diff --git a/Workbench/configs-and-secrets/grouper/httpd/shib.conf b/Workbench/configs-and-secrets/grouper/httpd/shib.conf
new file mode 100644
index 0000000..9c33671
--- /dev/null
+++ b/Workbench/configs-and-secrets/grouper/httpd/shib.conf
@@ -0,0 +1,54 @@
+# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
+
+# RPM installations on platforms with a conf.d directory will
+# result in this file being copied into that directory for you
+# and preserved across upgrades.
+
+# For non-RPM installs, you should copy the relevant contents of
+# this file to a configuration location you control.
+
+#
+# Load the Shibboleth module.
+#
+LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
+
+#
+# Turn this on to support "require valid-user" rules from other
+# mod_authn_* modules, and use "require shib-session" for anonymous
+# session-based authorization in mod_shib.
+#
+ShibCompatValidUser Off
+
+#
+# Ensures handler will be accessible.
+#
+<Location /grouperSSO/Shibboleth.sso>
+  AuthType None
+  Require all granted
+  SetHandler shib
+</Location>
+
+#
+# Used for example style sheet in error templates.
+#
+<IfModule mod_alias.c>
+  <Location /shibboleth-sp>
+    AuthType None
+    Require all granted
+  </Location>
+  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
+</IfModule>
+
+#
+# Configure the module for content.
+#
+# You MUST enable AuthType shibboleth for the module to process
+# any requests, and there MUST be a require command as well. To
+# enable Shibboleth but not specify any session/access requirements
+# use "require shibboleth".
+#
+<Location /secure>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  require shib-session
+</Location>
diff --git a/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml b/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml
index 0c38f82..7ea21f0 100644
--- a/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml
+++ b/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml
@@ -1,60 +1,53 @@
-<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
-    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
-    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
     clockSkew="180">
 
+    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
+  
     <!--
     By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
     are used. See example-shibboleth2.xml for samples of explicitly configuring them.
     -->
 
-    <!--
-    To customize behavior for specific resources on Apache, and to link vhosts or
-    resources to ApplicationOverride settings below, use web server options/commands.
-    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
-    
-    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
-    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-    -->
     <TCPListener address="127.0.0.1" port="1600"/> 
 
-
     <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
     <ApplicationDefaults entityID="https://grouperdemo/shibboleth"
-                         REMOTE_USER="uid">
+        REMOTE_USER="uid"
+        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
 
         <!--
         Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
-        You MUST supply an effectively unique handlerURL value for each of your applications.
-        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
-        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
-        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
-        Note that while we default checkAddress to "false", this has a negative impact on the
-        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+        Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
+        and should be a relative path, with the SP computing the full value based on the virtual
+        host. Using handlerSSL="true" will force the protocol to be https. You should also set
+        cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
+        "false", this makes an assertion stolen in transit easier for attackers to misuse.
         -->
-        <Sessions lifetime="28800" timeout="28800" relayState="ss:mem"
-                  checkAddress="false" handlerSSL="true" cookieProps="https">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" handlerURL="/grouperSSO/Shibboleth.sso"
+                  checkAddress="false" handlerSSL="true" cookieProps="https"
+                  redirectLimit="exact">
 
             <!--
-            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            Configures SSO for a default IdP. To properly allow for >1 IdP, remove
             entityID property and adjust discoveryURL to point to discovery service.
-            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
             You can also override entityID on /Login query string, or in RequestMap/htaccess.
             -->
-		<SSO entityID="https://idptestbed/idp/shibboleth">
-			SAML2
-		</SSO>
+            <SSO entityID="https://idptestbed/idp/shibboleth">
+              SAML2
+            </SSO>
 
             <!-- SAML and local-only logout. -->
             <Logout>SAML2 Local</Logout>
-            
+
+            <!-- Administrative logout. -->
+            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
+          
             <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
 
             <!-- Status reporting service. -->
-            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 172.16.0.0/12"/>
 
             <!-- Session diagnostic service. -->
             <Handler type="Session" Location="/Session" showAttributeValues="true"/>
@@ -65,19 +58,25 @@
 
         <!--
         Allows overriding of error template information/filenames. You can
-        also add attributes with values that can be plugged into the templates.
+        also add your own attributes with values that can be plugged into the
+        templates, e.g., helpLocation below.
         -->
         <Errors supportContact="root@localhost"
             helpLocation="/about.html"
             styleSheet="/shibboleth-sp/main.css"/>
-        
+
+        <!-- Example of locally maintained metadata. -->
+        <!--
+        <MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
+        -->
+
         <!-- Example of remotely supplied batch of signed metadata. -->
         <!--
         <MetadataProvider type="XML" validate="true"
-	      uri="http://example.org/federation-metadata.xml"
-              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+	            url="http://federation.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
             <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
-            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
             <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
               attributeName="http://macedir.org/entity-category"
               attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
@@ -85,46 +84,29 @@
         </MetadataProvider>
         -->
 
-        <MetadataProvider type="XML" validate="true" file="idp-metadata.xml"/>
-
+        <!-- Example of remotely supplied "on-demand" signed metadata. -->
         <!--
-        InCommon
-	  <MetadataProvider type="XML" validate="true"
-		uri="http://md.incommon.org/InCommon/InCommon-metadata.xml"
-              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+        <MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
+	            baseUrl="http://mdq.federation.org" ignoreTransport="true">
             <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
-		<MetdataFilter type="Signature" certificate="inc-md-cert.pem"/>
-            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
-              attributeName="http://macedir.org/entity-category"
-              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-              attributeValue="http://refeds.org/category/hide-from-discovery" />
+            <MetadataFilter type="Signature" certificate="mdqsigner.pem" />
         </MetadataProvider>
         -->
+        
+        <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
 
         <!-- Map to extract attributes from SAML assertions. -->
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
-        
-        <!-- Use a SAML query if no attributes are supplied during SSO. -->
-        <AttributeResolver type="Query" subjectMatch="true"/>
 
         <!-- Default filtering policy for recognized attributes, lets other data pass. -->
         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
 
-        <!-- Simple file-based resolver for using a single keypair. -->
-        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
-
-        <!--
-        The default settings can be overridden by creating ApplicationOverride elements (see
-        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
-        Resource requests are mapped by web server commands, or the RequestMapper, to an
-        applicationId setting.
+        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
+        <CredentialResolver type="File" use="signing"
+            key="sp-key.pem" certificate="sp-cert.pem"/>
+        <CredentialResolver type="File" use="encryption"
+            key="sp-key.pem" certificate="sp-cert.pem"/>
         
-        Example of a second application (for a second vhost) that has a different entityID.
-        Resources on the vhost would map to an applicationId of "admin":
-        -->
-        <!--
-        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-        -->
     </ApplicationDefaults>
     
     <!-- Policies that determine how to process and authenticate runtime messages. -->
diff --git a/Workbench/directory/Dockerfile b/Workbench/directory/Dockerfile
index 6e34ead..5d5fd92 100644
--- a/Workbench/directory/Dockerfile
+++ b/Workbench/directory/Dockerfile
@@ -4,11 +4,13 @@ LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 
 RUN yum install -y epel-release \
     && yum update -y \
-    && yum install -y 389-ds-base \
+    && yum install -y 389-ds-base phpMyAdmin phpldapadmin mod_ssl \
     && yum clean all \
     && rm -rf /var/cache/yum
 
 COPY container_files/seed-data/ /seed-data/
+COPY container_files/httpd/* /etc/httpd/conf.d/
+COPY container_files/etc/ /etc/
 
 RUN useradd ldapadmin \
     && rm -fr /var/lock /usr/lib/systemd/system \
@@ -23,6 +25,6 @@ RUN useradd ldapadmin \
     && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
     ldapadd -H ldap:/// -f /seed-data/data.ldif -x -D "cn=Directory Manager" -w password
 
