From e40ac6319694252254b864057ea63787ec0a3d80 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Thu, 10 Dec 2020 11:00:14 -0600
Subject: [PATCH] midpoint/shib + new grouper

---
 Workbench/docker-compose.yml                  |   1 +
 Workbench/grouper_daemon/Dockerfile           |   2 +-
 Workbench/grouper_ui/Dockerfile               |   2 +-
 Workbench/grouper_ws/Dockerfile               |   2 +-
 .../container_files/system/setservername.sh   |   2 +-
 .../shibboleth-idp/conf/attribute-filter.xml  |  16 +-
 .../conf/attribute-resolver.xml               |  14 +-
 .../idp/shibboleth-idp/conf/idp.properties    |   3 +
 Workbench/idp/shibboleth-idp/conf/logback.xml | 175 ++++++++++++++++++
 .../metadata/midpoint-sp-new.xml              |  37 ----
 .../shibboleth-idp/metadata/midpoint-sp.xml   | 103 +++++++----
 Workbench/midpoint_server/Dockerfile          |  15 ++
 .../container_files/httpd/shib.conf           |  58 ++++++
 .../resources/100-grouper.xml                 |   2 +-
 .../securityPolicy/000-security-policy.xml    |  43 +++--
 .../shibboleth/attribute-map.xml              | 168 +++++++++++++++++
 .../shibboleth/shibboleth2.xml                | 112 +++++++++++
 .../container_files/shibboleth/shibd.logger   |  60 ++++++
 .../shibboleth/sp-encrypt-cert.pem            |  24 +++
 .../shibboleth/sp-encrypt-key.pem             |  40 ++++
 .../shibboleth/sp-signing-cert.pem            |  24 +++
 .../shibboleth/sp-signing-key.pem             |  40 ++++
 .../supervisor/supervisord.conf               |  32 ++++
 .../container_files/system/setservername.sh   |   8 +
 .../webproxy/container_files/httpd/proxy.conf |   2 +
 25 files changed, 870 insertions(+), 115 deletions(-)
 create mode 100644 Workbench/idp/shibboleth-idp/conf/logback.xml
 delete mode 100644 Workbench/idp/shibboleth-idp/metadata/midpoint-sp-new.xml
 create mode 100644 Workbench/midpoint_server/container_files/httpd/shib.conf
 create mode 100644 Workbench/midpoint_server/container_files/shibboleth/attribute-map.xml
 create mode 100644 Workbench/midpoint_server/container_files/shibboleth/shibboleth2.xml
 create mode 100644 Workbench/midpoint_server/container_files/shibboleth/shibd.logger
 create mode 100644 Workbench/midpoint_server/container_files/shibboleth/sp-encrypt-cert.pem
 create mode 100644 Workbench/midpoint_server/container_files/shibboleth/sp-encrypt-key.pem
 create mode 100644 Workbench/midpoint_server/container_files/shibboleth/sp-signing-cert.pem
 create mode 100644 Workbench/midpoint_server/container_files/shibboleth/sp-signing-key.pem
 create mode 100644 Workbench/midpoint_server/container_files/supervisor/supervisord.conf
 create mode 100644 Workbench/midpoint_server/container_files/system/setservername.sh

diff --git a/Workbench/docker-compose.yml b/Workbench/docker-compose.yml
index e333f8b..d2597f6 100644
--- a/Workbench/docker-compose.yml
+++ b/Workbench/docker-compose.yml
@@ -209,6 +209,7 @@ services:
      - midpoint_data
     ports:
      - 10443:443
+    command: /usr/local/bin/startup.sh
     environment:
      - ENV
      - USERTOKEN
diff --git a/Workbench/grouper_daemon/Dockerfile b/Workbench/grouper_daemon/Dockerfile
index f2811ea..d5ae613 100644
--- a/Workbench/grouper_daemon/Dockerfile
+++ b/Workbench/grouper_daemon/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/grouper:2.4.0-a47-u25-w5-p6-20190611
+FROM tier/grouper:2.5.37.1
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 
diff --git a/Workbench/grouper_ui/Dockerfile b/Workbench/grouper_ui/Dockerfile
index 3e54b51..ed5d179 100644
--- a/Workbench/grouper_ui/Dockerfile
+++ b/Workbench/grouper_ui/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/grouper:2.4.0-a96-u57-w11-p12-20200324-rc1
+FROM i2incommon/grouper:2.5.37.1
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 
diff --git a/Workbench/grouper_ws/Dockerfile b/Workbench/grouper_ws/Dockerfile
index 272205f..dc0dfbd 100644
--- a/Workbench/grouper_ws/Dockerfile
+++ b/Workbench/grouper_ws/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/grouper:2.4.0-a47-u25-w5-p6-20190611
+FROM i2incommon/grouper:2.5.37.1
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 
diff --git a/Workbench/idp/container_files/system/setservername.sh b/Workbench/idp/container_files/system/setservername.sh
index 9277d74..2c32d77 100644
--- a/Workbench/idp/container_files/system/setservername.sh
+++ b/Workbench/idp/container_files/system/setservername.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/grouper-sp.xml /opt/shibboleth-idp/metadata/proxy-sp.xml /opt/shibboleth-idp/metadata/comanage-sp.xml"
+files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/grouper-sp.xml /opt/shibboleth-idp/metadata/proxy-sp.xml /opt/shibboleth-idp/metadata/comanage-sp.xml /opt/shibboleth-idp/metadata/midpoint-sp.xml"
 
 for file in $files
   do
diff --git a/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml b/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml
index 0ced5e4..393d7db 100644
--- a/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml
+++ b/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml
@@ -7,41 +7,27 @@
     <!-- Release some attributes to an SP. -->
     <AttributeFilterPolicy id="grouper">
         <PolicyRequirementRule xsi:type="Requester" value="https://grouperdemo/shibboleth" />
-
         <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
-
         <AttributeRule attributeID="uid" permitAny="true" />
-
         <AttributeRule attributeID="mail" permitAny="true" />
-
     </AttributeFilterPolicy>
         
     <AttributeFilterPolicy id="comanage">
         <PolicyRequirementRule xsi:type="Requester" value="https://comanagedemo/shibboleth" />
-
         <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
-
         <AttributeRule attributeID="uid" permitAny="true" />
-
         <AttributeRule attributeID="mail" permitAny="true" />
-
     </AttributeFilterPolicy>
 
     <AttributeFilterPolicy id="midpoint">
-        <PolicyRequirementRule xsi:type="Requester" value="midpointdemo-shibboleth" />
-
+        <PolicyRequirementRule xsi:type="Requester" value="https://midpointdemo/shibboleth" />
         <AttributeRule attributeID="uid" permitAny="true" />
-
     </AttributeFilterPolicy>
 
     <AttributeFilterPolicy id="proxy">
         <PolicyRequirementRule xsi:type="Requester" value="https://proxysp.example.org/shibboleth" />
-
         <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
-
         <AttributeRule attributeID="uid" permitAny="true" />
-
         <AttributeRule attributeID="mail" permitAny="true" />
-
     </AttributeFilterPolicy>
 </AttributeFilterPolicyGroup>
diff --git a/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml b/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml
index 03df80f..ac97ff2 100644
--- a/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml
+++ b/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml
@@ -11,36 +11,24 @@
     <!-- Schema: Core schema attributes-->
     <AttributeDefinition xsi:type="Simple" id="uid">
         <InputDataConnector ref="myLDAP" attributeNames="uid"/>
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
     </AttributeDefinition>
-
+	
     <AttributeDefinition xsi:type="Simple" id="mail">
         <InputDataConnector ref="myLDAP" attributeNames="mail"/>
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
     </AttributeDefinition>
     <AttributeDefinition xsi:type="Simple" id="surname">
         <InputDataConnector ref="myLDAP" attributeNames="sn"/>
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
     </AttributeDefinition>
     <AttributeDefinition xsi:type="Simple" id="givenName">
         <InputDataConnector ref="myLDAP" attributeNames="givenName"/>
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
     </AttributeDefinition>
 
