diff --git a/Workbench/idp/shibboleth-idp/conf/access-control.xml b/Workbench/idp/shibboleth-idp/conf/access-control.xml index e8cc5fb..1399b0d 100644 --- a/Workbench/idp/shibboleth-idp/conf/access-control.xml +++ b/Workbench/idp/shibboleth-idp/conf/access-control.xml @@ -34,7 +34,7 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -25,7 +115,7 @@ - + @@ -37,15 +127,15 @@ - - + + - + - - - + + + - - + + + diff --git a/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml b/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml index cd2fb55..a3f3451 100644 --- a/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml +++ b/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml @@ -1,4 +1,14 @@ + + @@ -24,55 +35,91 @@ - - - + + + + + + + - - - - - + + useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}" + connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}" + responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}" + connectionStrategy="%{idp.attribute.resolver.LDAP.connectionStrategy}" + noResultIsError="true" + multipleResultsIsError="true" + excludeResolutionPhases="c14n/attribute" + exportAttributes="mail displayName sn givenName departmentNumber employeeNumber eduPersonEntitlement eduPersonAssurance"> + + + + + diff --git a/Workbench/idp/shibboleth-idp/conf/idp.properties b/Workbench/idp/shibboleth-idp/conf/idp.properties index 9a7e6fa..1710fb6 100644 --- a/Workbench/idp/shibboleth-idp/conf/idp.properties +++ b/Workbench/idp/shibboleth-idp/conf/idp.properties 
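Review bot: The LDAP DataConnector's new `exportAttributes="mail displayName sn givenName departmentNumber employeeNumber eduPersonEntitlement eduPersonAssurance"` pushes `eduPersonEntitlement` and `eduPersonAssurance` straight out of the directory as IdP attributes with no AttributeDefinition in between, so nothing in the resolver constrains or normalises their values before release. That is only safe if the attribute filter policy (not part of this diff) gates both of them per relying party; otherwise whatever an LDAP administrator writes into those entries is released verbatim as an authorization claim. I would record the dependency next to the attribute: `<!-- eduPersonEntitlement/eduPersonAssurance are exported raw from LDAP; release is governed solely by attribute-filter.xml -->`. The added `noResultIsError="true"` and `multipleResultsIsError="true"` are good defensive settings and need no change.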
@@ -1,18 +1,47 @@ -# Load any additional property resources from a comma-delimited list -idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties +# Auto-load all files matching conf/**/*.properties +# Disable if you want to manually maintain a list of sources. +idp.searchForProperties=true + +# Load any "outside-tree" property sources from a comma-delimited list +idp.additionalProperties=/credentials/secrets.properties + +# In most cases (and unless noted in the surrounding comments) the +# commented settings in the distributed files document default behavior. +# Uncomment them and change the value to change functionality. +# +# Uncommented properties are either required or ship non-defaulted. # Set the entityID of the IdP -idp.entityID= https://idptestbed/idp/shibboleth +idp.entityID=https://idptestbed/idp/shibboleth + +# Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth. +# Set to empty value to disable and return a 404. +#idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml # Set the scope used in the attribute resolver for scoped attributes -idp.scope= example.org +idp.scope=example.org # General cookie properties (maxAge only applies to persistent cookies) -#idp.cookie.secure = false +#idp.cookie.secure = true #idp.cookie.httpOnly = true #idp.cookie.domain = #idp.cookie.path = #idp.cookie.maxAge = 31536000 +# These control operation of the SameSite filter, which is off by default. +#idp.cookie.sameSite = None +#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE + +# Enable cross-site request forgery mitigation for views. +idp.csrf.enabled=true +# Name of the HTTP parameter that stores the CSRF token. 
+#idp.csrf.token.parameter = csrf_token + +# HSTS/CSP response headers +#idp.hsts = max-age=0 +# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing +#idp.frameoptions = DENY +# Content-Security-Policy value, set to match X-Frame-Options default +#idp.csp = frame-ancestors 'none'; # Set the location of user-supplied web flow definitions #idp.webflows = %{idp.home}/flows 
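Review bot: `#idp.hsts = max-age=0` leaves HSTS effectively disabled (a zero max-age is a no-op) and `#idp.cookie.secure = true` is only a comment documenting the default, so neither is actually set by this hunk even though `idp.entityID=https://idptestbed/idp/shibboleth` commits the deployment to TLS. If TLS is terminated at the IdP rather than at the webproxy, set `idp.hsts = max-age=31536000` and uncomment `idp.cookie.secure = true` explicitly so a later edit cannot silently regress it; if the proxy emits the header, say so here, e.g. `# HSTS is emitted by the webproxy container; do not duplicate it here`. Worth a note too on `idp.additionalProperties=/credentials/secrets.properties`: the path appears to be resolved relative to idp.home (the old list used the same form), and the sealer and LDAP bind passwords removed elsewhere in this diff now depend on that file being present and readable only by the IdP process.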
@@ -21,38 +50,44 @@ idp.scope= example.org #idp.views = %{idp.home}/views # Settings for internal AES encryption key +#idp.sealer.keyStrategy = shibboleth.DataSealerKeyStrategy #idp.sealer.storeType = JCEKS #idp.sealer.updateInterval = PT15M #idp.sealer.aliasBase = secret -idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks -idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver -idp.sealer.storePassword= password -idp.sealer.keyPassword= password +idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks +idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver # Settings for public/private signing and encryption key(s) # During decryption key rollover, point the ".2" properties at a second # keypair, uncomment in credentials.xml, then publish it in your metadata. -idp.signing.key= %{idp.home}/credentials/idp-signing.key -idp.signing.cert= %{idp.home}/credentials/idp-signing.crt -idp.encryption.key= %{idp.home}/credentials/idp-encryption.key -idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt +idp.signing.key=%{idp.home}/credentials/idp-signing.key +idp.signing.cert=%{idp.home}/credentials/idp-signing.crt +idp.encryption.key=%{idp.home}/credentials/idp-encryption.key +idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt #idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key #idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt # Sets the bean ID to use as a default security configuration set #idp.security.config = shibboleth.DefaultSecurityConfiguration -# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1 +# To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1 #idp.signing.config = shibboleth.SigningConfiguration.SHA256 +# The new install default for encryption is now AES-GCM. 
+idp.encryption.config=shibboleth.EncryptionConfiguration.GCM + +# Sets the default strategy for key agreement key wrap usage for credentials from metadata, +# if not otherwise configured on the security configuration +#idp.encryption.keyagreement.metadata.defaultUseKeyWrap = Default + # Configures trust evaluation of keys used by services at runtime -# Defaults to supporting both explicit key and PKIX using SAML metadata. -#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine -# To pick only one set to one of: -# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine -#idp.trust.certificates = shibboleth.ChainingX509TrustEngine -# To pick only one set to one of: -# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine +# Internal default is Chaining, overriden for new installs +idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine +# Other options: +# shibboleth.ChainingSignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine +idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine +# Other options: +# shibboleth.ChainingX509TrustEngine, shibboleth.PKIXX509TrustEngine # If true, encryption will happen whenever a key to use can be located, but # failure to encrypt won't result in request failure. @@ -60,7 +95,7 @@ idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt # Configuration of client- and server-side storage plugins #idp.storage.cleanupInterval = PT10M -#idp.storage.htmlLocalStorage = false +idp.storage.htmlLocalStorage=true # Set to true to expose more detailed errors in responses to SPs #idp.errors.detailed = false @@ -78,7 +113,6 @@ idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt # Set to "shibboleth.StorageService" for server-side storage of user sessions #idp.session.StorageService = shibboleth.ClientSessionStorageService -idp.session.StorageService = shibboleth.StorageService # Size of session IDs #idp.session.idSize = 32 
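Review bot: Deleting `idp.session.StorageService = shibboleth.StorageService` silently moves user sessions to the client-side default (`shibboleth.ClientSessionStorageService`), and `idp.storage.htmlLocalStorage=true` is enabled in the same change, so the session record, including tracked SP sessions, now lives in the browser under the sealer key rather than on the server. The visible lines keep `idp.session.trackSPSessions=true` and `idp.session.secondaryServiceIndex=true`, and services.xml in this diff still loads `cas-protocol.xml`; as far as I can tell the secondary SP index is only meaningful with server-side storage and CAS has historically required it, so either confirm that is acceptable for this testbed or keep the explicit server-side setting. At minimum record the decision: `# Client-side session storage in use: SP-indexed logout lookups and CAS proxying assume server-side storage — verify before relying on either`. The switch to `shibboleth.ExplicitKeySignatureTrustEngine`/`shibboleth.ExplicitKeyX509TrustEngine` and `shibboleth.EncryptionConfiguration.GCM` in this hunk are the right defaults and need no change.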
@@ -91,42 +125,29 @@ idp.session.StorageService = shibboleth.StorageService # Tolerate storage-related errors #idp.session.maskStorageFailure = false # Track information about SPs logged into -idp.session.trackSPSessions = true +idp.session.trackSPSessions=true # Support lookup by SP for SAML logout -idp.session.secondaryServiceIndex = true +idp.session.secondaryServiceIndex=true # Length of time to track SP sessions #idp.session.defaultSPlifetime = PT2H -# Regular expression matching login flows to enable, e.g. IPAddress|Password -idp.authn.flows= Password - -# Regular expression of forced "initial" methods when no session exists, -# usually in conjunction with the idp.authn.resolveAttribute property below. -#idp.authn.flows.initial = Password - -# Set to an attribute ID to resolve prior to selecting authentication flows; -# its values are used to filter the flows to allow. -#idp.authn.resolveAttribute = eduPersonAssurance - -# Default lifetime and timeout of various authentication methods -#idp.authn.defaultLifetime = PT60M -#idp.authn.defaultTimeout = PT30M - -# Whether to prioritize "active" results when an SP requests more than -# one possible matching login method (V2 behavior was to favor them) -#idp.authn.favorSSO = true - -# Whether to fail requests when a user identity after authentication -# doesn't match the identity in a pre-existing session. 
-#idp.authn.identitySwitchIsError = false - # Set to "shibboleth.StorageService" or custom bean for alternate storage of consent #idp.consent.StorageService = shibboleth.ClientPersistentStorageService +# Default consent auditing formats +#idp.consent.terms-of-use.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA +#idp.consent.attribute-release.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA + # Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute # to key user consent storage records (and set the attribute name) -#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey -#idp.consent.userStorageKeyAttribute = uid +#idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey +#idp.consent.attribute-release.userStorageKeyAttribute = uid +#idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey +#idp.consent.terms-of-use.userStorageKeyAttribute = uid + +# Suffix of message property used as value of consent storage records when idp.consent.compareValues is true. +# Defaults to text displayed to the user. +#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text # Flags controlling how built-in attribute consent feature operates #idp.consent.allowDoNotRemember = true 
@@ -141,21 +162,36 @@ idp.authn.flows= Password #idp.consent.expandedMaxStoredRecords = 0 # Time in milliseconds to expire consent storage records. -#idp.consent.storageRecordLifetime = P1Y +# Leave commented out for the default of infinite +#idp.consent.storageRecordLifetime = + +# Path to use with External interceptor flow +#idp.intercept.External.externalPath = contextRelative:intercept.jsp + +# Policies to use with Impersonate interceptor flow +#idp.impersonate.generalPolicy = GeneralImpersonationPolicy +#idp.impersonate.specificPolicy = SpecificImpersonationPolicy + +# Picks outbound bindings more sensibly than based on metadata order +idp.bindings.inMetadataOrder=false # Whether to lookup metadata, etc. for every SP involved in a logout # for use by user interface logic; adds overhead so off by default. #idp.logout.elaboration = false -# Whether to require logout requests be signed/authenticated. +# Whether to require logout requests/responses be signed/authenticated. #idp.logout.authenticated = true +# Bean to determine whether user should be allowed to cancel logout +#idp.logout.promptUser=shibboleth.Conditions.FALSE + # Message freshness and replay cache tuning #idp.policy.messageLifetime = PT3M #idp.policy.clockSkew = PT3M # Set to custom bean for alternate storage of replay cache #idp.replayCache.StorageService = shibboleth.StorageService +#idp.replayCache.strict = true # Toggles whether to allow outbound messages via SAML artifact #idp.artifact.enabled = true 
@@ -166,33 +202,33 @@ idp.authn.flows= Password # Set to custom bean for alternate storage of artifact map state #idp.artifact.StorageService = shibboleth.StorageService -# Name of access control policy for various admin flows -idp.status.accessPolicy= AccessByIPAddress -idp.resolvertest.accessPolicy= AccessByIPAddress -idp.reload.accessPolicy= AccessByIPAddress - # Comma-delimited languages to use if not match can be found with the # browser-supported languages, defaults to an empty list. -idp.ui.fallbackLanguages= en,fr,de +idp.ui.fallbackLanguages=en,fr,de -# Storage service used by CAS protocol +# Storage service used by CAS protocol for chained proxy-granting tickets +# and when using server-managed "simple" TicketService. # Defaults to shibboleth.StorageService (in-memory) # MUST be server-side storage (e.g. in-memory, memcached, database) -# NOTE that idp.session.StorageService requires server-side storage -# when CAS protocol is enabled -idp.cas.StorageService=shibboleth.StorageService +#idp.cas.StorageService=shibboleth.StorageService # CAS service registry implementation class #idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry -# Profile flows in which the ProfileRequestContext should be exposed -# in servlet request under the key "opensamlProfileRequestContext" -#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO +# If true, CAS services provisioned with SAML metadata are identified via entityID +#idp.cas.relyingPartyIdFromMetadata=false -# F-TICKS auditing - set salt to include hashed username -#idp.fticks.federation=MyFederation -#idp.fticks.algorithm=SHA-256 -#idp.fticks.salt=somethingsecret +# F-TICKS auditing - set a salt to include hashed username +#idp.fticks.federation = MyFederation +#idp.fticks.condition = MyFTICKSCondition +#idp.fticks.algorithm = SHA-256 +#idp.fticks.salt = somethingsecret +#idp.fticks.loghost = localhost +#idp.fticks.logport = 514 + +# Set false if you 
want SAML bindings "spelled out" in audit log +idp.audit.shortenBindings=true #custom/added idp.loglevel.messages=INFO + diff --git a/Workbench/idp/shibboleth-idp/conf/ldap.properties b/Workbench/idp/shibboleth-idp/conf/ldap.properties index 726f145..57f1296 100644 --- a/Workbench/idp/shibboleth-idp/conf/ldap.properties +++ b/Workbench/idp/shibboleth-idp/conf/ldap.properties 
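Review bot: The `idp.status.accessPolicy`, `idp.resolvertest.accessPolicy` and `idp.reload.accessPolicy = AccessByIPAddress` lines are removed and nothing else in this diff re-declares them, so the status, resolver-test and reload admin flows now run on whatever policy the IdP's built-in admin flow definitions or a conf/admin properties file not shown here supply. That is presumably the intended newer layout, but it needs confirming that the rewritten access-control.xml still defines `AccessByIPAddress` with the intended ranges and that the admin properties carry these keys, because an admin flow falling back to a permissive policy would expose configuration reload and attribute resolution to any client of the webproxy. I would leave a pointer in place of the deleted block: `# Admin flow access policies (status/resolvertest/reload) are now configured with the admin flows; see access-control.xml for AccessByIPAddress`. The `#idp.fticks.salt = somethingsecret` placeholder stays commented, which is fine, but if F-TICKS is enabled the salt belongs in credentials/secrets.properties with the other secrets rather than here.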
@@ -1,58 +1,69 @@ # LDAP authentication configuration, see authn/ldap-authn-config.xml +# Note, this doesn't apply to the use of JAAS ## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator #idp.authn.LDAP.authenticator = anonSearchAuthenticator ## Connection properties ## -idp.authn.LDAP.ldapURL = ldap://directory:389 +idp.authn.LDAP.ldapURL=ldap://directory:389 idp.authn.LDAP.useStartTLS = false idp.authn.LDAP.useSSL = false -#idp.authn.LDAP.connectTimeout = 3000 +# Time in milliseconds that connects will block +#idp.authn.LDAP.connectTimeout = PT3S +# Time in milliseconds to wait for responses +#idp.authn.LDAP.responseTimeout = PT3S +# Connection strategy to use when multiple URLs are supplied, either ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM +#idp.authn.LDAP.connectionStrategy = ACTIVE_PASSIVE ## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust #idp.authn.LDAP.sslConfig = certificateTrust ## If using certificateTrust above, set to the trusted certificate's path -idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt +idp.authn.LDAP.trustCertificates=%{idp.home}/credentials/ldap-server.crt ## If using keyStoreTrust above, set to the truststore path -idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore +idp.authn.LDAP.trustStore=%{idp.home}/credentials/ldap-server.truststore ## Return attributes during authentication -## NOTE: this is not used during attribute resolution; configure that directly in the -## attribute-resolver.xml configuration via a DataConnector's element -idp.authn.LDAP.returnAttributes = cn,businessCategory,mail +idp.authn.LDAP.returnAttributes=passwordExpirationTime,loginGraceRemaining,cn,mail ## DN resolution properties ## # Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator # for AD: CN=Users,DC=example,DC=org -idp.authn.LDAP.baseDN = ou=people,dc=internet2,dc=edu 
+idp.authn.LDAP.baseDN=ou=people,dc=internet2,dc=edu #idp.authn.LDAP.subtreeSearch = false -idp.authn.LDAP.userFilter = (uid={user}) +idp.authn.LDAP.userFilter=(uid={user}) # bind search configuration # for AD: idp.authn.LDAP.bindDN=adminuser@domain.com -idp.authn.LDAP.bindDN = cn=admin,dc=internet2,dc=edu -idp.authn.LDAP.bindDNCredential = password +idp.authn.LDAP.bindDN=cn=admin,dc=internet2,dc=edu # Format DN resolution, used by directAuthenticator, adAuthenticator # for AD use idp.authn.LDAP.dnFormat=%s@domain.com -idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=internet2,dc=edu +idp.authn.LDAP.dnFormat=uid=%s,ou=people,dc=example,dc=org + +# pool passivator, either none, bind or anonymousBind +#idp.authn.LDAP.bindPoolPassivator = none # LDAP attribute configuration, see attribute-resolver.xml -idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL} -idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN} -idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN} -idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential} -idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true} -idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates} -idp.attribute.resolver.LDAP.searchFilter = (uid=$requestContext.principalName) +# Note, this likely won't apply to the use of legacy V2 resolver configurations +idp.attribute.resolver.LDAP.ldapURL=%{idp.authn.LDAP.ldapURL} +idp.attribute.resolver.LDAP.connectTimeout=%{idp.authn.LDAP.connectTimeout:PT3S} +idp.attribute.resolver.LDAP.responseTimeout=%{idp.authn.LDAP.responseTimeout:PT3S} +idp.attribute.resolver.LDAP.connectionStrategy=%{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE} +idp.attribute.resolver.LDAP.baseDN=%{idp.authn.LDAP.baseDN:undefined} +idp.attribute.resolver.LDAP.bindDN=%{idp.authn.LDAP.bindDN:undefined} +idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true} 
+idp.attribute.resolver.LDAP.trustCertificates=%{idp.authn.LDAP.trustCertificates:undefined} +idp.attribute.resolver.LDAP.searchFilter=(uid=$resolutionContext.principal) # LDAP pool configuration, used for both authn and DN resolution #idp.pool.LDAP.minSize = 3 #idp.pool.LDAP.maxSize = 10 #idp.pool.LDAP.validateOnCheckout = false #idp.pool.LDAP.validatePeriodically = true -#idp.pool.LDAP.validatePeriod = 300 -#idp.pool.LDAP.prunePeriod = 300 -#idp.pool.LDAP.idleTime = 600 -#idp.pool.LDAP.blockWaitTime = 3000 -#idp.pool.LDAP.failFastInitialize = false +#idp.pool.LDAP.validatePeriod = PT5M +#idp.pool.LDAP.validateDN = +#idp.pool.LDAP.validateFilter = (objectClass=*) +#idp.pool.LDAP.prunePeriod = PT5M +#idp.pool.LDAP.idleTime = PT10M +#idp.pool.LDAP.blockWaitTime = PT3S + diff --git a/Workbench/idp/shibboleth-idp/conf/logback.xml b/Workbench/idp/shibboleth-idp/conf/logback.xml index 817de02..25afcf5 100644 --- a/Workbench/idp/shibboleth-idp/conf/logback.xml +++ b/Workbench/idp/shibboleth-idp/conf/logback.xml @@ -14,7 +14,7 @@ - + @@ -71,9 +71,13 @@ - + /tmp/logidp-process + + ${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + UTF-8 @@ -98,7 +102,7 @@ 0 - + WARN @@ -106,6 +110,10 @@ /tmp/logidp-warn + + ${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + UTF-8 @@ -126,9 +134,13 @@ - + /tmp/logidp-audit + + ${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + UTF-8 @@ -137,9 +149,13 @@ - + /tmp/logidp-consent-audit + + ${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + UTF-8 @@ -173,3 +189,4 @@ + diff --git a/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml b/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml index c1f9f62..4126c67 100644 --- a/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml +++ b/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml 
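Review bot: `idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true}` reads as though the resolver defaults to StartTLS, but the `:true` fallback only applies when the referenced property is undefined, and this same file sets `idp.authn.LDAP.useStartTLS = false` and `idp.authn.LDAP.useSSL = false` against `ldap://directory:389`, so both the admin bind (`cn=admin,dc=internet2,dc=edu`, credential now in secrets.properties) and every user password check travel in cleartext. Tolerable on an isolated lab network, but the misleading default should be spelled out: `# NOTE: resolver inherits useStartTLS=false from the authn setting above; enable both (and sslConfig/trustCertificates) before exposing the directory`. Separately, the new `idp.authn.LDAP.dnFormat=uid=%s,ou=people,dc=example,dc=org` no longer agrees with `idp.authn.LDAP.baseDN=ou=people,dc=internet2,dc=edu` or the bindDN suffix; dnFormat is only consulted by the direct/AD authenticators, so this is dormant today but breaks as soon as `idp.authn.LDAP.authenticator` is changed. Finally, the new comments `# Time in milliseconds that connects will block` and `# Time in milliseconds to wait for responses` describe `PT3S`, which is an ISO-8601 duration, not a millisecond count.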
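Review bot: The active log files still point at `/tmp/logidp-process`, `/tmp/logidp-warn`, `/tmp/logidp-audit` and `/tmp/logidp-consent-audit` while the newly added `fileNamePattern` entries roll archives into `${idp.logfiles}/idp-*-%d{yyyy-MM-dd}.log.gz`, so the live and rotated halves of the audit trail end up in different directories. /tmp is world-writable and routinely purged (often a tmpfs in containers), which is a poor home for the audit and consent-audit logs a forensic review would depend on. Unless the container build mounts /tmp deliberately, point the file elements at `${idp.logfiles}/idp-audit.log` and friends so the active file rotates in place; the enclosing appender elements are not fully visible in this hunk, so the exact element names are inferred.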
@@ -1,92 +1,103 @@ - - - - - - - - - - - - - - + urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd + urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd + urn:oasis:names:tc:SAML:metadata:algsupport http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport-v1.0.xsd + http://www.w3.org/2000/09/xmldsig# http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd + http://www.w3.org/2009/xmldsig11# http://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/xmldsig11-schema.xsd + http://www.w3.org/2001/04/xmlenc# http://www.w3.org/TR/xmlenc-core/xenc-schema.xsd + http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd" + sortKey="1"> - - - - - - - - - - + + + + + + + + + + + + + + + - + + + + + + + - --> - - + diff --git a/Workbench/idp/shibboleth-idp/conf/relying-party.xml b/Workbench/idp/shibboleth-idp/conf/relying-party.xml index 19ca696..44af797 100644 --- a/Workbench/idp/shibboleth-idp/conf/relying-party.xml +++ b/Workbench/idp/shibboleth-idp/conf/relying-party.xml @@ -27,21 +27,17 @@ - + - - + - - + + + @@ -72,4 +77,5 @@ - \ No newline at end of file + + diff --git a/Workbench/idp/shibboleth-idp/conf/services.xml b/Workbench/idp/shibboleth-idp/conf/services.xml index e5cceb5..714ed33 100644 --- a/Workbench/idp/shibboleth-idp/conf/services.xml +++ b/Workbench/idp/shibboleth-idp/conf/services.xml @@ -11,17 +11,14 @@ - %{idp.home}/conf/relying-party.xml %{idp.home}/conf/credentials.xml - %{idp.home}/system/conf/relying-party-system.xml %{idp.home}/conf/metadata-providers.xml - %{idp.home}/conf/generated/shibui-metadata-providers.xml - %{idp.home}/system/conf/metadata-providers-system.xml + %{idp.home}/conf/generated/shibui-metadata-providers.xml 
@@ -34,7 +31,6 @@ --> %{idp.home}/conf/attribute-registry.xml - %{idp.home}/system/conf/attribute-registry-system.xml %{idp.home}/conf/attributes/default-rules.xml %{idp.home}/conf/attribute-resolver.xml @@ -45,16 +41,10 @@ %{idp.home}/conf/saml-nameid.xml - %{idp.home}/system/conf/saml-nameid-system.xml %{idp.home}/conf/access-control.xml - %{idp.home}/system/conf/access-control-system.xml - - - - %{idp.home}/conf/cas-protocol.xml %{idp.home}/messages/messages - %{idp.home}/system/messages/messages - \ No newline at end of file + + diff --git a/Workbench/idp/shibboleth-idp/credentials/secrets.properties b/Workbench/idp/shibboleth-idp/credentials/secrets.properties new file mode 100644 index 0000000..913256f --- /dev/null +++ b/Workbench/idp/shibboleth-idp/credentials/secrets.properties @@ -0,0 +1,13 @@ +# This is a reserved spot for most properties containing passwords or other secrets. + +# Access to internal AES encryption key +idp.sealer.storePassword = password +idp.sealer.keyPassword = password + +# Default access to LDAP authn and attribute stores. +idp.authn.LDAP.bindDNCredential = password +idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined} + +# Salt used to generate persistent/pairwise IDs, must be kept secret +#idp.persistentId.salt = changethistosomethingrandom + diff --git a/Workbench/idp/shibboleth-idp/edit-webapp/css/consent.css b/Workbench/idp/shibboleth-idp/edit-webapp/css/consent.css new file mode 100644 index 0000000..bab55df --- /dev/null +++ b/Workbench/idp/shibboleth-idp/edit-webapp/css/consent.css 
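Review bot: The new credentials/secrets.properties commits literal `password` values for `idp.sealer.storePassword`, `idp.sealer.keyPassword` and `idp.authn.LDAP.bindDNCredential`, so moving them out of idp.properties gains nothing unless this file is generated per install and kept out of version control. The sealer passwords guard the key used to protect client-side storage, and this diff switches session storage to the client side, so a known keystore password plus a copied sealer.jks would let anyone mint IdP sessions. I would replace the values with install-time randoms, exclude the file from the repository and image build, and make the header explicit: `# Generated at install time; never commit real values. Keep mode 0600, owned by the IdP service account.`. `#idp.persistentId.salt` stays commented, which is correct until pairwise IDs are enabled, but the same rule applies to it then.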
@@ -0,0 +1,151 @@ +.box { + width:600px; + margin-left: auto; + margin-right: auto; + margin-top: 50px; + background-color: white; + -webkit-box-shadow: 1px 1px 15px #999999; + -moz-box-shadow: 1px 1px 15px #999999; + box-shadow: 1px 1px 15px #999999; + -webkit-border-radius: 8px; + -moz-border-radius: 8px; + border-radius: 8px; + overflow: auto; + padding: 1.268em; +} + +body { + font-family:Verdana, Geneva, sans-serif; + font-size: 12px; +} + +h1 { + font-size: 13px; + padding-bottom: 12px; +} + +a { + color: #00247D; + text-decoration: underline; +} + +a:visited { + color: #00247D; + text-decoration: underline; +} + +a:focus, a:hover, a:active { + color: #F39800; + text-decoration: underline; +} + +#tou-content { + font-family:monospace; + width: 95%; + border: solid 1px #666; + margin: 4px; + padding: 10px; + overflow: hidden; +} + +#tou-content li{ + margin-bottom:10px; +} + +#tou-acceptance { + width: 95%; + border: solid 1px #666; + background-color: #F0F0F0; + margin: 4px; + padding: 10px; + text-align: left; + overflow: hidden; +} + +.service_name { + font-weight: bold; +} + +.service_description { + font-style: italic; +} + +.organization_name { +} + +#attributeRelease-consent { + width: 95%; + border: solid 1px #666; + background-color: #F0F0F0; + margin: 4px; + overflow: hidden; +} + +#attributeRelease { + width: 95%; + margin: 4px; + border: solid 1px black; + overflow: auto; +} + +#attributeRelease table { + border-collapse: collapse; + border: none 0px white; + width: 100%; +} + +#attributeRelease td { + padding: 3px 7px; + vertical-align: top; +} + +#attributeRelease th { + text-align: left; + font-size: 18px; + padding: 5px 7px; + background-color:#00247D; + color: white; +} + +#attributeRelease tr:nth-of-type(even) { + background-color: #E4E5E3; +} + +.federation_logo +{ + width: 50%; + float: left; + padding-top: 35px; + border: 0; +} +.organization_logo +{ + width: 50%; + float: right; + border: 0; +} + +.form-error { + padding: 0; + color: 
#B61601; +} + +/* Device specific styles */ +@media only screen and (max-device-width: 721px){ + .box { + width: auto; + box-shadow: none; + border-radius: 0; + -webkit-box-shadow: none; + -webkit-border-radius: 0; + -moz-box-shadow: none; + -moz-border-radius: 0; + padding: 0; + margin-top:0; + } + #tou-content, #tou-acceptance{ + /*width:87%;*/ + width:auto; + } +} + diff --git a/Workbench/idp/shibboleth-idp/edit-webapp/css/logout.css b/Workbench/idp/shibboleth-idp/edit-webapp/css/logout.css new file mode 100644 index 0000000..da91dfe --- /dev/null +++ b/Workbench/idp/shibboleth-idp/edit-webapp/css/logout.css @@ -0,0 +1,18 @@ +/* Success/Failure indicators for logout propagation. */ +li.logout { + line-height: 36px; + padding-left: 36px; +} +li.logout.success { + background: url(../images/success-32x32.png) no-repeat left center; +} +li.logout.failure { + background: url(../images/failure-32x32.png) no-repeat left center; +} +li.logout.pending{ + +} +li.logout.na { + background: url(../images/failure-32x32.png) no-repeat left center; +} + diff --git a/Workbench/idp/shibboleth-idp/edit-webapp/css/main.css b/Workbench/idp/shibboleth-idp/edit-webapp/css/main.css new file mode 100644 index 0000000..10f86c7 --- /dev/null +++ b/Workbench/idp/shibboleth-idp/edit-webapp/css/main.css 
@@ -0,0 +1,166 @@ +* { + margin: 0; + padding: 0; +} +header, footer, section, nav { + display: block; +} +html, body { + height: 100%; +} +body { + font-family:Verdana, Geneva, sans-serif; + font-size: 12px; + line-height: 1.5; + color: #717171; + background: #717171; +} +a:link, +a:visited { + text-decoration: none; + color: #717171; +} +img { + max-width: 100%; + margin-bottom: 12px; +} + +.wrapper { + background: #ffffff; +} + +.container { + position: relative; + left: 34%; + width: 540px; + margin-left: -270px; +} +.container-footer { + padding-top: 12px; +} +@media only screen and (max-width: 1020px) { + .container { + left: 45%; + } +} +@media only screen and (max-width: 650px) { + .container { + position: static; + margin: 0 auto; + width: 280px; + } +} + +header { + padding: 20px 0; +} + +.logo img { + border: none; +} +@media only screen and (max-width: 650px) { + .logo img { + display: none; + } + .logo { + background: url(../images/dummylogo-mobile.png) no-repeat top center; + display: block; + height: 115px; + width: 100px; + margin: 0 auto; + } +} + +.content { + padding-bottom: 80px; + overflow: hidden; +} + +.column { + float: left; +} +.column.one { + width: 50%; + margin-right: 48px; +} + +form { + width: 240px; + padding-bottom: 21px; +} +form label { /* labels are hidden */ + font-weight: bold; +} +form legend { + font-size:1.2em; + margin-bottom: 12px; +} +.form-element-wrapper { + margin-bottom: 12px; +} +.form-element { + width: 100%; + padding: 13px 12px; + border: none; + font-size: 14px; + border-radius: 4px; + -webkit-border-radius: 4px; + -moz-border-radius: 4px; +} +.form-field { + color: #B7B7B7; + border: 1px solid #B7B7B7; +} +.form-field-focus, +.form-field:focus, +input[type="text"]:focus { + color: #333333; + border-color: #333; +} +.form-button { + background: #B61601; + box-sizing: content-box; + -moz-box-sizing: content-box; + color: #ffffff; + cursor: pointer; +} +.form-button:hover { + background: #FF6400; +} +.form-error { 
+ padding: 0; + color: #B61601; +} + +.list-help { + margin-top: 40px; /* offset padding on first anchor */ + list-style: none; +} +.list-help-item a { + display: block; + padding: 6px 0; +} +.item-marker { + color: #be0000; +} + +footer { + color: #ffffff; + font-size: 11px; + background: #717171; +} +.footer-text { + margin-bottom: 12px; +} +.footer-links a:link, +.footer-links a:visited { + color: #ffffff; + font-weight: bold; +} +.footer-links a:after { + content: "\00a0\00a0\00a0|\00a0\00a0"; +} +.footer-links a.last:after { + content: ""; +} + diff --git a/Workbench/idp/shibboleth-idp/edit-webapp/images/dummylogo-mobile.png b/Workbench/idp/shibboleth-idp/edit-webapp/images/dummylogo-mobile.png new file mode 100644 index 0000000..8ba3c95 Binary files /dev/null and b/Workbench/idp/shibboleth-idp/edit-webapp/images/dummylogo-mobile.png differ diff --git a/Workbench/idp/shibboleth-idp/edit-webapp/images/dummylogo.png b/Workbench/idp/shibboleth-idp/edit-webapp/images/dummylogo.png new file mode 100644 index 0000000..e89ede6 Binary files /dev/null and b/Workbench/idp/shibboleth-idp/edit-webapp/images/dummylogo.png differ diff --git a/Workbench/idp/shibboleth-idp/edit-webapp/images/failure-32x32.png b/Workbench/idp/shibboleth-idp/edit-webapp/images/failure-32x32.png new file mode 100644 index 0000000..3c48e46 Binary files /dev/null and b/Workbench/idp/shibboleth-idp/edit-webapp/images/failure-32x32.png differ diff --git a/Workbench/idp/shibboleth-idp/edit-webapp/images/success-32x32.png b/Workbench/idp/shibboleth-idp/edit-webapp/images/success-32x32.png new file mode 100644 index 0000000..aa51204 Binary files /dev/null and b/Workbench/idp/shibboleth-idp/edit-webapp/images/success-32x32.png differ diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html index 6f4a9a5..3a316f9 100644 --- a/Workbench/webproxy/container_files/httpd/index.html +++ b/Workbench/webproxy/container_files/httpd/index.html 
@@ -29,7 +29,7 @@

Welcome to the InCommon TAP Workbench!


Shibboleth SAML Identity Provider and Service Providers: