From 1ea3abf5908a7ab3baa87d154c3a2f7ab7d31818 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Thu, 19 Dec 2024 20:54:44 +0000
Subject: [PATCH] add COmanage Match

---
 Workbench/comanage_match/Dockerfile           |  40 ++++
 .../container_files/httpd/match-ssl.crt       |  22 ++
 .../container_files/httpd/match-ssl.key       |  27 +++
 .../shibboleth/attribute-map.xml              | 169 +++++++++++++++
 .../shibboleth/idp-metadata.xml               | 202 ++++++++++++++++++
 .../shibboleth/shibboleth2.xml                | 113 ++++++++++
 .../shibboleth/sp-encrypt-cert.pem            |  25 +++
 .../shibboleth/sp-encrypt-key.pem             |  40 ++++
 .../shibboleth/sp-signing-cert.pem            |  25 +++
 .../shibboleth/sp-signing-key.pem             |  40 ++++
 .../container_files/system/setservername.sh   |  10 +
 Workbench/comanage_match_data/Dockerfile      |   5 +
 .../seed-data/addExtension.sql                |   2 +
 Workbench/docker-compose.yml                  |  41 ++++
 .../webproxy/container_files/httpd/index.html |   2 +
 .../webproxy/container_files/httpd/proxy.conf |   5 +
 .../container_files/mdload/match-sp.xml       | 113 ++++++++++
 .../container_files/system/setservername.sh   |   2 +-
 .../container_files/system/startWithMDLoad.sh |   3 +-
 19 files changed, 884 insertions(+), 2 deletions(-)
 create mode 100644 Workbench/comanage_match/Dockerfile
 create mode 100644 Workbench/comanage_match/container_files/httpd/match-ssl.crt
 create mode 100644 Workbench/comanage_match/container_files/httpd/match-ssl.key
 create mode 100644 Workbench/comanage_match/container_files/shibboleth/attribute-map.xml
 create mode 100644 Workbench/comanage_match/container_files/shibboleth/idp-metadata.xml
 create mode 100644 Workbench/comanage_match/container_files/shibboleth/shibboleth2.xml
 create mode 100644 Workbench/comanage_match/container_files/shibboleth/sp-encrypt-cert.pem
 create mode 100644 Workbench/comanage_match/container_files/shibboleth/sp-encrypt-key.pem
 create mode 100644 Workbench/comanage_match/container_files/shibboleth/sp-signing-cert.pem
 create mode 100644 Workbench/comanage_match/container_files/shibboleth/sp-signing-key.pem
 create mode 100644 Workbench/comanage_match/container_files/system/setservername.sh
 create mode 100644 Workbench/comanage_match_data/Dockerfile
 create mode 100644 Workbench/comanage_match_data/container_files/seed-data/addExtension.sql
 create mode 100644 Workbench/webproxy/container_files/mdload/match-sp.xml

diff --git a/Workbench/comanage_match/Dockerfile b/Workbench/comanage_match/Dockerfile
new file mode 100644
index 0000000..06c9577
--- /dev/null
+++ b/Workbench/comanage_match/Dockerfile
@@ -0,0 +1,40 @@
+FROM comanageproject/comanage-match:1.2.0-shibboleth-sp-supervisor-6
+
+ARG CSPHOSTNAME=localhost
+ENV CSPHOSTNAME=$CSPHOSTNAME
+
+# match settings (env vars from https://spaces.at.internet2.edu/display/COmanage/Configuring+Match+Container+Images)
+ENV COMANAGE_MATCH_ADMIN_USERNAME=banderson@example.org
+ENV COMANAGE_MATCH_SECURITY_SALT=kd67NSQ93VcXPioYT6083620jfutBHGKSNND23hvGG09m10S
+ENV COMANAGE_MATCH_VIRTUAL_HOST_FQDN=$CSPHOSTNAME
+ENV COMANAGE_MATCH_VIRTUAL_HOST_SCHEME=https
+#from database.php
+ENV COMANAGE_MATCH_DATABASE=match
+ENV COMANAGE_MATCH_DATABASE_HOST=comanage-match-data
+ENV COMANAGE_MATCH_DATABASE_USER=match_user
+ENV COMANAGE_MATCH_DATABASE_USER_PASSWORD=Password1
+#from email.php
+ENV COMANAGE_MATCH_EMAIL_FROM_EMAIL=noreply@workbench.incommon.org
+ENV COMANAGE_MATCH_EMAIL_FROM_NAME="Do Not Reply"
+ENV COMANAGE_MATCH_EMAIL_TRANSPORT=Smtp
+ENV COMANAGE_MATCH_EMAIL_HOST=tls://email-smtp.us-west-2.amazonaws.com
+ENV COMANAGE_MATCH_EMAIL_ACCOUNT=AKIAZDWJANQRZKPFVK6J
+ENV COMANAGE_MATCH_EMAIL_ACCOUNT_PASSWORD=BNAp6WlvsI4iXK3ush8pwPD2QKHDYQ09ti+Z3r/mb2Nx
+ENV COMANAGE_MATCH_EMAIL_PORT=465
+# for httpd
+ENV COMANAGE_MATCH_HTTP_NO=true
+ENV COMANAGE_MATCH_HTTPS_LISTEN_PORT=443
+ENV HTTPS_CERT_FILE=/etc/pki/tls/certs/match-ssl.crt
+ENV HTTPS_PRIVKEY_FILE=/etc/pki/tls/private/match-ssl.key
+
+COPY container_files/httpd/match-ssl.crt /etc/pki/tls/certs/
+COPY container_files/httpd/match-ssl.key /etc/pki/tls/private/
+RUN chmod 600 /etc/pki/tls/certs/match-ssl.crt && chmod 600 /etc/pki/tls/private/match-ssl.key
+
+COPY container_files/shibboleth/ /etc/shibboleth/
+
+#dynamically set hostname
+COPY container_files/system/setservername.sh /usr/local/bin/
+RUN chmod 755 /usr/local/bin/setservername.sh && /usr/local/bin/setservername.sh
+
+
diff --git a/Workbench/comanage_match/container_files/httpd/match-ssl.crt b/Workbench/comanage_match/container_files/httpd/match-ssl.crt
new file mode 100644
index 0000000..d7e9300
--- /dev/null
+++ b/Workbench/comanage_match/container_files/httpd/match-ssl.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqTCCApGgAwIBAgIJALFLXI21jEHrMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV
+BAYTAlVTMREwDwYDVQQIDAhNaWNoaWdhbjESMBAGA1UEBwwJQW5uIEFyYm9yMRIw
+EAYDVQQKDAlJbnRlcm5ldDIxITAfBgNVBAMMGGNvbWFuYWdlLW1hdGNoLndvcmti
+ZW5jaDAeFw0yNDEyMTkxNDI3NDhaFw0zNDEyMTcxNDI3NDhaMGsxCzAJBgNVBAYT
+AlVTMREwDwYDVQQIDAhNaWNoaWdhbjESMBAGA1UEBwwJQW5uIEFyYm9yMRIwEAYD
+VQQKDAlJbnRlcm5ldDIxITAfBgNVBAMMGGNvbWFuYWdlLW1hdGNoLndvcmtiZW5j
+aDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALKgirFsUBMGr8+H5QtY
+e/w8HB5spFUJUX7+Ako1v9yY95WYolbs5s8/TO8iVdRw38yn7mVOavPpquhEfuBg
+oUI4iGftowEv+cT7C1ALZHfHr7cpYGOYS0sHOXWVaUx6ggPR57Vs+gb/3sLA9AUR
+F+AUG+Fkd49yWF+MwnV8ieA88qdx828RdfmWqeO3VAjNXxsWN7/hX9RKBmBSS0n0
+6xaSIqA/5vTD+8kA+D0Rvvv2xBmpBJo+FbLhA9qz2NJM7iVy7xxC/HQojBrXt7qd
+63EkPv7H6o6sBzZQ4oxyT3on8E6tUPfa/jrRhHuJt9JmDVEZyvhOkidDyvZef+Qr
+bckCAwEAAaNQME4wHQYDVR0OBBYEFPXB9x9X7k3gk3Jwm1BS4/HFldPVMB8GA1Ud
+IwQYMBaAFPXB9x9X7k3gk3Jwm1BS4/HFldPVMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBACXerk/2Q4+Hw6laPj/IkreUgrHe9oCt3EjbMSTjUERp6j/c
+Trmy/QefGVICpGPnBNV5XcDmPMoAG5UJ5wxG3lXu2VFuf1qhs4yuTzYuskZGijEv
+xGIxhMuhPuRZrccfrqMXMGS0HV0kPKVJcTD21wzoJNzvBxZG1YGshehBUComsjFt
+YHaqHD4tgMCA+TElILi9GJk9hiqc4+X6V/XXPDitXXx+eKC4fNrXfdJ+tb5eE/A7
+a6204TeVdOX+iChjJOOcSJY3uLto/Ez0dVxrMIEbppZWMlrl7tlJVS9Y4lKkw3FC
+XDWW3UplClTk3tCtfhfF1zLm2gk40ep38o8O8NY=
+-----END CERTIFICATE-----
diff --git a/Workbench/comanage_match/container_files/httpd/match-ssl.key b/Workbench/comanage_match/container_files/httpd/match-ssl.key
new file mode 100644
index 0000000..bad477c
--- /dev/null
+++ b/Workbench/comanage_match/container_files/httpd/match-ssl.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAsqCKsWxQEwavz4flC1h7/DwcHmykVQlRfv4CSjW/3Jj3lZii
+Vuzmzz9M7yJV1HDfzKfuZU5q8+mq6ER+4GChQjiIZ+2jAS/5xPsLUAtkd8evtylg
+Y5hLSwc5dZVpTHqCA9HntWz6Bv/ewsD0BREX4BQb4WR3j3JYX4zCdXyJ4Dzyp3Hz
+bxF1+Zap47dUCM1fGxY3v+Ff1EoGYFJLSfTrFpIioD/m9MP7yQD4PRG++/bEGakE
+mj4VsuED2rPY0kzuJXLvHEL8dCiMGte3up3rcSQ+/sfqjqwHNlDijHJPeifwTq1Q
+99r+OtGEe4m30mYNURnK+E6SJ0PK9l5/5CttyQIDAQABAoIBAFZBC3fNE4V8bxzJ
+RCKMYaJU7EcMsvWVAFNQGI75EWJWQwdroshSsMlWibHXZJamwoqydH1atm59YNez
+a4ixYGz3m3aD23hRUEx75OSL+8GTHRhW1IKDIahjHq3WrfgOGAX8L+T9cGY827Yz
+MiHYNS0wyJ23w7vyvRW2hJfywSkTtW1l2yXHrU8/AYcq0in07GPeIdSnmrRuov+b
+kPAkiLkJBXrMmPkKX0qQ9jCU2hdZVHtlaoMSr2/6klNn2ynNLST08W9Hd5qQTbpw
+eDmKQZYUH2W/dEnmii4MzA9FiW0s6sPV5NSMQAZoWpSk2bt1rAFZp5UjWGuXX5gz
+xGRahFkCgYEA7fNDS/+O/lPTjaAdoZ9triYrKHdRTlNwfenkinghMj/yKLFmCu6/
+C+6sGvJELJaJqQc1rYSwNhd3VeI+lpqqTmPrtid16ZD9InQbA2Zywa5XI1okCWtH
+TQccSRE9B4Ow4NUfjIyFeI6u1xq3P+2sM5EXWMLl7g2nMKKCejoFQC8CgYEAwC1J
+pwBvLFfTUMNxoILpXx31xcrKvRCfGWRWB8hyj2x14/7qhpGueUkjqHSRl0fW6urk
+zdmiPRmb2R68bOZ2alkbvgrxWyicSoRWyaLsipbk0H4o3tBOxZHTGqdY/6czlBJX
+vYHc1qi3+Ak/+xYXxh3d13uNpVq72d2pNx9we4cCgYEAlGAWXLN01P4scqmfEIM7
+f1ZpnwgX+QFqqflI+1dBS/Y36EwGV1bcZnJje0IKZMtR98Z5IEQXJQOo9DLp2DuF
+avA/sQwWKJiyX+OKXKprcH5n87Fnuz/b7Bo89wr6xU7G4svCqn+NUsmWGKeeEQ0B
+Tf5xUnXlrnVxBZCwT8sSLx0CgYBxcYp74f6+n22nzGfkB8N5mbb+tpJtf0Vb+OXs
+HEC8N5t0JoQNQixLfohlJcLYGdldvaGpfqKODPL5/XHfm0Al0UpWKiGF3Xg9aNfO
+mbWmriKOjRrVRQRrDoUew9D+wZXp/9X5kZJqyRgofFVfhBAurGzLiiz4gpJHrtj4
+KD//OwKBgAkrQfT4pvsiUi+c8oCEiHd/rR3e+Q3mhJrx3/lRWff7X7lb90JeVa9y
+xwfe9V/mWhihXCVPJMyyMKrfonDBlsXW7EiruJxIOa11hNXD07UsOYwKk0WAhmXU
+iv7FsRK9JStKTKw/sI9P8H+Xfi/2zyc+8vJJprXdZtJBnTM4/fEr
+-----END RSA PRIVATE KEY-----
diff --git a/Workbench/comanage_match/container_files/shibboleth/attribute-map.xml b/Workbench/comanage_match/container_files/shibboleth/attribute-map.xml
new file mode 100644
index 0000000..f7580d0
--- /dev/null
+++ b/Workbench/comanage_match/container_files/shibboleth/attribute-map.xml
@@ -0,0 +1,169 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+
+    <!-- New standard identifier attributes for SAML. -->
+
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <!-- The most typical eduPerson attributes. -->
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
+    <!--
+    Legacy pairwise identifier attribute / NameID format, intended to be replaced by the
+    simpler pairwise-id attribute (see top of file).
