jvffwmxfqjbO7wQfXUQz3SZS04sHMqQoStOwy2N5xxQ3uTF34EoXBto+n
-XIEOptKPhV2NkEzj+UUIi1588dck8T0SstbSElbTnJ4sNZFriX6JOPFNW08fezot
-izerOHuAFpFQvtugWoZT87YYaFwG+Zr5QNa4fNOcAL+FHvbOfEqIGs+H6GSf0dZV
-lkcJyzWZvuK/4RGqWbLvfAYRm0PAGTQSLdO8QJSYWdJtJvZFEMgddQ2HoIzeO5wo
-B42FKDSHottI9avilApQBdRCtust8XRPtEAzDB/t/1jbO7u2tkzgY3614mX5xgut
-Ileaae5eVCjw4uYbkh+Mt5M=
------END CERTIFICATE-----
diff --git a/demo/grouper/configs-and-secrets/midpoint/shibboleth/sp-encrypt-key.pem b/demo/grouper/configs-and-secrets/midpoint/shibboleth/sp-encrypt-key.pem
deleted file mode 100644
index 901ce4b..0000000
--- a/demo/grouper/configs-and-secrets/midpoint/shibboleth/sp-encrypt-key.pem
+++ /dev/null
@@ -1,165 +0,0 @@
-RSA Private-Key: (3072 bit, 2 primes)
-modulus:
-    00:e8:e6:3d:20:73:46:c8:db:3c:10:40:ea:36:15:
-    5b:e4:2d:b1:83:39:7e:f2:2e:34:4a:c6:54:34:6f:
-    28:7c:82:4c:d6:e6:74:56:77:ee:a1:25:fd:fc:2c:
-    ad:d1:78:86:7e:15:ed:f0:19:ea:35:ba:47:56:8c:
-    18:59:75:bd:0c:89:db:cf:41:f2:5e:47:38:f8:df:
-    1a:e0:76:80:bf:48:c6:e9:4e:9a:b9:18:54:df:27:
-    7e:08:e5:6c:53:4d:92:d3:10:27:c3:69:ad:81:32:
-    97:7a:3b:f3:ac:42:0b:1c:77:02:20:39:32:07:6f:
-    e3:4d:0b:ea:f9:66:11:f3:47:23:0b:0e:1c:05:13:
-    35:1c:82:c0:c4:bd:3f:a8:c1:27:92:08:c4:3d:0c:
-    79:ff:b7:a1:48:c0:bd:5b:0f:66:ed:b8:10:99:f3:
-    4d:46:ac:66:72:34:17:c6:82:fd:8c:d5:6f:13:9b:
-    04:d7:32:9a:d0:36:22:97:9c:fe:02:de:d4:1d:3d:
-    78:36:54:76:e5:cf:2f:f6:ac:e7:b4:16:be:02:6b:
-    5a:3f:1b:08:af:8b:76:3d:0f:30:f4:af:5b:3a:f8:
-    06:73:79:f1:dc:5a:62:00:a0:44:7e:ed:9e:16:6e:
-    74:fb:c2:8c:16:a4:43:39:31:a3:f9:e3:b1:12:0a:
-    b6:6d:e5:37:d5:26:51:88:97:6e:5f:9e:6e:ed:03:
-    49:01:54:68:57:ce:da:13:8e:51:33:40:af:f4:2e:
-    0b:e1:90:2f:e5:3b:54:07:72:6d:36:cf:f8:a7:07:
-    e4:b6:cd:51:2a:98:93:14:b0:85:b1:73:e5:ac:a6:
-    a3:92:a9:a6:76:01:f4:ae:62:c9:24:56:bc:62:21:
-    9f:05:c7:36:fe:72:16:b9:94:6d:eb:76:04:f2:65:
-    33:3b:fb:35:a7:8f:69:9e:fa:ca:9a:1b:cc:d8:e3:
-    34:16:e0:68:d1:02:b1:0d:59:0f:d7:de:d9:0f:14:
-    05:ed:26:da:04:0f:e5:8b:b1:e5
-publicExponent: 65537 (0x10001)
-privateExponent:
-    4c:dd:e0:82:db:49:1b:75:b0:27:35:25:97:e0:08:
-    ca:10:82:ab:ea:c8:09:2a:52:bb:f3:25:4b:80:fc:
-    7d:cb:8b:8c:c9:d6:cf:cb:19:89:3a:3e:cf:81:f7:
-    84:51:21:22:70:1e:6d:c6:3f:d4:a7:bc:6f:c6:21:
-    2b:35:7e:c5:aa:a2:4f:8f:56:6c:e3:58:dc:5a:d6:
-    46:0b:16:87:0b:80:0a:f4:94:80:4e:95:84:69:46:
-    61:ad:46:c9:5f:aa:fb:da:33:25:7d:b5:74:14:bc:
-    85:ed:4f:89:24:eb:01:e4:0d:61:91:3e:ff:d1:5f:
-    d5:c7:ff:2f:7d:0e:a3:9a:70:e8:6f:29:b4:4b:18:
-    96:66:59:35:15:b8:f2:fb:7d:11:e7:ae:cc:ef:57:
-    3c:9c:e0:b0:60:5c:9e:b7:40:a3:68:c2:a1:ec:f9:
-    2e:40:2c:37:b9:15:b7:c0:f7:ea:09:6f:75:ab:0e:
-    37:f0:4d:c4:36:79:c8:4c:5a:51:9c:35:08:89:92:
-    17:25:28:f7:4a:a7:31:fd:6e:d0:eb:17:a2:fb:2f:
-    79:53:8b:64:b1:3d:ff:49:0e:e1:55:7a:7e:06:17:
-    f2:8d:77:4a:fe:4d:2f:37:3c:59:7d:69:3d:9c:20:
-    fc:87:b1:de:89:0b:8b:3c:43:73:ae:53:b0:b9:6b:
-    48:fa:02:c3:21:d1:69:95:75:09:fb:fa:62:2b:7a:
-    24:76:cb:5d:1c:97:16:70:d5:1e:95:6f:32:af:b2:
-    52:a6:fd:48:6b:62:8c:80:72:36:17:85:15:71:36:
-    0b:66:b7:af:cf:17:79:6b:47:29:bc:55:bb:be:6b:
-    dd:c3:6b:c5:ac:26:f9:26:c5:6c:9a:a0:6e:e4:e2:
-    de:69:51:83:21:b2:00:d9:22:df:26:aa:b5:d9:f8:
-    b6:af:19:36:f1:5b:70:5d:78:1a:09:3b:6d:48:cf:
-    bc:55:8e:dd:95:3f:e6:3c:2a:97:dd:2c:76:78:ce:
-    c4:3e:de:91:54:7b:ab:8b:81
-prime1:
-    00:fb:7a:ba:56:1b:7a:d1:85:cd:6b:0e:e6:e0:11:
-    48:4a:7b:55:9b:86:76:80:61:4d:b3:02:e5:ae:03:
-    d1:1c:e6:9c:69:05:4c:2a:1a:6a:b7:71:e6:34:a0:
-    13:d4:c0:ff:6b:90:ba:d0:79:14:8c:c0:7d:e6:6d:
-    a7:13:89:35:21:a7:5e:f0:4c:d4:3d:70:f5:16:f1:
-    5b:13:df:fe:89:f3:71:d8:ea:c2:f2:92:ab:12:64:
-    62:4e:60:98:a1:e9:78:e6:ea:17:b2:4b:0d:18:9c:
-    a7:7e:e4:69:d9:3a:40:55:26:6b:5d:a2:1b:18:a6:
-    62:30:96:6f:d1:06:40:8a:55:41:ba:b6:67:67:25:
-    74:8c:a4:18:91:21:4c:14:eb:7a:d0:f0:c9:24:4a:
-    99:cc:6d:35:76:f0:c9:c6:c2:18:41:44:6d:8c:db:
-    1c:3b:44:76:9d:c9:68:2d:79:bb:aa:ed:7f:7d:c3:
-    fb:08:06:b0:5a:01:58:c9:ea:f6:58:47:55
-prime2:
-    00:ed:16:02:1c:42:bc:5a:1e:bf:7e:3c:59:fd:f7:
-    95:08:bd:73:ac:3b:58:df:d6:12:48:4d:38:9e:69:
-    e0:f2:ac:26:98:52:65:bb:76:6e:30:ad:45:d4:66:
-    bd:a8:52:5d:e8:86:ac:33:ee:6b:1a:16:69:0a:9c:
-    5e:9a:dc:bb:79:dd:15:80:5c:2b:6c:59:a4:89:7f:
-    99:fd:30:af:54:13:10:70:a4:45:7c:df:c5:18:c2:
-    32:6c:be:c9:37:8a:4f:82:f5:f3:12:a0:83:aa:49:
-    9f:ec:02:de:1c:2c:bf:60:50:3e:4a:7e:34:f2:61:
-    0f:66:e6:55:45:a8:ae:a5:ea:e5:f8:81:57:66:fb:
-    95:38:34:ab:51:c7:5d:8b:71:93:6d:9b:c3:bc:6d:
-    b2:d1:44:34:64:ea:6b:6d:8a:c0:3e:56:77:a9:e3:
-    f4:36:a6:2f:32:a1:52:13:9d:70:9e:f2:19:5b:bd:
-    b1:ee:d8:70:61:a1:a6:0e:7b:9a:e8:a0:51
-exponent1:
-    00:f9:7d:e1:fd:e9:97:68:e5:41:4d:f4:63:d3:6a:
-    f1:f8:8a:f1:fc:b1:63:41:ac:c7:84:50:dc:83:4e:
-    e0:18:b7:25:f7:ff:3c:78:0c:eb:51:02:1c:2c:9b:
-    9f:f1:14:64:93:57:ec:2f:45:e0:c0:5f:7c:c8:ae:
-    82:f2:9b:ce:6d:8b:fa:61:97:27:7d:a9:62:4e:97:
-    b7:0f:39:cb:f3:1a:e6:19:19:97:bd:47:0b:97:dc:
-    a5:b7:32:98:5b:12:21:53:9e:6d:52:02:a9:84:80:
-    6e:a0:32:86:5c:f0:30:c1:09:b3:bd:1a:45:9d:a7:
-    fc:84:4d:cb:b3:69:6b:80:92:62:fa:95:5a:72:f7:
-    b2:f0:91:20:9a:63:99:72:ab:c8:96:20:3c:bd:d7:
-    91:4c:42:10:a7:e6:ed:98:56:19:f0:2e:ae:2c:ef:
-    78:cb:c7:f9:92:43:2e:2a:e7:b9:eb:33:62:a7:e8:
-    56:55:b9:25:1e:b6:75:5b:25:d3:ae:f3:5d
-exponent2:
-    4d:0b:36:da:5a:31:7d:13:ba:e4:d9:d5:e0:bb:00:
-    fa:5b:1e:68:dc:cc:4f:c8:f0:1e:00:c2:22:70:83:
-    c2:38:81:3e:44:a0:7c:9f:ca:c5:14:b9:b9:81:3d:
-    a6:a2:45:94:17:97:84:34:b9:27:3c:1b:1c:70:9e:
-    29:b3:0b:55:59:ab:f0:0f:83:a8:ed:24:93:ee:1c:
-    6b:73:d3:b5:fd:8f:fd:1a:d4:dd:f4:95:c7:2a:ec:
-    59:fc:51:c5:33:b4:0c:f9:c1:e8:ce:b2:9a:b6:dc:
-    3a:44:e0:4a:c5:9b:d7:3f:9c:4e:76:de:db:d9:00:
-    b9:4e:a6:6d:41:98:a7:a0:42:e5:53:9a:c4:83:83:
-    05:45:d0:5a:7d:ef:ff:2d:84:5c:3d:1f:09:6f:98:
-    89:7a:a1:90:1d:c1:95:52:5e:90:a3:66:b5:95:b7:
-    39:bf:1d:5d:55:a1:27:70:a5:35:71:b5:1d:e3:f2:
-    1b:8c:c8:50:61:c8:65:b2:73:2f:9f:51
-coefficient:
-    00:c7:04:ff:52:f2:f0:85:87:85:2b:a5:07:47:02:
-    7f:cf:57:8a:18:00:bc:47:60:7d:b6:59:a0:75:d6:
-    71:4f:dd:ea:6d:5a:b8:95:95:ca:c3:7a:2c:a9:d8:
-    be:a6:05:af:be:68:3d:68:af:6b:fd:d3:b5:13:dd:
-    d2:d7:59:ac:9e:84:c8:f9:6f:71:4e:bf:b2:e7:2f:
-    5d:37:f8:71:e5:d7:90:31:42:be:df:0a:0b:a2:0e:
-    8b:b0:68:8a:13:62:1a:98:23:50:04:59:20:77:85:
-    6f:85:78:06:fb:6a:53:3d:82:7d:9f:2b:84:03:e9:
-    da:fa:d7:c4:e9:b4:9a:7e:82:7c:29:04:f5:ae:64:
-    45:41:84:5b:a0:16:3f:c7:1a:ad:b2:5e:8d:87:ce:
-    09:2b:b9:02:c3:6e:cd:35:d8:6c:b3:2b:a2:8a:97:
-    da:f0:d2:cc:e2:6f:b2:78:0e:a7:fe:8c:fc:c4:a9:
-    79:3c:ac:0e:ae:f9:36:0c:7f:85:c1:a0:20
------BEGIN RSA PRIVATE KEY-----
-MIIG5AIBAAKCAYEA6OY9IHNGyNs8EEDqNhVb5C2xgzl+8i40SsZUNG8ofIJM1uZ0
-VnfuoSX9/Cyt0XiGfhXt8BnqNbpHVowYWXW9DInbz0HyXkc4+N8a4HaAv0jG6U6a
-uRhU3yd+COVsU02S0xAnw2mtgTKXejvzrEILHHcCIDkyB2/jTQvq+WYR80cjCw4c
-BRM1HILAxL0/qMEnkgjEPQx5/7ehSMC9Ww9m7bgQmfNNRqxmcjQXxoL9jNVvE5sE
-1zKa0DYil5z+At7UHT14NlR25c8v9qzntBa+AmtaPxsIr4t2PQ8w9K9bOvgGc3nx
-3FpiAKBEfu2eFm50+8KMFqRDOTGj+eOxEgq2beU31SZRiJduX55u7QNJAVRoV87a
-E45RM0Cv9C4L4ZAv5TtUB3JtNs/4pwfkts1RKpiTFLCFsXPlrKajkqmmdgH0rmLJ
-JFa8YiGfBcc2/nIWuZRt63YE8mUzO/s1p49pnvrKmhvM2OM0FuBo0QKxDVkP197Z
-DxQF7SbaBA/li7HlAgMBAAECggGATN3ggttJG3WwJzUll+AIyhCCq+rICSpSu/Ml
-S4D8fcuLjMnWz8sZiTo+z4H3hFEhInAebcY/1Ke8b8YhKzV+xaqiT49WbONY3FrW
-RgsWhwuACvSUgE6VhGlGYa1GyV+q+9ozJX21dBS8he1PiSTrAeQNYZE+/9Ff1cf/