-EXPOSE 389
+EXPOSE 389 443
 
-CMD rm -rf /var/lock/dirsrv/slapd-dir/server/* && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && sleep infinity
+CMD rm -rf /var/lock/dirsrv/slapd-dir/server/* && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && httpd -DFOREGROUND && sleep infinity
diff --git a/Workbench/directory/container_files/etc/phpMyAdmin/config.inc.php b/Workbench/directory/container_files/etc/phpMyAdmin/config.inc.php
new file mode 100644
index 0000000..fd8ac2d
--- /dev/null
+++ b/Workbench/directory/container_files/etc/phpMyAdmin/config.inc.php
@@ -0,0 +1,261 @@
+<?php
+/**
+ * phpMyAdmin configuration file, you can use it as base for the manual
+ * configuration. For easier setup you can use "setup/".
+ *
+ * All directives are explained in Documentation.html and on phpMyAdmin
+ * wiki <http://wiki.phpmyadmin.net>.
+ */
+
+/*
+ * This is needed for cookie based authentication to encrypt password in
+ * cookie
+ */
+$cfg['blowfish_secret'] = 'd7Y5iRSDpGaQkvSqxKWPwHfazswioRBO'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
+
+/**
+ * Server(s) configuration
+ */
+$i = 0;
+
+// The $cfg['Servers'] array starts with $cfg['Servers'][1].  Do not use
+// $cfg['Servers'][0]. You can disable a server config entry by setting host
+// to ''. If you want more than one server, just copy following section
+// (including $i incrementation) serveral times. There is no need to define
+// full server array, just define values you need to change.
+$i++;
+$cfg['Servers'][$i]['host']          = 'grouper_data'; // MySQL hostname or IP address
+$cfg['Servers'][$i]['port']          = '3306';          // MySQL port - leave blank for default port
+$cfg['Servers'][$i]['socket']        = '';          // Path to the socket - leave blank for default socket
+$cfg['Servers'][$i]['connect_type']  = 'tcp';       // How to connect to MySQL server ('tcp' or 'socket')
+$cfg['Servers'][$i]['extension']     = 'mysqli';    // The php MySQL extension to use ('mysql' or 'mysqli')
+$cfg['Servers'][$i]['compress']      = FALSE;       // Use compressed protocol for the MySQL connection
+                                                    // (requires PHP >= 4.3.0)
+$cfg['Servers'][$i]['controluser']   = '';          // MySQL control user settings
+                                                    // (this user must have read-only
+$cfg['Servers'][$i]['controlpass']   = '';          // access to the "mysql/user"
+                                                    // and "mysql/db" tables).
+                                                    // The controluser is also
+                                                    // used for all relational
+                                                    // features (pmadb)
+$cfg['Servers'][$i]['auth_type']     = 'config';    // Authentication method (config, http or cookie based)?
+$cfg['Servers'][$i]['user']          = 'root';          // MySQL user
+$cfg['Servers'][$i]['password']      = '';          // MySQL password (only needed
+                                                    // with 'config' auth_type)
+$cfg['Servers'][$i]['only_db']       = 'grouper';          // If set to a db-name, only
+                                                    // this db is displayed in left frame
+                                                    // It may also be an array of db-names, where sorting order is relevant.
+$cfg['Servers'][$i]['hide_db']       = '';          // Database name to be hidden from listings
+$cfg['Servers'][$i]['verbose']       = '';          // Verbose name for this host - leave blank to show the hostname
+
+$cfg['Servers'][$i]['pmadb']         = '';          // Database used for Relation, Bookmark and PDF Features
+                                                    // (see scripts/create_tables.sql)
+                                                    //   - leave blank for no support
+                                                    //     DEFAULT: 'phpmyadmin'
+$cfg['Servers'][$i]['bookmarktable'] = '';          // Bookmark table
+                                                    //   - leave blank for no bookmark support
+                                                    //     DEFAULT: 'pma_bookmark'
+$cfg['Servers'][$i]['relation']      = '';          // table to describe the relation between links (see doc)
+                                                    //   - leave blank for no relation-links support
+                                                    //     DEFAULT: 'pma_relation'
+$cfg['Servers'][$i]['table_info']    = '';          // table to describe the display fields
+                                                    //   - leave blank for no display fields support
+                                                    //     DEFAULT: 'pma_table_info'
+$cfg['Servers'][$i]['table_coords']  = '';          // table to describe the tables position for the PDF schema
+                                                    //   - leave blank for no PDF schema support
+                                                    //     DEFAULT: 'pma_table_coords'
+$cfg['Servers'][$i]['pdf_pages']     = '';          // table to describe pages of relationpdf
+                                                    //   - leave blank if you don't want to use this
+                                                    //     DEFAULT: 'pma_pdf_pages'
+$cfg['Servers'][$i]['column_info']   = '';          // table to store column information
+                                                    //   - leave blank for no column comments/mime types
+                                                    //     DEFAULT: 'pma_column_info'
+$cfg['Servers'][$i]['history']       = '';          // table to store SQL history
+                                                    //   - leave blank for no SQL query history
+                                                    //     DEFAULT: 'pma_history'
+$cfg['Servers'][$i]['verbose_check'] = TRUE;        // set to FALSE if you know that your pma_* tables
+                                                    // are up to date. This prevents compatibility
+                                                    // checks and thereby increases performance.
+$cfg['Servers'][$i]['AllowRoot']     = TRUE;        // whether to allow root login
+$cfg['Servers'][$i]['AllowDeny']['order']           // Host authentication order, leave blank to not use
+                                     = '';
+$cfg['Servers'][$i]['AllowDeny']['rules']           // Host authentication rules, leave blank for defaults
+                                     = array();
+$cfg['Servers'][$i]['AllowNoPassword']              // Allow logins without a password. Do not change the FALSE
+                                     = TRUE;       // default unless you're running a passwordless MySQL server
+$cfg['Servers'][$i]['designer_coords']              // Leave blank (default) for no Designer support, otherwise
+                                     = '';          // set to suggested 'pma_designer_coords' if really needed
+$cfg['Servers'][$i]['bs_garbage_threshold']         // Blobstreaming: Recommented default value from upstream
+                                     = 50;          //   DEFAULT: '50'
+$cfg['Servers'][$i]['bs_repository_threshold']      // Blobstreaming: Recommented default value from upstream
+                                     = '32M';       //   DEFAULT: '32M'
+$cfg['Servers'][$i]['bs_temp_blob_timeout']         // Blobstreaming: Recommented default value from upstream
+                                     = 600;         //   DEFAULT: '600'
+$cfg['Servers'][$i]['bs_temp_log_threshold']        // Blobstreaming: Recommented default value from upstream
+                                     = '32M';       //   DEFAULT: '32M'
+
+$i++;
+$cfg['Servers'][$i]['host']          = 'midpoint_data'; // MySQL hostname or IP address
+$cfg['Servers'][$i]['port']          = '3306';          // MySQL port - leave blank for default port
+$cfg['Servers'][$i]['socket']        = '';          // Path to the socket - leave blank for default socket
+$cfg['Servers'][$i]['connect_type']  = 'tcp';       // How to connect to MySQL server ('tcp' or 'socket')
+$cfg['Servers'][$i]['extension']     = 'mysqli';    // The php MySQL extension to use ('mysql' or 'mysqli')
+$cfg['Servers'][$i]['compress']      = FALSE;       // Use compressed protocol for the MySQL connection
+                                                    // (requires PHP >= 4.3.0)
+$cfg['Servers'][$i]['controluser']   = '';          // MySQL control user settings
+                                                    // (this user must have read-only
+$cfg['Servers'][$i]['controlpass']   = '';          // access to the "mysql/user"
+                                                    // and "mysql/db" tables).
+                                                    // The controluser is also
+                                                    // used for all relational
+                                                    // features (pmadb)
+$cfg['Servers'][$i]['auth_type']     = 'config';    // Authentication method (config, http or cookie based)?
+$cfg['Servers'][$i]['user']          = 'registry_user';          // MySQL user
+$cfg['Servers'][$i]['password']      = 'WJzesbe3poNZ91qIbmR7';          // MySQL password (only needed
+                                                    // with 'config' auth_type)
+$cfg['Servers'][$i]['only_db']       = 'registry';          // If set to a db-name, only
+                                                    // this db is displayed in left frame
+                                                    // It may also be an array of db-names, where sorting order is relevant.
+$cfg['Servers'][$i]['hide_db']       = '';          // Database name to be hidden from listings
+$cfg['Servers'][$i]['verbose']       = '';          // Verbose name for this host - leave blank to show the hostname
+
+$cfg['Servers'][$i]['pmadb']         = '';          // Database used for Relation, Bookmark and PDF Features
+                                                    // (see scripts/create_tables.sql)
+                                                    //   - leave blank for no support
+                                                    //     DEFAULT: 'phpmyadmin'
+$cfg['Servers'][$i]['bookmarktable'] = '';          // Bookmark table
+                                                    //   - leave blank for no bookmark support
+                                                    //     DEFAULT: 'pma_bookmark'
+$cfg['Servers'][$i]['relation']      = '';          // table to describe the relation between links (see doc)
+                                                    //   - leave blank for no relation-links support
+                                                    //     DEFAULT: 'pma_relation'
+$cfg['Servers'][$i]['table_info']    = '';          // table to describe the display fields
+                                                    //   - leave blank for no display fields support
+                                                    //     DEFAULT: 'pma_table_info'
+$cfg['Servers'][$i]['table_coords']  = '';          // table to describe the tables position for the PDF schema
+                                                    //   - leave blank for no PDF schema support
+                                                    //     DEFAULT: 'pma_table_coords'
+$cfg['Servers'][$i]['pdf_pages']     = '';          // table to describe pages of relationpdf
+                                                    //   - leave blank if you don't want to use this
+                                                    //     DEFAULT: 'pma_pdf_pages'
+$cfg['Servers'][$i]['column_info']   = '';          // table to store column information
+                                                    //   - leave blank for no column comments/mime types
+                                                    //     DEFAULT: 'pma_column_info'
+$cfg['Servers'][$i]['history']       = '';          // table to store SQL history
+                                                    //   - leave blank for no SQL query history
+                                                    //     DEFAULT: 'pma_history'
+$cfg['Servers'][$i]['verbose_check'] = TRUE;        // set to FALSE if you know that your pma_* tables
+                                                    // are up to date. This prevents compatibility
+                                                    // checks and thereby increases performance.
+$cfg['Servers'][$i]['AllowRoot']     = TRUE;        // whether to allow root login
+$cfg['Servers'][$i]['AllowDeny']['order']           // Host authentication order, leave blank to not use