+    -->
+
+    <!-- The eduPerson attribute version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- The SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Other eduPerson attributes (SAML 2 names followed by SAML 1 names)... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+    -->
+
+    <!-- Older LDAP-defined attributes (SAML 2.0 names followed by SAML 1 names)... -->
+    <!--
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    -->
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <!--
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+    -->
+
+    <!-- SCHAC attributes... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="schacPersonalUniqueCode">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="schacPersonalUniqueID"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="schacUserStatus">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.20" id="schacProjectMembership">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.21" id="schacProjectSpecificRole">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    -->
+
+</Attributes>
+
diff --git a/Workbench/comanage_match/container_files/shibboleth/idp-metadata.xml b/Workbench/comanage_match/container_files/shibboleth/idp-metadata.xml
new file mode 100644
index 0000000..7d33cd1
--- /dev/null
+++ b/Workbench/comanage_match/container_files/shibboleth/idp-metadata.xml
@@ -0,0 +1,202 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor  xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idptestbed/idp/shibboleth">
+
+    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
+
+        <Extensions>
+            <shibmd:Scope regexp="false">example.org</shibmd:Scope>
+<!--
+    Fill in the details for your IdP here 
+
+            <mdui:UIInfo>
+                <mdui:DisplayName xml:lang="en">A Name for the IdP at idptestbed</mdui:DisplayName>
+                <mdui:Description xml:lang="en">Enter a description of your IdP at idptestbed</mdui:Description>
+                <mdui:Logo height="80" width="80">https://localhost/Path/To/Logo.png</mdui:Logo>
+            </mdui:UIInfo>
+-->
+        </Extensions>
+
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy
+MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH
+YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M
+SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2
+03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No
+5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+
+XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud
+DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk
+hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL
+BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac
+ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98
+NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl
+j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP
+IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E
+t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM=
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB
+CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx
+MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g
+u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2
+Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ
+Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+
+MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs
+uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV
+HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl
+ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB
+CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X
+sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s
+RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ
+Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B
+DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i
+s00xrv14zLifcc8oj5DYzOhYRifRXgHX
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+        <KeyDescriptor use="encryption">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy
+MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD
+cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ
+l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG
+ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8
+9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX
+VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud
+DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk
+hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL
+BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni
+QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN
+jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r
+xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8
++PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H
+p+tGUbGS2l873J5PrsbpeKEVR/IIoKo=
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+
+        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+
+        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://__CSPHOSTNAME__/idp/profile/Shibboleth/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/idp/profile/SAML2/POST/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://__CSPHOSTNAME__/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://__CSPHOSTNAME__/idp/profile/SAML2/Redirect/SSO"/>
+
+    </IDPSSODescriptor>
+
+
+    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+
+        <Extensions>
+            <shibmd:Scope regexp="false">localhost</shibmd:Scope>
+        </Extensions>
+
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy
+MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH
+YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M
+SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2
+03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No
+5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+
+XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud
+DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk
+hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL
+BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac
+ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98
+NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl
+j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP
+IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E
+t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM=
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB
+CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx
+MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g
+u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2
+Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ
+Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+
+MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs
+uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV
+HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl
+ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB
+CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X
+sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s
+RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ
+Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B
+DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i
+s00xrv14zLifcc8oj5DYzOhYRifRXgHX
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+        <KeyDescriptor use="encryption">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy
+MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD
+cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ
+l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG
+ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8
+9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX
+VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud
+DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk
+hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL
+BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni
+QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN
+jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r
+xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8
++PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H
+p+tGUbGS2l873J5PrsbpeKEVR/IIoKo=
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+
+        
+        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://__CSPHOSTNAME__/idp/profile/SAML1/SOAP/AttributeQuery"/>
+        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://__CSPHOSTNAME__/idp/profile/SAML2/SOAP/AttributeQuery"/> 
+        <!-- If you uncomment the above you should add urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration above -->
+
+    </AttributeAuthorityDescriptor>
+
+</EntityDescriptor>
+
diff --git a/Workbench/comanage_match/container_files/shibboleth/shibboleth2.xml b/Workbench/comanage_match/container_files/shibboleth/shibboleth2.xml
new file mode 100644
index 0000000..8f7972a
--- /dev/null
+++ b/Workbench/comanage_match/container_files/shibboleth/shibboleth2.xml
@@ -0,0 +1,113 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    clockSkew="180">
+
+    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
+  
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://comanage-match.workbench/shibboleth"
+        REMOTE_USER="eppn uid subject-id pairwise-id persistent-id"
+        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
+        and should be a relative path, with the SP computing the full value based on the virtual
+        host. Using handlerSSL="true" will force the protocol to be https. You should also set
+        cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
+        "false", this makes an assertion stolen in transit easier for attackers to misuse.
+        -->
+    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" handlerURL="/matchSSO/Shibboleth.sso"
+                  checkAddress="false" handlerSSL="true" cookieProps="https"
+                  redirectLimit="exact">
+
+            <!--
+            Configures SSO for a default IdP. To properly allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+            <SSO entityID="https://idptestbed/idp/shibboleth">
+              SAML2
+            </SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+
+            <!-- Administrative logout. -->
+            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
+          
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 172.16.0.0/12 192.168.0.0/16"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add your own attributes with values that can be plugged into the
+        templates, e.g., helpLocation below.