-L30Oo5pw6G8ptEsYlmZZNRW48vt9EeeuzO9XPJzgsGBcnrdAo2jCoez5LkAsN7kV
-t8D36glvdasON/BNxDZ5yExaUZw1CImSFyUo90qnMf1u0OsXovsveVOLZLE9/0kO
-4VV6fgYX8o13Sv5NLzc8WX1pPZwg/Iex3okLizxDc65TsLlrSPoCwyHRaZV1Cfv6
-Yit6JHbLXRyXFnDVHpVvMq+yUqb9SGtijIByNheFFXE2C2a3r88XeWtHKbxVu75r
-3cNrxawm+SbFbJqgbuTi3mlRgyGyANki3yaqtdn4tq8ZNvFbcF14Ggk7bUjPvFWO
-3ZU/5jwql90sdnjOxD7ekVR7q4uBAoHBAPt6ulYbetGFzWsO5uARSEp7VZuGdoBh
-TbMC5a4D0RzmnGkFTCoaardx5jSgE9TA/2uQutB5FIzAfeZtpxOJNSGnXvBM1D1w
-9RbxWxPf/onzcdjqwvKSqxJkYk5gmKHpeObqF7JLDRicp37kadk6QFUma12iGxim
-YjCWb9EGQIpVQbq2Z2cldIykGJEhTBTretDwySRKmcxtNXbwycbCGEFEbYzbHDtE
-dp3JaC15u6rtf33D+wgGsFoBWMnq9lhHVQKBwQDtFgIcQrxaHr9+PFn995UIvXOs
-O1jf1hJITTieaeDyrCaYUmW7dm4wrUXUZr2oUl3ohqwz7msaFmkKnF6a3Lt53RWA
-XCtsWaSJf5n9MK9UExBwpEV838UYwjJsvsk3ik+C9fMSoIOqSZ/sAt4cLL9gUD5K
-fjTyYQ9m5lVFqK6l6uX4gVdm+5U4NKtRx12LcZNtm8O8bbLRRDRk6mttisA+Vnep
-4/Q2pi8yoVITnXCe8hlbvbHu2HBhoaYOe5rooFECgcEA+X3h/emXaOVBTfRj02rx
-+Irx/LFjQazHhFDcg07gGLcl9/88eAzrUQIcLJuf8RRkk1fsL0XgwF98yK6C8pvO
-bYv6YZcnfaliTpe3DznL8xrmGRmXvUcLl9yltzKYWxIhU55tUgKphIBuoDKGXPAw
-wQmzvRpFnaf8hE3Ls2lrgJJi+pVacvey8JEgmmOZcqvIliA8vdeRTEIQp+btmFYZ
-8C6uLO94y8f5kkMuKue56zNip+hWVbklHrZ1WyXTrvNdAoHATQs22loxfRO65NnV
-4LsA+lseaNzMT8jwHgDCInCDwjiBPkSgfJ/KxRS5uYE9pqJFlBeXhDS5JzwbHHCe
-KbMLVVmr8A+DqO0kk+4ca3PTtf2P/RrU3fSVxyrsWfxRxTO0DPnB6M6ymrbcOkTg
-SsWb1z+cTnbe29kAuU6mbUGYp6BC5VOaxIODBUXQWn3v/y2EXD0fCW+YiXqhkB3B
-lVJekKNmtZW3Ob8dXVWhJ3ClNXG1HePyG4zIUGHIZbJzL59RAoHBAMcE/1Ly8IWH
-hSulB0cCf89XihgAvEdgfbZZoHXWcU/d6m1auJWVysN6LKnYvqYFr75oPWiva/3T
-tRPd0tdZrJ6EyPlvcU6/sucvXTf4ceXXkDFCvt8KC6IOi7BoihNiGpgjUARZIHeF
-b4V4BvtqUz2CfZ8rhAPp2vrXxOm0mn6CfCkE9a5kRUGEW6AWP8carbJejYfOCSu5
-AsNuzTXYbLMrooqX2vDSzOJvsngOp/6M/MSpeTysDq75Ngx/hcGgIA==
------END RSA PRIVATE KEY-----
diff --git a/demo/grouper/configs-and-secrets/midpoint/shibboleth/sp-signing-cert.pem b/demo/grouper/configs-and-secrets/midpoint/shibboleth/sp-signing-cert.pem
deleted file mode 100644
index 73aaaab..0000000
--- a/demo/grouper/configs-and-secrets/midpoint/shibboleth/sp-signing-cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID/TCCAmWgAwIBAgIJAJZqOL69C6nRMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4NDhaFw0yODEyMTcy
-MjM4NDhaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI
-hvcNAQEBBQADggGPADCCAYoCggGBANJ1OC6Ql4te2/7PArBkuM/EF1NcQILv7bJa
-ecJDGYBVoWgL0a2KQ0XMESusgkVmVjj/jcbtvwIiXI/6BEu815OF6eSZIwxWdQBp
-eKbrWTbt07GiGgdXoXot6oMs5a9YXuWLt8pTXrFVMmwXU+ZfWJtuU8OIgm9esAEI
-QBHvDVOJtdKdBMWJFa5nUzkaVvA0Fr8r+/FHUvSCnlKOMaUIfTgtoS9AQnaRQ1dV
-l39Z2KAh87JYvRIxvbaPaKgar2eGQ+PQD8rqsB5K5wgnADAxYM9Vo0YXSpPH+Fvw
-N3EJgURUSEY2E0Jx8JOx368ERNLXx3kfnRxCiZRDkTZF9WP6lBnDwc1WXRwpVCDT
-RnF+SIh6IC1Bj/qpkpCD3nri7tycejoeAtVj1YZHWarf9iqdcLYOAWmeyGbFl3hj
-v6qcXnIfy1KyHLCAdIrg1TymLovXXKW09pEbVLdsHmLz0h+DxPs4FsinK2AQBMn1
-6u8BJJ/+spCzIQ2QNPcGORh6XemBpQIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl
-c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFPC8rkASWHQxrtCQ4wwtnsJRy6K5MA0G
-CSqGSIb3DQEBCwUAA4IBgQCks2nY7YzdIKV02NHD9STWD3yPtEwPYZZ3NBno0WW2
-0rS6cU+fxFx37nY8ULve4cFQkLR8fOO44e1qIuTgLGCauSGTx/Ts/tbmZXbpGTwV
-7cjZDCfC7yEFAVrfQFOMNKeQEssuLFj+d4STGLorxsM+2YygdOgohJz0e3xOcmCN
-HqEuC9RbzrnLc/A4/mOHKwnwCCg71zA1/Ew9NUoRm2n8IfaONIUaMg9opNiHxX4e
-u3UFaaPmn/mInuWYYMXzbIbdlU/XhKvXrujWYWj7anTDWvGQmNEecsQH92SrO0pf
-+9WwcWUQTQiWUdq8/OxjXfzs1PrQnSlp0eizgcdKHDKbCUaSuK1i2wdxfEsu5sbZ
-AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq
-+mjnyQSNe3s24VNeGc76jbHIrkEWuA460QGqz1Fa2CsQo5SH1IkxNIKpBZWt+w2L
-dAza/NzYyDruY5IJCrZa9Qw=
------END CERTIFICATE-----
diff --git a/demo/grouper/configs-and-secrets/midpoint/shibboleth/sp-signing-key.pem b/demo/grouper/configs-and-secrets/midpoint/shibboleth/sp-signing-key.pem
deleted file mode 100644
index 16f582a..0000000
--- a/demo/grouper/configs-and-secrets/midpoint/shibboleth/sp-signing-key.pem
+++ /dev/null
@@ -1,165 +0,0 @@
-RSA Private-Key: (3072 bit, 2 primes)
-modulus:
-    00:d2:75:38:2e:90:97:8b:5e:db:fe:cf:02:b0:64:
-    b8:cf:c4:17:53:5c:40:82:ef:ed:b2:5a:79:c2:43:
-    19:80:55:a1:68:0b:d1:ad:8a:43:45:cc:11:2b:ac:
-    82:45:66:56:38:ff:8d:c6:ed:bf:02:22:5c:8f:fa:
-    04:4b:bc:d7:93:85:e9:e4:99:23:0c:56:75:00:69:
-    78:a6:eb:59:36:ed:d3:b1:a2:1a:07:57:a1:7a:2d:
-    ea:83:2c:e5:af:58:5e:e5:8b:b7:ca:53:5e:b1:55:
-    32:6c:17:53:e6:5f:58:9b:6e:53:c3:88:82:6f:5e:
-    b0:01:08:40:11:ef:0d:53:89:b5:d2:9d:04:c5:89:
-    15:ae:67:53:39:1a:56:f0:34:16:bf:2b:fb:f1:47:
-    52:f4:82:9e:52:8e:31:a5:08:7d:38:2d:a1:2f:40:
-    42:76:91:43:57:55:97:7f:59:d8:a0:21:f3:b2:58:
-    bd:12:31:bd:b6:8f:68:a8:1a:af:67:86:43:e3:d0:
-    0f:ca:ea:b0:1e:4a:e7:08:27:00:30:31:60:cf:55:
-    a3:46:17:4a:93:c7:f8:5b:f0:37:71:09:81:44:54:
-    48:46:36:13:42:71:f0:93:b1:df:af:04:44:d2:d7:
-    c7:79:1f:9d:1c:42:89:94:43:91:36:45:f5:63:fa:
-    94:19:c3:c1:cd:56:5d:1c:29:54:20:d3:46:71:7e:
-    48:88:7a:20:2d:41:8f:fa:a9:92:90:83:de:7a:e2:
-    ee:dc:9c:7a:3a:1e:02:d5:63:d5:86:47:59:aa:df:
-    f6:2a:9d:70:b6:0e:01:69:9e:c8:66:c5:97:78:63:
-    bf:aa:9c:5e:72:1f:cb:52:b2:1c:b0:80:74:8a:e0:
-    d5:3c:a6:2e:8b:d7:5c:a5:b4:f6:91:1b:54:b7:6c:
-    1e:62:f3:d2:1f:83:c4:fb:38:16:c8:a7:2b:60:10:
-    04:c9:f5:ea:ef:01:24:9f:fe:b2:90:b3:21:0d:90:
-    34:f7:06:39:18:7a:5d:e9:81:a5
-publicExponent: 65537 (0x10001)
-privateExponent:
-    00:92:60:71:19:01:fc:45:35:4e:f1:e4:ed:4b:de:
-    62:24:2f:90:c1:ab:f2:3a:9f:c1:c5:40:e4:5a:d6:
-    ec:8f:b3:ff:35:2c:b3:43:6e:5c:e7:d8:cd:40:81:
-    15:82:4b:71:40:e7:8d:a6:84:89:4b:64:b6:d8:74:
-    de:34:07:3e:31:1e:fc:d4:c0:25:fe:58:cb:bb:e3:
-    9f:c5:08:ff:de:12:80:20:96:4c:60:3a:f4:d6:d3:
-    c4:be:43:a5:e4:d5:23:fb:a7:b7:c7:03:41:63:39:
-    8c:7e:5d:a3:3f:21:a5:b1:45:85:01:04:9b:23:f6:
-    c9:97:8e:33:71:c5:c0:91:0f:c0:e4:a1:cd:45:ce:
-    d8:c3:9a:9d:e9:a3:86:40:3f:1a:6b:10:9e:84:ec:
-    44:a8:47:88:f2:86:6f:c5:07:28:80:c0:4b:d1:5f:
-    72:5a:a1:22:23:46:26:be:ae:b0:da:7f:82:cd:d2:
-    a6:7e:57:16:4a:39:68:63:33:5c:38:36:cb:11:fd:
-    be:f3:f7:c1:66:11:d3:4b:41:8b:08:8a:90:a4:af:
-    ad:67:1b:78:2b:be:c3:2b:6a:76:2f:d7:58:b8:72:
-    bb:be:d5:a7:d6:3d:18:23:03:ea:0f:e4:15:56:db:
-    93:77:b0:4e:3a:66:a4:3e:3d:84:ec:45:ea:fc:6b:
-    c5:c3:c8:01:fe:04:4b:a0:bb:89:4a:ae:6f:be:13:
-    eb:49:5b:89:a9:67:71:0e:ec:52:ba:d1:a0:22:83:
-    77:99:0c:5d:d8:08:ee:05:7b:ea:c1:86:99:dd:41:
-    87:66:50:58:01:0c:79:20:28:80:1a:3c:6f:ff:5c:
-    e6:2a:9f:bd:38:91:e0:7b:f6:b5:7b:a6:7c:8e:04:
-    1c:a5:2e:ce:58:d8:54:76:3e:aa:7e:cf:88:89:62:
-    84:68:c3:3b:0f:c7:63:e2:77:28:02:b0:69:13:bf:
-    c1:ce:55:6e:27:7e:fb:72:a4:71:df:96:a5:31:c2:
-    a5:6b:04:16:17:56:2a:48:3a:c1
-prime1:
-    00:f4:a2:a4:22:f3:e2:ca:f7:53:68:e5:b9:77:a1:
-    9e:d6:2c:29:eb:d6:70:1b:45:90:47:78:f4:0c:b9:
-    b9:94:ee:fd:ac:1e:29:62:28:ce:30:ed:ed:3d:cb:
-    9a:36:22:f9:01:a9:b7:6f:0c:74:d9:a9:a2:87:d8:
-    3a:6a:6d:fa:5a:dc:d0:75:ab:bf:e5:01:f6:4f:ea:
-    17:17:f0:81:92:9a:5d:ad:67:9b:f5:4b:7c:ae:fb:
-    2f:82:01:f0:8f:5d:a6:3b:c3:8b:bd:b8:5e:0f:c9:
-    27:58:ec:18:cd:77:fa:31:84:7d:34:13:97:81:e2:
-    d2:56:70:33:27:54:3b:e3:b8:a1:60:78:90:6f:6a:
-    84:5f:02:fb:24:1c:d7:60:82:14:7f:83:6b:cb:b0:
-    73:03:3e:cc:22:70:46:6d:ea:30:a7:1e:89:f8:44:
-    18:0b:85:27:8d:f4:46:9e:dc:ba:a9:49:61:f4:19:
-    e2:95:61:47:1c:0f:ea:f9:ec:70:b0:b3:f9
-prime2:
-    00:dc:3c:1e:5b:0a:37:22:fc:73:1e:d1:5d:7d:1f:
-    13:eb:2a:1d:21:18:f2:c8:44:23:c0:6a:44:fc:33:
-    3f:0d:da:55:40:b5:60:d7:14:be:6a:78:7b:24:97:
-    a7:1f:f1:14:0b:7e:b7:14:88:bf:a3:42:f0:f9:55:
-    5f:08:ec:19:28:94:2b:f4:19:94:ff:ab:7e:88:fd:
