diff --git a/Workbench/configs-and-secrets/midpoint/application/cert.pem b/Workbench/configs-and-secrets/midpoint/application/cert.pem
new file mode 100644
index 0000000..0dbb064
--- /dev/null
+++ b/Workbench/configs-and-secrets/midpoint/application/cert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE0DCCBHWgAwIBAgIRAK8LnrzhkHuEPH4q+WOqLjAwCgYIKoZIzj0EAwIwRDEL
+MAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEhMB8GA1UEAxMYSW5Db21t
+b24gRUNDIFNlcnZlciBDQSAyMB4XDTIzMTEwOTAwMDAwMFoXDTI0MTEwODIzNTk1
+OVowXjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1pY2hpZ2FuMRYwFAYDVQQKEw1J
+bkNvbW1vbiwgTExDMSQwIgYDVQQDExt0ZXN0LndvcmtiZW5jaC5pbmNvbW1vbi5v
+cmcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASVo9lNdC8c3yUIUoMS7wRadzsX
+bhSSgK4PCEV5FOPNYcsnFEc4fdt9ZiOeWmrlwVkq5Z/DzPLFXaD9PK60b/7Go4ID
+LDCCAygwHwYDVR0jBBgwFoAUMl8K2RhZ7UFxIdXuCeLZr7LXD7EwHQYDVR0OBBYE
+FBqIz6rIuIlLz74StmPXbI6kVQstMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8E
+AjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQG
+CysGAQQBsjEBAgJnMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20v
+Q1BTMAgGBmeBDAECAjBABgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLnNlY3Rp
+Z28uY29tL0luQ29tbW9uRUNDU2VydmVyQ0EyLmNybDBwBggrBgEFBQcBAQRkMGIw
+OwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuc2VjdGlnby5jb20vSW5Db21tb25FQ0NT
+ZXJ2ZXJDQTIuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNv
+bTAmBgNVHREEHzAdght0ZXN0LndvcmtiZW5jaC5pbmNvbW1vbi5vcmcwggGABgor
+BgEEAdZ5AgQCBIIBcASCAWwBagB2AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf
+5mdMWjp0AAABi7SpW/wAAAQDAEcwRQIgFccZe61hXAV8a5jwbeMBVKQC54Ii0QP7
+TGb+liXz8eQCIQD88vXok9Gz0y2nlarz9xFe3y/QkN8ubF0w2lK2g0uLwQB3AD8X
+S0/XIkdYlB1lHIS+DRLtkDd/H4Vq68G/KIXs+GRuAAABi7SpXB4AAAQDAEgwRgIh
+AN2X04k3SzVn2rRBKoBhx7FJPtyJ3gGrQzB3yCrzcz/RAiEAj6ugl5T9zMnpiOl6
+VSwpx2vEqk9i7CCZRfM6tyZBkBQAdwDuzdBk1dsazsVct520zROiModGfLzs3sNR
+SFlGcR+1mwAAAYu0qVwjAAAEAwBIMEYCIQDLAnC4IYrJAy2B61GlBqK13bYHh1cE
+FPlT0R0LEsNYaAIhAO6YNe0aQmBG5ZI4m1dVlhwyTCEqgKnQFyBuWm9N9nwOMAoG
+CCqGSM49BAMCA0kAMEYCIQCeDcX7iV+NpkJn+DE+VgQVxixxnZ9E6mhJXlMpwBpM
+XAIhAIoSwFNJXNv/HcmgBZT4ryBE4uVP0ZyIhmxrOsSYaMmk
+-----END CERTIFICATE-----
diff --git a/Workbench/configs-and-secrets/midpoint/application/keystore_password.txt b/Workbench/configs-and-secrets/midpoint/application/keystore_password.txt
new file mode 100644
index 0000000..1d40192
--- /dev/null
+++ b/Workbench/configs-and-secrets/midpoint/application/keystore_password.txt
@@ -0,0 +1 @@
+changeit
diff --git a/Workbench/directory/container_files/etc/phpMyAdmin/config.inc.php b/Workbench/directory/container_files/etc/phpMyAdmin/config.inc.php
old mode 100644
new mode 100755
diff --git a/Workbench/docker-compose.yml b/Workbench/docker-compose.yml
index df69d2b..8519cb1 100644
--- a/Workbench/docker-compose.yml
+++ b/Workbench/docker-compose.yml
@@ -259,47 +259,55 @@ services:
      - comanage_midpoint_data:/var/lib/postgresql/data
 
   data_init:
-    image: i2incommon/midpoint:4.8.2
+    image: evolveum/midpoint:${MP_VER:-4.8.3}-rockylinux
+    depends_on:
+      midpoint_data:
+        condition: service_healthy
     command: >
-        bash -c "
-        chmod 777 /opt/mp-pw/ ;
-        touch /opt/mp-pw/db_init_in_progress ;
-        echo -e '#!/bin/sh\ntouch /opt/mp-pw/db_init' >/opt/db-init/000-start.sh ;
-        echo -e '#!/bin/sh\necho DB structure init process has finished...\nrm -f /opt/mp-pw/db_init_in_progress /opt/mp-pw/db_init' > /opt/db-init/999-finish.sh ;
-        /opt/midpoint/bin/midpoint.sh init-native
-        "
+      bash -c "
+      cd /opt/midpoint ;
+      bin/midpoint.sh init-native ;
+      echo ' - - - - - - ' ;
+      bin/ninja.sh -B info >/dev/null 2>/tmp/ninja.log ;
+      grep -q \"ERROR\" /tmp/ninja.log && (
+      bin/ninja.sh run-sql --create --mode REPOSITORY  ;
+      bin/ninja.sh run-sql --create --mode AUDIT
+      ) ||
+      echo -e '\\n Repository init is not needed...' ;
+      if [ $$(keytool -list -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /run/secrets/m_keystore_password.txt | grep -c 'local_gen_cert') -eq 0 ] ;
+      then
+      keytool -importcert -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /run/secrets/m_keystore_password.txt -trustcacerts -alias 'local_gen_cert' -file /run/secrets/mp_host-cert.pem -noprompt ;
+      else
+        echo 'Certificate exists in the cert store' ;
+      fi ;
+      cp /opt/midpoint/csv_in/cs-portal.csv /opt/midpoint/var/ ;
+      cp /opt/midpoint/csv_in/faculty-portal.csv /opt/midpoint/var/ ;
+      cp /opt/midpoint/csv_in/mailing-lists.csv /opt/midpoint/var/ ;
+      cp -R /opt/midpoint/mp-home-in/* /opt/midpoint/var/ ;
+      "
     environment:
-     - MP_INIT_DB_CONCAT=/opt/db-init/init.sql
-     - MP_DB_PW=/run/secrets/m_database_password.txt
-     - MP_PW_DEF=/opt/mp-pw/keystorepw
+     - MP_SET_midpoint_repository_jdbcUsername=midpoint
+     - MP_SET_midpoint_repository_jdbcPassword_FILE=/run/secrets/m_database_password.txt
+     - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint
+     - MP_SET_midpoint_repository_database=postgresql
+     - MP_INIT_CFG=/opt/midpoint/var
+     - MP_PW_DEF=/run/secrets/m_keystore_password.txt
+     - MP_KEYSTORE=/opt/midpoint/var/keystore.jceks
+    networks:
+     - net
     secrets:
      - m_database_password.txt
+     - m_keystore_password.txt
+     - mp_host-cert.pem
     volumes:
-     - db_init:/opt/db-init
-     - mp_pw:/opt/mp-pw
+     - midpoint_home:/opt/midpoint/var
+     - ./midpoint_server/container_files/mp-home/:/opt/midpoint/mp-home-in/
+     - ./midpoint_server/container_files/mp-home/cs-portal.csv:/opt/midpoint/csv_in/cs-portal.csv
+     - ./midpoint_server/container_files/mp-home/faculty-portal.csv:/opt/midpoint/csv_in/faculty-portal.csv
+     - ./midpoint_server/container_files/mp-home/mailing-lists.csv:/opt/midpoint/csv_in/mailing-lists.csv
 
   midpoint_data:
-    image: postgres:13-alpine
-    command: >
-        bash -c "
-        rm -f /var/lib/postgresql/data/postmaster.pid ;
-        while [ ! -s /run/secrets/m_database_password.txt -o -e /opt/mp-pw/init_in_progress ] ; do
-         echo 'Waiting to the end of the init process...';
-         sleep 1;
-        done ;
-        {
-         sleep 2 ;
-         if [ ! -e /opt/mp-pw/db_init -a -e /opt/mp-pw/db_init_in_progress ] ;
-          then echo 'DB init did not start...' ;
-          rm -f /opt/mp-pw/db_ini*;
-          echo 'The lock files has been removed...';
-         fi ;
-        } &
-        docker-entrypoint.sh postgres
-        "
-    user: "70:70"
-    depends_on:
-     - data_init
+    image: postgres:16-alpine
     environment:
      - POSTGRES_PASSWORD_FILE=/run/secrets/m_database_password.txt
      - POSTGRES_USER=midpoint
@@ -309,66 +317,54 @@ services:
     ports:
      - 5432:5432 
     healthcheck:
-      test: /usr/local/bin/pg_isready
-      interval: 30s
-      timeout: 30s
-      retries: 3
+      test: [ "CMD-SHELL", "pg_isready -d midpoint -U midpoint" ]
+      interval: 5s
+      timeout: 10s
+      retries: 4
     networks:
      - net
     volumes:
      - midpoint_data:/var/lib/postgresql/data
-     - db_init:/docker-entrypoint-initdb.d/
-     - mp_pw:/opt/mp-pw
 
   midpoint_server:
-    build:
-      context: ./midpoint_server/
-      args:
-        - CSPHOSTNAME
+    image: evolveum/midpoint:${MP_VER:-4.8.3}-rockylinux
+    container_name: midpoint_server
+    hostname: midpoint-container
     depends_on:
-     - data_init
-     - midpoint_data
-    ports:
-     - 10443:443
+      data_init:
+        condition: service_completed_successfully
+      midpoint_data:
+        condition: service_healthy
+    command: [ "/opt/midpoint/bin/midpoint.sh", "container" ]
+    expose:
+     - 8080
     environment:
-     - ENV
-     - USERTOKEN
-     - REPO_DATABASE_TYPE=postgresql
      - MP_SET_midpoint_repository_jdbcUsername=midpoint
      - MP_SET_midpoint_repository_jdbcPassword_FILE=/run/secrets/m_database_password.txt
      - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint
-     - MP_SET_midpoint_keystore_keyStorePassword_FILE=/opt/mp-pw/keystorepw
+     - MP_SET_midpoint_repository_database=postgresql
+     - MP_SET_midpoint_keystore_keyStorePassword_FILE=/run/secrets/m_keystore_password.txt
+     - MP_SET_server_port=8080
      - MP_SET_server_tomcat_ajp_enabled=true
+     - MP_SET_server_tomcat_ajp_address="0.0.0.0"
      - MP_SET_server_tomcat_ajp_port=9090
      - MP_SET_server_tomcat_ajp_secret=s3cr3t
-     - MP_SET_logging_path=/tmp/logtomcat
+     - MP_SET_midpoint_administrator_initialPassword=Test5ecr3t
      - MP_UNSET_midpoint_repository_hibernateHbm2ddl=1
      - MP_NO_ENV_COMPAT=1
-     - MP_MEM_MAX
-     - MP_MEM_INIT
-     - MP_JAVA_OPTS
-     - TIER_BEACON_OPT_OUT
-     - TIMEZONE
+     - MP_ENTRY_POINT=/opt/midpoint-dirs-docker-entrypoint
     networks:
-      net:
-        aliases:
-         - midpoint-server
+     - net
     secrets:
      - m_database_password.txt
+     - m_keystore_password.txt
      - mp_host-key.pem
      - mp_shibboleth_sp_keys.jks
     volumes:
      - midpoint_home:/opt/midpoint/var
-     - type: bind
-       source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
-       target: /etc/pki/tls/certs/host-cert.pem
-     - type: bind
-       source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
-       target: /etc/pki/tls/certs/cachain.pem
      - type: bind
        source: ./midpoint_server/container_files/csv/source-hr.csv
        target: /opt/midpoint/csv/source-hr.csv
-     - mp_pw:/opt/mp-pw
 
