From 33742b16c5e1eeaf9702f99e3007c8b9248a1f3d Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Tue, 11 Apr 2017 08:57:03 -0500
Subject: [PATCH] sync release and test configs

---
 .gitignore                           |   1 -
 README.md                            |  13 +-
 conf/access-control.xml              |   2 +-
 conf/attribute-filter.xml            |  47 +++-
 conf/attribute-resolver.xml          |  10 +-
 conf/authn/krb5-authn-config.xml     |   4 +-
 conf/authn/password-authn-config.xml |   4 +-
 conf/idp.properties                  |   6 +-
 conf/intercept/profile-intercept.xml |  18 +-
 conf/ldap.properties                 |   8 +-
 conf/metadata-providers.xml          |   4 -
 conf/relying-party.xml               |  10 +-
 credentials/http.keytab              | Bin 834 -> 0 bytes
 credentials/idp-backchannel.crt      |  21 --
 credentials/idp-backchannel.p12      | Bin 2660 -> 0 bytes
 credentials/idp-encryption.crt       |  21 --
 credentials/idp-encryption.key       |  27 ---
 credentials/idp-signing.crt          |  21 --
 credentials/idp-signing.key          |  27 ---
 credentials/sealer.jks               | Bin 500 -> 0 bytes
 credentials/sealer.kver              |   3 +-
 edit-webapp/css/logout.css           |  24 +-
 edit-webapp/css/main.css             | 326 +++++++++++++--------------
 23 files changed, 266 insertions(+), 331 deletions(-)
 delete mode 100644 .gitignore
 delete mode 100644 credentials/http.keytab
 delete mode 100644 credentials/idp-backchannel.crt
 delete mode 100644 credentials/idp-backchannel.p12
 delete mode 100644 credentials/idp-encryption.crt
 delete mode 100644 credentials/idp-encryption.key
 delete mode 100644 credentials/idp-signing.crt
 delete mode 100644 credentials/idp-signing.key
 delete mode 100644 credentials/sealer.jks

diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 47e48bc..0000000
--- a/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-shib-idp-conftree.tar*
diff --git a/README.md b/README.md
index 43cdf5e..f26284c 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,14 @@
 # shib-idp-conftree
 
-`tar cvf shib-idp-conftree.tar --exclude .git .`
+## Purpose
+
+This project contains the configuration tree (structure) for Shibboleth IDP.  The are various usage scenarios throughout the build, test, deploy cycle that warrant this abstraction
+of the configuration tree.  There is a separate repository for the Docker Image which is responsible for building the runtime environment and pulling the configuration trees housed here
+to complete a deployment.
+
+### Configuration Trees
+
+  * `test` branch
+    * Internal Testing - (TEST) branch/repo that uses the "test bed" which is something that I2 provides (LDAP) and an element to make all integrations.  Appropriate for Jenkins and testing environments
+  * `release` branch
+    * External Testing - (RELEASE) branch/repo (ultimately will live in Subversion?) for end users
diff --git a/conf/access-control.xml b/conf/access-control.xml
index a9184e6..21af6c3 100644
--- a/conf/access-control.xml
+++ b/conf/access-control.xml
@@ -30,7 +30,7 @@
     
         <entry key="AccessByIPAddress">
             <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
-                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.18.0.0/24'} }" />
         </entry>
         
         <!--
diff --git a/conf/attribute-filter.xml b/conf/attribute-filter.xml
index 9b49de0..0908192 100644
--- a/conf/attribute-filter.xml
+++ b/conf/attribute-filter.xml
@@ -13,9 +13,9 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
-	<!-- EXAMPLES -->
+    <!-- EXAMPLES -->
     <!-- Release some attributes to an SP. -->
-	<!--
+    <!--
     <AttributeFilterPolicy id="example1">
         <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
 
@@ -33,7 +33,7 @@
     </AttributeFilterPolicy>
 	-->
     <!-- Release eduPersonAffiliation to two specific SPs. -->
-	<!--
+    <!--
     <AttributeFilterPolicy id="example2">
         <PolicyRequirementRule xsi:type="OR">
             <Rule xsi:type="Requester" value="https://sp.example.org" />
@@ -45,33 +45,56 @@
         </AttributeRule>
     </AttributeFilterPolicy>
 	-->
-	<AttributeFilterPolicy id="releaseToAnyone">
-        <PolicyRequirementRule xsi:type="ANY" />
-
+	
+    <!-- Attribute release for all SPs (global) tagged as 'Research and Scholarship' -->
+    <AttributeFilterPolicy id="releaseRandSAttributeBundle">
+        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+			attributeName="http://macedir.org/entity-category"
+			attributeValue="http://refeds.org/category/research-and-scholarship"/>
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonScopedAffiliation">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="surname">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="displayName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+	
+	
+    <!-- Attribute release for all InCommon SPs -->
+    <AttributeFilterPolicy id="releaseToInCommon">	
+        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+			attributeName="http://macedir.org/entity-category"
+			attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
         <AttributeRule attributeID="eduPersonPrincipalName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="eduPersonScopedAffiliation">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="givenName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="surname">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="displayName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="mail">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
     </AttributeFilterPolicy>
 	
 </AttributeFilterPolicyGroup>
diff --git a/conf/attribute-resolver.xml b/conf/attribute-resolver.xml
index b23a80c..e111728 100644
--- a/conf/attribute-resolver.xml
+++ b/conf/attribute-resolver.xml
@@ -31,7 +31,7 @@
     long term implications. 
     -->
     <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
-        <Dependency ref="uid" />
+        <Dependency ref="myLDAP" />
         <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
         <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
     </AttributeDefinition>
@@ -60,6 +60,12 @@
         <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
     </AttributeDefinition>
 
+    <!-- The attribute definition below is designed to represent whether a particular user is FERPA_restricted for attribute release
+         Change the sourceAttributeID property to reflect the correct attribute name in the local LDAP -->
+    <AttributeDefinition xsi:type="Simple" id="isFERPAattr" sourceAttributeID="isFERPAattr">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML2String" name="foo:attributes:isFERPAattr" friendlyName="isFERPAattr" encodeType="false" />
+    </AttributeDefinition>
 