+                                     = '';
+$cfg['Servers'][$i]['AllowDeny']['rules']           // Host authentication rules, leave blank for defaults
+                                     = array();
+$cfg['Servers'][$i]['AllowNoPassword']              // Allow logins without a password. Do not change the FALSE
+                                     = TRUE;       // default unless you're running a passwordless MySQL server
+$cfg['Servers'][$i]['designer_coords']              // Leave blank (default) for no Designer support, otherwise
+                                     = '';          // set to suggested 'pma_designer_coords' if really needed
+$cfg['Servers'][$i]['bs_garbage_threshold']         // Blobstreaming: Recommented default value from upstream
+                                     = 50;          //   DEFAULT: '50'
+$cfg['Servers'][$i]['bs_repository_threshold']      // Blobstreaming: Recommented default value from upstream
+                                     = '32M';       //   DEFAULT: '32M'
+$cfg['Servers'][$i]['bs_temp_blob_timeout']         // Blobstreaming: Recommented default value from upstream
+                                     = 600;         //   DEFAULT: '600'
+$cfg['Servers'][$i]['bs_temp_log_threshold']        // Blobstreaming: Recommented default value from upstream
+                                     = '32M';       //   DEFAULT: '32M'
+
+$i++;
+$cfg['Servers'][$i]['host']          = 'sources'; // MySQL hostname or IP address
+$cfg['Servers'][$i]['port']          = '3306';          // MySQL port - leave blank for default port
+$cfg['Servers'][$i]['socket']        = '';          // Path to the socket - leave blank for default socket
+$cfg['Servers'][$i]['connect_type']  = 'tcp';       // How to connect to MySQL server ('tcp' or 'socket')
+$cfg['Servers'][$i]['extension']     = 'mysqli';    // The php MySQL extension to use ('mysql' or 'mysqli')
+$cfg['Servers'][$i]['compress']      = FALSE;       // Use compressed protocol for the MySQL connection
+                                                    // (requires PHP >= 4.3.0)
+$cfg['Servers'][$i]['controluser']   = '';          // MySQL control user settings
+                                                    // (this user must have read-only
+$cfg['Servers'][$i]['controlpass']   = '';          // access to the "mysql/user"
+                                                    // and "mysql/db" tables).
+                                                    // The controluser is also
+                                                    // used for all relational
+                                                    // features (pmadb)
+$cfg['Servers'][$i]['auth_type']     = 'config';    // Authentication method (config, http or cookie based)?
+$cfg['Servers'][$i]['user']          = 'sis_user';          // MySQL user
+$cfg['Servers'][$i]['password']      = '49321420423';          // MySQL password (only needed
+                                                    // with 'config' auth_type)
+$cfg['Servers'][$i]['only_db']       = '';          // If set to a db-name, only
+                                                    // this db is displayed in left frame
+                                                    // It may also be an array of db-names, where sorting order is relevant.
+$cfg['Servers'][$i]['hide_db']       = '';          // Database name to be hidden from listings
+$cfg['Servers'][$i]['verbose']       = '';          // Verbose name for this host - leave blank to show the hostname
+
+$cfg['Servers'][$i]['pmadb']         = '';          // Database used for Relation, Bookmark and PDF Features
+                                                    // (see scripts/create_tables.sql)
+                                                    //   - leave blank for no support
+                                                    //     DEFAULT: 'phpmyadmin'
+$cfg['Servers'][$i]['bookmarktable'] = '';          // Bookmark table
+                                                    //   - leave blank for no bookmark support
+                                                    //     DEFAULT: 'pma_bookmark'
+$cfg['Servers'][$i]['relation']      = '';          // table to describe the relation between links (see doc)
+                                                    //   - leave blank for no relation-links support
+                                                    //     DEFAULT: 'pma_relation'
+$cfg['Servers'][$i]['table_info']    = '';          // table to describe the display fields
+                                                    //   - leave blank for no display fields support
+                                                    //     DEFAULT: 'pma_table_info'
+$cfg['Servers'][$i]['table_coords']  = '';          // table to describe the tables position for the PDF schema
+                                                    //   - leave blank for no PDF schema support
+                                                    //     DEFAULT: 'pma_table_coords'
+$cfg['Servers'][$i]['pdf_pages']     = '';          // table to describe pages of relationpdf
+                                                    //   - leave blank if you don't want to use this
+                                                    //     DEFAULT: 'pma_pdf_pages'
+$cfg['Servers'][$i]['column_info']   = '';          // table to store column information
+                                                    //   - leave blank for no column comments/mime types
+                                                    //     DEFAULT: 'pma_column_info'
+$cfg['Servers'][$i]['history']       = '';          // table to store SQL history
+                                                    //   - leave blank for no SQL query history
+                                                    //     DEFAULT: 'pma_history'
+$cfg['Servers'][$i]['verbose_check'] = TRUE;        // set to FALSE if you know that your pma_* tables
+                                                    // are up to date. This prevents compatibility
+                                                    // checks and thereby increases performance.
+$cfg['Servers'][$i]['AllowRoot']     = TRUE;        // whether to allow root login
+$cfg['Servers'][$i]['AllowDeny']['order']           // Host authentication order, leave blank to not use
+                                     = '';
+$cfg['Servers'][$i]['AllowDeny']['rules']           // Host authentication rules, leave blank for defaults
+                                     = array();
+$cfg['Servers'][$i]['AllowNoPassword']              // Allow logins without a password. Do not change the FALSE
+                                     = TRUE;       // default unless you're running a passwordless MySQL server
+$cfg['Servers'][$i]['designer_coords']              // Leave blank (default) for no Designer support, otherwise
+                                     = '';          // set to suggested 'pma_designer_coords' if really needed
+$cfg['Servers'][$i]['bs_garbage_threshold']         // Blobstreaming: Recommented default value from upstream
+                                     = 50;          //   DEFAULT: '50'
+$cfg['Servers'][$i]['bs_repository_threshold']      // Blobstreaming: Recommented default value from upstream
+                                     = '32M';       //   DEFAULT: '32M'
+$cfg['Servers'][$i]['bs_temp_blob_timeout']         // Blobstreaming: Recommented default value from upstream
+                                     = 600;         //   DEFAULT: '600'
+$cfg['Servers'][$i]['bs_temp_log_threshold']        // Blobstreaming: Recommented default value from upstream
+                                     = '32M';       //   DEFAULT: '32M'
+
+/*
+ * End of servers configuration
+ */
+
+/*
+ * Directories for saving/loading files from server
+ */
+$cfg['UploadDir'] = '/var/lib/phpMyAdmin/upload';
+$cfg['SaveDir']   = '/var/lib/phpMyAdmin/save';
+
+/*
+ * Disable the default warning that is displayed on the DB Details Structure
+ * page if any of the required Tables for the relation features is not found
+ */
+$cfg['PmaNoRelation_DisableWarning'] = TRUE;
+
+/*
+ * phpMyAdmin 4.4.x is no longer maintained by upstream, but security fixes
+ * are still backported by downstream.
+ */
+$cfg['VersionCheck'] = FALSE;
+?>
+
diff --git a/Workbench/directory/container_files/etc/phpldapadmin/config.php b/Workbench/directory/container_files/etc/phpldapadmin/config.php
new file mode 100644
index 0000000..eafe857
--- /dev/null
+++ b/Workbench/directory/container_files/etc/phpldapadmin/config.php
@@ -0,0 +1,584 @@
+<?php
+/** NOTE **
+ ** Make sure that <?php is the FIRST line of this file!
+ ** IE: There should NOT be any blank lines or spaces BEFORE <?php
+ **/
+
+/**
+ * The phpLDAPadmin config file
+ * See: http://phpldapadmin.sourceforge.net/wiki/index.php/Config.php
+ *
+ * This is where you can customise some of the phpLDAPadmin defaults
+ * that are defined in config_default.php.
+ *
+ * To override a default, use the $config->custom variable to do so.
+ * For example, the default for defining the language in config_default.php
+ *
+ * $this->default->appearance['language'] = array(
+ *  'desc'=>'Language',
+ *  'default'=>'auto');
+ *
+ * to override this, use $config->custom->appearance['language'] = 'en_EN';
+ *
+ * This file is also used to configure your LDAP server connections.
+ *
+ * You must specify at least one LDAP server there. You may add
+ * as many as you like. You can also specify your language, and
+ * many other options.
+ *
+ * NOTE: Commented out values in this file prefixed by //, represent the
+ * defaults that have been defined in config_default.php.
+ * Commented out values prefixed by #, dont reflect their default value, you can
+ * check config_default.php if you want to see what the default is.
+ *
+ * DONT change config_default.php, you changes will be lost by the next release
+ * of PLA. Instead change this file - as it will NOT be replaced by a new
+ * version of phpLDAPadmin.
+ */
+
+/*********************************************
+ * Useful important configuration overrides  *
+ *********************************************/
+
+/* If you are asked to put PLA in debug mode, this is how you do it: */
+#  $config->custom->debug['level'] = 255;
+#  $config->custom->debug['syslog'] = true;
+#  $config->custom->debug['file'] = '/tmp/pla_debug.log';
+
+/* phpLDAPadmin can encrypt the content of sensitive cookies if you set this
+   to a big random string. */
+$config->custom->session['blowfish'] = 'beee41ae7ca5107fc9a61946c4734264';  # Autogenerated for 66388f647a9e
+
+/* If your auth_type is http, you can override your HTTP Authentication Realm. */
+// $config->custom->session['http_realm'] = sprintf('%s %s',app_name(),'login');
+
+/* The language setting. If you set this to 'auto', phpLDAPadmin will attempt
+   to determine your language automatically.
+   If PLA doesnt show (all) strings in your language, then you can do some
+   translation at http://translations.launchpad.net/phpldapadmin and download
+   the translation files, replacing those provided with PLA.
+   (We'll pick up the translations before making the next release too!) */
+// $config->custom->appearance['language'] = 'auto';
+
+/* The temporary storage directory where we will put jpegPhoto data
+   This directory must be readable and writable by your web server. */
+// $config->custom->jpeg['tmpdir'] = '/tmp';     // Example for Unix systems
+#  $config->custom->jpeg['tmpdir'] = 'c:\\temp'; // Example for Windows systems
+
+/* Set this to (bool)true if you do NOT want a random salt used when
+   calling crypt().  Instead, use the first two letters of the user's
+   password.  This is insecure but unfortunately needed for some older
+   environments. */
+#  $config->custom->password['no_random_crypt_salt'] = true;
+
+/* PHP script timeout control. If php runs longer than this many seconds then
+   PHP will stop with an Maximum Execution time error. Increase this value from
+   the default if queries to your LDAP server are slow. The default is either
+   30 seconds or the setting of max_exection_time if this is null. */
+// $config->custom->session['timelimit'] = 30;
+
+// $config->custom->appearance['show_clear_password'] = false;
+
+// $config->custom->search['size_limit'] = 50;
+#  $config->custom->search['size_limit'] = 1000;
+
+/* Our local timezone
+   This is to make sure that when we ask the system for the current time, we
+   get the right local time. If this is not set, all time() calculations will
+   assume UTC if you have not set PHP date.timezone. */
+// $config->custom->appearance['timezone'] = null;