   idp:
     build: 
@@ -475,7 +471,17 @@ services:
      - net
     ports:
      - 443:443
-     
+ 
+  mpproxy:
+    build:  
+      context: ./mpproxy/
+      args:
+        - CSPHOSTNAME
+    networks:
+     - net
+    ports:
+     - 7443:443
+ 
   wordpress_server:
     build: 
       context: ./wordpress_server/
@@ -638,8 +644,12 @@ secrets:
 # midPoint
   m_database_password.txt:
     file: ./configs-and-secrets/midpoint/application/database_password.txt
+  m_keystore_password.txt:
+    file: ./configs-and-secrets/midpoint/application/keystore_password.txt
   mp_host-key.pem:
     file: ./configs-and-secrets/midpoint/httpd/host-key.pem
+  mp_host-cert.pem:
+    file: ./configs-and-secrets/midpoint/httpd/host-cert.pem
   mp_shibboleth_sp_keys.jks:
     file: ./configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks
 # COmanage
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/SecurityPolicy.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/SecurityPolicy.xml
new file mode 100644
index 0000000..b03856a
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/SecurityPolicy.xml
@@ -0,0 +1,89 @@
+  <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="00000000-0000-0000-0000-000000000120" version="2">
+    <name>Default Security Policy</name>
+    <authentication>
+        <modules>
+            <loginForm>
+                <identifier>loginForm</identifier>
+            </loginForm>
+            <httpBasic>
+                <identifier>httpBasic</identifier>
+            </httpBasic>
+            <httpHeader>
+                <identifier>httpHeader</identifier>
+                <usernameHeader>REMOTE_USER</usernameHeader>
+                <logoutUrl>/Shibboleth.sso/Logout</logoutUrl>
+            </httpHeader>
+        </modules>
+        <sequence>
+            <identifier>admin-gui-saml-internal</identifier>
+            <description>
+                Internal SAML2 GUI authentication sequence.
+            </description>
+            <channel>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
+                <default>true</default>
+                <urlSuffix>saml-internal</urlSuffix>
+            </channel>
+            <module>
+                <identifier>httpHeader</identifier>
+                <order>30</order>
+                <necessity>sufficient</necessity>
+            </module>
+        </sequence>
+        <sequence>
+            <identifier>admin-gui-emergency</identifier>
+            <description>
+                Special GUI authentication sequence that is using just the internal user password.
+            </description>
+            <channel>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
+                <default>false</default>
+                <urlSuffix>emergency</urlSuffix>
+            </channel>
+            <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
+            </requireAssignmentTarget>
+            <module>
+                <identifier>loginForm</identifier>
+                <order>30</order>
+                <necessity>sufficient</necessity>
+            </module>
+	</sequence>
+        <sequence>
+            <identifier>rest-default</identifier>
+            <channel>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
+                <default>true</default>
+                <urlSuffix>rest-default</urlSuffix>
+            </channel>
+            <module>
+                <identifier>httpBasic</identifier>
+                <order>1</order>
+                <necessity>sufficient</necessity>
+            </module>
+        </sequence>
+        <sequence>
+            <identifier>actuator-default</identifier>
+            <channel>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId>
+                <default>true</default>
+                <urlSuffix>actuator-default</urlSuffix>
+            </channel>
+            <module>
+                <identifier>httpBasic</identifier>
+                <order>1</order>
+                <necessity>sufficient</necessity>
+            </module>
+        </sequence>
+        <ignoredLocalPath>/actuator/health</ignoredLocalPath>
+    </authentication>
+    <credentials>
+        <password>
+            <minOccurs>0</minOccurs>
+            <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
+            <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
+            <lockoutDuration>PT15M</lockoutDuration>
+            <valuePolicyRef oid="00000000-0000-0000-0000-000000000003"/>
+        </password>
+    </credentials>
+</securityPolicy>
+
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/ordering.txt b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/ordering.txt
deleted file mode 100644
index baf3f06..0000000
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/ordering.txt
+++ /dev/null
@@ -1,21 +0,0 @@
-Notes on objects ordering
-=========================
-
-Objects are ordered to be imported in waves. Objects in each wave can depend only on objects in preceding waves.
-(By depending we mean that the other object should exist in repo in order to assure warning-less import. Usually,
-assigned/induced objects should exist. Objects that are referenced e.g. in groovy code are not required at the
-import time.)
-
-Waves are:
-- 0xx: security policy and system configuration
-- 100: resources (do not depend on anything)
-       root orgs (do not depend on anything)
-       user template (inactive until users are imported)
-       grouper function library (inactive until async updates come)
-- 200: metaroles and roles (contain constructions i.e. references to resources)
-- 300: archetypes (induce resources, root orgs, metaroles)
-- 400: specific orgs i.e. org-grouper-sysadmin (has an archetype)
-- 600: specific users i.e. user-banderson (is in specific orgs)
-- 9xx: bulk actions (testing all resource, recomputing grouper objects)
-       importing scavenger task
-
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml
index ffd8450..e70f49f 100644
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml
@@ -1,52 +1,17 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-  xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-  xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
   <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="00000000-0000-0000-0000-000000000120" version="2">
     <name>Default Security Policy</name>
     <authentication>
         <modules>
             <loginForm>
-                <identifier>internalLoginForm</identifier>
-                <description>Internal username/password authentication, default user password, login form</description>
+                <identifier>loginForm</identifier>
             </loginForm>
             <httpBasic>
-                <identifier>internalBasic</identifier>
-                <description>Internal username/password authentication, using HTTP basic auth</description>
+                <identifier>httpBasic</identifier>
             </httpBasic>
-            <saml2>
-                <identifier>mySamlSso</identifier>
-                <description>My internal enterprise SAML-based SSO system.</description>
-                <serviceProvider>
-                    <entityId>midpointdemo-shibboleth</entityId>
-                    <signRequests>true</signRequests>
-                    <keys>
-                      <activeKeyStoreKey>
-                        <keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath>
-                        <keyStorePassword>
-                          <t:clearValue>changeit</t:clearValue>
-                        </keyStorePassword>
-                        <keyAlias>signing-key</keyAlias>
-                        <keyPassword>
-                          <t:clearValue>password</t:clearValue>
-                        </keyPassword>
-                      </activeKeyStoreKey>
-                    </keys>
-                    <identityProvider>
-                      <entityId>https://idptestbed/idp/shibboleth</entityId>
-                        <metadata>
-                            <pathToFile>/etc/shibboleth/idp-metadata.xml</pathToFile>
-                        </metadata>
-                        <linkText>Shibboleth</linkText>
-                        <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
-                        <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
-                    </identityProvider>
-                </serviceProvider>
-            </saml2>
             <httpHeader>
-              <identifier>httpHeader</identifier>
-	      <logoutUrl>https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/Logout</logoutUrl>
-              <usernameHeader>REMOTE_USER</usernameHeader>
+                <identifier>httpHeader</identifier>
+                <usernameHeader>REMOTE_USER</usernameHeader>
+                <logoutUrl>https://localhost:8443/Shibboleth.sso/Logout</logoutUrl>
             </httpHeader>
         </modules>
         <sequence>
@@ -56,11 +21,11 @@
             </description>
             <channel>
                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
-                <default>false</default>
+                <default>true</default>
                 <urlSuffix>saml-internal</urlSuffix>
             </channel>
             <module>
-                <identifier>mySamlSso</identifier>
+                <identifier>httpHeader</identifier>
                 <order>30</order>
                 <necessity>sufficient</necessity>
             </module>
@@ -78,60 +43,37 @@
             <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
             </requireAssignmentTarget>
             <module>
-                <identifier>internalLoginForm</identifier>
+                <identifier>loginForm</identifier>
                 <order>30</order>
                 <necessity>sufficient</necessity>
             </module>
         </sequence>
         <sequence>
-            <identifier>admin-gui-default</identifier>
-            <description>
-                Special GUI authentication sequence that is using Shibboleth SP
-            </description>
-            <channel>
-                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
-                <default>true</default>
-                <urlSuffix>shib</urlSuffix>
-            </channel>
-            <module>
-                <identifier>httpHeader</identifier>
-                <order>30</order>
-                <necessity>sufficient</necessity>
-            </module>
-        </sequence>
-        <sequence>
-            <identifier>rest</identifier>
-            <description>
-                Authentication sequence for REST service.
-            </description>
+            <identifier>rest-default</identifier>
             <channel>
                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
                 <default>true</default>
                 <urlSuffix>rest-default</urlSuffix>
             </channel>
             <module>
-                <identifier>internalBasic</identifier>
-                <order>10</order>
+                <identifier>httpBasic</identifier>
+                <order>1</order>
                 <necessity>sufficient</necessity>
             </module>
         </sequence>
         <sequence>
-            <identifier>actuator</identifier>
-            <description>
-                Authentication sequence for actuator.
-            </description>
+            <identifier>actuator-default</identifier>
             <channel>
                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId>
                 <default>true</default>
                 <urlSuffix>actuator-default</urlSuffix>
             </channel>
             <module>
-                <identifier>internalBasic</identifier>
-                <order>10</order>
+                <identifier>httpBasic</identifier>
+                <order>1</order>
                 <necessity>sufficient</necessity>
             </module>
         </sequence>
-        <ignoredLocalPath>/actuator</ignoredLocalPath>
         <ignoredLocalPath>/actuator/health</ignoredLocalPath>
     </authentication>
     <credentials>
@@ -140,10 +82,8 @@
             <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
             <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
             <lockoutDuration>PT15M</lockoutDuration>
-            <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="e9d96c61-261a-428d-b21a-d4bc359ea9df" relation="org:default" type="tns:ValuePolicyType">
-            </valuePolicyRef>
+            <valuePolicyRef oid="00000000-0000-0000-0000-000000000003"/>
         </password>
     </credentials>
 </securityPolicy>
 