     <!-- ========================================== -->
     <!--      Data Connectors                       -->
@@ -84,7 +90,7 @@
                 %{idp.attribute.resolver.LDAP.searchFilter}
             ]]>
         </FilterTemplate>
-		<dc:ReturnAttributes>givenName sn displayName mail uid</dc:ReturnAttributes>
+		<ReturnAttributes>givenName sn displayName mail uid</ReturnAttributes>
     </DataConnector>
 
 </AttributeResolver>
diff --git a/conf/authn/krb5-authn-config.xml b/conf/authn/krb5-authn-config.xml
index 3230134..7dc59ba 100644
--- a/conf/authn/krb5-authn-config.xml
+++ b/conf/authn/krb5-authn-config.xml
@@ -21,10 +21,10 @@
     The keytab bean must be an absolute file pathname and not a reference to a classpath resource,
     so if idp.home is not a path, don't use it in the value.
     -->
-    
+    <!--
     <bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="HTTP/idp.testbed.tier.internet2.edu@TESTBED.TIER.INTERNET2.EDU" />
     <bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" c:_0="%{idp.home}/credentials/http.keytab" />
-    
+    -->
     
     <alias name="ValidateUsernamePasswordAgainstKerberos" alias="ValidateUsernamePassword"/>
 
diff --git a/conf/authn/password-authn-config.xml b/conf/authn/password-authn-config.xml
index 48b2c3d..08886b2 100644
--- a/conf/authn/password-authn-config.xml
+++ b/conf/authn/password-authn-config.xml
@@ -14,8 +14,8 @@
     
     <!-- Choose an import based on the back-end you want to use. -->
     <!-- <import resource="jaas-authn-config.xml" /> -->
-    <import resource="krb5-authn-config.xml" />
-    <!--<import resource="ldap-authn-config.xml" />-->
+    <!--<import resource="krb5-authn-config.xml" />-->
+    <import resource="ldap-authn-config.xml" />
     
     
     <!-- Names of form fields to pull username and password from. -->
diff --git a/conf/idp.properties b/conf/idp.properties
index 1f32c81..d7cfea7 100644
--- a/conf/idp.properties
+++ b/conf/idp.properties
@@ -2,10 +2,10 @@
 idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
 
 # Set the entityID of the IdP
-idp.entityID= https://idp.testbed.tier.internet2.edu/idp/shibboleth
+idp.entityID= https://example.org/idp/shibboleth
 
 # Set the scope used in the attribute resolver for scoped attributes
-idp.scope= testbed.tier.internet2.edu
+idp.scope= example.org
 
 # General cookie properties (maxAge only applies to persistent cookies)
 #idp.cookie.secure = false
@@ -161,7 +161,7 @@ idp.authn.flows= Password
 #idp.replayCache.StorageService = shibboleth.StorageService
 
 # Toggles whether to allow outbound messages via SAML artifact
-#idp.artifact.enabled = true
+idp.artifact.enabled = false
 # Suppresses typical signing/encryption when artifact binding used
 #idp.artifact.secureChannel = true
 # May differ to direct SAML 2 artifact lookups to specific server nodes
diff --git a/conf/intercept/profile-intercept.xml b/conf/intercept/profile-intercept.xml
index 4040a10..bb3d3a7 100644
--- a/conf/intercept/profile-intercept.xml
+++ b/conf/intercept/profile-intercept.xml
@@ -30,9 +30,25 @@
         
                 <bean id="intercept/terms-of-use" parent="shibboleth.consent.TermsOfUseFlow" />
         
-                <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" />
+                <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" p:activationCondition-ref="isFERPA" />
             </list>
         </property>
     </bean>
 
+    <!-- Check if the FERPA restriction attribute is set -->
+    <bean id="isFERPA" class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+      <property name="attributeValueMap">
+        <map>
+            <entry key="isFERPAattr">
+                <list>
+                    <value>true</value>
+                    <value>TRUE</value>
+                    <value>YES</value>
+                    <value>yes</value>
+                </list>
+            </entry>
+        </map>
+      </property>
+    </bean>
+
 </beans>
diff --git a/conf/ldap.properties b/conf/ldap.properties
index 1aafb7c..e045c8e 100644
--- a/conf/ldap.properties
+++ b/conf/ldap.properties
@@ -5,7 +5,7 @@
 #idp.authn.LDAP.authenticator                   = anonSearchAuthenticator
 
 ## Connection properties ##
-idp.authn.LDAP.ldapURL                          = ldap://testbed.tier.internet2.edu
+idp.authn.LDAP.ldapURL                          = ldap://localhost:10389
 idp.authn.LDAP.useStartTLS                     = false
 idp.authn.LDAP.useSSL                          = false
 # Time in milliseconds that connects will block
@@ -27,13 +27,13 @@ idp.authn.LDAP.returnAttributes                 = passwordExpirationTime,loginGr
 
 # Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
 # for AD: CN=Users,DC=example,DC=org
-idp.authn.LDAP.baseDN                           = ou=People,dc=testbed,dc=tier,dc=internet2,dc=edu
+idp.authn.LDAP.baseDN                           = ou=people,dc=example,dc=org
 #idp.authn.LDAP.subtreeSearch                   = false
 idp.authn.LDAP.userFilter                       = (uid={user})
 # bind search configuration
 # for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
-idp.authn.LDAP.bindDN                           = 
-idp.authn.LDAP.bindDNCredential                 = 
+idp.authn.LDAP.bindDN                           = uid=myservice,ou=system
+idp.authn.LDAP.bindDNCredential                 = myServicePassword
 
 # Format DN resolution, used by directAuthenticator, adAuthenticator
 # for AD use idp.authn.LDAP.dnFormat=%s@domain.com
diff --git a/conf/metadata-providers.xml b/conf/metadata-providers.xml
index 778989c..d22b15b 100644
--- a/conf/metadata-providers.xml
+++ b/conf/metadata-providers.xml
@@ -80,9 +80,5 @@
 			
     </MetadataProvider>
 
-    <MetadataProvider id="testbed.tier" xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/metadata/testbed-tier-metadata.xml"/>
-	<MetadataProvider id="sp.testbed.tier" xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/metadata/sp-testbed-tier-metadata.xml"/>
 	