+        -->
+        <Errors supportContact="root@localhost"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+
+        <!-- Example of locally maintained metadata. -->
+        <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
+
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <!--
+        <MetadataProvider type="XML" validate="true"
+	            url="http://federation.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+              attributeName="http://macedir.org/entity-category"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="http://refeds.org/category/hide-from-discovery" />
+        </MetadataProvider>
+        -->
+
+        <!-- Example of remotely supplied "on-demand" signed metadata. -->
+        <!--
+        <MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
+	            baseUrl="http://mdq.federation.org" ignoreTransport="true">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="mdqsigner.pem" />
+        </MetadataProvider>
+        -->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
+        <CredentialResolver type="File" use="signing"
+            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+        <CredentialResolver type="File" use="encryption"
+            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
+        
+    </ApplicationDefaults>
+    
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
+
diff --git a/Workbench/comanage_match/container_files/shibboleth/sp-encrypt-cert.pem b/Workbench/comanage_match/container_files/shibboleth/sp-encrypt-cert.pem
new file mode 100644
index 0000000..a1a8978
--- /dev/null
+++ b/Workbench/comanage_match/container_files/shibboleth/sp-encrypt-cert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIERzCCAq+gAwIBAgIUMC5kAwOH+9io4LQZ7Km3GoOZCjQwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAxMYY29tYW5hZ2UtbWF0Y2gud29ya2JlbmNoMB4XDTI0MTIx
+OTE0NDEyNVoXDTM0MTIxNzE0NDEyNVowIzEhMB8GA1UEAxMYY29tYW5hZ2UtbWF0
+Y2gud29ya2JlbmNoMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAupwd
+OA+j10PAlvPoCnl85MGUuV/atEBO2zASjPUP8izSBNqqVptgh3fpRDoNj0v2/dMp
+WUUdSV4j8qkGBq5TMu+/zpweAYAH0jKZtftUpe1olVly4xeGH+SNPmiY6zIWYGZk
+uSiIcN2WWNFZfgWwgqHxkaB9NiQPsPyYyaABumzRoNXNtJvyuEo2uDJoxG76r6Ae
+wUp2EQJ9mxN1I5vIdPkXLig+iTirNPmZoprfAFNP7tVwQJ4GU1hW0rWHeJxVy5Dm
+4RGCdfUwoEPwxct+Yugh2kwDCCIwAoxdMInYgFWg7jBCYu4axU/99E9FFrlrTyTn
+Y4IV8dsDnZiy8msPWKPUics8wNKnbacROXAqn01Q6HsSqpcybk/QgBxrfAi2jQU/
+jbkjafD6ppKhRRF+r6Csb2bFDNwAOWrb/ifihMgVgbUNpKjliFuF9laojwi64QmR
+3bC/RVotvABi5Y5GR9C0J+P7YXE/cJP0GKtiz9oq/j1xYCWuAGOBLj06+MY3AgMB
+AAGjczBxMFAGA1UdEQRJMEeCGGNvbWFuYWdlLW1hdGNoLndvcmtiZW5jaIYraHR0
+cHM6Ly9jb21hbmFnZS1tYXRjaC53b3JrYmVuY2gvc2hpYmJvbGV0aDAdBgNVHQ4E
+FgQUdznHRrLMtzRfjf3SoLhtK/7wZykwDQYJKoZIhvcNAQELBQADggGBALeMd3G8
+ZDFMW0RzmBZCXLG/1F8UB0QiLZcbeT70GSNzBFNHhb9JEOSVVdO3HY/Y9/FZkhhZ
+fzL4hP4EmalS+qSH7doAtbVbA6b86iXqqKbWpMNC+U3iiEGqWIB6vkthajvD0RXv
+0k6Uq0zIpKyzjoh+vraw1F6F0yxg5XuaZHW6/c0iOLgxG2qLJzDbjtMxqsBYONqZ
+CEqFlwEY4JRNMssq96R8lHxi5DSwD3paHAvvZ6wItUO/RZnJxEIm65PXxIpPvK3U
+093zKljkj1H6ib64ZC4oAic7fAeA6xes9LAz+iaj4MUxMUCXjvFElhJIOQAI8eI4
+EU+BYcdX/HNwXMfBpDQbt1hY6K+sLJE5cH6rig03crJtstUPXtJN18+fNQNIFNcX
+WAxfOhDTCgRXADolugX3VpQ70HoyL4aZug9+4VonGpNPe4GTxMMiN3GvF5mfZNjQ
+5U8L8uXOKN4oqZjecmSnDoZaU3elTKyiD6yDmDk+GVBWZtErcQzx/T3Wrg==
+-----END CERTIFICATE-----
diff --git a/Workbench/comanage_match/container_files/shibboleth/sp-encrypt-key.pem b/Workbench/comanage_match/container_files/shibboleth/sp-encrypt-key.pem
new file mode 100644
index 0000000..61ba62a
--- /dev/null
+++ b/Workbench/comanage_match/container_files/shibboleth/sp-encrypt-key.pem
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQC6nB04D6PXQ8CW
+8+gKeXzkwZS5X9q0QE7bMBKM9Q/yLNIE2qpWm2CHd+lEOg2PS/b90ylZRR1JXiPy
+qQYGrlMy77/OnB4BgAfSMpm1+1Sl7WiVWXLjF4Yf5I0+aJjrMhZgZmS5KIhw3ZZY
+0Vl+BbCCofGRoH02JA+w/JjJoAG6bNGg1c20m/K4Sja4MmjEbvqvoB7BSnYRAn2b
+E3Ujm8h0+RcuKD6JOKs0+Zmimt8AU0/u1XBAngZTWFbStYd4nFXLkObhEYJ19TCg
+Q/DFy35i6CHaTAMIIjACjF0widiAVaDuMEJi7hrFT/30T0UWuWtPJOdjghXx2wOd
+mLLyaw9Yo9SJyzzA0qdtpxE5cCqfTVDoexKqlzJuT9CAHGt8CLaNBT+NuSNp8Pqm
+kqFFEX6voKxvZsUM3AA5atv+J+KEyBWBtQ2kqOWIW4X2VqiPCLrhCZHdsL9FWi28
+AGLljkZH0LQn4/thcT9wk/QYq2LP2ir+PXFgJa4AY4EuPTr4xjcCAwEAAQKCAYAd
+9daTG5+4ff47vikxFVRB/fp80LDyY6jFdDBmRSosPZnygZD7mrKizVO8Sn3G1fFv
+yylGVdxf3Sd0XELFa9Obx/ZJm7MNlpqq2sjm+NUcVsOFxvi1ER/Nmwo6TNzQVhhV
+ndrqB2HwjQMIe4QcwZkXQBzivpubx6plRgjZxkDAx5vYcLs4FhmgEPo8FIvRjefd
+rp2Bdw0Bqh60eSlDcE18ykk4demkal7CgJh0DN1k1fttYwNEvJpTY0l9RvvbF25A
+agyhoc2Hqbu7yAXkiYnnSVF7lY7g9HCBVZgNasY6I9oQv1VdDXB08ER0RRgh+3b1
