diff --git a/Workbench/comanage_midpoint_data/container_files/seed-data/createDBforMP.sql b/Workbench/comanage_midpoint_data/container_files/seed-data/createDBforMP.sql
new file mode 100644
index 0000000..b5c6541
--- /dev/null
+++ b/Workbench/comanage_midpoint_data/container_files/seed-data/createDBforMP.sql
@@ -0,0 +1,99 @@
+CREATE DATABASE grouper_to_midpoint WITH ENCODING=utf8;
+CREATE USER grouper WITH PASSWORD 'password';
+GRANT ALL PRIVILEGES ON DATABASE grouper_to_midpoint TO grouper;
+
+\connect grouper_to_midpoint;
+set role grouper;
+
+CREATE TABLE gr_mp_groups (
+    group_name varchar(1024) NULL, -- Name of group mapped in some way
+    id_index int8 NOT NULL, -- This is the integer identifier for a group and foreign key to group attributes and memberships
+    display_name varchar(1024) NULL, -- Display name of group mapped in some way
+    description varchar(1024) NULL, -- Description of group mapped in some way
+    last_modified int8 NOT NULL, -- Millis since 1970, will be sequential and unique
+    deleted varchar(1) NOT NULL, -- T or F.  Deleted rows will be removed after they have had time to be processed
+    CONSTRAINT gr_mp_groups_pkey PRIMARY KEY (id_index)
+);
+CREATE INDEX gr_mp_groups_ddx ON gr_mp_groups(display_name);
+CREATE INDEX gr_mp_groups_gdx ON gr_mp_groups(group_name);
+CREATE UNIQUE INDEX gr_mp_groups_idx ON gr_mp_groups(id_index);
+CREATE UNIQUE INDEX gr_mp_groups_ldx ON gr_mp_groups(last_modified);
+COMMENT ON TABLE gr_mp_groups IS 'This table holds groups';
+ 
+COMMENT ON COLUMN gr_mp_groups.group_name IS 'Name of group mapped in some way';
+COMMENT ON COLUMN gr_mp_groups.id_index IS 'This is the integer identifier for a group and foreign key to group attributes and memberships';
+COMMENT ON COLUMN gr_mp_groups.display_name IS 'Display name of group mapped in some way';
+COMMENT ON COLUMN gr_mp_groups.description IS 'Description of group mapped in some way';
+COMMENT ON COLUMN gr_mp_groups.last_modified IS 'Millis since 1970, will be sequential and unique';
+COMMENT ON COLUMN gr_mp_groups.deleted IS 'T or F.  Deleted rows will be removed after they have had time to be processed';
+ 
+CREATE TABLE gr_mp_subjects (
+    subject_id_index int8 NOT NULL, -- This is the integer identifier for a subject and foreign key to subject attributes and memberships
+    subject_id varchar(1024) NULL, -- Subject ID mapped in some way
+    last_modified int8 NOT NULL, -- Millis since 1970, will be sequential and unique
+    deleted varchar(1) NOT NULL, -- T or F.  Deleted rows will be removed after they have had time to be processed
+    CONSTRAINT gr_mp_subjects_pkey PRIMARY KEY (subject_id_index)
+);
+CREATE UNIQUE INDEX gr_mp_subjects_idx ON gr_mp_subjects(subject_id_index);
+CREATE UNIQUE INDEX gr_mp_subjects_ldx ON gr_mp_subjects(last_modified);
+CREATE INDEX gr_mp_subjects_sdx ON gr_mp_subjects(subject_id);
+COMMENT ON TABLE gr_mp_subjects IS 'This table holds subjects';
+ 
+COMMENT ON COLUMN gr_mp_subjects.subject_id_index IS 'This is the integer identifier for a subject and foreign key to subject attributes and memberships';
+COMMENT ON COLUMN gr_mp_subjects.subject_id IS 'Subject ID mapped in some way';
+COMMENT ON COLUMN gr_mp_subjects.last_modified IS 'Millis since 1970, will be sequential and unique';
+COMMENT ON COLUMN gr_mp_subjects.deleted IS 'T or F.  Deleted rows will be removed after they have had time to be processed';
+ 
+CREATE TABLE gr_mp_group_attributes (
+    group_id_index int8 NOT NULL, -- This is the integer identifier for a group and foreign key to groups and memberships
+    attribute_name varchar(1000) NOT NULL, -- Attribute name for attributes not in the main group table
+    attribute_value varchar(4000) NULL, -- Attribute value could be null
+    last_modified int8 NOT NULL, -- Millis since 1970, will be sequential and unique
+    deleted varchar(1) NOT NULL, -- T or F.  Deleted rows will be removed after they have had time to be processed
+    CONSTRAINT gr_mp_group_attributes_fk FOREIGN KEY (group_id_index) REFERENCES gr_mp_groups(id_index)
+);
+CREATE UNIQUE INDEX gr_mp_group_attributes_idx ON gr_mp_group_attributes(group_id_index, attribute_name, attribute_value);
+CREATE UNIQUE INDEX gr_mp_group_attributes_ldx ON gr_mp_group_attributes(last_modified);
+COMMENT ON TABLE gr_mp_group_attributes IS 'This table holds group attributes which are one to one or one to many to the groups table';
+ 
+COMMENT ON COLUMN gr_mp_group_attributes.group_id_index IS 'This is the integer identifier for a group and foreign key to groups and memberships';
+COMMENT ON COLUMN gr_mp_group_attributes.attribute_name IS 'Attribute name for attributes not in the main group table';
+COMMENT ON COLUMN gr_mp_group_attributes.attribute_value IS 'Attribute value could be null';
+COMMENT ON COLUMN gr_mp_group_attributes.last_modified IS 'Millis since 1970, will be sequential and unique';
+COMMENT ON COLUMN gr_mp_group_attributes.deleted IS 'T or F.  Deleted rows will be removed after they have had time to be processed';
+ 
+CREATE TABLE gr_mp_memberships (
+    group_id_index int8 NOT NULL, -- This is the foreign key to groups
+    subject_id_index int8 NOT NULL, -- This is the foreign key to subjects