 </MetadataProvider>
-
-</MetadataProvider>
diff --git a/conf/relying-party.xml b/conf/relying-party.xml
index 28c9193..1f48cff 100644
--- a/conf/relying-party.xml
+++ b/conf/relying-party.xml
@@ -34,14 +34,16 @@
     <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
         <property name="profileConfigurations">
             <list>
-                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
+                <!-- Uncomment to enable optional SAML 1.1 support -->
+                <!--<bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                 <ref bean="SAML1.AttributeQuery" />
-                <ref bean="SAML1.ArtifactResolution" />
+                <ref bean="SAML1.ArtifactResolution" />-->
                 <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                 <ref bean="SAML2.ECP" />
                 <ref bean="SAML2.Logout" />
-                <ref bean="SAML2.AttributeQuery" />
-                <ref bean="SAML2.ArtifactResolution" />
+                <!-- Uncomment to enable optional back-channel features -->
+                <!--<ref bean="SAML2.AttributeQuery" />
+                <ref bean="SAML2.ArtifactResolution" />-->
                 <ref bean="Liberty.SSOS" />
             </list>
         </property>
diff --git a/credentials/http.keytab b/credentials/http.keytab
deleted file mode 100644
index f057e3672460b8240b797cb2911ed651dbd904d5..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 834
zcmZQ&Vqjn>WME>D3ULh%adLIh3-NRf()08SaSifw4KdPlbqQr)@dybCV35m9DbOoP
zEiOq)P0=gKOfAyO%qvMP%1bRV(o0P#1)9Sc&O7%2BZClwLb}|KgOztX98|M!ZWee`
z`*nL;y`i!~+Od~?1umSt(f5Ih6RB&dAcMgCn1o!ZIbYr?6^ARSTsXi9v?P<dmIyFN
zeBr+TJz90))lZ(SZilY5eZOP)?AeBpFXq(ukvM}uX!?aI7B{lX3w-V4A8cz`4YY*H
zaV5o|Q1*RGf`Q^+?gi!l46aEEoO|o{Q}VJvf5z^+eP(e_pRK39&m<WHuD)WJ&~<60
uVBBfveF>}g>j5o^q;6bsFmT-BXn2|Q$`cf9R5qNMfg}3w@jS!(N4fw(83iH$

