diff --git a/conf/access-control.xml b/conf/access-control.xml
index 3853722..9ed4242 100644
--- a/conf/access-control.xml
+++ b/conf/access-control.xml
@@ -47,7 +47,7 @@
         <entry key="AccessByAttribute">
             <bean parent="shibboleth.PredicateAccessControl">
                 <constructor-arg>
-                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+                    <bean parent="shibboleth.Conditions.SimpleAttribute">
                         <property name="attributeValueMap">
                             <map>
                                 <entry key="eduPersonEntitlement">
diff --git a/conf/admin/admin.properties b/conf/admin/admin.properties
index 7f14b56..8713a81 100644
--- a/conf/admin/admin.properties
+++ b/conf/admin/admin.properties
@@ -4,52 +4,86 @@
 #idp.status.accessPolicy = AccessByIPAddress
 #idp.status.authenticated = false
 #idp.status.nonBrowserSupported = false
+#idp.status.defaultAuthenticationMethods =
 #idp.status.resolveAttributes = false
+#idp.status.postAuthenticationFlows =
 
 #idp.reload.logging = Reload
 #idp.reload.accessPolicy = AccessByIPAddress
 #idp.reload.authenticated = false
 #idp.reload.nonBrowserSupported = false
+#idp.reload.defaultAuthenticationMethods =
 #idp.reload.resolveAttributes = false
+#idp.reload.postAuthenticationFlows =
 
 #idp.resolvertest.logging = ResolverTest
 #idp.resolvertest.accessPolicy = AccessByIPAddress
 #idp.resolvertest.authenticated = false
 #idp.resolvertest.nonBrowserSupported = false
+#idp.resolvertest.defaultAuthenticationMethods =
 #idp.resolvertest.resolveAttributes = false
+#idp.resolvertest.postAuthenticationFlows =
+
+#idp.dumpconfig.logging = DumpConfig
+#idp.dumpconfig.accessPolicy = AccessByIPAddress
+#idp.dumpconfig.authenticated = false
+#idp.dumpconfig.nonBrowserSupported = false
+#idp.dumpconfig.defaultAuthenticationMethods =
+#idp.dumpconfig.resolveAttributes = false
+#idp.dumpconfig.postAuthenticationFlows =
 
 #idp.mdquery.logging = MetadataQuery
 #idp.mdquery.accessPolicy = AccessByIPAddress
 #idp.mdquery.authenticated = false
 #idp.mdquery.nonBrowserSupported = false
+#idp.mdquery.defaultAuthenticationMethods =
 #idp.mdquery.resolveAttributes = false
+#idp.mdquery.postAuthenticationFlows =
 
 #idp.metrics.logging = Metrics
 #idp.metrics.authenticated = false
 #idp.metrics.nonBrowserSupported = false
+#idp.metrics.defaultAuthenticationMethods =
 #idp.metrics.resolveAttributes = false
+#idp.metrics.postAuthenticationFlows =
 # See admin/metrics.xml for other configuration
 
 #idp.hello.logging = Hello
 #idp.hello.accessPolicy = AccessByAdminUser
 #idp.hello.authenticated = true
 #idp.hello.nonBrowserSupported = false
+#idp.hello.defaultAuthenticationMethods =
 #idp.hello.resolveAttributes = true
+#idp.hello.postAuthenticationFlows =
 
 #idp.lockout.logging = Lockout
 #idp.lockout.accessPolicy = AccessDenied
 #idp.lockout.authenticated = false
 #idp.lockout.nonBrowserSupported = false
+#idp.lockout.defaultAuthenticationMethods =
 #idp.lockout.resolveAttributes = false
+#idp.lockout.postAuthenticationFlows =
+
+#idp.revocation.logging = Revocation
+#idp.revocation.accessPolicy = AccessDenied
+#idp.revocation.authenticated = false
+#idp.revocation.nonBrowserSupported = false
+#idp.revocation.defaultAuthenticationMethods =
+#idp.revocation.resolveAttributes = false
+#idp.revocation.postAuthenticationFlows =
 
 #idp.storage.logging = Storage
 #idp.storage.accessPolicy = AccessDenied
 #idp.storage.authenticated = false
 #idp.storage.nonBrowserSupported = false
+#idp.storage.defaultAuthenticationMethods =
 #idp.storage.resolveAttributes = false
+#idp.storage.postAuthenticationFlows =
 
 #idp.unlock-keys.logging = UnlockKeys
 #idp.unlock-keys.accessPolicy = AccessDenied
 #idp.unlock-keys.authenticated = true
 #idp.unlock-keys.nonBrowserSupported = false
+#idp.unlock-keys.defaultAuthenticationMethods =
 #idp.unlock-keys.resolveAttributes = false
+#idp.unlock-keys.postAuthenticationFlows =
diff --git a/conf/admin/metrics.xml b/conf/admin/metrics.xml
index 208ab6b..7ac0735 100644
--- a/conf/admin/metrics.xml
+++ b/conf/admin/metrics.xml
@@ -31,6 +31,10 @@
                 <ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />
                 <ref bean="shibboleth.metrics.CASServiceRegistryGaugeSet" />
                 <ref bean="shibboleth.metrics.ManagedBeanGaugeSet" />
+                <ref bean="shibboleth.metrics.ModuleGaugeSet" />
+                
+                <!-- Note that this accesses remote "state" regarding IdP and plugin updates. -->
+                <ref bean="shibboleth.metrics.InstallableComponents" />
 
                 <!--
                 <bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
@@ -55,6 +59,7 @@
     <util:map id="shibboleth.metrics.MetricGroups">
         <entry key="core" value-ref="shibboleth.metrics.CoreGaugeSet" />
         <entry key="idp" value-ref="shibboleth.metrics.IdPGaugeSet" />
+        <entry key="updates" value-ref="shibboleth.metrics.InstallableComponents" />
         <entry key="logging" value-ref="shibboleth.metrics.LoggingGaugeSet" />
         <entry key="access" value-ref="shibboleth.metrics.AccessControlGaugeSet" />
         <entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />
diff --git a/conf/attribute-filter.xml b/conf/attribute-filter.xml
index 7787d0c..c2bf890 100644
--- a/conf/attribute-filter.xml
+++ b/conf/attribute-filter.xml
@@ -14,6 +14,14 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
+
+    <!-- Release home org signifier to everybody. -->
+    <AttributeFilterPolicy id="alwaysRelease">
+        <PolicyRequirementRule xsi:type="ANY" />
+        
+        <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
+    </AttributeFilterPolicy>
+
     <!--
     Example rule relying on a locally applied tag in metadata to trigger attribute
     release of some specific attributes. Add additional attributes as desired.
diff --git a/conf/attribute-resolver.xml b/conf/attribute-resolver.xml
index 8d16a59..dd5545f 100644
--- a/conf/attribute-resolver.xml
+++ b/conf/attribute-resolver.xml
@@ -66,7 +66,10 @@ list of possible components and their options.
     <!--      Data Connectors                       -->
     <!-- ========================================== -->
 
-    <DataConnector id="staticAttributes" xsi:type="Static">
+    <DataConnector id="staticAttributes" xsi:type="Static" exportAttributes="schacHomeOrganization">
+        <Attribute id="schacHomeOrganization">
+            <Value>%{idp.scope}</Value>
+        </Attribute>
         <Attribute id="affiliation">
             <Value>member</Value>
         </Attribute>
diff --git a/conf/attributes/default-rules.xml b/conf/attributes/default-rules.xml
index c865157..db8f1a1 100644
--- a/conf/attributes/default-rules.xml
+++ b/conf/attributes/default-rules.xml
@@ -23,6 +23,7 @@
     <import resource="inetOrgPerson.xml" />
     <import resource="eduPerson.xml" />
     <import resource="eduCourse.xml" />
+    <import resource="schac.xml" />
     <import resource="samlSubject.xml" />
 
 </beans>
diff --git a/conf/attributes/eduCourse.xml b/conf/attributes/eduCourse.xml
index 6794da6..96341c3 100644
--- a/conf/attributes/eduCourse.xml
+++ b/conf/attributes/eduCourse.xml
@@ -12,6 +12,13 @@
        default-init-method="initialize"
        default-destroy-method="destroy">
 
+    <!--
+    Note that all built-in rules rely on URI-naming and thus include the implied settings:
+    
+    <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop>
+    <prop key="saml1.namespace">urn:mace:shibboleth:1.0:attributeNamespace:uri</prop>
+    -->
+
     <bean parent="shibboleth.TranscodingRuleLoader">
     <constructor-arg>
     <list>
diff --git a/conf/attributes/eduPerson.xml b/conf/attributes/eduPerson.xml
index afe1299..115967c 100644
--- a/conf/attributes/eduPerson.xml
+++ b/conf/attributes/eduPerson.xml
@@ -11,6 +11,13 @@
                            
        default-init-method="initialize"
        default-destroy-method="destroy">
+
+    <!--
+    Note that all built-in rules rely on URI-naming and thus include the implied settings:
+    
+    <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop>
+    <prop key="saml1.namespace">urn:mace:shibboleth:1.0:attributeNamespace:uri</prop>
+    -->
        
     <bean parent="shibboleth.TranscodingRuleLoader">
     <constructor-arg>
@@ -26,13 +33,13 @@
                     <prop key="displayName.en">Affiliation</prop>
                     <prop key="displayName.de">Zugehörigkeit</prop>
                     <prop key="displayName.fr">Affiliation</prop>
-                    <prop key="displayName.it">Tipo di membro</prop>
+                    <prop key="displayName.it">Affiliazione</prop>
                     <prop key="displayName.ja">職位</prop>
                     <prop key="description.en">Affiliation: Type of affiliation with Home Organization</prop>
                     <prop key="description.de">Art der Zugehörigkeit zur Heimatorganisation</prop>
                     <prop key="description.de-ch">Art der Zugehörigkeit zur Heimorganisation</prop>
                     <prop key="description.fr">Type d'affiliation dans l'organisation</prop>
-                    <prop key="description.it">Tipo di membro: Tipo di lavoro svolto per l'organizzazione</prop>
+                    <prop key="description.it">Affiliazione: Tipo di affiliazione presso l'organizzazione</prop>
                     <prop key="description.ja">所属機関における職位(faculty，staff，student，memberなど)</prop>
                 </props>
             </property>
@@ -48,12 +55,12 @@
                     <prop key="displayName.en">Assurance level</prop>
                     <prop key="displayName.de">Vertrauensgrad</prop>
                     <prop key="displayName.fr">Niveau de confiance</prop>
-                    <prop key="displayName.it">Livello di sicurezza</prop>
+                    <prop key="displayName.it">Livello di garanzia dell'identita'</prop>
                     <prop key="displayName.ja">保証レベル</prop>
-                    <prop key="description.en">Set of URIs that assert compliance with specific standards for identity assurance.</prop>
+                    <prop key="description.en">Set of URIs that assert compliance with specific standards for identity assurance</prop>
                     <prop key="description.de">URIs die eine gewisse Zusicherung für spezifische Standards des Vertrauens beinhalten</prop>
                     <prop key="description.fr">Un ensemble d'URI qui attestent la conformité selon un standard pour les niveaux d'assurance d'identités</prop>
-                    <prop key="description.it">Un insieme di URI che asseriscono l'osservanza dei livelli di sicurezza richiesti</prop>
+                    <prop key="description.it">Un insieme di URI che asseriscono l'osservanza dei livelli di garanzia dell'identita'</prop>
                     <prop key="description.ja">IDの保証レベルに関して特定の基準に準拠していることを示すURI</prop>
                 </props>
             </property>
@@ -68,13 +75,13 @@
                     <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonEntitlement</prop>
                     <prop key="displayName.en">Entitlement</prop>
                     <prop key="displayName.de">Berechtigung</prop>
-                    <prop key="displayName.fr">Entitlement</prop>
-                    <prop key="displayName.it">Prerogativa</prop>
+                    <prop key="displayName.fr">Membre de</prop>
+                    <prop key="displayName.it">Diritti</prop>
                     <prop key="displayName.ja">資格情報</prop>
                     <prop key="description.en">Member of: URI (either URL or URN) that indicates a set of rights to specific resources based on an agreement across the releavant community</prop>
                     <prop key="description.de">Zeichenkette, die Rechte für spezifische Ressourcen beschreibt</prop>
-                    <prop key="description.fr">Membre de: URI (soit une URL ou une URN) décrivant un droit spécific d'accès.</prop>
-                    <prop key="description.it">Membro delle seguenti URI (sia URL o URN) che rappresentano diritti specifici d'accesso validi in tutta la communità</prop>
+                    <prop key="description.fr">Membre de: URI (soit une URL ou une URN) décrivant un droit spécific d'accès</prop>
+                    <prop key="description.it">Membro di: URI (sia URL, sia URN) che rappresentano diritti su specifiche risorse e basati su accordi tra le comunità interessate</prop>
                     <prop key="description.ja">特定のアプリケーションもしくはコミュニティ内の複数リソースへのアクセス権限を持つことを示すURI(URLもしくはURN)</prop>
                 </props>
             </property>
@@ -91,13 +98,13 @@
                     <prop key="displayName.de">Kurzname</prop>
                     <prop key="displayName.de-ch">Übername</prop>
                     <prop key="displayName.fr">Surnom</prop>
-                    <prop key="displayName.it">Diminutivo</prop>
+                    <prop key="displayName.it">Soprannome</prop>
                     <prop key="displayName.ja">ニックネーム</prop>
-                    <prop key="description.en">Person's nickname, or the informal name by which they are accustomed to be hailed.</prop>
-                    <prop key="description.de">Kurzname einer Person, oder üblicher Rufname zur Begrüßung.</prop>
-                    <prop key="description.de-ch">Übername einer Person, oder üblicher Rufname zur Begrüssung.</prop>
-                    <prop key="description.fr">Nom personnalisable pour un usage informel.</prop>
-                    <prop key="description.it">Diminutivo della persona, o  soprannome.</prop>
+                    <prop key="description.en">Person's nickname, or the informal name by which they are accustomed to be hailed</prop>
+                    <prop key="description.de">Kurzname einer Person, oder üblicher Rufname zur Begrüßung</prop>
+                    <prop key="description.de-ch">Übername einer Person, oder üblicher Rufname zur Begrüssung</prop>
+                    <prop key="description.fr">Nom personnalisable pour un usage informel</prop>
+                    <prop key="description.it">Soprannome della persona</prop>
                     <prop key="description.ja">利用者のニックネームもしくは通称</prop>
                 </props>
             </property>
@@ -111,7 +118,7 @@
                     <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.3</prop>
                     <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonOrgDN</prop>
                     <prop key="displayName.en">Organization distinguished name</prop>
-                    <prop key="description.en">Distinguished name (DN) of the directory entry representing the institution with which the person is associated.</prop>
+                    <prop key="description.en">Distinguished name (DN) of the directory entry representing the institution with which the person is associated</prop>
                 </props>
             </property>
         </bean>
@@ -124,7 +131,9 @@
                     <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.4</prop>
                     <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonOrgUnitDN</prop>
                     <prop key="displayName.en">Organization unit distinguished name</prop>
-                    <prop key="description.en">Distinguished name(s) (DN) of the directory entries representing the person's Organizational Unit(s).</prop>
+                    <prop key="displayName.fr">Structures de rattachement</prop>
+                    <prop key="description.en">Distinguished name(s) (DN) of the directory entries representing the person's Organizational Unit(s)</prop>
+                    <prop key="description.fr">Structures d'affectation (composante, service...) de la personne dans l'annuaire</prop>
                 </props>
             </property>
         </bean>
@@ -137,7 +146,9 @@
                     <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.16</prop>
                     <prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.16</prop>
                     <prop key="displayName.en">ORCID</prop>
-                    <prop key="description.en">ORCID researcher identifier(s) belonging to a person.</prop>
+                    <prop key="displayName.fr">identifiants ORCID</prop>
+                    <prop key="description.en">ORCID researcher identifier(s) belonging to a person</prop>
+                    <prop key="description.fr">Identifiant(s) ORCID d'une personne</prop>
                 </props>
             </property>
         </bean>
@@ -151,13 +162,13 @@
                     <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation</prop>
                     <prop key="displayName.en">Primary affiliation</prop>
                     <prop key="displayName.de">Primäre Zugehörigkeit</prop>
-                    <prop key="displayName.fr">Affiliation pricipale</prop>
-                    <prop key="displayName.it">Appartenenza principale</prop>
+                    <prop key="displayName.fr">Affiliation principale</prop>
+                    <prop key="displayName.it">Affiliazione principale</prop>
                     <prop key="displayName.ja">主要職位</prop>
                     <prop key="description.en">Specifies the person's primary relationship to the institution in broad categories such as student, faculty, staff, alum, etc.</prop>
                     <prop key="description.de">Spezifiziert der Hauptbeziehung einer Person innerhalb ihrer Organisation in groben Kategorien wie Student, Mitarbeiter, Alumni, etc.</prop>
                     <prop key="description.fr">Spécifie la relation principale d'une personne avec l'institution selon des majeures catégories comme étudiant, collaborateur, alumni etc.</prop>
-                    <prop key="description.it">Specifica la relazione principale dell persona con l'istituzione secondo le maggiori categorie come studente, collaboratore, alumni, etc.</prop>
+                    <prop key="description.it">Specifica la relazione principale della persona con l'istituzione secondo le categorie studente, collaboratore, alumni, etc.</prop>
                     <prop key="description.ja">所属機関における主要な職位(faculty，staff，student，memberなど)</prop>
                 </props>
             </property>
@@ -171,7 +182,9 @@
                     <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.8</prop>
                     <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN</prop>
                     <prop key="displayName.en">Primary organization unit distinguished name</prop>
-                    <prop key="description.en">Distinguished name (DN) of the directory entry representing the person's primary Organizational Unit.</prop>
+                    <prop key="displayName.fr">Structure de rattachement principal</prop>
+                    <prop key="description.en">Distinguished name (DN) of the directory entry representing the person's primary Organizational Unit</prop>
+                    <prop key="description.fr">Structure (composante, service) dans l'annuaire considérée comme affectation principale de la personne</prop>
                 </props>
             </property>
         </bean>
@@ -186,10 +199,10 @@
                     <prop key="saml1.encodeType">false</prop>
                     <prop key="displayName.en">Principal name</prop>
                     <prop key="displayName.de">Persönliche ID</prop>
-                    <prop key="displayName.fr">Principal Name</prop>
-                    <prop key="displayName.it">Principal Name</prop>
+                    <prop key="displayName.fr">Identifiant unique</prop>
+                    <prop key="displayName.it">ID personale</prop>
                     <prop key="displayName.ja">プリンシパルID</prop>
-                    <prop key="description.en">A unique identifier for a person, mainly for inter-institutional user identification.</prop>
+                    <prop key="description.en">A unique identifier for a person, mainly for inter-institutional user identification</prop>
                     <prop key="description.de">Eindeutige Benutzeridentifikation</prop>
                     <prop key="description.de-ch">Eindeutige Benützeridentifikation</prop>
                     <prop key="description.fr">L'identifiant unique de l'utilisateur</prop>
@@ -208,7 +221,9 @@
                     <prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.12</prop>
                     <prop key="saml1.encodeType">false</prop>
                     <prop key="displayName.en">Prior principal name(s)</prop>
-                    <prop key="description.en">eduPersonPrincipalName value(s) previously associated with the entry.</prop>
+                    <prop key="displayName.fr">Anciens identifiants EPPN</prop>
+                    <prop key="description.en">eduPersonPrincipalName value(s) previously associated with the entry</prop>
+                    <prop key="description.fr">Liste des valeurs de l'attribut eduPersonPrincipalName précédemment attribuées à la personne</prop>
                 </props>
             </property>
         </bean>
@@ -224,13 +239,13 @@
                     <prop key="displayName.en">Scoped affiliation</prop>
                     <prop key="displayName.de">Zugehörigkeit</prop>
                     <prop key="displayName.fr">Affiliation</prop>
-                    <prop key="displayName.it">Tipo di membro</prop>
+                    <prop key="displayName.it">Affiliazione</prop>
                     <prop key="displayName.ja">スコープ付き職位</prop>
                     <prop key="description.en">Specifies the person's affiliation within a particular security domain</prop>
                     <prop key="description.de">Art der Zugehörigkeit zur Heimatorganisation</prop>
                     <prop key="description.de-ch">Art der Zugehörigkeit zur Heimorganisation</prop>
                     <prop key="description.fr">Type d'affiliation dans l'organisation</prop>
-                    <prop key="description.it">Tipo di membro: Tipo di lavoro svolto per l'organizzazione</prop>
+                    <prop key="description.it">Affiliazione: Tipo di affiliazione pressocon l'organizzazione</prop>
                     <prop key="description.ja">セキュリティドメインのスコープが付いた所属機関における職位</prop>
                 </props>
             </property>
@@ -247,18 +262,46 @@
                     <prop key="displayName.en">Unique ID</prop>
                     <prop key="displayName.de">Eindeutige ID</prop>
                     <prop key="displayName.fr">ID unique</prop>
-                    <prop key="displayName.it">ID unico</prop>
+                    <prop key="displayName.it">ID univoco</prop>
                     <prop key="displayName.ja">ユニークID</prop>
-                    <prop key="description.en">A unique identifier for a person, mainly for inter-institutional user identification.</prop>
+                    <prop key="description.en">A unique identifier for a person, mainly for inter-institutional user identification</prop>
                     <prop key="description.de">Eindeutige Benutzeridentifikation</prop>
                     <prop key="description.de-ch">Eindeutige Benützeridentifikation</prop>
                     <prop key="description.fr">Identifiant unique de l'utilisateur</prop>
-                    <prop key="description.it">Un identificativo personale che identifica chiaramente l'utente in seno alla sua organizzazione</prop>
+                    <prop key="description.it">Un identificativo univoco che identifica chiaramente l'utente in seno alla sua organizzazione</prop>
                     <prop key="description.ja">フェデレーション内で一意で永続的かつ難読化された利用者識別子(後継はサブジェクトID)</prop>
                 </props>
             </property>
         </bean>
 
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">eduPersonAnalyticsTag</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder CASStringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.17</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.17</prop>
+                    <prop key="saml1.encodeType">false</prop>
+                    <prop key="displayName.en">Aggregated analytics tag</prop>
+                    <prop key="description.en">Opaque string that aggregates the use of a service by a set of subjects for the purpose of reporting or analytics</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">eduPersonDisplayPronouns</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder CASStringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.18</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.18</prop>
+                    <prop key="saml1.encodeType">false</prop>
+                    <prop key="displayName.en">Display Pronouns</prop>
+                    <prop key="description.en">Personal pronouns by which the person prefers to be identified</prop>
+                </props>
+            </property>
+        </bean>
+
     </list>
     </constructor-arg>
     </bean>
diff --git a/conf/attributes/inetOrgPerson.xml b/conf/attributes/inetOrgPerson.xml
index f2aebb1..2ab78ef 100644
--- a/conf/attributes/inetOrgPerson.xml
+++ b/conf/attributes/inetOrgPerson.xml
@@ -12,6 +12,13 @@
        default-init-method="initialize"
        default-destroy-method="destroy">
 
+    <!--
+    Note that all built-in rules rely on URI-naming and thus include the implied settings:
+    
+    <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop>
+    <prop key="saml1.namespace">urn:mace:shibboleth:1.0:attributeNamespace:uri</prop>
+    -->
+
     <!-- https://tools.ietf.org/html/rfc2798 -->
 