-    9d:50:2a:54:02:d4:ed:08:18:6f:e1:36:ac:2d:3d:
-    2f:39:60:ce:b2:0b:ce:18:20:ac:74:ac:de:8e:d3:
-    7f:e7:61:cb:25:46:fd:7d:ab:e3:0d:89:1f:6c:64:
-    47:8d:e9:c4:9c:51:ce:9a:50:83:61:5a:3c:d0:e2:
-    66:fc:67:d1:2b:82:e2:6b:ab:4b:02:a0:05:54:fa:
-    df:f2:46:8f:d8:07:f7:76:c5:d3:7d:5c:b7:be:d9:
-    c8:2c:33:ab:34:4e:21:e8:e2:fd:92:78:51:ca:7b:
-    00:70:f9:12:e9:ca:b4:a1:63:a0:8e:ce:0d
-exponent1:
-    00:d0:41:70:b7:6c:a5:82:21:a0:79:29:2f:85:5f:
-    2a:27:ab:3b:18:d0:d9:68:ee:04:50:43:f0:86:b0:
-    c9:02:b7:9d:6e:1b:d3:21:04:19:db:df:80:5a:5d:
-    ec:6e:ef:c0:c9:20:a0:ce:c1:6c:ec:2b:13:f8:cf:
-    23:93:9d:02:46:bd:ba:1c:a2:54:5e:f1:17:ad:9a:
-    5b:84:7e:b2:df:89:d7:fb:99:bb:53:cb:aa:5e:0f:
-    e9:b6:a4:4e:14:ce:25:88:b5:04:4e:43:18:98:19:
-    a7:0c:75:18:fc:39:89:dd:03:ab:ce:5c:6b:5b:20:
-    2b:ed:77:e0:a4:37:7a:30:76:e9:b2:85:90:77:b8:
-    d6:ed:47:4d:62:c5:c6:b8:1a:a4:b6:94:bb:7c:90:
-    3e:a8:e1:99:c8:2b:8a:59:61:c7:7f:4d:69:28:d7:
-    57:1c:df:82:f7:be:9f:2b:f8:3e:53:84:ec:05:70:
-    cf:ca:59:20:bf:0b:f1:fe:46:c0:fc:3c:89
-exponent2:
-    43:15:c0:fd:64:58:35:3d:06:e8:1d:48:48:03:be:
-    72:84:ca:88:b9:6b:c2:db:16:b4:d6:ea:1a:94:95:
-    a1:67:9f:4e:6d:b1:88:f2:95:aa:22:f7:07:c7:76:
-    2e:01:a6:64:75:fd:d8:b0:6b:07:95:2d:88:15:9c:
-    34:40:8e:cd:50:8d:2e:f6:d7:ef:25:53:0e:f1:8a:
-    08:d0:4b:f4:ec:dd:22:f9:26:a3:48:9f:1b:cc:a6:
-    64:e8:fb:2d:3a:f1:55:62:26:86:07:de:67:4d:3f:
-    89:c0:bd:3b:a6:ab:32:ab:b8:26:f8:5c:ed:0c:82:
-    cb:54:a9:02:20:dd:39:1e:4b:56:cd:40:f7:33:ef:
-    c0:f4:f2:bf:39:48:35:19:e1:68:74:4c:0b:7d:bb:
-    d7:b5:ec:bd:16:78:27:e2:cc:b0:44:1c:e8:72:b8:
-    49:d6:97:51:00:77:cd:d3:ce:ff:dd:cc:b4:4b:d1:
-    6f:98:3f:4d:9d:e4:75:c0:be:38:a1:c5
-coefficient:
-    3b:d4:77:cb:a6:63:50:cf:13:f3:fe:17:73:24:43:
-    f7:af:15:e2:c6:48:bd:54:1f:a5:26:87:f3:a1:8e:
-    4e:b1:02:66:9e:52:a9:25:94:4e:a0:16:4c:95:92:
-    d3:22:1c:b4:03:0b:eb:49:d6:17:e3:8f:45:49:6b:
-    ab:4c:a4:da:f7:8d:f5:17:ba:79:67:f2:a3:24:0e:
-    15:df:76:53:e6:f1:87:74:04:b9:ee:4b:18:ec:29:
-    aa:b3:d5:ff:57:09:48:57:6f:f3:c7:92:f8:5f:2a:
-    ee:2f:dd:0f:be:b9:4e:2a:3a:90:98:ca:cd:73:cd:
-    dc:52:6a:02:f3:41:94:09:da:3b:80:29:6e:ec:e8:
-    6f:6e:50:92:69:b4:35:54:07:6a:9f:93:24:62:4c:
-    bd:7d:af:55:7f:42:8c:4e:a1:69:55:aa:d6:52:4c:
-    6a:49:28:40:e7:88:97:28:b9:88:38:ed:f6:b0:e5:
-    23:00:d8:78:65:a4:e0:a1:60:b0:a3:3b
------BEGIN RSA PRIVATE KEY-----
-MIIG5AIBAAKCAYEA0nU4LpCXi17b/s8CsGS4z8QXU1xAgu/tslp5wkMZgFWhaAvR
-rYpDRcwRK6yCRWZWOP+Nxu2/AiJcj/oES7zXk4Xp5JkjDFZ1AGl4putZNu3TsaIa
-B1ehei3qgyzlr1he5Yu3ylNesVUybBdT5l9Ym25Tw4iCb16wAQhAEe8NU4m10p0E
-xYkVrmdTORpW8DQWvyv78UdS9IKeUo4xpQh9OC2hL0BCdpFDV1WXf1nYoCHzsli9
-EjG9to9oqBqvZ4ZD49APyuqwHkrnCCcAMDFgz1WjRhdKk8f4W/A3cQmBRFRIRjYT
-QnHwk7HfrwRE0tfHeR+dHEKJlEORNkX1Y/qUGcPBzVZdHClUINNGcX5IiHogLUGP
-+qmSkIPeeuLu3Jx6Oh4C1WPVhkdZqt/2Kp1wtg4BaZ7IZsWXeGO/qpxech/LUrIc
-sIB0iuDVPKYui9dcpbT2kRtUt2weYvPSH4PE+zgWyKcrYBAEyfXq7wEkn/6ykLMh
-DZA09wY5GHpd6YGlAgMBAAECggGBAJJgcRkB/EU1TvHk7UveYiQvkMGr8jqfwcVA
-5FrW7I+z/zUss0NuXOfYzUCBFYJLcUDnjaaEiUtktth03jQHPjEe/NTAJf5Yy7vj
-n8UI/94SgCCWTGA69NbTxL5DpeTVI/unt8cDQWM5jH5doz8hpbFFhQEEmyP2yZeO
-M3HFwJEPwOShzUXO2MOanemjhkA/GmsQnoTsRKhHiPKGb8UHKIDAS9FfclqhIiNG
-Jr6usNp/gs3Spn5XFko5aGMzXDg2yxH9vvP3wWYR00tBiwiKkKSvrWcbeCu+wytq
-di/XWLhyu77Vp9Y9GCMD6g/kFVbbk3ewTjpmpD49hOxF6vxrxcPIAf4ES6C7iUqu
-b74T60lbialncQ7sUrrRoCKDd5kMXdgI7gV76sGGmd1Bh2ZQWAEMeSAogBo8b/9c
-5iqfvTiR4Hv2tXumfI4EHKUuzljYVHY+qn7PiIlihGjDOw/HY+J3KAKwaRO/wc5V
-bid++3Kkcd+WpTHCpWsEFhdWKkg6wQKBwQD0oqQi8+LK91No5bl3oZ7WLCnr1nAb
-RZBHePQMubmU7v2sHiliKM4w7e09y5o2IvkBqbdvDHTZqaKH2Dpqbfpa3NB1q7/l
-AfZP6hcX8IGSml2tZ5v1S3yu+y+CAfCPXaY7w4u9uF4PySdY7BjNd/oxhH00E5eB
-4tJWcDMnVDvjuKFgeJBvaoRfAvskHNdgghR/g2vLsHMDPswicEZt6jCnHon4RBgL
-hSeN9Eae3LqpSWH0GeKVYUccD+r57HCws/kCgcEA3DweWwo3IvxzHtFdfR8T6yod
-IRjyyEQjwGpE/DM/DdpVQLVg1xS+anh7JJenH/EUC363FIi/o0Lw+VVfCOwZKJQr
-9BmU/6t+iP2dUCpUAtTtCBhv4TasLT0vOWDOsgvOGCCsdKzejtN/52HLJUb9favj
-DYkfbGRHjenEnFHOmlCDYVo80OJm/GfRK4Lia6tLAqAFVPrf8kaP2Af3dsXTfVy3
-vtnILDOrNE4h6OL9knhRynsAcPkS6cq0oWOgjs4NAoHBANBBcLdspYIhoHkpL4Vf
-KierOxjQ2WjuBFBD8IawyQK3nW4b0yEEGdvfgFpd7G7vwMkgoM7BbOwrE/jPI5Od
-Aka9uhyiVF7xF62aW4R+st+J1/uZu1PLql4P6bakThTOJYi1BE5DGJgZpwx1GPw5
-id0Dq85ca1sgK+134KQ3ejB26bKFkHe41u1HTWLFxrgapLaUu3yQPqjhmcgrillh
-x39NaSjXVxzfgve+nyv4PlOE7AVwz8pZIL8L8f5GwPw8iQKBwEMVwP1kWDU9Bugd
-SEgDvnKEyoi5a8LbFrTW6hqUlaFnn05tsYjylaoi9wfHdi4BpmR1/diwaweVLYgV
-nDRAjs1QjS721+8lUw7xigjQS/Ts3SL5JqNInxvMpmTo+y068VViJoYH3mdNP4nA
-vTumqzKruCb4XO0MgstUqQIg3TkeS1bNQPcz78D08r85SDUZ4Wh0TAt9u9e17L0W
-eCfizLBEHOhyuEnWl1EAd83Tzv/dzLRL0W+YP02d5HXAvjihxQKBwDvUd8umY1DP
-E/P+F3MkQ/evFeLGSL1UH6Umh/Ohjk6xAmaeUqkllE6gFkyVktMiHLQDC+tJ1hfj
-j0VJa6tMpNr3jfUXunln8qMkDhXfdlPm8Yd0BLnuSxjsKaqz1f9XCUhXb/PHkvhf
-Ku4v3Q++uU4qOpCYys1zzdxSagLzQZQJ2juAKW7s6G9uUJJptDVUB2qfkyRiTL19
-r1V/QoxOoWlVqtZSTGpJKEDniJcouYg47faw5SMA2HhlpOChYLCjOw==
------END RSA PRIVATE KEY-----
diff --git a/demo/grouper/docker-compose.yml b/demo/grouper/docker-compose.yml
index be418a8..83071fc 100644
--- a/demo/grouper/docker-compose.yml
+++ b/demo/grouper/docker-compose.yml
@@ -208,7 +208,6 @@ services:
      - MP_MEM_MAX
      - MP_MEM_INIT
      - MP_JAVA_OPTS
-     - SSO_HEADER
      - TIER_BEACON_OPT_OUT
      - TIMEZONE
     networks:
@@ -219,6 +218,7 @@ services:
      - mp_database_password.txt
      - mp_keystore_password.txt
      - mp_host-key.pem
+     - mp_shibboleth_sp_keys.jks
     volumes:
      - midpoint_home:/opt/midpoint/var
      - type: bind
@@ -283,6 +283,8 @@ secrets:
     file: ./configs-and-secrets/midpoint/application/database_password.txt
   mp_keystore_password.txt:
     file: ./configs-and-secrets/midpoint/application/keystore_password.txt    
+  mp_shibboleth_sp_keys.jks:
+    file: ./configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks
     
 volumes:
   grouper_data:
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
index 9a5a139..4b39fd3 100644
--- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
+++ b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
@@ -28,153 +28,27 @@
                     <singleLogoutEnabled>true</singleLogoutEnabled>
                     <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
                     <keys>
-                        <active>
-                            <name>sp-signing-key-1</name>
-                            <privateKey>
-                                <t:clearValue>-----BEGIN RSA PRIVATE KEY-----
-MIIG5AIBAAKCAYEA0nU4LpCXi17b/s8CsGS4z8QXU1xAgu/tslp5wkMZgFWhaAvR
-rYpDRcwRK6yCRWZWOP+Nxu2/AiJcj/oES7zXk4Xp5JkjDFZ1AGl4putZNu3TsaIa
-B1ehei3qgyzlr1he5Yu3ylNesVUybBdT5l9Ym25Tw4iCb16wAQhAEe8NU4m10p0E
-xYkVrmdTORpW8DQWvyv78UdS9IKeUo4xpQh9OC2hL0BCdpFDV1WXf1nYoCHzsli9
-EjG9to9oqBqvZ4ZD49APyuqwHkrnCCcAMDFgz1WjRhdKk8f4W/A3cQmBRFRIRjYT
-QnHwk7HfrwRE0tfHeR+dHEKJlEORNkX1Y/qUGcPBzVZdHClUINNGcX5IiHogLUGP
-+qmSkIPeeuLu3Jx6Oh4C1WPVhkdZqt/2Kp1wtg4BaZ7IZsWXeGO/qpxech/LUrIc
-sIB0iuDVPKYui9dcpbT2kRtUt2weYvPSH4PE+zgWyKcrYBAEyfXq7wEkn/6ykLMh
-DZA09wY5GHpd6YGlAgMBAAECggGBAJJgcRkB/EU1TvHk7UveYiQvkMGr8jqfwcVA
-5FrW7I+z/zUss0NuXOfYzUCBFYJLcUDnjaaEiUtktth03jQHPjEe/NTAJf5Yy7vj
-n8UI/94SgCCWTGA69NbTxL5DpeTVI/unt8cDQWM5jH5doz8hpbFFhQEEmyP2yZeO
-M3HFwJEPwOShzUXO2MOanemjhkA/GmsQnoTsRKhHiPKGb8UHKIDAS9FfclqhIiNG
-Jr6usNp/gs3Spn5XFko5aGMzXDg2yxH9vvP3wWYR00tBiwiKkKSvrWcbeCu+wytq
-di/XWLhyu77Vp9Y9GCMD6g/kFVbbk3ewTjpmpD49hOxF6vxrxcPIAf4ES6C7iUqu
-b74T60lbialncQ7sUrrRoCKDd5kMXdgI7gV76sGGmd1Bh2ZQWAEMeSAogBo8b/9c
-5iqfvTiR4Hv2tXumfI4EHKUuzljYVHY+qn7PiIlihGjDOw/HY+J3KAKwaRO/wc5V