diff --git a/credentials/idp-backchannel.crt b/credentials/idp-backchannel.crt
deleted file mode 100644
index 78b0409..0000000
--- a/credentials/idp-backchannel.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDZjCCAk6gAwIBAgIVAOFETpFi27881c/E8q+EMl9Q0x3eMA0GCSqGSIb3DQEB
-CwUAMCkxJzAlBgNVBAMMHmlkcC50ZXN0YmVkLnRpZXIuaW50ZXJuZXQyLmVkdTAe
-Fw0xNjA0MDEwMTU0MTZaFw0zNjA0MDEwMTU0MTZaMCkxJzAlBgNVBAMMHmlkcC50
-ZXN0YmVkLnRpZXIuaW50ZXJuZXQyLmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAJHEgwTuY6udWkTkKrIAjy/0NFdqlSQ0KlUesN9806aSTB44kF4z
-x3dqLNZ0sXYb42vVkhJs9ClD7+nU/PhYErMdsHFkeEiC/oaNA4KJxraPtQwdcXv7
-qutoiNcGPXAAqNC80OkcqneeWWEo83BYMPA/YB+Oko+qZkaAqaQq6fPUhUZzKxp1
-jkAWFknZXt676MRbqqXMSdLQScJ9DHC1t8m4+R29In8wybMofvmLZ1DzKjQPlRzD
-XtEx66USOAoDZLXzmSkYPOx8Rq3HoEsIWnjUOXIA7zurKqyv3qe9Dwy6XYdBpvpw
-JYtpfL9I7P5ftAqgDAd0nUuro7m133EHTXsCAwEAAaOBhDCBgTAdBgNVHQ4EFgQU
-x7OgBHgTB2AYpVTo5OaIMlLOVgEwYAYDVR0RBFkwV4IeaWRwLnRlc3RiZWQudGll
-ci5pbnRlcm5ldDIuZWR1hjVodHRwczovL2lkcC50ZXN0YmVkLnRpZXIuaW50ZXJu
-ZXQyLmVkdS9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAQEAdt2uTZVH
-DflxXQ4MkPrPIP99xeTZfYc9Y9bwCMjt21+cDfnu92MzlbYzQ9txLQcw30iFc0Zj
-i7gys2m+/dp8zRjB++RfXirbNyZUSo/KQIr1GrWeoIJ8CMVafRRw+46RJA/3GsSN
-/0zX1sFJHz0q8WrKZMh2c4P7ejwuVp1JSh0vWZxXhyhHuSklygSvG6XXUPlBwB8p
-QbZEuxKgalDTQSaa5vza0d+0ocgaaybMnex6N7MD1Lvsh/qEy+Yxc1/4ruay7nmk
-2mXmsTUWN3majWZjsCJCMNrugom03rhC3BhnuLA/tYAHOiSt8W4zdfqf2/ShWRjJ
-4HpJj1hbzraYTw==
------END CERTIFICATE-----
diff --git a/credentials/idp-backchannel.p12 b/credentials/idp-backchannel.p12
deleted file mode 100644
index 91a22fc6446391d5c94ef0c82689c6e4ca4eb525..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 2660
zcmY+Ec{~&TAIG=Zh7HXSxpLn$GR)n#5<+g4Icm+7b8<zF(GWTu5x$mCZiP8=M6Pn|
zD^2L2#hOTtq%87V-^cIw{XTw=&*SrXzdo<m`~Cj&i6X&#KtL`O2__EZRU=!Hzw-mR
zfp<wTIG6<E=GdGFQuu!nBm+!>T;<rwoO=Zd|L+tZ3<$bQ0<%#h@HR>X3j3eUSuPG1
z#!JsouXbKORxjA9c`nNT`VnitTo4Eh0F%JaWO++1NV8BkpT%AlZQSnrk9%*l0|&+4
zk10vIO`q^Zb&XR1t1cJ!G;GFI3Xm_Vl3Gi+d#&%i-8Vfo)E-p}9!_8H=odqyhlY33
z+a@Mc+usQh#w3nsVJTCX>Ye4(F(0o8ypZ6_A0I+85D!b*?(-JGEstyo$tBcGXTx6Z
zJM=4;omrYb-2yL~O6v0<xD3Y`gMvu}iE%fx3-V3Qgmn=}n17q1Y2~!%P1b5sH6Jn|
zt2nq5q}jo!PkMHTes3YuP@!b^l-6b!aWbteDULnvRribXbVM?)?HV^aP)ZE(NsG)^
z3eB2U^l_L8cm60Ao8par4@bBZoneas&k<yo0U~;R=+6n?-$u*%fB(`M<e>kZ>d2e*
zb~*6T1BBXB(w9fNR}54gW~!bP?w!T-swQ=}mySu-Bn!%jB`IvG>0B3nm}1aLmqj9H
z?zE&|8n0C^Qn3k}P8jBbojEtckCte?3@uO)x5g!0ayNIU{^A?ll^k!5wLK;P(JUWI
zet+$mrLVF{JnZV*eVSeLiyu9h)t7Ro5xI6|X2!?GVKppb?@`-#C>1h|o_E1QR=qhl
z+fGvSHZB*LX63r70P}Q9CR`3q*vSLh-iT^yQBB}8Lv-NQPu*Zq4dZj^splUE&Zw+E