     <bean parent="shibboleth.TranscodingRuleLoader">
@@ -26,7 +33,9 @@
                     <prop key="saml2.name">urn:oid:2.5.4.3</prop>
                     <prop key="saml1.name">urn:mace:dir:attribute-def:cn</prop>
                     <prop key="displayName.en">Common name</prop>
+                    <prop key="displayName.fr">Nom et Prénom</prop>
                     <prop key="description.en">Common name of a person</prop>
+                    <prop key="description.fr">Nom complet sans accent d'une personne</prop>
                 </props>
             </property>
         </bean>
@@ -39,9 +48,11 @@
                     <prop key="saml2.name">urn:oid:2.16.840.1.113730.3.1.2</prop>
                     <prop key="saml1.name">urn:mace:dir:attribute-def:departmentNumber</prop>
                     <prop key="displayName.en">Department number</prop>
+                    <prop key="displayName.fr">departmentNumber</prop>
                     <prop key="displayName.de">Abteilungsnummer</prop>
                     <prop key="description.en">Department number</prop>
                     <prop key="description.de">Nummer der Abteilung</prop>
+                    <prop key="description.fr">Identifiant du département dans l'organisation</prop>
                 </props>
             </property>
         </bean>
@@ -58,7 +69,7 @@
                     <prop key="displayName.fr">Nom</prop>
                     <prop key="displayName.it">Nome</prop>
                     <prop key="displayName.ja">表示名</prop>
-                    <prop key="description.en">The name that should appear in white-pages-like applications for this person.</prop>
+                    <prop key="description.en">The name that should appear in white-pages-like applications for this person</prop>
                     <prop key="description.de">Anzeigename</prop>
                     <prop key="description.fr">Nom complet d'affichage</prop>
                     <prop key="description.it">Nome</prop>
@@ -96,7 +107,9 @@
                     <prop key="saml2.name">urn:oid:2.16.840.1.113730.3.1.4</prop>
                     <prop key="saml1.name">urn:mace:dir:attribute-def:employeeType</prop>
                     <prop key="displayName.en">Employee type</prop>
+                    <prop key="displayName.fr">Type d'employé</prop>
                     <prop key="description.en">Employee type</prop>
+                    <prop key="description.fr">Catégorie d'employé dans l'organisation</prop>
                 </props>
             </property>
         </bean>
@@ -195,7 +208,7 @@
                     <prop key="saml1.name">urn:mace:dir:attribute-def:l</prop>
                     <prop key="displayName.en">Locality name</prop>
                     <prop key="displayName.de">Ort</prop>
-                    <prop key="displayName.fr">Locality name</prop>
+                    <prop key="displayName.fr">Localité</prop>
                     <prop key="displayName.ja">場所(L)</prop>
                     <prop key="description.en">Locality name</prop>
                     <prop key="description.de">Ort</prop>
@@ -398,7 +411,7 @@
                     <prop key="displayName.ja">姓</prop>
                     <prop key="description.en">Surname or family name</prop>
                     <prop key="description.de">Familienname</prop>
-                    <prop key="description.fr">Nom de famille de l'utilisateur.</prop>
+                    <prop key="description.fr">Nom de famille de l'utilisateur</prop>
                     <prop key="description.it">Cognome dell'utilizzatore</prop>
                     <prop key="description.ja">氏名(姓)の英語表記</prop>
                 </props>
@@ -413,8 +426,10 @@
                     <prop key="saml2.name">urn:oid:2.5.4.8</prop>
                     <prop key="saml1.name">urn:mace:dir:attribute-def:st</prop>
                     <prop key="displayName.en">State or province name</prop>
+                    <prop key="displayName.fr">Etat ou nom de province</prop>
                     <prop key="displayName.ja">都道府県もしくは州や省(ST)</prop>
                     <prop key="description.en">State or province name</prop>
+                    <prop key="description.fr">Etat ou nom de province</prop>
                     <prop key="description.ja">州名や省名 国によって異なり日本の場合は都道府県名</prop>
                 </props>
             </property>
@@ -494,10 +509,10 @@
                     <prop key="displayName.fr">ID utilisateur</prop>
                     <prop key="displayName.it">ID dell'utente</prop>
                     <prop key="displayName.ja">ユーザID</prop>
-                    <prop key="description.en">A unique identifier for a person, mainly used for user identification within the user's home organization.</prop>
-                    <prop key="description.de">Eine eindeutige Nummer für eine Person, welche hauptsächlich zur Identifikation innerhalb der Organisation benutzt wird.</prop>
-                    <prop key="description.fr">Identifiant de connexion d'une personnes sur les systèmes informatiques.</prop>
-                    <prop key="description.it">Identificativo unico della persona, usato per l'identificazione dell'utente all'interno della organizzazione di appartenenza.</prop>
+                    <prop key="description.en">A unique identifier for a person, mainly used for user identification within the user's home organization</prop>
+                    <prop key="description.de">Eine eindeutige Nummer für eine Person, welche hauptsächlich zur Identifikation innerhalb der Organisation benutzt wird</prop>
+                    <prop key="description.fr">Identifiant de connexion d'une personnes sur les systèmes informatiques</prop>
+                    <prop key="description.it">Identificativo unico della persona, usato per l'identificazione dell'utente all'interno della organizzazione di appartenenza</prop>
                     <prop key="description.ja">所属機関内で一意の利用者識別子</prop>
                 </props>
             </property>
diff --git a/conf/attributes/samlSubject.xml b/conf/attributes/samlSubject.xml
index dac9a59..3ffa3cc 100644
--- a/conf/attributes/samlSubject.xml
+++ b/conf/attributes/samlSubject.xml
@@ -12,6 +12,12 @@
        default-init-method="initialize"
        default-destroy-method="destroy">
 
+    <!--
+    Note that all built-in rules rely on URI-naming and thus include the implied settings:
+    
+    <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop>
+    -->
+
     <!-- https://wiki.oasis-open.org/security/SAMLSubjectIDAttr -->
 
     <bean parent="shibboleth.TranscodingRuleLoader">
@@ -29,7 +35,7 @@
                     <prop key="displayName.fr">ID unique</prop>
                     <prop key="displayName.it">ID unico</prop>
                     <prop key="displayName.ja">サブジェクトID</prop>
-                    <prop key="description.en">A unique identifier for a person, mainly for inter-institutional user identification.</prop>
+                    <prop key="description.en">A unique identifier for a person, mainly for inter-institutional user identification</prop>
                     <prop key="description.de">Eindeutige Benutzeridentifikation</prop>
                     <prop key="description.de-ch">Eindeutige Benützeridentifikation</prop>
                     <prop key="description.fr">Identifiant unique de l'utilisateur</prop>
@@ -50,11 +56,11 @@
                     <prop key="displayName.fr">Pairwise ID</prop>
                     <prop key="displayName.it">Pairwise ID</prop>
                     <prop key="displayName.ja">ペアワイズID</prop>
-                    <prop key="description.en">Pairwise ID: A unique identifier for a person, different for each service provider.</prop>
-                    <prop key="description.de">Pairwise ID: Eindeutige Benutzeridentifikation, unterschiedlich pro Service Provider.</prop>
-                    <prop key="description.de-ch">Pairwise ID: Eindeutige Benützeridentifikation, unterschiedlich pro Service Provider.</prop>
-                    <prop key="description.fr">Pairwise ID: Un identifiant unique de l'utilisateur, différent pour chaque fournisseur de service.</prop>
-                    <prop key="description.it">Pairwise ID: identificativo unico della persona, differente per ogni fornitore di servizio.</prop>
+                    <prop key="description.en">Pairwise ID: A unique identifier for a person, different for each service provider</prop>
+                    <prop key="description.de">Pairwise ID: Eindeutige Benutzeridentifikation, unterschiedlich pro Service Provider</prop>
+                    <prop key="description.de-ch">Pairwise ID: Eindeutige Benützeridentifikation, unterschiedlich pro Service Provider</prop>
+                    <prop key="description.fr">Pairwise ID: Un identifiant unique de l'utilisateur, différent pour chaque fournisseur de service</prop>
+                    <prop key="description.it">Pairwise ID: identificativo unico della persona, differente per ogni fornitore di servizio</prop>
                     <prop key="description.ja">フェデレーション内で一意かつSP毎に送出される値が異なる利用者識別子(eduPersonTargetedIDの後継)</prop>
                 </props>
             </property>
diff --git a/conf/attributes/schac.xml b/conf/attributes/schac.xml
new file mode 100644
index 0000000..2e0db26
--- /dev/null
+++ b/conf/attributes/schac.xml
@@ -0,0 +1,382 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Note that all built-in rules rely on URI-naming and thus include the implied settings:
+    
+    <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop>
+    <prop key="saml1.namespace">urn:mace:shibboleth:1.0:attributeNamespace:uri</prop>
+    -->
+
+    <bean parent="shibboleth.TranscodingRuleLoader">
+    <constructor-arg>
+    <list>
+	<bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacMotherTongue</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.1</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.1</prop>
+                    <prop key="displayName.en">Mother Tongue</prop>
+                    <prop key="displayName.fr">Langue maternelle</prop>
+                    <prop key="displayName.it">Lingua Madre</prop>
+                    <prop key="description.en">Mother Tongue of the user</prop>
+                    <prop key="description.fr">Langue maternelle (la langue apprise en premier par une personne : fr</prop>
+                    <prop key="description.it">Lingua Madre dell'utente</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacGender</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.2</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.2</prop>
+                    <prop key="displayName.en">Gender</prop>
+                    <prop key="displayName.fr">Genre</prop>
+                    <prop key="displayName.it">Genere</prop>
+                    <prop key="description.en">Gender of the user</prop>
+                    <prop key="description.fr">Genre de la personne : un chiffre (0 "Not known, 1 "Male", 2 "Female", 9 "Not specified")</prop>
+                    <prop key="description.it">Genere dell'utente</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacDateOfBirth</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.3</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.3</prop>
+                    <prop key="displayName.en">Date or Birth</prop>
+                    <prop key="displayName.fr">Date de naissance</prop>
+                    <prop key="displayName.it">Giorno di nascita</prop>
+                    <prop key="description.en">The date of birth for the subject it is associated with</prop>
+                    <prop key="description.fr">Date de naissance au format "YYYYMMJJ"</prop>
+                    <prop key="description.it">Giorno di nascita del soggetto</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacYearOfBirth</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.0.2.3</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.0.2.3</prop>
+                    <prop key="displayName.en">Year of birth</prop>
+                    <prop key="displayName.fr">Année de naissance</prop>
+                    <prop key="displayName.it">Anno di nascita</prop>
+                    <prop key="description.en">The year of birth for the subject it is associated with</prop>
+                    <prop key="description.fr">Année de naissance au format "YYYY"</prop>
+                    <prop key="description.it">Anno di nascita del soggetto</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacPlaceOfBirth</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.4</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.4</prop>
+                    <prop key="displayName.en">Place of Birth</prop>
+                    <prop key="displayName.fr">Lieu de naissance</prop>
+                    <prop key="displayName.it">Luogo di nascita</prop>
+                    <prop key="description.en">The place of birth for the subject it is associated with</prop>
+                    <prop key="description.fr">Lieu de naissance</prop>
+                    <prop key="description.it">Luogo di nascita del soggetto</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacCountryOfCitizenship</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.5</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.5</prop>
+                    <prop key="displayName.en">Country of Citizenship</prop>
+                    <prop key="displayName.fr">Nationalité</prop>
+                    <prop key="description.en">The countries of citizenship for the subject it is associated with</prop>
+                    <prop key="description.fr">Pays où une personne est un citoyen : 2 lettres au format ISO 3166 (fr, es...)</prop>
+                    <prop key="description.it">Cittadinanza</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacSn1</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.6</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.6</prop>
+                    <prop key="displayName.en">First Surname</prop>
+                    <prop key="displayName.fr">Premier nom</prop>
+                    <prop key="displayName.it">Primo Cognome</prop>
+                    <prop key="description.en">First surname of a person ("the surname" in international terms)</prop>
+                    <prop key="description.fr">Premier nom d'une personne</prop>
+                    <prop key="description.it">Il cognome di una persona</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacSn2</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.7</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.7</prop>
+                    <prop key="displayName.en">Second Surname</prop>
+                    <prop key="displayName.fr">Second nom</prop>
+                    <prop key="displayName.it">Secondo Cognome</prop>
+                    <prop key="description.en">Second surname of a person</prop>
+                    <prop key="description.fr">Second nom d'une personne</prop>
+                    <prop key="description.it">Secondo cognome di una persona</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacPersonalTitle</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.8</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.8</prop>
+                    <prop key="displayName.en">Personal Title</prop>
+                    <prop key="displayName.fr">Titre</prop>
+                    <prop key="displayName.it">Soprannome</prop>
+                    <prop key="description.en">Nice name used for the user</prop>
+                    <prop key="description.fr">Titre de la personne</prop>
+                    <prop key="description.it">Titolo usato per salutare l'utente</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacHomeOrganization</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.9</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.9</prop>
+                    <prop key="displayName.en">Home Organization</prop>
+                    <prop key="displayName.fi">Kotiorganisaatio</prop>
+                    <prop key="displayName.fr">Organisme</prop>
+                    <prop key="displayName.it">Dominio dell'istituzione</prop>
+                    <prop key="description.en">The domain name of the person's home organisation</prop>
+                    <prop key="description.fi">Henkilön kotiorganisaation domain-nimi</prop>
+                    <prop key="description.fr">Nom de domaine DNS de l'organisme d'origine d'une personne</prop>
+                    <prop key="description.it">Dominio dell'istituzione</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacHomeOrganizationType</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.10</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.10</prop>
+                    <prop key="displayName.en">Home organization type</prop>
+                    <prop key="displayName.fi">Kotiorganisaation tyyppi</prop>
+                    <prop key="displayName.fr">Type d'organisme</prop>
+                    <prop key="displayName.it">Tipo di organizzazione di appartenenza (internazionale)</prop>
+                    <prop key="description.en">Home organisation type: university, polytechnic, etc</prop>
+                    <prop key="description.fi">Kotiorganisaation tyyppi: yliopisto, ammattikorkeakoulu jne</prop>
+                    <prop key="description.fr">Type d'organisme d'origine d'une personne</prop>
+                    <prop key="description.it">Tipo di organizzazione di appartenenza</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacCountryOfResidence</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.11</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.11</prop>
+                    <prop key="displayName.en">Country of Residence</prop>
+                    <prop key="displayName.fr">Pays de résidence</prop>
+                    <prop key="displayName.it">Residenza</prop>
+                    <prop key="description.en">The country of residence for the subject</prop>
+                    <prop key="description.fr">Pays de résidence : fr, es...</prop>
+                    <prop key="description.it">Paese di residenza dell'utente</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacUserPresenceID</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.12</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.12</prop>
+                    <prop key="displayName.en">User Presence ID</prop>
+                    <prop key="displayName.fr">Identifiant de présence</prop>
+                    <prop key="displayName.it">ID utente sulla rete</prop>
+                    <prop key="description.en">Identifiers that user collect on the net</prop>
+                    <prop key="description.fr">Ensemble de valeurs liées aux protocoles de présence réseau (sip, xmpp, h323...)</prop>
+                    <prop key="description.it">Identificativi usati dall'utente sulla rete</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacPersonalPosition</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.13</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.13</prop>
+                    <prop key="displayName.en">Personal Position</prop>
+                    <prop key="displayName.fr">Position/Rôle</prop>
+                    <prop key="displayName.it">Ruolo ricoperto</prop>
+                    <prop key="description.en">Personal Position of the user for the institution</prop>
+                    <prop key="description.fr">Position/Rôle de la personne au sein d'une institution</prop>
+                    <prop key="description.it">Ruolo dell'utente nell'istituzione</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacPersonalUniqueCode</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.14</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.14</prop>
+                    <prop key="displayName.en">Personal Unique Code</prop>
+                    <prop key="displayName.fr">Code personnel unique</prop>
+                    <prop key="displayName.it">Codice Univoco</prop>
+                    <prop key="description.en">Unique code for the subject it is associated with</prop>
+                    <prop key="description.fr">"Code unique" pour le sujet auquel il est associé (peut être le numéro d'étudiant, le numéro d'employé, ...)</prop>
+                    <prop key="description.it">Codice Univoco legato al soggetto</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacPersonalUniqueID</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.15</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.15</prop>
+                    <prop key="displayName.en">Personal Unique ID</prop>
+                    <prop key="displayName.fr">Identifiant personnel unique</prop>
+                    <prop key="displayName.it">ID Legale Univoco</prop>
+                    <prop key="description.en">Unique Legal Identifier of a person</prop>
+                    <prop key="description.fr">identifiant unique légal (DNI en espagne)</prop>
+                    <prop key="description.it">Identificativo Univoco Legale associato alla persona</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacExpiryDate</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.17</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.17</prop>
+                    <prop key="displayName.en">Expiry Date</prop>
+                    <prop key="displayName.fr">Date d'expiration</prop>
+                    <prop key="description.en">The date from which the set of data is to be considered invalid (specifically, in what refers to rights and entitlements)</prop>
+                    <prop key="description.fr">Date à partir de laquelle l'ensemble de données de la personne doit être considéré comme invalide, au format "YYYYMMDDhhmmssZ"</prop>
+                    <prop key="description.it">Data di scadenza dei dati utente (diritti e titoli)</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacUserPrivateAttribute</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.18</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.18</prop>
+                    <prop key="displayName.en">User Private Attribute</prop>
+                    <prop key="displayName.fr">Exigences de confidentialité</prop>
+                    <prop key="description.en">Datas that the user and/or organization policies want to keep private</prop>
+                    <prop key="description.fr">Exigences de confidentialité, telles qu'exprimées par l'utilisateur et / ou les stratégies de l'entreprise</prop>
+                    <prop key="description.it">Dati che l'utente o le policy organizzative vogliono tenere private</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacUserStatus</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.19</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.19</prop>
+                    <prop key="displayName.en">User Status</prop>
+                    <prop key="displayName.fr">Status utilisateur</prop>
+                    <prop key="description.en">Set of status of a person as user of services</prop>
+                    <prop key="description.fr">Ensemble de status d'une personne en tant qu'utilisateur de services</prop>
+                    <prop key="description.it">Stato di attivita' per l'utente sui diversi servizi</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacProjectMembership</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.20</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.20</prop>
+                    <prop key="displayName.en">Project Membership</prop>
+                    <prop key="displayName.fr">Appartenance au projet</prop>
+                    <prop key="description.en">Name of the project the user belongs to</prop>
+                    <prop key="description.fr">Nom du projet auquel l'utilisateur appartient</prop>
+                    <prop key="description.it">Nome del progetto a cui l'utente appartiene</prop>
+                </props>
+            </property>
+        </bean>
+
+        <bean parent="shibboleth.TranscodingProperties">
+            <property name="properties">
+                <props merge="true">
+                    <prop key="id">schacProjectSpecificRole</prop>
+                    <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
+                    <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.21</prop>
+                    <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.21</prop>
+                    <prop key="displayName.en">Project Specific Role</prop>
+                    <prop key="displayName.fr">Roles spécifiques au projet</prop>
+                    <prop key="description.en">Set of roles inside specific projects for the user</prop>
+                    <prop key="description.fr">Ensemble de rôles dans des projets spécifiques</prop>
+                    <prop key="description.it">Insieme dei ruoli svolti dall'utente su specifici progetti</prop>
+                </props>
+            </property>
+        </bean>
+    </list>
+    </constructor-arg>
+    </bean>
+</beans>
diff --git a/conf/audit.xml b/conf/audit.xml
index 42d82b8..3c9c408 100644
--- a/conf/audit.xml
+++ b/conf/audit.xml
@@ -29,6 +29,10 @@
         <value>http://shibboleth.net/ns/profiles/mdquery</value>
     </util:list>
 
+    <!--
+    You can freely add/change this map to map constants or frequently appearing strings into
+    shorter values in the audit log.
+    -->
     <util:map id="shibboleth.AuditFieldReplacementMap">
         <entry key="urn:oasis:names:tc:SAML:1.0:am:password" value="password" />
         <entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" value="password" />
diff --git a/conf/authn/authn.properties b/conf/authn/authn.properties
index 56111ef..405c522 100644
--- a/conf/authn/authn.properties
+++ b/conf/authn/authn.properties
@@ -24,6 +24,23 @@
 # If using IdP discovery feature, provides a discovery location to use.
 #idp.authn.discoveryURL = https://ds.example.org/shibboleth-ds/index.html
 
+# Login flow audit logging (defaults false for log compatibility)
+#idp.authn.audit.enabled = false
+
+# Revocation (administrative logout)
+#idp.authn.revocation = false
+#idp.authn.revocation.lifetime = %{idp.authn.defaultAuthnLifetime:PT12H}
+# Name of BiCondition to apply for check
+#idp.authn.revocation.Condition = shibboleth.RevocationCacheCondition
+# Set to true to treat lookup failures as being revoked.
+#idp.authn.revocation.strict = false
+# Set to true to check for address-based revocation.
+#idp.authn.revocation.addressBased = false
+# Default implementation based on a StorageService bean.
+#idp.authn.revocation.cache = shibboleth.AuthnRevocationCache
+#idp.authn.revocation.StorageService = shibboleth.StorageService
+
+
 # Properties below override specific method behavior, as an alternative
 # to defining Spring beans in XML. Refer to the documentation for a complete
 # list. Many of the properties below are mentioned only because they are
@@ -92,7 +109,14 @@ idp.authn.External.externalAuthnPath = contextRelative:external.jsp
 # Unset in most cases only if using the authnMethodHeader or
 # subjectAttribute settings
 #idp.authn.RemoteUser.addDefaultPrincipals = true
-# Most other settings need to be supplied via web.xml to the servlet
+#idp.authn.RemoteUser.checkRemoteUser = true
+# Comma-delimited lists of attributes or headers to pull from
+#idp.authn.RemoteUser.checkAttributes = 
+#idp.authn.RemoteUser.checkHeaders = 
+# Advanced settings
+#idp.authn.RemoteUser.subjectAttribute =
+#idp.authn.RemoteUser.authnMethodHeader =
+#idp.authn.RemoteUser.authnAuthorityHeader =
 
 #### RemoteUserInternal ####
 
@@ -127,6 +151,7 @@ idp.authn.SPNEGO.supportedPrincipals = \
 
 #idp.authn.X509.order = 1000
 #idp.authn.X509.nonBrowserSupported = false
+#idp.authn.X509.saveCertificateToCredentialSet = true
 # Servlet context-relative path to wherever your implementation lives
 #idp.authn.X509.externalAuthnPath = contextRelative:x509-prompt.jsp
 idp.authn.X509.supportedPrincipals = \
@@ -160,24 +185,6 @@ idp.authn.IPAddress.supportedPrincipals = \
 # Unset if you plan to return full Java Subject from function
 #idp.authn.Function.addDefaultPrincipals = true
 
-#### Duo ####
-
-#idp.authn.Duo.order = 1000
-#idp.authn.Duo.nonBrowserSupported = false
-#idp.authn.Duo.forcedAuthenticationSupported = true
-# Unset if you have advanced Duo integrations with individualized Principals
-#idp.authn.Duo.addDefaultPrincipals = true
-# The list below should be changed to reflect whatever locally- or
-# community-defined values are appropriate to represent Duo. It is
-# strongly advised that the value not be specific to Duo or any
-# particular technology to avoid lock-in.
-idp.authn.Duo.supportedPrincipals = \
-    saml2/http://example.org/ac/classes/mfa, \
-    saml1/http://example.org/ac/classes/mfa
-# Default Duo integration settings are defined separately
-# in duo.properties due to the sensitivity of the secret key.
-
-
 #### SAML ####
 
 #idp.authn.SAML.order = 1000
@@ -193,7 +200,12 @@ idp.authn.Duo.supportedPrincipals = \
 #idp.authn.SAML.discoveryRequired = true
 # Generally left false with bidirectional mappings in
 # conf/authn/authn-comparison.xml across the proxy boundary.
+# Adjust as needed to reflect IdP's capabilities/support.
 #idp.authn.SAML.addDefaultPrincipals = false
+#idp.authn.SAML.supportedPrincipals = \
+#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+#    saml1/urn:oasis:names:tc:SAML:1.0:am:password
 
 #### MFA ####
 
@@ -201,6 +213,8 @@ idp.authn.Duo.supportedPrincipals = \
 #idp.authn.MFA.passiveAuthenticationSupported = true
 #idp.authn.MFA.forcedAuthenticationSupported = true
 #idp.authn.MFA.validateLoginTransitions = true
+# Defaults to set AuthnInstant based on oldest component result
+#idp.authn.MFA.useLatestTimestamp = false
 # The list below almost certainly requires changes, and should generally be the
 # union of any of the separate factors you combine in your particular MFA flow
 # rules. The example corresponds to the example in mfa-authn-config.xml that
diff --git a/conf/authn/password-authn-config.xml b/conf/authn/password-authn-config.xml
index 4529b6f..dc10fa1 100644
--- a/conf/authn/password-authn-config.xml
+++ b/conf/authn/password-authn-config.xml
@@ -53,7 +53,6 @@
         <entry key="UnknownUsername">
             <list>
                 <value>NoCredentials</value>
-                <value>UnknownUsername</value>
                 <value>CLIENT_NOT_FOUND</value>
                 <value>Client not found</value>
                 <value>Cannot get kdc for realm</value>
@@ -78,7 +77,6 @@
         </entry>
         <entry key="AccountLocked">
             <list>
-                <value>AccountLocked</value>
                 <value>Clients credentials have been revoked</value>
                 <value>AcceptSecurityContext error, data 775</value>
             </list>
@@ -102,43 +100,6 @@
                 <value>ACCOUNT_WARNING</value>
             </list>
         </entry>
-        <entry key="RequestUnsupported">
-            <list>
-                <value>RequestUnsupported</value>
-            </list>
-        </entry>
     </util:map>
 