-bid++3Kkcd+WpTHCpWsEFhdWKkg6wQKBwQD0oqQi8+LK91No5bl3oZ7WLCnr1nAb
-RZBHePQMubmU7v2sHiliKM4w7e09y5o2IvkBqbdvDHTZqaKH2Dpqbfpa3NB1q7/l
-AfZP6hcX8IGSml2tZ5v1S3yu+y+CAfCPXaY7w4u9uF4PySdY7BjNd/oxhH00E5eB
-4tJWcDMnVDvjuKFgeJBvaoRfAvskHNdgghR/g2vLsHMDPswicEZt6jCnHon4RBgL
-hSeN9Eae3LqpSWH0GeKVYUccD+r57HCws/kCgcEA3DweWwo3IvxzHtFdfR8T6yod
-IRjyyEQjwGpE/DM/DdpVQLVg1xS+anh7JJenH/EUC363FIi/o0Lw+VVfCOwZKJQr
-9BmU/6t+iP2dUCpUAtTtCBhv4TasLT0vOWDOsgvOGCCsdKzejtN/52HLJUb9favj
-DYkfbGRHjenEnFHOmlCDYVo80OJm/GfRK4Lia6tLAqAFVPrf8kaP2Af3dsXTfVy3
-vtnILDOrNE4h6OL9knhRynsAcPkS6cq0oWOgjs4NAoHBANBBcLdspYIhoHkpL4Vf
-KierOxjQ2WjuBFBD8IawyQK3nW4b0yEEGdvfgFpd7G7vwMkgoM7BbOwrE/jPI5Od
-Aka9uhyiVF7xF62aW4R+st+J1/uZu1PLql4P6bakThTOJYi1BE5DGJgZpwx1GPw5
-id0Dq85ca1sgK+134KQ3ejB26bKFkHe41u1HTWLFxrgapLaUu3yQPqjhmcgrillh
-x39NaSjXVxzfgve+nyv4PlOE7AVwz8pZIL8L8f5GwPw8iQKBwEMVwP1kWDU9Bugd
-SEgDvnKEyoi5a8LbFrTW6hqUlaFnn05tsYjylaoi9wfHdi4BpmR1/diwaweVLYgV
-nDRAjs1QjS721+8lUw7xigjQS/Ts3SL5JqNInxvMpmTo+y068VViJoYH3mdNP4nA
-vTumqzKruCb4XO0MgstUqQIg3TkeS1bNQPcz78D08r85SDUZ4Wh0TAt9u9e17L0W
-eCfizLBEHOhyuEnWl1EAd83Tzv/dzLRL0W+YP02d5HXAvjihxQKBwDvUd8umY1DP
-E/P+F3MkQ/evFeLGSL1UH6Umh/Ohjk6xAmaeUqkllE6gFkyVktMiHLQDC+tJ1hfj
-j0VJa6tMpNr3jfUXunln8qMkDhXfdlPm8Yd0BLnuSxjsKaqz1f9XCUhXb/PHkvhf
-Ku4v3Q++uU4qOpCYys1zzdxSagLzQZQJ2juAKW7s6G9uUJJptDVUB2qfkyRiTL19
-r1V/QoxOoWlVqtZSTGpJKEDniJcouYg47faw5SMA2HhlpOChYLCjOw==
------END RSA PRIVATE KEY-----</t:clearValue>
-                            </privateKey>
-                            <passphrase>
-                                <t:clearValue>password</t:clearValue>
-                            </passphrase>
-                            <certificate>
-                                <t:clearValue>-----BEGIN CERTIFICATE-----
-MIID/TCCAmWgAwIBAgIJAJZqOL69C6nRMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4NDhaFw0yODEyMTcy
-MjM4NDhaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI
-hvcNAQEBBQADggGPADCCAYoCggGBANJ1OC6Ql4te2/7PArBkuM/EF1NcQILv7bJa
-ecJDGYBVoWgL0a2KQ0XMESusgkVmVjj/jcbtvwIiXI/6BEu815OF6eSZIwxWdQBp
-eKbrWTbt07GiGgdXoXot6oMs5a9YXuWLt8pTXrFVMmwXU+ZfWJtuU8OIgm9esAEI
-QBHvDVOJtdKdBMWJFa5nUzkaVvA0Fr8r+/FHUvSCnlKOMaUIfTgtoS9AQnaRQ1dV
-l39Z2KAh87JYvRIxvbaPaKgar2eGQ+PQD8rqsB5K5wgnADAxYM9Vo0YXSpPH+Fvw
-N3EJgURUSEY2E0Jx8JOx368ERNLXx3kfnRxCiZRDkTZF9WP6lBnDwc1WXRwpVCDT
-RnF+SIh6IC1Bj/qpkpCD3nri7tycejoeAtVj1YZHWarf9iqdcLYOAWmeyGbFl3hj
-v6qcXnIfy1KyHLCAdIrg1TymLovXXKW09pEbVLdsHmLz0h+DxPs4FsinK2AQBMn1
-6u8BJJ/+spCzIQ2QNPcGORh6XemBpQIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl
-c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFPC8rkASWHQxrtCQ4wwtnsJRy6K5MA0G
-CSqGSIb3DQEBCwUAA4IBgQCks2nY7YzdIKV02NHD9STWD3yPtEwPYZZ3NBno0WW2
-0rS6cU+fxFx37nY8ULve4cFQkLR8fOO44e1qIuTgLGCauSGTx/Ts/tbmZXbpGTwV
-7cjZDCfC7yEFAVrfQFOMNKeQEssuLFj+d4STGLorxsM+2YygdOgohJz0e3xOcmCN
-HqEuC9RbzrnLc/A4/mOHKwnwCCg71zA1/Ew9NUoRm2n8IfaONIUaMg9opNiHxX4e
-u3UFaaPmn/mInuWYYMXzbIbdlU/XhKvXrujWYWj7anTDWvGQmNEecsQH92SrO0pf
-+9WwcWUQTQiWUdq8/OxjXfzs1PrQnSlp0eizgcdKHDKbCUaSuK1i2wdxfEsu5sbZ
-AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq
-+mjnyQSNe3s24VNeGc76jbHIrkEWuA460QGqz1Fa2CsQo5SH1IkxNIKpBZWt+w2L
-dAza/NzYyDruY5IJCrZa9Qw=
------END CERTIFICATE-----</t:clearValue>
-                            </certificate>
-                        </active>
-                        <standBy>
-                            <name>sp-encrypt-key-1</name>
-                            <privateKey>
-                                <t:clearValue>-----BEGIN RSA PRIVATE KEY-----
-MIIG5AIBAAKCAYEA6OY9IHNGyNs8EEDqNhVb5C2xgzl+8i40SsZUNG8ofIJM1uZ0
-VnfuoSX9/Cyt0XiGfhXt8BnqNbpHVowYWXW9DInbz0HyXkc4+N8a4HaAv0jG6U6a
-uRhU3yd+COVsU02S0xAnw2mtgTKXejvzrEILHHcCIDkyB2/jTQvq+WYR80cjCw4c
-BRM1HILAxL0/qMEnkgjEPQx5/7ehSMC9Ww9m7bgQmfNNRqxmcjQXxoL9jNVvE5sE
-1zKa0DYil5z+At7UHT14NlR25c8v9qzntBa+AmtaPxsIr4t2PQ8w9K9bOvgGc3nx
-3FpiAKBEfu2eFm50+8KMFqRDOTGj+eOxEgq2beU31SZRiJduX55u7QNJAVRoV87a
-E45RM0Cv9C4L4ZAv5TtUB3JtNs/4pwfkts1RKpiTFLCFsXPlrKajkqmmdgH0rmLJ
-JFa8YiGfBcc2/nIWuZRt63YE8mUzO/s1p49pnvrKmhvM2OM0FuBo0QKxDVkP197Z
-DxQF7SbaBA/li7HlAgMBAAECggGATN3ggttJG3WwJzUll+AIyhCCq+rICSpSu/Ml
-S4D8fcuLjMnWz8sZiTo+z4H3hFEhInAebcY/1Ke8b8YhKzV+xaqiT49WbONY3FrW
-RgsWhwuACvSUgE6VhGlGYa1GyV+q+9ozJX21dBS8he1PiSTrAeQNYZE+/9Ff1cf/
-L30Oo5pw6G8ptEsYlmZZNRW48vt9EeeuzO9XPJzgsGBcnrdAo2jCoez5LkAsN7kV
-t8D36glvdasON/BNxDZ5yExaUZw1CImSFyUo90qnMf1u0OsXovsveVOLZLE9/0kO
-4VV6fgYX8o13Sv5NLzc8WX1pPZwg/Iex3okLizxDc65TsLlrSPoCwyHRaZV1Cfv6
-Yit6JHbLXRyXFnDVHpVvMq+yUqb9SGtijIByNheFFXE2C2a3r88XeWtHKbxVu75r
-3cNrxawm+SbFbJqgbuTi3mlRgyGyANki3yaqtdn4tq8ZNvFbcF14Ggk7bUjPvFWO
-3ZU/5jwql90sdnjOxD7ekVR7q4uBAoHBAPt6ulYbetGFzWsO5uARSEp7VZuGdoBh
-TbMC5a4D0RzmnGkFTCoaardx5jSgE9TA/2uQutB5FIzAfeZtpxOJNSGnXvBM1D1w
-9RbxWxPf/onzcdjqwvKSqxJkYk5gmKHpeObqF7JLDRicp37kadk6QFUma12iGxim
-YjCWb9EGQIpVQbq2Z2cldIykGJEhTBTretDwySRKmcxtNXbwycbCGEFEbYzbHDtE
-dp3JaC15u6rtf33D+wgGsFoBWMnq9lhHVQKBwQDtFgIcQrxaHr9+PFn995UIvXOs
-O1jf1hJITTieaeDyrCaYUmW7dm4wrUXUZr2oUl3ohqwz7msaFmkKnF6a3Lt53RWA
-XCtsWaSJf5n9MK9UExBwpEV838UYwjJsvsk3ik+C9fMSoIOqSZ/sAt4cLL9gUD5K
-fjTyYQ9m5lVFqK6l6uX4gVdm+5U4NKtRx12LcZNtm8O8bbLRRDRk6mttisA+Vnep
-4/Q2pi8yoVITnXCe8hlbvbHu2HBhoaYOe5rooFECgcEA+X3h/emXaOVBTfRj02rx
-+Irx/LFjQazHhFDcg07gGLcl9/88eAzrUQIcLJuf8RRkk1fsL0XgwF98yK6C8pvO
-bYv6YZcnfaliTpe3DznL8xrmGRmXvUcLl9yltzKYWxIhU55tUgKphIBuoDKGXPAw
-wQmzvRpFnaf8hE3Ls2lrgJJi+pVacvey8JEgmmOZcqvIliA8vdeRTEIQp+btmFYZ
-8C6uLO94y8f5kkMuKue56zNip+hWVbklHrZ1WyXTrvNdAoHATQs22loxfRO65NnV
-4LsA+lseaNzMT8jwHgDCInCDwjiBPkSgfJ/KxRS5uYE9pqJFlBeXhDS5JzwbHHCe
-KbMLVVmr8A+DqO0kk+4ca3PTtf2P/RrU3fSVxyrsWfxRxTO0DPnB6M6ymrbcOkTg
-SsWb1z+cTnbe29kAuU6mbUGYp6BC5VOaxIODBUXQWn3v/y2EXD0fCW+YiXqhkB3B
-lVJekKNmtZW3Ob8dXVWhJ3ClNXG1HePyG4zIUGHIZbJzL59RAoHBAMcE/1Ly8IWH
-hSulB0cCf89XihgAvEdgfbZZoHXWcU/d6m1auJWVysN6LKnYvqYFr75oPWiva/3T
-tRPd0tdZrJ6EyPlvcU6/sucvXTf4ceXXkDFCvt8KC6IOi7BoihNiGpgjUARZIHeF
-b4V4BvtqUz2CfZ8rhAPp2vrXxOm0mn6CfCkE9a5kRUGEW6AWP8carbJejYfOCSu5
-AsNuzTXYbLMrooqX2vDSzOJvsngOp/6M/MSpeTysDq75Ngx/hcGgIA==
------END RSA PRIVATE KEY-----</t:clearValue>
-                            </privateKey>
-                            <passphrase>
-                                <t:clearValue>password</t:clearValue>
-                            </passphrase>
-                            <certificate>
-                                <t:clearValue>-----BEGIN CERTIFICATE-----
-MIID/TCCAmWgAwIBAgIJAINng1bI63LGMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4MDJaFw0yODEyMTcy
-MjM4MDJaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI
-hvcNAQEBBQADggGPADCCAYoCggGBAOjmPSBzRsjbPBBA6jYVW+QtsYM5fvIuNErG
-VDRvKHyCTNbmdFZ37qEl/fwsrdF4hn4V7fAZ6jW6R1aMGFl1vQyJ289B8l5HOPjf
-GuB2gL9IxulOmrkYVN8nfgjlbFNNktMQJ8NprYEyl3o786xCCxx3AiA5Mgdv400L
-6vlmEfNHIwsOHAUTNRyCwMS9P6jBJ5IIxD0Mef+3oUjAvVsPZu24EJnzTUasZnI0
-F8aC/YzVbxObBNcymtA2Ipec/gLe1B09eDZUduXPL/as57QWvgJrWj8bCK+Ldj0P
-MPSvWzr4BnN58dxaYgCgRH7tnhZudPvCjBakQzkxo/njsRIKtm3lN9UmUYiXbl+e
-bu0DSQFUaFfO2hOOUTNAr/QuC+GQL+U7VAdybTbP+KcH5LbNUSqYkxSwhbFz5aym
-o5KppnYB9K5iySRWvGIhnwXHNv5yFrmUbet2BPJlMzv7NaePaZ76ypobzNjjNBbg
-aNECsQ1ZD9fe2Q8UBe0m2gQP5Yux5QIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl
-c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFGcLIl5kg+GFIh9HXeZyLzsv5e7qMA0G
-CSqGSIb3DQEBCwUAA4IBgQAf8/iZXUWtWGMBw2OfonDDWbuhgLnNWddpllcVx7v/
-Yu75+wgfIdNXg6XM4WkGkpbhlkpDLRt2c6rMQpxrQtq/5G3OKEXKyjUOl5pZsYkG
-asVENYPSCfuu3rlK85XaW3H1SSJqSax/UKcYXyB1TIW6mNy3OxuvHak6y4LzFnug
-CO7p/W2jvffwmxfqjbO7wQfXUQz3SZS04sHMqQoStOwy2N5xxQ3uTF34EoXBto+n
-XIEOptKPhV2NkEzj+UUIi1588dck8T0SstbSElbTnJ4sNZFriX6JOPFNW08fezot