+#  $config->custom->appearance['timezone'] = 'Australia/Melbourne';
+
+/*********************************************
+ * Commands                                  *
+ *********************************************/
+
+/* Command availability ; if you don't authorize a command the command
+   links will not be shown and the command action will not be permitted.
+   For better security, set also ACL in your ldap directory. */
+/*
+$config->custom->commands['cmd'] = array(
+	'entry_internal_attributes_show' => true,
+	'entry_refresh' => true,
+	'oslinks' => true,
+	'switch_template' => true
+);
+
+$config->custom->commands['script'] = array(
+	'add_attr_form' => true,
+	'add_oclass_form' => true,
+	'add_value_form' => true,
+	'collapse' => true,
+	'compare' => true,
+	'compare_form' => true,
+	'copy' => true,
+	'copy_form' => true,
+	'create' => true,
+	'create_confirm' => true,
+	'delete' => true,
+	'delete_attr' => true,
+	'delete_form' => true,
+	'draw_tree_node' => true,
+	'expand' => true,
+	'export' => true,
+	'export_form' => true,
+	'import' => true,
+	'import_form' => true,
+	'login' => true,
+	'logout' => true,
+	'login_form' => true,
+	'mass_delete' => true,
+	'mass_edit' => true,
+	'mass_update' => true,
+	'modify_member_form' => true,
+	'monitor' => true,
+	'purge_cache' => true,
+	'query_engine' => true,
+	'rename' => true,
+	'rename_form' => true,
+	'rdelete' => true,
+	'refresh' => true,
+	'schema' => true,
+	'server_info' => true,
+	'show_cache' => true,
+	'template_engine' => true,
+	'update_confirm' => true,
+	'update' => true
+);
+*/
+
+/*********************************************
+ * Appearance                                *
+ *********************************************/
+
+/* If you want to choose the appearance of the tree, specify a class name which
+   inherits from the Tree class. */
+// $config->custom->appearance['tree'] = 'AJAXTree';
+#  $config->custom->appearance['tree'] = 'HTMLTree';
+
+/* Just show your custom templates. */
+// $config->custom->appearance['custom_templates_only'] = false;
+
+/* Disable the default template. */
+// $config->custom->appearance['disable_default_template'] = false;
+
+/* Hide the warnings for invalid objectClasses/attributes in templates. */
+// $config->custom->appearance['hide_template_warning'] = false;
+
+/* Set to true if you would like to hide header and footer parts. */
+// $config->custom->appearance['minimalMode'] = false;
+
+/* Configure what objects are shown in left hand tree */
+// $config->custom->appearance['tree_filter'] = '(objectclass=*)';
+
+/* The height and width of the tree. If these values are not set, then
+   no tree scroll bars are provided. */
+// $config->custom->appearance['tree_height'] = null;
+#  $config->custom->appearance['tree_height'] = 600;
+// $config->custom->appearance['tree_width'] = null;
+#  $config->custom->appearance['tree_width'] = 250;
+
+/* Confirm create and update operations, allowing you to review the changes
+   and optionally skip attributes during the create/update operation. */
+// $config->custom->confirm['create'] = true;
+// $config->custom->confirm['update'] = true;
+
+/* Confirm copy operations, and treat them like create operations. This allows
+   you to edit the attributes (thus changing any that might conflict with
+   uniqueness) before creating the new entry. */
+// $config->custom->confirm['copy'] = true;
+
+/*********************************************
+ * User-friendly attribute translation       *
+ *********************************************/
+
+/* Use this array to map attribute names to user friendly names. For example, if
+   you don't want to see "facsimileTelephoneNumber" but rather "Fax". */
+// $config->custom->appearance['friendly_attrs'] = array();
+$config->custom->appearance['friendly_attrs'] = array(
+	'facsimileTelephoneNumber' => 'Fax',
+	'gid'                      => 'Group',
+	'mail'                     => 'Email',
+	'telephoneNumber'          => 'Telephone',
+	'uid'                      => 'User Name',
+	'userPassword'             => 'Password'
+);
+
+/*********************************************
+ * Hidden attributes                         *
+ *********************************************/
+
+/* You may want to hide certain attributes from being edited. If you want to
+   hide attributes from the user, you should use your LDAP servers ACLs.
+   NOTE: The user must be able to read the hide_attrs_exempt entry to be
+   excluded. */
+// $config->custom->appearance['hide_attrs'] = array();
+#  $config->custom->appearance['hide_attrs'] = array('objectClass');
+
+/* Members of this list will be exempt from the hidden attributes. */
+// $config->custom->appearance['hide_attrs_exempt'] = null;
+#  $config->custom->appearance['hide_attrs_exempt'] = 'cn=PLA UnHide,ou=Groups,c=AU';
+
+/*********************************************
+ * Read-only attributes                      *
+ *********************************************/
+
+/* You may want to phpLDAPadmin to display certain attributes as read only,
+   meaning that users will not be presented a form for modifying those
+   attributes, and they will not be allowed to be modified on the "back-end"
+   either. You may configure this list here:
+   NOTE: The user must be able to read the readonly_attrs_exempt entry to be
+   excluded. */
+// $config->custom->appearance['readonly_attrs'] = array();
+
+/* Members of this list will be exempt from the readonly attributes. */
+// $config->custom->appearance['readonly_attrs_exempt'] = null;
+#  $config->custom->appearance['readonly_attrs_exempt'] = 'cn=PLA ReadWrite,ou=Groups,c=AU';
+
+/*********************************************
+ * Group attributes                          *
+ *********************************************/
+
+/* Add "modify group members" link to the attribute. */
+// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid');
+
+/* Configure filter for member search. This only applies to "modify group members" feature */
+// $config->custom->modify_member['filter'] = '(objectclass=Person)';
+
+/* Attribute that is added to the group member attribute. */
+// $config->custom->modify_member['attr'] = 'dn';
+
+/* For Posix attributes */
+// $config->custom->modify_member['posixattr'] = 'uid';
+// $config->custom->modify_member['posixfilter'] = '(uid=*)';
+// $config->custom->modify_member['posixgroupattr'] = 'memberUid';
+
+/*********************************************
+ * Support for attrs display order           *
+ *********************************************/
+
+/* Use this array if you want to have your attributes displayed in a specific
+   order. You can use default attribute names or their fridenly names.
+   For example, "sn" will be displayed right after "givenName". All the other
+   attributes that are not specified in this array will be displayed after in
+   alphabetical order. */
+// $config->custom->appearance['attr_display_order'] = array();
+#  $config->custom->appearance['attr_display_order'] = array(
+#   'givenName',
+#   'sn',
+#   'cn',
+#   'displayName',
+#   'uid',
+#   'uidNumber',
+#   'gidNumber',
+#   'homeDirectory',
+#   'mail',
+#   'userPassword'
+#  );
+
+/*********************************************
+ * Define your LDAP servers in this section  *
+ *********************************************/
+
+$servers = new Datastore();
+
+/* $servers->NewServer('ldap_pla') must be called before each new LDAP server
+   declaration. */
+$servers->newServer('ldap_pla');
+
+/* A convenient name that will appear in the tree viewer and throughout
+   phpLDAPadmin to identify this LDAP server to users. */
+$servers->setValue('server','name','Example LDAP Server');
+
+/* Examples:
+   'ldap.example.com',
+   'ldaps://ldap.example.com/',
+   'ldapi://%2fusr%local%2fvar%2frun%2fldapi'
+           (Unix socket at /usr/local/var/run/ldap) */
+$servers->setValue('server','host','127.0.0.1');
+
+/* The port your LDAP server listens on (no quotes). 389 is standard. */
+$servers->setValue('server','port',389);
+
+/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
+   auto-detect it for you. */
+$servers->setValue('server','base',array('dc=internet2,dc=edu'));
+
+/* Five options for auth_type:
+   1. 'cookie': you will login via a web form, and a client-side cookie will
+      store your login dn and password.
+   2. 'session': same as cookie but your login dn and password are stored on the
+      web server in a persistent session variable.
+   3. 'http': same as session but your login dn and password are retrieved via
+      HTTP authentication.
+   4. 'config': specify your login dn and password here in this config file. No
+      login will be required to use phpLDAPadmin for this server.
+   5. 'sasl': login will be taken from the webserver's kerberos authentication.
+      Currently only GSSAPI has been tested (using mod_auth_kerb).
+
+   Choose wisely to protect your authentication information appropriately for
+   your situation. If you choose 'cookie', your cookie contents will be
+   encrypted using blowfish and the secret your specify above as
+   session['blowfish']. */
+$servers->setValue('login','auth_type','cookie');
+
+/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
+   'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
+   BLANK. If you specify a login_attr in conjunction with a cookie or session
+   auth_type, then you can also specify the bind_id/bind_pass here for searching
+   the directory for users (ie, if your LDAP server does not allow anonymous
+   binds. */
+// $servers->setValue('login','bind_id','');
+$servers->setValue('login','bind_id','cn=admin,dc=internet2,dc=edu');
+
+/* Your LDAP password. If you specified an empty bind_id above, this MUST also
+   be blank. */
+// $servers->setValue('login','bind_pass','');
+$servers->setValue('login','bind_pass','password');
+
+/* Use TLS (Transport Layer Security) to connect to the LDAP server. */
+// $servers->setValue('server','tls',false);
+
+/************************************
+ *      SASL Authentication         *
+ ************************************/
+
+/* Enable SASL authentication LDAP SASL authentication requires PHP 5.x
+   configured with --with-ldap-sasl=DIR. If this option is disabled (ie, set to
+   false), then all other sasl options are ignored. */
+// $servers->setValue('login','auth_type','sasl');
+
+/* SASL auth mechanism */
+// $servers->setValue('sasl','mech','GSSAPI');
+
+/* SASL authentication realm name */
+// $servers->setValue('sasl','realm','');
+#  $servers->setValue('sasl','realm','EXAMPLE.COM');
+
+/* SASL authorization ID name
+   If this option is undefined, authorization id will be computed from bind DN,
+   using authz_id_regex and authz_id_replacement. */
+// $servers->setValue('sasl','authz_id', null);
+
+/* SASL authorization id regex and replacement
+   When authz_id property is not set (default), phpLDAPAdmin will try to
+   figure out authorization id by itself from bind distinguished name (DN).
+
+   This procedure is done by calling preg_replace() php function in the
+   following way:
+
+   $authz_id = preg_replace($sasl_authz_id_regex,$sasl_authz_id_replacement,
+    $bind_dn);
+
+   For info about pcre regexes, see:
+   - pcre(3), perlre(3)
+   - http://www.php.net/preg_replace */
+// $servers->setValue('sasl','authz_id_regex',null);
+// $servers->setValue('sasl','authz_id_replacement',null);
+#  $servers->setValue('sasl','authz_id_regex','/^uid=([^,]+)(.+)/i');
+#  $servers->setValue('sasl','authz_id_replacement','$1');
+
+/* SASL auth security props.
+   See http://beepcore-tcl.sourceforge.net/tclsasl.html#anchor5 for explanation. */
+// $servers->setValue('sasl','props',null);
+
+/* Default password hashing algorithm. One of md5, ssha, sha, md5crpyt, smd5,
+   blowfish, crypt or leave blank for now default algorithm. */
+// $servers->setValue('appearance','password_hash','md5');
+$servers->setValue('appearance','password_hash','');
+
+/* If you specified 'cookie' or 'session' as the auth_type above, you can
+   optionally specify here an attribute to use when logging in. If you enter
+   'uid' and login as 'dsmith', phpLDAPadmin will search for (uid=dsmith)
+   and log in as that user.
+   Leave blank or specify 'dn' to use full DN for logging in. Note also that if
+   your LDAP server requires you to login to perform searches, you can enter the
+   DN to use when searching in 'bind_id' and 'bind_pass' above. */
+// $servers->setValue('login','attr','dn');
+$servers->setValue('login','attr','dn');
+
+/* Base DNs to used for logins. If this value is not set, then the LDAP server
+   Base DNs are used. */
+// $servers->setValue('login','base',array());
+
+/* If 'login,attr' is used above such that phpLDAPadmin will search for your DN