-</objects>
diff --git a/Workbench/mpproxy/Dockerfile b/Workbench/mpproxy/Dockerfile
new file mode 100644
index 0000000..da3c577
--- /dev/null
+++ b/Workbench/mpproxy/Dockerfile
@@ -0,0 +1,26 @@
+FROM i2incommon/shibboleth_sp:3.4.1_05152024_rocky9_multiarch
+
+ARG CSPHOSTNAME=localhost
+ENV CSPHOSTNAME=$CSPHOSTNAME
+
+RUN dnf -y install php php-json wget php-bcmath jq yum-utils
+
+COPY container_files/httpd/midpoint.conf /etc/httpd/conf.d/
+COPY container_files/httpd/ssl.conf /etc/httpd/conf.d/
+
+COPY container_files/httpd/localhost.crt /etc/pki/tls/certs/localhost.crt
+COPY container_files/httpd/localhost.key /etc/pki/tls/private/localhost.key
+COPY container_files/httpd/server-chain.crt /etc/pki/tls/certs/server-chain.crt
+RUN chmod 600 /etc/pki/tls/certs/localhost.crt && chmod 600 /etc/pki/tls/private/localhost.key
+
+COPY container_files/shibboleth/ /etc/shibboleth/
+COPY container_files/system/startWithPHP.sh /usr/local/bin/
+COPY container_files/system/setservername.sh /usr/local/bin/
+RUN chmod 755 /usr/local/bin/startWithPHP.sh /usr/local/bin/setservername.sh && /usr/local/bin/setservername.sh
+RUN mkdir -p /run/php-fpm/
+
+HEALTHCHECK --interval=1m --timeout=30s \
+  CMD curl -k -f -u csp:workbench https://127.0.0.1/mppSSO/Shibboleth.sso/Status || exit 1
+
+CMD ["/usr/local/bin/startWithPHP.sh"]
+
diff --git a/Workbench/mpproxy/container_files/httpd/.htpasswd b/Workbench/mpproxy/container_files/httpd/.htpasswd
new file mode 100644
index 0000000..f9046e3
--- /dev/null
+++ b/Workbench/mpproxy/container_files/httpd/.htpasswd
@@ -0,0 +1,3 @@
+csp:$apr1$/AqZo5q1$D0h7ClOUpgCvUhayr6oOg0
+guest:$apr1$E6QtcEtu$/YXrr/F4OpNmTClXGBXpX/
+administrator:$apr1$yYQxN8bz$UlAb7q/m6jra60QKjhHPA/
diff --git a/Workbench/mpproxy/container_files/httpd/csp_logo.jpg b/Workbench/mpproxy/container_files/httpd/csp_logo.jpg
new file mode 100644
index 0000000..8b1d36f
Binary files /dev/null and b/Workbench/mpproxy/container_files/httpd/csp_logo.jpg differ
diff --git a/Workbench/mpproxy/container_files/httpd/httpd.conf b/Workbench/mpproxy/container_files/httpd/httpd.conf
new file mode 100644
index 0000000..780ee12
--- /dev/null
+++ b/Workbench/mpproxy/container_files/httpd/httpd.conf
@@ -0,0 +1,367 @@
+#
+# This is the main Apache HTTP server configuration file.  It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
+# In particular, see 
+# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
+# for a discussion of each configuration directive.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do.  They're here only as hints or reminders.  If you are unsure
+# consult the online docs. You have been warned.  
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path.  If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
+# with ServerRoot set to '/www' will be interpreted by the
+# server as '/www/log/access_log', where as '/log/access_log' will be
+# interpreted as '/log/access_log'.
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# Do not add a slash at the end of the directory path.  If you point
+# ServerRoot at a non-local disk, be sure to specify a local disk on the
+# Mutex directive, if file-based mutexes are used.  If you wish to share the
+# same ServerRoot for multiple httpd daemons, you will need to change at
+# least PidFile.
+#
+ServerRoot "/etc/httpd"
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to 
+# prevent Apache from glomming onto all bound IP addresses.
+#
+#Listen 12.34.56.78:80
+Listen 80
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+#
+Include conf.modules.d/*.conf
+
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.  
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# It is usually good practice to create a dedicated user and group for
+# running httpd, as with most system services.
+#
+User apache
+Group apache
+
+# 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition.  These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed.  This address appears on some server-generated pages, such
+# as error documents.  e.g. admin@your-domain.com
+#
+ServerAdmin root@localhost
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+#
+#ServerName www.example.com:80
+
+#
+# Deny access to the entirety of your server's filesystem. You must
+# explicitly permit access to web content directories in other 
+# <Directory> blocks below.
+#
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+DocumentRoot "/var/www/html"
+
+#
+# Relax access to content within /var/www.
+#
+<Directory "/var/www">
+    AllowOverride None
+    # Allow open access:
+    Require all granted
+</Directory>
+
+# Further relax access to the default document root:
+<Directory "/var/www/html">
+    #
+    # Possible values for the Options directive are "None", "All",
+    # or any combination of:
+    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+    #
+    # Note that "MultiViews" must be named *explicitly* --- "Options All"
+    # doesn't give it to you.
+    #
+    # The Options directive is both complicated and important.  Please see
+    # http://httpd.apache.org/docs/2.4/mod/core.html#options
+    # for more information.
+    #
+    Options Indexes FollowSymLinks
+
+    #no anonymous access
+    AuthType Basic
+    AuthName "Restricted CSP Content"
+    AuthUserFile /etc/httpd/.htpasswd
+    Require valid-user
+
+
+    #
+    # AllowOverride controls what directives may be placed in .htaccess files.
+    # It can be "All", "None", or any combination of the keywords:
+    #   Options FileInfo AuthConfig Limit
+    #
+    AllowOverride None
+
+    #
+    # Controls who can get stuff from this server.
+    #
+    #Require all granted
+	
+</Directory>
+
+#
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+<IfModule dir_module>
+    DirectoryIndex index.html
+</IfModule>
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being 
+# viewed by Web clients. 
+#
+<Files ".ht*">
+    Require all denied
+</Files>
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here.  If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog "/tmp/logpipe"
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+<IfModule log_config_module>
+    #
+    # The following directives define some format nicknames for use with
+    # a CustomLog directive (see below).
+    #
+    LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b" common
+
+    <IfModule logio_module>
+      # You need to enable mod_logio.c to use %I and %O
+      LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+
+    #
+    # The location and format of the access logfile (Common Logfile Format).
+    # If you do not define any access logfiles within a <VirtualHost>
+    # container, they will be logged here.  Contrariwise, if you *do*
+    # define per-<VirtualHost> access logfiles, transactions will be
+    # logged therein and *not* in this file.
+    #
+    #CustomLog "/tmp/logpipe" common
+
+    #
+    # If you prefer a logfile with access, agent, and referer information
+    # (Combined Logfile Format) you can use the following directive.
+    #
+    CustomLog "/tmp/logpipe" combined
+</IfModule>
+
+<IfModule alias_module>
+    #
+    # Redirect: Allows you to tell clients about documents that used to 
+    # exist in your server's namespace, but do not anymore. The client 
+    # will make a new request for the document at its new location.
+    # Example:
+    # Redirect permanent /foo http://www.example.com/bar
+
+    #
+    # Alias: Maps web paths into filesystem paths and is used to
+    # access content that does not live under the DocumentRoot.
+    # Example:
+    # Alias /webpath /full/filesystem/path
+    #
+    # If you include a trailing / on /webpath then the server will
+    # require it to be present in the URL.  You will also likely
+    # need to provide a <Directory> section to allow access to
+    # the filesystem path.
+
+    #
+    # ScriptAlias: This controls which directories contain server scripts. 
+    # ScriptAliases are essentially the same as Aliases, except that
+    # documents in the target directory are treated as applications and
+    # run by the server when requested rather than as documents sent to the
+    # client.  The same rules about trailing "/" apply to ScriptAlias
+    # directives as to Alias.
+    #
+    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+
+</IfModule>
+
+#
+# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "/var/www/cgi-bin">
+    AllowOverride None
+    Options None
+    Require all granted
+</Directory>
+
+<IfModule mime_module>
+    #
+    # TypesConfig points to the file containing the list of mappings from
+    # filename extension to MIME-type.
+    #
+    TypesConfig /etc/mime.types
+
+    #
+    # AddType allows you to add to or override the MIME configuration
+    # file specified in TypesConfig for specific file types.
+    #
+    #AddType application/x-gzip .tgz
+    #
+    # AddEncoding allows you to have certain browsers uncompress
+    # information on the fly. Note: Not all browsers support this.
+    #
+    #AddEncoding x-compress .Z
+    #AddEncoding x-gzip .gz .tgz
+    #
+    # If the AddEncoding directives above are commented-out, then you
+    # probably should define those extensions to indicate media types:
+    #
+    AddType application/x-compress .Z
+    AddType application/x-gzip .gz .tgz
+
+    #
+    # AddHandler allows you to map certain file extensions to "handlers":
+    # actions unrelated to filetype. These can be either built into the server
+    # or added with the Action directive (see below)
+    #
+    # To use CGI scripts outside of ScriptAliased directories:
+    # (You will also need to add "ExecCGI" to the "Options" directive.)
+    #
+    #AddHandler cgi-script .cgi
+
+    # For type maps (negotiated resources):
+    #AddHandler type-map var
+
+    #
+    # Filters allow you to process content before it is sent to the client.
+    #
+    # To parse .shtml files for server-side includes (SSI):
+    # (You will also need to add "Includes" to the "Options" directive.)
+    #
+    AddType text/html .shtml
+    AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+#
+# Specify a default charset for all content served; this enables
+# interpretation of all content as UTF-8 by default.  To use the 
+# default browser choice (ISO-8859-1), or to allow the META tags
+# in HTML content to override this choice, comment out this
+# directive:
+#
+AddDefaultCharset UTF-8
+
+<IfModule mime_magic_module>
+    #
+    # The mod_mime_magic module allows the server to use various hints from the
+    # contents of the file itself to determine its type.  The MIMEMagicFile
+    # directive tells the module where the hint definitions are located.
+    #
+    MIMEMagicFile conf/magic
+</IfModule>
+
+#
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+#
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# EnableMMAP and EnableSendfile: On systems that support it, 
+# memory-mapping or the sendfile syscall may be used to deliver
+# files.  This usually improves server performance, but must
+# be turned off when serving from networked-mounted 
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+# Defaults if commented: EnableMMAP On, EnableSendfile Off
+#
+#EnableMMAP off
+EnableSendfile on
+
+# Supplemental configuration
+#
+# Load config files in the "/etc/httpd/conf.d" directory, if any.
+IncludeOptional conf.d/*.conf
+
+ErrorLogFormat "httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
+
+PassEnv ENV
+
+PassEnv USERTOKEN
diff --git a/Workbench/mpproxy/container_files/httpd/index.html b/Workbench/mpproxy/container_files/httpd/index.html
new file mode 100644
index 0000000..b41714e
--- /dev/null
+++ b/Workbench/mpproxy/container_files/httpd/index.html
@@ -0,0 +1,50 @@
+<img src="csp_logo.jpg">
+<br /><br />
+<h3>Welcome to the InCommon TAP Workbench!</h3>
+<br />
+This is your own personal instance of the InCommon <i>Trusted Access Platform</i> Workbench.
+<br /><br />
+For complete documentation, see <a href="https://spaces.at.internet2.edu/x/-IKeCg" target="_blank">this page</a>.
+<br /><br />
+The system contains the following TAP components (click the links to access each component in its own tab):
+
+<ul>
+<li><a href="https://__CSPHOSTNAME__/grouper" target="TAP-WB-GROUPER">Grouper (4.14.1)</a></li>
+<li><a href="https://__CSPHOSTNAME__/midpoint" target="TAP-WB-MIDPOINT">midPoint (4.8.2)</a></li>
+<ul><li><a href="https://__CSPHOSTNAME__/midPoint-doc.html" target="TAP-WB-MIDPOINT-CONFIG">Technical doc on midPoint's configuration</a></li></ul>
+<li><a href="https://__CSPHOSTNAME__/registry" target="TAP-WB-COMANAGE">COmanage Registry (4.3.4)</a></li>
+<li><a href="https://__CSPHOSTNAME__/idpui/" target="TAP-WB-IDPUI">Shibboleth IdP UI (1.18.0)</a></li>
+</ul>
+
+<br />
+The system also contains the following downstream/target applications:
+<ul>
+<li><a href="https://__CSPHOSTNAME__/wordpress/" target="TAP-WB-WORDPRESS">WordPress</a></li>
+<ul><li><a href="https://__CSPHOSTNAME__/wordpress/wp-admin/" target="TAP-WB-WORDPRESS-ADMON">WordPress Admin</a></li></ul>
+</ul>
+<br />
+The following repository and message exchange monitoring tools are available:
+<ul>
+<li><a href="https://__CSPHOSTNAME__/rabbit" target="TAP-WB-RABBIT">Rabbit MQ</a></li>
+<li><a href="https://__CSPHOSTNAME__/ldapadmin" target="TAP-WB-LDAPADMIN">LDAP/AD Admin</a></li>
+<li><a href="https://__CSPHOSTNAME__/phpmyadmin" target="TAP-WB-SQLADMIN">MySQL Admin</a></li>
+<li><a href="https://__CSPHOSTNAME__/phpPgAdmin" target="TAP-WB-PGSQLADMIN">Postgres Admin</a></li>
+</ul>
+<br />
+Shibboleth SAML Identity Provider and Service Providers:
+<ul>
+<li><a href="https://__CSPHOSTNAME__/idp/status" target="TAP-WB-IDP">Shibboleth IdP (5.1.2) status</a></li>
+<li>Shibboleth SPs:</li>
+<ul>
+  <li><a href="https://__CSPHOSTNAME__/grouperSSO/Shibboleth.sso/Status" target="TAP-WB-gSP">Grouper SP (3.4.1) status</a></li>
+  <li><a href="https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/Status" target="TAP-WB-mSP">midPoint SP (3.4.1) status</a></li>
+  <li><a href="https://__CSPHOSTNAME__/registrySSO/Shibboleth.sso/Status" target="TAP-WB-cSP">COmanage SP (3.4.1) status</a></li>
+  <li><a href="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/Status" target="TAP-WB-wSP">Wordpress SP (3.4.1) status</a></li>
+</ul>
+</ul>
+<br /><br /><br />
+<a href="https://__CSPHOSTNAME__/status" target="TAP-WB-STATUS">Container Status</a>
+<br />
+<a href="https://__CSPHOSTNAME__/refresh/" target="TAP-WB-REFRESH">Refresh this instance</a>
+
+
diff --git a/Workbench/mpproxy/container_files/httpd/localhost.crt b/Workbench/mpproxy/container_files/httpd/localhost.crt
new file mode 100644
index 0000000..0dbb064
--- /dev/null
+++ b/Workbench/mpproxy/container_files/httpd/localhost.crt
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE0DCCBHWgAwIBAgIRAK8LnrzhkHuEPH4q+WOqLjAwCgYIKoZIzj0EAwIwRDEL
+MAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEhMB8GA1UEAxMYSW5Db21t
+b24gRUNDIFNlcnZlciBDQSAyMB4XDTIzMTEwOTAwMDAwMFoXDTI0MTEwODIzNTk1
+OVowXjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1pY2hpZ2FuMRYwFAYDVQQKEw1J
+bkNvbW1vbiwgTExDMSQwIgYDVQQDExt0ZXN0LndvcmtiZW5jaC5pbmNvbW1vbi5v
+cmcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASVo9lNdC8c3yUIUoMS7wRadzsX
+bhSSgK4PCEV5FOPNYcsnFEc4fdt9ZiOeWmrlwVkq5Z/DzPLFXaD9PK60b/7Go4ID
+LDCCAygwHwYDVR0jBBgwFoAUMl8K2RhZ7UFxIdXuCeLZr7LXD7EwHQYDVR0OBBYE
+FBqIz6rIuIlLz74StmPXbI6kVQstMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8E
+AjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQG
+CysGAQQBsjEBAgJnMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20v
+Q1BTMAgGBmeBDAECAjBABgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLnNlY3Rp
+Z28uY29tL0luQ29tbW9uRUNDU2VydmVyQ0EyLmNybDBwBggrBgEFBQcBAQRkMGIw
+OwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuc2VjdGlnby5jb20vSW5Db21tb25FQ0NT
+ZXJ2ZXJDQTIuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNv
+bTAmBgNVHREEHzAdght0ZXN0LndvcmtiZW5jaC5pbmNvbW1vbi5vcmcwggGABgor
+BgEEAdZ5AgQCBIIBcASCAWwBagB2AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf
+5mdMWjp0AAABi7SpW/wAAAQDAEcwRQIgFccZe61hXAV8a5jwbeMBVKQC54Ii0QP7
+TGb+liXz8eQCIQD88vXok9Gz0y2nlarz9xFe3y/QkN8ubF0w2lK2g0uLwQB3AD8X
+S0/XIkdYlB1lHIS+DRLtkDd/H4Vq68G/KIXs+GRuAAABi7SpXB4AAAQDAEgwRgIh
+AN2X04k3SzVn2rRBKoBhx7FJPtyJ3gGrQzB3yCrzcz/RAiEAj6ugl5T9zMnpiOl6
+VSwpx2vEqk9i7CCZRfM6tyZBkBQAdwDuzdBk1dsazsVct520zROiModGfLzs3sNR
+SFlGcR+1mwAAAYu0qVwjAAAEAwBIMEYCIQDLAnC4IYrJAy2B61GlBqK13bYHh1cE
+FPlT0R0LEsNYaAIhAO6YNe0aQmBG5ZI4m1dVlhwyTCEqgKnQFyBuWm9N9nwOMAoG
+CCqGSM49BAMCA0kAMEYCIQCeDcX7iV+NpkJn+DE+VgQVxixxnZ9E6mhJXlMpwBpM
+XAIhAIoSwFNJXNv/HcmgBZT4ryBE4uVP0ZyIhmxrOsSYaMmk
+-----END CERTIFICATE-----
diff --git a/Workbench/mpproxy/container_files/httpd/localhost.key b/Workbench/mpproxy/container_files/httpd/localhost.key
new file mode 100644
index 0000000..6e9d693
--- /dev/null
+++ b/Workbench/mpproxy/container_files/httpd/localhost.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgZOLttXigKHyb2Pxw
+pu/CGu0EusPaSqu8iOPq4B591OOhRANCAASVo9lNdC8c3yUIUoMS7wRadzsXbhSS
+gK4PCEV5FOPNYcsnFEc4fdt9ZiOeWmrlwVkq5Z/DzPLFXaD9PK60b/7G
+-----END PRIVATE KEY-----
diff --git a/Workbench/mpproxy/container_files/httpd/midpoint.conf b/Workbench/mpproxy/container_files/httpd/midpoint.conf
new file mode 100644
index 0000000..37e27f5
--- /dev/null
+++ b/Workbench/mpproxy/container_files/httpd/midpoint.conf
@@ -0,0 +1,37 @@
+Timeout 2400
+ProxyTimeout 2400
+ProxyBadHeader Ignore
+
+<Location /midpoint>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  ShibRequireSession on
+  ShibUseHeaders On
+  require shib-session
+</Location>
+