-izerOHuAFpFQvtugWoZT87YYaFwG+Zr5QNa4fNOcAL+FHvbOfEqIGs+H6GSf0dZV
-lkcJyzWZvuK/4RGqWbLvfAYRm0PAGTQSLdO8QJSYWdJtJvZFEMgddQ2HoIzeO5wo
-B42FKDSHottI9avilApQBdRCtust8XRPtEAzDB/t/1jbO7u2tkzgY3614mX5xgut
-Ileaae5eVCjw4uYbkh+Mt5M=
------END CERTIFICATE-----</t:clearValue>
-                            </certificate>
-                            <type>encryption</type>
-                        </standBy>
+                        <activeKeyStoreKey>
+    				<keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath>
+    				<keyStorePassword>
+        				<t:clearValue>changeit</t:clearValue>
+    				</keyStorePassword>
+    				<keyAlias>signing-key</keyAlias>
+    				<keyPassword>
+        				<t:clearValue>password</t:clearValue>
+    				</keyPassword>
+			</activeKeyStoreKey>
+                        <standByKeyStoreKey>
+    				<keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath>
+    				<keyStorePassword>
+        				<t:clearValue>changeit</t:clearValue>
+    				</keyStorePassword>
+    				<keyAlias>encrypt-key</keyAlias>
+    				<keyPassword>
+        				<t:clearValue>password</t:clearValue>
+    				</keyPassword>
+				<type>encryption</type>
+			</standByKeyStoreKey>
                     </keys>
                     <provider>
                         <entityId>https://idptestbed/idp/shibboleth</entityId>
@@ -256,6 +130,8 @@ Ileaae5eVCjw4uYbkh+Mt5M=
                 <necessity>sufficient</necessity>
             </module>
         </sequence>
+	<ignoredLocalPath>/actuator</ignoredLocalPath>
+    	<ignoredLocalPath>/actuator/health</ignoredLocalPath>
     </authentication>
     <credentials>
         <password>
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
deleted file mode 100644
index d597970..0000000
--- a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
+++ /dev/null
@@ -1,139 +0,0 @@
-<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
-    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
-    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    clockSkew="180">
-
-    <!--
-    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
-    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-    -->
-
-    <!--
-    To customize behavior for specific resources on Apache, and to link vhosts or
-    resources to ApplicationOverride settings below, use web server options/commands.
-    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
-    
-    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
-    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-    -->
-    <TCPListener address="127.0.0.1" port="1600"/> 
-
-
-    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
-    <ApplicationDefaults entityID="https://midpointdemo/shibboleth"
-                         REMOTE_USER="uid">
-
-        <!--
-        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
-        You MUST supply an effectively unique handlerURL value for each of your applications.
-        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
-        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
-        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
-        Note that while we default checkAddress to "false", this has a negative impact on the
-        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-        -->
-        <Sessions lifetime="28800" timeout="28800" relayState="ss:mem"
-                  checkAddress="false" handlerSSL="true" cookieProps="https">
-
-            <!--
-            Configures SSO for a default IdP. To allow for >1 IdP, remove
-            entityID property and adjust discoveryURL to point to discovery service.
-            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
-            You can also override entityID on /Login query string, or in RequestMap/htaccess.
-            -->
-		<SSO entityID="https://idptestbed/idp/shibboleth">
-			SAML2
-		</SSO>
-
-            <!-- SAML and local-only logout. -->
-            <Logout>SAML2 Local</Logout>
-            
-            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
-            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
-
-            <!-- Status reporting service. -->
-            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
-
-            <!-- Session diagnostic service. -->
-            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
-
-            <!-- JSON feed of discovery information. -->
-            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
-        </Sessions>
-
-        <!--
-        Allows overriding of error template information/filenames. You can
-        also add attributes with values that can be plugged into the templates.
-        -->
-        <Errors supportContact="root@localhost"
-            helpLocation="/about.html"
-            styleSheet="/shibboleth-sp/main.css"/>
-        
-        <!-- Example of remotely supplied batch of signed metadata. -->
-        <!--
-        <MetadataProvider type="XML" validate="true"
-	      uri="http://example.org/federation-metadata.xml"
-              backingFilePath="federation-metadata.xml" reloadInterval="7200">
-            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
-            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
-            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
-              attributeName="http://macedir.org/entity-category"
-              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-              attributeValue="http://refeds.org/category/hide-from-discovery" />
-        </MetadataProvider>
-        -->
-
-        <MetadataProvider type="XML" validate="true" file="idp-metadata.xml"/>
-
-        <!--
-        InCommon
-	  <MetadataProvider type="XML" validate="true"
-		uri="http://md.incommon.org/InCommon/InCommon-metadata.xml"
-              backingFilePath="federation-metadata.xml" reloadInterval="7200">
-            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
-		<MetdataFilter type="Signature" certificate="inc-md-cert.pem"/>
-            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
-              attributeName="http://macedir.org/entity-category"
-              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-              attributeValue="http://refeds.org/category/hide-from-discovery" />
-        </MetadataProvider>
-        -->
-
-        <!-- Map to extract attributes from SAML assertions. -->
-        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
-        
-        <!-- Use a SAML query if no attributes are supplied during SSO. -->
-        <AttributeResolver type="Query" subjectMatch="true"/>
-
-        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
-        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-
-        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
-        <CredentialResolver type="File" use="signing"
-            key="/run/secrets/mp_sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
-        <CredentialResolver type="File" use="encryption"
-            key="/run/secrets/mp_sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
-
-        <!--
-        The default settings can be overridden by creating ApplicationOverride elements (see
-        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
-        Resource requests are mapped by web server commands, or the RequestMapper, to an
-        applicationId setting.
-        
-        Example of a second application (for a second vhost) that has a different entityID.