+   at login, you may restrict the search to a specific objectClasses. EG, set this
+   to array('posixAccount') or array('inetOrgPerson',..), depending upon your
+   setup. */
+// $servers->setValue('login','class',array());
+
+/* If you specified something different from 'dn', for example 'uid', as the
+   login_attr above, you can optionally specify here to fall back to
+   authentication with dn.
+   This is useful, when users should be able to log in with their uid, but
+   the ldap administrator wants to log in with his root-dn, that does not
+   necessarily have the uid attribute.
+   When using this feature, login_class is ignored. */
+// $servers->setValue('login','fallback_dn',false);
+
+/* Specify true If you want phpLDAPadmin to not display or permit any
+   modification to the LDAP server. */
+// $servers->setValue('server','read_only',false);
+
+/* Specify false if you do not want phpLDAPadmin to draw the 'Create new' links
+   in the tree viewer. */
+// $servers->setValue('appearance','show_create',true);
+
+/* Set to true if you would like to initially open the first level of each tree. */
+// $servers->setValue('appearance','open_tree',false);
+
+/* This feature allows phpLDAPadmin to automatically determine the next
+   available uidNumber for a new entry. */
+// $servers->setValue('auto_number','enable',true);
+
+/* The mechanism to use when finding the next available uidNumber. Two possible
+   values: 'uidpool' or 'search'.
+   The 'uidpool' mechanism uses an existing uidPool entry in your LDAP server to
+   blindly lookup the next available uidNumber. The 'search' mechanism searches
+   for entries with a uidNumber value and finds the first available uidNumber
+   (slower). */
+// $servers->setValue('auto_number','mechanism','search');
+
+/* The DN of the search base when the 'search' mechanism is used above. */
+#  $servers->setValue('auto_number','search_base','ou=People,dc=example,dc=com');
+
+/* The minimum number to use when searching for the next available number
+   (only when 'search' is used for auto_number. */
+// $servers->setValue('auto_number','min',array('uidNumber'=>1000,'gidNumber'=>500));
+
+/* If you set this, then phpldapadmin will bind to LDAP with this user ID when
+   searching for the uidnumber. The idea is, this user id would have full
+   (readonly) access to uidnumber in your ldap directory (the logged in user
+   may not), so that you can be guaranteed to get a unique uidnumber for your
+   directory. */
+// $servers->setValue('auto_number','dn',null);
+
+/* The password for the dn above. */
+// $servers->setValue('auto_number','pass',null);
+
+/* Enable anonymous bind login. */
+// $servers->setValue('login','anon_bind',true);
+
+/* Use customized page with prefix when available. */
+#  $servers->setValue('custom','pages_prefix','custom_');
+
+/* If you set this, then only these DNs are allowed to log in. This array can
+   contain individual users, groups or ldap search filter(s). Keep in mind that
+   the user has not authenticated yet, so this will be an anonymous search to
+   the LDAP server, so make your ACLs allow these searches to return results! */
+#  $servers->setValue('login','allowed_dns',array(
+#   'uid=stran,ou=People,dc=example,dc=com',
+#   '(&(gidNumber=811)(objectClass=groupOfNames))',
+#   '(|(uidNumber=200)(uidNumber=201))',
+#   'cn=callcenter,ou=Group,dc=example,dc=com'));
+
+/* Set this if you dont want this LDAP server to show in the tree */
+// $servers->setValue('server','visible',true);
+
+/* Set this if you want to hide the base DNs that dont exist instead of
+   displaying the message "The base entry doesnt exist, create it?"
+// $servers->setValue('server','hide_noaccess_base',false);
+#  $servers->setValue('server','hide_noaccess_base',true);
+
+/* This is the time out value in minutes for the server. After as many minutes
+   of inactivity you will be automatically logged out. If not set, the default
+   value will be ( session_cache_expire()-1 ) */
+#  $servers->setValue('login','timeout',30);
+
+/* Set this if you want phpldapadmin to perform rename operation on entry which
+   has children. Certain servers are known to allow it, certain are not. */
+// $servers->setValue('server','branch_rename',false);
+
+/* If you set this, then phpldapadmin will show these attributes as
+   internal attributes, even if they are not defined in your schema. */
+// $servers->setValue('server','custom_sys_attrs',array(''));
+#  $servers->setValue('server','custom_sys_attrs',array('passwordExpirationTime','passwordAllowChangeTime'));
+
+/* If you set this, then phpldapadmin will show these attributes on
+   objects, even if they are not defined in your schema. */
+// $servers->setValue('server','custom_attrs',array(''));
+#  $servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock'));
+
+/* These attributes will be forced to MAY attributes and become option in the
+   templates. If they are not defined in the templates, then they wont appear
+   as per normal template processing. You may want to do this because your LDAP
+   server may automatically calculate a default value.
+   In Fedora Directory Server using the DNA Plugin one could ignore uidNumber,
+   gidNumber and sambaSID. */
+// $servers->setValue('server','force_may',array(''));
+#  $servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID'));
+
+/*********************************************
+ * Unique attributes                         *
+ *********************************************/
+
+/* You may want phpLDAPadmin to enforce some attributes to have unique values
+   (ie: not belong to other entries in your tree. This (together with
+   'unique','dn' and 'unique','pass' option will not let updates to
+   occur with other attributes have the same value. */
+#  $servers->setValue('unique','attrs',array('mail','uid','uidNumber'));
+
+/* If you set this, then phpldapadmin will bind to LDAP with this user ID when
+   searching for attribute uniqueness. The idea is, this user id would have full
+   (readonly) access to your ldap directory (the logged in user may not), so
+   that you can be guaranteed to get a unique uidnumber for your directory. */
+// $servers->setValue('unique','dn',null);
+
+/* The password for the dn above. */
+// $servers->setValue('unique','pass',null);
+
+/**************************************************************************
+ * If you want to configure additional LDAP servers, do so below.         *
+ * Remove the commented lines and use this section as a template for all  *
+ * your other LDAP servers.                                               *
+ **************************************************************************/
+
+/*
+$servers->newServer('ldap_pla');
+$servers->setValue('server','name','LDAP Server');
+$servers->setValue('server','host','127.0.0.1');
+$servers->setValue('server','port',389);
+$servers->setValue('server','base',array(''));
+$servers->setValue('login','auth_type','cookie');
+$servers->setValue('login','bind_id','');
+$servers->setValue('login','bind_pass','');
+$servers->setValue('server','tls',false);
+
+# SASL auth
+$servers->setValue('login','auth_type','sasl');
+$servers->setValue('sasl','mech','GSSAPI');
+$servers->setValue('sasl','realm','EXAMPLE.COM');
+$servers->setValue('sasl','authz_id',null);
+$servers->setValue('sasl','authz_id_regex','/^uid=([^,]+)(.+)/i');
+$servers->setValue('sasl','authz_id_replacement','$1');
+$servers->setValue('sasl','props',null);
+
+$servers->setValue('appearance','password_hash','md5');
+$servers->setValue('login','attr','dn');
+$servers->setValue('login','fallback_dn',false);
+$servers->setValue('login','class',null);
+$servers->setValue('server','read_only',false);
+$servers->setValue('appearance','show_create',true);
+
+$servers->setValue('auto_number','enable',true);
+$servers->setValue('auto_number','mechanism','search');
+$servers->setValue('auto_number','search_base',null);
+$servers->setValue('auto_number','min',array('uidNumber'=>1000,'gidNumber'=>500));
+$servers->setValue('auto_number','dn',null);
+$servers->setValue('auto_number','pass',null);
+
+$servers->setValue('login','anon_bind',true);
+$servers->setValue('custom','pages_prefix','custom_');
+$servers->setValue('unique','attrs',array('mail','uid','uidNumber'));
+$servers->setValue('unique','dn',null);
+$servers->setValue('unique','pass',null);
+
+$servers->setValue('server','visible',true);
+$servers->setValue('login','timeout',30);
+$servers->setValue('server','branch_rename',false);
+$servers->setValue('server','custom_sys_attrs',array('passwordExpirationTime','passwordAllowChangeTime'));
+$servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock'));
+$servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID'));
+*/
+?>
+
diff --git a/Workbench/directory/container_files/httpd/phpMyAdmin.conf b/Workbench/directory/container_files/httpd/phpMyAdmin.conf
new file mode 100644
index 0000000..98e9d17
--- /dev/null
+++ b/Workbench/directory/container_files/httpd/phpMyAdmin.conf
@@ -0,0 +1,77 @@
+# phpMyAdmin - Web based MySQL browser written in php
+#
+# Allows only localhost by default
+#
+# But allowing phpMyAdmin to anyone other than localhost should be considered
+# dangerous unless properly secured by SSL
+
+Alias /phpMyAdmin /usr/share/phpMyAdmin
+Alias /phpmyadmin /usr/share/phpMyAdmin
+
+<Directory /usr/share/phpMyAdmin/>
+   AddDefaultCharset UTF-8
+
+   <IfModule mod_authz_core.c>
+     # Apache 2.4
+     <RequireAny>
+       Require all granted
+       Require ip 127.0.0.1
+       Require ip ::1
+     </RequireAny>
+   </IfModule>
+   <IfModule !mod_authz_core.c>
+     # Apache 2.2
+     Order Deny,Allow
+     Deny from All
+     Allow from 127.0.0.1
+     Allow from ::1
+   </IfModule>
+</Directory>
+
+<Directory /usr/share/phpMyAdmin/setup/>
+   <IfModule mod_authz_core.c>
+     # Apache 2.4
+     <RequireAny>
+     Require all granted
+       Require ip 127.0.0.1
+       Require ip ::1
+     </RequireAny>
+   </IfModule>
+   <IfModule !mod_authz_core.c>
+     # Apache 2.2
+     Order Deny,Allow
+     Deny from All
+     Allow from 127.0.0.1
+     Allow from ::1
+   </IfModule>
+</Directory>
+
+# These directories do not require access over HTTP - taken from the original
+# phpMyAdmin upstream tarball
+#
+<Directory /usr/share/phpMyAdmin/libraries/>
+    Order Deny,Allow
+    Deny from All
+    Allow from None
+</Directory>
+
+<Directory /usr/share/phpMyAdmin/setup/lib/>
+    Order Deny,Allow
+    Deny from All
+    Allow from None
+</Directory>
+
+<Directory /usr/share/phpMyAdmin/setup/frames/>
+    Order Deny,Allow
+    Deny from All
+    Allow from None
+</Directory>
+
+# This configuration prevents mod_security at phpMyAdmin directories from
+# filtering SQL etc.  This may break your mod_security implementation.
+#
+#<IfModule mod_security.c>
+#    <Directory /usr/share/phpMyAdmin/>
+#        SecRuleInheritance Off
+#    </Directory>
+#</IfModule>
diff --git a/Workbench/directory/container_files/httpd/phpldapadmin.conf b/Workbench/directory/container_files/httpd/phpldapadmin.conf
new file mode 100644
index 0000000..a4264ec
--- /dev/null
+++ b/Workbench/directory/container_files/httpd/phpldapadmin.conf
@@ -0,0 +1,21 @@
+#
+#  Web-based tool for managing LDAP servers
+#
+
+Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
+Alias /ldapadmin /usr/share/phpldapadmin/htdocs
+
+<Directory /usr/share/phpldapadmin/htdocs>
+  <IfModule mod_authz_core.c>
+    # Apache 2.4
+    Require all granted
+  </IfModule>
+  <IfModule !mod_authz_core.c>
+    # Apache 2.2
+    Order Deny,Allow
+    Deny from all
+    Allow from 127.0.0.1
+    Allow from ::1
+  </IfModule>
+</Directory>
+
diff --git a/Workbench/docker-compose.yml b/Workbench/docker-compose.yml
index 83071fc..b7e03df 100644
--- a/Workbench/docker-compose.yml
+++ b/Workbench/docker-compose.yml
@@ -56,7 +56,7 @@ services:
         aliases:
          - grouper-ui
     ports:
-     - 4443:443
+     - 8443:443
     secrets:
      - g_database_password.txt
      - source: grouper.hibernate.properties
@@ -85,6 +85,9 @@ services:
      - type: bind
        source: ./configs-and-secrets/grouper/shibboleth/idp-metadata.xml
        target: /etc/shibboleth/idp-metadata.xml
+     - type: bind
+       source: ./configs-and-secrets/grouper/httpd/shib.conf
+       target: /etc/httpd/conf.d/shib.conf
      - type: bind
        source: ./configs-and-secrets/grouper/httpd/host-cert.pem
        target: /etc/pki/tls/certs/host-cert.pem
@@ -191,7 +194,7 @@ services:
     depends_on:
      - midpoint_data
     ports:
-     - 8443:443
+     - 10443:443
     environment:
      - ENV
      - USERTOKEN
@@ -242,7 +245,7 @@ services:
     networks:
      - net
     ports:
-     - 443:443
+     - 13443:443
 