+X6dkn3adHeWfrteE51TORv6bNDp013JNeDImfJRlBCLrWtGwTi2c1/Xol2D6ildS
+FwBQ9UQAQzytMky5CYgs+/cUuyVNI5rmcCnrB8zcMa5mq0p/ESl0OUR3fSBOM2p5
+jSJS7PWKDr6vnq58if3fpzhO7I2F4XS7Ms9fOOrE8dtueCD9fyVxZSEzFJDvaIEC
+gcEA70O/y4YxoL1Qha7h+9yHKUJOi4KkyYs/4JFth/JtN1rmjsZSZk0MrpZKIpEI
+6VphRhN4aG6UoUZLMQA3jMVy+5bSGnVbXhBcvLHuVYCQDZfVYGBlt3qwFDfPtsmz
+Ti+1PFY1ozyrYlpr3yEXeYJ6VQ/Ltty5Dm5KZCYYtQ/EWLvmIA9iGCu9LeNH1DdQ
+rvbkfCqGeK4nemhmFh4jHf/j8i25Rrl3TXZbyySH8EdvsobHWOwNFDL2uJQx0ySx
+c1PhAoHBAMepiFCCbm5eejjB4arahI/w1yFDo6t1YDO9GrKxUJjgi0FbScFLCUMi
+Yn7WaMWvyrVbq4HLdVSPAllQoXSQmMWssKH4XT97nBO5omlYAbB/bEPKwCSaDclX
+PiIYoUMg7Yx6n0EccH+zDLNSvQzap1of40hr1AcqULd2fBEkYgERVBx1zxxJkL5y
+xqebSQBvcVo5aLkQNNejRfXY89cdoQRlhf6uhP32QGzB75ZnTrIpSgruPGeVaXXH
+jv95kJPdFwKBwQDJW6jjrXHCptBHUSBaCAOv01+qxS3Nd+UwJvOY/4qulU+HRJxA
+AAP2QgDuCkUHrcpDYUtqB/YJq9DH0jjtvZXA6fKz1aQpC3ggTVYYmvOgnPE0BKxV
+t2jL+xRR7nl6CWhq+Np3IC3TvekehQjud8JgJ8T3hdYvsN3mXrFYX4aMbsWCoa+a
+S+UP40Cl9k9uj9VGMbutgFM1DvsrDf3b12iMfbJ5NMiUZlFmKr5ElroH8ql9ylpP
+b3x3ZjBwU2cLecECgcBPddb8Q4xzfEIkCHUpK+IJ7w2O/X5LpGDu9lmDuDGdRe/l
+yNDnjldXUn3kgKwd0MJZvuvYsgI17tw+c2puG4XRVdLOAywJMcaByyUpy46QkYWi
+zTP+3RiTgpcFtsunDZm8iKiMnybei4GIdGssjHCB26L2lYNCfsK04QCrSdF/H0hc
+Mz6DwXtLcB5DYfeBpthz0dktnZeKIj6bgwY4HGCSgVz8aLQg5jnpjp0tPFwDZ49C
+HmIHz1yzNQJiBh1V220CgcAGRt05uQakG/5/8H5Fbntgd/Pf/UiR99sa/D0LMdGO
+FLFkq+ut4/oGiTYU18vPXI/N78R3QXZmOVpxvZNQQU16q3jb/S9RSkMiEJvhHOD+
+J+0Ix7+q4tJKbWsAAcFFMUfxJeLJJvOpone6yl5t8179voDCsHe39pWRZfm2osTw
+1jL9yBshtmbdGDnLcru7+uX9VFoEe+rUYP8g1d0+ePG+h3YiOcSB1NNaZJ46s8io
+nGtWNRODGXsz8Jg/emR5/5s=
+-----END PRIVATE KEY-----
diff --git a/Workbench/comanage_match/container_files/shibboleth/sp-signing-cert.pem b/Workbench/comanage_match/container_files/shibboleth/sp-signing-cert.pem
new file mode 100644
index 0000000..b8d2e38
--- /dev/null
+++ b/Workbench/comanage_match/container_files/shibboleth/sp-signing-cert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIERzCCAq+gAwIBAgIUXj29r7vhVtrbJcAUX8B87tW2ziEwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAxMYY29tYW5hZ2UtbWF0Y2gud29ya2JlbmNoMB4XDTI0MTIx
+OTE0NDEwM1oXDTM0MTIxNzE0NDEwM1owIzEhMB8GA1UEAxMYY29tYW5hZ2UtbWF0
+Y2gud29ya2JlbmNoMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA9qZI
+5W74/kT+jNlGnCUEBQFwTqH1YVDshhtt2rWdKCOh6mnlcg2udFQJTMZKoD8t9NqT
+WLUvzAAIHuuiRTdhPwpxBRUvN8eDC3hX47ENapRqRI/ysKudM8f2TayrOsfJoa4D
+6k9nqfiCGpUcJMczFpCIltK8aHvTjbXI3myes5yE/CX5vZCMJ3bqLLKrE+Oll3b3
+Vs55wQTttelD4zbGJwdTW1sDJOmsr2TPaPzWw/b5TbjBOpmZbEjMSlU1bP/A+yKb
+RRXH9dY/8luOC+kgT/YqEMAPvyRQi9YSc7rO0TBhkD8RDn1EsHgro473Ffe0AIe6
+IH6TAz5kZ7lmpzLPQ4YVP6ePmdlQ+kH5CjkI9DAGQjYYPgXkHUyHG9R43hFznVrb
+75Bgd5O0QyrWknOqWJuyBJich9HR9VmZGQo0lG8IsGjryd6i7lVLgijRfZwpbIi0
+F0b98luW8c8ui/c2IyEk5xlF/WE7bL/WQuYJUCLPnOCJfX8rcR/HyhKeMqVbAgMB
+AAGjczBxMFAGA1UdEQRJMEeCGGNvbWFuYWdlLW1hdGNoLndvcmtiZW5jaIYraHR0
+cHM6Ly9jb21hbmFnZS1tYXRjaC53b3JrYmVuY2gvc2hpYmJvbGV0aDAdBgNVHQ4E
+FgQUHMZ/ShedHfCvlxm4Hgsm/fO1GPMwDQYJKoZIhvcNAQELBQADggGBAHeyhP6r
+je3fR+y9tTGO7N2K32Fjb7k5TTSOPCZSCqpk0BQbZy6nELn5z3zfen8TKAAz7j0Y
+BuoUvrKa1TCKVvOcJGe3fTgy/c9iXjutNGcjMbbx3AA2+Lfm4k5qrc3GdO3pNK0w
+vIGLom1/aWo7bC5CWmGKx4PNxSmaY1rrHWgyS9SBMaGheyKPj70Vmjf7WUEH5rdV
+STqqWy3d+tN1BI6vmn1MlxqO4uFFouYaGdu3jpB39Z9Qu7do1GW19LWDRPVSf/ZP
+gr93YHYv+jtlW1JboI69+pl8sCBWxiSvLH7Miq2G4AGUtWI12aFWmix8WXSNjPY8
+wqkzT6drukBVCT1pJWzFk/e+XIv2MC5bYlDohI/ySV8wlr0sXHI85nsjdaRRleo/
+yebI1Pxqhy8dCOYUdMDtpaVSaC55uVVt4V7tQdTCoYTKoN5iBc1jrkwirp4URknf
+OmwywddKMz6rTHLCBSrTs+F+5Q1XCN4UZy9RUbjWAzcvrZRD5gGa7MtUiA==
+-----END CERTIFICATE-----
diff --git a/Workbench/comanage_match/container_files/shibboleth/sp-signing-key.pem b/Workbench/comanage_match/container_files/shibboleth/sp-signing-key.pem
new file mode 100644
index 0000000..bc08212
--- /dev/null
+++ b/Workbench/comanage_match/container_files/shibboleth/sp-signing-key.pem
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQD2pkjlbvj+RP6M
+2UacJQQFAXBOofVhUOyGG23atZ0oI6HqaeVyDa50VAlMxkqgPy302pNYtS/MAAge
+66JFN2E/CnEFFS83x4MLeFfjsQ1qlGpEj/Kwq50zx/ZNrKs6x8mhrgPqT2ep+IIa
+lRwkxzMWkIiW0rxoe9ONtcjebJ6znIT8Jfm9kIwnduossqsT46WXdvdWznnBBO21
+6UPjNsYnB1NbWwMk6ayvZM9o/NbD9vlNuME6mZlsSMxKVTVs/8D7IptFFcf11j/y
+W44L6SBP9ioQwA+/JFCL1hJzus7RMGGQPxEOfUSweCujjvcV97QAh7ogfpMDPmRn
+uWanMs9DhhU/p4+Z2VD6QfkKOQj0MAZCNhg+BeQdTIcb1HjeEXOdWtvvkGB3k7RD
+KtaSc6pYm7IEmJyH0dH1WZkZCjSUbwiwaOvJ3qLuVUuCKNF9nClsiLQXRv3yW5bx
+zy6L9zYjISTnGUX9YTtsv9ZC5glQIs+c4Il9fytxH8fKEp4ypVsCAwEAAQKCAYA9
+MlfO2UBdMjgoMTakQkjjhw5a7DNKQH5W7dJNXBdQoLqpQzoDGOLqiPk/u8lDRjm8
+UUkSzu27g1yAc31xCAMQVaJiHPX4tH9Opr7DxyephIZzWXXhIMth0CDL9+YKMQzV