-        Resources on the vhost would map to an applicationId of "admin":
-        -->
-        <!--
-        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-        -->
-    </ApplicationDefaults>
-    
-    <!-- Policies that determine how to process and authenticate runtime messages. -->
-    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
-
-    <!-- Low-level configuration about protocols and bindings available for use. -->
-    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
-
-</SPConfig>
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks
new file mode 100644
index 0000000..af2e8f4
Binary files /dev/null and b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks differ
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/sp-encrypt-cert.pem b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/sp-encrypt-cert.pem
deleted file mode 100644
index 7a66196..0000000
--- a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/sp-encrypt-cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID/TCCAmWgAwIBAgIJAINng1bI63LGMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4MDJaFw0yODEyMTcy
-MjM4MDJaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI
-hvcNAQEBBQADggGPADCCAYoCggGBAOjmPSBzRsjbPBBA6jYVW+QtsYM5fvIuNErG
-VDRvKHyCTNbmdFZ37qEl/fwsrdF4hn4V7fAZ6jW6R1aMGFl1vQyJ289B8l5HOPjf
-GuB2gL9IxulOmrkYVN8nfgjlbFNNktMQJ8NprYEyl3o786xCCxx3AiA5Mgdv400L
-6vlmEfNHIwsOHAUTNRyCwMS9P6jBJ5IIxD0Mef+3oUjAvVsPZu24EJnzTUasZnI0
-F8aC/YzVbxObBNcymtA2Ipec/gLe1B09eDZUduXPL/as57QWvgJrWj8bCK+Ldj0P
-MPSvWzr4BnN58dxaYgCgRH7tnhZudPvCjBakQzkxo/njsRIKtm3lN9UmUYiXbl+e
-bu0DSQFUaFfO2hOOUTNAr/QuC+GQL+U7VAdybTbP+KcH5LbNUSqYkxSwhbFz5aym
-o5KppnYB9K5iySRWvGIhnwXHNv5yFrmUbet2BPJlMzv7NaePaZ76ypobzNjjNBbg
-aNECsQ1ZD9fe2Q8UBe0m2gQP5Yux5QIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl
-c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFGcLIl5kg+GFIh9HXeZyLzsv5e7qMA0G
-CSqGSIb3DQEBCwUAA4IBgQAf8/iZXUWtWGMBw2OfonDDWbuhgLnNWddpllcVx7v/
-Yu75+wgfIdNXg6XM4WkGkpbhlkpDLRt2c6rMQpxrQtq/5G3OKEXKyjUOl5pZsYkG
-asVENYPSCfuu3rlK85XaW3H1SSJqSax/UKcYXyB1TIW6mNy3OxuvHak6y4LzFnug
-CO7p/W2jvffwmxfqjbO7wQfXUQz3SZS04sHMqQoStOwy2N5xxQ3uTF34EoXBto+n
-XIEOptKPhV2NkEzj+UUIi1588dck8T0SstbSElbTnJ4sNZFriX6JOPFNW08fezot
-izerOHuAFpFQvtugWoZT87YYaFwG+Zr5QNa4fNOcAL+FHvbOfEqIGs+H6GSf0dZV
-lkcJyzWZvuK/4RGqWbLvfAYRm0PAGTQSLdO8QJSYWdJtJvZFEMgddQ2HoIzeO5wo
-B42FKDSHottI9avilApQBdRCtust8XRPtEAzDB/t/1jbO7u2tkzgY3614mX5xgut
-Ileaae5eVCjw4uYbkh+Mt5M=
------END CERTIFICATE-----
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/sp-encrypt-key.pem b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/sp-encrypt-key.pem
deleted file mode 100644
index 1622ef3..0000000
--- a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/sp-encrypt-key.pem
+++ /dev/null
@@ -1,40 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDo5j0gc0bI2zwQ
-QOo2FVvkLbGDOX7yLjRKxlQ0byh8gkzW5nRWd+6hJf38LK3ReIZ+Fe3wGeo1ukdW
-jBhZdb0MidvPQfJeRzj43xrgdoC/SMbpTpq5GFTfJ34I5WxTTZLTECfDaa2BMpd6
-O/OsQgscdwIgOTIHb+NNC+r5ZhHzRyMLDhwFEzUcgsDEvT+owSeSCMQ9DHn/t6FI
-wL1bD2btuBCZ801GrGZyNBfGgv2M1W8TmwTXMprQNiKXnP4C3tQdPXg2VHblzy/2
-rOe0Fr4Ca1o/Gwivi3Y9DzD0r1s6+AZzefHcWmIAoER+7Z4WbnT7wowWpEM5MaP5
-47ESCrZt5TfVJlGIl25fnm7tA0kBVGhXztoTjlEzQK/0LgvhkC/lO1QHcm02z/in
-B+S2zVEqmJMUsIWxc+WspqOSqaZ2AfSuYskkVrxiIZ8Fxzb+cha5lG3rdgTyZTM7
-+zWnj2me+sqaG8zY4zQW4GjRArENWQ/X3tkPFAXtJtoED+WLseUCAwEAAQKCAYBM
-3eCC20kbdbAnNSWX4AjKEIKr6sgJKlK78yVLgPx9y4uMydbPyxmJOj7PgfeEUSEi
-cB5txj/Up7xvxiErNX7FqqJPj1Zs41jcWtZGCxaHC4AK9JSATpWEaUZhrUbJX6r7
-2jMlfbV0FLyF7U+JJOsB5A1hkT7/0V/Vx/8vfQ6jmnDobym0SxiWZlk1Fbjy+30R
-567M71c8nOCwYFyet0CjaMKh7PkuQCw3uRW3wPfqCW91qw438E3ENnnITFpRnDUI
-iZIXJSj3Sqcx/W7Q6xei+y95U4tksT3/SQ7hVXp+BhfyjXdK/k0vNzxZfWk9nCD8
-h7HeiQuLPENzrlOwuWtI+gLDIdFplXUJ+/piK3okdstdHJcWcNUelW8yr7JSpv1I
-a2KMgHI2F4UVcTYLZrevzxd5a0cpvFW7vmvdw2vFrCb5JsVsmqBu5OLeaVGDIbIA
-2SLfJqq12fi2rxk28VtwXXgaCTttSM+8VY7dlT/mPCqX3Sx2eM7EPt6RVHuri4EC
-gcEA+3q6Vht60YXNaw7m4BFISntVm4Z2gGFNswLlrgPRHOacaQVMKhpqt3HmNKAT
-1MD/a5C60HkUjMB95m2nE4k1Iade8EzUPXD1FvFbE9/+ifNx2OrC8pKrEmRiTmCY
-oel45uoXsksNGJynfuRp2TpAVSZrXaIbGKZiMJZv0QZAilVBurZnZyV0jKQYkSFM
-FOt60PDJJEqZzG01dvDJxsIYQURtjNscO0R2ncloLXm7qu1/fcP7CAawWgFYyer2
-WEdVAoHBAO0WAhxCvFoev348Wf33lQi9c6w7WN/WEkhNOJ5p4PKsJphSZbt2bjCt
-RdRmvahSXeiGrDPuaxoWaQqcXprcu3ndFYBcK2xZpIl/mf0wr1QTEHCkRXzfxRjC
-Mmy+yTeKT4L18xKgg6pJn+wC3hwsv2BQPkp+NPJhD2bmVUWorqXq5fiBV2b7lTg0
-q1HHXYtxk22bw7xtstFENGTqa22KwD5Wd6nj9DamLzKhUhOdcJ7yGVu9se7YcGGh
-pg57muigUQKBwQD5feH96Zdo5UFN9GPTavH4ivH8sWNBrMeEUNyDTuAYtyX3/zx4
-DOtRAhwsm5/xFGSTV+wvReDAX3zIroLym85ti/phlyd9qWJOl7cPOcvzGuYZGZe9
-RwuX3KW3MphbEiFTnm1SAqmEgG6gMoZc8DDBCbO9GkWdp/yETcuzaWuAkmL6lVpy
-97LwkSCaY5lyq8iWIDy915FMQhCn5u2YVhnwLq4s73jLx/mSQy4q57nrM2Kn6FZV
-uSUetnVbJdOu810CgcBNCzbaWjF9E7rk2dXguwD6Wx5o3MxPyPAeAMIicIPCOIE+
-RKB8n8rFFLm5gT2mokWUF5eENLknPBsccJ4pswtVWavwD4Oo7SST7hxrc9O1/Y/9
-GtTd9JXHKuxZ/FHFM7QM+cHozrKattw6ROBKxZvXP5xOdt7b2QC5TqZtQZinoELl
-U5rEg4MFRdBafe//LYRcPR8Jb5iJeqGQHcGVUl6Qo2a1lbc5vx1dVaEncKU1cbUd
-4/IbjMhQYchlsnMvn1ECgcEAxwT/UvLwhYeFK6UHRwJ/z1eKGAC8R2B9tlmgddZx
-T93qbVq4lZXKw3osqdi+pgWvvmg9aK9r/dO1E93S11msnoTI+W9xTr+y5y9dN/hx
-5deQMUK+3woLog6LsGiKE2IamCNQBFkgd4VvhXgG+2pTPYJ9nyuEA+na+tfE6bSa
-foJ8KQT1rmRFQYRboBY/xxqtsl6Nh84JK7kCw27NNdhssyuiipfa8NLM4m+yeA6n
-/oz8xKl5PKwOrvk2DH+FwaAg
------END PRIVATE KEY-----
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/sp-signing-cert.pem b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/sp-signing-cert.pem
deleted file mode 100644
index 73aaaab..0000000
--- a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/sp-signing-cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID/TCCAmWgAwIBAgIJAJZqOL69C6nRMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4NDhaFw0yODEyMTcy
-MjM4NDhaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI
-hvcNAQEBBQADggGPADCCAYoCggGBANJ1OC6Ql4te2/7PArBkuM/EF1NcQILv7bJa
-ecJDGYBVoWgL0a2KQ0XMESusgkVmVjj/jcbtvwIiXI/6BEu815OF6eSZIwxWdQBp
-eKbrWTbt07GiGgdXoXot6oMs5a9YXuWLt8pTXrFVMmwXU+ZfWJtuU8OIgm9esAEI
-QBHvDVOJtdKdBMWJFa5nUzkaVvA0Fr8r+/FHUvSCnlKOMaUIfTgtoS9AQnaRQ1dV
-l39Z2KAh87JYvRIxvbaPaKgar2eGQ+PQD8rqsB5K5wgnADAxYM9Vo0YXSpPH+Fvw
-N3EJgURUSEY2E0Jx8JOx368ERNLXx3kfnRxCiZRDkTZF9WP6lBnDwc1WXRwpVCDT
-RnF+SIh6IC1Bj/qpkpCD3nri7tycejoeAtVj1YZHWarf9iqdcLYOAWmeyGbFl3hj
-v6qcXnIfy1KyHLCAdIrg1TymLovXXKW09pEbVLdsHmLz0h+DxPs4FsinK2AQBMn1
-6u8BJJ/+spCzIQ2QNPcGORh6XemBpQIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl
-c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFPC8rkASWHQxrtCQ4wwtnsJRy6K5MA0G
-CSqGSIb3DQEBCwUAA4IBgQCks2nY7YzdIKV02NHD9STWD3yPtEwPYZZ3NBno0WW2
-0rS6cU+fxFx37nY8ULve4cFQkLR8fOO44e1qIuTgLGCauSGTx/Ts/tbmZXbpGTwV
-7cjZDCfC7yEFAVrfQFOMNKeQEssuLFj+d4STGLorxsM+2YygdOgohJz0e3xOcmCN
-HqEuC9RbzrnLc/A4/mOHKwnwCCg71zA1/Ew9NUoRm2n8IfaONIUaMg9opNiHxX4e
-u3UFaaPmn/mInuWYYMXzbIbdlU/XhKvXrujWYWj7anTDWvGQmNEecsQH92SrO0pf
-+9WwcWUQTQiWUdq8/OxjXfzs1PrQnSlp0eizgcdKHDKbCUaSuK1i2wdxfEsu5sbZ
-AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq
-+mjnyQSNe3s24VNeGc76jbHIrkEWuA460QGqz1Fa2CsQo5SH1IkxNIKpBZWt+w2L
-dAza/NzYyDruY5IJCrZa9Qw=
------END CERTIFICATE-----
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/sp-signing-key.pem b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/sp-signing-key.pem
deleted file mode 100644
index 9e979fe..0000000
--- a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/sp-signing-key.pem
+++ /dev/null
@@ -1,40 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDSdTgukJeLXtv+
-zwKwZLjPxBdTXECC7+2yWnnCQxmAVaFoC9GtikNFzBErrIJFZlY4/43G7b8CIlyP
-+gRLvNeThenkmSMMVnUAaXim61k27dOxohoHV6F6LeqDLOWvWF7li7fKU16xVTJs
-F1PmX1ibblPDiIJvXrABCEAR7w1TibXSnQTFiRWuZ1M5GlbwNBa/K/vxR1L0gp5S
-jjGlCH04LaEvQEJ2kUNXVZd/WdigIfOyWL0SMb22j2ioGq9nhkPj0A/K6rAeSucI
-JwAwMWDPVaNGF0qTx/hb8DdxCYFEVEhGNhNCcfCTsd+vBETS18d5H50cQomUQ5E2
-RfVj+pQZw8HNVl0cKVQg00ZxfkiIeiAtQY/6qZKQg9564u7cnHo6HgLVY9WGR1mq
-3/YqnXC2DgFpnshmxZd4Y7+qnF5yH8tSshywgHSK4NU8pi6L11yltPaRG1S3bB5i