+    last_modified int8 NOT NULL, -- Millis since 1970, will be sequential and unique
+    deleted varchar(1) NOT NULL, -- T or F.  Deleted rows will be removed after they have had time to be processed
+    CONSTRAINT gr_mp_memberships_gfk FOREIGN KEY (group_id_index) REFERENCES gr_mp_groups(id_index),
+    CONSTRAINT gr_mp_memberships_sfk FOREIGN KEY (subject_id_index) REFERENCES gr_mp_subjects(subject_id_index)
+);
+CREATE UNIQUE INDEX gr_mp_memberships_idx ON gr_mp_memberships(group_id_index, subject_id_index);
+CREATE UNIQUE INDEX gr_mp_memberships_ldx ON gr_mp_memberships(last_modified);
+COMMENT ON TABLE gr_mp_memberships IS 'This table holds memberships.  The primary key is group_id_index and subject_id_index';
+ 
+COMMENT ON COLUMN gr_mp_memberships.group_id_index IS 'This is the foreign key to groups';
+COMMENT ON COLUMN gr_mp_memberships.subject_id_index IS 'This is the foreign key to subjects';
+COMMENT ON COLUMN gr_mp_memberships.last_modified IS 'Millis since 1970, will be sequential and unique';
+COMMENT ON COLUMN gr_mp_memberships.deleted IS 'T or F.  Deleted rows will be removed after they have had time to be processed';
+ 
+CREATE TABLE gr_mp_subject_attributes (
+    subject_id_index int8 NOT NULL, -- This is the integer identifier and foreign key to subjects
+    attribute_name varchar(1000) NOT NULL, -- Attribute name for attributes not in the main subject table
+    attribute_value varchar(4000) NULL, -- Attribute value could be null
+    last_modified int8 NOT NULL, -- Millis since 1970, will be sequential and unique
+    deleted varchar(1) NOT NULL, -- T or F.  Deleted rows will be removed after they have had time to be processed
+    CONSTRAINT gr_mp_subject_attributes_fk FOREIGN KEY (subject_id_index) REFERENCES gr_mp_subjects(subject_id_index)
+);
+CREATE UNIQUE INDEX gr_mp_subject_attributes_idx ON gr_mp_subject_attributes(subject_id_index, attribute_name, attribute_value);
+CREATE UNIQUE INDEX gr_mp_subject_attributes_ldx ON gr_mp_subject_attributes(last_modified);
+COMMENT ON TABLE gr_mp_subject_attributes IS 'This table holds subject attributes which are one to one or one to many to the subjects table';
+ 
+COMMENT ON COLUMN gr_mp_subject_attributes.subject_id_index IS 'This is the integer identifier and foreign key to subjects';
+COMMENT ON COLUMN gr_mp_subject_attributes.attribute_name IS 'Attribute name for attributes not in the main subject table';
+COMMENT ON COLUMN gr_mp_subject_attributes.attribute_value IS 'Attribute value could be null';
+COMMENT ON COLUMN gr_mp_subject_attributes.last_modified IS 'Millis since 1970, will be sequential and unique';
+COMMENT ON COLUMN gr_mp_subject_attributes.deleted IS 'T or F.  Deleted rows will be removed after they have had time to be processed';
+
diff --git a/Workbench/configs-and-secrets/grouper/application/grouper-loader.properties b/Workbench/configs-and-secrets/grouper/application/grouper-loader.properties
index a3d5c61..7d66bbd 100755
--- a/Workbench/configs-and-secrets/grouper/application/grouper-loader.properties
+++ b/Workbench/configs-and-secrets/grouper/application/grouper-loader.properties
@@ -51,13 +51,11 @@ db.sis.pass = 49321420423
 db.sis.url = jdbc:mysql://sources:3306/sis
 db.sis.driver = com.mysql.jdbc.Driver
 
-
 # midpoint External System
-#db.midPoint.driver = com.mysql.jdbc.Driver
-db.midPoint.driver = com.mysql.cj.jdbc.Driver
+db.midPoint.driver = org.postgresql.Driver
 #db.midPoint.pass = ${java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE'), "utf-8") : java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD') }
 db.midPoint.pass = password
-db.midPoint.url = jdbc:mysql://grouper_data:3306/grouper_to_midpoint?CharSet=utf8&useUnicode=true&characterEncoding=utf8
+db.midPoint.url = jdbc:postgresql://comanage_midpoint_data:5432/grouper_to_midpoint?CharSet=utf8
 db.midPoint.user = grouper
 
 # provisioner midpoint
@@ -66,9 +64,14 @@ provisioner.midPoint.customizeEntityCrud = true
 provisioner.midPoint.customizeGroupCrud = true
 provisioner.midPoint.customizeMembershipCrud = true
 provisioner.midPoint.dbExternalSystemConfigId = midPoint
-provisioner.midPoint.deleteEntities = false
-provisioner.midPoint.deleteGroups = false
-provisioner.midPoint.deleteMemberships = false
+provisioner.midPoint.deleteEntities = true
+provisioner.midPoint.deleteEntitiesIfNotExistInGrouper = false
+provisioner.midPoint.deleteEntitiesIfGrouperDeleted = true
+provisioner.midPoint.deleteGroups = true
+provisioner.midPoint.deleteGroupsIfNotExistInGrouper = true
+provisioner.midPoint.deleteMemberships = true
+provisioner.midPoint.deleteMembershipsIfNotExistInGrouper = false
+provisioner.midPoint.deleteMembershipsIfGrouperDeleted = true
 provisioner.midPoint.makeChangesToEntities = true
 provisioner.midPoint.midPointDeletedColumnName = deleted
 provisioner.midPoint.midPointLastModifiedColumnName = last_modified
diff --git a/Workbench/grouper_data/Dockerfile b/Workbench/grouper_data/Dockerfile
index 07cc0bd..56990ae 100644
--- a/Workbench/grouper_data/Dockerfile
+++ b/Workbench/grouper_data/Dockerfile
@@ -10,8 +10,7 @@ RUN yum install -y epel-release \
 
 COPY container_files/conf/ /opt/grouper/grouperWebapp/WEB-INF/classes/