     <!-- Schema: eduPerson attributes -->
     <AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation">
         <InputDataConnector ref="myLDAP" attributeNames="cn"/>
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
     </AttributeDefinition>
     <AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}">
         <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/>
-        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
     </AttributeDefinition>
 
     <!-- ========================================== -->
diff --git a/Workbench/idp/shibboleth-idp/conf/idp.properties b/Workbench/idp/shibboleth-idp/conf/idp.properties
index 6294a30..f221411 100644
--- a/Workbench/idp/shibboleth-idp/conf/idp.properties
+++ b/Workbench/idp/shibboleth-idp/conf/idp.properties
@@ -193,3 +193,6 @@ idp.cas.StorageService=shibboleth.StorageService
 #idp.fticks.federation=MyFederation
 #idp.fticks.algorithm=SHA-256
 #idp.fticks.salt=somethingsecret
+
+#custom/added
+idp.loglevel.messages=DEBUG
diff --git a/Workbench/idp/shibboleth-idp/conf/logback.xml b/Workbench/idp/shibboleth-idp/conf/logback.xml
new file mode 100644
index 0000000..817de02
--- /dev/null
+++ b/Workbench/idp/shibboleth-idp/conf/logback.xml
@@ -0,0 +1,175 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+
+    <!--
+    Variables for simplifying logging configuration.
+    http://logback.qos.ch/manual/configuration.html#variableSubstitution
+    -->
+
+    <!--
+    If you want to use custom properties in this config file,
+    we load the main property file for you.
+    -->
+    <variable file="${idp.home}/conf/idp.properties" />
+
+    <!-- Location and retention. -->
+    
+    <variable name="idp.logfiles" value="${idp.home}/logs" />
+    <variable name="idp.loghistory" value="${idp.loghistory:-180}" />
+    
+    <!-- Much higher performance if you operate on DEBUG. -->
+    <!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> -->
+    
+    <!-- Logging level shortcuts. -->
+    <variable name="idp.loglevel.idp" value="${idp.loglevel.idp:-INFO}" />
+    <variable name="idp.loglevel.ldap" value="${idp.loglevel.ldap:-WARN}" />
+    <variable name="idp.loglevel.messages" value="${idp.loglevel.messages:-INFO}" />
+    <variable name="idp.loglevel.encryption" value="${idp.loglevel.encryption:-INFO}" />
+    <variable name="idp.loglevel.opensaml" value="${idp.loglevel.opensaml:-INFO}" />
+    <variable name="idp.loglevel.props" value="${idp.loglevel.props:-INFO}" />
+    <variable name="idp.loglevel.httpclient" value="${idp.loglevel.httpclient:-INFO}" />
+    
+    <!-- Don't turn these up unless you want a *lot* of noise. -->
+    <variable name="idp.loglevel.spring" value="${idp.loglevel.spring:-ERROR}" />
+    <variable name="idp.loglevel.container" value="${idp.loglevel.container:-ERROR}" />
+    <variable name="idp.loglevel.xmlsec" value="${idp.loglevel.xmlsec:-INFO}" />
+
+    <!-- =========================================================== -->
+    <!-- ============== Logging Categories and Levels ============== -->
+    <!-- =========================================================== -->
+
+    <!-- Logs IdP, but not OpenSAML, messages -->
+    <logger name="net.shibboleth.idp" level="${idp.loglevel.idp}"/>
+
+    <!-- Logs OpenSAML, but not IdP, messages -->
+    <logger name="org.opensaml.saml" level="${idp.loglevel.opensaml}"/>
+    
+    <!-- Logs LDAP related messages -->
+    <logger name="org.ldaptive" level="${idp.loglevel.ldap}"/>
+
+    <!-- Logs embedded HTTP client messages -->
+    <logger name="org.apache.http" level="${idp.loglevel.httpclient}"/>
+    
+    <!-- Logs inbound and outbound protocols messages at DEBUG level -->
+    <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages}" />
+
+    <!-- Logs unencrypted SAML at DEBUG level -->
+    <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption}" />
+
+    <!-- Logs system properties during startup at DEBUG level -->
+    <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props}" />
+
+    <!-- Especially chatty. -->
+    <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec}" />
+    <logger name="org.springframework" level="${idp.loglevel.spring}"/>
+    <logger name="org.apache.catalina" level="${idp.loglevel.container}"/>
+    <logger name="org.eclipse.jetty" level="${idp.loglevel.container}"/>
+
+
+    <!-- =========================================================== -->
+    <!-- ============== Low Level Details or Changes =============== -->
+    <!-- =========================================================== -->
+    
+    <!-- Process log. -->
+    <appender name="IDP_PROCESS" class="ch.qos.logback.core.FileAppender">
+        <File>/tmp/logidp-process</File>
+        
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+        </encoder>
+
+        <!-- Ignore Velocity status page error. -->
+        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+            <evaluator>
+                <matcher>
+                    <Name>VelocityStatusMatcher</Name>
+                    <regex>ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\.</regex>
+                </matcher>
+                <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+            </evaluator>
+            <OnMatch>DENY</OnMatch>
+        </filter>
+    </appender>
+
+    <appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender">
+        <appender-ref ref="IDP_PROCESS" />
+        <discardingThreshold>0</discardingThreshold>
+    </appender>
+
+    <appender name="IDP_WARN" class="ch.qos.logback.core.FileAppender">
+        <!-- Suppress anything below WARN. -->
+        <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+            <level>WARN</level>
+        </filter>
+        
+        <File>/tmp/logidp-warn</File>
+        
+        
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{full}</Pattern>
+        </encoder>
+        
+        <!-- Ignore Velocity status page error. -->
+        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+            <evaluator>
+                <matcher>
+                    <Name>VelocityStatusMatcher</Name>
+                    <regex>ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\.</regex>
+                </matcher>
+                <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+            </evaluator>
+            <OnMatch>DENY</OnMatch>
+        </filter>
+    </appender>
+    
+    <!-- Audit log. -->
+    <appender name="IDP_AUDIT" class="ch.qos.logback.core.FileAppender">
+        <File>/tmp/logidp-audit</File>
+
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+    
+    <!-- Consent audit log. -->
+    <appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.FileAppender">
+        <File>/tmp/logidp-consent-audit</File>
+
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+
+    <!-- F-TICKS syslog destination. -->
+    <appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender">
+        <syslogHost>${idp.fticks.loghost:-localhost}</syslogHost>
+        <port>${idp.fticks.logport:-514}</port>
+        <facility>AUTH</facility>
+        <suffixPattern>[%thread] %logger %msg</suffixPattern>
+    </appender>
+
+    <logger name="Shibboleth-Audit" level="ALL">
+        <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
+    </logger>
+
+    <logger name="Shibboleth-FTICKS" level="ALL" additivity="false">
+        <appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/>
+    </logger>
+
+    <logger name="Shibboleth-Consent-Audit" level="ALL">
+        <appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/>
+    </logger>
+    
+    <root level="${idp.loglevel.root:-INFO}">
+        <appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/>
+        <appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
+    </root>
+
+</configuration>
diff --git a/Workbench/idp/shibboleth-idp/metadata/midpoint-sp-new.xml b/Workbench/idp/shibboleth-idp/metadata/midpoint-sp-new.xml
deleted file mode 100644
index a819f4b..0000000
--- a/Workbench/idp/shibboleth-idp/metadata/midpoint-sp-new.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<EntityDescriptor entityID="https://midpointdemo/idp/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-    <Extensions>
-      <shibmd:Scope regexp="false">midpointdemo</shibmd:Scope>
-    </Extensions>
-    <KeyDescriptor use="signing">
-      <ds:KeyInfo>
-        <ds:X509Data>
-          <ds:X509Certificate>
-MIIDHDCCAgSgAwIBAgIJAPEnL5jgbeVoMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
-BAMMD2lkcC5leGFtcGxlLmVkdTAeFw0xODEwMTAyMDM1NDBaFw0yMzEwMDkyMDM1
-NDBaMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLmVkdTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAKwTrvQhmFX3SUNgJAhQ/YV0UX56Rt53mwbiKuH+Ez83
-7z6XRynBVsfzHfbWe0IpNKx5mIr84dfbGhQKQBEKzQuek7ihW3J6PIVZN1A3icZZ
-B9i7gow902bT0ZfRG8QW49gl7pk3ASutPcO9Dq5Xc/AqWr3OSO/Pei0yBtTdzG3b
-rm0u0gbj3P2tjt7BN77wIB+yjJsND3ITtP0MFXIJxLTlty8thwqQOAOAYcF+rhC5
-znnBLsRNo0E57PtzZs8i/BpEX2uPTxpEyvlU1vtyxcKUiHtK5ZjOsDEkS2rEualr
-+FILYg/Oxw1gi0+mNO1a94Ft+UoLiREztq6MQt8OK98CAwEAAaNlMGMwQgYDVR0R
-BDswOYIPaWRwLmV4YW1wbGUuZWR1hiZodHRwczovL2lkcC5leGFtcGxlLmVkdS9p
-ZHAvc2hpYmJvbGV0aDAdBgNVHQ4EFgQU3ZJ8oHkmlgPtZuZAxnzONccPsb8wDQYJ
-KoZIhvcNAQELBQADggEBAIJ4oZKSMGpF8J3qdfjLZGkc3iVbu/eiE1MD77no0oCz
-nelY0CNUBuFJk1Xv+Bv0fW0cVugtMPz4xi7zv0zkpS2IVxpPZWBosuVabUD9k+V4
-iN5woJdO7e2KRGvhlWmbkmoZUvhygDe0u0vblNfLzDwFQvxHXiWG//P7SanoQrjP
-dE8U21tYz+EFm6s5TvHxVhr9id8c+UacAFCpAtzUB+J8K1abx05XlKsySflkOQV9
-JbM4zOy5gXSI5dY9dGUF77g0muyC+jAhIhLSt/7v3vJgvBurrxPoeBFXOU3D+siT
-VZlKtYzYjJhVqXx1vKrWEE1hkpqm+iYgZe4MvgcdswY=
-          </ds:X509Certificate>
-        </ds:X509Data>
-      </ds:KeyInfo>
-    </KeyDescriptor>
-    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/idp/profile/SAML2/Redirect/SSO"/>
-    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/idp/profile/SAML2/POST/SSO"/>
-    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost/idp/profile/SAML2/POST-SimpleSign/SSO"/>
-    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost/idp/profile/SAML2/SOAP/ECP"/>
-  </IDPSSODescriptor>
-</EntityDescriptor>
-
diff --git a/Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml b/Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml
index b04e2e1..c2a1548 100644
--- a/Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml
+++ b/Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml
@@ -1,8 +1,4 @@
-<!--
-This is example metadata only. Do *NOT* supply it as is without review,
-and do *NOT* provide it in real time to your partners.
- -->
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_57114916ca68943103854cb57a3a3b1c7c38bb81" entityID="midpointdemo-shibboleth">
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_1e3421dab00d0fec40e78d5d03bd49ca5d9b1b08" entityID="https://midpointdemo/shibboleth">
 