zf4-f)8S-b_naTT8(Z*jB_nq~I`!*n^qOn_$%m5O5adu7PPo58Ogquvy>GBhMc32&&
zbg^jv+BAooK|_TjW*T+N-NCU3T^=uVDJFY~e*6ii^Nw|{do;KIs*;OEf3;yJdsQF|
z<aD_0yW^}Q@7A_>sUC_9DnC3V01D~>bE`{EV(isI@@i*o;dVx0HduC|8IF;Td%)Z)
zEQ-Vnzy^K>|MIkc5lP!u6X<Z~HRP=*30wY_QO#6*maJD=wr$`Bb#<JV2xqk1;Zuip
zq?SqDM_h>dE=3;Bgj1vL&#T=qKvO@{rdNbN0e4TP>v?w%e3D%@RK=SeU2uRf(!3-s
z>rtLbi973*&%wLGuWAlX|A=4S?H7D7GjAPTnaeAuSl2&BS!we;(52gKtbWvG?rHu&
zq2s|&8!p)bvf)gj#&AU%R$fY_()0!TZu+B>JFUraCHUm?PRAqv@-VOzs4>XGPbFFy
z1`?OP@xwn(@!hg}O}%>pHd{42urhck0I4`-BKvV2{q$Ypw(5e(C+`wZw)AaQE8Y@8
z8eUaSzQSq(mWHIhJyy7zu{ju;uxKcHz+al0c9a(`sCz>RbJe`XsPgrdzr3zt!OjPo
zTYQcfzFImgxsSE`$du1UmY}%K(i1O5M}9D(S8K)QTUb61o@j^K3Pr(SGl-hdQImL)
z;)v>c)WhQ!TlGR8L9S*~c2n%%ccLs-dW@v>P2ux5M*D^aoe|ZeZ$4us^<GJ6y&}eY
zK#u~gz)lJ=9WDBx6R!F4hl)-9n3~`CA?r9xM_WLed!&5ey)v?3L8*O0yGm%p4t%15
z$P8j`Ro96qRlEtRb7#%*El3np`yfeOT$p%FKCa3B{zO&Q1}=pMb+~7UTxHQg2P?-J
zQj)7$k0s<t@#MbK@Y_D2@18EN_b?`UgR;?JATbAV>(_aRSjc2R_=-Mtk@9ca+sb5>
z=Z(22X@{Xs|3gY%VQo`sV?Y4l0w4^a1-Jwt03tZ=c}~6X_dkH6h#VCF2>ClDaw>tN
zbU5Dco=BAJzsp3lg~3SYfM9}*wk{f@tB=;>9Bq9LYw`ayaYH%yb>>+1ARvHKto}`a
z{|98~Zy;}4^ABJ46f2Y$8EYKX&pYb<xtH=A$VntH!sAwHhaN$MvW_rrj@!*Fbdk}+
zkSMihEk-mRpc=$=aXG~;j{#HtuL9I?m;6drlzQaVXbWcM^sf%!`sV4N_}w-D`+i#T
zFJ`c^-RPVK(G^{6M-4V-;sWOyomCP(IGhDGh^mo8`#b4#%G|4#4~k5j9UEv0C*^*!
zCYk<zuR{E+M{81;Aj!B<i_UOWr2HXzuDVpFUy6c+sN0|iD|OLGODNW!T;V24(@OGH
z)bCU`nEL!fnnB!jko*!d5Z&OrR!PSk-;)i8Urz@J#EWI=dNb@c%=3|Tnn%cE&RBB_
zVrTReY~f~x>Bu9i@cu){cfM2ds5B(mS%0VI*Hqpyc#2cLjL$&^&8VQ+I?nS7Heu!1
z;oXw?(JVZxq<x~-BmZFELU%SJgPhSG<B=<m@4JRG!a6aTlHQW4`URn#&T%R5z~>Qb
zI1yRmaUPSHt*om2ay)fg&i9$s9X-D2^GCs6CQKed7-r(6UH$ye7)RAxJt)#1yXhy_
zEJ$Nkd%wH@j1LG8Daw~~=Ld^0nlzmfZ5<#5OInx+>3f|(?nJp|iH$BotSvL!?CN4{
z&NV5)J$T5uCxBJg)-Lr(p38aXi~vm;O7_G$jOI-<la~$3-27pyZ8<bA`wJ`(+TQn@
zp}vOGTENH*dTq(8<g4;+{o9kHwpj2f7NJ8TxGq;o2kw~QJAgJ#S$VvAVC2ofsadKg
z4J#HU<k6wn(wkCSk{77S*rE^ya$Xnv3fF%04fMHiGy2Zp#lyO97H#z5Yd(pcFVa+y
z-CLe)|EL%t?LBltNN;9E@w>v78_E!MtMjQ^w?q!@uJrfjx-SZbz<evoV}De%BUZ?K
zzC6J?m~2txk{kQg-Lu6taSt1(so7@~@mW1_BQeoMnGl~G>q9XIa=X7S8q?im_OXuv
zU&^<_GodE3{3)Vn=C{nss78P)^L_P7^>tChw{t(t#(hFM+1FE(<@ys{fn1Y*{JE<|
z@6k^3^UuY~&Q1aDYZ}=o;qm*dcMm{^UlvtxIYQbi$*c+J#n7*_$M!Y9&t#Z|wwlX3
zl&IqB_77a7)@!)(RnL|UPQT7gwNf%TT~KGk8q-y(0=%a!rQ6?q&OIzf)$UkPP*SYf
zBKGAx;W3<(6X+46jONrV$MWs7Gm9pd_LhM}yIPkcr9rAG*5(sVapz2ps%=LF!@o7$
zs?TcOKx8_-ei;O7-wk}dV|OCY>AVa7i$BCl%exsKL}t-cqMzv#Zr?BDtB&%RHLs%Q
ztZ&i~<xE_!uvH_aX<X^dOLn>;J#Tv`ydog#jWO+43`olW<Bj5etn+6{y4KcYL=C=%
z(HIdtJIsbkcKFwO?~7~QZY1jG*enqk-kbP?C=-+{iWdq|7vKVkLjYjm>Ol*)<M6KS
qOHYilKlq66K9Q@`1`GF@(bgnBfz23Yf?W4x{IO|ce+B+V%6|Y7%eFxP