+<Location ~ "/midpoint/(actuator/health|js/*|css/*|img/*|less/*|fonts/*|model/*|ws/*|rest/*|report/*|wro/*|static-web/*|wicket/resource/*)">
+  Satisfy Any
+  Allow from all
+  AuthType None
+  Require all granted
+</Location>
+
+<Location /midpoint/auth/saml-internal>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  ShibRequireSession on
+  ShibUseHeaders On
+  require shib-session
+</Location>
+
+<Location />
+  AuthType shibboleth
+  ShibRequestSetting requireSession false
+  ShibUseHeaders On
+  require shibboleth
+</Location>
+
+RequestHeader unset Authorization
+ProxyPass /midpoint ajp://midpoint_server:9090/midpoint secret=s3cr3t timeout=2400 retry=0
+
diff --git a/Workbench/mpproxy/container_files/httpd/server-chain.crt b/Workbench/mpproxy/container_files/httpd/server-chain.crt
new file mode 100644
index 0000000..0fdbd23
--- /dev/null
+++ b/Workbench/mpproxy/container_files/httpd/server-chain.crt
@@ -0,0 +1,44 @@
+-----BEGIN CERTIFICATE-----
+MIIDXzCCAuSgAwIBAgIRAKjg16/B1MulLLyGBcf9FmMwCgYIKoZIzj0EAwMwgYgx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtKZXJz
+ZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYDVQQD
+EyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIyMTEx
+NjAwMDAwMFoXDTMyMTExNTIzNTk1OVowRDELMAkGA1UEBhMCVVMxEjAQBgNVBAoT
+CUludGVybmV0MjEhMB8GA1UEAxMYSW5Db21tb24gRUNDIFNlcnZlciBDQSAyMFkw
+EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERdem6VwRp4k+kplQr0CJEgK+EuhLa1sV
+/kLWxfHaHpq/tAY8pLAMG19qRcYwVEl/zfF81FKjn+kxChUAjakOG6OCAXAwggFs
+MB8GA1UdIwQYMBaAFDrhCYbUzxnClnZ0SXbc4DXGY2OaMB0GA1UdDgQWBBQyXwrZ
+GFntQXEh1e4J4tmvstcPsTAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB
+/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwIgYDVR0gBBswGTAN
+BgsrBgEEAbIxAQICZzAIBgZngQwBAgIwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cDov
+L2NybC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdEVDQ0NlcnRpZmljYXRpb25BdXRo
+b3JpdHkuY3JsMHEGCCsGAQUFBwEBBGUwYzA6BggrBgEFBQcwAoYuaHR0cDovL2Ny
+dC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdEVDQ0FBQUNBLmNydDAlBggrBgEFBQcw
+AYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTAKBggqhkjOPQQDAwNpADBmAjEA
+gKnucjW0Le2dHezMD4mFvVH5QTATQG7sRhGOUAfFVd1BU4AF3iekMQ0CnafF603G
+AjEAziSrw1zt1WdlJMgCDqE9NBTeb1JmkdrjKPb0Vk9rnbuQeRIw8fHGj3tL+4CO
+5K0S
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID0zCCArugAwIBAgIQVmcdBOpPmUxvEIFHWdJ1lDANBgkqhkiG9w0BAQwFADB7
+MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
+VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
+AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
+MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
+MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
+ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEGqxUWqn5aCPnetUkb1PGWthL
+q8bVttHmc3Gu3ZzWDGH926CJA7gFFOxXzu5dP+Ihs8731Ip54KODfi2X0GHE8Znc
+JZFjq38wo7Rw4sehM5zzvy5cU7Ffs30yf4o043l5o4HyMIHvMB8GA1UdIwQYMBaA
+FKARCiM+lvEH7OKvKe+CpX/QMKS0MB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1
+xmNjmjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAI
+MAYGBFUdIAAwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5j
+b20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNAYIKwYBBQUHAQEEKDAmMCQG
+CCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wDQYJKoZIhvcNAQEM
+BQADggEBABns652JLCALBIAdGN5CmXKZFjK9Dpx1WywV4ilAbe7/ctvbq5AfjJXy
+ij0IckKJUAfiORVsAYfZFhr1wHUrxeZWEQff2Ji8fJ8ZOd+LygBkc7xGEJuTI42+
+FsMuCIKchjN0djsoTI0DQoWz4rIjQtUfenVqGtF8qmchxDM6OW1TyaLtYiKou+JV
+bJlsQ2uRl9EMC5MCHdK8aXdJ5htN978UeAOwproLtOGFfy/cQjutdAFI3tZs4RmY
+CV4Ks2dH/hzg1cEo70qLRDEmBDeNiXQ2Lu+lIg+DdEmSx/cQwgwp+7e9un/jX9Wf
+8qn0dNW44bOwgeThpWOjzOoEeJBuv/c=
+-----END CERTIFICATE-----
diff --git a/Workbench/mpproxy/container_files/httpd/shib.conf b/Workbench/mpproxy/container_files/httpd/shib.conf
new file mode 100644
index 0000000..2314d87
--- /dev/null
+++ b/Workbench/mpproxy/container_files/httpd/shib.conf
@@ -0,0 +1,50 @@
+# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
+
+# RPM installations on platforms with a conf.d directory will
+# result in this file being copied into that directory for you
+# and preserved across upgrades.
+
+# For non-RPM installs, you should copy the relevant contents of
+# this file to a configuration location you control.
+
+#
+# Load the Shibboleth module.
+#
+LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
+
+#
+# Turn this on to support "require valid-user" rules from other
+# mod_authn_* modules, and use "require shib-session" for anonymous
+# session-based authorization in mod_shib.
+#
+ShibCompatValidUser On
+
+#
+# Ensures handler will be accessible.
+#
+<Location /Shibboleth.sso>
+  AuthType None
+  Require all granted
+  SetHandler shib
+</Location>
+
+#
+# Used for example style sheet in error templates.
+#
+<IfModule mod_alias.c>
+  <Location /shibboleth-sp>
+    AuthType None
+    Require all granted
+  </Location>
+  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
+</IfModule>
+
+#
+# Configure the module for content.
+#
+# You MUST enable AuthType shibboleth for the module to process
+# any requests, and there MUST be a require command as well. To
+# enable Shibboleth but not specify any session/access requirements
+# use "require shibboleth".
+#
+
diff --git a/Workbench/mpproxy/container_files/httpd/ssl.conf b/Workbench/mpproxy/container_files/httpd/ssl.conf
new file mode 100644
index 0000000..b9d0d35
--- /dev/null
+++ b/Workbench/mpproxy/container_files/httpd/ssl.conf
@@ -0,0 +1,222 @@
+#
+# When we also provide SSL we have to listen to the 
+# the HTTPS port in addition.
+#
+Listen 443 https
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+
+#   Pseudo Random Number Generator (PRNG):
+#   Configure one or more sources to seed the PRNG of the 
+#   SSL library. The seed data should be of good random quality.
+#   WARNING! On some platforms /dev/random blocks if not enough entropy
+#   is available. This means you then cannot use the /dev/random device
+#   because it would lead to very long connection times (as long as
+#   it requires to make more entropy available). But usually those
+#   platforms additionally provide a /dev/urandom device which doesn't
+#   block. So, if available, use this one instead. Read the mod_ssl User
+#   Manual for more details.
+SSLRandomSeed startup file:/dev/urandom  256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random  512
+#SSLRandomSeed connect file:/dev/random  512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names.  NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly. 
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+AllowEncodedSlashes NoDecode
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName test.example.org:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog /tmp/logpipe
+TransferLog /tmp/logpipe
+LogLevel warn
+
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+#   SSL Protocol support:
+# List the enable protocol levels with which clients will be able to
+# connect.  Disable SSLv2 access by default:
+SSLProtocol all -SSLv2 -SSLv3
+
+#   SSL Cipher Suite:
+#   List the ciphers that the client is permitted to negotiate.
+#   See the mod_ssl documentation for a complete list.
+SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
+
+#   Speed-optimized SSL Cipher configuration:
+#   If speed is your main concern (on busy HTTPS servers e.g.),
+#   you might want to force clients to specific, performance
+#   optimized ciphers. In this case, prepend those ciphers
+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+#   (as in the example below), most connections will no longer
+#   have perfect forward secrecy - if the server's key is
+#   compromised, captures of past or future traffic must be
+#   considered compromised, too.
+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+#SSLHonorCipherOrder on 
+
+#   Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate.  If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase.  Note that a kill -HUP will prompt again.  A new
+# certificate can be generated using the genkey(1) command.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+#   Server Private Key:
+#   If the key is not combined with the certificate, use this
+#   directive to point at the key file.  Keep in mind that if
+#   you've both a RSA and a DSA private key you can configure
+#   both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+#   Server Certificate Chain:
+#   Point SSLCertificateChainFile at a file containing the
+#   concatenation of PEM encoded CA certificates which form the
+#   certificate chain for the server certificate. Alternatively
+#   the referenced file can be the same as SSLCertificateFile
+#   when the CA certificates are directly appended to the server
+#   certificate for convinience.
+SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+#   Certificate Authority (CA):
+#   Set the CA certificate verification path where to find CA
+#   certificates for client authentication or alternatively one
+#   huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+#   Client Authentication (Type):
+#   Client certificate verification type and depth.  Types are
+#   none, optional, require and optional_no_ca.  Depth is a
+#   number which specifies how deeply to verify the certificate
+#   issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth  10
+
+#   Access Control:
+#   With SSLRequire you can do per-directory access control based
+#   on arbitrary complex boolean expressions containing server
+#   variable checks and other lookup directives.  The syntax is a
+#   mixture between C and Perl.  See the mod_ssl documentation
+#   for more details.
+#<Location />
+#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+RewriteEngine on
+RewriteRule   "^/$"  "/midpoint/"  [R]
+RewriteRule   "^/midpoint/$"  "/midpoint/auth/saml-internal"  [R]
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+    SSLOptions +StdEnvVars
+</Files>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+
+#   SSL Protocol Adjustments:
+#   The safe and default but still SSL/TLS standard compliant shutdown
+#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+#   the close notify alert from client. When you need a different shutdown
+#   approach you can use one of the following variables:
+#   o ssl-unclean-shutdown:
+#     This forces an unclean shutdown when the connection is closed, i.e. no
+#     SSL close notify alert is send or allowed to received.  This violates
+#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+#     this when you receive I/O errors because of the standard approach where
+#     mod_ssl sends the close notify alert.
+#   o ssl-accurate-shutdown:
+#     This forces an accurate shutdown when the connection is closed, i.e. a
+#     SSL close notify alert is send and mod_ssl waits for the close notify
+#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+#     practice often causes hanging connections with brain-dead browsers. Use
+#     this only for browsers where you know that their SSL implementation
+#     works correctly. 
+#   Notice: Most problems of broken clients are also related to the HTTP
+#   keep-alive facility, so you usually additionally want to disable
+#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+#   "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+#   Per-Server Logging:
+#   The home of a custom SSL log file. Use this when you want a
+#   compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
diff --git a/Workbench/mpproxy/container_files/shibboleth/attribute-map.xml b/Workbench/mpproxy/container_files/shibboleth/attribute-map.xml
new file mode 100644
index 0000000..5924514
--- /dev/null
+++ b/Workbench/mpproxy/container_files/shibboleth/attribute-map.xml
@@ -0,0 +1,168 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+
+    <!-- New standard identifier attributes for SAML. -->
+
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <!-- The most typical eduPerson attributes. -->
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
+    <!--
+    Legacy pairwise identifier attribute / NameID format, intended to be replaced by the
+    simpler pairwise-id attribute (see top of file).
+    -->
+
+    <!-- The eduPerson attribute version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- The SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Other eduPerson attributes (SAML 2 names followed by SAML 1 names)... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+    -->
+
+    <!-- Older LDAP-defined attributes (SAML 2.0 names followed by SAML 1 names)... -->
+    <!--
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    -->
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <!--
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+    -->
+
+    <!-- SCHAC attributes... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="schacPersonalUniqueCode">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="schacPersonalUniqueID"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="schacUserStatus">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.20" id="schacProjectMembership">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.21" id="schacProjectSpecificRole">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    -->
+
+</Attributes>
\ No newline at end of file
diff --git a/Workbench/mpproxy/container_files/shibboleth/idp-metadata.xml b/Workbench/mpproxy/container_files/shibboleth/idp-metadata.xml
new file mode 100644
index 0000000..8bf0814
--- /dev/null
+++ b/Workbench/mpproxy/container_files/shibboleth/idp-metadata.xml
@@ -0,0 +1,201 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor  xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idptestbed/idp/shibboleth">
+
+    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
+
+        <Extensions>
+            <shibmd:Scope regexp="false">example.org</shibmd:Scope>
+<!--
+    Fill in the details for your IdP here 
+
+            <mdui:UIInfo>
+                <mdui:DisplayName xml:lang="en">A Name for the IdP at idptestbed</mdui:DisplayName>
+                <mdui:Description xml:lang="en">Enter a description of your IdP at idptestbed</mdui:Description>
+                <mdui:Logo height="80" width="80">https://localhost/Path/To/Logo.png</mdui:Logo>
+            </mdui:UIInfo>
+-->
+        </Extensions>
+
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy
+MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH
+YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M
+SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2
+03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No
+5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+
+XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud
+DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk
+hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL
+BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac
+ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98
+NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl
+j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP
+IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E
+t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM=
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB
+CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx
+MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g
+u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2
+Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ
+Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+
+MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs
+uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV
+HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl
+ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB
+CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X
+sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s
+RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ
+Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B
+DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i
+s00xrv14zLifcc8oj5DYzOhYRifRXgHX
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+        <KeyDescriptor use="encryption">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy
+MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD
+cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ
+l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG
+ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8
+9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX
+VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud
+DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk
+hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL
+BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni
+QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN
+jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r
+xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8
++PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H
+p+tGUbGS2l873J5PrsbpeKEVR/IIoKo=
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+
+        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+
+        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://__CSPHOSTNAME__/idp/profile/Shibboleth/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/idp/profile/SAML2/POST/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://__CSPHOSTNAME__/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://__CSPHOSTNAME__/idp/profile/SAML2/Redirect/SSO"/>
+
+    </IDPSSODescriptor>
+
+
+    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+
+        <Extensions>
+            <shibmd:Scope regexp="false">localhost</shibmd:Scope>
+        </Extensions>
+
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy
+MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH
+YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M
+SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2
+03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No
+5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+
+XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud
+DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk
+hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL
+BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac
+ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98
+NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl
+j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP
+IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E
+t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM=
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB
+CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx
+MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g
+u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2
+Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ
+Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+
+MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs
+uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV
+HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl
+ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB
+CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X
+sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s
+RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ
+Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B
+DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i
+s00xrv14zLifcc8oj5DYzOhYRifRXgHX
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+        <KeyDescriptor use="encryption">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy
+MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD
+cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ
+l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG
+ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8
+9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX
+VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud
+DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk
+hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL
+BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni
+QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN
+jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r
+xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8
++PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H
+p+tGUbGS2l873J5PrsbpeKEVR/IIoKo=
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+
+        
+        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://__CSPHOSTNAME__/idp/profile/SAML1/SOAP/AttributeQuery"/>
+        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://__CSPHOSTNAME__/idp/profile/SAML2/SOAP/AttributeQuery"/> 
+        <!-- If you uncomment the above you should add urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration above -->
+
+    </AttributeAuthorityDescriptor>
+
+</EntityDescriptor>
diff --git a/Workbench/mpproxy/container_files/shibboleth/shibboleth2.xml b/Workbench/mpproxy/container_files/shibboleth/shibboleth2.xml
new file mode 100644
index 0000000..fca4078
--- /dev/null
+++ b/Workbench/mpproxy/container_files/shibboleth/shibboleth2.xml
@@ -0,0 +1,121 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    clockSkew="180">
+
+    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
+  
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <RequestMapper type="XML">
+        <RequestMap>
+            <Host name="test.workbench.incommon.org">
+                <Path name="midpoint" authType="shibboleth" requireSession="true"/>
+                <Path name="test" authType="shibboleth" requireSession="true"/>
+            </Host>
+        </RequestMap>
+    </RequestMapper>
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://mpproxy.example.org/shibboleth"
+        REMOTE_USER="uid eppn subject-id pairwise-id persistent-id"
+        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
+        and should be a relative path, with the SP computing the full value based on the virtual
+        host. Using handlerSSL="true" will force the protocol to be https. You should also set
+        cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
+        "false", this makes an assertion stolen in transit easier for attackers to misuse.
+        -->
+    	<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" handlerURL="/mppSSO/Shibboleth.sso"
+                  checkAddress="false" handlerSSL="true" cookieProps="https"
+                  redirectLimit="exact">
+
+            <!--
+            Configures SSO for a default IdP. To properly allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+            <SSO entityID="https://idptestbed/idp/shibboleth">
+              SAML2
+            </SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+
+            <!-- Administrative logout. -->
+            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
+          
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 172.16.0.0/12 192.168.0.0/16"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add your own attributes with values that can be plugged into the
+        templates, e.g., helpLocation below.
+        -->
+        <Errors supportContact="root@localhost"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+
+        <!-- Example of locally maintained metadata. -->
+        <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
+
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <!--
+        <MetadataProvider type="XML" validate="true"
+	            url="http://federation.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+              attributeName="http://macedir.org/entity-category"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="http://refeds.org/category/hide-from-discovery" />
+        </MetadataProvider>
+        -->
+
+        <!-- Example of remotely supplied "on-demand" signed metadata. -->
+        <!--
+        <MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
+	            baseUrl="http://mdq.federation.org" ignoreTransport="true">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="mdqsigner.pem" />
+        </MetadataProvider>
+        -->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
+        <CredentialResolver type="File" use="signing"
+            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+        <CredentialResolver type="File" use="encryption"
+            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
+        
+    </ApplicationDefaults>
+    
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
diff --git a/Workbench/mpproxy/container_files/shibboleth/sp-encrypt-cert.pem b/Workbench/mpproxy/container_files/shibboleth/sp-encrypt-cert.pem
new file mode 100644
index 0000000..d3c288c
--- /dev/null
+++ b/Workbench/mpproxy/container_files/shibboleth/sp-encrypt-cert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID6zCCAlOgAwIBAgIJAIB4eHZ1M1ByMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDdjZjI3NzhiZWIxNTAeFw0yMDEwMzExODA4NDVaFw0zMDEwMjkxODA4NDVa
+MBcxFTATBgNVBAMTDDdjZjI3NzhiZWIxNTCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+ADCCAYoCggGBAOPMP1n+c6q6IdujWWvW0/kW3if2rmk9WfHAxvLyguJCP1W3kMwV
+CZMKky8+26zcHX2PvdEHwJsrjDltsg73ZAnZYYFXTPh7JY3W1bAoRuywvUmyUIel
+tjH03d+riKaE4eqaCgPqyJaI2zLxNJHwCmr6FjLZ5cj8GatPQeNf0WPSnQonk8NW
+3eAWvOIeqS9w3bNfpIpP/mw49M9m6LbwH1VKEPHJDUY952fqWIJBSGDfrzCCftsl
+xQ9m7DrKARUfSFjwu3uTunKZAzkhVX/DWQ9SnyTADIfD5fgFq3wVIFmXTFLIWaWS
+Yr03qGs2XcDKkfoRcBXEWyQKp3zfxjCRks1Nr6cqdPyyJvZW6OVigbrMQP23CQca
+dinD0I1bpAMW/hIMWI3HPu/Cxli8GM3/03u5XDvTBrSXxmXncNCrAQBAYhZ9vrIc
+nqyGS8lTnzsNNZXzPK3dsJvBNE4ogk/MK4Cg9bBieyBZz0IZR46EnI7qVsycIGHy
+ttv2xyZ05sMgTQIDAQABozowODAXBgNVHREEEDAOggw3Y2YyNzc4YmViMTUwHQYD
+VR0OBBYEFKdOek6UqVa8xmmBFcz5pizhCEQgMA0GCSqGSIb3DQEBCwUAA4IBgQDK
+qFQyjhO6PVjHWy3PyhaXuCQ3UTyMEr1ZUY4nYZd2eIJXMssLpxzVAu93aWowDmNO
+m2bg5MI0agNUhly7zs+cbepkH9r32Z/c5H1fuJs1iuPdfZb4xPKic2or0Kx6n8eq
+NNZBPBXnb1ulEOWokn3PaaNPLHWk23k0SmgXHp5ibpWKpETO+Py3dnMjRzCTJeY1
+M2B+ovMgNK1otlK+IV3GPMNEkMeUa/uX/IjW+YlhhUqvL9b/lWdLY4D7ZL7F2Ieq
+u4Kb1ezOTjZ0A/8oVbTK8MXHNCouwVtPl00jsSHchIHDAz/iB524Eve/ayeV0KWd
+n8+t02stqKPqiS1wzM+zatgINaCTDQOEaq6TeRy423xoBps8yBF7qPPEIBwsI9Hv
+HNUq5NfIHltpt9TfbfHWRr4S/Ccslyi14gpNFZQO7mmuAZdUPGd/m4GzdGd9lFmz
+IvRCNeI0FpjTvdt4stm66ZqRfH8Ww+hzCHtDz6MBBRIl5uRaYPqakjsW6/UK7hs=
+-----END CERTIFICATE-----
diff --git a/Workbench/mpproxy/container_files/shibboleth/sp-encrypt-key.pem b/Workbench/mpproxy/container_files/shibboleth/sp-encrypt-key.pem
new file mode 100644
index 0000000..3bfdafe
--- /dev/null
+++ b/Workbench/mpproxy/container_files/shibboleth/sp-encrypt-key.pem
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDjzD9Z/nOquiHb
+o1lr1tP5Ft4n9q5pPVnxwMby8oLiQj9Vt5DMFQmTCpMvPtus3B19j73RB8CbK4w5
+bbIO92QJ2WGBV0z4eyWN1tWwKEbssL1JslCHpbYx9N3fq4imhOHqmgoD6siWiNsy
+8TSR8Apq+hYy2eXI/BmrT0HjX9Fj0p0KJ5PDVt3gFrziHqkvcN2zX6SKT/5sOPTP
+Zui28B9VShDxyQ1GPedn6liCQUhg368wgn7bJcUPZuw6ygEVH0hY8Lt7k7pymQM5
+IVV/w1kPUp8kwAyHw+X4Bat8FSBZl0xSyFmlkmK9N6hrNl3AypH6EXAVxFskCqd8
+38YwkZLNTa+nKnT8sib2VujlYoG6zED9twkHGnYpw9CNW6QDFv4SDFiNxz7vwsZY
+vBjN/9N7uVw70wa0l8Zl53DQqwEAQGIWfb6yHJ6shkvJU587DTWV8zyt3bCbwTRO
+KIJPzCuAoPWwYnsgWc9CGUeOhJyO6lbMnCBh8rbb9scmdObDIE0CAwEAAQKCAYAj
+mnGwXB+x6GOQU4iPXUVGIjfYoSqDUk5zhYDSyeqA+H+zovwjmYokjDuS380vyDtn
+u4acXAzTc8v30dhJlIrzKyGdOIrUL1MgRxqg7LqhFcKP+Smy+chvKGlhIws5k31H
+0ImOMSzmsj8oSCDCSnUmYS4FBp9ueVB9wOZ4Zipw4qMeyi7DEhmdg5BD+yzQOGC+
+P02VPIl0WraQj/IBXahYCTp6v8SuXNCFIlBxE0j/sxZLi6nOEKorDRgQ3C+tIHU/
+th9VMQ7BsrpgZqLrvmvlhFtct4hYO4a6vdYgl87pU1amg3HbKR1rtG/lccDHDXUc
+Upx5pv67lBm8E3XLQVTtNwlHu0b1Z/+aebm84vCVR55Rt84rqIKM5tr9fkX3SX9f
+loydVMWPXhPI7X4Atj2PBNJ8aKFe69YTYIE7guqngcjFHZ6sPydmHq8p3shaNNwT
+PVQbrcFJngFypWuD+BcO4/m0pDC79Ig8k7qyTgKDkBU0118gyW+3/M/DntF+pCEC
+gcEA/XU0oJXSFJ5nRDUZkxqW5zZQo9zjaebdRPc+TYs/tqiwhDuT2EsYQ6lE6QKN
+6RxnFiY3xBxOJesYXAaCCFOhOiOj6MGdi+G90iUoRiuxOlhTH5io1c+jUSmY5QDQ
+/6ivZAxVbG7CGgt3XBfzMgvQe7ku2/JLMOwygdoURTGp6ySF8uyALakNzpebCJq+
+8MFm0BqLXbFA0kDhqPoEjJLhjfe4/BtHtGoXDirEVw3/rFWRqXCBI9F60eoGe1k8
+NxW5AoHBAOYVJ9m1GvVY9GcQY/QGA90tGtEXazQCmVNLljvpSXPQiwP09TkMMZYt
+JvRNf7IirehMq+dNBI5JA51h4SSwmwL1GVh5uChi6uQ62Cy7EGCoOU/oPpDY5trd
+2a0r+fzr1D0I+sK9HGJ1eVlunUTfYtDBSHX37mK5hhCGT5K+PaeBRfXe+gpxBoaO
+T8RyioplpKH4zK4TEefCk6jvDkkYLEHP4spGN33mRHvpVQ3oaLYHfgKXKpKqe09k
+KICOVGkpNQKBwA3ZYqfHp/QCd8gNUrlsAYTevedGQZLez4ZeMCRSkIetjf+btcdi
+yw+fZymIPzLWn3dhXTi1BzwhLXKR1HcaArxHiERGmBI1ooaiCyJSbtuuSdR3JfqQ
+3u6nZDhXJBRkJjlER0Kmhqqfp8T7dgltBdZM1xejlKI2tcfMn8DsJsm3dC5C5/oW
+u69nL0x4ECjdmH2Uhbr33X/flbUC/E6mE/cK6yuzXeaoyVu30ISlOiwzfMMSZ6wK
+XTitHe+Nf7HO2QKBwALyDGOOHP09GUvketMZ7Jy9QhWhLh8pVVsqoY68ytLvvYfc
+b/M+A7h/dXs1LshSB1Xs/VplswQ7TQ+LvD0jAakFCEEIteHWellXo4LXFjuWi71J
+JNvn2vS8WFgOMxIY1su9PLCXiTB9foM1lk/WaEZx4wKXnPaol13IymX/h3yIfCPM
+qfjOP54jXkQOj1V8PaJRNBWaauVDqW5FOTKYW6CwD6A1S+qRsxi/APa/ne+Oov9X
+fhUIl7GJf7c9mzkJbQKBwQCThYQtED8ganxTHsOYPp+NUR4sqgXSox2aBpRJRfEz
+eb2IkyBbQIbHXDkn1WDKiE33e39NXEPgSc2lDrkQSfhtgAniAdg5TEWorMVzl9Wx
+FOb3+zECzgB6wKnfPwA3SH+YbystUAaI1SEnJXUoqq4nBVVj8o1NTdxTnEI8zvhU
+tdG6t6Ao/VKBmFyDS5JPbnXVXCnym0QsPBcP67zVK8FnUz+p2S4OsVRVVrfYi9LB
+SnL+ZAlsa3/NQWPBfOqIWNc=
+-----END PRIVATE KEY-----
diff --git a/Workbench/mpproxy/container_files/shibboleth/sp-signing-cert.pem b/Workbench/mpproxy/container_files/shibboleth/sp-signing-cert.pem
new file mode 100644
index 0000000..c5a4988
--- /dev/null
+++ b/Workbench/mpproxy/container_files/shibboleth/sp-signing-cert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID6zCCAlOgAwIBAgIJAPeLX7GZ1mdUMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDdjZjI3NzhiZWIxNTAeFw0yMDEwMzExODA3MjVaFw0zMDEwMjkxODA3MjVa
+MBcxFTATBgNVBAMTDDdjZjI3NzhiZWIxNTCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+ADCCAYoCggGBAJmgdbLZgwGaITfXZdIUpTuujVf+IPzvUgxyAmsyECJSAzLEYpvy
+AUEymK3NgGdfM9kYvaHqwNSzZgsLG+24fWtim3e4ksVJOV1ZOYdpe8+6Kbd6bMOp
+3Xc2BQYeMCZ/daP+v7i8UCiFQQr5qECfYkHli6WpOYlyCMFOa6hzLoEcuakLQz6k
+o4Hf5zN/lemKZ8M1YHJcAMmCjYCwxtzJsHAvJWS1rTQIafoWyOYVNl0nwf+NJlNp
+StWcYb6O7DBmxO9mec4rQ8yp9pi2WqUL9Eha2/P7VNJVDvO32SdWQiCXKSxdZ+vi
+nSOA1BfgcAJkePl21FKHFVQzjtC7wl/u3DVSk+Pbq5gm7jOS1Rh9EYmoNRzV/jbX
+jp8RJlxTABIKNNeD0qvtJ1vImEzXCaa9elnSmcbNlmcFK3izHBffrqk08LS6Nh5S
+//yFX+OObEI0kIdLjuHwgml+DeiWyOJi8ca98gps2Pph4A2xAYu3khE9pFdAe8Mo
+1O5FhRmzJteYnwIDAQABozowODAXBgNVHREEEDAOggw3Y2YyNzc4YmViMTUwHQYD
+VR0OBBYEFHHqoc9SPoSYSC1aF2hDAzzu+qogMA0GCSqGSIb3DQEBCwUAA4IBgQBh
+AtP/C43KuGIngpn8Bz9/iJocNmvUqZd3UonEFP9+ThW147HGK+FNeOCUSAFr5TKD
++J/NkfZ9u3uLRd6vYP6WBwgEXivjac8cyQwKwPAsE0ottO8A6lmc5rf2rsw/e1nj
+QGjKMIAwo4n8/H8mcTRmY3zP9DmevfyXbimNZpXHUIGbqUWLwMZRPRjBNajG3R8A
+SSXfuPqSe6Vu52cfPtELcInHTBTo2B1yYtqk/xlFMUxM4HT+JqZpiXFGV+0cxSoD
+Z4RijtBi/B2Oqy5xHaHM/Me0pQtuKz0JtEw3IUNKIU/nVCryLNU8uGJC7nEJF4aW
+JF7ErYSEwvCCjm2GH3tmkeguNZN4sc+ah6spA5AazakzXJntMVac42OKjDsqfxKA
+fdY5ejYiTq+4q0qCan7CjHcKy0y6wTUakLhHyHXFOrJu6hrWC1Tm68i41yrIj9sJ
+6fGzRN1eZFSaq95Sc2nq6xrUE6ldgu6udIDeCfn7y+a3N0RTaUhgPjylglOB9aU=
+-----END CERTIFICATE-----
diff --git a/Workbench/mpproxy/container_files/shibboleth/sp-signing-key.pem b/Workbench/mpproxy/container_files/shibboleth/sp-signing-key.pem
new file mode 100644
index 0000000..915002a
--- /dev/null
+++ b/Workbench/mpproxy/container_files/shibboleth/sp-signing-key.pem
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQCZoHWy2YMBmiE3
+12XSFKU7ro1X/iD871IMcgJrMhAiUgMyxGKb8gFBMpitzYBnXzPZGL2h6sDUs2YL
+CxvtuH1rYpt3uJLFSTldWTmHaXvPuim3emzDqd13NgUGHjAmf3Wj/r+4vFAohUEK
++ahAn2JB5YulqTmJcgjBTmuocy6BHLmpC0M+pKOB3+czf5XpimfDNWByXADJgo2A
+sMbcybBwLyVkta00CGn6FsjmFTZdJ8H/jSZTaUrVnGG+juwwZsTvZnnOK0PMqfaY
+tlqlC/RIWtvz+1TSVQ7zt9knVkIglyksXWfr4p0jgNQX4HACZHj5dtRShxVUM47Q
+u8Jf7tw1UpPj26uYJu4zktUYfRGJqDUc1f42146fESZcUwASCjTXg9Kr7SdbyJhM
+1wmmvXpZ0pnGzZZnBSt4sxwX366pNPC0ujYeUv/8hV/jjmxCNJCHS47h8IJpfg3o
+lsjiYvHGvfIKbNj6YeANsQGLt5IRPaRXQHvDKNTuRYUZsybXmJ8CAwEAAQKCAYBD
+NVaocs4EYmiL5HjQCmYrEPcW+r91yEEt3qa+PL2gNh7eE9pL/PidjEQNLS0yjAzD
+ujYj4u6PXxiSVj7WpfKAizgWjTHwi1NESmeHnRckTn43naB9jQ+tOn3CKmzIOtS9
+dRJtAD1VLM7CvWvlMZUr3P9V7w2T2saHwwYIQLOkmmuCz8GQYziA9fJQrk1oSTuR
+xAU4opVZkvrSxQOKzdWZjpaeU3i9nby3Q0aKmdcZs+4EHb0ZmqO5hduhISelGR/7
+Sl0dQOV60MsF6zXAthrX4y3w/DJgYlytOKuHfUWsCD5dB9+cKAsKFkhceNpW9JYl
+6QiygFdblj9CRhJY1sMccOfwP3ktdSaNopt6hX5R7tgeDNbmOeXJMzFtB4jSSsVP
+LsWcxi/MWvy4cJmCudjJ48Fm7AHXKXF8Z2ry3BquAiS88qPQDXgZgavv9BeW8QRN
+iEtAoTw8pKmQICEeizY+RT5KtVk/ZlO0afAIHqiLnfz8ePHtEqJMgy1ZSs123jEC
+gcEAykp84C7ppVr+HoDQ/s2PrbA67GDG5M2/Of9IpNGw7HQ4fEL768op1M3l1W7U
+s17y8r63EnclpWrqYQbKm6ERvoXim01uPxvtGbTUn+2LuwfXTtRjv0WGnvmB3y6L
+y5mrmsABJhSwmNU9/aV7/PmOMYh56Dm/VNj0h8TxwNFWXKLs6LUSdelMI0rs25y3
+ADuai4V7LEiGVNeIFWOGNVn17hi1+77DTxjVFEIVRa8DtqiYmTCrU5MXuanaNZ42
+/ccXAoHBAMJqUUZ4i99Ej5w3mCH7QHOBFZ8gKbkFJ5Er+0DSJhlXdxwa2ED+ZOmz
+lBkOdkhFocpnKNpe8LXQdyT4Hc39oLg/hgM+9xiS0knwWYR9aEsaPscdEa9XkJfy
+MHArST+YQ6VkkSQFw5JlsgOSbqQsMsTzbCSRPnK1kh2FpAeCFdBKc7zPkXDz/eDN
+U1PyUbxvhnvO/7Wm3qk8prGxYPTo3lT+YCOvGBB0D7Dszqo1lmDhmMLW3wQ+7d3Z
+zgx3PLavuQKBwQCvPUniVyF2alX7jLIAGYke+KyCuu9xpD7E+j4u8awnmiKYmtpr
+j40fWWKBu2otHNKvsMEdEPQe0XjKprx7h1O8zXTZ/oDD0OhbvYf4JytF0WwWUO07
+8/nD2/dCpKrbrHq5Kx2TpJa7PvddtK6tHm6swEKDBwuVcACdYOHgnDgJNeavTLT6
+Sij35d87/A2X+QpPVUm3ufgMpU2w4a+QpibipKt5su60pZlo3DpbTFqWMIVJJ50z
+YBhMcTSkADQ5Me8CgcA+O/BmgaIsx3K9TCKcBiTclJ7KQG56tsaytwSH/H2LsS8E
+xScirwy4ru6ikrmUaw3ej+VI+glN+jyZjf9keGMhd9w7X8WTjTRZzOGrAsYG/JDK
+Bmkp2vsDWNjen0ykWeaVpDq98EZpr7orYI2gajGaUF322rPF3o+2eZhHewHmml6w
+OzXQlZpYgwHAppo5mu3O5jV+/brbK/okeaaS35SEWqWF5r/qTGzVcwi4/cx0mOLg
+xA3B+y8DzHwkC2tZA6kCgcEArXovFQS56M+Kcfi/gv4s0/Ax33loCRuaaRKHJBJ2
+SRQFMQ+a5UzUiUI9YLjuonchsaieoBUkdzhkqqY1rdzbEuOL7SzfL9Xcp6IM/gXk
+eLdscobfFonbDlJJIm1lkWvBbLTe9V7/IOmd3f06U66jwGEH9+gahKags1lmWBl3
+kUMKfdm2ZiJOW6Mg2r86FKs3rCoe0XpxnIcNyTuJ/u8/faR6+9XINo/RkzRDUPb1
+ECX4/movLrhpXT8i3sM/E7Kq
+-----END PRIVATE KEY-----
diff --git a/Workbench/mpproxy/container_files/system/setservername.sh b/Workbench/mpproxy/container_files/system/setservername.sh
new file mode 100755
index 0000000..20b9d05
--- /dev/null
+++ b/Workbench/mpproxy/container_files/system/setservername.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+files="/etc/shibboleth/idp-metadata.xml"
+
+for file in $files
+  do
+    sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+  done
+
diff --git a/Workbench/mpproxy/container_files/system/startWithMDLoad.sh b/Workbench/mpproxy/container_files/system/startWithMDLoad.sh
new file mode 100755
index 0000000..e3f14fa
--- /dev/null
+++ b/Workbench/mpproxy/container_files/system/startWithMDLoad.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+/usr/local/bin/startup.sh &
+php-fpm -D &
+
+#wait for IdPUI's API, then load metadata into it
+pushd /mdload
+./wait-for-it.sh -t 0 idp_ui_api:8443 -- ./loadMD.sh GrouperSP /mdload/grouper-sp.xml 90 && \
+                                         ./loadMD.sh midPointSP /mdload/midpoint-sp.xml 0 && \
+                                         ./loadMD.sh ProxySP /mdload/proxy-sp.xml 0 && \
+                                         ./loadMD.sh WordPressSP /mdload/wordpress-sp.xml 0 && \
+                                         ./loadMD.sh COmanageSP /mdload/comanage-sp.xml 0
+popd
+wait
+
diff --git a/Workbench/mpproxy/container_files/system/startWithPHP.sh b/Workbench/mpproxy/container_files/system/startWithPHP.sh
new file mode 100755
index 0000000..6dbcef0
--- /dev/null
+++ b/Workbench/mpproxy/container_files/system/startWithPHP.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+#
+/usr/local/bin/startup.sh &
+php-fpm -D &
+wait
diff --git a/Workbench/scripts/gethealth.py b/Workbench/scripts/gethealth.py
index 456c25d..ba23e09 100755
--- a/Workbench/scripts/gethealth.py
+++ b/Workbench/scripts/gethealth.py
@@ -1,6 +1,6 @@
 #!/bin/python
 