   <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
     <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
@@ -23,36 +19,68 @@ and do *NOT* provide it in real time to your partners.
     <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
   </md:Extensions>
 
-  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:Extensions>
-      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost/Shibboleth.sso/Login"/>
-      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://localhost/Shibboleth.sso/Login" index="1"/>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/Login"/>
     </md:Extensions>
-    <md:KeyDescriptor>
+    <md:KeyDescriptor use="signing">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-        <ds:KeyName>midpoint.sp.example.org</ds:KeyName>
         <ds:X509Data>
-          <ds:X509SubjectName>CN=sptest.example.edu,O=Internet2/TIER,L=Ann Arbor,ST=MI,C=US</ds:X509SubjectName>
-          <ds:X509Certificate>MIID/TCCAmWgAwIBAgIJAJZqOL69C6nRMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNVBAMTEnNwdGVz
-dC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4NDhaFw0yODEyMTcyMjM4NDhaMB0xGzAZBgNVBAMT
-EnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBANJ1OC6Q
-l4te2/7PArBkuM/EF1NcQILv7bJaecJDGYBVoWgL0a2KQ0XMESusgkVmVjj/jcbtvwIiXI/6BEu8
-15OF6eSZIwxWdQBpeKbrWTbt07GiGgdXoXot6oMs5a9YXuWLt8pTXrFVMmwXU+ZfWJtuU8OIgm9e
-sAEIQBHvDVOJtdKdBMWJFa5nUzkaVvA0Fr8r+/FHUvSCnlKOMaUIfTgtoS9AQnaRQ1dVl39Z2KAh
-87JYvRIxvbaPaKgar2eGQ+PQD8rqsB5K5wgnADAxYM9Vo0YXSpPH+FvwN3EJgURUSEY2E0Jx8JOx
-368ERNLXx3kfnRxCiZRDkTZF9WP6lBnDwc1WXRwpVCDTRnF+SIh6IC1Bj/qpkpCD3nri7tycejoe
-AtVj1YZHWarf9iqdcLYOAWmeyGbFl3hjv6qcXnIfy1KyHLCAdIrg1TymLovXXKW09pEbVLdsHmLz
-0h+DxPs4FsinK2AQBMn16u8BJJ/+spCzIQ2QNPcGORh6XemBpQIDAQABo0AwPjAdBgNVHREEFjAU
-ghJzcHRlc3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFPC8rkASWHQxrtCQ4wwtnsJRy6K5MA0GCSqG
-SIb3DQEBCwUAA4IBgQCks2nY7YzdIKV02NHD9STWD3yPtEwPYZZ3NBno0WW20rS6cU+fxFx37nY8
-ULve4cFQkLR8fOO44e1qIuTgLGCauSGTx/Ts/tbmZXbpGTwV7cjZDCfC7yEFAVrfQFOMNKeQEssu
-LFj+d4STGLorxsM+2YygdOgohJz0e3xOcmCNHqEuC9RbzrnLc/A4/mOHKwnwCCg71zA1/Ew9NUoR
-m2n8IfaONIUaMg9opNiHxX4eu3UFaaPmn/mInuWYYMXzbIbdlU/XhKvXrujWYWj7anTDWvGQmNEe
-csQH92SrO0pf+9WwcWUQTQiWUdq8/OxjXfzs1PrQnSlp0eizgcdKHDKbCUaSuK1i2wdxfEsu5sbZ
-AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq+mjnyQSNe3s2
-4VNeGc76jbHIrkEWuA460QGqz1Fa2CsQo5SH1IkxNIKpBZWt+w2LdAza/NzYyDruY5IJCrZa9Qw=
-</ds:X509Certificate>
-        </ds:X509Data>
+          <ds:X509Certificate>
+MIID9DCCAlygAwIBAgIJAIW1yx9Mk7PoMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
+BAMTD21pZHBvaW50LXNlcnZlcjAeFw0yMDEyMDkxNjA3MjJaFw00MDEyMDQxNjA3
+MjJaMBoxGDAWBgNVBAMTD21pZHBvaW50LXNlcnZlcjCCAaIwDQYJKoZIhvcNAQEB
+BQADggGPADCCAYoCggGBAOg1IYyqfHrEAjlr0kjPwKcZsPjqqmZQEe9SJm32ilF+
+irV46G79d/9kpN7lKQI2pE7x0BN0HnQ4u4Xbin97hpIr2gWjFM8KfhcPVR4pXDWl
+CHDGD4ClbAyyVLRh48BLWjAwcYyKQSU4K0ZFVD4E7OGfLRfN/brOt6VvOOps+mZK
+0coQfOJL5DaFjEVQPiLpaO7jJYSZ8/gpjmb4i3bCJ/xj8hJWr0fTe7AO+O4G5szK
+xT4A2W9glKAidRNyWbTaGHbXDk2YcXlbPSx3e9CqBRQSVu8wPUVHfBGb9F/N4QFW
+zqhOTYu5YOBqt/2feAftboGr3KCYALC2aQjiqaWtNs8Ejs+9f5KGC3qYT6uutFU9
+tZevzGfvJRx8apQAIrPeI3pxNOn2+nyiHdjjCLotGfmuoRTqd2JjP7aP1QPu+e08
+BZRA2+P/rZEVND6L+5YFhCEljBt+d+iXuw/OTFs7TkmEBR0qX12c7JdHRGlONF0v
+6x4EB88GFkBEJLG8DQFZhwIDAQABoz0wOzAaBgNVHREEEzARgg9taWRwb2ludC1z