 COPY container_files/bootstrap/ /tmp/
-COPY container_files/mysql/createDBforMP.sql /
-COPY container_files/mysql/setupDBforMP.sql /
+COPY container_files/mysql/createSQLuser.sql /
 
 RUN ln -s /usr/bin/resolveip /usr/libexec/resolveip
 
@@ -27,15 +26,15 @@ RUN mysql_install_db \
     && echo "mysqladmin --silent --wait=30 ping || exit 1" >> /tmp/config \
     && echo "mysql -e 'GRANT ALL PRIVILEGES ON *.* TO \"root\"@\"%\" WITH GRANT OPTION;'" >> /tmp/config \
     && echo "mysql -e 'CREATE DATABASE grouper CHARACTER SET utf8 COLLATE utf8_bin;'" >> /tmp/config \
-    && echo "mysql < /createDBforMP.sql" >> /tmp/config \
-    && echo "mysql -u grouper -p'password' grouper_to_midpoint < /setupDBforMP.sql" >> /tmp/config \
+    && echo "mysql < /createSQLuser.sql" >> /tmp/config \
     && bash /tmp/config \
     && rm -f /tmp/config
 
 RUN (mysqld_safe & ) \
     && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 1; done; \
     /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh -registry -check -runscript -noprompt && \
-    /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh /tmp/initialize.gsh
+    /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh /tmp/initialize.gsh && \
+    /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh /tmp/set-prov.gsh
 
 EXPOSE 3306
 
diff --git a/Workbench/grouper_data/container_files/bootstrap/initialize.gsh b/Workbench/grouper_data/container_files/bootstrap/initialize.gsh
index 2ea77f7..2412b28 100644
--- a/Workbench/grouper_data/container_files/bootstrap/initialize.gsh
+++ b/Workbench/grouper_data/container_files/bootstrap/initialize.gsh
@@ -9,8 +9,16 @@ addStem("", "org", "org")
 addStem("", "test", "test")
 
 addRootStem("ref", "ref")
-addStem("ref", "course", "course")
-addStem("ref", "affiliation", "affiliation")
+addStem("ref", "course", "Course")
+addStem("ref", "dept", "Department")
+addStem("ref", "affiliation", "Affiliation")
+
+new GroupSave().assignName("ref:affiliation:alum").assignDisplayName("Alumni").assignCreateParentStemsIfNotExist(true).save();
+new GroupSave().assignName("ref:affiliation:community").assignDisplayName("Community").assignCreateParentStemsIfNotExist(true).save();
+new GroupSave().assignName("ref:affiliation:faculty").assignDisplayName("Faculty").assignCreateParentStemsIfNotExist(true).save();
+new GroupSave().assignName("ref:affiliation:member").assignDisplayName("Member").assignCreateParentStemsIfNotExist(true).save();
+new GroupSave().assignName("ref:affiliation:staff").assignDisplayName("Staff").assignCreateParentStemsIfNotExist(true).save();
+new GroupSave().assignName("ref:affiliation:student").assignDisplayName("Student").assignCreateParentStemsIfNotExist(true).save();
 
 group = GroupFinder.findByName(gs, "etc:sysadmingroup", true)
 group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign()
diff --git a/Workbench/grouper_data/container_files/bootstrap/set-prov.gsh b/Workbench/grouper_data/container_files/bootstrap/set-prov.gsh
new file mode 100644
index 0000000..2cc4bbc
--- /dev/null
+++ b/Workbench/grouper_data/container_files/bootstrap/set-prov.gsh
@@ -0,0 +1,37 @@
+
+provisioner_name="midPoint";
+GrouperSession grouperSession = GrouperSession.startRootSession();
+
+def setProvOnStem(grouperSession,provisioner_name,folder_name) {
+  AttributeAssign attributeAssignMarker = null;
+  attributeAssignMarker = new AttributeAssignSave(grouperSession).assignOwnerStemName(folder_name).assignNameOfAttributeDefName("etc:provisioning:provisioningMarker").save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDirectAssign").addValue("true").save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDoProvision").addValue(provisioner_name).save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningStemScope").addValue("sub").save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningTarget").addValue(provisioner_name).save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningMetadataJson").addValue("{\"destination\":\"midpoint\",\"actor\":\"initial load\"}").save();
+
+}
+
+def setProvOnGroup(grouperSession,provisioner_name,group_name) {
+  AttributeAssign attributeAssignMarker = null;
+  attributeAssignMarker = new AttributeAssignSave(grouperSession).assignOwnerGroupName(group_name).assignNameOfAttributeDefName("etc:provisioning:provisioningMarker").save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDirectAssign").addValue("true").save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDoProvision").addValue(provisioner_name).save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningStemScope").addValue("sub").save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningTarget").addValue(provisioner_name).save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningMetadataJson").addValue("{\"destination\":\"midpoint\",\"actor\":\"initial load\"}").save();
+
+}
+
+setProvOnStem(grouperSession,provisioner_name,"app")
+setProvOnStem(grouperSession,provisioner_name,"test")
+setProvOnStem(grouperSession,provisioner_name,"ref:dept")
+setProvOnStem(grouperSession,provisioner_name,"ref:course")
+setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:alum")
+setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:community")
+setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:faculty")
+setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:member")
+setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:staff")
+setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:student")
+
diff --git a/Workbench/grouper_data/container_files/mysql/createDBforMP.sql b/Workbench/grouper_data/container_files/mysql/createSQLuser.sql
similarity index 75%
rename from Workbench/grouper_data/container_files/mysql/createDBforMP.sql
rename to Workbench/grouper_data/container_files/mysql/createSQLuser.sql
index 8cf329f..f89839f 100644
--- a/Workbench/grouper_data/container_files/mysql/createDBforMP.sql
+++ b/Workbench/grouper_data/container_files/mysql/createSQLuser.sql
@@ -1,7 +1,5 @@
-CREATE DATABASE grouper_to_midpoint CHARACTER SET utf8 COLLATE utf8_bin;
 CREATE USER 'grouper'@'%' IDENTIFIED BY 'password';
 CREATE USER 'grouper'@'localhost' IDENTIFIED BY 'password';
 GRANT ALL PRIVILEGES ON * . * TO 'grouper'@'%';
 GRANT ALL PRIVILEGES ON * . * TO 'grouper'@'localhost';
 FLUSH PRIVILEGES;
-
diff --git a/Workbench/grouper_data/container_files/mysql/setupDBforMP.sql b/Workbench/grouper_data/container_files/mysql/setupDBforMP.sql
deleted file mode 100644
index be1e73e..0000000
--- a/Workbench/grouper_data/container_files/mysql/setupDBforMP.sql
+++ /dev/null
@@ -1,60 +0,0 @@
-USE grouper_to_midpoint;
-CREATE TABLE gr_mp_groups (
-          group_name varchar(1024) DEFAULT NULL,
-          id_index bigint NOT NULL,
-          display_name varchar(1024) DEFAULT NULL,
-          description varchar(1024) DEFAULT NULL,
-          last_modified bigint NOT NULL,
-          deleted varchar(1) NOT NULL,
-          PRIMARY KEY (id_index),
-          UNIQUE KEY gr_mp_groups_ldx (last_modified),
-          UNIQUE KEY gr_mp_groups_idx (id_index),
-          KEY gr_mp_groups_ddx (display_name(255)),
-          KEY gr_mp_groups_gdx (group_name(255))
-);
- 
-CREATE TABLE gr_mp_group_attributes (
-          group_id_index bigint NOT NULL,
-          attribute_name varchar(1000) NOT NULL,
-          attribute_value varchar(4000) DEFAULT NULL,
-          last_modified bigint NOT NULL,
-          deleted varchar(1) NOT NULL,
-          UNIQUE KEY gr_mp_group_attributes_ldx (last_modified),
-          UNIQUE KEY gr_mp_group_attributes_idx (group_id_index,attribute_name(100),attribute_value(155)),
-          CONSTRAINT gr_mp_group_attributes_fk FOREIGN KEY (group_id_index) REFERENCES gr_mp_groups (id_index)
-);
- 
-CREATE TABLE gr_mp_subjects (
-          subject_id_index bigint NOT NULL,
-          subject_id varchar(1024) DEFAULT NULL,
-          last_modified bigint NOT NULL,
-          deleted varchar(1) NOT NULL,
-          PRIMARY KEY (subject_id_index),
-          UNIQUE KEY gr_mp_subjects_ldx (last_modified),
-          UNIQUE KEY gr_mp_subjects_idx (subject_id_index),
-          KEY gr_mp_subjects_sdx (subject_id(255))
-);
- 
-CREATE TABLE gr_mp_subject_attributes (
-          subject_id_index bigint NOT NULL,
-          attribute_name varchar(1000) NOT NULL,
-          attribute_value varchar(4000) DEFAULT NULL,
-          last_modified bigint NOT NULL,
-          deleted varchar(1) NOT NULL,
-          UNIQUE KEY gr_mp_subject_attributes_ldx (last_modified),
-          UNIQUE KEY gr_mp_subject_attributes_idx (subject_id_index,attribute_name(100),attribute_value(155)),
-          CONSTRAINT gr_mp_subject_attributes_fk FOREIGN KEY (subject_id_index) REFERENCES gr_mp_subjects (subject_id_index)
-);
- 
-CREATE TABLE gr_mp_memberships (
-          group_id_index bigint NOT NULL,
-          subject_id_index bigint NOT NULL,
-          last_modified bigint NOT NULL,
-          deleted varchar(1) NOT NULL,
-          UNIQUE KEY gr_mp_memberships_ldx (last_modified),
-          UNIQUE KEY gr_mp_memberships_idx (group_id_index,subject_id_index),
-          KEY gr_mp_memberships_sfk (subject_id_index),
-          CONSTRAINT gr_mp_memberships_gfk FOREIGN KEY (group_id_index) REFERENCES gr_mp_groups (id_index),
-          CONSTRAINT gr_mp_memberships_sfk FOREIGN KEY (subject_id_index) REFERENCES gr_mp_subjects (subject_id_index)
-);
-
diff --git a/Workbench/idp_ui/Dockerfile b/Workbench/idp_ui/Dockerfile
index 2fef2b7..5cf77c6 100644
--- a/Workbench/idp_ui/Dockerfile
+++ b/Workbench/idp_ui/Dockerfile
@@ -1,4 +1,4 @@
-FROM i2incommon/shib-idp-ui:1.17.4
+FROM i2incommon/shib-idp-ui:1.18.0
 
 ARG CSPHOSTNAME=localhost
 ENV CSPHOSTNAME=$CSPHOSTNAME
diff --git a/Workbench/idp_ui_api/Dockerfile b/Workbench/idp_ui_api/Dockerfile
index fefbdec..2aaa200 100644
--- a/Workbench/idp_ui_api/Dockerfile
+++ b/Workbench/idp_ui_api/Dockerfile
@@ -1,4 +1,4 @@
-FROM i2incommon/shib-idp-ui:1.17.4
+FROM i2incommon/shib-idp-ui:1.18.0
 
 ARG CSPHOSTNAME=localhost
 ENV CSPHOSTNAME=$CSPHOSTNAME
diff --git a/Workbench/midpoint_server/container_files/mp-home/icf-connectors/connector-grouper-1.0-SNAPSHOT.jar b/Workbench/midpoint_server/container_files/mp-home/icf-connectors/connector-grouper-1.0-SNAPSHOT.jar
new file mode 100644
index 0000000..74e744b
Binary files /dev/null and b/Workbench/midpoint_server/container_files/mp-home/icf-connectors/connector-grouper-1.0-SNAPSHOT.jar differ