diff --git a/credentials/idp-encryption.crt b/credentials/idp-encryption.crt
deleted file mode 100644
index 43d508f..0000000
--- a/credentials/idp-encryption.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDZTCCAk2gAwIBAgIUXt4aAKQ9aNNGsvwLPlsHphaOfoEwDQYJKoZIhvcNAQEL
-BQAwKTEnMCUGA1UEAwweaWRwLnRlc3RiZWQudGllci5pbnRlcm5ldDIuZWR1MB4X
-DTE2MDQwMTAxNTQxNVoXDTM2MDQwMTAxNTQxNVowKTEnMCUGA1UEAwweaWRwLnRl
-c3RiZWQudGllci5pbnRlcm5ldDIuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAoIGFGiOtOc4wCWQdxkupjRlebjY7PGUu+qayLzy/vA2Q9ZaPbFCt
-/BfrKxCofOnZYyDV0hNphEzni/Iedrbp25hquvN0EvVnNxbXdkwWWP3NtqJNrlKt
-NKtF9kUnJm1jHLqaM1Zn3rubBk4mdPJy8gqPAf+K5TVeeeKBdRySdlpXAnf3Ag98
-pAFSJI4zSGiV95NJ4qvqDg65RgoqDrsDCazoNLpW2jsSUhdlwmstsmKNm6Jp4XKj
-Es+3uI/b5IZSld0YEiLPBmCI3CUOx4ssTJHZta69Y5uBBCV8f5vHg9JnAu3j7YaK
-ARLScxBDN+edYRMnNN3emMFHXHRX/Jv75wIDAQABo4GEMIGBMB0GA1UdDgQWBBT+
-i3k4bakmyCBAf5dCGpkk4w81HjBgBgNVHREEWTBXgh5pZHAudGVzdGJlZC50aWVy
-LmludGVybmV0Mi5lZHWGNWh0dHBzOi8vaWRwLnRlc3RiZWQudGllci5pbnRlcm5l
-dDIuZWR1L2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBAQB9obiWK3jK
-MOmD3IJ3q8VzVtZ/8YRNR5OfIl0t1aA1ayXaOAt/NfVrawusDglkHoKnsnfSOrgW
-6KeKu22IOoZtbepCBw+ExxLJbHElPRxEP/KO0kF/cKk3eBhabObfASK6GsWaFbZc
-W3XkjDNsallC1rmLCS8utWwZu/N6jKcngIWR3O6y3CSTpTN1ndy7efGSgOR/V53S
-39WBfzCOCcqKoVAJj0sTPHnrLLE103w++sakYR+apAwStj76TuIDQVAN3S6KJ4BQ
-sWDAiZvF7GD/EWP9W3T9jgH159tlL0bqBKdBOkLiH+lDSZsi3dJ7nNeaMEB8jl89
-9ruHytM7gLu8
------END CERTIFICATE-----
diff --git a/credentials/idp-encryption.key b/credentials/idp-encryption.key
deleted file mode 100644
index 88d9814..0000000
--- a/credentials/idp-encryption.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAoIGFGiOtOc4wCWQdxkupjRlebjY7PGUu+qayLzy/vA2Q9ZaP
-bFCt/BfrKxCofOnZYyDV0hNphEzni/Iedrbp25hquvN0EvVnNxbXdkwWWP3NtqJN
-rlKtNKtF9kUnJm1jHLqaM1Zn3rubBk4mdPJy8gqPAf+K5TVeeeKBdRySdlpXAnf3
-Ag98pAFSJI4zSGiV95NJ4qvqDg65RgoqDrsDCazoNLpW2jsSUhdlwmstsmKNm6Jp
-4XKjEs+3uI/b5IZSld0YEiLPBmCI3CUOx4ssTJHZta69Y5uBBCV8f5vHg9JnAu3j
-7YaKARLScxBDN+edYRMnNN3emMFHXHRX/Jv75wIDAQABAoIBAQCMUM5YjKnqZ/uM
-qi5xZUHjbTMlbFmaseZBD6ukKhqAPufkGuxlR57iTNK1AkoZcaIuy8zBa2EKXOTr
-bg39wGhvJi7gIubtkAXcniZcb6X1xGOrbvY0GGj9K2HtKoVQTb6gpe0aRkZl7GJZ
-P8bU5ANi36InoAv/1wkxyrdb909/EJLmovM2SeagIjHyGVx94D6hb/akNeFgxnJg
-utPqTA58Jzp00TPl+gnAtu3SU5pzHTjkk9YaXDR+WdNSF2pkuFV2NZ6IDAkqlGLa
-SfVQQrYpFCjVCAB9jIp2ref6k15iagy3VW8z7U8dnu4ITymjAcOUDK0KKwHUEc0P
-WNyIyT95AoGBAOpr1x1lAiriNjL0c9aryL6K09skv0yGpCaukPotMnvp2S5x33aJ
-2vXP5BCdglwQFXuSrJHmcF0LGpy0nble9UtxjHwNdzzMFmSWDAR6zCEj7Mr8sxnP
-95L7rKrJouXvpfTxRF+KI20U9J3F/xHKC0WG4AYzVolgc497lQxcHO+jAoGBAK9H
-26hRjkmBBJQt1OwgdQPz0hQKN6zNkr7987Z4CIo7uUMKDufp5pElCen1WziCC9Di
-WxP3TIFiTMukQTiLkZAy5h9/jubik0D/S2vwcNspYpMdw+rdhwCTTJN09kEGuXV0
-R8xiOR69wU/sI+bksl7FIXhP3tSS7Q9wESFk/3btAoGAdOw070RiQGF0BxZGcNxd
-1CwKX1OE1vaRCXoodZ/1fji1SqUhgE5iGBkI+ACX9LNRA8G0sVDu2nmfXGn6AWuL
-jYWlPHq67mgdAy6T7+gPyLfSc6x26HkCUx2UkdrglS9i5zkvkTelU9MP72HCR20v
-Eg6jznPsxbiF6xsIzJFlHWECgYBNBhe5hHUxSbe4YdeCF9Uz8m3rjn3eust0kGYL
-Vf3yuMH1erMIKFnAiHUt0TrPvx3wIbgCMxb0eDzk8/4RGgvSQPus9cHXJdOtqUH8
-YcFGHY6KtXbFe6l6kEADQE+CTbErsvhmEPem0Z3kQBGawf679IZ7tyVlZlc0BHwS
-n64/FQKBgF6UQ9BdRywiifsXnRK4cb0Kwaaru3TlMKM+NiPO30AmWxp6nXn8FqaO
-tAz+3SFxrnDFBf5xymiOe5klDwGFxyiabuzima6QmmBgb/Wn6/HZdLAInlAjIokN
-519M0/Yps7huYk6HS5ixNoynj4INlni+fBCnlAF6xhwDYIeiWV8b
------END RSA PRIVATE KEY-----
diff --git a/credentials/idp-signing.crt b/credentials/idp-signing.crt
deleted file mode 100644
index 9f9ab27..0000000
--- a/credentials/idp-signing.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDZjCCAk6gAwIBAgIVAOMpm2MaJi2ZzTCDARxq7wZG8gPlMA0GCSqGSIb3DQEB
-CwUAMCkxJzAlBgNVBAMMHmlkcC50ZXN0YmVkLnRpZXIuaW50ZXJuZXQyLmVkdTAe
-Fw0xNjA0MDEwMTU0MTVaFw0zNjA0MDEwMTU0MTVaMCkxJzAlBgNVBAMMHmlkcC50