+ZXJ2ZXIwHQYDVR0OBBYEFDV/6G0zCgqnARcuL8S1tWiz+LL9MA0GCSqGSIb3DQEB
+CwUAA4IBgQDncP3twqQ1ke2i3OR1bPzBJC4VV8gTCmqOLWqVW2l5TLFWzk0fxoKi
+gnzkHDGGGOzPjOLFR+9nV0uctmUKUj7A2p9NETYfGUWGt2wSBXS8QjQihxOi4ffI
+/VFWJiUct2dzUxb1U6BSqrl/CHi+0dDgm8JDhqe/sOrgnVdKzWNiCGMVqiTgcL4r
+xLp7ndeFLFhtgO81LEXcEIBgOkH08hTQBzmJNOQugGtk4IdxMr2LFPbTggmiH1I7
+Zdo2pkTcRNwQsLuZ0WT3Y83bu9eRDkFppV9++AMRl+WpdTCTJwLBSDNGok20IrUS
+qMXLT+mGQ+7q7NYr49dQRMRjxFCJ42vO0ZJcr3Fzh1Y0uMWRWH1/RdLpKt2MOVyz
+be8ac/gO/kWAGk2UTg0YRu6JZNo9R/U3C0mMRVOrlvy7GCj4mgDGWW/mUXXrrDQK
+whxaadNg9gY4vUHozDULByHhWd4qMUi2LimjmosWnXrUxDGAV7KwkMLlnsS02HiF
+swAqI5MX1PE=
+		</ds:X509Certificate>
+       </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>
+MIID9DCCAlygAwIBAgIJALFh7uXJgyS+MA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
+BAMTD21pZHBvaW50LXNlcnZlcjAeFw0yMDEyMDkxNjA3MjlaFw00MDEyMDQxNjA3
+MjlaMBoxGDAWBgNVBAMTD21pZHBvaW50LXNlcnZlcjCCAaIwDQYJKoZIhvcNAQEB
+BQADggGPADCCAYoCggGBAL8R/VkQX7Rji6f+hSLU0PnzjnJQ/DmWGlUW0EGE2x1t
+cyXGyavo20eDhd0WNpfqsyxot4KmD2SLKEbcXoqo2pt6gpm+bxWiUKoHHLVGIEvu
+cyI30HfFYN7akAO2QL7Oed4CWg6boFFiDtVnsqU3UPw1zVPesz1SVY1CNxfA4VCi
+XPpbkeH74SDIZkigZtba24b9ZDGGhhYjqFUvCB9ADfDwD8fOuph0bLHN8qzoB72T
+8ZgUUPdUqYz775yoYBnjnVJycGxC26DLh8F9c4kNfsc1UaPTfLievcPD7ELZk+91
+/vQrNbrGDbhZ/irc5Jk/IFWghN3ANG3AQvpOd/syJJvkyxRdAX5dVJvkplskNmpH
+Ko1uECv2JQEFl6jY/21nizkPsoocC+djOX6yrvLSQAwZ0nvstKbxlWmpNrjHTvBr
+Co0RS1NyCCdbfcrHR9dAeBRIATFnItv9xs0KDS6RW9qZnNX/svcGdEiGQtDcVc3o
+fZVomwzeZQa71UA7T+nEowIDAQABoz0wOzAaBgNVHREEEzARgg9taWRwb2ludC1z
+ZXJ2ZXIwHQYDVR0OBBYEFAee9h1HZSSn83oSD5Reg7WPJ5eRMA0GCSqGSIb3DQEB
+CwUAA4IBgQCAnG+pW2ZdVTjnNeONL3wUsDgnITcz/+HozB9hdyLIvCLtUXzs4csy
+sbZLtwTMY4r1VsbKXGqszjrP0QK/5N6z8IWnkoyA5L4MvdtHRQlXxwUMUC4OctAk
+XZJraQtWhFUR71ZM4d1we88yEjla2MZ8SAsOk3H2k5Ls/LVyEXY6T+uln4De0/Dk
+4lJv3OKabkFRX4+3z2b7sCyyCkwOzIfdaF8J+PD39h9GFUHKy/DwTX25KkSA3TRI
+YfXO+sneir8aEME6JgdLLMEt+lIPXG92FkWOCxRF4Ji0OKqGJ5ROtcrII6/Ii4jK
+skpa/OXv1g5NKTSJ98+3YOK4RLf9namMsdbc/ndRR5LRUkwjxCbEz0iSSlWFDjca
+b8VZfbg4GW4hEg5yAE9PvIs8vbeCL+dnKSYESYENW9OJ1Mv/o9GFoCd/U6ec4uWY
+id1FQaV1SczfdvhksQ7csSl3TcHJ+rw4jBC23RjpILV7Vw1Y7Cx02SsJ/BFnqjRq
+LvCM5Tz1Nt4=
+		</ds:X509Certificate>
+       </ds:X509Data>
       </ds:KeyInfo>
       <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
       <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
@@ -64,8 +92,15 @@ AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq+mjnyQSNe3s2
       <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
       <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
     </md:KeyDescriptor>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/midpoint/auth/gui-default/mySamlSso/logout/alias/midpointdemo-shibbolet"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/midpoint/auth/gui-default/mySamlSso/SSO/alias/midpointdemo-shibboleth" index="1"/>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/SAML2/Artifact" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/SAML2/ECP" index="4"/>
   </md:SPSSODescriptor>
 
-</md:EntityDescriptor>
+</md:EntityDescriptor>
\ No newline at end of file
diff --git a/Workbench/midpoint_server/Dockerfile b/Workbench/midpoint_server/Dockerfile
index f818701..cd162ee 100644
--- a/Workbench/midpoint_server/Dockerfile
+++ b/Workbench/midpoint_server/Dockerfile
@@ -8,3 +8,18 @@ RUN mkdir ${MP_DIR}/csv
 VOLUME ${MP_DIR}/var
 