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/objectTemplates/100-template-user.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/objectTemplates/100-template-user.xml
index b81206b..fb5239a 100644
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/objectTemplates/100-template-user.xml
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/objectTemplates/100-template-user.xml
@@ -126,86 +126,4 @@
 			</condition>
 		</mapping>
 	</item>
-
-    <mapping>
-        <strength>strong</strength>
-        <source>
-            <path>employeeNumber</path>
-        </source>
-        <expression>
-            <script>
-                <code>
-                    import com.evolveum.midpoint.xml.ns._public.common.common_3.*
-                    import com.evolveum.midpoint.schema.constants.*
-                    import com.evolveum.midpoint.schema.* 
-                    import javax.xml.namespace.*
-                    import com.evolveum.midpoint.util.*
-                    import com.evolveum.midpoint.prism.path.*
-                    
-                    GROUPER_RESOURCE_OID = '1eff65de-5bb6-483d-9edf-8cc2c2ee0233'
-                    MEMBER_NAME = new QName(MidPointConstants.NS_RI, 'member')
-                    
-                    memberDef = prismContext.definitionFactory().createPropertyDefinition(MEMBER_NAME, DOMUtil.XSD_STRING)
-                    memberDef.setMaxOccurs(-1)
-
-                    shadowQuery = prismContext.queryFor(ShadowType.class)
-                        .item(ShadowType.F_RESOURCE_REF).ref(GROUPER_RESOURCE_OID)
-                        .and().item(ShadowType.F_SYNCHRONIZATION_SITUATION).eq(SynchronizationSituationType.LINKED)
-                        .and().item(ShadowType.F_KIND).eq(ShadowKindType.ENTITLEMENT)
-                        .and().item(ShadowType.F_INTENT).eq('group')
-                        .and().block().item(ShadowType.F_DEAD).isNull().or().item(ShadowType.F_DEAD).eq(false).endBlock()
-                        .and().item(ItemPath.create(ShadowType.F_ATTRIBUTES, MEMBER_NAME), memberDef).eq(basic.stringify(employeeNumber))
-                        .build()
-                        
-                    //log.info('shadowQuery = {}\n{}', shadowQuery, shadowQuery.debugDump())
-                    options = SelectorOptions.createCollection(GetOperationOptions.createNoFetch())
-                    shadows = midpoint.searchObjects(ShadowType.class, shadowQuery, options)
-                    //log.info('shadows found for {}: {}', employeeNumber, shadows)
-                    
-                    orgNames = shadows.collect { basic.stringify(it.name) }            // todo - use attributes
-                    log.info('org names = {}', orgNames)
-                    
-                    if (!orgNames.isEmpty()) { 
-                        orgQueryBuilder = prismContext.queryFor(OrgType.class)
-                        
-                        first = true
-                        for (orgName in orgNames) {
-                            if (first) {
-                                first = false
-                            } else {
-                                orgQueryBuilder = orgQueryBuilder.or()
-                            }
-                            orgQueryBuilder = orgQueryBuilder.item(ItemPath.create(OrgType.F_EXTENSION, 'grouperName')).eq(orgName)
-                        }
-                            
-                        orgQuery = orgQueryBuilder.build()
-                        //log.info('org query:\n', orgQuery.debugDump())
-                        
-                        orgs = midpoint.searchObjects(OrgType.class, orgQuery, null)
-                        log.info('orgs found: {}', orgs)
-                        
-                        orgs.collect {
-                            new AssignmentType(prismContext)
-                                .subtype('grouper-group')
-                                .targetRef(it.oid, OrgType.COMPLEX_TYPE)
-                        }
-                    } else {
-                        null
-                    }
-                </code>
-            </script>
-        </expression>
-        <target>
-            <path>assignment</path>
-            <set>
-                <condition>
-                    <script>
-                        <code>
-                            assignment?.subtype.contains('grouper-group')
-                        </code>
-                    </script>
-                </condition>
-            </set>
-        </target>
-    </mapping>
 </objectTemplate>
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper-new.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper-new.xml
new file mode 100644
index 0000000..12ff683
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper-new.xml
@@ -0,0 +1,339 @@
+<!--
+  ~ Copyright (c) 2010-2023 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2">
+
+    <name>Source: Groups</name>
+
+    <!--
+<abstract>true</abstract>
+<template>true</template>
+    -->
+
+    <connectorRef relation="org:default" type="c:ConnectorType">
+        <filter>
+            <q:and>
+                <q:equal>
+                    <q:path>c:connectorType</q:path>