-    <!--
-    WARNING: This set of features is generally discouraged in favor of the MFA flow,
-    and while not deprecated, is not recommended for new deployments.
-    
-    Configuration of "extended" login methods to offer in the password login form.
-    
-    The String bean is a regular expression identifying the flows to offer. These flows
-    must also be enabled at the "top" level to be available for use.
-    
-    The ExtendedFlowParameters bean can be used to transfer custom parameters from the
-    login form into the context tree for use later by other flows.
-    
-    The last bean provides the set of custom Principals to use for results produced by the
-    Password flow itself. You would use this if you need the Password flow to run as a shell
-    to run the "extended" login methods, but want to limit its own results more narrowly.
-    -->
-    <!--
-    <bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="" />
-
-    <util:list id="shibboleth.authn.Password.ExtendedFlowParameters">
-    </util:list>
-
-    <util:list id="shibboleth.authn.Password.PrincipalOverride">
-        <bean parent="shibboleth.SAML2AuthnContextClassRef"
-            c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
-        <bean parent="shibboleth.SAML2AuthnContextClassRef"
-            c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
-        <bean parent="shibboleth.SAML1AuthenticationMethod"
-            c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
-    </util:list>
-    -->
-    
 </beans>
diff --git a/conf/credentials.xml b/conf/credentials.xml
index dde530b..b40778d 100644
--- a/conf/credentials.xml
+++ b/conf/credentials.xml
@@ -13,8 +13,6 @@
        default-destroy-method="destroy">
 
     <!--
-    NOTE: if you're using a legacy relying-party.xml file from a V2 configuration, this file is ignored.
-
     This defines the signing and encryption key and certificate pairs referenced by your relying-party.xml
     configuration. You don't normally need to touch this, unless you have advanced requirements such as
     supporting multiple sets of keys for different relying parties, in which case you may want to define
@@ -30,8 +28,7 @@
     </util:list>
     
     <!-- Your IdP's default signing key, set via property file. -->
-    <bean id="shibboleth.DefaultSigningCredential"
-        class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
+    <bean id="shibboleth.DefaultSigningCredential" parent="shibboleth.BasicX509CredentialFactoryBean"
         p:privateKeyResource="%{idp.signing.key}"
         p:certificateResource="%{idp.signing.cert}"
         p:entityId-ref="entityID" />
@@ -48,7 +45,7 @@
         
     <!-- Your IdP's default encryption (really decryption) keys, set via property file. -->
     <util:list id="shibboleth.DefaultEncryptionCredentials">
-        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
+        <bean parent="shibboleth.BasicX509CredentialFactoryBean"
             p:privateKeyResource="%{idp.encryption.key}"
             p:certificateResource="%{idp.encryption.cert}"
             p:entityId-ref="entityID" />
@@ -58,7 +55,7 @@
         to point to your new keypair. Once metadata has propagated, comment this one out again.
         -->
         <!--
-        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
+        <bean parent="shibboleth.BasicX509CredentialFactoryBean"
             p:privateKeyResource="%{idp.encryption.key.2}"
             p:certificateResource="%{idp.encryption.cert.2}"
             p:entityId-ref="entityID" />
diff --git a/conf/errors.xml b/conf/errors.xml
index a9730c0..8d629ab 100644
--- a/conf/errors.xml
+++ b/conf/errors.xml
@@ -27,6 +27,7 @@
         <entry key="AttributeReleaseRejected" value="true" />
         <entry key="TermsRejected" value="true" />
         <entry key="EndpointResolutionFailed" value="true" />
+        <entry key="MessageAuthenticationError" value="true" />
         <entry key="RuntimeException" value="false" />
         <entry key="InvalidEvent" value="false" />
         <entry key="InvalidCSRFToken" value="false" />
diff --git a/conf/examples/attribute-resolver-ldap.xml b/conf/examples/attribute-resolver-ldap.xml
index ec375b4..74b3033 100644
--- a/conf/examples/attribute-resolver-ldap.xml
+++ b/conf/examples/attribute-resolver-ldap.xml
@@ -59,6 +59,7 @@
         principal="%{idp.attribute.resolver.LDAP.bindDN}"
         principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
         useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+        startTLSTimeout="%{idp.attribute.resolver.LDAP.startTLSTimeout}"
         connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
         trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
         responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
@@ -79,7 +80,9 @@
             validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
             validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
             validateDN="%{idp.pool.LDAP.validateDN:}"
+            validateOnCheckout="%{idp.pool.LDAP.validateOnCheckout:false}"
             validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
+            prunePeriod="%{idp.pool.LDAP.prunePeriod:PT5M}"
             expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
     </DataConnector>
 
diff --git a/conf/global.xml b/conf/global.xml
index c485f3f..0bfa7bc 100644
--- a/conf/global.xml
+++ b/conf/global.xml
@@ -41,6 +41,9 @@
     
     The example below defines the bean as a map, which allows you to inject multiple objects under
     named keys to expand the feature to support multiple injected objects.
+    
+    You MUST NOT change the bean(s) referenced in this way, they should be treated as read-only from
+    within views.
     -->
     
     <!--
diff --git a/conf/idp.properties b/conf/idp.properties
index 24c20d9..59a6299 100644
--- a/conf/idp.properties
+++ b/conf/idp.properties
@@ -1,3 +1,7 @@
+# Set false if you do not want the IdP to check (asynchronously) whether
+# it can be updated or not when the container starts
+#idp.updateCheck.enable=true
+
 # Auto-load all files matching conf/**/*.properties
 # Disable if you want to manually maintain a list of sources.
 idp.searchForProperties=true
@@ -18,37 +22,48 @@ idp.entityID=https://idp.example.org/idp/shibboleth
 # Set to empty value to disable and return a 404.
 #idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml
 
-# Set the scope used in the attribute resolver for scoped attributes
+# Set the scope used in the attribute resolver for scoped attributes 
 idp.scope=example.org
 
 # General cookie properties (maxAge only applies to persistent cookies)
 #idp.cookie.secure = true
 #idp.cookie.httpOnly = true
 #idp.cookie.domain =
-#idp.cookie.path =
+# Note the path is now / to allow defaulting to __Host- prefixed names.
+#idp.cookie.path = /
 #idp.cookie.maxAge = 31536000
 # These control operation of the SameSite filter, which is off by default.
 #idp.cookie.sameSite = None
 #idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE
 
-# Enable cross-site request forgery mitigation for views.
+# Enable cross-site request forgery mitigation for views. 
 idp.csrf.enabled=true
 # Name of the HTTP parameter that stores the CSRF token.
 #idp.csrf.token.parameter = csrf_token
 
 # HSTS/CSP response headers
-#idp.hsts = max-age=0
+#idp.hsts = max-age=31536000
 # X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
 #idp.frameoptions = DENY
 # Content-Security-Policy value, set to match X-Frame-Options default
 #idp.csp = frame-ancestors 'none';
 
+# Set to false to disable filter that forcibly applies UTF-8 encoding
+#idp.encoding.forceUTF8 = true
+
+# Enable and control MDC filter
+#idp.logging.MDC.enabled = true
+#idp.logging.MDC.createSession = true
+
 # Set the location of user-supplied web flow definitions
 #idp.webflows = %{idp.home}/flows
 
 # Set the location of Velocity view templates
 #idp.views = %{idp.home}/views
 
+# Do we fail on velocity "syntax errors"
+#idp.velocity.runtime.strictmode=false
+
 # Settings for internal AES encryption key
 #idp.sealer.keyStrategy = shibboleth.DataSealerKeyStrategy
 #idp.sealer.storeType = JCEKS
@@ -57,9 +72,9 @@ idp.csrf.enabled=true
 idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks
 idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver
 
-# Settings for public/private signing and encryption key(s)
-# During decryption key rollover, point the ".2" properties at a second
-# keypair, uncomment in credentials.xml, then publish it in your metadata.
+# Settings for public/private signing and encryption key(s):
+#  During decryption key rollover, point the ".2" properties at a second
+#  keypair, uncomment in credentials.xml, then publish it in your metadata.
 idp.signing.key=%{idp.home}/credentials/idp-signing.key
 idp.signing.cert=%{idp.home}/credentials/idp-signing.crt
 idp.encryption.key=%{idp.home}/credentials/idp-encryption.key
@@ -96,6 +111,8 @@ idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine
 # Configuration of client- and server-side storage plugins
 #idp.storage.cleanupInterval = PT10M
 idp.storage.htmlLocalStorage=true
+#idp.storage.clientSessionStorageName = shib_idp_session_ss
+#idp.storage.clientPersistentStorageName = shib_idp_persistent_ss
 
 # Set to true to expose more detailed errors in responses to SPs
 #idp.errors.detailed = false
@@ -111,9 +128,14 @@ idp.storage.htmlLocalStorage=true
 # Set to false to disable the IdP session layer
 #idp.session.enabled = true
 
+# Set to true to rely on persistent cookies for session management
+#idp.session.persistent = false
+
 # Set to "shibboleth.StorageService" for server-side storage of user sessions
 #idp.session.StorageService = shibboleth.ClientSessionStorageService
 
+# Name of cookie used for session
+#idp.session.cookieName = __Host-shib_idp_session
 # Size of session IDs
 #idp.session.idSize = 32
 # Bind sessions to IP addresses
@@ -149,7 +171,7 @@ idp.session.secondaryServiceIndex=true
 # Defaults to text displayed to the user.
 #idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text
 
-# Flags controlling how built-in attribute consent feature operates
+# Flags controlling how built-in attribute consent feature operates 
 #idp.consent.allowDoNotRemember = true
 #idp.consent.allowGlobal = true
 #idp.consent.allowPerAttribute = false
@@ -182,11 +204,18 @@ idp.bindings.inMetadataOrder=false
 # Whether to require logout requests/responses be signed/authenticated.
 #idp.logout.authenticated = true
 
+# Whether to handle logout lacking response endpoonts as asynchronous.
+#idp.logout.assumeAsync = false
+
+# Whether to hide logout propagation status reporting.
+#idp.logout.propagationHidden = false
+
 # Bean to determine whether user should be allowed to cancel logout
 #idp.logout.promptUser=shibboleth.Conditions.FALSE
 
 # Message freshness and replay cache tuning
 #idp.policy.messageLifetime = PT3M
+#idp.policy.assertionLifetime = PT3M
 #idp.policy.clockSkew = PT3M
 
 # Set to custom bean for alternate storage of replay cache
diff --git a/conf/ldap.properties b/conf/ldap.properties
index 45b0be0..a711d75 100644
--- a/conf/ldap.properties
+++ b/conf/ldap.properties
@@ -1,5 +1,5 @@
-# LDAP authentication configuration, see authn/ldap-authn-config.xml
-# Note, this doesn't apply to the use of JAAS
+# LDAP authentication (and possibly attribute resolver) configuration
+# Note, this doesn't apply to the use of JAAS authentication via LDAP
 
 ## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
 #idp.authn.LDAP.authenticator                   = anonSearchAuthenticator
@@ -7,9 +7,11 @@
 ## Connection properties ##
 idp.authn.LDAP.ldapURL=ldap://localhost:10389
 #idp.authn.LDAP.useStartTLS                     = true
-# Time in milliseconds that connects will block
+# Time to wait for startTLS responses
+#idp.authn.LDAP.startTLSTimeout                 = PT3S
+# Time to wait for connections to open
 #idp.authn.LDAP.connectTimeout                  = PT3S
-# Time in milliseconds to wait for responses
+# Time to wait for operation responses (e.g. search, bind)
 #idp.authn.LDAP.responseTimeout                 = PT3S
 # Connection strategy to use when multiple URLs are supplied, either ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM
 #idp.authn.LDAP.connectionStrategy               = ACTIVE_PASSIVE
@@ -51,6 +53,7 @@ idp.attribute.resolver.LDAP.connectionStrategy=%{idp.authn.LDAP.connectionStrate
 idp.attribute.resolver.LDAP.baseDN=%{idp.authn.LDAP.baseDN:undefined}
 idp.attribute.resolver.LDAP.bindDN=%{idp.authn.LDAP.bindDN:undefined}
 idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true}
+idp.attribute.resolver.LDAP.startTLSTimeout=%{idp.authn.LDAP.startTLSTimeout:PT3S}
 idp.attribute.resolver.LDAP.trustCertificates=%{idp.authn.LDAP.trustCertificates:undefined}
 idp.attribute.resolver.LDAP.searchFilter=(uid=$resolutionContext.principal)
 
diff --git a/conf/logback.xml b/conf/logback.xml
index bf38b44..034886f 100644
--- a/conf/logback.xml
+++ b/conf/logback.xml
@@ -48,16 +48,17 @@
     <logger name="org.ldaptive" level="${idp.loglevel.ldap}"/>
 
     <!-- Logs embedded HTTP client messages -->
-    <logger name="org.apache.http" level="${idp.loglevel.httpclient}"/>
+    <logger name="org.apache.hc" level="${idp.loglevel.httpclient}"/>
     
     <!-- Logs inbound and outbound protocols messages at DEBUG level -->
     <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages}" />
 
     <!-- Logs unencrypted SAML at DEBUG level -->
     <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption}" />
+    <logger name="org.opensaml.saml.saml2.encryption.Decrypter" level="${idp.loglevel.encryption}" />
 
     <!-- Logs system properties during startup at DEBUG level -->
-    <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props}" />
+    <logger name="net.shibboleth.idp.admin.impl.LogImplementationDetails" level="${idp.loglevel.props}" />
 
     <!-- Especially chatty. -->
     <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec}" />
@@ -155,6 +156,8 @@
         <suffixPattern>[%thread] %logger %msg</suffixPattern>
     </appender>
 
+    <!-- Top level loggers. -->
+
     <logger name="Shibboleth-Audit" level="ALL">
         <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
     </logger>
@@ -172,4 +175,22 @@
         <appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
     </root>
 
+    <!-- Example routing Password flow auditing to separate location (extend to other flows as needed). -->
+    
+    <!--
+    <appender name="IDP_PASSWORD_AUDIT" class="ch.qos.logback.core.FileAppender">
+        <File>${idp.logfiles}/idp-password-audit.log</File>
+
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+    
+    <logger name="Shibboleth-Audit.Password" level="ALL" additivity="false">
+        <appender-ref ref="IDP_PASSWORD_AUDIT"/>
+    </logger>
+    -->
+    
 </configuration>
diff --git a/conf/logback.xml.dist b/conf/logback.xml.dist
index 730f583..0124fce 100644
--- a/conf/logback.xml.dist
+++ b/conf/logback.xml.dist
@@ -48,16 +48,17 @@
     <logger name="org.ldaptive" level="${idp.loglevel.ldap}"/>
 
     <!-- Logs embedded HTTP client messages -->
-    <logger name="org.apache.http" level="${idp.loglevel.httpclient}"/>
+    <logger name="org.apache.hc" level="${idp.loglevel.httpclient}"/>
     
     <!-- Logs inbound and outbound protocols messages at DEBUG level -->
     <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages}" />
 
     <!-- Logs unencrypted SAML at DEBUG level -->
     <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption}" />
+    <logger name="org.opensaml.saml.saml2.encryption.Decrypter" level="${idp.loglevel.encryption}" />
 
     <!-- Logs system properties during startup at DEBUG level -->
-    <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props}" />
+    <logger name="net.shibboleth.idp.admin.impl.LogImplementationDetails" level="${idp.loglevel.props}" />
 
     <!-- Especially chatty. -->
     <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec}" />
@@ -171,6 +172,8 @@
         <suffixPattern>[%thread] %logger %msg</suffixPattern>
     </appender>
 
+    <!-- Top level loggers. -->
+
     <logger name="Shibboleth-Audit" level="ALL">
         <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
     </logger>
@@ -188,4 +191,26 @@
         <appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
     </root>
 
+    <!-- Example routing Password flow auditing to separate location (extend to other flows as needed). -->
+    
+    <!--
+    <appender name="IDP_PASSWORD_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>${idp.logfiles}/idp-password-audit.log</File>
+
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-password-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory}</maxHistory>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+    
+    <logger name="Shibboleth-Audit.Password" level="ALL" additivity="false">
+        <appender-ref ref="IDP_PASSWORD_AUDIT"/>
+    </logger>
+    -->
+    
 </configuration>
diff --git a/conf/logback.xml.tmp3 b/conf/logback.xml.tmp3
index 4674e93..989cf30 100644
--- a/conf/logback.xml.tmp3
+++ b/conf/logback.xml.tmp3
@@ -48,16 +48,17 @@
     <logger name="org.ldaptive" level="${idp.loglevel.ldap}"/>
 
     <!-- Logs embedded HTTP client messages -->
-    <logger name="org.apache.http" level="${idp.loglevel.httpclient}"/>
+    <logger name="org.apache.hc" level="${idp.loglevel.httpclient}"/>
     
     <!-- Logs inbound and outbound protocols messages at DEBUG level -->
     <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages}" />
 
     <!-- Logs unencrypted SAML at DEBUG level -->
     <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption}" />
+    <logger name="org.opensaml.saml.saml2.encryption.Decrypter" level="${idp.loglevel.encryption}" />
 
     <!-- Logs system properties during startup at DEBUG level -->
-    <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props}" />
+    <logger name="net.shibboleth.idp.admin.impl.LogImplementationDetails" level="${idp.loglevel.props}" />
 
     <!-- Especially chatty. -->
     <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec}" />
@@ -171,6 +172,8 @@
         <suffixPattern>[%thread] %logger %msg</suffixPattern>
     </appender>
 
+    <!-- Top level loggers. -->
+
     <logger name="Shibboleth-Audit" level="ALL">
         <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
     </logger>
@@ -188,4 +191,26 @@
         <appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
     </root>
 
+    <!-- Example routing Password flow auditing to separate location (extend to other flows as needed). -->
+    
+    <!--
+    <appender name="IDP_PASSWORD_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>${idp.logfiles}/idp-password-audit.log</File>
+
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-password-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory}</maxHistory>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+    
+    <logger name="Shibboleth-Audit.Password" level="ALL" additivity="false">
+        <appender-ref ref="IDP_PASSWORD_AUDIT"/>
+    </logger>
+    -->
+    
 </configuration>
diff --git a/conf/relying-party.xml b/conf/relying-party.xml
index 439e7f1..26c6c17 100644
--- a/conf/relying-party.xml
+++ b/conf/relying-party.xml
@@ -27,24 +27,29 @@
         </property>
     </bean>
 