-ZXN0YmVkLnRpZXIuaW50ZXJuZXQyLmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAJKkiQrjCYuaG3pu2XWmwlZmkyLFoBP+SFSk1aHh7sCFvu8Dt4/o
-EndpjBLsJw1ZgrpKVZTo1nBHHycFwp0Lmx31wgQYqabqSp/yWvTMxWpCBOJfRLD5
-9SbDk0hykvsUpa+MH9FeEerxNHhoKOiHxKtk9zSuaevoKzGjPDr4TFMgS6qtJdQn
-H+RwTTpLBuWPlCsTfInvWd/0n2qMukvOt9oqs1Modu14Oy/O6uWyypk82IEG6Nxs
-ngARR8XncYPbmahte6xR/Lk/eFHQNBg6+haAFPUjTdoD9+4EBVCPmdaDGhQzjoLl
-Z5KTlorEPGPfdsFEe5EslILCdGQvhH/N7/cCAwEAAaOBhDCBgTAdBgNVHQ4EFgQU
-UeUgJ5t3CTd3WIB0sSHonn5lAKgwYAYDVR0RBFkwV4IeaWRwLnRlc3RiZWQudGll
-ci5pbnRlcm5ldDIuZWR1hjVodHRwczovL2lkcC50ZXN0YmVkLnRpZXIuaW50ZXJu
-ZXQyLmVkdS9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAQEAHgikn/w/
-Np0ayFaqi1HVnktowUqNcaY9IkUfQ81pEYSyIi6WEbd8r78735rlEpJ7GaT+ggZY
-E672rLnfHa2yID1xHVp+VNp0hyDcokETCUknTDovUUFr1pfF0qM9pxDjsTg7n1EC
-zeqBKLKfB04nBuk8rsTDM5X+pii5LabFtslItsKMq6uraLrYWMC2CUCPUiTPN4VV
-nwQpz3Qam32mxE0khppppd54zQi39SKPhQMDtZaDFcrNtMUAB/0sysk/kNE/mvm4
-33Gn///Wic20pR31EJNxOgokuJ8M182gEGeJbV9ymtld/L8lBtIWbPH65RqNKuR1
-TzizVs6q/jei7A==
------END CERTIFICATE-----
diff --git a/credentials/idp-signing.key b/credentials/idp-signing.key
deleted file mode 100644
index b2f08ca..0000000
--- a/credentials/idp-signing.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAkqSJCuMJi5obem7ZdabCVmaTIsWgE/5IVKTVoeHuwIW+7wO3
-j+gSd2mMEuwnDVmCukpVlOjWcEcfJwXCnQubHfXCBBippupKn/Ja9MzFakIE4l9E
-sPn1JsOTSHKS+xSlr4wf0V4R6vE0eGgo6IfEq2T3NK5p6+grMaM8OvhMUyBLqq0l
-1Ccf5HBNOksG5Y+UKxN8ie9Z3/Sfaoy6S8632iqzUyh27Xg7L87q5bLKmTzYgQbo
-3GyeABFHxedxg9uZqG17rFH8uT94UdA0GDr6FoAU9SNN2gP37gQFUI+Z1oMaFDOO
-guVnkpOWisQ8Y992wUR7kSyUgsJ0ZC+Ef83v9wIDAQABAoIBAFTJFQNaabZxj9mm
-Jc1EcbCK9h9wrDFjIGbwNyS2ANkHe3GucH+f6q1oNTjrmVi6nD8ho4HJbdLVDEn/
-ppouj60u3tKHf++mHyeDdNt9Wdcp/LD17D13CCs1gP6uYBUTxwhMuEjRXwK8G15S
-uvRXK3r9kYDAJzXisrasbrKZxWd5sLiFN3zrk5M7lEAOoZuH6kngnZnndS9T1h1p
-lH2gWvy2XxZhQ+vXpa8JhWxzbUY+SrV2LOLPzIm7IiMJskTnlsK7/Mvi7kSEqPcQ
-45fYqxBINjM1zRrKjSYjjDsYRPVxuxHRt1QzFMrdOOy0JeAunEU2rIQWzicGeUTr
-Q32UZEECgYEAwojkoLEfsJdbvPly8PRkOkEFbVx31QxZ1gjUu2xxUmqAxD88dozM
-f5L7EoMYNoXR/VBZel7/fXFnz1mcDMQHP37rxEJhot6XN/jGRaOFiBRRLowu8wul
-X+f4bZRGzZfawIKjC4yCo4LkI28aSPmF/ByB1XwdCrpcZALtPI3hwi8CgYEAwPnb
-ASnRhKiCQhMnXQcvCo8nKxOY+x6d6WWcvgwAx74v1wxaTHF0rJ+CHvxrb8Vmy9Cn
-lBnWavHJ9FBvB5RVxfIkg2Sk26DAbY+kYjj04OHd//qPjWscrqpLIzdnMx080TUp
-3bJZhFM7b7CkEbURbfhvL7mIzrxzJEYYlHjGJLkCgYBAm8KC9BC4T6yyOI7KJADd
-sBajWaCa630yrsAodz2zx5d4lh/4p46LmD82yL9T7GHvpa3yDHcCLJXzsak4PCrE
-Fd0r03gl5ZOHjWIcYtDIfybvNLOrGOUV0y8ZBbP2OEb4xOptvX7t21z1v8KVFfo/
-3x/nzU6/72Eb/jTYda7TFQKBgHgXxfw+Wx5Ug+O86cVSICtRFU4QfybgUeObEeWP
-sLidmkYZcOSbwsFe7up7qhy/245Bhth7D940JLt/hulPneV3INQIQTRRIQ/N0b4y
-tepxhee0tbuLiikE34fGBdpgeqWzkR9fy6e26IlEg4ZlibhHYGJx8zq9Oma7nLZh
-RuY5AoGARv6jYkWOggjdrlZN1vwXDLkhGFi0t0KJF18/7A8x7NxznRzJm+2G+cpd
-T/xb0m25ft9jpk6SS8H9jCfkFkf0Kpow5th8A0abADp2eLc4ZSNVqA0yD0nqD7WW
-DULEdHbGSjd55DO+pzlb6dxXZa98qmo5FS+UXPcOlEsNci2wyO4=
------END RSA PRIVATE KEY-----
diff --git a/credentials/sealer.jks b/credentials/sealer.jks
deleted file mode 100644
index ca9fdfa7c06339969c2fe01da4986ead7e9b1c84..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 500
zcmX?i?%X*B1_mY|W&~np2KM6A<f7CPLm)r+e7pYFHE$VMi;EbHlk;=+ic9nKl8Y(}
zO7iszit@`cQ&Nlcf>RT7Qd9hsvQm>v-13XOQ!4|C@=Ji6{Gzkrry`#l><$JRUQxs#
znUz?USOL?Itj*5McG=<WAq7kfEYS?Ssd>ryDXA#|iA9OI#U%_((N56}0zg5Ky{ReA
z`FSO&c_oDmbqq{C44egERgO97B@9A7APe+!67$magG-7s^U|$-K)y-L0ZN0^GglOp
z7J<xL^I7}{8%M|kkh=<ip5`~;W#P!!wf^^!{cS6m7)44!s#$>&6Lx%@b5iDN+=O=v
z^D9$-YleRC`=i9JST^<M8pm5p&vwn6Tz5z|ZIfNjyoW1~Z_Lz9TrU1CVc+u?tV{iB
z3|>nx*aYpE^Z(3^ypzvLU&?*|;I?!U+r-^9OVxXKlo!vvcE{RiQVOT;Gyg)Vu!vc*
zKi|$Us!-&d=@a<i_wxNM7rX;)ik5#kQNk*?azn(8H#eOcyWW;Chy^&ghG&*!__~-n
m=B0!bWftV5y0`}8lwirtxXoYjK`JDSDI@mNlS}TVhYA6KZN+8)