   mq:
     build: ./mq/
@@ -256,6 +259,13 @@ services:
     volumes:
      - mq:/var/lib/rabbitmq
 
+  webproxy:
+    build: ./webproxy/
+    networks:
+     - net
+    ports:
+     - 443:443
+
 networks:
   net:    
     driver: bridge
@@ -296,3 +306,4 @@ volumes:
   midpoint_mysql:
   midpoint_home:
   mq:
+
diff --git a/Workbench/grouper_ui/Dockerfile b/Workbench/grouper_ui/Dockerfile
index 60c8015..89fa4b8 100644
--- a/Workbench/grouper_ui/Dockerfile
+++ b/Workbench/grouper_ui/Dockerfile
@@ -1,7 +1,9 @@
-FROM tier/grouper:2.4.0-a47-u25-w5-p6-20190611
+FROM tier/grouper:2.4.0-a96-u57-w11-p12-20200324-rc1
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 
 #COPY in custom css, images, etc
 
+RUN yum -y update
+
 CMD ["ui"]
diff --git a/Workbench/idp/Dockerfile b/Workbench/idp/Dockerfile
index 4968448..b4e2b8f 100644
--- a/Workbench/idp/Dockerfile
+++ b/Workbench/idp/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/shib-idp:3.4.6_20191002
+FROM tier/shib-idp:latest
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 
diff --git a/Workbench/idp/shibboleth-idp/conf/access-control.xml b/Workbench/idp/shibboleth-idp/conf/access-control.xml
new file mode 100644
index 0000000..17aea1c
--- /dev/null
+++ b/Workbench/idp/shibboleth-idp/conf/access-control.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Map of access control policies used to limit access to administrative functions.
+    The purpose of the map is to label policies with a key/name so they can be reused.
+    -->
+
+    <!--
+    Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
+    The ranges provided MUST be CIDR network expressions. To specify a single address,
+    add "/32" or "/128" for IPv4 or IPv6 respectively.
+
+    The additional examples below demonstrate how to control access by username
+    and by attribute(s), in the case of authenticated access to admin functions.
+    -->
+
+    <util:map id="shibboleth.AccessControlPolicies">
+    
+        <entry key="AccessByIPAddress">
+            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.16.0.0/12'} }" />
+        </entry>
+        
+        <!--
+        <entry key="AccessByUser">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+        
+        <!--
+        <entry key="AccessByAttribute">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+                        <property name="attributeValueMap">
+                            <map>
+                                <entry key="eduPersonEntitlement">
+                                    <list>
+                                        <value>https://example.org/entitlement/idpadmin</value>
+                                    </list>
+                                </entry>
+                            </map>
+                        </property>
+                    </bean>
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+    
+    </util:map>
+
+</beans>
+
diff --git a/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml b/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml
index b3cfee1..5dfaec8 100644
--- a/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml
+++ b/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml
@@ -1,47 +1,26 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- 
-    This file is an EXAMPLE policy file.  While the policy presented in this 
-    example file is illustrative of some simple cases, it relies on the names of
-    non-existent example services and the example attributes demonstrated in the
-    default attribute-resolver.xml file.
-    
-    Deployers should refer to the documentation for a complete list of components
-    and their options.
--->
-<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
-        xmlns:afp="urn:mace:shibboleth:2.0:afp"
-        xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
-        xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+        xmlns="urn:mace:shibboleth:2.0:afp"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd
-                            urn:mace:shibboleth:2.0:afp:mf:basic http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd
-                            urn:mace:shibboleth:2.0:afp:mf:saml http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd">
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
     <!-- Release some attributes to an SP. -->
-    <afp:AttributeFilterPolicy id="example1">
-        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://grouperdemo/shibboleth" />
+    <AttributeFilterPolicy id="grouper">
+        <PolicyRequirementRule xsi:type="Requester" value="https://grouperdemo/shibboleth" />
 