-    <!-- Default configuration, with default settings applied for all profiles. -->
+    <!--
+    Default configuration, with default settings applied for all profiles.
+    
+    Take care with any defaults you apply at this level because you will have to create
+    overrides or apply metadata tags for every single SP that requires a different setting.
+    Changed defaults should be things you really do want to apply to nearly every SP.
+    -->
     <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
         <property name="profileConfigurations">
             <list>
                 <!-- SAML 1.1 and SAML 2.0 AttributeQuery are disabled by default. -->
                 <!--
-                <bean parent="Shibboleth.SSO" />
+                <ref bean="Shibboleth.SSO" />
                 <ref bean="SAML1.AttributeQuery" />
                 <ref bean="SAML1.ArtifactResolution" />
                 -->
-                <bean parent="SAML2.SSO" />
+                <ref bean="SAML2.SSO" />
                 <ref bean="SAML2.ECP" />
                 <ref bean="SAML2.Logout" />
                 <!--
                 <ref bean="SAML2.AttributeQuery" />
                 -->
                 <ref bean="SAML2.ArtifactResolution" />
-                <ref bean="Liberty.SSOS" />
             </list>
         </property>
     </bean>
diff --git a/conf/saml-nameid.properties b/conf/saml-nameid.properties
index 7169c5e..08b66c5 100644
--- a/conf/saml-nameid.properties
+++ b/conf/saml-nameid.properties
@@ -25,7 +25,7 @@ idp.persistentId.encoding = BASE32
 #idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
 # For basic use, set this to a JDBC DataSource bean name:
 #idp.persistentId.dataSource = PersistentIdDataSource
-# For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore
-#idp.persistentId.store = MyPersistentIdStore
+# Controls which JDBC error codes are treated as retryable
+#idp.persistentId.retryableErrors = 23000,23505
 # Set to an empty property to skip hash-based generation of first stored ID
 #idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
diff --git a/conf/services.properties b/conf/services.properties
index 8150d3a..6e507a2 100644
--- a/conf/services.properties
+++ b/conf/services.properties
@@ -70,13 +70,3 @@ idp.service.managedBean.checkInterval = PT15M
 #idp.httpclient.socketTimeout = PT1M
 #idp.httpclient.maxConnectionsTotal = 100
 #idp.httpclient.maxConnectionsPerRoute = 100
-
-# These are deprecated properties that configure the old caching HttpClient
-# beans that are no longer supported. If you want to manually configure
-# the caching clients, you should define the beans yourself and if desired
-# rely on properties of your own devising.
-#idp.httpclient.memorycaching.maxCacheEntries = 50
-#idp.httpclient.memorycaching.maxCacheEntrySize = 1048576
-#idp.httpclient.filecaching.maxCacheEntries = 100
-#idp.httpclient.filecaching.maxCacheEntrySize = 10485760
-idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache
\ No newline at end of file
diff --git a/credentials/beta1-keys b/credentials/beta1-keys
new file mode 100644
index 0000000..1767e17
--- /dev/null
+++ b/credentials/beta1-keys
@@ -0,0 +1,100 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBE56gwwBEADI6Y7tBIdYr8t0zfHU2hRbD7GfuanIkn4Fhf/CZ7ICN+SfA/XP
+JAx3HDRkM/nc65U2mKG7vG3zlNOcKgeFoCwqhlLc4sSGP6DDoPYKtZOLEHwA/sIy
+Lldw3re5KbCFIElnbBW/0av15IGHXgyylmG24jhlY/ufjLd53Qm4agxv51kdYdgH
+cI0djzLqvMWTabWhw8QtmitPZSKdqOwTqkIt6bYAdOvc9r5bvAzemw6IO01L9aX7
+/yFIVJAYySL/UpbEtLcl3B/qXUXwhiq2bAUtvdmV+35FSMrAgfD25bYv+dVoJdtX
+Gb4tQcPteSRDIQYswT+bilEtGOOu9vqLvko3hSHOK2Yqc8SufDakrOlCWO1R00Sw
+QHGSkPKgA5O3RpOz3qbuPN6sDt/7FgqyzB6VqF9445bTqWDfIihXEAFr97gf28Xg
+ngAn2Tp8ZZ6zTzYWv3/GGvCedCcrHrIG/nKf0Z0/1q9Uf8P7crv2udGuZjs3bMtY
+RQNKzki/wKRuGnZ7HjgOEDIe8E+QMs+568i5vYqdaNrmCxUodRFjwkZ/0aRuHzxo
+JNQaB/r2Ckj5X/yEX6f45D0hiwBmIFz2+VUnis7RAPelcUl1X/kT4p/3gvKSsFE0
+Ti7JWCY9e+ntnzcsb4ywisFen9tQQPP4G++qnhGyApz323LfDVPJkFWWJwARAQAB
+tB9TY290dCBDYW50b3IgPGNhbnRvci4yQG9zdS5lZHU+iEYEEBECAAYFAk6DTO8A
+CgkQ70D8KeoogrukNwCdGX5zZOsC44CjV2AopI8KoMFJto4AoMH+qA35GIBUkEt8
+IoRVFs1rp3TGiEYEEBEKAAYFAk6ApGIACgkQpXtW80eQXRUgxwCePIV9LehYh+Ji
+o8mtQ74I/NWvfDQAoLmXTfmKAganE+r/FcCcwykzj70ViQEcBBABAgAGBQJOfS4a
+AAoJEH8LUwap169VyrAH/1lrWiCJarm8eFLNlajcDt5TR5ZpanZVUbuzAp9Jk8Xt
+BkCMssnuzcqqSbGmq3P6CuaSTx0BybBOhRgC+UCb/DCS0TGomJYUTcG7e7MyJZC4
+ocarORGURABk1UK/fkgEBn+9o2jdDlf7bm7JHlZJ8huLjiAq5fapzp5WhTUAcreH
+jYieTS5umt01yxFatxhqiTbNXzs1c7Hc19rW4cTLREm6YQUNwTIxqJ2hHyDfU13e
+phowv1DpoAwLXdHAsNy/C8RKRlr0Qc4snihVkGevLNWatYK4HP6M0tEvGX9CpnTX
+pOsLZkfp96RMtE2TEvMEEA0HVoZPE7/kCyYR5DForeqJARwEEAECAAYFAlQtSU8A
+CgkQWcpz+XPnY1H5dQgA4p+myZvcKjMAfhgvQZtEeqeSloZIcyYF1NyWJp0WAUUK
+pZKdYYauaxPVd9l+iqz0dBlVotx5CHuymbqnj6JiX55kfKsbClWcDUs0wE6NGH3m
+evosr55/17u01yFGw2KhbevdpgO5i+rNAliFe5LkZ+50CEzWcO0Io2ZhXy+qYpcz
+Oy71ezwstgTJG2guH5BpbcIKku75dauPkD106wmSSswA+D95nXiJ5CFSdK3c4+Q2
+GDbXoIxJtKECb0c6tsjhU1TSPgc/XeeWqAaH/z4u8S5QlQCrMYHOMmvi8ExIrZG3
+3ba8qvB4RhSMKq+5GeJ3Gsgytp/Kc7UnVo09XFYkYokCHAQQAQIABgUCToOQYAAK
+CRCagE6X1wecd5lDD/9ChSLSg/WWnsyNsUoai8KIJBTWoTRgQMemSQPHCP/KgYrf
+KU4Z3fat6DPdO6hXgA/tkXt5m+shexUHmnZvwUvgiQEmL39xdQl1n5zL/QJ3u+K9
+3jycQFM1m8c2TIrKMVbz8VwTYjLKUkhv1pxXZadmAap84ynyT+UpzN/M1ppXcUVV
+jXlDVDuF5JSICh/zn93EA6hbSLWPt2ZE0QpEciZ7S/vVC/4nvXhz3m6ODV3zeshr
+m5V8P8R4Fsmf1a9FY7s49jKWG7Ike6u29DYIkv39FQveYixo3FMfB5d8q4uzJigi
+RAvsekMgYOlnmM8yu9JJ4//zCBj81Q2teFixUrTQON369X3bnEOt0Djqk0QXgXCU
+vhYUdmAa6s/EZgngxeV5axDbW3vQa9Mki3UWsXnlpi4clx/nH7xWKcba27WkImDl
+v3g4n2SbUFj/GOCc3DFp+qmWwFV8yMs300zSPbAqr+CXO0GAitoqpmhxCLmiauaG
+ImnWqt051YWFG0hjaQLKhfjzXfsVuyEDD870RMXqnkS4oQd35OOy1OFbqgghxtJX
+o8oCL2fRwvlREv0ko7X6rpCxPhiyy6LFoHRt+4X0G5h2/LbGjIV4oPi436pJyozb
+83kCh5yGP1oh+GrKFfgTHxakp3MTNXzil8a+9aTyQRlARIevaFlGrKSR0umqaokC
+HAQQAQIABgUCTpRR2wAKCRCgs8sJ0rNzUwVbD/4ufRZKllrocevu/7MEiNPyBYo1
+xOHhBjXXBKZqZmYUnoWmcp8mxAGdLDmHrKFni4v6mv9eHOcNkljKF1Heei9qbKsF
+9UkeSlCNzELzRoQJ2wjP7enW80QoEWcAN7P3SBRwVE1XF3zBo5mwN/RXBGy7xy/6
+6Yy378uunCwnPyZabNTWrMhOIAw3Qhd2fMCoDt86sVm9x8CfQzJI8YPJOFSwbSuX
+YMkfx/Va9sO5A9LDaX79abafHAHiwJBiGeu8W7VwJYh5acr/lTUQbUW8Hlco5IKz
+3Rjd8t7qfCWpcALR2pOPYJaii97lEonrtT9Hx+iL9gma9PN1D80ty7bMYYtOdMsk
+udH8XD0FBKEi0ViT83lzl2Wz3T/2INdJsuHLhLMo+R2wrE9M4jLsp6P4qRJ3NVpj
+DkNe3CXwVQgQ6Q+EjtXGb541MvZY1442pHPE7c6eTDIgw5P7LpH0Jcim/iXQdpPW
+apdLB1zxntmCRyYyDYhd0KNvWNDRsr+PAE2XK82KD8fF2r3m8eULm4buGA8tf2sq
+uQ5K2okLlZT1NLIXmgThSDgSBjy/iFUz95AmtYdy2eqT5oRgXAsJDKMCl+nO5/1s
+IRA1sRHaXCnPczQkiXhKidiVOuRpkThx3mMxYhIV2wYCG/pEpoeCHkuUMiBDSRpG
+DaxucQQJR9r83xK5JIkCHAQTAQIABgUCTnvvowAKCRD6QbX3MKI2LppVEACA4l4N
+BK1m38ziJZ0IBlWBKgXi4v0LK0jv1WrsrQzLWijoHSaLMt9wzbXjDyAlugxq+8Gf
+PXr3bmV5Zyo6MeJiybLzQCXzbsPhpN3iT7tRAnU5EX7Qef390oWHB9GSTr2jE8yw
+3dmx3UGFuP4ELmHIyxYvWSdSjGTPROVONRruR6/yVCrzy/51VPY4vw59Iv+JxbjY
+5iE00TNtaXNcH2M9K7xnwrjSAGE4cViHpV12gqRdD94X8F/xKCxPD+kJCaAIKD2u
+fGcdanabU6lM+UyrscNvnpXjDUFHdldE245yfdBgbm8RLWzJJKz9ETz/rYto+A6F
+NZPRocbaeSv0A1J6v5MkmqNVISORxyCznhu+30s2Knw2Mn02quM/CxadxrrN/3ZW
+Gcat29R3KG7OF9qEMV+5NJ84MHNqmUdCYSjdKrh4VGZcvA/+KrxDdlKmuk5Lj5Qt
+b3QAv0ql6cUEEJ+ekunzQmW8UHz4XOwJ5r3OI1wuGdPShK6ItLls2W3Hxu3vDRFW
+2trbj5/GHn67aJCRqkLtxRpgN4o9YPvC8kdj8WO/iMw10w7OfprEA8S1CjnOwkZw
+Q6Mqr+JZZk/MKFHAeywIiLE1i1VPel2s4o7NXaaFthoFR33RIW3LMGFUsyfqyL/t
+RGzDG3fso5VOy/4fiGulJ8YrWW9KjXGudQIb3IkCNwQTAQoAIQUCTnqDDAIbAwUL
+CQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRA3i4RUAid5Yun8D/9dC3GDJEIVzg3j
+tvkJD08TNVTMUwSQozN2V+WaQgglKJSboR5ajZY6SVMeqtlT+1LzcdU9c3lpQq0n
+B1GZ8WkugYdFk8/0njXTI9Tw1i2Xhp/hKJEUzUkcx1NlyYHZ1EQjW/KVnq0rhPAb
+qDDlyET/qo/38SrzZqOauMye8uT+aqUElF8W3U7l4t4C7ollnwychRrOaOJjSAwL
+tK1WJIneDqLxzDv+bVmoZL+7Vw7iry4xwYovZ+7CpaZsicTJMYvo/CXG2qhyrvJ0
+DcxEIdhk0KiPkiP7Nd3b52vA4Z30yjfwqkoC1XlpzeD4v7il+L6HdcOigl4PDr85
+Uhoo//5SB654tmTL2a32w8GnCK/b8ySu6XwlUISiUABKGerycBeThz65c8Ud67Hi
+P9QDK7+sEpqANxuX1IfwhCAnvdDKc96Y8kO8aC4pfO/bTFhhkyARMW98CVyP4XCy
+wPXQQ75w5ekS/wecgKzYk/4S4aH1vErtDeY3WF5IDNTAOau747vgbf8nz0gxBwWg
+Kdlwh11zslKV1fLPML7tiVyT2id2pGGOO3gUJ5Bu4LeUkLndQZeERZwWcd0IhDsE
+JWIazg0lbEWCLtW7Cf/B0/X6MT9wq8aq64UMksnOU6iI91ZkH3mj2I8Ty+nl+ZXU
+t1cVgj+AyYdyHIWLHfZkQLvkH5oJ5rkCDQROeoMMARAAtzb8+leM9ELMiTgwb4EG
+KwY7wNt6mWOcrlvwp+mnGN4VPJa0ftDn/kFyPxtFkg4oVlHlmPUGk5RukRrl9K3q
+zHMuWa+NqhjM69Fw9hZlvCcL0bqqq/CKB0GyJX/bn2V/WRgAuVQAL8P4fAQ/t8Sf
+80lTTQ40ImE6F//n52AFsK0S5+gG71iCANY6DuMz4GUPbwTV1FKZqaYVdiz4Erxd
+/qaurPDcgcaqtiSQnOf6qrYIX/LZqwQrpEmruj8l5xP1N8eTLtx0iW/mB0AXYyH2
+eXmtclHTYHjvoPgZajSO2obnLdDngqJ5zHZXkCX4RLFgCq/3A4NvxLOtVDYyiID3
+HcQ167aDbpjMHetleUKXMWIA4/6o+WZs9bhbgf6xDa73Qqug8RP4VX7FBrEe2s0x
+cc9d15YbA8rGrq4jvGB3hUEw/tK/3uVuft+mRrHqNFEjKs49MKTc8vu4CyxQN21O
+6dfrp/84MD93VjQUkYUrL2zxbJcBvQTA5SuE0mqBR/e8IH8UBYmuM4nWdUuHNTsw
+KqzRsAqdPfZ1bNnfo9empNFEl2me2IXhNgiBpbpGEFWY02bEXdtCId/hpMNhE3y6
+pxJwTtxqj1Kw+u32qcL0lswz5tCF0CrW5ha9UDzO5xH3kY19/NXUnb2WFNqViy02
+KwpbHG5jQcQ206Amwo/Fun0AEQEAAYkCHwQYAQoACQUCTnqDDAIbDAAKCRA3i4RU
+Aid5YjyED/9vz1JX0q4TEFVxzgla8BbhVwlaXoOmbJcOxw8ne2qO3NZ+ecnoWS0d
+DRe1AJLcaAgC2hwpDpZ3Or5bCpQSUBlwdA/rxOMJom7GKYO9oGp54V+cjNlzJpb1
+1cKuYzj6HdmVGKbzo65G8tYUK0fDTsjWWU4Mh7HAztZH9Umh0e9103DfkGf2uS8e
+A8WVc2sBwCtlfJTilyJ7LxVO+vfodb9RKTPx0PGbQBNbFaxmK64Sz4xjVUTZiHn9
+j329rTDv7yzQuCiO+CWSy7Ti789bRcUgPWv2bbg4UlTPn40OIfAUb/s1P39J3lID
+g4GstZcBjGNTa5o65tF3m0+s2mDbDAToGqzqv0fHE6iDDvctudFZoUbgJ/5DSqsA
+5Xe5VCRRvwR3S9t7OJS4eQdxDYWxgPGhoovNdzPePTbdIfkWBw+Wwokj0rsAUKfx
+7jXZtjYXfG6NJdEHqGQLYeW23kMmxIdoY1jjWOEJwdD0q8p7M2aum9Ncjn1sW/RU
+PPLu+U3rtjc6fhf4VWpvp6NVp7a8/6cgSTZL4eavYIOuXDCa44KsnGhWpPBOJNeZ
+WvCkgGNCUbzArnre3iDTnf6iJ1aMrXToN838IV2svifkAvEnMkhYfjUgDIFOMOrs
+fLhRULAR6zzyXiJiznT6rjlxlixsKazyy9dLC3qlwC4pCIpol0QKbQ==
+=96Mf
+-----END PGP PUBLIC KEY BLOCK-----
+
diff --git a/credentials/idp-backchannel.crt b/credentials/idp-backchannel.crt
index a4d86af..d42aba2 100644
--- a/credentials/idp-backchannel.crt
+++ b/credentials/idp-backchannel.crt
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEJzCCAo+gAwIBAgIUEtJU0oOkMid5473At++VFGAbX3gwDQYJKoZIhvcNAQEL
-BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTIxMDMyNDE1NTQyNFoX
-DTQxMDMyNDE1NTQyNFowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN
-BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAq+6x7Ay8s9vl/r+trvJMbwdXiFxH
-PwQeJ/Oof48EWuP61zluBENhk9E5rdf2zlCxkfiB78G8YFZh9ZjcWkIR63xIO9YA
-+NuQg+WOPu8fvegcly0ulg2dRXvi0b7q/FsK1MtKcxRECpTNu2DD6K5oHkjf/nmp
-nJIlAxvYyP0aqwEy+qq1NFC+WTjoFP7ZyKt+oSz08ONV2v/1dNRwcjfgc8MJcoq0
-Nw56mGZ2LlTidXP8lQBpsQ6/gJvdnVv/B4q8fVS3zpFgokkyQM6eW1ZpGjPY9K1A
-paLcAio+MCoPbRJwAlI+5tdgKMMvz+xq4RN0e68IIZS4IgmkVem52uJcfUiX297F
-Ar1QdH4NZvijir2Wt4xYMxpThsV6n7F88wWzJj/D5bErZeIWG+DWJq2FZ7rqq3Oc
-tz22TH3iBkYrSvFG5nwyHQJaptDDMm6OpWTfmcjh9jT9H6mz4BdBln2uJUswVNGG
-bR9w9OcXqYN6X8bll9Q9XcVZh2uBgPB3NWGzAgMBAAGjZTBjMB0GA1UdDgQWBBTc
-BIECuv3b1y5K9FBK2zKFc2j4HzBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG
+MIIEJzCCAo+gAwIBAgIUZZ1ALRCNTEGZYSBsigxOeq+v1C8wDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTIzMDkxNDE4NDczOFoX
+DTQzMDkxNDE4NDczOFowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN
+BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAmYDThO5zYOJ9ZHwIXdr9NoifSnYZ
+QpSJzwYr8dX+DxOyL3gWs2N+z5PnZJlBuxtCKKvgmJGT0uomKj+PFD1OSgSz5gv9
+LwBJxGIzqQpiXyYX2Lol1CYlBno+p2oqM4eGadjMp9doHxRH+sbVzn6+5pjC6zIE
+dYLZ4oGdWZrel9JcjRXTuYzPMKrnioQd6bWS5UJDtXuPxAODP9t7R7e6RSEREoMe
+eJ/jO0M92383l99wB3OkkdjJpvzFnJLHuOG1h22ObhWIqUCyjBpN1W3jmGfkonfX
+j2IVqjXerP9RWUP6yE5GH/m4dTlmoy1nMkwE+kkYD8CLNsjnV1ztqjR6gFdaQTuH
+i2mKwvC0wh9gh/tqkYju7FtjT8mMgQh1rv2g6qtinM5aP6XLsUN9X+NTR2bhpP4N
+Rx32uBnwVPjUTuSXSUgNdnf4kT++UT/waznAjYB6pYUvqix0re6hhrTrOvkWSLSR
+KIrSxtR88oL+t+DgPfbYTYI4FypPUXr0TNhvAgMBAAGjZTBjMB0GA1UdDgQWBBSY
+fAaupAgeAd0fKfSj8Xzx4+cVajBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG
 Jmh0dHBzOi8vaWRwLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3
-DQEBCwUAA4IBgQAQsx5PLHRi8+WjBTSW6RiNiSRFTpNKPdFzoKDhpaCVSlrpjgzp
-0qD7QorlKPVJNUhl56Fs2S6oWy6e7lb1eBPBAfCNqTalFJNnDdMvZh02FCecbE87
-6Wv7JcD5kA+f6HUDwmaB15fabheSE3YMGQFtaEidmd/jd23CaDL5RNeHUoKS6JHC
-yNsUlZ+R0Cq2ia2wLhW2Z2CYpNh9JM/LOmcTslOgmThNeCnrMIikWSTLQ4C3H9/R
-/iN8NaQhKn4vcYTwEqiaVFQbIU2mQQLT+YK63L4S4S339IsjZiqGEw8DKBnfjL7b
-D1snXa+G6MiQJNcuChuvGfGSlXCSFjtUr9vivzHeGW2h+6uStzTuZ7t5NhQMRTFD
-qT+gyCR/bzsEUh1Lj3J2mFPM/cUSlhH3H0TJcVT9GZUzFNAP0qbaFs9PxXH2gpDI
-XrshYcEiXlj+dsSUNhaCqYibPwkHrRBIAqoDGdMFI+Y5SePVo4ksA55m0gPeY+FM
-mUbCNQngUzNlYPU=
+DQEBCwUAA4IBgQBfVjToMenwC4TUFk/cHv0/AfblQLKA+qeJNxZVAleKbkfAncqD
+q7PTWFGSTX4z0jfR/STUArVLlmKN15PRS7D/b/7SbXvWPP0cMIc/JOqZCSO4MC1T
+sRy94BNUKmifY0WzR4i03XwAkl3MKZ7Y1dj8xDAe6a0owLszyZfECjrOwgEoe1Gd
+RLJ66EtweqrOyjfyIy0r2VRE4HIE1jaKMyTZHTKksM8vaJVMUjm3czymDPOBikKY
+rvCGmQdh8QH/8kOIAlgKiMnoAYX5WjNa4Ai7om+gpTBACfBj32n/nDWhTlxwJ3nZ
+6R8dxYBFiAo4WOzcSbY0ig/sFyzPRhdvs2SivJYyxSl8tloXYzMUAdPmlVA03NYq
+7j8R8heok2y508RH/v/OqqXKm0JCT5OeL9TwGXMt81sIdTINU1GVEXa8aeHE6T/6
+fe5APorQU5n5RNEeC5dVODD92cF2JSk/fi73I1phtexF027d58CTzPpUJteQ9VRH
+JysbXuA3viPdblE=
 -----END CERTIFICATE-----
diff --git a/credentials/idp-backchannel.p12 b/credentials/idp-backchannel.p12
index 9e30c3d..b5501a9 100644
Binary files a/credentials/idp-backchannel.p12 and b/credentials/idp-backchannel.p12 differ
diff --git a/credentials/idp-encryption.crt b/credentials/idp-encryption.crt
index 10fa34d..c5e4b2b 100644
--- a/credentials/idp-encryption.crt
+++ b/credentials/idp-encryption.crt
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEKDCCApCgAwIBAgIVAPyKe4kuv7ZzU9YkyhDT6PWudYj5MA0GCSqGSIb3DQEB
-CwUAMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzAeFw0yMTAzMjQxNTU0MjNa
-Fw00MTAzMjQxNTU0MjNaMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzCCAaIw
-DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAL+i5PmO/JsPcM25CSY0zJeJ+rim
-4mqlr0sT7BRIEEv6ja9RAxRI3fRXOYfz6PxfF6AMsYy35bCueOAOcbr5IyCIhHiu
-HemT3ieiROoOUY3P0D4KdwC3cSxANc53pEIVsNd05Xxe2mVnGJ9liomWGl0Zsj4v
-TC6f7PFjAEV3JyaETMyLpKVH9rt9FVKPZ3zl9FN/nqA0KodjQVbJYjIyJsib3WBB
-WWZ6VgwErHQriCk2gIGrYbltcZe3ujKOpNaRiIraG1VPs/YaP0IcsPekS0Vy9qcF
-6Xq4xErWdR+Fh0v5iI6bZ3feKnGDO1q30M5I/cfkwW9CQd9zqLjM38MilFJYCoqI
-KbZRPvvKAt1B/JZJMhZZJaBy9y5CtTHnZiEZxdovz1R8BsZgmYgMRfIqTAN3+bYl
-kzfgaS/PmQkiY+iUzsi7Bi753Eqlaksa1xqeV7tkpVRDOUeTMOvjBzueQS1wdP7i
-VgiQrWF+EqBBxGY6QqlYdPbOZOwcL8nOE6+BwwIDAQABo2UwYzAdBgNVHQ4EFgQU
-N1YcXFUpP/ioF9ByIell/FLIxCIwQgYDVR0RBDswOYIPaWRwLmV4YW1wbGUub3Jn
+MIIEKDCCApCgAwIBAgIVAJLvssEzx/CNl7hX6vhAYmUSTlbPMA0GCSqGSIb3DQEB
+CwUAMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzAeFw0yMzA5MTQxODQ3Mzda
+Fw00MzA5MTQxODQ3MzdaMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzCCAaIw
+DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAI4Lg9rN4x3rux40VV0rDGp+LY4h
+UXvXhAWVmeqFvl4BV8ndCoaR04BiEOs7jl2WVljWh6bVNgGe/oekDdztVMeeumNQ
+r9Bnl9VuSR5BbNM8RpA/KaDYluKv97CntaWOYCkwZljb9Sn5/SpKEod/b6r6aHqN
+5W2tShg5HIwlTqhAq3SnygYQk133B4r1TzTiRfk4Ti5kVw3Nc04Gmv6fdq5nP7gC
+I3tgl4zEK8XuHDgdN6mG3prE8LFTLO6VARFpEWQQg71Iu0vJhqpGBjKbQliejiti
+dzD3AvGSakA7Gum2A6V/BDXFZd/pjctgutXqJ1aBQ1F4DgEredLqORkyK3h6+ufq
+1hG47fxGvgJF5NV9KyPrxNVdNJ9c7i9oDEjoYD1oX7T48xCnUQChLK+80pWBNDSS
+5YdxeCdoci3C/T3uIePZetsEQ0u+zc97feqaINI983CIN839hFOOQQ6Y9TBBxTkd
+i4VXkWa3E6RqiUBAld4H1SN6rkRiGNhoeZ49uwIDAQABo2UwYzAdBgNVHQ4EFgQU
+4JYXPboLsz/+QjOITS7Ht6imKUAwQgYDVR0RBDswOYIPaWRwLmV4YW1wbGUub3Jn
 hiZodHRwczovL2lkcC5leGFtcGxlLm9yZy9pZHAvc2hpYmJvbGV0aDANBgkqhkiG
-9w0BAQsFAAOCAYEAq3MFr90wgCFV2fUdxACwnytfK3tlpT7bczA4ks3iUlMM2o8t
-QuaMe5pru+5nhMk+D8Be3RoIIks/ddxHwVKbwLjzJFEG/9S43MduXP6P3weMr0Y8