-containers = ["idp", "idp_ui", "idp_ui_data", "idp_ui_api", "grouper_ui", "grouper_ws", "grouper_daemon", "grouper_data", "comanage", "comanage_cron", "comanage_data", "midpoint_server", "midpoint_data", "webproxy", "wordpress_server", "wordpress_data", "mq", "directory", "sources", "ad", "comanage_midpoint_data"]
+containers = ["idp", "idp_ui", "idp_ui_data", "idp_ui_api", "grouper_ui", "grouper_ws", "grouper_daemon", "grouper_data", "comanage", "comanage_cron", "comanage_data", "evolveum/midpoint", "midpoint_data", "webproxy", "mpproxy", "wordpress_server", "wordpress_data", "mq", "directory", "sources", "ad", "comanage_midpoint_data"]
 
 print("<table><tr><th style='text-align:left;width:150px'>Container</th><th style='text-align:left'>Health Status</th></tr>")
 for container in containers:
diff --git a/Workbench/webproxy/Dockerfile b/Workbench/webproxy/Dockerfile
index d7d0360..93dbdf7 100644
--- a/Workbench/webproxy/Dockerfile
+++ b/Workbench/webproxy/Dockerfile
@@ -3,6 +3,7 @@ FROM i2incommon/shibboleth_sp:3.4.1_05152024_rocky9_multiarch
 ARG CSPHOSTNAME=localhost
 ENV CSPHOSTNAME=$CSPHOSTNAME
 