 COPY container_files/mp-home/ ${MP_DIR}/var/
+
+#Shibb SP
+COPY container_files/shibboleth/ /etc/shibboleth/
+COPY container_files/httpd/shib.conf /etc/httpd/conf.d
+
+#set dynamic hostname
+COPY container_files/system/setservername.sh /usr/local/bin/
+RUN chmod 755 /usr/local/bin/setservername.sh
+#set hostname
+RUN /usr/local/bin/setservername.sh
+
+COPY container_files/supervisor/supervisord.conf /etc/supervisor/
+
+#set shib auth in apache
+RUN mv /etc/httpd/conf.d/midpoint.conf /etc/httpd/conf.d/midpoint.conf.default && mv /etc/httpd/conf.d/midpoint.conf.auth.shibboleth /etc/httpd/conf.d/midpoint.conf
diff --git a/Workbench/midpoint_server/container_files/httpd/shib.conf b/Workbench/midpoint_server/container_files/httpd/shib.conf
new file mode 100644
index 0000000..e7bc2e1
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/httpd/shib.conf
@@ -0,0 +1,58 @@
+# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
+
+# RPM installations on platforms with a conf.d directory will
+# result in this file being copied into that directory for you
+# and preserved across upgrades.
+
+# For non-RPM installs, you should copy the relevant contents of
+# this file to a configuration location you control.
+
+#
+# Load the Shibboleth module.
+#
+LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
+
+#
+# Turn this on to support "require valid-user" rules from other
+# mod_authn_* modules, and use "require shib-session" for anonymous
+# session-based authorization in mod_shib.
+#
+ShibCompatValidUser Off
+
+#
+# Ensures handler will be accessible.
+#
+<Location /MPSSO/Shibboleth.sso>
+  AuthType None
+  Require all granted
+  SetHandler shib
+</Location>
+
+#
+# Used for example style sheet in error templates.
+#
+<IfModule mod_alias.c>
+  <Location /shibboleth-sp>
+    AuthType None
+    Require all granted
+  </Location>
+  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
+</IfModule>
+
+#
+# Configure the module for content.
+#
+# You MUST enable AuthType shibboleth for the module to process
+# any requests, and there MUST be a require command as well. To
+# enable Shibboleth but not specify any session/access requirements
+# use "require shibboleth".
+#
+<Location /secure>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  require shibboleth
+</Location>
+
+#for midpoint
+RewriteRule   "^/midpoint/$"  "/midpoint/auth/shib"  [R]
+
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml
index 74fd191..d10c821 100644
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml
@@ -63,7 +63,7 @@
                 <amqp091>
                     <uri>amqp://mq:5672</uri>
                     <username>guest</username>
-                    <password>guest</password>
+                    <password>password</password>
                     <queue>sampleQueue</queue>
                 </amqp091>
             </conf:sources>
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml
index 4b39fd3..83e7c3c 100644
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml
@@ -28,7 +28,7 @@
                     <singleLogoutEnabled>true</singleLogoutEnabled>
                     <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
                     <keys>
-                        <activeKeyStoreKey>
+			<activeKeyStoreKey>
     				<keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath>
     				<keyStorePassword>
         				<t:clearValue>changeit</t:clearValue>
@@ -63,19 +63,24 @@
                     </provider>
                 </serviceProvider>
             </saml2>
+            <httpHeader>
+              <name>httpHeader</name>
+              <logoutUrl>https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/Logout</logoutUrl>
+              <usernameHeader>uid</usernameHeader>
+            </httpHeader>
         </modules>
         <sequence>
-            <name>admin-gui-default</name>
+            <name>admin-gui-saml-internal</name>
             <description>
-                Default GUI authentication sequence.
+                Internal SAML2 GUI authentication sequence.
             </description>
             <channel>
-                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
-                <default>true</default>
-                <urlSuffix>gui-default</urlSuffix>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
+                <default>false</default>
+                <urlSuffix>saml-internal</urlSuffix>
             </channel>
             <module>
-                <name>internalLoginForm</name>
+                <name>mySamlSso</name>
                 <order>30</order>
                 <necessity>sufficient</necessity>
             </module>
@@ -86,7 +91,7 @@
                 Special GUI authentication sequence that is using just the internal user password.
             </description>
             <channel>
-                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
                 <default>false</default>
                 <urlSuffix>emergency</urlSuffix>
             </channel>
@@ -98,13 +103,29 @@
                 <necessity>sufficient</necessity>
             </module>
         </sequence>
+        <sequence>
+            <name>admin-gui-default</name>
+            <description>
+                Special GUI authentication sequence that is using Shibboleth SP
+            </description>
+            <channel>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
+                <default>true</default>
+                <urlSuffix>shib</urlSuffix>
+            </channel>
+            <module>
+                <name>httpHeader</name>
+                <order>30</order>
+                <necessity>sufficient</necessity>
+            </module>
+        </sequence>
         <sequence>
             <name>rest</name>
             <description>
                 Authentication sequence for REST service.
             </description>
             <channel>
-                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#rest</channelId>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
                 <default>true</default>
                 <urlSuffix>rest-default</urlSuffix>
             </channel>
@@ -120,7 +141,7 @@
                 Authentication sequence for actuator.
             </description>
             <channel>
-                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#actuator</channelId>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId>
                 <default>true</default>
                 <urlSuffix>actuator-default</urlSuffix>
             </channel>
@@ -145,4 +166,4 @@
     </credentials>
 </securityPolicy>
 