-89Ifg8T7OBbIpytgEATJ9ervASSf/rKQsyENkDT3BjkYel3pgaUCAwEAAQKCAYEA
-kmBxGQH8RTVO8eTtS95iJC+QwavyOp/BxUDkWtbsj7P/NSyzQ25c59jNQIEVgktx
-QOeNpoSJS2S22HTeNAc+MR781MAl/ljLu+OfxQj/3hKAIJZMYDr01tPEvkOl5NUj
-+6e3xwNBYzmMfl2jPyGlsUWFAQSbI/bJl44zccXAkQ/A5KHNRc7Yw5qd6aOGQD8a
-axCehOxEqEeI8oZvxQcogMBL0V9yWqEiI0Ymvq6w2n+CzdKmflcWSjloYzNcODbL
-Ef2+8/fBZhHTS0GLCIqQpK+tZxt4K77DK2p2L9dYuHK7vtWn1j0YIwPqD+QVVtuT
-d7BOOmakPj2E7EXq/GvFw8gB/gRLoLuJSq5vvhPrSVuJqWdxDuxSutGgIoN3mQxd
-2AjuBXvqwYaZ3UGHZlBYAQx5ICiAGjxv/1zmKp+9OJHge/a1e6Z8jgQcpS7OWNhU
-dj6qfs+IiWKEaMM7D8dj4ncoArBpE7/BzlVuJ377cqRx35alMcKlawQWF1YqSDrB
-AoHBAPSipCLz4sr3U2jluXehntYsKevWcBtFkEd49Ay5uZTu/aweKWIozjDt7T3L
-mjYi+QGpt28MdNmpoofYOmpt+lrc0HWrv+UB9k/qFxfwgZKaXa1nm/VLfK77L4IB
-8I9dpjvDi724Xg/JJ1jsGM13+jGEfTQTl4Hi0lZwMydUO+O4oWB4kG9qhF8C+yQc
-12CCFH+Da8uwcwM+zCJwRm3qMKceifhEGAuFJ430Rp7cuqlJYfQZ4pVhRxwP6vns
-cLCz+QKBwQDcPB5bCjci/HMe0V19HxPrKh0hGPLIRCPAakT8Mz8N2lVAtWDXFL5q
-eHskl6cf8RQLfrcUiL+jQvD5VV8I7BkolCv0GZT/q36I/Z1QKlQC1O0IGG/hNqwt
-PS85YM6yC84YIKx0rN6O03/nYcslRv19q+MNiR9sZEeN6cScUc6aUINhWjzQ4mb8
-Z9ErguJrq0sCoAVU+t/yRo/YB/d2xdN9XLe+2cgsM6s0TiHo4v2SeFHKewBw+RLp
-yrShY6COzg0CgcEA0EFwt2ylgiGgeSkvhV8qJ6s7GNDZaO4EUEPwhrDJAredbhvT
-IQQZ29+AWl3sbu/AySCgzsFs7CsT+M8jk50CRr26HKJUXvEXrZpbhH6y34nX+5m7
-U8uqXg/ptqROFM4liLUETkMYmBmnDHUY/DmJ3QOrzlxrWyAr7XfgpDd6MHbpsoWQ
-d7jW7UdNYsXGuBqktpS7fJA+qOGZyCuKWWHHf01pKNdXHN+C976fK/g+U4TsBXDP
-ylkgvwvx/kbA/DyJAoHAQxXA/WRYNT0G6B1ISAO+coTKiLlrwtsWtNbqGpSVoWef
-Tm2xiPKVqiL3B8d2LgGmZHX92LBrB5UtiBWcNECOzVCNLvbX7yVTDvGKCNBL9Ozd
-Ivkmo0ifG8ymZOj7LTrxVWImhgfeZ00/icC9O6arMqu4Jvhc7QyCy1SpAiDdOR5L
-Vs1A9zPvwPTyvzlINRnhaHRMC32717XsvRZ4J+LMsEQc6HK4SdaXUQB3zdPO/93M
-tEvRb5g/TZ3kdcC+OKHFAoHAO9R3y6ZjUM8T8/4XcyRD968V4sZIvVQfpSaH86GO
-TrECZp5SqSWUTqAWTJWS0yIctAML60nWF+OPRUlrq0yk2veN9Re6eWfyoyQOFd92
-U+bxh3QEue5LGOwpqrPV/1cJSFdv88eS+F8q7i/dD765Tio6kJjKzXPN3FJqAvNB
-lAnaO4Apbuzob25Qkmm0NVQHap+TJGJMvX2vVX9CjE6haVWq1lJMakkoQOeIlyi5
-iDjt9rDlIwDYeGWk4KFgsKM7
------END PRIVATE KEY-----
diff --git a/demo/shibboleth/docker-compose-tests.yml b/demo/shibboleth/docker-compose-tests.yml
index b6e2860..d611fd1 100644
--- a/demo/shibboleth/docker-compose-tests.yml
+++ b/demo/shibboleth/docker-compose-tests.yml
@@ -45,17 +45,18 @@ services:
      - mp_database_password.txt
      - mp_keystore_password.txt
      - mp_host-key.pem
+     - mp_shibboleth_sp_keys.jks
     volumes:
      - midpoint_home:/opt/midpoint/var
+     - type: bind
+       source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
+       target: /etc/shibboleth/idp-metadata.xml
      - type: bind
        source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
        target: /etc/pki/tls/certs/host-cert.pem
      - type: bind
        source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
        target: /etc/pki/tls/certs/cachain.pem
-     - type: bind
-       source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
-       target: /etc/shibboleth/idp-metadata.xml
 
   directory:
     build: ./directory/
@@ -89,7 +90,9 @@ secrets:
   mp_database_password.txt:
     file: ./configs-and-secrets/midpoint/application/database_password.txt
   mp_keystore_password.txt:
-    file: ./configs-and-secrets/midpoint/application/keystore_password.txt 
+    file: ./configs-and-secrets/midpoint/application/keystore_password.txt
+  mp_shibboleth_sp_keys.jks:
+    file: ./configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks
     
 volumes:
   midpoint_mysql:
diff --git a/demo/shibboleth/docker-compose.yml b/demo/shibboleth/docker-compose.yml
index 9caf8b2..decacb9 100644
--- a/demo/shibboleth/docker-compose.yml
+++ b/demo/shibboleth/docker-compose.yml
@@ -42,17 +42,18 @@ services:
      - mp_database_password.txt
      - mp_keystore_password.txt
      - mp_host-key.pem
+     - mp_shibboleth_sp_keys.jks
     volumes:
      - midpoint_home:/opt/midpoint/var
+     - type: bind
+       source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
+       target: /etc/shibboleth/idp-metadata.xml
      - type: bind
        source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
        target: /etc/pki/tls/certs/host-cert.pem
      - type: bind
        source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
        target: /etc/pki/tls/certs/cachain.pem
-     - type: bind
-       source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
-       target: /etc/shibboleth/idp-metadata.xml
 
   directory:
     build: ./directory/
@@ -86,7 +87,9 @@ secrets:
   mp_database_password.txt:
     file: ./configs-and-secrets/midpoint/application/database_password.txt
   mp_keystore_password.txt:
-    file: ./configs-and-secrets/midpoint/application/keystore_password.txt 
+    file: ./configs-and-secrets/midpoint/application/keystore_password.txt
+  mp_shibboleth_sp_keys.jks:
+    file: ./configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks
     
 volumes:
   midpoint_mysql:
diff --git a/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml b/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
index 29b3e37..4fce414 100644
--- a/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
+++ b/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
@@ -28,153 +28,27 @@
                     <singleLogoutEnabled>true</singleLogoutEnabled>
                     <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
                     <keys>
-                        <active>
-                            <name>sp-signing-key-1</name>
-                            <privateKey>
-                                <t:clearValue>-----BEGIN RSA PRIVATE KEY-----
-MIIG5AIBAAKCAYEA0nU4LpCXi17b/s8CsGS4z8QXU1xAgu/tslp5wkMZgFWhaAvR
-rYpDRcwRK6yCRWZWOP+Nxu2/AiJcj/oES7zXk4Xp5JkjDFZ1AGl4putZNu3TsaIa
-B1ehei3qgyzlr1he5Yu3ylNesVUybBdT5l9Ym25Tw4iCb16wAQhAEe8NU4m10p0E
-xYkVrmdTORpW8DQWvyv78UdS9IKeUo4xpQh9OC2hL0BCdpFDV1WXf1nYoCHzsli9
-EjG9to9oqBqvZ4ZD49APyuqwHkrnCCcAMDFgz1WjRhdKk8f4W/A3cQmBRFRIRjYT
-QnHwk7HfrwRE0tfHeR+dHEKJlEORNkX1Y/qUGcPBzVZdHClUINNGcX5IiHogLUGP
-+qmSkIPeeuLu3Jx6Oh4C1WPVhkdZqt/2Kp1wtg4BaZ7IZsWXeGO/qpxech/LUrIc
-sIB0iuDVPKYui9dcpbT2kRtUt2weYvPSH4PE+zgWyKcrYBAEyfXq7wEkn/6ykLMh
-DZA09wY5GHpd6YGlAgMBAAECggGBAJJgcRkB/EU1TvHk7UveYiQvkMGr8jqfwcVA
-5FrW7I+z/zUss0NuXOfYzUCBFYJLcUDnjaaEiUtktth03jQHPjEe/NTAJf5Yy7vj
-n8UI/94SgCCWTGA69NbTxL5DpeTVI/unt8cDQWM5jH5doz8hpbFFhQEEmyP2yZeO
-M3HFwJEPwOShzUXO2MOanemjhkA/GmsQnoTsRKhHiPKGb8UHKIDAS9FfclqhIiNG
-Jr6usNp/gs3Spn5XFko5aGMzXDg2yxH9vvP3wWYR00tBiwiKkKSvrWcbeCu+wytq
-di/XWLhyu77Vp9Y9GCMD6g/kFVbbk3ewTjpmpD49hOxF6vxrxcPIAf4ES6C7iUqu
-b74T60lbialncQ7sUrrRoCKDd5kMXdgI7gV76sGGmd1Bh2ZQWAEMeSAogBo8b/9c
-5iqfvTiR4Hv2tXumfI4EHKUuzljYVHY+qn7PiIlihGjDOw/HY+J3KAKwaRO/wc5V
-bid++3Kkcd+WpTHCpWsEFhdWKkg6wQKBwQD0oqQi8+LK91No5bl3oZ7WLCnr1nAb
-RZBHePQMubmU7v2sHiliKM4w7e09y5o2IvkBqbdvDHTZqaKH2Dpqbfpa3NB1q7/l
-AfZP6hcX8IGSml2tZ5v1S3yu+y+CAfCPXaY7w4u9uF4PySdY7BjNd/oxhH00E5eB
-4tJWcDMnVDvjuKFgeJBvaoRfAvskHNdgghR/g2vLsHMDPswicEZt6jCnHon4RBgL
-hSeN9Eae3LqpSWH0GeKVYUccD+r57HCws/kCgcEA3DweWwo3IvxzHtFdfR8T6yod
-IRjyyEQjwGpE/DM/DdpVQLVg1xS+anh7JJenH/EUC363FIi/o0Lw+VVfCOwZKJQr
-9BmU/6t+iP2dUCpUAtTtCBhv4TasLT0vOWDOsgvOGCCsdKzejtN/52HLJUb9favj
-DYkfbGRHjenEnFHOmlCDYVo80OJm/GfRK4Lia6tLAqAFVPrf8kaP2Af3dsXTfVy3
-vtnILDOrNE4h6OL9knhRynsAcPkS6cq0oWOgjs4NAoHBANBBcLdspYIhoHkpL4Vf
-KierOxjQ2WjuBFBD8IawyQK3nW4b0yEEGdvfgFpd7G7vwMkgoM7BbOwrE/jPI5Od
-Aka9uhyiVF7xF62aW4R+st+J1/uZu1PLql4P6bakThTOJYi1BE5DGJgZpwx1GPw5
-id0Dq85ca1sgK+134KQ3ejB26bKFkHe41u1HTWLFxrgapLaUu3yQPqjhmcgrillh
-x39NaSjXVxzfgve+nyv4PlOE7AVwz8pZIL8L8f5GwPw8iQKBwEMVwP1kWDU9Bugd
-SEgDvnKEyoi5a8LbFrTW6hqUlaFnn05tsYjylaoi9wfHdi4BpmR1/diwaweVLYgV
-nDRAjs1QjS721+8lUw7xigjQS/Ts3SL5JqNInxvMpmTo+y068VViJoYH3mdNP4nA
-vTumqzKruCb4XO0MgstUqQIg3TkeS1bNQPcz78D08r85SDUZ4Wh0TAt9u9e17L0W
-eCfizLBEHOhyuEnWl1EAd83Tzv/dzLRL0W+YP02d5HXAvjihxQKBwDvUd8umY1DP
-E/P+F3MkQ/evFeLGSL1UH6Umh/Ohjk6xAmaeUqkllE6gFkyVktMiHLQDC+tJ1hfj
-j0VJa6tMpNr3jfUXunln8qMkDhXfdlPm8Yd0BLnuSxjsKaqz1f9XCUhXb/PHkvhf
-Ku4v3Q++uU4qOpCYys1zzdxSagLzQZQJ2juAKW7s6G9uUJJptDVUB2qfkyRiTL19
-r1V/QoxOoWlVqtZSTGpJKEDniJcouYg47faw5SMA2HhlpOChYLCjOw==
------END RSA PRIVATE KEY-----</t:clearValue>
-                            </privateKey>
-                            <passphrase>
-                                <t:clearValue>password</t:clearValue>
-                            </passphrase>
-                            <certificate>
-                                <t:clearValue>-----BEGIN CERTIFICATE-----
-MIID/TCCAmWgAwIBAgIJAJZqOL69C6nRMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4NDhaFw0yODEyMTcy
-MjM4NDhaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI
-hvcNAQEBBQADggGPADCCAYoCggGBANJ1OC6Ql4te2/7PArBkuM/EF1NcQILv7bJa
-ecJDGYBVoWgL0a2KQ0XMESusgkVmVjj/jcbtvwIiXI/6BEu815OF6eSZIwxWdQBp
-eKbrWTbt07GiGgdXoXot6oMs5a9YXuWLt8pTXrFVMmwXU+ZfWJtuU8OIgm9esAEI
-QBHvDVOJtdKdBMWJFa5nUzkaVvA0Fr8r+/FHUvSCnlKOMaUIfTgtoS9AQnaRQ1dV
-l39Z2KAh87JYvRIxvbaPaKgar2eGQ+PQD8rqsB5K5wgnADAxYM9Vo0YXSpPH+Fvw
-N3EJgURUSEY2E0Jx8JOx368ERNLXx3kfnRxCiZRDkTZF9WP6lBnDwc1WXRwpVCDT
-RnF+SIh6IC1Bj/qpkpCD3nri7tycejoeAtVj1YZHWarf9iqdcLYOAWmeyGbFl3hj
-v6qcXnIfy1KyHLCAdIrg1TymLovXXKW09pEbVLdsHmLz0h+DxPs4FsinK2AQBMn1
-6u8BJJ/+spCzIQ2QNPcGORh6XemBpQIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl
-c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFPC8rkASWHQxrtCQ4wwtnsJRy6K5MA0G
-CSqGSIb3DQEBCwUAA4IBgQCks2nY7YzdIKV02NHD9STWD3yPtEwPYZZ3NBno0WW2
-0rS6cU+fxFx37nY8ULve4cFQkLR8fOO44e1qIuTgLGCauSGTx/Ts/tbmZXbpGTwV
-7cjZDCfC7yEFAVrfQFOMNKeQEssuLFj+d4STGLorxsM+2YygdOgohJz0e3xOcmCN
-HqEuC9RbzrnLc/A4/mOHKwnwCCg71zA1/Ew9NUoRm2n8IfaONIUaMg9opNiHxX4e
-u3UFaaPmn/mInuWYYMXzbIbdlU/XhKvXrujWYWj7anTDWvGQmNEecsQH92SrO0pf
-+9WwcWUQTQiWUdq8/OxjXfzs1PrQnSlp0eizgcdKHDKbCUaSuK1i2wdxfEsu5sbZ
-AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq
-+mjnyQSNe3s24VNeGc76jbHIrkEWuA460QGqz1Fa2CsQo5SH1IkxNIKpBZWt+w2L
-dAza/NzYyDruY5IJCrZa9Qw=
------END CERTIFICATE-----</t:clearValue>
-                            </certificate>
-                        </active>
-                        <standBy>
-                            <name>sp-encrypt-key-1</name>
-                            <privateKey>
-                                <t:clearValue>-----BEGIN RSA PRIVATE KEY-----
-MIIG5AIBAAKCAYEA6OY9IHNGyNs8EEDqNhVb5C2xgzl+8i40SsZUNG8ofIJM1uZ0
-VnfuoSX9/Cyt0XiGfhXt8BnqNbpHVowYWXW9DInbz0HyXkc4+N8a4HaAv0jG6U6a
-uRhU3yd+COVsU02S0xAnw2mtgTKXejvzrEILHHcCIDkyB2/jTQvq+WYR80cjCw4c
-BRM1HILAxL0/qMEnkgjEPQx5/7ehSMC9Ww9m7bgQmfNNRqxmcjQXxoL9jNVvE5sE
-1zKa0DYil5z+At7UHT14NlR25c8v9qzntBa+AmtaPxsIr4t2PQ8w9K9bOvgGc3nx
-3FpiAKBEfu2eFm50+8KMFqRDOTGj+eOxEgq2beU31SZRiJduX55u7QNJAVRoV87a
-E45RM0Cv9C4L4ZAv5TtUB3JtNs/4pwfkts1RKpiTFLCFsXPlrKajkqmmdgH0rmLJ
-JFa8YiGfBcc2/nIWuZRt63YE8mUzO/s1p49pnvrKmhvM2OM0FuBo0QKxDVkP197Z
-DxQF7SbaBA/li7HlAgMBAAECggGATN3ggttJG3WwJzUll+AIyhCCq+rICSpSu/Ml
-S4D8fcuLjMnWz8sZiTo+z4H3hFEhInAebcY/1Ke8b8YhKzV+xaqiT49WbONY3FrW
-RgsWhwuACvSUgE6VhGlGYa1GyV+q+9ozJX21dBS8he1PiSTrAeQNYZE+/9Ff1cf/
-L30Oo5pw6G8ptEsYlmZZNRW48vt9EeeuzO9XPJzgsGBcnrdAo2jCoez5LkAsN7kV
-t8D36glvdasON/BNxDZ5yExaUZw1CImSFyUo90qnMf1u0OsXovsveVOLZLE9/0kO
-4VV6fgYX8o13Sv5NLzc8WX1pPZwg/Iex3okLizxDc65TsLlrSPoCwyHRaZV1Cfv6
-Yit6JHbLXRyXFnDVHpVvMq+yUqb9SGtijIByNheFFXE2C2a3r88XeWtHKbxVu75r
-3cNrxawm+SbFbJqgbuTi3mlRgyGyANki3yaqtdn4tq8ZNvFbcF14Ggk7bUjPvFWO
-3ZU/5jwql90sdnjOxD7ekVR7q4uBAoHBAPt6ulYbetGFzWsO5uARSEp7VZuGdoBh
-TbMC5a4D0RzmnGkFTCoaardx5jSgE9TA/2uQutB5FIzAfeZtpxOJNSGnXvBM1D1w
-9RbxWxPf/onzcdjqwvKSqxJkYk5gmKHpeObqF7JLDRicp37kadk6QFUma12iGxim
-YjCWb9EGQIpVQbq2Z2cldIykGJEhTBTretDwySRKmcxtNXbwycbCGEFEbYzbHDtE
-dp3JaC15u6rtf33D+wgGsFoBWMnq9lhHVQKBwQDtFgIcQrxaHr9+PFn995UIvXOs
-O1jf1hJITTieaeDyrCaYUmW7dm4wrUXUZr2oUl3ohqwz7msaFmkKnF6a3Lt53RWA
-XCtsWaSJf5n9MK9UExBwpEV838UYwjJsvsk3ik+C9fMSoIOqSZ/sAt4cLL9gUD5K
-fjTyYQ9m5lVFqK6l6uX4gVdm+5U4NKtRx12LcZNtm8O8bbLRRDRk6mttisA+Vnep
-4/Q2pi8yoVITnXCe8hlbvbHu2HBhoaYOe5rooFECgcEA+X3h/emXaOVBTfRj02rx
-+Irx/LFjQazHhFDcg07gGLcl9/88eAzrUQIcLJuf8RRkk1fsL0XgwF98yK6C8pvO
-bYv6YZcnfaliTpe3DznL8xrmGRmXvUcLl9yltzKYWxIhU55tUgKphIBuoDKGXPAw
-wQmzvRpFnaf8hE3Ls2lrgJJi+pVacvey8JEgmmOZcqvIliA8vdeRTEIQp+btmFYZ
-8C6uLO94y8f5kkMuKue56zNip+hWVbklHrZ1WyXTrvNdAoHATQs22loxfRO65NnV
-4LsA+lseaNzMT8jwHgDCInCDwjiBPkSgfJ/KxRS5uYE9pqJFlBeXhDS5JzwbHHCe
-KbMLVVmr8A+DqO0kk+4ca3PTtf2P/RrU3fSVxyrsWfxRxTO0DPnB6M6ymrbcOkTg
-SsWb1z+cTnbe29kAuU6mbUGYp6BC5VOaxIODBUXQWn3v/y2EXD0fCW+YiXqhkB3B
-lVJekKNmtZW3Ob8dXVWhJ3ClNXG1HePyG4zIUGHIZbJzL59RAoHBAMcE/1Ly8IWH
-hSulB0cCf89XihgAvEdgfbZZoHXWcU/d6m1auJWVysN6LKnYvqYFr75oPWiva/3T
-tRPd0tdZrJ6EyPlvcU6/sucvXTf4ceXXkDFCvt8KC6IOi7BoihNiGpgjUARZIHeF
-b4V4BvtqUz2CfZ8rhAPp2vrXxOm0mn6CfCkE9a5kRUGEW6AWP8carbJejYfOCSu5
-AsNuzTXYbLMrooqX2vDSzOJvsngOp/6M/MSpeTysDq75Ngx/hcGgIA==
------END RSA PRIVATE KEY-----</t:clearValue>
-                            </privateKey>
-                            <passphrase>
-                                <t:clearValue>password</t:clearValue>
-                            </passphrase>
-                            <certificate>
-                                <t:clearValue>-----BEGIN CERTIFICATE-----
-MIID/TCCAmWgAwIBAgIJAINng1bI63LGMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4MDJaFw0yODEyMTcy
-MjM4MDJaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI
-hvcNAQEBBQADggGPADCCAYoCggGBAOjmPSBzRsjbPBBA6jYVW+QtsYM5fvIuNErG
-VDRvKHyCTNbmdFZ37qEl/fwsrdF4hn4V7fAZ6jW6R1aMGFl1vQyJ289B8l5HOPjf
-GuB2gL9IxulOmrkYVN8nfgjlbFNNktMQJ8NprYEyl3o786xCCxx3AiA5Mgdv400L
-6vlmEfNHIwsOHAUTNRyCwMS9P6jBJ5IIxD0Mef+3oUjAvVsPZu24EJnzTUasZnI0
-F8aC/YzVbxObBNcymtA2Ipec/gLe1B09eDZUduXPL/as57QWvgJrWj8bCK+Ldj0P
-MPSvWzr4BnN58dxaYgCgRH7tnhZudPvCjBakQzkxo/njsRIKtm3lN9UmUYiXbl+e
-bu0DSQFUaFfO2hOOUTNAr/QuC+GQL+U7VAdybTbP+KcH5LbNUSqYkxSwhbFz5aym
-o5KppnYB9K5iySRWvGIhnwXHNv5yFrmUbet2BPJlMzv7NaePaZ76ypobzNjjNBbg
-aNECsQ1ZD9fe2Q8UBe0m2gQP5Yux5QIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl
-c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFGcLIl5kg+GFIh9HXeZyLzsv5e7qMA0G
-CSqGSIb3DQEBCwUAA4IBgQAf8/iZXUWtWGMBw2OfonDDWbuhgLnNWddpllcVx7v/
-Yu75+wgfIdNXg6XM4WkGkpbhlkpDLRt2c6rMQpxrQtq/5G3OKEXKyjUOl5pZsYkG
-asVENYPSCfuu3rlK85XaW3H1SSJqSax/UKcYXyB1TIW6mNy3OxuvHak6y4LzFnug
-CO7p/W2jvffwmxfqjbO7wQfXUQz3SZS04sHMqQoStOwy2N5xxQ3uTF34EoXBto+n
-XIEOptKPhV2NkEzj+UUIi1588dck8T0SstbSElbTnJ4sNZFriX6JOPFNW08fezot
-izerOHuAFpFQvtugWoZT87YYaFwG+Zr5QNa4fNOcAL+FHvbOfEqIGs+H6GSf0dZV
-lkcJyzWZvuK/4RGqWbLvfAYRm0PAGTQSLdO8QJSYWdJtJvZFEMgddQ2HoIzeO5wo
-B42FKDSHottI9avilApQBdRCtust8XRPtEAzDB/t/1jbO7u2tkzgY3614mX5xgut
-Ileaae5eVCjw4uYbkh+Mt5M=
------END CERTIFICATE-----</t:clearValue>
-                            </certificate>
-                            <type>encryption</type>
-                        </standBy>
+			<activeKeyStoreKey>
+    				<keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath>
+    				<keyStorePassword>
+        				<t:clearValue>changeit</t:clearValue>
+    				</keyStorePassword>
+    				<keyAlias>signing-key</keyAlias>
+    				<keyPassword>
+        				<t:clearValue>password</t:clearValue>
+    				</keyPassword>
+			</activeKeyStoreKey>
+                        <standByKeyStoreKey>
+    				<keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath>
+    				<keyStorePassword>
+        				<t:clearValue>changeit</t:clearValue>
+    				</keyStorePassword>
+    				<keyAlias>encrypt-key</keyAlias>
+    				<keyPassword>
+        				<t:clearValue>password</t:clearValue>
+    				</keyPassword>
+				<type>encryption</type>
+			</standByKeyStoreKey>
                     </keys>
                     <provider>
                         <entityId>https://idptestbed/idp/shibboleth</entityId>
@@ -256,6 +130,8 @@ Ileaae5eVCjw4uYbkh+Mt5M=
                 <necessity>sufficient</necessity>
             </module>
         </sequence>
+	<ignoredLocalPath>/actuator</ignoredLocalPath>
+    	<ignoredLocalPath>/actuator/health</ignoredLocalPath>
     </authentication>
     <credentials>
         <password>