-lIqZrd65uaaEbAd0ldGSn6ekB+ERwDNC2aYghwMIPqyCvQo6vLRsBsnLEa3q63Xr
-GYbkCawtvMTINYxAgFP0vavxNXF7A9qqDCpS/m4QgdbL7DLEJTN/wCgJVPTA9f9M
-SyjcmSRJ2FMNHyRgor26jT0rCeUNJ1MgM0kA3hwqW5eK+nj9OZWWVjOZaAkdVRn1
-mGJoRmtK/dGE4SEXfyIgWqQfdGOpIAEkIG9EHaH37Kg+slMjb/ZwN/riShIxPacT
-YPkAC/AqRaiJOzvi4ZB9OtjC3wyoyak5e33p5DnCIQ2+hEbebAsnYWP6Yf/c1KMw
-1Z56FlQwmY1yBZ6+yTIR0jCKWj5mFuahsDW7VSkRUBmt55Q/o24YbHfLioYRSJAi
-uADV9N9NCGawgJnf
+9w0BAQsFAAOCAYEASeKc1xHMb18Qw5SF7D7sRRqyDoVwrN8ZHUDEE7zVMVeCkjCm
+L2GvSmbNpJfJbs78EsQt3mTTfroHByuH3LnTYv1i+CangdHrEe0K8u63pth0JjUn
+kZ3m6UPzGq69hZXIi3cLu0v6l3aywxjiQkNQg/3ndTrdL99/2AJS1TMknznRptGu
+bTbxvMomvKYp0O6WU0zcn3ElupZs2EnsOuM05QkLndh7KWodT5AjVODbiawVjfSl
+WB7INmDk1TVtk2nHRaoagjbcDKUWGHlXUsGgtqDuxb7THx2+glFaRGuUoT5LqZU2
+Zr1rwj9z7gKqZrpbkn2/xrA5W6M8WxUWGiPn6F+P+8liXbeq0MMrn6DWN8HKScVK
+vQy1G9fo3hHn0x+yAtWgEgi4GhuoaLFarw9oaVZP6yAlFrL39LWoj7sowCjoIK17
+pvgBrNqgolW25QHWLLG6SbAqIq9JxfiOxSs+XLWJorFtrmQuIap0e5mZw+hsuun/
+AcPlbssPcPJmxeCU
 -----END CERTIFICATE-----
diff --git a/credentials/idp-encryption.key b/credentials/idp-encryption.key
index b8ed07c..4ff57eb 100644
--- a/credentials/idp-encryption.key
+++ b/credentials/idp-encryption.key
@@ -1,39 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIG5QIBAAKCAYEAv6Lk+Y78mw9wzbkJJjTMl4n6uKbiaqWvSxPsFEgQS/qNr1ED
-FEjd9Fc5h/Po/F8XoAyxjLflsK544A5xuvkjIIiEeK4d6ZPeJ6JE6g5Rjc/QPgp3
-ALdxLEA1znekQhWw13TlfF7aZWcYn2WKiZYaXRmyPi9MLp/s8WMARXcnJoRMzIuk
-pUf2u30VUo9nfOX0U3+eoDQqh2NBVsliMjImyJvdYEFZZnpWDASsdCuIKTaAgath
-uW1xl7e6Mo6k1pGIitobVU+z9ho/Qhyw96RLRXL2pwXperjEStZ1H4WHS/mIjptn
-d94qcYM7WrfQzkj9x+TBb0JB33OouMzfwyKUUlgKiogptlE++8oC3UH8lkkyFlkl
-oHL3LkK1MedmIRnF2i/PVHwGxmCZiAxF8ipMA3f5tiWTN+BpL8+ZCSJj6JTOyLsG
-LvncSqVqSxrXGp5Xu2SlVEM5R5Mw6+MHO55BLXB0/uJWCJCtYX4SoEHEZjpCqVh0
-9s5k7Bwvyc4Tr4HDAgMBAAECggGBAIQTUJxu38o+qhAfJx8d5KPMhPAelI3MAzRL
-VrnjsNesp1ndC7I/RjnQo+X/ROQq5a15EiVZ2QQcO1KwodGrQ3p4nFRQLG1/a+0E
-+VoW5D5Iq80WiU4FIArPdkYGTz78lBTqi/9boEmi9GVnJkQNH75qp14UWv0HW9ZB
-1T4LEQCKziNrWt5O6s3tN3TfQQPjuLCTlE/1pBoLXkziHrtZtUEtqzVb1LG8PvGp
-hvHJzt4Yohi8dW3G8DMQfVO63ADF65OwjaMO4SmU/lbRDqJSvb4LxRiahRasBLYC
-qoqi53Y3grDiZMVd6XAnDrr12JzsgGDj2/j4GiMHSQKkPBMcy+SQpiVYV2jFiaGn
-31vJufShqP+70Vez+1DVwjj9Gf/R/3zipib9q8sz7UDkpi2Du5I2mX4K5uEmx9Aw
-hkZoqIM+yHegfDSIwCqHqNqh7mHOwHOmOAgFqkY2DNyTpA513iIUzggQ1pNKsg+d
-cLljbubz7KppNApcTBaZUSGy7KzFAQKBwQDnKoxT1feWZhsDPOFa474sebHfpsMK
-vlvnEUzG4UvBz/QqR8ib7BsT2ZuF90lo+NTDg6Wohn5J/gTc6z0J5SBhjDay21a4
-qaGTA2BZL6D1el3yBTI0dK9AA/1UaNGQN1MUNmHEXlxFuAh6KEEbau0qNNgxJXpQ
-90FzQaonHdstGRj49iHbX1xO28AYlRkYFzraR9u1M8wFcWnVpoJ8nHP3LH/Qwq3m
-8ov63Jl9YkxPgvOnZb3Irj3Pz20CIgBWUPkCgcEA1Dk1ewLqkxYgMEcRnGGyF489
-3K88pe28/HCL7qWUuIHyHHnym10S0qRHxApTPKhpJS7L/h46lqFfPuxvLHLfB8I+
-uXxq4TKHVRbLHxbcC6h7oHJS5Ezi+PCIFP8nINJ97wq7OWaPVn388MU8sA9khy5j
-gsyPoRj8QnJrWi37j6RFJWoYiCwFRRtCzhMRJUafuOba865h2wXUZwhfMPCuhA4u
-go5621Sld/RD9PajGsfiGx/5uMdtdvPwDzLXOhObAoHBANUKI1VIBes3ooFzZASN
-isAWT1VcrLeEA9KJ4QYQr+6oJc+pZDo+eB3tGCV4ZtE1MXAWLV+Iw26Rig3HRfOO
-lC8SN37SIbQBsQR5whuvh1l0MoxPOZuaRcBrbNaT2z5bnlcsXyHIDKW8GyPpYUdR
-Xczd8rgoX/eqR0lfJN7z5wBC9v7KZx1zXvDWGM0O65eGIRj1zIfMeqQxh2X9FJie
-30jWW90a7YW/1j2VfGdPZiCJAOAvJZ6C5jhUY5PpngHukQKBwQCk7Qy920dXJWPA
-gQqToGzZ2Ez4Gwsj3Dz5ZbGpte588Sepr6+1w8AkCN1o4alMQ4jrB5Iqm21msGQn
-r3C6d08SZYd/eMxK1IzNuJgEQiyhtr7UsuPuXj4pvivTPXM4E70grxNPCYAtdF3E
-81M1c9DpKUjWVojsZlFshiUdgQy11bCS4f/Mm4FA8m2ZXsH9WQQ5mtbfd06++qnV
-pHDtxK2rHKZSec3Kc97f+OlzDtU0s8/oypG0Yu+T+QE/noAaty8CgcBLiCGm3D4z
-eQvCyp2ifIx3aS0EPClKYME3x5TyZJbQ5EKYEsmWk5zpfNczwQCSjgnURs1X4Txv
-4vTShW6isvC4D1+nmK19jajlhk9humMshhLSkSsbWAMIJYtqwz/w6CN4b7QvXhcB
-x7d3BR8cL8/aLAJxBLx0hcenbEM6u8f3nAivllcrW0kMrJDErjT8unkQJdLWV3ct
-qvrSqBArpykBjayM52USIUuNZFUIvjmwN2XUlC46+388fWwIiPwnfM0=
+MIIG4gIBAAKCAYEAjguD2s3jHeu7HjRVXSsMan4tjiFRe9eEBZWZ6oW+XgFXyd0K
+hpHTgGIQ6zuOXZZWWNaHptU2AZ7+h6QN3O1Ux566Y1Cv0GeX1W5JHkFs0zxGkD8p
+oNiW4q/3sKe1pY5gKTBmWNv1Kfn9KkoSh39vqvpoeo3lba1KGDkcjCVOqECrdKfK
+BhCTXfcHivVPNOJF+ThOLmRXDc1zTgaa/p92rmc/uAIje2CXjMQrxe4cOB03qYbe
+msTwsVMs7pUBEWkRZBCDvUi7S8mGqkYGMptCWJ6OK2J3MPcC8ZJqQDsa6bYDpX8E
+NcVl3+mNy2C61eonVoFDUXgOASt50uo5GTIreHr65+rWEbjt/Ea+AkXk1X0rI+vE
+1V00n1zuL2gMSOhgPWhftPjzEKdRAKEsr7zSlYE0NJLlh3F4J2hyLcL9Pe4h49l6
+2wRDS77Nz3t96pog0j3zcIg3zf2EU45BDpj1MEHFOR2LhVeRZrcTpGqJQECV3gfV
+I3quRGIY2Gh5nj27AgMBAAECggGAAsxxje5KQwcQSJindQAPihBSoefXsUlEJzlJ
+TEWN236QdgBM2mFxPJFyECnfAG1+Wh6NZKfFBdubrWK/lHKEb2r3DCYoJEK0EPzb
+admCavrXc28b4Fu5590zPIWmeMbjTMUt2fRANUaPllKT7JvHqVILywVDI1nUSXv7
+TiTXqjYos1288DHsl45O7N91y9G3G35sF+mg0xh5qrJLEzRjYS13r5pKF9u0St+T
+fnttjqIFGWoD5Nx3qKSPkHqJWYg9EV72Gl5OUxY5lCxk4+ZK2Aj4cEsTIHS7TKlX
+wr/mfm3j462EVh/aHo6Terej2wD1QQiuQZZIKW1iNXnjfpYk7/0pViFyBpbVZJfb
+XWOjSg+QTVyM49zVGQI3xp3qILrItZ6lfVv3gDQd2lahLxH10Rc1wqbV1bdyLomp
+SwX5nQFs9KMRftYHy9Rbq0BnjxDgu/a2WhZMrva2YL1ycKHLdWGfVAP9ZMwO9LpE
+dWkrzuiVxzgDH6GqFcKVWUhBfueFAoHBAMOdHzH4mU3IWqfktPqh759Q/iQipn7L
+n4xkmwbsya9K7iSwlAzVqnuHCqq0wpGjwSdbr51UHbqNo0BF910VubWCB+wZbQG4
+4ceUjfizHso3GMpZdeFS/rpGCqwU1fro6PlTGcC3G/x1y9K181UfE569ohr7sZyr
+ZXhRIHYcFQXGpQshcf7GVV8X5Z0d2oKmd6qO+hilxCU4+uAkI2zRM4PdWTTClB0n
+UkbVS2xTJPQjg9y/gZ9ETrtIlFS1R+bv3QKBwQC55PvCzt+YlZLPTBmHuo+yP1jc
+BpZ0idO2l0geIVhKjfNoJDgfhtlB6WdSaV3fvVTo92DzKWwqX5WSLkLiXbHM8CAH
+tjxUa0raUhNQFzQe4GsBYjUPuaucwG+CThS3RiGHNHpI7qlPVUJUS3mvpD92h2IK
+QrE1Lt10P2kVp9gjE6kHQFubsZ2Q/R+ydHCaYHABkuuqwTLNgLDjHX9LvhiMhPC1
+FkcovtPBKwVIwXAx+Sg2jFMwyVvbDBYeZRiq1ncCgcA1kJ7sNiD0tbptYylTwGg3
+fhw5lOt2qRelgB8bhFeuEpynm1rPMOsgLFh1ak4lR2wq9OZf9Jq3bPWZMg+Mg9h4
+pYS52DSLVi8tUbaWtaXmxbOaJWksLGfoZimh+YqmzISPUXwp03psZW1M49ogIwRi
+YZc0QFvghOaiTcTP0tzG2iBzrdLjazgRdB/CKFyfjioSoFhHy4ysjK/WFM9GivrK
+TyCQW//nA8956gpfPV1PJTKEjkRWcoQEsNk9YO6xhFkCgcAXcv4bHdNwwPVq9tOF
+no//0SPZZW9XNgeh0cWEH3qutOdObLszpuQC/3lMGQSBc7WhSYtOQRxm3/XTIcjI
+Gz+RdXzk3CUSFRK1JYNQKA0oE/ELlKLS3/344QFv83+DevJBxuniB1EOM9gRIBAy
+isqCniNM3grShZ3jyxfrZmfKTPGWe5TSt/4DSxrTfQKzRpT6bdkSihppd+FYVOE4
+4brhBugCP9QsHJ5DkLSy78vCUgazktHvpobSw9yKawBIlJMCgcAmB89kc4xVTo5j
+9IH7eLD0MfATPN52lpKvTM77te5wCmWS4HdSwiTFx7tjZGGtP4zhVJRX4CuoZf7E
+WaTKXoTQlc+TddUhdJYvdrPtahCl+IfMydvgSV5FDrTg05pJbNM/vdqc+K9G+BGA
+fNRexLtGu/3Dzgd44+RIG4V2I4ew41k0LG0ZXFhJXwo/iVOWk0hVxf6ss/WouXpX
+QoPoNFqvRng0Xc2FpEA/elinM51zno5xq7GI15q/8rCaOC4dBZA=
 -----END RSA PRIVATE KEY-----
diff --git a/credentials/idp-signing.crt b/credentials/idp-signing.crt
index a7f2528..0996181 100644
--- a/credentials/idp-signing.crt
+++ b/credentials/idp-signing.crt
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEJzCCAo+gAwIBAgIUZMvUeW53jFMs4M1rlNztvoKNXGowDQYJKoZIhvcNAQEL
-BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTIxMDMyNDE1NTQyMloX
-DTQxMDMyNDE1NTQyMlowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN
-BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAvtENeKgTFxJ3l8ZTeaFifLRLS4da
-xjnKy7JpTfrVOqZHGUQ3zAwY4xifs5rbiBkOAiLLBIqjJJalZQ6A+fSu34eVYdxp
-5VY5L2gAcF/6kf+wOMCU2zdEwiewM9CZMo6HN77Z/ZEC1737/OBaRHwCEtC8l1Bx
-U0V9TgEB/n31mtg5h7FWDPe6dgo1NSeCjsKVGHrdG4Ozo+JHvklqy6knbqnNvPqm
-cLv4nrp/wQnRalqv7/26dlzoecXmCICH4cToBVACILXs331bpWEdHEc+bxInja15
-BOwb4pWLbqD5Qaj9hnPFCAKFtA+Ivb9PKV+44eNN3n73dYEPmx21QeqXWVfn3Ukl
-4lIIhFC9XETbmSI+V8HLYl7e7n6GKN3hdVip0thN5vyPWYBt2DskW6+QFXry2F+E
-qMxNHUqJt0k3uu4pTZ9f/DsQaA+/e+H23DGBIOytNzBz1jbU0Do/35td39YvRGN4
-T5KOuwmGTjrB6cM0/WOxJhaKourpM6qiDs0bAgMBAAGjZTBjMB0GA1UdDgQWBBSA
-UDgNLBosYiGapWvY1CIRGm5f/jBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG
+MIIEJzCCAo+gAwIBAgIUN5wi8O8FMY2nZCXakMaHkvb261QwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTIzMDkxNDE4NDczNloX
+DTQzMDkxNDE4NDczNlowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN
+BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAxM/ZTukRf08tonAflzexZJSSLGoW
+BOQ3JXzqWYh9gRW92S/MSyeBb0Ry05skyqgXXmuyg/lx9eJ+sziHcHdR0kkjE6d7
+0Un52SqgG5d1DHkB0kDpop0ePD811LQfBqXuZNYtlCqghR7e5mKGVZsKUmUL254V
+i3pSNyk5Kxae3R/WFpAg6Vo1i5e3odAc3Qr5H4raxY8IJfwK0GOzX9PMVq5O9dgc
+Fq2l+0NpmBGuovIjUEyqmK9FJykUJToXunjTdghnkuucR4Kpg0JjACSlcnUjO+2H
+2G3hMuoWdkAGhoj95kmIy78Q3OEv97F+n1ifvrWa3l2yzuUFHiUilnfusTFdM1CQ
+f5hkC09JNRnrNgyMi6dwgjkFVm3uOPuEov9vlbfma97INDnkPUIHAmXz5YF+FDgp
+nPCDa1G+t0DgrfOnCSUTJlleRWft/BcF/Y8uA8Bf0jkhebkwZrACbKPWl1Mr84FW
+9UAcJixAlGo7g/beF3vIDFZ2ehDyS/ARSHPLAgMBAAGjZTBjMB0GA1UdDgQWBBTP
+nlImROLHrQIuJJ1bGfmnCifpfTBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG
 Jmh0dHBzOi8vaWRwLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3
-DQEBCwUAA4IBgQBb9ncPd748rnxrJ7tat50vDGAj/wnFM/9qt6gfwSv7gCikj29V
-QYgZ0gB76xH7RdLw/iuR4g3stuoARt+CYrzkh/A/pG6/FAFI6HZvX/Lic7YLv/rp
-m0aRcBLDzu6gYZ66qm05iXLs1Kueq8Eh0txpbg35LUVZGtXxE6t4da8a/XfSfgDs
-KlUj7ANT1vkbDYXJiio60EqGWxMiyxTacEFOSUqRTlDL1wdvU8hrcyO4ZQSf20Mv
-uROvXwki8Zb1Hoakn51fgJIKvIM6ttLpNdwsXFWpopMw9s5obtrNAB4KbbuISXdn
-3AjJtynK9HuIOyBkphetJcOXj99bAn6VLyl3ieuPPLzXPQ9byNmLlwp0njJE2xtR
-HjztBijmO8wtif3di+nUSwHRG0DcuE7f06Z28+pSrpB0XHDmALSefbq5g51aIR64
-fgC3txaEwILjHFjdK7Iaf0DHqQDUyxqC00IWATB9Dr9dtMIeQVN46x4681AfKp8p
-oHdTCGNvbFo8vGI=
+DQEBCwUAA4IBgQAkFQeq4iMNgzk1JVHdn4qVK8Y4vOUlHIDL4LOlYG0Nsyp9/L62
+LzF4/q9RU2+CQ6QuvwL1FXuH+pNxb4A2L9qx8X23u/fmdpGdH+YXfezOiEKW74v1
+usD18bFIw/E9aeyWQgWrQajqXkiLk4C4+ZOQ8IDxIBrVawV65tqyujx7DOHYd8zq
+VcdJjnchudt1mRzRPz6ajG6X5Zd4htNSim/Trd9JGymr4Xr3ILqHEnWihqpEETNd
+snwzij6jtdXixmSGPeVI/YlGiKJuBgC6j+wjXrXglvnA5WD/5aNtqo409/1rnzLK
+0XElMIvUTqtM2L/9MNALKcQqAoEzfjdtAqJ/yZ528+/H41gEfjoqyZicT8Av6Gf2
++EOx61jXmz9NLB5eUp1h2u94OrkZEpdYQN3VxVEdxR4CFdfllIev1lxMYwxQjai7
+J7bOAjiQAUK8peLx+HvQRMaCWW9VYCHVT7Fs/icq95yQPiLSUaQ0m86rSYG9IZGQ
+YQdqqQZaO3Z2nw8=
 -----END CERTIFICATE-----
diff --git a/credentials/idp-signing.key b/credentials/idp-signing.key
index cf8eb60..ec2fef1 100644
--- a/credentials/idp-signing.key
+++ b/credentials/idp-signing.key
@@ -1,39 +1,39 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIG4gIBAAKCAYEAvtENeKgTFxJ3l8ZTeaFifLRLS4daxjnKy7JpTfrVOqZHGUQ3
-zAwY4xifs5rbiBkOAiLLBIqjJJalZQ6A+fSu34eVYdxp5VY5L2gAcF/6kf+wOMCU
-2zdEwiewM9CZMo6HN77Z/ZEC1737/OBaRHwCEtC8l1BxU0V9TgEB/n31mtg5h7FW
-DPe6dgo1NSeCjsKVGHrdG4Ozo+JHvklqy6knbqnNvPqmcLv4nrp/wQnRalqv7/26
-dlzoecXmCICH4cToBVACILXs331bpWEdHEc+bxInja15BOwb4pWLbqD5Qaj9hnPF
-CAKFtA+Ivb9PKV+44eNN3n73dYEPmx21QeqXWVfn3Ukl4lIIhFC9XETbmSI+V8HL
-Yl7e7n6GKN3hdVip0thN5vyPWYBt2DskW6+QFXry2F+EqMxNHUqJt0k3uu4pTZ9f
-/DsQaA+/e+H23DGBIOytNzBz1jbU0Do/35td39YvRGN4T5KOuwmGTjrB6cM0/WOx
-JhaKourpM6qiDs0bAgMBAAECggGAXXk7CCgNcffx7b+RlLuh60TGvbEInqIg3bgA
-Ldr6KUja+12Xl7U1W8nsMadic0ESw6kXmpnvYTUKwH5iYA+kuotIei/nEBk02iww
-Stw5etuuD58HTHu+iv22Kyu8YC/BvWUYlEY9BkJi9nVQwsucmGr4d4dIfGpF/7gu
-qeQ6NChHxljwtlmEVd6aQfeg1R4su1k0hw31Kgrm6ig80JeEYYl8515BumfaWqcx
-ffa5R0g1d3LrrJ/GoiB3lyKfbdFuns5Nw6Cd4gBwTFoFwZrRPGXQGnBNLhaicSFQ
-vchLZQDe+SCdfOcdCmYI7pm9i8jbI+deTzDCT1am3gqvoil0Y+TW9EDk20a4vVnH
-unSsz+kIpVw1O8Hkc7U4yPXxLbS8qTMJUmp0GwLV9egGy8iVVjPXp8VbyjiEDNIJ
-Sp8y9wvjvDPDPxPg7H9Jkgk41muBVuo4KfpaojXSRomlqSD8NfzL6TIMSCPFq2vO
-brp3Gblf14jwj1gPaHiQ7Kr1cH/BAoHBAOLoUvcS1kbxp0NDDBiEgCLPXpoG8MMc
-Y3iSAZ9dtDXyqaUiFEyrpOCtJdIo/YW+on7J86t/+2t5hhJ1VQq7jUpHvoCnIOEj
-SuMAv806owV7XueoFBpaKBEMp28gWFAygeKhGI9g75hjq23f55XT43jPB4NOmYmW
-/Qle2ZS3G/lWKfMbNPbk4MAvvCULVWjaXgzOKnU3L4LybXYq1KzW0xxI7bAEj5ft
-38SyzCJn0pIhpvDgQe0TpkBGajDeHEQiNQKBwQDXSCJbWC8B8dF/kjdTPeeDo/gX
-sK2nBRxQuNJ6BwpAHaPcOA6G3Xcb9LNDFuRReh5jFDs1G86N4ZhL2dVthsQJHt/9
-1pNrn7/UlOjrgRKVZDR8gFZxvuxn/TifuR3xv6+kTgaqknMepA5SpD4VB55VBeJP
-B5OJtSrHxHh4fty+OMvvmpBNC+505yxY69nIRxAtOaFH6xFyM/klp7jgKsJV4lco
-Un1WO0BqflPkLXlbMx4FjcSjikUnkhzbJxdnHA8CgcARfOxgBIClSRymD3XQMe4a
-QLc+0cgekYKNGVusp7Eq8z/l7UF5Q0Va151xnB0mALJPaUsxbZS4DM6rf4WFZT0X
-e34QNlFPaMPtyPH/ZESKOJ7w5cBe45Hw9nO1Gd4UmD/wcpANBOCScyQUPMyBfKos
-dnBSy20D8LIh1cCZOJ+cUOq8xN0JJky4IzWx+TSk9yeGfyFAlXdA9WRAVj6773an
-2GsRRNi4UeoMI+edwzi0cImISRBrsDcA/yxSBdxR1/0CgcAry0zR8Dp/1sWbgg8n
-K+yw5uZNS2/IDk4YTcDjehMnv9/ZqL2rydm1Ii5lc3625HTSCweQYju+uSnWJFY6
-lbPDdzhx1vjeZ/0KLdDEN9mj8mKLAUCUmxZUgTrHo0zoJOqCLi1E/c3VaeJQBYFr
-ncUj3rKPCSeGWAh/4wPu3z/gooU6FONOCSNVPMHUxQXkrDAqQxMAIl3GMbR5aIk/
-cPNfrU+1sDI3HI6aG2DNhkKtvtRYpOJfsn0m855TJryoCRkCgcAHnLZQEkXP624q
-Pq5i5OaKUUeVfIlxHW4S9ucTDw/+G3iHdV9Gxeq3bmMh5B8c8VL9YIHHTKn1xs+h
-iOolSuroDbzzjn+7wF6g2+6wxGg5G0JAiU2WNR4Lv1yJ57tkL42wmEhbzEdqtg47
-RPHPnKhBTxQ4dRMQ9/wCxFsgM1CuD4Fpog4VK06HGt9fXB2iDNQrZmgHbKuGmCL/
-p/9Ftzzg5fo/D3Vd28r2rVo1r4M/LmPuQ5ODWffn4leVNkkV3Gg=
+MIIG4gIBAAKCAYEAxM/ZTukRf08tonAflzexZJSSLGoWBOQ3JXzqWYh9gRW92S/M
+SyeBb0Ry05skyqgXXmuyg/lx9eJ+sziHcHdR0kkjE6d70Un52SqgG5d1DHkB0kDp
+op0ePD811LQfBqXuZNYtlCqghR7e5mKGVZsKUmUL254Vi3pSNyk5Kxae3R/WFpAg
+6Vo1i5e3odAc3Qr5H4raxY8IJfwK0GOzX9PMVq5O9dgcFq2l+0NpmBGuovIjUEyq
+mK9FJykUJToXunjTdghnkuucR4Kpg0JjACSlcnUjO+2H2G3hMuoWdkAGhoj95kmI
+y78Q3OEv97F+n1ifvrWa3l2yzuUFHiUilnfusTFdM1CQf5hkC09JNRnrNgyMi6dw
+gjkFVm3uOPuEov9vlbfma97INDnkPUIHAmXz5YF+FDgpnPCDa1G+t0DgrfOnCSUT
+JlleRWft/BcF/Y8uA8Bf0jkhebkwZrACbKPWl1Mr84FW9UAcJixAlGo7g/beF3vI
+DFZ2ehDyS/ARSHPLAgMBAAECggGAMgQcVqh2cOMfVsuly5k0tLnpF+5x4BZbSWSg
+bdZ5BqgO0jYKdgL5Kty7Tbl8tR/YqH84I7/tzS4dQtCX4uX/3jAGAQWsOrjRDPZ/
+L+PitCPAab1jYpcJSwhJVt/bjqX2mpuvg5r9pjb9MJFTUEgRbHUPeWWIViTk5e3N
+AH1ELC/eCWfhZUwulWYeHbo0y5vxSanRBSnfST/vQ5xCxpSdtl2f5WxhXwYMS3mL
+SUEdH33nqY2CQUExks0muHs18oanzGnFPohA0PLCtUnPe//mK/xc9b6f9FpDeYYZ
+LTnEadz9f9n6FD7Sw8q/PdpL70odySvR4JbNh+1ntTG12KXdJw186QfEoe1P88SK
+dNLFuCttHTVjr6TCsaA/BnoyUv78SvO1MEr6nf78yqontmEqNM0C34UvFSMNZdkv
+2B9vn/Bl3ojOSNG2r1seMugFfVrXMv2MQVi96WO3T6WG329OCGKPFmjg0NQ77xYw
+V3OwMHnw345AxGHmDPFKVCjlTcAZAoHBAO5A1xco/my2RI0IFqvaUUlPPpg1s+pR
+vzVM5lAfU6NpZaYgYJ5EvssCXHKNHqOS8+8sBx2Bq6kkJIJamKLnZJ+kixPHDK9t
+tffhb2RY0jB1wDSNnculoOX29jPJBqVG2rrW4Q3GOiejD0Ig68OIYMOal4nr5GIE
+Y9HG9l7AuApyzJtlLI290mUp6aU4tszidG8PUx9rzL+a9V5HWUoTinIED0w7AJ+O
+6bIJkoOStF0/sYEXTIZKEcGOxZaJZogJ/QKBwQDTeMd1wgrkSebj3fgxUOOx1Pt2
+pFuT0ZZV0Wg7WwlOqpowlTbmQE+pmkmaus/T1o/8Nf1/djm8nlBr74FC7aShaRmH
+HDvl5t21aflV1K/m8AF3mi+ZIkYTfOhE/3Lr0x9Q1Y1eN1/oEwfszfm+lUL9ZJ99
+CDb97dokDe4+x/GutVELwCoz1kFD5Ne3t1afsU/wsIICe/BWrMyK0RzFE3LuUZhA
+C5Y0aelAz4R+T98CCfSpOEGBLlc+NqdoDUtV22cCgcBXFvSIzr9R1b5xHwfKgd88
+wO7MjLTbbk5KmXWGzCyyixBRDXzD3bUwWAibBuKwQENSpfFj48Zv6Xo+/AbXZWXu
+xSLhc907MwtVNN6W+7C5bhF4JFwN2Nlbtk6A13bKa4AA1BMoCdGwM3acYZRMwUk9
+twC1tbih66DhSa09LY0YpKYOF4mVtlF2EUAK2RRZCF4vSpbD4Y/Saj5O3B3Tahkt
+XDaLUvYDXSYnokAgQDwV6fZkjbO3UtPywNGRGWCVUbECgcBr7oQW9S+r7pAakwr+
+2KMt+19Q4XggDOOm71c8nC026loCG9ZGVGKUVLvmbhxuqV8ZwdCdQpEbVM4FGNun
+djUFcOfnjqB/qYJU+j6Y8RHKU4rcKWTLyrNrdN/zf1F/TWT5U9VwVeDsSPJNiZ9D
+B1mGjNnd7dhrZ/9jUXzcrB4NJlu0HKMti9gJt/3ltXxPyyba2KuyauFyy4UmAK6n
+Y1LQkfKcFY3XOIslWgTslwViPASUbbL5JNbAWRK+R7LAolcCgcA20+/3jIyTBOxM
+T2LrTYdPi2RxfnLavSjz9EuAs/WWRdpd3x1MGyz+H5fml4FxnJw0pACm9VRfW1F9
+AJL7Dnlr8eDIpuvFJeNvb0BHYbCecNLt5N8yjIljorY04iiQRLjN2XeyQ2Dh8DjW
+JK4gynLpB8bXgqU7fpEfUuiy/fOF6b5IQPPuSV90UZ6zWY+1Gm7X4pefg4eveD1R
+KFEkG95gmxR++xIDhXrI/uV+OFxkbr5qmR4riliqO31Hs+ZNbZs=
 -----END RSA PRIVATE KEY-----
diff --git a/credentials/sealer.jks b/credentials/sealer.jks
index f10f00a..db5ab6d 100644
Binary files a/credentials/sealer.jks and b/credentials/sealer.jks differ
diff --git a/credentials/sealer.kver b/credentials/sealer.kver
index aa1fae9..9604208 100644
--- a/credentials/sealer.kver
+++ b/credentials/sealer.kver
@@ -1,2 +1,2 @@
-#Wed Mar 24 15:54:24 UTC 2021
+#Thu Sep 14 18:47:39 UTC 2023
 CurrentVersion=1
diff --git a/credentials/secrets.properties b/credentials/secrets.properties
index 26d4af7..93658fc 100644
--- a/credentials/secrets.properties
+++ b/credentials/secrets.properties
@@ -1,13 +1,16 @@
 # This is a reserved spot for most properties containing passwords or other secrets.
-# Created by install at 2021-03-24T15:54:24.596740Z
+# Created by install at 2023-09-14T18:47:39.214769704Z
 