-</objects>
+</objects>
\ No newline at end of file
diff --git a/Workbench/midpoint_server/container_files/shibboleth/attribute-map.xml b/Workbench/midpoint_server/container_files/shibboleth/attribute-map.xml
new file mode 100644
index 0000000..5924514
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/shibboleth/attribute-map.xml
@@ -0,0 +1,168 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+
+    <!-- New standard identifier attributes for SAML. -->
+
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <!-- The most typical eduPerson attributes. -->
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
+    <!--
+    Legacy pairwise identifier attribute / NameID format, intended to be replaced by the
+    simpler pairwise-id attribute (see top of file).
+    -->
+
+    <!-- The eduPerson attribute version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- The SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Other eduPerson attributes (SAML 2 names followed by SAML 1 names)... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+    -->
+
+    <!-- Older LDAP-defined attributes (SAML 2.0 names followed by SAML 1 names)... -->
+    <!--
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    -->
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <!--
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+    -->
+
+    <!-- SCHAC attributes... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="schacPersonalUniqueCode">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="schacPersonalUniqueID"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="schacUserStatus">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.20" id="schacProjectMembership">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.21" id="schacProjectSpecificRole">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    -->
+
+</Attributes>
\ No newline at end of file
diff --git a/Workbench/midpoint_server/container_files/shibboleth/shibboleth2.xml b/Workbench/midpoint_server/container_files/shibboleth/shibboleth2.xml
new file mode 100644
index 0000000..b43f001
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/shibboleth/shibboleth2.xml
@@ -0,0 +1,112 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    clockSkew="180">
+
+    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
+  
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://midpointdemo/shibboleth"
+        REMOTE_USER="uid eppn subject-id pairwise-id persistent-id"
+        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
+        and should be a relative path, with the SP computing the full value based on the virtual
+        host. Using handlerSSL="true" will force the protocol to be https. You should also set
+        cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
+        "false", this makes an assertion stolen in transit easier for attackers to misuse.
+        -->
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" handlerURL="/MPSSO/Shibboleth.sso"
+                  checkAddress="false" handlerSSL="true" cookieProps="https"
+                  redirectLimit="exact">
+
+            <!--
+            Configures SSO for a default IdP. To properly allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+            <SSO entityID="https://idptestbed/idp/shibboleth">
+              SAML2
+            </SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+
+            <!-- Administrative logout. -->
+            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
+          
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add your own attributes with values that can be plugged into the
+        templates, e.g., helpLocation below.
+        -->
+        <Errors supportContact="root@localhost"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+
+        <!-- Example of locally maintained metadata. -->
+        <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
+
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <!--
+        <MetadataProvider type="XML" validate="true"
+	            url="http://federation.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+              attributeName="http://macedir.org/entity-category"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="http://refeds.org/category/hide-from-discovery" />
+        </MetadataProvider>
+        -->
+
+        <!-- Example of remotely supplied "on-demand" signed metadata. -->
+        <!--
+        <MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
+	            baseUrl="http://mdq.federation.org" ignoreTransport="true">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="mdqsigner.pem" />
+        </MetadataProvider>
+        -->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
+        <CredentialResolver type="File" use="signing"
+            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+        <CredentialResolver type="File" use="encryption"
+            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
+        
+    </ApplicationDefaults>
+    
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
diff --git a/Workbench/midpoint_server/container_files/shibboleth/shibd.logger b/Workbench/midpoint_server/container_files/shibboleth/shibd.logger
new file mode 100644
index 0000000..d3b26cd
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/shibboleth/shibd.logger
@@ -0,0 +1,60 @@
+# set overall behavior
+log4j.rootCategory=INFO, shibd_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+#log4j.category.XMLTooling.SOAPClient=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# logs XML being signed or verified if set to DEBUG
+log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
+log4j.additivity.XMLTooling.Signature.Debugger=false
+
+# the tran log blocks the "default" appender(s) at runtime
+# Level should be left at INFO for this category
+log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
+log4j.additivity.Shibboleth-TRANSACTION=false
+# uncomment to suppress particular event types
+#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
+#log4j.category.Shibboleth-TRANSACTION.Login=WARN