+#RUN dnf -y install cronie php php-json wget php-bcmath jq yum-utils mod_proxy_ajp
 RUN dnf -y install cronie php php-json wget php-bcmath jq yum-utils
 
 RUN wget https://getcomposer.org/installer -O composer-installer.php
diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html
index b41714e..b551c0c 100644
--- a/Workbench/webproxy/container_files/httpd/index.html
+++ b/Workbench/webproxy/container_files/httpd/index.html
@@ -10,7 +10,7 @@ <h3>Welcome to the InCommon TAP Workbench!</h3>
 
 <ul>
 <li><a href="https://__CSPHOSTNAME__/grouper" target="TAP-WB-GROUPER">Grouper (4.14.1)</a></li>
-<li><a href="https://__CSPHOSTNAME__/midpoint" target="TAP-WB-MIDPOINT">midPoint (4.8.2)</a></li>
+<li><a href="https://__CSPHOSTNAME__/midpoint" target="TAP-WB-MIDPOINT">midPoint (4.8.3)</a></li>
 <ul><li><a href="https://__CSPHOSTNAME__/midPoint-doc.html" target="TAP-WB-MIDPOINT-CONFIG">Technical doc on midPoint's configuration</a></li></ul>
 <li><a href="https://__CSPHOSTNAME__/registry" target="TAP-WB-COMANAGE">COmanage Registry (4.3.4)</a></li>
 <li><a href="https://__CSPHOSTNAME__/idpui/" target="TAP-WB-IDPUI">Shibboleth IdP UI (1.18.0)</a></li>
@@ -37,7 +37,7 @@ <h3>Welcome to the InCommon TAP Workbench!</h3>
 <li>Shibboleth SPs:</li>
 <ul>
   <li><a href="https://__CSPHOSTNAME__/grouperSSO/Shibboleth.sso/Status" target="TAP-WB-gSP">Grouper SP (3.4.1) status</a></li>
-  <li><a href="https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/Status" target="TAP-WB-mSP">midPoint SP (3.4.1) status</a></li>
+  <li><a href="https://__CSPHOSTNAME__/mppSSO/Shibboleth.sso/Status" target="TAP-WB-mSP">midPoint SP (3.4.1) status</a></li>
   <li><a href="https://__CSPHOSTNAME__/registrySSO/Shibboleth.sso/Status" target="TAP-WB-cSP">COmanage SP (3.4.1) status</a></li>
   <li><a href="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/Status" target="TAP-WB-wSP">Wordpress SP (3.4.1) status</a></li>
 </ul>
diff --git a/Workbench/webproxy/container_files/httpd/proxy.conf b/Workbench/webproxy/container_files/httpd/proxy.conf
index 9ff305d..27c9e3f 100644
--- a/Workbench/webproxy/container_files/httpd/proxy.conf
+++ b/Workbench/webproxy/container_files/httpd/proxy.conf
@@ -11,10 +11,8 @@ AllowEncodedSlashes NoDecode
   RequestHeader unset Authorization
 </Location>
 
-<Location /midpoint>
-  <If "%{THE_REQUEST} =~ m#\s/+midpoint/auth/shib/?[?\s]#">
-    RequestHeader unset Authorization
-  </If>
+<Location /Shibboleth.sso>
+  RequestHeader unset Authorization
 </Location>
 
 <Location /idpui>
@@ -25,10 +23,14 @@ AllowEncodedSlashes NoDecode
   RequestHeader unset Authorization
 </Location>
 
-ProxyPass /midpoint https://midpoint-server/midpoint
-ProxyPassReverse /midpoint https://midpoint-server/midpoint
-ProxyPass /MPSSO https://midpoint-server/MPSSO
-ProxyPassReverse /MPSSO https://midpoint-server/MPSSO
+<Location /midpoint>
+  RequestHeader unset Authorization
+</Location>
+
+ProxyPass /midpoint https://mpproxy/midpoint
+ProxyPassReverse /midpoint https://mpproxy/midpoint
+ProxyPass /mppSSO https://mpproxy/mppSSO
+ProxyPassReverse /mppSSO https://mpproxy/mppSSO
 
 ProxyPass /grouper https://grouper-ui/grouper
 ProxyPassReverse /grouper https://grouper-ui/grouper
@@ -80,3 +82,6 @@ ProxyPassReverse /wordpress https://wordpress_server/wordpress
 #ProxyPassReverse /wp-content https://wordpress_server/wordpress/wp-content
 #ProxyPass /wp-admin https://wordpress_server/wordpress/wp-admin
 #ProxyPassReverse /wp-admin https://wordpress_server/wordpress/wp-admin
+ProxyPass /test2 https://mpproxy/test
+ProxyPassReverse /test2 https://mpproxy/test
+
diff --git a/Workbench/webproxy/container_files/httpd/shib.conf b/Workbench/webproxy/container_files/httpd/shib.conf
index bd9faa0..80fc679 100644
--- a/Workbench/webproxy/container_files/httpd/shib.conf
+++ b/Workbench/webproxy/container_files/httpd/shib.conf
@@ -58,3 +58,4 @@ ShibCompatValidUser On
   ShibRequestSetting requireSession 1
   require shib-session
 </Location>
+
diff --git a/Workbench/webproxy/container_files/httpd/ssl.conf b/Workbench/webproxy/container_files/httpd/ssl.conf
index 579e87d..37dbe74 100644
--- a/Workbench/webproxy/container_files/httpd/ssl.conf
+++ b/Workbench/webproxy/container_files/httpd/ssl.conf
@@ -59,7 +59,7 @@ AllowEncodedSlashes NoDecode
 