+mSvuhGIXmYmKV+nCNEx4Mkc5iLLnh6WfOPXMPg4ISXLzbuaugoFLv2TtzyzERAzP
+blyDBLrPyc3C/0vxQaNbhqVHeubmTzYh1HTjuyv8Njh38Lm8tOSMqelKHich0riN
+xBeZOvN0hdDpV60HP8ljWUTRGSBnFpY6rSxmx1DJkbP7acFqrL2qavDlYxnntwuj
+7ze1FlT3Kc3KdCWPeWpFdvN3bkDieWV7mjXSE125CAxirpzZLY7ETgv/uPrYcNr9
+MEJmpzgH/xhPD+bfxcSZMROezpI+b/gTFXXmdTOncw5QGC7+e7ZtyA6JUF3yNuZo
+4zNXDTGMVDYteidx/oG7SjXUEe2JX2hFjf/Z1srMnNp1xaSrL+z4r54OymqJj3EC
+gcEA/Y4Xstqq8ej1dm5ps1uNG7bSkjHOGkoxwhWnFkKxZmG+JdmKUVwFROdDpcz/
+X0INqVx/3IT3d8Kv7gHrEWwM8jqhbA1x2pRD/KCK93kVQtFj9XKk63biPBOBH1AD
+qH8GqVMD9OXj1tVEXsH3KWyjAxDnnxopU6pWnL18BqMRo+hD5bgHjqSu3HlhXCXS
+GLltRnwTnaWpuQIZDM1gA2KITYD6x7XA9SyG58dlzXpjxNvDbbaiLcxzcJYVKhhx
+QcUxAoHBAPkHJVEPJ3Io69CcNK5f7JAkCiXVRq+5I+CEveTqnhuZ1VA4D6+spxDv
+l3MGRFdPwk00kbmGSMvSyLGzxFu41HTHCJMcyqYBLC3RpWxqOxWK2fU+ksoeGDbf
+CyNhiY0km1FS4GlJeK5EBnRRuwIV0GGpel2GTiiiZn4obea0Z5hn4iS6prXXvOVq
+NXXbdg+MrZbNxEOvGGPMXYnQgbW+BLQRpKCp9IYl9Xx8/JyEhPzVkOjHq/3ogywl
+fklZHNPgSwKBwQC5iEbZDd62QuOSNHrNzjjzxZRRe3Y3kIDWZuerh0OuCemMYqEu
+pWoJoDvEz7sxpfC/M7svznASRvha7TZnuivC95n0qeXcrk8NRSBKs2QWT4eYK7p3
+vbcPhKogEnmKyuBB+EfV5H4STl3IBKBpxF+Ht8/0gL0qxmK4MILXjG01BZjhOAb3
+npOBKqROPDJ++vf18oab/YOyp9FSp9kQwQHBzJY0mk9GV72jTim08FCe1LwsxM3p
+O0hhYsC728TL/pECgcA+r3bMRcVHLlfV5kw4jLruubO4PEyT1UXbsW5fnlN4XSve
+Co6gSRSw5a647J3tYI1ng9Ee41eVvxR37umBsTAByUw2Q+wbB3aIfhpnBQKkdJRS
+8JJgwFyWC2UxXc8TMWDLgtIsjqsLKuJ5C03Iw5b1zoSX4EPyZJbqMOEhTs45BgVd
++4IVih3pneehKEI6vc3AhUFfTEcWcA4nr83G4vMqJLrNGpsL3ahC0u9/srgLMPNO
+NVztCEdkqHd2nTDtgKsCgcB+ECuCBmNICj9qEiQ29HCjtvfKrHv8WUwKamuHzM+p
+dEbzJJVZ/XJ1cOpqfE1/iIJso1dv4BlfiJd/hpQYlXbqbREV9NCkJhe4i8MBAhTb
+cQPuzO2/6Vp2544pD2JGg/PXqzNI5U7a0m6HvBxDgMbPUZ2QxLmk1ju02mPGe+5x
+l3AGQBSoUqzgc+V/qRZM3mFBBK+8688NdL5aLjeZGXcMn86EAg+wcqaYNJnC4TWY
+vy0oyINVpOQFRXbBpdUjQb4=
+-----END PRIVATE KEY-----
diff --git a/Workbench/comanage_match/container_files/system/setservername.sh b/Workbench/comanage_match/container_files/system/setservername.sh
new file mode 100644
index 0000000..a2ab30d
--- /dev/null
+++ b/Workbench/comanage_match/container_files/system/setservername.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+files="/etc/shibboleth/idp-metadata.xml"
+
+for file in $files
+  do
+    sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+  done
+
+
diff --git a/Workbench/comanage_match_data/Dockerfile b/Workbench/comanage_match_data/Dockerfile
new file mode 100644
index 0000000..34035c3
--- /dev/null
+++ b/Workbench/comanage_match_data/Dockerfile
@@ -0,0 +1,5 @@
+FROM postgres:12
+
+COPY container_files/seed-data/ /docker-entrypoint-initdb.d/
+
+
diff --git a/Workbench/comanage_match_data/container_files/seed-data/addExtension.sql b/Workbench/comanage_match_data/container_files/seed-data/addExtension.sql
new file mode 100644
index 0000000..3b939a7
--- /dev/null
+++ b/Workbench/comanage_match_data/container_files/seed-data/addExtension.sql
@@ -0,0 +1,2 @@
+create extension fuzzystrmatch;
+
diff --git a/Workbench/docker-compose.yml b/Workbench/docker-compose.yml
index adceab6..8a21970 100644
--- a/Workbench/docker-compose.yml
+++ b/Workbench/docker-compose.yml
@@ -238,6 +238,26 @@ services:
     volumes:
      - comanage_data:/var/lib/postgresql/data
 
+  comanage_match_data:
+    build: ./comanage_match_data/
+    environment:
+      POSTGRES_USER: match_user
+      POSTGRES_PASSWORD: Password1
+      POSTGRES_DB: match
+    networks:
+      net:
+        aliases:
+         - comanage-match-data
+    ports:
+      - 55432:5432
+    healthcheck:
+      test: /usr/bin/pg_isready
+      interval: 30s
+      timeout: 30s
+      retries: 3
+    volumes:
+     - comanage_match_data:/var/lib/postgresql/data
+
   comanage_midpoint_data:
     build: ./comanage_midpoint_data/
     environment:
@@ -593,6 +613,26 @@ services:
         aliases:
           - comanage-cron
 
+  comanage_match:
+    build: 
+      context: ./comanage_match/
+      args:
+        - CSPHOSTNAME
+    depends_on:
+     - comanage_match_data
+    environment:
+     - ENV
+     - USERTOKEN
+    networks:
+     - net
+    ports:
+     - 19443:443
+    healthcheck:
+      test: curl -kf https://127.0.0.1/match/ || exit 1
+      interval: 30s
+      timeout: 30s
+      retries: 3
+
   ad:
     build:
       context: ./ad/
@@ -665,6 +705,7 @@ volumes:
   grouper_data_2:
   source_data:
   comanage_data:
+  comanage_match_data:
   comanage_midpoint_data:
   comanage_mysql:
   source_mysql:
diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html
index a087f80..00650d7 100644