-        <afp:AttributeRule attributeID="eduPersonPrincipalName">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
 
-        <afp:AttributeRule attributeID="uid">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="uid" permitAny="true" />
 
-        <afp:AttributeRule attributeID="mail">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="mail" permitAny="true" />
 
-    </afp:AttributeFilterPolicy>
+    </AttributeFilterPolicy>
 
-    <afp:AttributeFilterPolicy id="midpoint">
-        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="midpointdemo-shibboleth" />
+    <AttributeFilterPolicy id="midpoint">
+        <PolicyRequirementRule xsi:type="Requester" value="midpointdemo-shibboleth" />
 
-        <afp:AttributeRule attributeID="uid">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="uid" permitAny="true" />
 
-    </afp:AttributeFilterPolicy>
+    </AttributeFilterPolicy>
 
-</afp:AttributeFilterPolicyGroup>
+</AttributeFilterPolicyGroup>
diff --git a/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml b/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml
index ee9519f..03df80f 100644
--- a/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml
+++ b/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml
@@ -1,245 +1,47 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- 
-    This file is an EXAMPLE configuration file containing lots of commented
-    example attributes, encoders, and a couple of example data connectors.
-    
-    Not all attribute definitions or data connectors are demonstrated, but
-    a variety of LDAP attributes, some common to Shibboleth deployments and
-    many not, are included.
-    
-    Deployers should refer to the Shibboleth 2 documentation for a complete
-    list of components  and their options.
--->
-<resolver:AttributeResolver
-        xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
-        xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
-        xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
-        xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
-        xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
-        xmlns:sec="urn:mace:shibboleth:2.0:security"
+<AttributeResolver
+        xmlns="urn:mace:shibboleth:2.0:resolver"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
-                            urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
-                            urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
-                            urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
-                            urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
-                            urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
 
     <!-- ========================================== -->
     <!--      Attribute Definitions                 -->
     <!-- ========================================== -->
 
     <!-- Schema: Core schema attributes-->
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
-    </resolver:AttributeDefinition>
-<!--
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="homePhone" sourceAttributeID="homePhone">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="homePostalAddress" sourceAttributeID="homePostalAddress">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="mobileNumber" sourceAttributeID="mobile">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="pagerNumber" sourceAttributeID="pager">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" />
-    </resolver:AttributeDefinition>
--->
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
-    </resolver:AttributeDefinition>
-<!--
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="locality" sourceAttributeID="l">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="stateProvince" sourceAttributeID="st">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="street" sourceAttributeID="street">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="organizationName" sourceAttributeID="o">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="organizationalUnit" sourceAttributeID="ou">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="title" sourceAttributeID="title">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="postalAddress" sourceAttributeID="postalAddress">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="postalCode" sourceAttributeID="postalCode">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="postOfficeBox" sourceAttributeID="postOfficeBox">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="telephoneNumber" sourceAttributeID="telephoneNumber">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
-    </resolver:AttributeDefinition>
--->
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
-    </resolver:AttributeDefinition>
-<!--
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="initials" sourceAttributeID="initials">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" />
-    </resolver:AttributeDefinition>
-     -->
-
-    <!-- Schema: inetOrgPerson attributes-->
-    <!--
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="departmentNumber" sourceAttributeID="departmentNumber">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" />
-    </resolver:AttributeDefinition>
-    
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
-    </resolver:AttributeDefinition> 
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="employeeNumber" sourceAttributeID="employeeNumber">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="employeeType" sourceAttributeID="employeeType">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="jpegPhoto" sourceAttributeID="jpegPhoto">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="preferredLanguage" sourceAttributeID="preferredLanguage">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" />
-    </resolver:AttributeDefinition>
-    -->
+    <AttributeDefinition xsi:type="Simple" id="uid">
+        <InputDataConnector ref="myLDAP" attributeNames="uid"/>
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="mail">
+        <InputDataConnector ref="myLDAP" attributeNames="mail"/>
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </AttributeDefinition>
+    <AttributeDefinition xsi:type="Simple" id="surname">
+        <InputDataConnector ref="myLDAP" attributeNames="sn"/>
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
+    </AttributeDefinition>
+    <AttributeDefinition xsi:type="Simple" id="givenName">
+        <InputDataConnector ref="myLDAP" attributeNames="givenName"/>
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
+    </AttributeDefinition>
 
     <!-- Schema: eduPerson attributes -->
-    
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAffiliation" sourceAttributeID="cn">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
-    </resolver:AttributeDefinition>
-<!--
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonEntitlement" sourceAttributeID="eduPersonEntitlement">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonNickname" sourceAttributeID="eduPersonNickname">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonPrimaryAffiliation" sourceAttributeID="eduPersonPrimaryAffiliation">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonUniqueId" scope="%{idp.scope}" sourceAttributeID="localUniqueId">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" />
-    </resolver:AttributeDefinition>
--->
-    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}" sourceAttributeID="eduPersonPrincipalName">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
-    </resolver:AttributeDefinition>
-<!--
-    <resolver:AttributeDefinition xsi:type="ad:Prescoped" id="eduPersonPrincipalNamePrior" sourceAttributeID="eduPersonPrincipalNamePrior">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" friendlyName="eduPersonPrincipalNamePrior" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
-    </resolver:AttributeDefinition>
-    
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAssurance" sourceAttributeID="eduPersonAssurance">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" encodeType="false" />
-    </resolver:AttributeDefinition>
-    -->
+    <AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation">
+        <InputDataConnector ref="myLDAP" attributeNames="cn"/>
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
+    </AttributeDefinition>
+    <AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}">
+        <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/>
+        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </AttributeDefinition>
 
     <!-- ========================================== -->
     <!--      Data Connectors                       -->
@@ -247,47 +49,42 @@
 
     <!-- Example Static Connector -->
     <!--
-    <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
-        <dc:Attribute id="eduPersonAffiliation">
-            <dc:Value>member</dc:Value>
-        </dc:Attribute>
-    </resolver:DataConnector>
+    <DataConnector id="staticAttributes" xsi:type="Static">
+        <Attribute id="eduPersonAffiliation">
+            <Value>member</Value>
+        </Attribute>
+    </DataConnector>
     -->
 
     <!-- Example Relational Database Connector -->
     <!--
-    <resolver:DataConnector id="mySIS" xsi:type="dc:RelationalDatabase">
-        <dc:ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
+    <DataConnector id="mySIS" xsi:type="RelationalDatabase">
+        <ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
                                          jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB" 
                                          jdbcUserName="myid" 
                                          jdbcPassword="mypassword" />
-        <dc:QueryTemplate>
+        <QueryTemplate>
             <![CDATA[
                 SELECT * FROM student WHERE gzbtpid = '$requestContext.principalName'
             ]]>
-        </dc:QueryTemplate>
+        </QueryTemplate>
 
-        <dc:Column columnName="gzbtpid" attributeID="uid" />
-        <dc:Column columnName="fqlft" attributeID="gpa" />
-    </resolver:DataConnector>
+        <Column columnName="gzbtpid" attributeID="uid" />
+        <Column columnName="fqlft" attributeID="gpa" />
+    </DataConnector>
      -->
 
-    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
+    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
         ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
         baseDN="%{idp.attribute.resolver.LDAP.baseDN}" 
         principal="%{idp.attribute.resolver.LDAP.bindDN}"
         principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
         useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
-        <dc:FilterTemplate>
+        <FilterTemplate>
             <![CDATA[
                 %{idp.attribute.resolver.LDAP.searchFilter}
             ]]>
-        </dc:FilterTemplate>
-        <!--
-        <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
-            <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
-        </dc:StartTLSTrustCredential>
-    -->
-    </resolver:DataConnector>
+        </FilterTemplate>
+    </DataConnector>
 
-</resolver:AttributeResolver>
\ No newline at end of file
+</AttributeResolver>
diff --git a/Workbench/idp/shibboleth-idp/edit-webapp/images/csp_logo.jpg b/Workbench/idp/shibboleth-idp/edit-webapp/images/csp_logo.jpg
new file mode 100644
index 0000000..cbcdab1
Binary files /dev/null and b/Workbench/idp/shibboleth-idp/edit-webapp/images/csp_logo.jpg differ
diff --git a/Workbench/idp/shibboleth-idp/messages/messages.properties b/Workbench/idp/shibboleth-idp/messages/messages.properties
new file mode 100644
index 0000000..1544641
--- /dev/null
+++ b/Workbench/idp/shibboleth-idp/messages/messages.properties
@@ -0,0 +1,2 @@
+idp.logo = /images/csp_logo.jpg
+idp.logo.alt-text = InCommon CSP
diff --git a/Workbench/idp/shibboleth-idp/metadata/grouper-sp.xml b/Workbench/idp/shibboleth-idp/metadata/grouper-sp.xml
index 5b42a7b..d24b331 100644
--- a/Workbench/idp/shibboleth-idp/metadata/grouper-sp.xml
+++ b/Workbench/idp/shibboleth-idp/metadata/grouper-sp.xml
@@ -1,7 +1,3 @@
-<!--
-This is example metadata only. Do *NOT* supply it as is without review,
-and do *NOT* provide it in real time to your partners.
- -->
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_57114916ca68943103854cb57a3a3b1c7c38bb81" entityID="https://grouperdemo/shibboleth">
 
   <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
@@ -25,14 +21,13 @@ and do *NOT* provide it in real time to your partners.
 