+                    <q:value>com.evolveum.polygon.connector.grouper.GrouperConnector</q:value>
+                </q:equal>
+                <q:equal>
+                    <q:path>connectorVersion</q:path>
+                    <q:value>1.0-SNAPSHOT</q:value>
+                </q:equal>
+            </q:and>
+        </filter>
+    </connectorRef>
+    <connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
+        <icfc:configurationProperties xmlns:grpconf="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector.connector-grouper/com.evolveum.polygon.connector.grouper.GrouperConnector">
+            <grpconf:host>comanage_midpoint_data</grpconf:host>
+            <grpconf:port>5432</grpconf:port>
+            <grpconf:userName>grouper</grpconf:userName>
+            <grpconf:password>password</grpconf:password>
+            <grpconf:databaseName>grouper_to_midpoint</grpconf:databaseName>
+        </icfc:configurationProperties>
+        <icfc:resultsHandlerConfiguration>
+            <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
+            <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
+            <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
+	</icfc:resultsHandlerConfiguration>
+        <icfc:legacySchema>true</icfc:legacySchema>
+    </connectorConfiguration>
+
+    <schemaHandling>
+        <objectType>
+            <kind>account</kind>
+            <intent>default</intent>
+            <displayName>Default Account</displayName>
+            <default>true</default>
+            <objectClass>ri:CustomSubjectObjectClass</objectClass>
+
+            <focus>
+                <type>c:UserType</type>
+            </focus>
+
+            <attribute>
+                <ref>ri:subject_id</ref>
+                <inbound>
+                    <target>
+                        <path>$user/name</path>
+                    </target>
+                </inbound>
+            </attribute>
+
+            <!--<attribute>
+                <ref>icfs:uid</ref>
+                <inbound>
+                    <target>
+                        <path>$user/employeeNumber</path>
+                    </target>
+                </inbound>
+            </attribute>-->
+
+            <attribute>
+                <ref>ri:member_of</ref>
+                <fetchStrategy>explicit</fetchStrategy>
+            </attribute>
+            <association>
+                <ref>ri:group</ref>
+                <inbound>
+                    <expression>
+                        <assignmentTargetSearch>
+                            <targetType>c:OrgType</targetType>
+                            <filter>
+                                <q:equal>
+                                    <q:path>name</q:path>
+                                    <expression>
+                                        <script>
+                                            <code>
+
+                                                def attrs = entitlement.getAttributes();
+                                                pcvi = attrs.asPrismContainerValue().getItems();
+                                                def groupName;
+
+                                                for (obj in pcvi){
+                                                    if (obj.isSingleValue()){
+
+                                                        if("uid".equals(obj?.getElementName().toString())){
+
+                                                            groupName = obj?.getValue()?.getRealValue()
+                                                            return groupName
+                                                        }
+                                                    }
+                                                }
+                                                return groupName;
+                                            </code>
+                                        </script>
+                                    </expression>
+                                </q:equal>
+                            </filter>
+                        </assignmentTargetSearch>
+                    </expression>
+                    <target>
+                        <path>assignment</path>
+                    </target>
+                </inbound>
+                <kind>entitlement</kind>
+                <intent>group</intent>
+                <direction>objectToSubject</direction>
+                <associationAttribute>ri:members</associationAttribute>
+                <valueAttribute>icfs:uid</valueAttribute>
+                <shortcutAssociationAttribute>ri:member_of</shortcutAssociationAttribute>
+                <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
+                <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
+            </association>
+
+            <correlation>
+                <correlators>
+                    <items>
+                        <name>unique_index</name>
+                        <item>
+                            <ref>name</ref>
+                        </item>
+                    </items>
+                </correlators>
+            </correlation>
+
+            <synchronization>