+#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
+
+# define the appenders
+
+log4j.appender.shibd_log=org.apache.log4j.FileAppender
+log4j.appender.shibd_log.fileName=/tmp/logpipe
+log4j.appender.shibd_log.maxFileSize=0
+log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.shibd_log.layout.ConversionPattern=shibd;shibd.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.tran_log=org.apache.log4j.FileAppender
+log4j.appender.tran_log.fileName=/tmp/logpipe
+log4j.appender.tran_log.maxFileSize=0
+log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.tran_log.layout.ConversionPattern=shibd;transaction.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.sig_log=org.apache.log4j.FileAppender
+log4j.appender.sig_log.fileName=/tmp/logpipe
+log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.sig_log.layout.ConversionPattern=shibd;signature.log;${ENV};${USERTOKEN};%m
+
diff --git a/Workbench/midpoint_server/container_files/shibboleth/sp-encrypt-cert.pem b/Workbench/midpoint_server/container_files/shibboleth/sp-encrypt-cert.pem
new file mode 100644
index 0000000..00eeba0
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/shibboleth/sp-encrypt-cert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID9DCCAlygAwIBAgIJALFh7uXJgyS+MA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
+BAMTD21pZHBvaW50LXNlcnZlcjAeFw0yMDEyMDkxNjA3MjlaFw00MDEyMDQxNjA3
+MjlaMBoxGDAWBgNVBAMTD21pZHBvaW50LXNlcnZlcjCCAaIwDQYJKoZIhvcNAQEB
+BQADggGPADCCAYoCggGBAL8R/VkQX7Rji6f+hSLU0PnzjnJQ/DmWGlUW0EGE2x1t
+cyXGyavo20eDhd0WNpfqsyxot4KmD2SLKEbcXoqo2pt6gpm+bxWiUKoHHLVGIEvu
+cyI30HfFYN7akAO2QL7Oed4CWg6boFFiDtVnsqU3UPw1zVPesz1SVY1CNxfA4VCi
+XPpbkeH74SDIZkigZtba24b9ZDGGhhYjqFUvCB9ADfDwD8fOuph0bLHN8qzoB72T
+8ZgUUPdUqYz775yoYBnjnVJycGxC26DLh8F9c4kNfsc1UaPTfLievcPD7ELZk+91
+/vQrNbrGDbhZ/irc5Jk/IFWghN3ANG3AQvpOd/syJJvkyxRdAX5dVJvkplskNmpH
+Ko1uECv2JQEFl6jY/21nizkPsoocC+djOX6yrvLSQAwZ0nvstKbxlWmpNrjHTvBr
+Co0RS1NyCCdbfcrHR9dAeBRIATFnItv9xs0KDS6RW9qZnNX/svcGdEiGQtDcVc3o
+fZVomwzeZQa71UA7T+nEowIDAQABoz0wOzAaBgNVHREEEzARgg9taWRwb2ludC1z
+ZXJ2ZXIwHQYDVR0OBBYEFAee9h1HZSSn83oSD5Reg7WPJ5eRMA0GCSqGSIb3DQEB
+CwUAA4IBgQCAnG+pW2ZdVTjnNeONL3wUsDgnITcz/+HozB9hdyLIvCLtUXzs4csy
+sbZLtwTMY4r1VsbKXGqszjrP0QK/5N6z8IWnkoyA5L4MvdtHRQlXxwUMUC4OctAk
+XZJraQtWhFUR71ZM4d1we88yEjla2MZ8SAsOk3H2k5Ls/LVyEXY6T+uln4De0/Dk
+4lJv3OKabkFRX4+3z2b7sCyyCkwOzIfdaF8J+PD39h9GFUHKy/DwTX25KkSA3TRI
+YfXO+sneir8aEME6JgdLLMEt+lIPXG92FkWOCxRF4Ji0OKqGJ5ROtcrII6/Ii4jK
+skpa/OXv1g5NKTSJ98+3YOK4RLf9namMsdbc/ndRR5LRUkwjxCbEz0iSSlWFDjca
+b8VZfbg4GW4hEg5yAE9PvIs8vbeCL+dnKSYESYENW9OJ1Mv/o9GFoCd/U6ec4uWY
+id1FQaV1SczfdvhksQ7csSl3TcHJ+rw4jBC23RjpILV7Vw1Y7Cx02SsJ/BFnqjRq
+LvCM5Tz1Nt4=
+-----END CERTIFICATE-----
diff --git a/Workbench/midpoint_server/container_files/shibboleth/sp-encrypt-key.pem b/Workbench/midpoint_server/container_files/shibboleth/sp-encrypt-key.pem
new file mode 100644
index 0000000..730cdc3
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/shibboleth/sp-encrypt-key.pem
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQC/Ef1ZEF+0Y4un
+/oUi1ND5845yUPw5lhpVFtBBhNsdbXMlxsmr6NtHg4XdFjaX6rMsaLeCpg9kiyhG
+3F6KqNqbeoKZvm8VolCqBxy1RiBL7nMiN9B3xWDe2pADtkC+znneAloOm6BRYg7V
+Z7KlN1D8Nc1T3rM9UlWNQjcXwOFQolz6W5Hh++EgyGZIoGbW2tuG/WQxhoYWI6hV
+LwgfQA3w8A/HzrqYdGyxzfKs6Ae9k/GYFFD3VKmM+++cqGAZ451ScnBsQtugy4fB
+fXOJDX7HNVGj03y4nr3Dw+xC2ZPvdf70KzW6xg24Wf4q3OSZPyBVoITdwDRtwEL6
+Tnf7MiSb5MsUXQF+XVSb5KZbJDZqRyqNbhAr9iUBBZeo2P9tZ4s5D7KKHAvnYzl+
+sq7y0kAMGdJ77LSm8ZVpqTa4x07wawqNEUtTcggnW33Kx0fXQHgUSAExZyLb/cbN
+Cg0ukVvamZzV/7L3BnRIhkLQ3FXN6H2VaJsM3mUGu9VAO0/pxKMCAwEAAQKCAYB2
+cj1+3+KkXe1uaB66d/lQacbNYRzqyf1q8CiL5UM8G+R8752Hf2OoEoWCh8myJWGL
+TyMrz6vNJWMDgortJD3Yknqxulb8r1GYBa6rRVyyFZC0DquiA+7IV+9dDbdXUYJE
+uWqAkcMxkDsn2g/p0b/XibbOnki44/h7CChFBmHm7a/715Y45D8sZm7Z6O23lZbv
+ONfKx90JjnNE01ISpU+/I+J0d9g+uDXFh6k/vNtHj5X+M+H5YTd2WZuxnsNsaSfC
+d0cZZlzKAF7wrzr0i0OqyO4FXYOiud/hcIZv9m+cdJFCZ3nKXWSFrMTMAxavx0IQ
+ylHDHDHXQElmSufpAWLCaGDsOZNl4f30T1cyVbjjImmtCyYOuyBpQ2qwCLRHYftJ
+YdAx9gj81zprTfBrII0YfxqUbKSVh4qSwIk89mpN/mqZK85+KVZLHEPLUSvnOR/I
+PGEkLPFpf7UpYzyIpe5isUNMymCGhK4AMg8z8tT/lsOc28P1S5LRzbM3WnqCjBkC
+gcEA+fh+wHLJqwUpOcLIPUcTy3yJAz6kkhrWOCB7Oh7GRPtqY+3k+EHC0vsMZWMi
+farUhwoM05/eEIBUwLg3xtAXiOLJ3OQJ3f3oCMXCb9jyzWv9H6V4yq29PpgTpqLY
+qym2VGO1Fy/cBMAoV9Ma+UUqivnAJB2PPfN6I1i9TMK63EDlQ+iPuytvcLky6vVt
+4L/I03ZNlCvSEijMYPNn4D3nJmXBzSS8+6ngK8ElUzvyrXIh6i63PhcBnZm5DPTf
+kfH9AoHBAMOtzLD22l/nzDJIj/zmtdqrCR/x3PG1LrwZQAUjiFC3eilV+JAC4owW
+QbxAV+UjE55eS9ipdW0vSo2eQIhodGC9KWiOUxRgO1DrCMiJdLGivq6PsMsq4hbN
+ZTyliuQaSdkaJpjsgjyhOBcPsingG4ppewDJrTaOiU4Llt7pDZBZ2tVDrdByLEdw
+X++FybQH5XQ/rk4YE032LnhCimNJiZuCoJch/hxytiVm/CUDGkNXVF48P2iGhdNb
+J7GCc92DHwKBwC1HPLZhVHQ88BW9WYX3/Pbr7OmAjFDGuaza/Vcuwd026TOGoOXz
+C3Yp8TngNhwrOGnpgR9IIvI8PJ3YAIproQezhLsVN1BVsJT+NVULKBfbirMTxwh3
+ZgMTiuOxNavzV0p78Q5tJd5abDRUUdt7EtSvnoUsMYkYNDR423kvAKfqvVyKoJZX
+rMzvTvDOWgPO2XKsSCshsOCHMVYSYOt2awtCfVNKZ0zynV9vkfI8tp2CQfBoW9rM
+UgeZE7LsHB8UhQKBwQCGFdYpfT3ucfvuiOKBveXnTUQXa7imuCyqH/NKkiqahN9k
+69BDfnaW37lzsfOIxBxxbNQ0Rwp8IufHWyWFU25Ly9NQHha346lBrYx7PhWEk6xu
+GXBgB6adUWmJwTYHUCxCZDUGnSoxOZgh1VOUdkjo85ah15Clzc4weKiNXs04mRnn
+AVVdfJ7y5QIYM2kfwDlvCyP5x22TApqdNZt2pbFxqnU4msZx3/kIcCVfh1y7wF/D
+oy0gBu41AkWU0Xtr0qkCgcAQRTNt7D998VCStGeJ/fxrrrELbWKcs/tHU0Br3kfi
+Rr/+O1wVp4IfE/yWAKLh98L+9PeRSIta9VsE7wbosOwhE5H++uutTSrHAJ9dSpYl
+LjX5TTR4yrPq7h83KOpaOduwKLm6mQgU8D+zTBO/4NThwQht2E05jsOJEQxhb5qX
+ZghUEGoJX7fIVrS0c+N1CdwvTuL/zI6VpH3HU//0fY6aRWOJGDyxpR814PNKYic7
+jVCd9VmPNAWO0sflg8xvINE=
+-----END PRIVATE KEY-----
diff --git a/Workbench/midpoint_server/container_files/shibboleth/sp-signing-cert.pem b/Workbench/midpoint_server/container_files/shibboleth/sp-signing-cert.pem
new file mode 100644
index 0000000..14726b6
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/shibboleth/sp-signing-cert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID9DCCAlygAwIBAgIJAIW1yx9Mk7PoMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
+BAMTD21pZHBvaW50LXNlcnZlcjAeFw0yMDEyMDkxNjA3MjJaFw00MDEyMDQxNjA3
+MjJaMBoxGDAWBgNVBAMTD21pZHBvaW50LXNlcnZlcjCCAaIwDQYJKoZIhvcNAQEB
+BQADggGPADCCAYoCggGBAOg1IYyqfHrEAjlr0kjPwKcZsPjqqmZQEe9SJm32ilF+
+irV46G79d/9kpN7lKQI2pE7x0BN0HnQ4u4Xbin97hpIr2gWjFM8KfhcPVR4pXDWl