   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:Extensions>
-      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost:4443/Shibboleth.sso/Login"/>
-      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://localhost:4443/Shibboleth.sso/Login" index="1"/>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost/grouperSSO/Shibboleth.sso/Login"/>
+      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://localhost/grouperSSO/Shibboleth.sso/Login" index="1"/>
     </md:Extensions>
     <md:KeyDescriptor>
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:KeyName>sp.example.org</ds:KeyName>
         <ds:X509Data>
-          <ds:X509SubjectName>CN=sp.example.org,O=Internet2/TIER,L=Ann Arbor,ST=MI,C=US</ds:X509SubjectName>
           <ds:X509Certificate>MIIDPDCCAiQCCQDNZe8r0hVtuTANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJV
 UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50
 ZXJuZXQyL1RJRVIxFzAVBgNVBAMMDnNwLmV4YW1wbGUub3JnMB4XDTE3MDkyMjE5
@@ -64,15 +59,15 @@ Z75p+JrWYZJYrx/vpWxL8g==
       <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
       <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
     </md:KeyDescriptor>
-    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:4443/Shibboleth.sso/Artifact/SOAP" index="1"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:4443/Shibboleth.sso/SLO/SOAP"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:4443/Shibboleth.sso/SLO/Redirect"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:4443/Shibboleth.sso/SLO/POST"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:4443/Shibboleth.sso/SLO/Artifact"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:4443/Shibboleth.sso/SAML2/POST" index="1"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost:4443/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:4443/Shibboleth.sso/SAML2/Artifact" index="3"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://localhost:4443/Shibboleth.sso/SAML2/ECP" index="4"/>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost/grouperSSO/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost/grouperSSO/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/grouperSSO/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/grouperSSO/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost/grouperSSO/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/grouperSSO/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost/grouperSSO/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost/grouperSSO/Shibboleth.sso/SAML2/Artifact" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://localhost/grouperSSO/Shibboleth.sso/SAML2/ECP" index="4"/>
   </md:SPSSODescriptor>
 
 </md:EntityDescriptor>
diff --git a/Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml b/Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml
index 5789ed8..b04e2e1 100644
--- a/Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml
+++ b/Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml
@@ -25,8 +25,8 @@ and do *NOT* provide it in real time to your partners.
 
   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
     <md:Extensions>
-      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost:8443/Shibboleth.sso/Login"/>
-      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://localhost:8443/Shibboleth.sso/Login" index="1"/>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost/Shibboleth.sso/Login"/>
+      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://localhost/Shibboleth.sso/Login" index="1"/>
     </md:Extensions>
     <md:KeyDescriptor>
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
@@ -64,8 +64,8 @@ AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq+mjnyQSNe3s2
       <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
       <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
     </md:KeyDescriptor>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/midpoint/auth/gui-default/mySamlSso/logout/alias/midpointdemo-shibbolet"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/midpoint/auth/gui-default/mySamlSso/SSO/alias/midpointdemo-shibboleth" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/midpoint/auth/gui-default/mySamlSso/logout/alias/midpointdemo-shibbolet"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/midpoint/auth/gui-default/mySamlSso/SSO/alias/midpointdemo-shibboleth" index="1"/>
   </md:SPSSODescriptor>
 
 </md:EntityDescriptor>
diff --git a/Workbench/midpoint_server/Dockerfile b/Workbench/midpoint_server/Dockerfile
index 34ce0cd..33f4f5b 100644
--- a/Workbench/midpoint_server/Dockerfile
+++ b/Workbench/midpoint_server/Dockerfile
@@ -3,6 +3,7 @@ FROM tier/midpoint:latest
 MAINTAINER info@evolveum.com
 
 ENV MP_DIR /opt/midpoint
+ENV MP_MEM_MAX 2048m
 
 VOLUME ${MP_DIR}/var
 
diff --git a/Workbench/mq/container_files/etc-rabbitmq/rabbitmq.conf b/Workbench/mq/container_files/etc-rabbitmq/rabbitmq.conf
index 4c789ba..6f9abed 100644
--- a/Workbench/mq/container_files/etc-rabbitmq/rabbitmq.conf
+++ b/Workbench/mq/container_files/etc-rabbitmq/rabbitmq.conf
@@ -1,2 +1,3 @@
 # Allow guest access from anywhere (change this in production!)
 loopback_users = none
+
diff --git a/Workbench/webproxy/Dockerfile b/Workbench/webproxy/Dockerfile
new file mode 100644
index 0000000..160806d
--- /dev/null
+++ b/Workbench/webproxy/Dockerfile
@@ -0,0 +1,6 @@
+FROM tier/shibboleth_sp:latest
+
+COPY container_files/httpd/proxy.conf /etc/httpd/conf.d/
+COPY container_files/httpd/index.html /var/www/html/
+COPY container_files/httpd/csp_logo.jpg /var/www/html/
+
diff --git a/Workbench/webproxy/container_files/httpd/csp_logo.jpg b/Workbench/webproxy/container_files/httpd/csp_logo.jpg
new file mode 100644
index 0000000..cbcdab1
Binary files /dev/null and b/Workbench/webproxy/container_files/httpd/csp_logo.jpg differ
diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html
new file mode 100644
index 0000000..6476c86
--- /dev/null
+++ b/Workbench/webproxy/container_files/httpd/index.html
@@ -0,0 +1,22 @@
+<img src="csp_logo.jpg">
+<br /><br />
+<h3>Welcome to the InCommon TAP Workbench!</h3>
+<br />
+This is your own personal instance of the InCommon <i>Trusted Access Platform</i> Workbench.
+<br /><br />
+It is running on your local machine.
+<br /><br />
+For more information, see <a href="https://spaces.at.internet2.edu/display/MID/Grouper+integration+demo#Grouperintegrationdemo-CheckingthemidPointstate(optional)" target="_blank">this page</a>.
+<br /><br />
+The system contains the following TAP components (click the links to access each component in its own tab):
+<ul>
+<li><a href="https://localhost/idp/status" target="TAP-WB-IDP">Shibboleth IdP</a></li>
+<li><a href="https://localhost/grouperSSO/Shibboleth.sso/Status" target="TAP-WB-SP">Shibboleth SP</a></li>
+<li><a href="https://localhost/grouper" target="TAP-WB-GROUPER">Grouper</a></li>
+<li><a href="https://localhost/midpoint" target="TAP-WB-MIDPOINT">midPoint</a></li>
+<li><a href="https://localhost/rabbit" target="TAP-WB-RABBIT">Rabbit MQ</a></li>
+<li><a href="https://localhost/ldapadmin" target="TAP-WB-LDAPADMIN">LDAP Admin</a></li>
+<li><a href="https://localhost/phpmyadmin" target="TAP-WB-SQLADMIN">SQL Admin</a></li>
+<li>COmanage (coming soon)</li>
+</ul>
+
diff --git a/Workbench/webproxy/container_files/httpd/proxy.conf b/Workbench/webproxy/container_files/httpd/proxy.conf
new file mode 100644
index 0000000..4530105
--- /dev/null
+++ b/Workbench/webproxy/container_files/httpd/proxy.conf
@@ -0,0 +1,43 @@
+#Proxy config
+SSLProxyEngine on
+SSLProxyVerify none
+SSLProxyCheckPeerCN off
+SSLProxyCheckPeerName off
+SSLProxyCheckPeerExpire off
+ProxyPreserveHost On
+AllowEncodedSlashes On
+
+ProxyPass /midpoint https://midpoint-server/midpoint
+ProxyPassReverse /midpoint https://midpoint-server/midpoint
+
+ProxyPass /grouper https://grouper-ui/grouper
+ProxyPassReverse /grouper https://grouper-ui/grouper
+ProxyPass /grouperSSO https://grouper-ui/grouperSSO
+ProxyPassReverse /grouperSSO https://grouper-ui/grouperSSO
+
+ProxyPass /grouper-ws https://grouper-ws/grouper-ws
+ProxyPassReverse /grouper-ws https://grouper-ws/grouper-ws
+
+ProxyPass /idp https://idp/idp
+ProxyPassReverse /idp https://idp/idp
+
+ProxyPass /rabbit http://mq:15672/ nocanon
+ProxyPassReverse /rabbit http://mq:15672/
+ProxyPass /js http://mq:15672/js
+ProxyPassReverse /js http://mq:15672/js
+ProxyPass /css http://mq:15672/css
+ProxyPassReverse /css http://mq:15672/css
+ProxyPass /img http://mq:15672/img
+ProxyPassReverse /img http://mq:15672/img
+ProxyPass /api http://mq:15672/api
+ProxyPassReverse /api http://mq:15672/api
+
+ProxyPass /ldapadmin https://directory/ldapadmin
+ProxyPassReverse /ldapadmin https://directory/ldapadmin
+
+ProxyPass /phpmyadmin https://directory/phpmyadmin
+ProxyPassReverse /phpmyadmin https://directory/phpmyadmin
+
+ProxyPass /comanage https://comanage/
+ProxyPassReverse /comanage https://comanage/
+