--- a/Workbench/webproxy/container_files/httpd/index.html
+++ b/Workbench/webproxy/container_files/httpd/index.html
@@ -13,6 +13,7 @@ <h3>Welcome to the InCommon TAP Workbench!</h3>
 <li><a href="https://__CSPHOSTNAME__/midpoint" target="TAP-WB-MIDPOINT">midPoint (4.9)</a></li>
 <ul><li><a href="https://__CSPHOSTNAME__/midPoint-doc.html" target="TAP-WB-MIDPOINT-CONFIG">Technical doc on midPoint's configuration</a></li></ul>
 <li><a href="https://__CSPHOSTNAME__/registry" target="TAP-WB-COMANAGE">COmanage Registry (4.4.0)</a></li>
+<li><a href="https://__CSPHOSTNAME__/match" target="TAP-WB-COMANAGEMATCH">COmanage Match (1.2.0)</a></li>
 <li><a href="https://__CSPHOSTNAME__/idpui/" target="TAP-WB-IDPUI">Shibboleth IdP UI (1.18.0)</a></li>
 </ul>
 
@@ -39,6 +40,7 @@ <h3>Welcome to the InCommon TAP Workbench!</h3>
   <li><a href="https://__CSPHOSTNAME__/grouperSSO/Shibboleth.sso/Status" target="TAP-WB-gSP">Grouper SP (3.4.1) status</a></li>
   <li><a href="https://__CSPHOSTNAME__/mppSSO/Shibboleth.sso/Status" target="TAP-WB-mSP">midPoint SP (3.4.1) status</a></li>
   <li><a href="https://__CSPHOSTNAME__/registrySSO/Shibboleth.sso/Status" target="TAP-WB-cSP">COmanage SP (3.4.1) status</a></li>
+  <li><a href="https://__CSPHOSTNAME__/matchSSO/Shibboleth.sso/Status" target="TAP-WB-cmSP">COmanage Match SP (3.4.1) status</a></li>
   <li><a href="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/Status" target="TAP-WB-wSP">Wordpress SP (3.4.1) status</a></li>
 </ul>
 </ul>
diff --git a/Workbench/webproxy/container_files/httpd/proxy.conf b/Workbench/webproxy/container_files/httpd/proxy.conf
index 27c9e3f..9ab8fa7 100644
--- a/Workbench/webproxy/container_files/httpd/proxy.conf
+++ b/Workbench/webproxy/container_files/httpd/proxy.conf
@@ -72,6 +72,11 @@ ProxyPass /registry https://comanage/registry
 ProxyPassReverse /registry https://comanage/registry
 ProxyPass /registrySSO https://comanage/registrySSO
 
+ProxyPass /match https://comanage_match/match
+ProxyPassReverse /match https://comanage_match/match
+ProxyPass /matchSSO https://comanage_match/matchSSO
+ProxyPassReverse /matchSSO https://comanage_match/matchSSO
+
 #ProxyPreserveHost on
 ProxyPass /wordpressSSO https://wordpress_server/wordpressSSO
 ProxyPass /wordpress https://wordpress_server/wordpress
diff --git a/Workbench/webproxy/container_files/mdload/match-sp.xml b/Workbench/webproxy/container_files/mdload/match-sp.xml
new file mode 100644
index 0000000..7cf37bc
--- /dev/null
+++ b/Workbench/webproxy/container_files/mdload/match-sp.xml
@@ -0,0 +1,113 @@
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://comanage-match.workbench/shibboleth">
+
+  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
+  </md:Extensions>
+
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:Extensions>
+    <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://__CSPHOSTNAME__/matchSSO/Shibboleth.sso/Login"/>
+    </md:Extensions>
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>comanage-match.workbench</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=comanage-match.workbench</ds:X509SubjectName>
+	  <ds:X509Certificate>
+MIIERzCCAq+gAwIBAgIUXj29r7vhVtrbJcAUX8B87tW2ziEwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAxMYY29tYW5hZ2UtbWF0Y2gud29ya2JlbmNoMB4XDTI0MTIx
+OTE0NDEwM1oXDTM0MTIxNzE0NDEwM1owIzEhMB8GA1UEAxMYY29tYW5hZ2UtbWF0
+Y2gud29ya2JlbmNoMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA9qZI
+5W74/kT+jNlGnCUEBQFwTqH1YVDshhtt2rWdKCOh6mnlcg2udFQJTMZKoD8t9NqT
+WLUvzAAIHuuiRTdhPwpxBRUvN8eDC3hX47ENapRqRI/ysKudM8f2TayrOsfJoa4D
+6k9nqfiCGpUcJMczFpCIltK8aHvTjbXI3myes5yE/CX5vZCMJ3bqLLKrE+Oll3b3
+Vs55wQTttelD4zbGJwdTW1sDJOmsr2TPaPzWw/b5TbjBOpmZbEjMSlU1bP/A+yKb
+RRXH9dY/8luOC+kgT/YqEMAPvyRQi9YSc7rO0TBhkD8RDn1EsHgro473Ffe0AIe6
+IH6TAz5kZ7lmpzLPQ4YVP6ePmdlQ+kH5CjkI9DAGQjYYPgXkHUyHG9R43hFznVrb
+75Bgd5O0QyrWknOqWJuyBJich9HR9VmZGQo0lG8IsGjryd6i7lVLgijRfZwpbIi0
+F0b98luW8c8ui/c2IyEk5xlF/WE7bL/WQuYJUCLPnOCJfX8rcR/HyhKeMqVbAgMB
+AAGjczBxMFAGA1UdEQRJMEeCGGNvbWFuYWdlLW1hdGNoLndvcmtiZW5jaIYraHR0
+cHM6Ly9jb21hbmFnZS1tYXRjaC53b3JrYmVuY2gvc2hpYmJvbGV0aDAdBgNVHQ4E
+FgQUHMZ/ShedHfCvlxm4Hgsm/fO1GPMwDQYJKoZIhvcNAQELBQADggGBAHeyhP6r
+je3fR+y9tTGO7N2K32Fjb7k5TTSOPCZSCqpk0BQbZy6nELn5z3zfen8TKAAz7j0Y
+BuoUvrKa1TCKVvOcJGe3fTgy/c9iXjutNGcjMbbx3AA2+Lfm4k5qrc3GdO3pNK0w
+vIGLom1/aWo7bC5CWmGKx4PNxSmaY1rrHWgyS9SBMaGheyKPj70Vmjf7WUEH5rdV
+STqqWy3d+tN1BI6vmn1MlxqO4uFFouYaGdu3jpB39Z9Qu7do1GW19LWDRPVSf/ZP
+gr93YHYv+jtlW1JboI69+pl8sCBWxiSvLH7Miq2G4AGUtWI12aFWmix8WXSNjPY8
+wqkzT6drukBVCT1pJWzFk/e+XIv2MC5bYlDohI/ySV8wlr0sXHI85nsjdaRRleo/