 # Access to internal AES encryption key
-idp.sealer.storePassword = changeit
-idp.sealer.keyPassword = changeit
+idp.sealer.storePassword =changeit
+idp.sealer.keyPassword =changeit
+
+# Password for idp-backchannel.p12 
+idp.backchannel.keyStorePassword =changeit
 
 # Default access to LDAP authn and attribute stores. 
-idp.authn.LDAP.bindDNCredential              = myServicePassword
-idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}
+idp.authn.LDAP.bindDNCredential              =myServicePassword
+idp.attribute.resolver.LDAP.bindDNCredential =%{idp.authn.LDAP.bindDNCredential:undefined}
 
 # Salt used to generate persistent/pairwise IDs, must be kept secret
-#idp.persistentId.salt = changethistosomethingrandom
+#idp.persistentId.salt =changethistosomethingrandom
diff --git a/edit-webapp/css/consent.css b/edit-webapp/css/consent.css
deleted file mode 100644
index 5daabee..0000000
--- a/edit-webapp/css/consent.css
+++ /dev/null
@@ -1,150 +0,0 @@
-.box {
-    width:600px;
-    margin-left: auto;
-    margin-right: auto;
-    margin-top: 50px;
-    background-color: white;
-   -webkit-box-shadow: 1px 1px 15px #999999;
-    -moz-box-shadow: 1px 1px 15px #999999;
-    box-shadow: 1px 1px 15px #999999;
-    -webkit-border-radius: 8px;
-    -moz-border-radius: 8px;
-    border-radius: 8px;
-    overflow: auto;
-    padding: 1.268em;
-}
-
-body {
-    font-family:Verdana, Geneva, sans-serif;
-    font-size: 12px;
-}
-
-h1 {
-    font-size: 13px;
-    padding-bottom: 12px;
-}
-
-a {
-    color: #00247D;
-    text-decoration: underline;
-}
-
-a:visited {
-    color: #00247D;
-    text-decoration: underline;
-}
-
-a:focus, a:hover, a:active {
-    color: #F39800;
-    text-decoration: underline;
-}
-
-#tou-content {
-    font-family:monospace;
-    width: 95%;
-    border: solid 1px #666;
-    margin: 4px;
-    padding: 10px;
-    overflow: hidden;
-}
-
-#tou-content li{
-    margin-bottom:10px;
-}
-
-#tou-acceptance {
-    width: 95%;
-    border: solid 1px #666;
-    background-color: #F0F0F0;
-    margin: 4px;
-    padding: 10px;
-    text-align: left;
-    overflow: hidden;
-}
-
-.service_name {
-    font-weight: bold;
-}
-
-.service_description {
-    font-style: italic;
-}
-
-.organization_name {
-}
-
-#attributeRelease-consent {
-    width: 95%;
-    border: solid 1px #666;
-    background-color: #F0F0F0;
-    margin: 4px;
-    overflow: hidden;
-}
-
-#attributeRelease {
-    width: 95%;
-    margin: 4px;
-    border: solid 1px black;
-    overflow: auto;
-}
-
-#attributeRelease table {
-    border-collapse: collapse;
-    border: none 0px white;
-    width: 100%;
-}
-
-#attributeRelease td {
-    padding: 3px 7px;
-    vertical-align: top;
-}
-
-#attributeRelease th  {
-    text-align: left;
-    font-size: 18px;
-    padding: 5px 7px;
-    background-color:#00247D;
-    color: white;
-}
-
-#attributeRelease tr:nth-of-type(even) {
-    background-color: #E4E5E3;
-}
-
-.federation_logo
-{
-	width: 50%;
-    float: left;
-    padding-top: 35px;
-    border: 0;
-}
-.organization_logo
-{
-	width: 50%;
-    float: right;
-    border: 0;
-}
-
-.form-error {
-  padding: 0;
-  color: #B61601;
-}
-
-/* Device specific styles */
-@media only screen and (max-device-width: 721px){
-  .box {
-      width: auto;
-      box-shadow: none;
-      border-radius: 0;
-      -webkit-box-shadow: none;
-      -webkit-border-radius: 0;
-      -moz-box-shadow: none;
-      -moz-border-radius: 0;
-      padding: 0;
-      margin-top:0;
-  }
-  #tou-content, #tou-acceptance{
-    /*width:87%;*/
-    width:auto;
-  }
-}
diff --git a/edit-webapp/css/logout.css b/edit-webapp/css/logout.css
index dcd10d2..5cd06c1 100644
--- a/edit-webapp/css/logout.css
+++ b/edit-webapp/css/logout.css
@@ -1,4 +1,7 @@
 /* Success/Failure indicators for logout propagation. */
+ol li:before {
+    content: ''
+}
 li.logout {
     line-height: 36px;
     padding-left: 36px;
diff --git a/edit-webapp/css/main.css b/edit-webapp/css/main.css
deleted file mode 100644
index 116b31e..0000000
--- a/edit-webapp/css/main.css
+++ /dev/null
@@ -1,165 +0,0 @@
-* {
-    margin: 0;
-    padding: 0;
-}
-header, footer, section, nav {
-    display: block;
-}
-html, body {
-    height: 100%;
-}
-body {
-    font-family:Verdana, Geneva, sans-serif;
-    font-size: 12px;
-    line-height: 1.5;
-    color: #717171;
-    background: #717171;
-}
-a:link,
-a:visited {
-    text-decoration: none;
-    color: #717171;
-}
-img {
-    max-width: 100%;
-    margin-bottom: 12px;
-}
-
-.wrapper {
-    background: #ffffff;
-}
-
-.container {
-    position: relative;
-    left: 34%;
-    width: 540px;
-    margin-left: -270px;
-}
-.container-footer {
-    padding-top: 12px;
-}
-@media only screen and (max-width: 1020px) {
-    .container {
-        left: 45%;
-    }
-}
-@media only screen and (max-width: 650px) {
-    .container {
-        position: static;
-        margin: 0 auto;
-        width: 280px;
-    }
-}
-
-header {
-    padding: 20px 0;
-}
-
-.logo img {
-    border: none;
-}
-@media only screen and (max-width: 650px) {
-    .logo img {
-        display: none;
-    }
-    .logo {
-        background: url(../images/dummylogo-mobile.png) no-repeat top center;
-        display: block;
-        height: 115px;
-        width: 100px;
-        margin: 0 auto;
-    }
-}
-
-.content {
-    padding-bottom: 80px;
-    overflow: hidden;
-}
-
-.column {
-    float: left;
-}
-.column.one {
-    width: 50%;
-    margin-right: 48px;
-}
-
-form {
-    width: 240px;
-    padding-bottom: 21px;
-}
-form label { /* labels are hidden */
-    font-weight: bold;
-}
-form legend {
-    font-size:1.2em;
-    margin-bottom: 12px;
-}
-.form-element-wrapper {
-    margin-bottom: 12px;
-}
-.form-element {
-    width: 100%;
-    padding: 13px 12px;
-    border: none;
-    font-size: 14px;
-    border-radius: 4px;
-    -webkit-border-radius: 4px;
-    -moz-border-radius: 4px;
-}
-.form-field {
-    color: #B7B7B7;
-    border: 1px solid #B7B7B7;
-}
-.form-field-focus,
-.form-field:focus,
-input[type="text"]:focus {
-    color: #333333;
-    border-color: #333;
-}
-.form-button {
-    background: #B61601;
-    box-sizing: content-box;
-    -moz-box-sizing: content-box;
-    color: #ffffff;
-    cursor: pointer;
-}
-.form-button:hover {
-    background: #FF6400;
-}
-.form-error {
-    padding: 0;
-    color: #B61601;
-}
-
-.list-help {
-    margin-top: 40px; /* offset padding on first anchor */
-    list-style: none;
-}
-.list-help-item a {
-    display: block;
-    padding: 6px 0;
-}
-.item-marker {
-    color: #be0000;
-}
-
-footer {
-    color: #ffffff;
-    font-size: 11px;
-    background: #717171;
-}
-.footer-text {
-    margin-bottom: 12px;
-}
-.footer-links a:link,
-.footer-links a:visited {
-    color: #ffffff;
-    font-weight: bold;
-}
-.footer-links a:after {
-    content: "\00a0\00a0\00a0|\00a0\00a0";
-}
-.footer-links a.last:after {
-    content: "";
-}
diff --git a/edit-webapp/css/placeholder.css b/edit-webapp/css/placeholder.css
new file mode 100644
index 0000000..c1dbe1c
--- /dev/null
+++ b/edit-webapp/css/placeholder.css
@@ -0,0 +1,802 @@
+/* Colours pallet
+
+To change the colours, use find and replace with the values below:
+
+ #ECEFF1 - Body background, header / section border, read only / disabled input fields.
+
+ #1534E3 - Links, buttons, list items, selected radio, selected checkbox.
+
+ #1A237E - Hover buttons.
+
+ #32424A - Body text, input fields border.
+ 
+ #7A2D00 - Output message.
+ 
+ #B50024 - Error messages / fields.
+ 
+ #1C7D40 - Success messages / fields.
+ 
+ #999999 - read only / disabled input fields.
+
+*/
+
+html, html * {
+  margin: 0;
+  padding: 0;
+  border: 0;
+  font-size: 100%;
+  font: inherit;
+  vertical-align: baseline;
+  box-sizing: border-box;
+  background: none;
+  background-repeat: no-repeat;
+  background-position: left top;
+  border: 0;
+  outline: 0;
+}
+
+html {
+  height: 100%;
+}
+
+/* HTML5 display-role reset for older browsers */
+article, aside, details, figcaption, figure, footer, header, hgroup, menu, nav, section, main {
+  display: block;
+}
+
+/* Default document styles - fonts, font sizes, text colours, font weight */
+body {
+  font-family: Segoe UI, Helvetica, Arial, sans-serif, Apple Color Emoji, Segoe UI Emoji, Segoe UI Symbol;
+  font-size: 16px;
+  font-size: 1rem;
+  line-height: 24px;
+  line-height: 1.5rem;
+  color: #32424a;
+  font-weight: 400;
+  max-width: 3000px;
+  margin: 0 auto;
+  background-color: #eceff1;
+  padding: 24px;
+}
+
+/* Links */
+a[href] {
+  text-decoration: none;
+  color: #1534e3;
+}
+
+/* Link hover states */
+a[href]:hover, a[href]:active, a[href]:focus {
+  text-decoration: underline;
+  color: #1534e3;
+}
+
+/* Heading styles */
+h1 {
+  font-size: 24px;
+  font-size: 1.5rem;
+  line-height: 28px;
+  line-height: 1.75rem;
+  font-weight: 700;
+}
+
+h2 {
+  font-size: 20px;
+  font-size: 1.25rem;
+  line-height: 25px;
+  line-height: 1.5rem;
+  font-weight: 400;
+}
+
+h3 {
+  font-size: 16px;
+  font-size: 1rem;
+  line-height: 22px;
+  line-height: 1.375rem;
+  font-weight: 700;
+}
+
+h4 {
+  font-size: 14px;
+  font-size: 0.875rem;
+  line-height: 18px;
+  line-height: 1.125rem;
+  font-weight: 700;
+  margin-bottom: 0.5em;
+}
+
+h5 {
+  font-size: 14px;
+  font-size: 0.875rem;
+  line-height: 18px;
+  line-height: 1.125rem;
+  font-weight: 400;
+}
+
+h1, h2, h3, h4, h5, h6, p {
+  margin-bottom: 1em;
+}
+
+h1:last-child, h2:last-child, h3:last-child, h4:last-child, h5:last-child, h6:last-child, p:last-child {
+  margin-bottom: 0px;
+}
+
+/* List styles */
+ol, ul {
+  list-style: none;
+  margin: 20px 0;
+}
+
+ol:before, ol:after,
+ul:before, ul:after {
+  content: " ";
+  display: table;
+}
+
+ol:after,
+ul:after {
+  clear: both;
+}
+
+ol:last-child,
+ul:last-child {
+  margin-bottom: 0px;
+}
+
+ol:first-child,
+ul:first-child {
+  margin-top: 0px;
+}
+
+ul li {
+  padding-left: 22px;
+  margin-bottom: 4px;
+  position: relative;
+  list-style: none;
+}
+
+ul li:last-child {
+  margin-bottom: 0px;
+}
+
+ul li:before {
+  content: '';
+  -webkit-border-radius: 2px;
+  -ms-border-radius: 2px;
+  -moz-border-radius: 2px;
+  -o-border-radius: 2px;
+  border-radius: 2px;
+  background-color: #1534e3;
+  height: 7px;
+  width: 7px;
+  display: block;
+  position: absolute;
+  left: 0;
+  top: 7px;
+}
+
+ol {
+  counter-reset: item;
+}
+
+ol li {
+  padding-left: 22px;
+  margin-bottom: 10px;
+  position: relative;
+  list-style: none;
+}
+
+ol li:last-child {
+  margin-bottom: 0px;
+}
+
+ol li:before {
+  color: #1534e3;
+  position: absolute;
+  left: 0;
+  content: counter(item) ". ";
+  counter-increment: item;
+  font-weight: 700;
+  top: 1px;
+}
+
+ol li:nth-child(n+10) {
+  padding-left: 30px;
+}
+
+ol li:nth-child(n+100) {
+  padding-left: 38px;
+}
+
+hr {
+  width: 100%;
+  clear: both;
+  border: 0;
+  outline: 0;
+  background-color: #eceff1;
+  height: 1px;
+  display: block;
+  margin: 30px 0;
+}
+
+b, strong {
+  font-weight: 700;
+}
+
+i, em {
+  font-style: italic;
+}
+
+small {
+  font-size: 0.8em;
+}
+
+big {
+  font-size: 1.2em;
+}
+
+.cc {
+  clear: both;
+  margin: 0 auto;
+  width: 100%;
+  max-width: 649px;
+  padding: 0 0;
+}
+
+.cc:before, .cc:after {
+  content: " ";
+  display: table;
+}
+
+.cc:after {
+  clear: both;
+}
+
+img {
+  max-width: 100%;
+  height: auto;
+}
+
+/* Main content area */
+main {
+  clear: both;
+  margin: 0 auto;
+  width: 100%;
+  max-width: 800px;
+  background-color: #fff;
+  -webkit-border-radius: 8px;
+  -ms-border-radius: 8px;
+  -moz-border-radius: 8px;
+  -o-border-radius: 8px;
+  border-radius: 8px;
+  -webkit-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11);
+  -ms-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11);
+  -moz-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11);
+  -o-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11);
+  box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11);
+}
+
+/* Add a border top when 2 sections are together */
+main section + section {
+  border-top: 1px solid #eceff1;
+}
+
+/* Header */
+header {
+  display: block; /* Change to display: none to hide */
+  border-bottom: 1px solid #eceff1;
+  text-align: center;
+  padding: 6% 8%;
+}
+
+header .main-logo {
+  display: block;
+  margin: 0 auto;
+}
+
+.service-logo {
+	display: block;
+	margin: 24px 0;
+}
+
+section {
+  padding: 4% 8% 4% 8%;
+}
+
+/* Output Messages */
+.output-message {
+  font-size: 14px;
+  font-size: 0.875rem;
+  line-height: 18px;
+  line-height: 1.125rem;
+  font-style: italic;
+  -webkit-border-radius: 4px;
+  -ms-border-radius: 4px;
+  -moz-border-radius: 4px;
+  -o-border-radius: 4px;
+  border-radius: 4px;
+  background-color: #FFD8C2;
+  display: block;
+  padding: 4%;
+  margin-bottom: 20px;
+  color: #7A2D00;
+}
+
+.output-message:last-child {
+  margin-bottom: 0px;
+}
+
+/* Output Message Success */
+.output-message.output--success {
+  background-color: #DCF9E7;
+  color: #1C7D40;
+}
+
+/* Output Message Error */
+.output-message.output--error {
+  background-color: #FFF0F3;
+  color: #B50024;
+}
+
+.boxed {
+  -webkit-border-radius: 4px;
+  -ms-border-radius: 4px;
+  -moz-border-radius: 4px;
+  -o-border-radius: 4px;
+  border-radius: 4px;
+  -webkit-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11);
+  -ms-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11);
+  -moz-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11);
+  -o-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11);
+  box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11);
+  background-color: #fff;
+  padding: 6%;
+  margin: 30px 0;
+}
+
+.boxed:last-child {
+  margin-bottom: 0px;
+}
+
+.boxed:first-child {
+  margin-top: 0px;
+}
+
+/* Footer style */
+footer {
+  z-index: 1;
+  position: relative;
+  text-align: center;
+  margin-top: 20px;
+  font-size: 12px;
+  font-size: 0.75rem;
+  line-height: 16px;
+  line-height: 1rem;
+}
+
+/* Forms styles */
+fieldset {
+  display: block;
+  margin-bottom: 20px;
+}
+
+fieldset:last-child {
+  margin-bottom: 0px;
+}
+
+fieldset .field-validation {
+  display: block;
+  margin-top: 10px;
+}
+
+fieldset .error {
+  color: #B50024;
+}
+
+fieldset legend span {
+  display: block;
+  text-indent: 100%;
+  white-space: nowrap;
+  overflow: hidden;
+  height: 0;
+}
+
+/* Form labels */
+label {
+  vertical-align: top;
+  font-size: 14px;
+  font-size: 0.875rem;
+  line-height: 18px;
+  line-height: 1.125rem;
+  font-weight: 700;
+  display: block;
+  color: #32424a;
+  margin-bottom: 6px;
+}
+
+label:focus {
+  color: #1534E3;
+}
+
+/* Form input fields */
+input[type="text"], 
+input[type="email"], 
+input[type="password"], 
+input[type="telephone"], 
+input[type="tel"], 
+input[type="url"], 
+textarea, 
+select {
+  background-color: #fff;
+  border: 2px solid #32424a;
+  -webkit-transition: all 0.3s ease-in-out;
+  -moz-transition: all 0.3s ease-in-out;
+  -ms-transition: all 0.3s ease-in-out;
+  -o-transition: all 0.3s ease-in-out;
+  transition: all 0.3s ease-in-out;
+  color: #32424a;
+  padding: 13px 20px;
+  display: block;
+  width: 100%;
+  -webkit-appearance: none;
+  -ms-appearance: none;
+  -moz-appearance: none;
+  -o-appearance: none;
+  appearance: none;
+  -webkit-border-radius: 4px;
+  -ms-border-radius: 4px;
+  -moz-border-radius: 4px;
+  -o-border-radius: 4px;
+  border-radius: 4px;
+}
+
+/* Form input focus */
+input[type="text"]:focus, 
+input[type="email"]:focus, 
+input[type="password"]:focus, 
+input[type="telephone"]:focus, 
+input[type="tel"]:focus, 
+input[type="url"]:focus, 
+textarea:focus, 
+select:focus,
+input[type="text"]:active, 
+input[type="email"]:active, 
+input[type="password"]:active, 
+input[type="telephone"]:active, 
+input[type="tel"]:active, 
+input[type="url"]:active, 
+textarea:active, 
+select:active {
+  border-color: #1534e3;
+  background-color: #fff;
+}
+
+/* Form input errors */
+input[type="text"].error, 
+input[type="email"].error, 
+input[type="password"].error, 
+input[type="telephone"].error, 
+input[type="tel"].error, 
+input[type="url"].error, 
+textarea.error, 
+select.error {
+  border-color: #B50024;
+}
+
+/* Form input read only / disabled */
+input[type="text"]:read-only, 
+input[type="email"]:read-only, 
+input[type="password"]:read-only, 
+input[type="telephone"]:read-only,
+input[type="tel"]:read-only, 
+input[type="url"]:read-only, 
+textarea:read-only, 
+select:read-only, 
+input[type="text"]:disabled, 
+input[type="email"]:disabled, 
+input[type="password"]:disabled, 
+input[type="telephone"]:disabled, 
+input[type="tel"]:disabled, 
+input[type="url"]:disabled, 
+textarea:disabled, 
+select:disabled {
+  background-color: #ECEFF1;
+  pointer-events: none;
+}
+
+/* Text areas */
+textarea {
+  height: 124px;
+  resize: none;
+}
+
+
+/* Dropdowns */
+select {
+  -webkit-appearance: auto;
+  -ms-appearance: auto;
+  -moz-appearance: auto;
+  -o-appearance: auto;
+  appearance: auto;
+}
+
+select:read-only {
+  background-color: #fff;
+  pointer-events: unset;
+}
+
+select::-ms-expand {
+  display: none;
+}
+
+/* Checkboxes / Radio buttons */
+input[type="checkbox"], input[type="radio"] {
+  position : absolute;
+  opacity: 0;
+  height: 0;
+  width: 0;
+}
+
+input[type="checkbox"] + label, input[type="radio"] + label {
+  display: block;
+  font-weight: 400;
+  font-size: 16px;
+  font-size: 1rem;
+  line-height: 24px;
+  line-height: 1.5rem;
+  cursor: pointer;
+  position: relative;
+  padding-left: 30px;
+  padding-top: 3px;
+  margin-bottom: 4px;
+  margin-right: 12px;
+  display: inline-block;
+}
+
+input[type="checkbox"] + label:before, input[type="radio"] + label:before {
+  content: "";
+  position: absolute;
+  top: 2px;
+  left: 0;
+  height: 20px;
+  width: 20px;
+  background-color: #fff;
+  border: 2px solid #32424a;
+  -webkit-transition: all 0.2s ease-out;
+  -ms-transition: all 0.2s ease-out;
+  -moz-transition: all 0.2s ease-out;
+  -o-transition: all 0.2s ease-out;
+  transition: all 0.2s ease-out;
+}
+
+input[type="checkbox"] + label:after, input[type="radio"] + label:after {
+  content: "";
+  position: absolute;
+  -webkit-transform: rotate(45deg);
+  -ms-transform: rotate(45deg);
+  -moz-transform: rotate(45deg);
+  -o-transform: rotate(45deg);
+  transform: rotate(45deg);
+  display: none;
+}
+
+input[type="checkbox"]:checked + label, input[type="radio"]:checked + label,
+input[type="checkbox"]:focus + label, input[type="radio"]:focus + label {
+  color: #1534e3;
+}
+
+input[type="checkbox"]:checked + label:before, input[type="radio"]:checked + label:before,
+input[type="checkbox"]:focus + label:before, input[type="radio"]:focus + label:before {
+  border-color: #1534e3;
+}
+
+input[type="checkbox"]:checked + label:after, input[type="radio"]:checked + label:after {
+  display: block;
+}
+
+input[type="checkbox"] + label:before {
+  -webkit-border-radius: 4px;
+  -ms-border-radius: 4px;
+  -moz-border-radius: 4px;
+  -o-border-radius: 4px;
+  border-radius: 4px;
+}
+
+input[type="checkbox"] + label:after {
+  left: 8px;
+  top: 5px;
+  width: 4px;
+  height: 10px;
+  border: solid #1534e3;
+  border-width: 0 4px 4px 0;
+}
+
+input[type="radio"] + label:before {
+  -webkit-border-radius: 100%;
+  -ms-border-radius: 100%;
+  -moz-border-radius: 100%;
+  -o-border-radius: 100%;
+  border-radius: 100%;
+}
+
+input[type="radio"] + label:after {
+  background-color: #1534e3;
+  height: 12px;
+  width: 12px;
+  -webkit-border-radius: 100%;
+  -ms-border-radius: 100%;
+  -moz-border-radius: 100%;
+  -o-border-radius: 100%;
+  border-radius: 100%;
+  left: 6px;
+  top: 8px;
+}
+
+/* Buttons / Submit buttons */
+button, input[type=button], 
+input[type=submit], 
+a.button, 
+.button {
+  display: inline-block;
+  text-align: center;
+  background-color: #1534e3;
+  border: 4px solid #1534e3;
+  font-weight: 700;
+  padding: 11px 74px;
+  cursor: pointer;
+  color: #fff;
+  -webkit-appearance: none;
+  -ms-appearance: none;
+  -moz-appearance: none;
+  -o-appearance: none;
+  appearance: none;
+  -webkit-border-radius: 4px;
+  -ms-border-radius: 4px;
+  -moz-border-radius: 4px;
+  -o-border-radius: 4px;
+  border-radius: 4px;
+  -webkit-transition: all 0.2s ease-out;
+  -ms-transition: all 0.2s ease-out;
+  -moz-transition: all 0.2s ease-out;
+  -o-transition: all 0.2s ease-out;
+  transition: all 0.2s ease-out;
+}
+
+/* Button hover & focus states */
+button:hover, 
+input[type=button]:hover, 
+input[type=submit]:hover, 
+a.button:hover, 
+.button:hover, 
+button:focus, 
+input[type=button]:focus, 
+input[type=submit]:focus, 
+a.button:focus, 
+.button:focus {
+  background: #1a237e;
+  color: #fff !important;
+  text-decoration: none !important;
+  border-color: #1a237e;
+}
+
+/* Secondary button styles */
+button.button--secondary, 
+input[type=button].button--secondary, 
+input[type=submit].button--secondary, 
+a.button.button--secondary, 
+.button.button--secondary {
+  background-color: transparent;
+  border-color: #1534e3;
+  color: #1534e3;
+}
+
+/* Secondary button hover & focus states */
+button.button--secondary:hover, 
+input[type=button].button--secondary:hover, 
+input[type=submit].button--secondary:hover, 
+a.button.button--secondary:hover, 
+.button.button--secondary:hover,
+button.button--secondary:focus, 
+input[type=button].button--secondary:focus, 
+input[type=submit].button--secondary:focus, 
+a.button.button--secondary:focus, 
+.button.button--secondary:focus {
+  background: #1a237e;
+  border-color: #1a237e;
+}
+
+/* Secondary button disabled states */
+button.button--secondary:disabled, 
+input[type=button].button--secondary:disabled, 
+input[type=submit].button--secondary:disabled, 
+a.button.button--secondary:disabled, 
+.button.button--secondary:disabled {
+  background-color: transparent;
+  color: #999999;
+}
+
+/* Full width buttons */
+button.button--full, 
+input[type=button].button--full, 
+input[type=submit].button--full, 
+a.button.button--full, 
+.button.button--full {
+  width: 100%;
+  padding-left: 30px;
+  padding-right: 30px;
+}
+
+/* Button disabled states */
+button:disabled, 
+input[type=button]:disabled, 
+input[type=submit]:disabled, 
+a.button:disabled, 
+.button:disabled {
+  pointer-events: none;
+  background-color: #999999;
+  border-color: #999999;
+}
+
+/* Placeholder styles */
+::-webkit-input-placeholder {
+  color: #a9b0b4;
+}
+
+:-moz-placeholder {
+  color: #a9b0b4;
+}
+
+::-moz-placeholder {
+  color: #a9b0b4;
+}
+
+:-ms-input-placeholder {
+  color: #a9b0b4;
+}
+
+.grid {
+  margin-top: 12px;
+}
+
+/* Grid (used for 2 columns) */
+.grid:before, .grid:after {
+  content: " ";
+  display: table;
+}
+
+.grid:after {
+  clear: both;
+}
+
+.grid > .grid-item {
+  margin-bottom: 18px;
+  min-height: 1px;
+  width: 100%;
+}
+
+.grid:last-child > .item:last-child {
+  margin-bottom: 0px;
+}
+
+@media screen and (min-width: 760px) {
+	
+  .grid.md-2 > .grid-item {
+    float: left;
+    width: 48.34436%;
+    margin-right: 3.31126%;
+  }
+  
+  .grid.md-2 > .grid-item:nth-child(n), .grid.md-2 > .grid-item:nth-of-type(n) {
+    margin-right: 3.31126%;
+    clear: none;
+  }
+  
+  .grid.md-2 > .grid-item:nth-child(2n) {
+    margin-right: 0;
+  }
+  
+  .grid.md-2 > .grid-item:nth-child(2n+1) {
+    clear: both;
+  }
+  
+}
diff --git a/edit-webapp/images/dummylogo-mobile.png b/edit-webapp/images/dummylogo-mobile.png
deleted file mode 100644
index 8ba3c95..0000000
Binary files a/edit-webapp/images/dummylogo-mobile.png and /dev/null differ
diff --git a/edit-webapp/images/dummylogo.png b/edit-webapp/images/dummylogo.png
deleted file mode 100644
index e89ede6..0000000
Binary files a/edit-webapp/images/dummylogo.png and /dev/null differ
diff --git a/edit-webapp/images/placeholder-logo.png b/edit-webapp/images/placeholder-logo.png
new file mode 100644
index 0000000..f5807ed
Binary files /dev/null and b/edit-webapp/images/placeholder-logo.png differ
diff --git a/edit-webapp/index.jsp b/edit-webapp/index.jsp
new file mode 100644
index 0000000..087cee2
--- /dev/null
+++ b/edit-webapp/index.jsp
@@ -0,0 +1,31 @@
+<%@ page pageEncoding="UTF-8" %>
+<%@ taglib uri="http://www.springframework.org/tags" prefix="spring" %>
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title><spring:message code="root.title" text="Shibboleth IdP" /></title>
+    <link rel="stylesheet" type="text/css" href="<%= request.getContextPath()%><spring:message code="root.css" text="/css/placeholder.css" />">
+  </head>
+
+  <body>
+    <div class="wrapper">
+      <div class="container">
+        <header>
+          <img src="<%= request.getContextPath() %><spring:message code="idp.logo" />" alt="<spring:message code="idp.logo.alt-text" text="logo" />">
+        </header>
+    
+        <div class="content">
+          <h2><spring:message code="root.message" text="No services are available at this location." /></h2>
+        </div>
+      </div>
+
+      <footer>
+        <div class="container container-footer">
+          <p class="footer-text"><spring:message code="root.footer" text="Insert your footer text here." /></p>
+        </div>
+      </footer>
+    </div>
+
+  </body>
+</html>
diff --git a/flows/authn/conditions/expiring-password/expiring-password-flow.xml b/flows/authn/conditions/expiring-password/expiring-password-flow.xml
index 10e041e..75bb86a 100644
--- a/flows/authn/conditions/expiring-password/expiring-password-flow.xml
+++ b/flows/authn/conditions/expiring-password/expiring-password-flow.xml
@@ -20,7 +20,7 @@
             <evaluate expression="authenticationContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationErrorContext))" result="viewScope.authenticationErrorContext" />
             <evaluate expression="authenticationContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationWarningContext))" result="viewScope.authenticationWarningContext" />
             <evaluate expression="authenticationContext.getSubcontext(T(net.shibboleth.idp.authn.context.LDAPResponseContext))" result="viewScope.ldapResponseContext" />
-            <evaluate expression="T(net.shibboleth.utilities.java.support.codec.HTMLEncoder)" result="viewScope.encoder" />
+            <evaluate expression="T(net.shibboleth.shared.codec.HTMLEncoder)" result="viewScope.encoder" />
             <evaluate expression="flowRequestContext.getExternalContext().getNativeRequest()" result="viewScope.request" />
             <evaluate expression="flowRequestContext.getExternalContext().getNativeResponse()" result="viewScope.response" />
             <evaluate expression="flowRequestContext.getActiveFlow().getApplicationContext().containsBean('shibboleth.CustomViewContext') ? flowRequestContext.getActiveFlow().getApplicationContext().getBean('shibboleth.CustomViewContext') : null" result="viewScope.custom" />
diff --git a/flows/user/prefs/prefs-flow.xml b/flows/user/prefs/prefs-flow.xml
deleted file mode 100644
index c79093b..0000000
--- a/flows/user/prefs/prefs-flow.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<flow xmlns="http://www.springframework.org/schema/webflow"
-      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-      xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd">
-
-    <!--
-    This flow allows a user to adjust various client-side preferences.
-    
-    It's partly example, partly a placeholder to allow adjustment of a few
-    existing cookie-based options used by some features of the IdP for the time
-    being while leaving the option of a more comprehensive UI down the road.
-    
-    As a flow, it's nothing much, just a view rendered to push some JS into
-    the browser to maintain things. Notably, it doesn't require a user login.
-    -->
-
-    <end-state id="RenderView" view="user-prefs">
-        <on-entry>
-            <evaluate expression="environment" result="requestScope.environment" />
-            <evaluate expression="T(net.shibboleth.utilities.java.support.codec.HTMLEncoder)" result="requestScope.encoder" />
-            <evaluate expression="flowRequestContext.getExternalContext().getNativeRequest()" result="requestScope.request" />
-            <evaluate expression="flowRequestContext.getExternalContext().getNativeResponse()" result="requestScope.response" />
-            <evaluate expression="flowRequestContext.getActiveFlow().getApplicationContext().containsBean('shibboleth.CustomViewContext') ? flowRequestContext.getActiveFlow().getApplicationContext().getBean('shibboleth.CustomViewContext') : null" result="requestScope.custom" />
-        </on-entry>
-    </end-state>
-</flow>
diff --git a/messages/messages.properties b/messages/messages.properties
index 5f94396..b59fc89 100644
--- a/messages/messages.properties
+++ b/messages/messages.properties
@@ -1,2 +1,6 @@
 # You can define message properties here to override messages defined in
-# system/messages/ or to add your own messages.
+# the system-supplied message file or to add your own messages.
+
+# You should alter these to point to different files of your own choosing.
+#idp.css = /css/placeholder.css
+#idp.logo = /images/placeholder-logo.png
diff --git a/views/admin/hello.vm b/views/admin/hello.vm
index 33a0528..6268c6c 100644
--- a/views/admin/hello.vm
+++ b/views/admin/hello.vm
@@ -14,60 +14,55 @@
 ##
 <!DOCTYPE html>
 <html>
-  <head>
-    <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width,initial-scale=1.0">
-    <title>#springMessageText("idp.title", "Web Login Service") - #springMessageText("hello-world.title", "Hello World")</title>
-    <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
-  </head>
+    <head>
+        <title>#springMessageText("idp.title", "Web Login Service") - #springMessageText("hello-world.title", "Hello World")</title>
+        <meta charset="UTF-8" />
+        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0">
+        <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")" media="all">
+    </head>
   