+CHDGD4ClbAyyVLRh48BLWjAwcYyKQSU4K0ZFVD4E7OGfLRfN/brOt6VvOOps+mZK
+0coQfOJL5DaFjEVQPiLpaO7jJYSZ8/gpjmb4i3bCJ/xj8hJWr0fTe7AO+O4G5szK
+xT4A2W9glKAidRNyWbTaGHbXDk2YcXlbPSx3e9CqBRQSVu8wPUVHfBGb9F/N4QFW
+zqhOTYu5YOBqt/2feAftboGr3KCYALC2aQjiqaWtNs8Ejs+9f5KGC3qYT6uutFU9
+tZevzGfvJRx8apQAIrPeI3pxNOn2+nyiHdjjCLotGfmuoRTqd2JjP7aP1QPu+e08
+BZRA2+P/rZEVND6L+5YFhCEljBt+d+iXuw/OTFs7TkmEBR0qX12c7JdHRGlONF0v
+6x4EB88GFkBEJLG8DQFZhwIDAQABoz0wOzAaBgNVHREEEzARgg9taWRwb2ludC1z
+ZXJ2ZXIwHQYDVR0OBBYEFDV/6G0zCgqnARcuL8S1tWiz+LL9MA0GCSqGSIb3DQEB
+CwUAA4IBgQDncP3twqQ1ke2i3OR1bPzBJC4VV8gTCmqOLWqVW2l5TLFWzk0fxoKi
+gnzkHDGGGOzPjOLFR+9nV0uctmUKUj7A2p9NETYfGUWGt2wSBXS8QjQihxOi4ffI
+/VFWJiUct2dzUxb1U6BSqrl/CHi+0dDgm8JDhqe/sOrgnVdKzWNiCGMVqiTgcL4r
+xLp7ndeFLFhtgO81LEXcEIBgOkH08hTQBzmJNOQugGtk4IdxMr2LFPbTggmiH1I7
+Zdo2pkTcRNwQsLuZ0WT3Y83bu9eRDkFppV9++AMRl+WpdTCTJwLBSDNGok20IrUS
+qMXLT+mGQ+7q7NYr49dQRMRjxFCJ42vO0ZJcr3Fzh1Y0uMWRWH1/RdLpKt2MOVyz
+be8ac/gO/kWAGk2UTg0YRu6JZNo9R/U3C0mMRVOrlvy7GCj4mgDGWW/mUXXrrDQK
+whxaadNg9gY4vUHozDULByHhWd4qMUi2LimjmosWnXrUxDGAV7KwkMLlnsS02HiF
+swAqI5MX1PE=
+-----END CERTIFICATE-----
diff --git a/Workbench/midpoint_server/container_files/shibboleth/sp-signing-key.pem b/Workbench/midpoint_server/container_files/shibboleth/sp-signing-key.pem
new file mode 100644
index 0000000..75213d6
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/shibboleth/sp-signing-key.pem
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/wIBADANBgkqhkiG9w0BAQEFAASCBukwggblAgEAAoIBgQDoNSGMqnx6xAI5
+a9JIz8CnGbD46qpmUBHvUiZt9opRfoq1eOhu/Xf/ZKTe5SkCNqRO8dATdB50OLuF
+24p/e4aSK9oFoxTPCn4XD1UeKVw1pQhwxg+ApWwMslS0YePAS1owMHGMikElOCtG
+RVQ+BOzhny0Xzf26zrelbzjqbPpmStHKEHziS+Q2hYxFUD4i6Wju4yWEmfP4KY5m
++It2wif8Y/ISVq9H03uwDvjuBubMysU+ANlvYJSgInUTclm02hh21w5NmHF5Wz0s
+d3vQqgUUElbvMD1FR3wRm/RfzeEBVs6oTk2LuWDgarf9n3gH7W6Bq9ygmACwtmkI
+4qmlrTbPBI7PvX+Shgt6mE+rrrRVPbWXr8xn7yUcfGqUACKz3iN6cTTp9vp8oh3Y
+4wi6LRn5rqEU6ndiYz+2j9UD7vntPAWUQNvj/62RFTQ+i/uWBYQhJYwbfnfol7sP
+zkxbO05JhAUdKl9dnOyXR0RpTjRdL+seBAfPBhZARCSxvA0BWYcCAwEAAQKCAYEA
+i4EoF8dxI5xQrci+PCo8VufTb6gkGXWvYLVdCyFb9hvtH5t1IQE8r336o0LPwVms
+mxUh6h4QEcjnuEKuUWqX7YdU46AXZ0+pcxcuDwHQORZeHMqRE7vOT05wHzLUTnm2
+xE7GWSXSf5bgQMZ0FxKEcgRcZfnGnw2EPWq1qfkw8nWu1hPTw2zOvYa8QAQ2YGkU
+NrjWmHSZoxTsTaayuvVoanRtQWE8yw0eOSa1nOMelBiaKWb/Oq+uewpYhgdkJ4gC
+l42/ISith815pwwKlQx+2RkL88PflCbou37+x5PqXQyC5UfLS79WktpsP0Y+VsuK
++22/iSRbRb+9ZVR+hBNVKBaNJ31nDJf892E8sG/VcejxYktTPLaMQJ9bC8nHe5zG
+8c0B3a4p5hbScJUFt6tNGFPTq4Ca4i5DNa7vQ7SezoMLp+NeuWkZ4V1haJL7KYta
+7fpeeYh6k4orcng0wkU10//Ssb7pl7v92x8ZBW9AX3867Sj6lTkewMFgEXw0bPHR
+AoHBAPoLM7yd/Tv8Kg4T5GVOKzfuzyK7pRHQfrvcjL6DJ1cMDx5U2yZt9F/1hvvS
+M/RwlBB5Je6ngBaDCYqfZKe+4WKosfwj2a6ENyeRQ8CsyE/MBjoDuaQphYyVHlDJ
+mH5feihYSgHmT52LyLalggMY8apJcONzsTGfeCECIPY/+dLPeZdST1rIdghvmp9C
++55NGY95wJQ9u4i9YWEygL0VA3sAgxw5atmR3pop5UafIxhTWa7k0e2dyJTvNTBr
+pfzo/wKBwQDtvSlYG3kKoWDW2AsRgh85msMmPdbzbJtV3dGo2wkjbGwHmZeC+MT1
+ia9QtLXv/O30Ye5JhPU7qaerqO2QPPW5rnlxycjiTautrrRdhBCq8P2bwsfyaV/S
+naB3y5GNt7SjA5ZEPhsIzIGfrcem3OLdlhHXEpBqHgK9Loj8seCevS65lbWT2PNC
+t5D86q9NK/VypFjuw4IY/Xyc2qXe/KWUH0u3KPeKnov7blh3sdT/cx+uNEJD7Snq
+gOpqP/+nx3kCgcEAw8dVoQ/LIdaVTySAJloIOOlBQh7OZp5rPMi5YsnqWZvVkpg6
+Z2Kcfy4NnMq/Z1tmc2eILc702auMIwAencE1VDxl79haLuzTCqYQ+KHQzbof/fjA
+uCrSqHpxnCvcvMYhLcnDWK1uFRtH8sqwe6BiSETsoQsK6KHGO4IhMO5yu3874yHN
+hHWFBaHs3VpjDVWs98wK34deePhfcO1MI8B6UyrZfZXvdZ9jPi4jmSItJnTMucXs
+ITLzxLlvWhRPiTEdAoHANzybLZB8iB7EvEZIFBJSpPSzYOA/YCGc2c+HFh+GOQfI
+9d8W1+RrBs2twSermg3/T6etUMGmpO0fOwAt6jRvt2u1Zd3HYeU//UO5Pn0fzkfd
+9OHFySn4jJv5G7xdnjrPqox7znFLoLi7aVlcKQXrZCapEHqMuUstwbzdMTE3CkrU
+X2RMYwSmSJsUAd+ZSWnsRm2vCBK+2IWU/XDD11KGOisnUXAgS8HYrluODIlx/sRF
+2RjlSJkDAyxeyr8B7H6pAoHBAJ4FBMaTZ12eYMlP/z5Qo0Kuk3VtCoFPDIPOWKSw
+Akk5rYTTBbejelJoZ0iS+5jpXqNEekuypAxeUls67lTtD03qkI8lmghZ9bXgi47p
++Fa79GzwSlmHo5HRNwLvP7Sbt6Lr9m8MGgFJEXEfUlYGoAEWlbomrqrw0dfQwRP6
+uq5dIX1hZzP3wqNiZghCA/jluJ3IceJb2WTpm83tMYGhBwFzajc4STLEjKs3PXSL
+pzgaHvdjpIAoT8/ZPX4skasdqQ==
+-----END PRIVATE KEY-----
diff --git a/Workbench/midpoint_server/container_files/supervisor/supervisord.conf b/Workbench/midpoint_server/container_files/supervisor/supervisord.conf
new file mode 100644
index 0000000..4a6b5fa
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/supervisor/supervisord.conf
@@ -0,0 +1,32 @@
+[supervisord]
+logfile=/tmp/logsuperd
+logfile_maxbytes=0
+loglevel=error
+nodaemon=true
+user=root
+
+[program:httpd]
+command=/bin/bash -c "/usr/local/bin/start-httpd.sh"
+stdout_logfile=/tmp/loghttpd
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+
+[program:midpoint]
+command=/bin/bash -c "/usr/local/bin/start-midpoint.sh"
+stdout_logfile=/dev/fd/2
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+autorestart=false
+
+[program:shibboleth]
+command=/usr/sbin/shibd -f
+stdout_logfile=/dev/fd/2
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+autorestart=false
+
+[program:crond]
+command=/usr/sbin/crond -n -i -m off
+stdout_logfile=/tmp/logcrond
+stdout_logfile_maxbytes=0
+redirect_stderr=true
\ No newline at end of file
diff --git a/Workbench/midpoint_server/container_files/system/setservername.sh b/Workbench/midpoint_server/container_files/system/setservername.sh
new file mode 100644
index 0000000..9f091a0
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/system/setservername.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+files="/opt/midpoint/var/post-initial-objects/securityPolicy/000-security-policy.xml"
+
+for file in $files
+  do
+    sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+  done
\ No newline at end of file
diff --git a/Workbench/webproxy/container_files/httpd/proxy.conf b/Workbench/webproxy/container_files/httpd/proxy.conf
index 62e2593..b03533c 100644
--- a/Workbench/webproxy/container_files/httpd/proxy.conf
+++ b/Workbench/webproxy/container_files/httpd/proxy.conf
@@ -9,6 +9,8 @@ AllowEncodedSlashes On
 
 ProxyPass /midpoint https://midpoint-server/midpoint
 ProxyPassReverse /midpoint https://midpoint-server/midpoint
+ProxyPass /MPSSO https://midpoint-server/MPSSO
+ProxyPassReverse /MPSSO https://midpoint-server/MPSSO
 
 ProxyPass /grouper https://grouper-ui/grouper
 ProxyPassReverse /grouper https://grouper-ui/grouper