 # General setup for the virtual host, inherited from global configuration
 #DocumentRoot "/var/www/html"
-#ServerName www.example.com:443
+#ServerName test.example.org:443
 
 # Use separate log files for the SSL virtual host; note that LogLevel
 # is not inherited from httpd.conf.
@@ -176,6 +176,9 @@ SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
     Satisfy any
 </Location>
 
+RewriteEngine on
+RewriteRule   "^/midpoint/$"  "/midpoint/auth/saml-internal"  [R]
+
 <Location />
   AuthType Basic
   AuthName "Restricted CSP content"
diff --git a/Workbench/webproxy/container_files/mdload/mpproxy-sp.xml b/Workbench/webproxy/container_files/mdload/mpproxy-sp.xml
new file mode 100644
index 0000000..f300362
--- /dev/null
+++ b/Workbench/webproxy/container_files/mdload/mpproxy-sp.xml
@@ -0,0 +1,107 @@
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_b8354bd397249b9e20e7850d74e1902cdd184dd1" entityID="https://mpproxy.example.org/shibboleth">
+
+  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
+  </md:Extensions>
+
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:Extensions>
+    <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://__CSPHOSTNAME__/mppSSO/Shibboleth.sso/Login"/>
+    </md:Extensions>
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>7cf2778beb15</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=7cf2778beb15</ds:X509SubjectName>
+          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAPeLX7GZ1mdUMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDdjZjI3NzhiZWIxNTAeFw0yMDEwMzExODA3MjVaFw0zMDEwMjkxODA3MjVa
+MBcxFTATBgNVBAMTDDdjZjI3NzhiZWIxNTCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+ADCCAYoCggGBAJmgdbLZgwGaITfXZdIUpTuujVf+IPzvUgxyAmsyECJSAzLEYpvy
+AUEymK3NgGdfM9kYvaHqwNSzZgsLG+24fWtim3e4ksVJOV1ZOYdpe8+6Kbd6bMOp
+3Xc2BQYeMCZ/daP+v7i8UCiFQQr5qECfYkHli6WpOYlyCMFOa6hzLoEcuakLQz6k
+o4Hf5zN/lemKZ8M1YHJcAMmCjYCwxtzJsHAvJWS1rTQIafoWyOYVNl0nwf+NJlNp
+StWcYb6O7DBmxO9mec4rQ8yp9pi2WqUL9Eha2/P7VNJVDvO32SdWQiCXKSxdZ+vi
+nSOA1BfgcAJkePl21FKHFVQzjtC7wl/u3DVSk+Pbq5gm7jOS1Rh9EYmoNRzV/jbX
+jp8RJlxTABIKNNeD0qvtJ1vImEzXCaa9elnSmcbNlmcFK3izHBffrqk08LS6Nh5S
+//yFX+OObEI0kIdLjuHwgml+DeiWyOJi8ca98gps2Pph4A2xAYu3khE9pFdAe8Mo
+1O5FhRmzJteYnwIDAQABozowODAXBgNVHREEEDAOggw3Y2YyNzc4YmViMTUwHQYD
+VR0OBBYEFHHqoc9SPoSYSC1aF2hDAzzu+qogMA0GCSqGSIb3DQEBCwUAA4IBgQBh
+AtP/C43KuGIngpn8Bz9/iJocNmvUqZd3UonEFP9+ThW147HGK+FNeOCUSAFr5TKD
++J/NkfZ9u3uLRd6vYP6WBwgEXivjac8cyQwKwPAsE0ottO8A6lmc5rf2rsw/e1nj
+QGjKMIAwo4n8/H8mcTRmY3zP9DmevfyXbimNZpXHUIGbqUWLwMZRPRjBNajG3R8A
+SSXfuPqSe6Vu52cfPtELcInHTBTo2B1yYtqk/xlFMUxM4HT+JqZpiXFGV+0cxSoD
+Z4RijtBi/B2Oqy5xHaHM/Me0pQtuKz0JtEw3IUNKIU/nVCryLNU8uGJC7nEJF4aW
+JF7ErYSEwvCCjm2GH3tmkeguNZN4sc+ah6spA5AazakzXJntMVac42OKjDsqfxKA
+fdY5ejYiTq+4q0qCan7CjHcKy0y6wTUakLhHyHXFOrJu6hrWC1Tm68i41yrIj9sJ
+6fGzRN1eZFSaq95Sc2nq6xrUE6ldgu6udIDeCfn7y+a3N0RTaUhgPjylglOB9aU=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>7cf2778beb15</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=7cf2778beb15</ds:X509SubjectName>
+          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAIB4eHZ1M1ByMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDdjZjI3NzhiZWIxNTAeFw0yMDEwMzExODA4NDVaFw0zMDEwMjkxODA4NDVa
+MBcxFTATBgNVBAMTDDdjZjI3NzhiZWIxNTCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+ADCCAYoCggGBAOPMP1n+c6q6IdujWWvW0/kW3if2rmk9WfHAxvLyguJCP1W3kMwV
+CZMKky8+26zcHX2PvdEHwJsrjDltsg73ZAnZYYFXTPh7JY3W1bAoRuywvUmyUIel
+tjH03d+riKaE4eqaCgPqyJaI2zLxNJHwCmr6FjLZ5cj8GatPQeNf0WPSnQonk8NW
+3eAWvOIeqS9w3bNfpIpP/mw49M9m6LbwH1VKEPHJDUY952fqWIJBSGDfrzCCftsl
+xQ9m7DrKARUfSFjwu3uTunKZAzkhVX/DWQ9SnyTADIfD5fgFq3wVIFmXTFLIWaWS
+Yr03qGs2XcDKkfoRcBXEWyQKp3zfxjCRks1Nr6cqdPyyJvZW6OVigbrMQP23CQca
+dinD0I1bpAMW/hIMWI3HPu/Cxli8GM3/03u5XDvTBrSXxmXncNCrAQBAYhZ9vrIc
+nqyGS8lTnzsNNZXzPK3dsJvBNE4ogk/MK4Cg9bBieyBZz0IZR46EnI7qVsycIGHy
+ttv2xyZ05sMgTQIDAQABozowODAXBgNVHREEEDAOggw3Y2YyNzc4YmViMTUwHQYD
+VR0OBBYEFKdOek6UqVa8xmmBFcz5pizhCEQgMA0GCSqGSIb3DQEBCwUAA4IBgQDK
+qFQyjhO6PVjHWy3PyhaXuCQ3UTyMEr1ZUY4nYZd2eIJXMssLpxzVAu93aWowDmNO
+m2bg5MI0agNUhly7zs+cbepkH9r32Z/c5H1fuJs1iuPdfZb4xPKic2or0Kx6n8eq
+NNZBPBXnb1ulEOWokn3PaaNPLHWk23k0SmgXHp5ibpWKpETO+Py3dnMjRzCTJeY1
+M2B+ovMgNK1otlK+IV3GPMNEkMeUa/uX/IjW+YlhhUqvL9b/lWdLY4D7ZL7F2Ieq
+u4Kb1ezOTjZ0A/8oVbTK8MXHNCouwVtPl00jsSHchIHDAz/iB524Eve/ayeV0KWd
+n8+t02stqKPqiS1wzM+zatgINaCTDQOEaq6TeRy423xoBps8yBF7qPPEIBwsI9Hv
+HNUq5NfIHltpt9TfbfHWRr4S/Ccslyi14gpNFZQO7mmuAZdUPGd/m4GzdGd9lFmz
+IvRCNeI0FpjTvdt4stm66ZqRfH8Ww+hzCHtDz6MBBRIl5uRaYPqakjsW6/UK7hs=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+    </md:KeyDescriptor>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://__CSPHOSTNAME__/mppSSO/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://__CSPHOSTNAME__/mppSSO/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://__CSPHOSTNAME__/mppSSO/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/mppSSO/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://__CSPHOSTNAME__/mppSSO/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/mppSSO/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://__CSPHOSTNAME__/mppSSO/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://__CSPHOSTNAME__/mppSSO/Shibboleth.sso/SAML2/Artifact" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://__CSPHOSTNAME__/mppSSO/Shibboleth.sso/SAML2/ECP" index="4"/>
+  </md:SPSSODescriptor>
+
+</md:EntityDescriptor>
+
diff --git a/Workbench/webproxy/container_files/shibboleth/attribute-map.xml b/Workbench/webproxy/container_files/shibboleth/attribute-map.xml
new file mode 100644
index 0000000..5924514
--- /dev/null
+++ b/Workbench/webproxy/container_files/shibboleth/attribute-map.xml
@@ -0,0 +1,168 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+
+    <!-- New standard identifier attributes for SAML. -->
+
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <!-- The most typical eduPerson attributes. -->
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
+    <!--
+    Legacy pairwise identifier attribute / NameID format, intended to be replaced by the
+    simpler pairwise-id attribute (see top of file).
+    -->
+
+    <!-- The eduPerson attribute version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- The SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Other eduPerson attributes (SAML 2 names followed by SAML 1 names)... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+    -->
+
+    <!-- Older LDAP-defined attributes (SAML 2.0 names followed by SAML 1 names)... -->
+    <!--
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    -->
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <!--
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+    -->
+
+    <!-- SCHAC attributes... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="schacPersonalUniqueCode">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="schacPersonalUniqueID"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="schacUserStatus">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.20" id="schacProjectMembership">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.21" id="schacProjectSpecificRole">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    -->
+
+</Attributes>
\ No newline at end of file
diff --git a/Workbench/webproxy/container_files/shibboleth/shibboleth2.xml b/Workbench/webproxy/container_files/shibboleth/shibboleth2.xml
index 6ffed9c..611c779 100644
--- a/Workbench/webproxy/container_files/shibboleth/shibboleth2.xml
+++ b/Workbench/webproxy/container_files/shibboleth/shibboleth2.xml
@@ -9,9 +9,18 @@
     are used. See example-shibboleth2.xml for samples of explicitly configuring them.
     -->
 
+    <RequestMapper type="XML">
+        <RequestMap>
+            <Host name="test.workbench.incommon.org">
+                <Path name="midpoint" authType="shibboleth" requireSession="true"/>
+                <Path name="test" authType="shibboleth" requireSession="true"/>
+            </Host>
+        </RequestMap>
+    </RequestMapper>
+
     <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
     <ApplicationDefaults entityID="https://proxysp.example.org/shibboleth"
-        REMOTE_USER="eppn uid subject-id pairwise-id persistent-id"
+        REMOTE_USER="uid eppn subject-id pairwise-id persistent-id"
         cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
 
         <!--
diff --git a/Workbench/webproxy/container_files/system/setservername.sh b/Workbench/webproxy/container_files/system/setservername.sh
index a48ec6b..0138b69 100755
--- a/Workbench/webproxy/container_files/system/setservername.sh
+++ b/Workbench/webproxy/container_files/system/setservername.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-files="/etc/shibboleth/idp-metadata.xml /var/www/html/index.html /mdload/grouper-sp.xml /mdload/midpoint-sp.xml /mdload/comanage-sp.xml /mdload/proxy-sp.xml /mdload/wordpress-sp.xml"
+files="/etc/shibboleth/idp-metadata.xml /var/www/html/index.html /mdload/grouper-sp.xml /mdload/midpoint-sp.xml /mdload/mpproxy-sp.xml /mdload/comanage-sp.xml /mdload/proxy-sp.xml /mdload/wordpress-sp.xml"
 
 for file in $files
   do
diff --git a/Workbench/webproxy/container_files/system/startWithMDLoad.sh b/Workbench/webproxy/container_files/system/startWithMDLoad.sh
index e3f14fa..14080d2 100755
--- a/Workbench/webproxy/container_files/system/startWithMDLoad.sh
+++ b/Workbench/webproxy/container_files/system/startWithMDLoad.sh
@@ -5,6 +5,7 @@ php-fpm -D &
 #wait for IdPUI's API, then load metadata into it
 pushd /mdload
 ./wait-for-it.sh -t 0 idp_ui_api:8443 -- ./loadMD.sh GrouperSP /mdload/grouper-sp.xml 90 && \
+                                         ./loadMD.sh midPointProxySP /mdload/mpproxy-sp.xml 0 && \
                                          ./loadMD.sh midPointSP /mdload/midpoint-sp.xml 0 && \
                                          ./loadMD.sh ProxySP /mdload/proxy-sp.xml 0 && \
                                          ./loadMD.sh WordPressSP /mdload/wordpress-sp.xml 0 && \