-  <body>
-    <div class="wrapper">
-      <div class="container" style="width: 100%">
-        <header>
-          <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
-          <h3>#springMessageText("idp.title", "Web Login Service")</h3>
-        </header>
+    <body>
+        <main class="main">
+            <header>
+                <img class="main-logo" src="$request.getContextPath()#springMessageText("idp.logo", "/images/placeholder-logo.png")" alt="#springMessageText("idp.logo.alt-text", "logo")">
+            </header>
                 
-        <div class="content">
-          <h4>#springMessageText("hello-world.greeting", "Greetings"), <em>$encoder.encodeForHTML($subjectContext.getPrincipalName())</em></h4>
-          <br/>
-          <h4>Authenticated By</h4>
-          #foreach ($result in $subjectContext.getAuthenticationResults().entrySet())
-            <blockquote>$encoder.encodeForHTML($result.getKey())</blockquote>
-          #end
-          <br/>
-          <h4>Java Principals in Subjects</h4>
-          #foreach ($s in $subjectContext.getSubjects())
-            #foreach ($p in $s.getPrincipals())
-              <blockquote>$encoder.encodeForHTML($p)<blockquote>
-            #end
-          #end
-          #if ($attributeContext && !$attributeContext.getUnfilteredIdPAttributes().isEmpty())
-            <br/>
-            <h4>Attributes:</h4>
-            #foreach ($a in $attributeContext.getUnfilteredIdPAttributes())
-              #if (!$a.getValues().isEmpty())
-                <br/>
-                <h5>$encoder.encodeForHTML($a.getId())</h5>
-                  #foreach ($v in $a.getValues())
-                    <blockquote>$encoder.encodeForHTML($v.getDisplayValue())</blockquote>
-                  #end
-              #end
-            #end
-          #end
-        </div>
-
-        <header>
-          <h3><a href="$request.getContextPath()/profile/admin/hello">#springMessageText("hello-world.reload", "Reload the Page")</a></h3>
-        </header>
-      </div>
+            <section>
+                <h1>#springMessageText("hello-world.greeting", "Greetings"), <em>$encoder.encodeForHTML($subjectContext.getPrincipalName())</em></h1>
+                <p><strong>Authenticated by</strong><br />
+                  #foreach ($result in $subjectContext.getAuthenticationResults().entrySet())
+                   <small>$encoder.encodeForHTML($result.getKey())</small><br/>
+                  #end</p>
+                  
+                <p><strong>Java Principals in Subjects</strong><br/>
+                #foreach ($s in $subjectContext.getSubjects())
+                    #foreach ($p in $s.getPrincipals())
+                      <small>$encoder.encodeForHTML($p)</small></br/>
+                    #end
+                  #end</p>
+                
+                #if ($attributeContext && !$attributeContext.getUnfilteredIdPAttributes().isEmpty())
 
-      <footer>
-        <div class="container container-footer">
-          <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
-        </div>
-      </footer>
-    </div>
-  </body>
+                    <p><strong>Attributes</strong><br/>
+                        #foreach ($a in $attributeContext.getUnfilteredIdPAttributes())
+                          #if (!$a.getValues().isEmpty())
+                            <small><strong>$encoder.encodeForHTML($a.getId())</strong></small><br/>
+                              #foreach ($v in $a.getValues())
+                                <small>$encoder.encodeForHTML($v.getDisplayValue())</small><br/>
+                              #end
+                          #end
+                        #end
+                      #end
+                    </p>
+                    
+                <a class="button button--secondary" href="$request.getContextPath()/profile/admin/hello">#springMessageText("hello-world.reload", "Reload the Page")</a>
+            </section>
+        </main>
+        <footer class="footer">
+            <div class="cc">
+                <p>#springMessageText("idp.footer", "Insert your footer text here.")</p>
+            </div>
+        </footer>
+    </body>
 </html>
diff --git a/views/client-storage/client-storage-read.vm b/views/client-storage/client-storage-read.vm
index 1993c14..1afe818 100644
--- a/views/client-storage/client-storage-read.vm
+++ b/views/client-storage/client-storage-read.vm
@@ -17,37 +17,32 @@
 <!DOCTYPE html>
 <html>
     <head>
-        <meta charset="utf-8" />
-        <meta name="viewport" content="width=device-width,initial-scale=1.0">
         <title>$title - $titleSuffix</title>
-        <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
+        <meta charset="UTF-8" />
+        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0">
+        <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")">
         <script>
         <!--
-        #include( "client-storage/local-storage-read.js" )
+        #include("client-storage/local-storage-read.js")
         // -->
         </script>
     </head>
-    <body onload="doLoad()">
-        <div class="wrapper">
-            <div class="container">
-                <header>
-                    <h3>$title - $titleSuffix</h3>
-                </header>
-                <div class="content">
-                $springMacroRequestContext.getMessage("idp.client-storage-read.text", "Loading login session information from the browser...")
-                </div>
+    <body onload="doLoad()">        
+        <main class="main">
+            <section>
+                <h1>$title - $titleSuffix</h1>
+                <p>$springMacroRequestContext.getMessage("idp.client-storage-read.text", "Loading login session information from the browser...")</p>
                 <noscript>
-                    <div class="content">
                     $springMacroRequestContext.getMessage("idp.client-storage.no-js", "Since your browser does not support JavaScript, you must press the Continue button once to proceed.")
-                    </div>
                 </noscript>
-                #parse( "client-storage/read.vm" )
+                #parse("client-storage/read.vm")
+            </section>
+        </main>
+        <footer class="footer">
+            <div class="cc">
+                <p>#springMessageText("idp.footer", "Insert your footer text here.")</p>
             </div>
-            <footer>
-                <div class="container container-footer">
-                    <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
-                </div>
-            </footer>
-        </div>
+        </footer>
     </body>
 </html>
diff --git a/views/client-storage/client-storage-write.vm b/views/client-storage/client-storage-write.vm
index 4b92d6b..066cbdb 100644
--- a/views/client-storage/client-storage-write.vm
+++ b/views/client-storage/client-storage-write.vm
@@ -17,37 +17,34 @@
 <!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
     <head>
-        <meta charset="utf-8" />
-        <meta name="viewport" content="width=device-width,initial-scale=1.0">
         <title>$title - $titleSuffix</title>
-        <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
+        <meta charset="UTF-8" />
+        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0">
+        <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")">
         <script>
         <!--
-        #include( "client-storage/local-storage-write.js" )
+        #include("client-storage/local-storage-write.js")
         // -->
         </script>
     </head>
-    <body onload="doSave()">
-        <div class="wrapper">
-            <div class="container">
-                <header>
-                    <h3>$title - $titleSuffix</h3>
-                </header>
-                <div class="content">
-                $springMacroRequestContext.getMessage("idp.client-storage-write.text", "Saving login session information to the browser...")
-                </div>
+    <body onload="doSave()">    
+        <main class="main">
+            <section>
+                <h1>$title - $titleSuffix</h1>
+                <p>$springMacroRequestContext.getMessage("idp.client-storage-write.text", "Saving login session information to the browser...")</p>
                 <noscript>
                     <div class="content">
                     $springMacroRequestContext.getMessage("idp.client-storage.no-js", "Since your browser does not support JavaScript, you must press the Continue button once to proceed.")
                     </div>
                 </noscript>
-                #parse( "client-storage/write.vm" )
+                #parse("client-storage/write.vm")
+            </section>
+        </main>
+        <footer class="footer">
+            <div class="cc">
+                <p>#springMessageText("idp.footer", "Insert your footer text here.")</p>
             </div>
-            <footer>
-                <div class="container container-footer">
-                    <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
-                </div>
-            </footer>
-        </div>
+        </footer>
     </body>
 </html>
\ No newline at end of file
diff --git a/views/error.vm b/views/error.vm
index a44bd6f..0f01e89 100644
--- a/views/error.vm
+++ b/views/error.vm
@@ -1,7 +1,10 @@
 ##
 ## Velocity Template for error end-state
 ##
-## Velocity context will contain the following properties
+## Velocity context will contain the following variables during controlled errors.
+## Some error paths involve runtime exceptions handled outside Spring Web Flow by the
+## MVC layer and will not generally populate most of these variables.
+##
 ## flowRequestContext - the Spring Web Flow RequestContext
 ## profileRequestContext - root of context tree
 ## encoder - HTMLEncoder class
@@ -45,31 +48,27 @@
 <!DOCTYPE html>
 <html>
     <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width,initial-scale=1.0">
-        <title>$title - $titleSuffix</title>
-        <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
+        <meta charset="UTF-8" />
+        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0">
+        <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")">
     </head>
   	