diff --git a/credentials/sealer.kver b/credentials/sealer.kver
index 2f1ad21..562fc1d 100644
--- a/credentials/sealer.kver
+++ b/credentials/sealer.kver
@@ -1,2 +1 @@
-#Fri Apr 01 01:54:16 UTC 2016
-CurrentVersion=1
+CurrentVersion=1
\ No newline at end of file
diff --git a/edit-webapp/css/logout.css b/edit-webapp/css/logout.css
index e57319c..26f1893 100644
--- a/edit-webapp/css/logout.css
+++ b/edit-webapp/css/logout.css
@@ -1,12 +1,12 @@
-/* Success/Failure indicators for logout propagation. */
-
-.success {
-    background: url(../images/success-32x32.png) no-repeat left center;
-    line-height: 36px;
-    padding-left: 36px;
-}
-.failure {
-    background: url(../images/failure-32x32.png) no-repeat left center;
-    line-height: 36px;
-    padding-left: 36px;
-}
+/* Success/Failure indicators for logout propagation. */
+
+.success {
+    background: url(../images/success-32x32.png) no-repeat left center;
+    line-height: 36px;
+    padding-left: 36px;
+}
+.failure {
+    background: url(../images/failure-32x32.png) no-repeat left center;
+    line-height: 36px;
+    padding-left: 36px;
+}
diff --git a/edit-webapp/css/main.css b/edit-webapp/css/main.css
index b28c0ce..c23a7e9 100644
--- a/edit-webapp/css/main.css
+++ b/edit-webapp/css/main.css
@@ -1,163 +1,163 @@
-* {
-    margin: 0;
-    padding: 0;
-}
-header, footer, section, nav {
-    display: block;
-}
-html, body {
-    height: 100%;
-}
-body {
-    font-family:Verdana, Geneva, sans-serif;
-    font-size: 12px;
-    line-height: 1.5;
-    color: #717171;
-    background: #717171;
-}
-a:link,
-a:visited {
-    text-decoration: none;
-    color: #717171;
-}
-img {
-    max-width: 100%;
-    margin-bottom: 12px;
-}
-
-.wrapper {
-    background: #ffffff;
-}
-
-.container {
-    position: relative;
-    left: 34%;
-    width: 540px;
-    margin-left: -270px;
-}
-.container-footer {
-    padding-top: 12px;
-}
-@media only screen and (max-width: 1020px) {
-    .container {
-        left: 45%;
-    }
-}
-@media only screen and (max-width: 650px) {
-    .container {
-        position: static;
-        margin: 0 auto;
-        width: 280px;
-    }
-}
-
-header {
-    padding: 20px 0;
-}
-
-.logo img {
-    border: none;
-}
-@media only screen and (max-width: 650px) {
-    .logo img {
-        display: none;
-    }
-    .logo {
-        background: url(../images/dummylogo-mobile.png) no-repeat top center;
-        display: block;
-        height: 115px;
-        width: 100px;
-        margin: 0 auto;
-    }
-}
-
-.content {
-    padding-bottom: 80px;
-    overflow: hidden;
-}
-
-.column {
-    float: left;
-}
-.column.one {
-    width: 50%;
-    margin-right: 48px;
-}
-
-form {
-    width: 240px;
-    padding-bottom: 21px;
-}
-form label { /* labels are hidden */
-    font-weight: bold;
-}
-form legend {
-    font-size:1.2em;
-    margin-bottom: 12px;
-}
-.form-element-wrapper {
-    margin-bottom: 12px;
-}
-.form-element {
-    width: 100%;
-    padding: 13px 12px;
-    border: none;
-    font-size: 14px;
-    border-radius: 4px;
-    -webkit-border-radius: 4px;
-    -moz-border-radius: 4px;
-}
-.form-field {
-    color: #B7B7B7;
-    border: 1px solid #B7B7B7;
-}
-.form-field-focus {
-    color: #333333;
-    border-color: #333;
-}
-.form-button {
-    background: #B61601;
-    box-sizing: content-box;
-    -moz-box-sizing: content-box;
-    color: #ffffff;
-    cursor: pointer;
-}
-.form-button:hover {
-    background: #FF6400;
-}
-.form-error {
-    padding: 0;
-    color: #B61601;
-}
-
-.list-help {
-    margin-top: 40px; /* offset padding on first anchor */
-    list-style: none;
-}
-.list-help-item a {
-    display: block;
-    padding: 6px 0;
-}
-.item-marker {
-    color: #be0000;
-}
-
-footer {
-    color: #ffffff;
-    font-size: 11px;
-    background: #717171;
-}
-.footer-text {
-    margin-bottom: 12px;
-}
-.footer-links a:link,
-.footer-links a:visited {
-    color: #ffffff;
-    font-weight: bold;
-}
-.footer-links a:after {
-    content: "\00a0\00a0\00a0|\00a0\00a0";
-}
-.footer-links a.last:after {
-    content: "";
-}
+* {
+    margin: 0;
+    padding: 0;
+}
+header, footer, section, nav {
+    display: block;
+}
+html, body {
+    height: 100%;
+}
+body {
+    font-family:Verdana, Geneva, sans-serif;
+    font-size: 12px;
+    line-height: 1.5;
+    color: #717171;
+    background: #717171;
+}
+a:link,
+a:visited {
+    text-decoration: none;
+    color: #717171;
+}
+img {
+    max-width: 100%;
+    margin-bottom: 12px;
+}
+
+.wrapper {
+    background: #ffffff;
+}
+
+.container {
+    position: relative;
+    left: 34%;
+    width: 540px;
+    margin-left: -270px;
+}
+.container-footer {
+    padding-top: 12px;
+}
+@media only screen and (max-width: 1020px) {
+    .container {
+        left: 45%;
+    }
+}
+@media only screen and (max-width: 650px) {
+    .container {
+        position: static;
+        margin: 0 auto;
+        width: 280px;
+    }
+}
+
+header {
+    padding: 20px 0;
+}
+
+.logo img {
+    border: none;
+}
+@media only screen and (max-width: 650px) {
+    .logo img {
+        display: none;
+    }
+    .logo {
+        background: url(../images/dummylogo-mobile.png) no-repeat top center;
+        display: block;
+        height: 115px;
+        width: 100px;
+        margin: 0 auto;
+    }
+}
+
+.content {
+    padding-bottom: 80px;
+    overflow: hidden;
+}
+
+.column {
+    float: left;
+}
+.column.one {
+    width: 50%;
+    margin-right: 48px;
+}
+
+form {
+    width: 240px;
+    padding-bottom: 21px;
+}
+form label { /* labels are hidden */
+    font-weight: bold;
+}
+form legend {
+    font-size:1.2em;
+    margin-bottom: 12px;
+}
+.form-element-wrapper {
+    margin-bottom: 12px;
+}
+.form-element {
+    width: 100%;
+    padding: 13px 12px;
+    border: none;
+    font-size: 14px;
+    border-radius: 4px;
+    -webkit-border-radius: 4px;
+    -moz-border-radius: 4px;
+}
+.form-field {
+    color: #B7B7B7;
+    border: 1px solid #B7B7B7;
+}
+.form-field-focus {
+    color: #333333;
+    border-color: #333;
+}
+.form-button {
+    background: #B61601;
+    box-sizing: content-box;
+    -moz-box-sizing: content-box;
+    color: #ffffff;
+    cursor: pointer;
+}
+.form-button:hover {
+    background: #FF6400;
+}
+.form-error {
+    padding: 0;
+    color: #B61601;
+}
+
+.list-help {
+    margin-top: 40px; /* offset padding on first anchor */
+    list-style: none;
+}
+.list-help-item a {
+    display: block;
+    padding: 6px 0;
+}
+.item-marker {
+    color: #be0000;
+}
+
+footer {
+    color: #ffffff;
+    font-size: 11px;
+    background: #717171;
+}
+.footer-text {
+    margin-bottom: 12px;
+}
+.footer-links a:link,
+.footer-links a:visited {
+    color: #ffffff;
+    font-weight: bold;
+}
+.footer-links a:after {
+    content: "\00a0\00a0\00a0|\00a0\00a0";
+}
+.footer-links a.last:after {
+    content: "";
+}