+                <reaction>
+                    <situation>unmatched</situation>
+                    <actions>
+                        <addFocus>
+                            <synchronize>true</synchronize>
+                        </addFocus>
+                    </actions>
+                </reaction>
+                <reaction>
+                    <situation>unlinked</situation>
+                    <actions>
+                        <link>
+                            <synchronize>true</synchronize>
+                        </link>
+                    </actions>
+                </reaction>
+                <reaction>
+                    <situation>linked</situation>
+                    <actions>
+                        <synchronize/>
+                    </actions>
+                </reaction>
+            </synchronization>
+
+        </objectType>
+
+        <objectType>
+            <kind>entitlement</kind>
+            <intent>group</intent>
+            <displayName>Group</displayName>
+            <default>true</default>
+            <objectClass>ri:GroupObjectClass</objectClass>
+
+            <focus>
+                <type>c:OrgType</type>
+            </focus>
+
+            <attribute>
+                <ref>icfs:uid</ref>
+                <inbound>
+                    <target>
+                        <path>$focus/name</path>
+                    </target>
+                </inbound>
+            </attribute>
+
+            <attribute>
+                <ref>ri:group_name</ref>
+                <inbound>
+                    <strength>strong</strength>
+                    <target>
+                        <path>extension/grouperName</path>
+                    </target>
+                </inbound>
+                <inbound>
+                    <strength>strong</strength>
+                    <expression>
+                        <script>
+                            <code>
+                                import com.evolveum.midpoint.schema.util.*
+                                import com.evolveum.midpoint.schema.constants.*
+
+                                if (input == null) {
+                                    null
+                                } else {
+                                    archetypeOid = '5f2b96d2-49b5-4a8a-9601-14457309a69b'       // generic-grouper-group archetype
+                                    switch (input) {
+                                        case ~/ref:affiliation:.*/: archetypeOid = '56f53812-047d-4b69-83e8-519a73d161e1'; break;   // affiliation archetype
+                                        case ~/ref:dept:.*/: archetypeOid = '1cec5f78-8fba-459b-9547-ef7485009f40'; break;          // department archetype
+                                        case ~/ref:course:.*/: archetypeOid = '3dab9a72-118b-4e40-a138-bb691c335eca'; break;        // course archetype
+                                        case ~/app:mailinglist:.*/: archetypeOid = '1645d1dc-1f7c-4508-b50b-97b501ccdee3'; break;   // mailing-list archetype
+                                    }
+                                    ObjectTypeUtil.createAssignmentTo(archetypeOid, ObjectTypes.ARCHETYPE, prismContext)
+                                }
+                            </code>
+                        </script>
+                    </expression>
+                    <target>
+                        <path>assignment</path>
+                        <set>
+                            <predefined>all</predefined>
+                        </set>
+                    </target>
+                </inbound>
+            </attribute>
+            <attribute>
+                <ref>ri:display_name</ref>
+                <inbound>
+                    <target>
+                        <path>extension/grouperDisplayName</path>
+                    </target>
+		</inbound>
+                <inbound>
+                    <target>
+                        <path>$focus/displayName</path>
+                    </target>
+                </inbound>
+            </attribute>
+            <attribute>
+                <ref>ri:description</ref>
+                <inbound>
+                    <target>
+                        <path>$focus/description</path>
+                    </target>
+                </inbound>
+            </attribute>
+
+            <attribute>
+                <ref>ri:members</ref>
+                <fetchStrategy>explicit</fetchStrategy>
+            </attribute>
+
+            <correlation>
+                <correlators>
+                    <items>
+                        <name>unique_index</name>
+                        <item>
+                            <ref>name</ref>
+                        </item>
+                    </items>
+                </correlators>
+            </correlation>
+
+            <synchronization>
+                <reaction>
+                    <situation>unmatched</situation>
+                    <actions>
+
+                        <addFocus>
+                            <synchronize>true</synchronize>
+                        </addFocus>
+                    </actions>
+                </reaction>
+                <reaction>