     <body>
-    <div class="wrapper">
-    	<div class="container">
-        	<header>
-				<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
-				<h3>$title - $titleSuffix</h3>
-			</header>
-		
-        	<div class="content">
-            #evaluate($message)
+        <main class="main">
+            <header>
+                <img class="main-logo" src="$request.getContextPath()#springMessageText("idp.logo", "/images/placeholder-logo.png")" alt="#springMessageText("idp.logo.alt-text", "logo")" />
+            </header>
+            
+            <section>
+                <h1>$title - $titleSuffix</h1>
+                <p>#evaluate($message)</p>
+            </section>
+        </main>
+        <footer class="footer">
+            <div class="cc">
+                <p>#springMessageText("idp.footer", "Insert your footer text here.")</p>
             </div>
-    	</div>
-
-      	<footer>
-        	<div class="container container-footer">
-          		<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
-        	</div>
-      	</footer>
-      	
-    </div>
+        </footer>
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/views/login-error.vm b/views/login-error.vm
index 224976b..4a9e641 100644
--- a/views/login-error.vm
+++ b/views/login-error.vm
@@ -2,11 +2,11 @@
 ##
 ## authenticationErrorContext - context containing error data, if available
 ##
-#if ($authenticationErrorContext && $authenticationErrorContext.getClassifiedErrors().size() > 0)
+#if ($authenticationErrorContext && $authenticationErrorContext.getClassifiedErrors().size() > 0 && !$authenticationErrorContext.getClassifiedErrors().contains('AuthenticationException'))
     ## This handles errors that are classified by the message maps in the authentication config.
     #set ($eventId = $authenticationErrorContext.getClassifiedErrors().iterator().next())
     #if ($eventId != "ReselectFlow")
-        #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "login"))
+        #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "authn"))
         #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "Login Failure: $eventId"))
     #end
 #elseif ($authenticationErrorContext && $authenticationErrorContext.getExceptions().size() > 0)
@@ -20,7 +20,5 @@
 #end
 
 #if ($message)
-    <section>
-        <p class="form-element form-error">$encoder.encodeForHTML($message)</p>
-    </section>
+    <p class="output-message output--error">$encoder.encodeForHTML($message)</p>
 #end
diff --git a/views/login.vm b/views/login.vm
index c7b15c9..20ed38e 100644
--- a/views/login.vm
+++ b/views/login.vm
@@ -11,134 +11,96 @@
 ## authenticationWarningContext - context with login warning state
 ## ldapResponseContext - context with LDAP state (if using native LDAP)
 ## rpUIContext - the context with SP UI information from the metadata
-## extendedAuthenticationFlows - collection of "extended" AuthenticationFlowDescriptor objects
-## passwordPrincipals - contents of the shibboleth.authn.Password.PrincipalOverride bean
 ## encoder - HTMLEncoder class
 ## request - HttpServletRequest
 ## response - HttpServletResponse
 ## environment - Spring Environment object for property resolution
 ## custom - arbitrary object injected by deployer
 ##
-#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext'))
+#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.profile.context.RelyingPartyContext'))
 #set ($username = $authenticationContext.getSubcontext('net.shibboleth.idp.authn.context.UsernamePasswordContext', true).getUsername())
-#set ($passwordEnabled = false)
-#if (!$passwordPrincipals or $passwordPrincipals.isEmpty() or $authenticationContext.isAcceptable($passwordPrincipals))
-  #set ($passwordEnabled = true)
-#end
 ##
 <!DOCTYPE html>
 <html>
     <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width,initial-scale=1.0">
         <title>#springMessageText("idp.title", "Web Login Service")</title>
-        <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
+        <meta charset="UTF-8" />
+        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0">
+        <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")">
     </head>
     <body>
-    <div class="wrapper">
-      <div class="container">
-        <header>
-          <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
-        </header>
+        <main class="main">
+            <header>
+                <img class="main-logo" src="$request.getContextPath()#springMessageText("idp.logo", "/images/placeholder-logo.png")" alt="#springMessageText("idp.logo.alt-text", "logo")" />
+                
+                #set ($serviceName = $rpUIContext.serviceName)
+                #if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName))
+                    <h1>#springMessageText("idp.login.loginTo", "Login to") $encoder.encodeForHTML($serviceName)</h1>
+                #end
+            </header>
+            
+            <section>
+                <form action="$flowExecutionUrl" method="post">
+                    #parse("csrf/csrf.vm")
 
-        <div class="content">
-          <div class="column one">
-            #parse("login-error.vm")
+                    #*
+                    //
+                    //    SP Description & Logo (optional)
+                    //    These idpui lines will display added information (if available
+                    //    in the metadata) about the Service Provider (SP) that requested
+                    //    authentication. These idpui lines are "active" in this example
+                    //    (not commented out) - this extra SP info will be displayed.
+                    //    Remove or comment out these lines to stop the display of the
+                    //    added SP information.
+                    //
+                    *#
+                    #set ($logo = $rpUIContext.getLogo())
+                    #if ($logo)
+                        <img class="service-logo" src= "$encoder.encodeForHTMLAttribute($logo)" alt="$encoder.encodeForHTMLAttribute($serviceName)">
+                    #end
+                    #set ($desc = $rpUIContext.getServiceDescription())
+                    #if ($desc)
+                        <p>$encoder.encodeForHTML($desc)</p>
+                    #end
+                            
+                    #parse("login-error.vm")
 
-            <form action="$flowExecutionUrl" method="post">
-            #parse("csrf/csrf.vm")
-            #set ($serviceName = $rpUIContext.serviceName)
-            #if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName))
-              <legend>
-                #springMessageText("idp.login.loginTo", "Login to") $encoder.encodeForHTML($serviceName)
-              </legend>
-            #end
+                    <label for="username">#springMessageText("idp.login.username", "Username")</label>
+                    <input id="username" name="j_username" type="text"
+                        value="#if($username)$encoder.encodeForHTML($username)#end" />
                         
-            #if ($passwordEnabled)
-              <div class="form-element-wrapper">
-                <label for="username">#springMessageText("idp.login.username", "Username")</label>
-                <input class="form-element form-field" id="username" name="j_username" type="text"
-                    value="#if($username)$encoder.encodeForHTML($username)#end" />
-              </div>
-
-              <div class="form-element-wrapper">
-                <label for="password">#springMessageText("idp.login.password", "Password")</label>
-                <input class="form-element form-field" id="password" name="j_password" type="password" value="" />
-              </div>
-
-              ## You may need to modify this to taste, such as changing the flow name its checking for to authn/MFA.
-              #if (!$authenticationContext.getActiveResults().containsKey('authn/Password'))
-              <div class="form-element-wrapper">
-                <input type="checkbox" name="donotcache" value="1" id="donotcache">
-                <label for="donotcache">#springMessageText("idp.login.donotcache", "Don't Remember Login")</label>
-               </div>
-              #end
-              
-            #end
-
-              <div class="form-element-wrapper">
-                <input id="_shib_idp_revokeConsent" type="checkbox" name="_shib_idp_revokeConsent" value="true" />
-                <label for="_shib_idp_revokeConsent">#springMessageText("idp.attribute-release.revoke", "Clear prior granting of permission for release of your information to this service.")</label>
-              </div>
-
-            #if ($passwordEnabled)
-              <div class="form-element-wrapper">
-                <button class="form-element form-button" type="submit" name="_eventId_proceed"
-                    onClick="this.childNodes[0].nodeValue='#springMessageText("idp.login.pleasewait", "Logging in, please wait...")'"
-                    >#springMessageText("idp.login.login", "Login")</button>
-              </div>
-            #end
-
-            #foreach ($extFlow in $extendedAuthenticationFlows)
-              #if ($authenticationContext.isAcceptable($extFlow) and $extFlow.test(profileRequestContext))
-                <div class="form-element-wrapper">
-                  <button class="form-element form-button" type="submit" name="_eventId_$extFlow.getId()">
-                    #springMessageText("idp.login.$extFlow.getId().replace('authn/','')", $extFlow.getId().replace('authn/',''))
-                  </button>
-                </div>
-              #end
-            #end
-            </form>
-
-            #*
-              //
-              //    SP Description & Logo (optional)
-              //    These idpui lines will display added information (if available
-              //    in the metadata) about the Service Provider (SP) that requested
-              //    authentication. These idpui lines are "active" in this example
-              //    (not commented out) - this extra SP info will be displayed.
-              //    Remove or comment out these lines to stop the display of the
-              //    added SP information.
-              //
-            *#
-            #set ($logo = $rpUIContext.getLogo())
-            #if ($logo)
-              <img src= "$encoder.encodeForHTMLAttribute($logo)"
-                  alt="$encoder.encodeForHTMLAttribute($serviceName)">
-            #end
-            #set ($desc = $rpUIContext.getServiceDescription())
-            #if ($desc)
-              $encoder.encodeForHTML($desc)
-            #end
-            
-          </div>
-          <div class="column two">
-            <ul class="list list-help">
-              #if ($passwordEnabled)
-                <li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", '#')"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
-              #end
-              <li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", '#')"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li>
-            </ul>
-          </div>
-        </div>
-      </div>
-
-      <footer>
-        <div class="container container-footer">
-          <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
-        </div>
-      </footer>
-    </div>
+                    <label for="password">#springMessageText("idp.login.password", "Password")</label>
+                    <input type="password" name="j_password" id="password" value="" />
+    
+                    ## You may need to modify this to taste, such as changing the flow name checked to authn/MFA.
+                    #if (!$authenticationContext.getActiveResults().containsKey('authn/Password'))
+                        <input type="checkbox" name="donotcache" value="1" id="donotcache" />
+                        <label for="donotcache">#springMessageText("idp.login.donotcache", "Don't Remember Login")</label>
+                    #end
+    
+                    <input id="_shib_idp_revokeConsent" type="checkbox" name="_shib_idp_revokeConsent" value="true" />
+                    <label for="_shib_idp_revokeConsent">#springMessageText("idp.attribute-release.revoke", "Clear prior granting of permission for release of your information to this service.")</label>
+    
+                    <div class="grid">
+                        <div class="grid-item">
+                            <button type="submit" name="_eventId_proceed"
+                                onClick="this.childNodes[0].nodeValue='#springMessageText("idp.login.pleasewait", "Logging in, please wait...")'"
+                                >#springMessageText("idp.login.login", "Login")</button>
+                        </div>
+                    </div>
+                </form>
     
+                <ul>
+                    <li><a href="#springMessageText("idp.url.password.reset", '#')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
+                    <li><a href="#springMessageText("idp.url.helpdesk", '#')">#springMessageText("idp.login.needHelp", "Need Help?")</a></li>
+                </ul>
+            </section>
+        </main>
+        <footer class="footer">
+            <div class="cc">
+                <p>#springMessageText("idp.footer", "Insert your footer text here.")</p>
+            </div>
+        </footer>
      </body>
 </html>
\ No newline at end of file
diff --git a/views/logout-complete.vm b/views/logout-complete.vm
index 7341e69..2d332ea 100644
--- a/views/logout-complete.vm
+++ b/views/logout-complete.vm
@@ -19,49 +19,43 @@
 <!DOCTYPE html>
 <html>
     <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width,initial-scale=1.0">
         <title>#springMessageText("idp.title", "Web Login Service")</title>
-        <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
+        <meta charset="UTF-8" />
+        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0">
+        <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")">
     </head>
 
     <body>
-    <div class="wrapper">
-      <div class="container">
-        <header>
-          <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
-        </header>
-
-        <div class="content">
-          <div class="column one">
-          #if ($activeIdPSessions)
-            <p>#springMessageText("idp.logout.cancelled", "Logout has been cancelled.")</p>
-          #elseif ($activeSPSessions)
-            <p>#springMessageText("idp.logout.local", "You elected not to log out of all the applications accessed during your session.")</p>
-          #else
-            <p>#springMessageText("idp.logout.complete", "The logout operation is complete, and no other services appear to have been accessed during this session.")</p>
-          #end
-          </div>
-          <div class="column two">
-            <ul class="list list-help">
-              <li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", '#')"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
-              <li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", '#')"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li>
-            </ul>
-          </div>
-        </div>
-      </div>
-
-      <!-- If SAML logout, complete the flow by adding a hidden iframe. -->
-      #if ( $profileRequestContext.getProfileId().contains("saml2/logout") )
-          <iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe>
-      #end
-
-      <footer>
-        <div class="container container-footer">
-          <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
-        </div>
-      </footer>
-    </div>
-    
+        <main class="main">
+            <header>
+                <img class="main-logo" src="$request.getContextPath()#springMessageText("idp.logo", "/images/placeholder-logo.png")" alt="#springMessageText("idp.logo.alt-text", "logo")" />
+            </header>
+            
+            <section>
+            #if ($activeIdPSessions)
+                <h2>#springMessageText("idp.logout.cancelled", "Logout has been cancelled.")</h2>
+            #elseif ($activeSPSessions)
+                <p>#springMessageText("idp.logout.local", "You elected not to log out of all the applications accessed during your session.")</p>
+            #else
+                <p>#springMessageText("idp.logout.complete", "The logout operation is complete, and no other services appear to have been accessed during this session.")</p>
+            #end
+            
+                <ul>
+                    <li><a href="#springMessageText("idp.url.password.reset", '#')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
+                    <li><a href="#springMessageText("idp.url.helpdesk", '#')">#springMessageText("idp.login.needHelp", "Need Help?")</a></li>
+                </ul>
+                
+              <!-- If SAML logout, complete the flow by adding a hidden iframe. -->
+              #if ( $profileRequestContext.getProfileId().contains("saml2/logout") )
+                  <iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe>
+              #end
+            </section>
+        </main>
+        <footer class="footer">
+            <div class="cc">
+                <p>#springMessageText("idp.footer", "Insert your footer text here.")</p>
+            </div>
+        </footer>
  	</body>
 </html>
\ No newline at end of file
diff --git a/views/logout-propagate.vm b/views/logout-propagate.vm
index 470eff5..ab73382 100644
--- a/views/logout-propagate.vm
+++ b/views/logout-propagate.vm
@@ -16,43 +16,42 @@
 ## environment - Spring Environment object for property resolution
 ## custom - arbitrary object injected by deployer
 ##
+#set ($hidden = $environment.getProperty("idp.logout.propagationHidden", "false"))
 <!DOCTYPE html>
 <html>
     <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width,initial-scale=1.0">
         <title>#springMessageText("idp.title", "Web Login Service")</title>
-        <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
+        <meta charset="UTF-8" />
+        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0">
+        <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")">
         <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/logout.css">
     </head>
 
     <body>
-    <div class="wrapper">
-      <div class="container">
-        <header>
-          <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
-        </header>
-
-        <div class="content">
-          <div class="column one">
-              <p>#springMessageText("idp.logout.attempt", "Attempting to log out of the following services:")</p>
-              #parse("logout/propagate.vm")
-          </div>
-          <div class="column two">
-            <ul class="list list-help">
-              <li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", '#')"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
-              <li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", '#')"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li>
-            </ul>
-          </div>
-        </div>
-      </div>
-
-      <footer>
-        <div class="container container-footer">
-          <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
-        </div>
-      </footer>
-    </div>
-    
+        <main class="main">
+            <header>
+                <img class="main-logo" src="$request.getContextPath()#springMessageText("idp.logo", "/images/placeholder-logo.png")" alt="#springMessageText("idp.logo.alt-text", "logo")" />
+            </header>
+            
+            <section>
+                #if($hidden == "true")
+                <p>#springMessageText("idp.logout.hidden", "Your single sign-on session has been terminated, but you are still logged into many of the services you have accessed during your session.")</p>
+                #else
+                <h1>#springMessageText("idp.logout.attempt", "Attempting to log out of the following services:")</h1>
+                #end
+                #parse("logout/propagate.vm")
+                
+                <ul>
+                    <li><a href="#springMessageText("idp.url.password.reset", '#')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
+                    <li><a href="#springMessageText("idp.url.helpdesk", '#')">#springMessageText("idp.login.needHelp", "Need Help?")</a></li>
+                </ul>
+            </section>
+        </main>
+        <footer class="footer">
+            <div class="cc">
+                <p>#springMessageText("idp.footer", "Insert your footer text here.")</p>
+            </div>
+        </footer>
  	</body>
 </html>
\ No newline at end of file
diff --git a/views/logout.vm b/views/logout.vm
index 3d8d50b..ab01600 100644
--- a/views/logout.vm
+++ b/views/logout.vm
@@ -14,7 +14,7 @@
 ## environment - Spring Environment object for property resolution
 ## custom - arbitrary object injected by deployer
 ##
-#set ($rpContext = $profileRequestContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext"))
+#set ($rpContext = $profileRequestContext.getSubcontext("net.shibboleth.profile.context.RelyingPartyContext"))
 #if ($rpContext)
 #set ($rpUIContext = $rpContext.getSubcontext("net.shibboleth.idp.ui.context.RelyingPartyUIContext"))
 #end
@@ -23,30 +23,30 @@
 <!DOCTYPE html>
 <html>
     <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width,initial-scale=1.0">
+        <title>#springMessageText("idp.title", "Web Login Service")</title>
+        <meta charset="UTF-8" />
+        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0">
         #if ($promptForSP)
             <meta http-equiv="refresh" content="10;url=$flowExecutionUrl&_eventId=propagate">
         #elseif ($promptForIdP)
             <meta http-equiv="refresh" content="10;url=$flowExecutionUrl&_eventId=local">
         #end
-        <title>#springMessageText("idp.title", "Web Login Service")</title>
-        <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
+        <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")">
     </head>
 
-    <body>
-    <div class="wrapper">   
-      <div class="container">
-        <header>
-          <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
-        </header>
+   <body>
+        <main class="main">
+            <header>
+                <img class="main-logo" src="$request.getContextPath()#springMessageText("idp.logo", "/images/placeholder-logo.png")" alt="#springMessageText("idp.logo.alt-text", "logo")" />
+            </header>
 
-        <div class="content">
-          <div class="column one">
-            <p>This page is displayed when a logout operation at the Identity Provider completes. This page is an example
-            and should be customized. It is not fully internationalized because the presentation will be a highly localized
-            decision, and we don't have a good suggestion for a default.</p>
-            <br>
+            <section>
+                <div class="output-message">
+                    <p><strong>Note for deployers:</strong> This page is displayed when a logout operation at the Identity Provider completes.
+                    This page is an example and should be customized. It is not fully internationalized because the presentation will be a highly localized decision,
+                    and we don't have a good suggestion for a default.</p>
+                </div>
     
             #if ($rpContext)
               <p>#springMessageText("idp.logout.sp-initiated", "You have been logged out of the following service:")</p>
@@ -66,17 +66,13 @@
 
               <form id="propagate_form" method="POST" action="$flowExecutionUrl">
                 
-                <div class="form-element-wrapper">
-                  <button id="logout_local" class="form-element form-button" type="submit" name="_eventId" value="local">#springMessageText("idp.logout.idponly", "Logout Locally")</button>
+                  <p><button id="logout_local" type="submit" name="_eventId" value="local">#springMessageText("idp.logout.idponly", "Logout Locally")</button></p>
                   <p>#springMessageText("idp.logout.idponly.caption", "End your SSO session.")</p>
-                </div>
             #end
 
             #if ($promptForSP)
-                <div class="form-element-wrapper">
-                  <button id="logout_propagate" class="form-element form-button" type="submit" name="_eventId" value="propagate">#springMessageText("idp.logout.global", "Logout Globally")</button>
+                  <p><button id="logout_propagate" type="submit" name="_eventId" value="propagate">#springMessageText("idp.logout.global", "Logout Globally")</button></p>
                   <p>#springMessageText("idp.logout.global.caption", "End your SSO session and attempt logout of services accessed during session.")</p>
-                  <br>
                   <p>#springMessageText("idp.logout.contactServices", "If instructed, the system will attempt to contact the following services:")</p>
                   <ol>
                   #foreach ($sp in $logoutContext.getSessionMap().keySet())
@@ -91,15 +87,11 @@
                     #end
                   #end
                   </ol>
-                  <br>
-                </div>
             #end
 
             #if ($promptForIdP)
-                <div class="form-element-wrapper">
-                  <button id="logout_cancel" class="form-element form-button" type="submit" name="_eventId" value="end">#springMessageText("idp.logout.cancel", "Cancel")</button>
+                  <p><button class="button--secondary" id="logout_cancel" type="submit" name="_eventId" value="end">#springMessageText("idp.logout.cancel", "Cancel")</button></p>
                   <p>#springMessageText("idp.logout.cancel.caption", "Cancel logout and retain your SSO session.")</p>
-                </div>
             #end
             
             #if ($promptForIdP or $promptForSP)
@@ -110,22 +102,17 @@
                 <iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe>
             #end
 
-          </div>
-          <div class="column two">
-            <ul class="list list-help">
-              <li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", '#')"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
-              <li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", '#')"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li>
-            </ul>
-          </div>
-        </div>
-      </div>
-
-      <footer>
-        <div class="container container-footer">
-          <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
-        </div>
-      </footer>
-    </div>
-    
-  </body>
+                <ul>
+                    <li><a href="#springMessageText("idp.url.password.reset", '#')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
+                    <li><a href="#springMessageText("idp.url.helpdesk", '#')">#springMessageText("idp.login.needHelp", "Need Help?")</a></li>
+                </ul>
+            </section>
+            
+        </main>
+        <footer class="footer">
+            <div class="cc">
+                <p>#springMessageText("idp.footer", "Insert your footer text here.")</p>
+            </div>
+        </footer>
+    </body>
 </html>
\ No newline at end of file
diff --git a/views/user-prefs.js b/views/user-prefs.js
deleted file mode 100644
index ab994f9..0000000
--- a/views/user-prefs.js
+++ /dev/null
@@ -1,45 +0,0 @@
-"use strict";
-
-function createCookie(name, value, seconds) {
-    var date = new Date();
-    date.setTime(date.getTime() + (seconds * 1000));
-    var expires = "; expires=" + date.toGMTString();
-    
-    var path = '$environment.getProperty("idp.cookie.path", $request.getContextPath())';
-    if (path.length > 0)
-        path = "; path=" + path;
-    document.cookie = name + "=" + value + expires + path;
-}
-
-function eraseCookie(name) {
-    createCookie(name, "", -31536000);
-}
-
-function readCookie(name) {
-    var nameEQ = name + "=";
-    var ca = document.cookie.split(';');
-    for (var i = 0; i < ca.length; i++) {
-        var c = ca[i];
-        while (c.charAt(0) == ' ')
-            c = c.substring(1, c.length);
-        if (c.indexOf(nameEQ) == 0)
-            return c.substring(nameEQ.length, c.length);
-    }
-    return null;
-}
-
-function load(id) {
-    var checkbox = document.getElementById(id);
-    if (checkbox != null) {
-        var spnego = readCookie(checkbox.name);
-        checkbox.checked = (spnego == "1");
-    }
-}
-
-function check(checkbox) {
-    if (checkbox.checked) {
-        createCookie(checkbox.name, checkbox.value, $environment.getProperty("idp.cookie.maxAge","31536000"));
-    } else {
-        eraseCookie(checkbox.name);
-    }
-}
diff --git a/views/user-prefs.vm b/views/user-prefs.vm
deleted file mode 100644
index 8de0503..0000000
--- a/views/user-prefs.vm
+++ /dev/null
@@ -1,60 +0,0 @@
-##
-## Velocity Template for user preferences view
-##
-## Velocity context will contain the following properties
-## request - HttpServletRequest
-## response - HttpServletResponse
-## environment - Spring Environment object for property resolution
-## custom - arbitrary object injected by deployer
-##
-<!DOCTYPE html>
-<html>
-    <head>
-    	<meta charset="utf-8">
-    	<meta name="viewport" content="width=device-width,initial-scale=1.0">
-    	<title>#springMessageText("idp.userprefs.title", "Web Login Service") - #springMessageText("idp.userprefs.title.suffix", "Login Preferences")</title>
-    	<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
-    	<script language="Javascript">
-    	<!--
-    	#parse( "user-prefs.js" )
-    	// -->
-    	</script>
-    </head>
-    <body onLoad="document.getElementById('content').style.display='block'; load('spnego')">
-    <div class="wrapper">
-      <div class="container">
-        <header>
-          <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
-          <h3>#springMessageText("idp.title", "Web Login Service") - #springMessageText("idp.userprefs.title.suffix", "Login Preferences")</h3>
-          <p>
-          #springMessage("idp.userprefs.info")
-          </p>
-        </header>
-
-        <noscript>
-          <div id="content" class="content">
-            $springMacroRequestContext.getMessage("idp.userprefs.no-js", "This feature requires Javascript.")
-          </div>
-        </noscript>
-        
-        <div id="content" class="content" style="display:none">
-          <div class="form-element-wrapper">
-          <h4>#springMessageText("idp.userprefs.options", "The following options are available:")</h4>
-          </div>
-
-          <div class="form-element-wrapper">
-            <input type="checkbox" id="spnego" name="_idp_spnego_autologin" value="1" onClick="check(this)">
-            #springMessageText("idp.userprefs.spnego", "Automatically try desktop login when available.")
-          </div>
-        </div>
-      </div>
-
-      <footer>
-        <div class="container container-footer">
-          <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
-        </div>
-      </footer>
-    </div>
-    
- 	</body>
-</html>