+yebI1Pxqhy8dCOYUdMDtpaVSaC55uVVt4V7tQdTCoYTKoN5iBc1jrkwirp4URknf
+OmwywddKMz6rTHLCBSrTs+F+5Q1XCN4UZy9RUbjWAzcvrZRD5gGa7MtUiA==
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>comanage-match.workbench</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=comanage-match.workbench</ds:X509SubjectName>
+          <ds:X509Certificate>
+MIIERzCCAq+gAwIBAgIUMC5kAwOH+9io4LQZ7Km3GoOZCjQwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAxMYY29tYW5hZ2UtbWF0Y2gud29ya2JlbmNoMB4XDTI0MTIx
+OTE0NDEyNVoXDTM0MTIxNzE0NDEyNVowIzEhMB8GA1UEAxMYY29tYW5hZ2UtbWF0
+Y2gud29ya2JlbmNoMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAupwd
+OA+j10PAlvPoCnl85MGUuV/atEBO2zASjPUP8izSBNqqVptgh3fpRDoNj0v2/dMp
+WUUdSV4j8qkGBq5TMu+/zpweAYAH0jKZtftUpe1olVly4xeGH+SNPmiY6zIWYGZk
+uSiIcN2WWNFZfgWwgqHxkaB9NiQPsPyYyaABumzRoNXNtJvyuEo2uDJoxG76r6Ae
+wUp2EQJ9mxN1I5vIdPkXLig+iTirNPmZoprfAFNP7tVwQJ4GU1hW0rWHeJxVy5Dm
+4RGCdfUwoEPwxct+Yugh2kwDCCIwAoxdMInYgFWg7jBCYu4axU/99E9FFrlrTyTn
+Y4IV8dsDnZiy8msPWKPUics8wNKnbacROXAqn01Q6HsSqpcybk/QgBxrfAi2jQU/
+jbkjafD6ppKhRRF+r6Csb2bFDNwAOWrb/ifihMgVgbUNpKjliFuF9laojwi64QmR
+3bC/RVotvABi5Y5GR9C0J+P7YXE/cJP0GKtiz9oq/j1xYCWuAGOBLj06+MY3AgMB
+AAGjczBxMFAGA1UdEQRJMEeCGGNvbWFuYWdlLW1hdGNoLndvcmtiZW5jaIYraHR0
+cHM6Ly9jb21hbmFnZS1tYXRjaC53b3JrYmVuY2gvc2hpYmJvbGV0aDAdBgNVHQ4E
+FgQUdznHRrLMtzRfjf3SoLhtK/7wZykwDQYJKoZIhvcNAQELBQADggGBALeMd3G8
+ZDFMW0RzmBZCXLG/1F8UB0QiLZcbeT70GSNzBFNHhb9JEOSVVdO3HY/Y9/FZkhhZ
+fzL4hP4EmalS+qSH7doAtbVbA6b86iXqqKbWpMNC+U3iiEGqWIB6vkthajvD0RXv
+0k6Uq0zIpKyzjoh+vraw1F6F0yxg5XuaZHW6/c0iOLgxG2qLJzDbjtMxqsBYONqZ
+CEqFlwEY4JRNMssq96R8lHxi5DSwD3paHAvvZ6wItUO/RZnJxEIm65PXxIpPvK3U
+093zKljkj1H6ib64ZC4oAic7fAeA6xes9LAz+iaj4MUxMUCXjvFElhJIOQAI8eI4
+EU+BYcdX/HNwXMfBpDQbt1hY6K+sLJE5cH6rig03crJtstUPXtJN18+fNQNIFNcX
+WAxfOhDTCgRXADolugX3VpQ70HoyL4aZug9+4VonGpNPe4GTxMMiN3GvF5mfZNjQ
+5U8L8uXOKN4oqZjecmSnDoZaU3elTKyiD6yDmDk+GVBWZtErcQzx/T3Wrg==
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+    </md:KeyDescriptor>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://__CSPHOSTNAME__/matchSSO/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://__CSPHOSTNAME__/matchSSO/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://__CSPHOSTNAME__/matchSSO/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/matchSSO/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://__CSPHOSTNAME__/matchSSO/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/matchSSO/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://__CSPHOSTNAME__/matchSSO/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://__CSPHOSTNAME__/matchSSO/Shibboleth.sso/SAML2/Artifact" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://__CSPHOSTNAME__/matchSSO/Shibboleth.sso/SAML2/ECP" index="4"/>
+  </md:SPSSODescriptor>
+
+</md:EntityDescriptor>
+
diff --git a/Workbench/webproxy/container_files/system/setservername.sh b/Workbench/webproxy/container_files/system/setservername.sh
index 0138b69..594ea7d 100755
--- a/Workbench/webproxy/container_files/system/setservername.sh
+++ b/Workbench/webproxy/container_files/system/setservername.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-files="/etc/shibboleth/idp-metadata.xml /var/www/html/index.html /mdload/grouper-sp.xml /mdload/midpoint-sp.xml /mdload/mpproxy-sp.xml /mdload/comanage-sp.xml /mdload/proxy-sp.xml /mdload/wordpress-sp.xml"
+files="/etc/shibboleth/idp-metadata.xml /var/www/html/index.html /mdload/grouper-sp.xml /mdload/midpoint-sp.xml /mdload/mpproxy-sp.xml /mdload/comanage-sp.xml /mdload/proxy-sp.xml /mdload/wordpress-sp.xml /mdload/match-sp.xml"
 
 for file in $files
   do
diff --git a/Workbench/webproxy/container_files/system/startWithMDLoad.sh b/Workbench/webproxy/container_files/system/startWithMDLoad.sh
index 14080d2..3242f6c 100755
--- a/Workbench/webproxy/container_files/system/startWithMDLoad.sh
+++ b/Workbench/webproxy/container_files/system/startWithMDLoad.sh
@@ -9,7 +9,8 @@ pushd /mdload
                                          ./loadMD.sh midPointSP /mdload/midpoint-sp.xml 0 && \
                                          ./loadMD.sh ProxySP /mdload/proxy-sp.xml 0 && \
                                          ./loadMD.sh WordPressSP /mdload/wordpress-sp.xml 0 && \
-                                         ./loadMD.sh COmanageSP /mdload/comanage-sp.xml 0
+                                         ./loadMD.sh COmanageSP /mdload/comanage-sp.xml 0 && \
+                                         ./loadMD.sh COmanageMatchSP /mdload/match-sp.xml 0
 popd
 wait