+                    <situation>unlinked</situation>
+                    <actions>
+                        <link>
+                            <synchronize>true</synchronize>
+                        </link>
+                    </actions>
+                </reaction>
+                <reaction>
+                    <situation>linked</situation>
+                    <actions>
+                        <synchronize/>
+                    </actions>
+                </reaction>
+                <reaction>
+                    <situation>deleted</situation>
+		    <actions>
+		        <deleteFocus>
+		            <synchronize>true</synchronize>
+			</deleteFocus>
+                    </actions>
+                </reaction>
+            </synchronization>
+        </objectType>
+
+    </schemaHandling>
+
+    <capabilities>
+        <cachingMetadata>
+            <retrievalTimestamp>2023-05-24T13:23:53.145+02:00</retrievalTimestamp>
+            <serialNumber>d991389de17be20e-55b20a5934dbcc31</serialNumber>
+        </cachingMetadata>
+        <native xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
+            <cap:schema/>
+            <cap:read>
+                <cap:returnDefaultAttributesOption>false</cap:returnDefaultAttributesOption>
+            </cap:read>
+            <cap:testConnection/>
+            <cap:script>
+                <cap:host>
+                    <cap:type>connector</cap:type>
+                </cap:host>
+	    </cap:script>
+	    <cap:liveSync/>
+        </native>
+    </capabilities>
+</resource>
+
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml
deleted file mode 100644
index d57f3c0..0000000
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml
+++ /dev/null
@@ -1,246 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  ~ Copyright (c) 2019 Evolveum and contributors
-  ~
-  ~ This work is dual-licensed under the Apache License 2.0
-  ~ and European Union Public License. See LICENSE file for details.
-  -->
-
-<resource oid="1eff65de-5bb6-483d-9edf-8cc2c2ee0233"
-		  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
-          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
-          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
-		  xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
-		  xmlns:rest="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-grouper-rest/com.evolveum.polygon.connector.grouper.rest.GrouperConnector"
-		  xmlns:conf="http://midpoint.evolveum.com/xml/ns/public/connector/builtin-1/bundle/com.evolveum.midpoint.provisioning.ucf.impl.builtin.async.update/AsyncUpdateConnector"
-          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-
-    <name>Source: Groups</name>
-    <description>Groups from Grouper</description>
-    <connectorRef type="c:ConnectorType">
-        <filter>
-            <q:equal>
-                <q:path>connectorType</q:path>
-                <q:value>com.evolveum.polygon.connector.grouper.rest.GrouperConnector</q:value>
-            </q:equal>
-        </filter>
-    </connectorRef>
-    <connectorConfiguration>
-        <icfc:configurationProperties>
-            <rest:baseUrl>https://grouper-ws:443</rest:baseUrl>
-            <rest:username>banderson</rest:username>
-            <rest:password>password1</rest:password>
-            <rest:testStem>:</rest:testStem>
-            <!-- no testGroup: we cannot be sure that banderson is a member of sysadmingroup when doing the first test -->
-            <rest:baseStem>:</rest:baseStem>
-            <rest:groupIncludePattern>app:.*</rest:groupIncludePattern>
-            <rest:groupIncludePattern>test:.*</rest:groupIncludePattern>
-            <rest:groupIncludePattern>ref:.*</rest:groupIncludePattern>
-            <rest:groupExcludePattern>.*_(includes|excludes|systemOfRecord|systemOfRecordAndIncludes)</rest:groupExcludePattern>
-            <rest:subjectSource>ldap</rest:subjectSource>
-            <rest:ignoreSslValidation>true</rest:ignoreSslValidation>
-        </icfc:configurationProperties>
-        <icfc:resultsHandlerConfiguration>
-            <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
-            <icfc:enableFilteredResultsHandler>true</icfc:enableFilteredResultsHandler>
-            <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
-        </icfc:resultsHandlerConfiguration>
-    </connectorConfiguration>
-        <additionalConnector>
-        <name>AMQP async update connector</name>
-        <connectorRef type="c:ConnectorType">
-            <filter>
-                <q:equal>
-                    <q:path>connectorType</q:path>
-                    <q:value>AsyncUpdateConnector</q:value>
-                </q:equal>
-            </filter>
-        </connectorRef>
-        <connectorConfiguration>
-            <conf:sources>
-                <amqp091>
-                    <uri>amqp://mq:5672</uri>
-                    <username>guest</username>
-                    <password>password</password>
-                    <queue>sampleQueue</queue>
-                </amqp091>
-            </conf:sources>
-            <conf:transformExpression>
-                <script>
-                    <code>
-                        // ------------------ START OF CONFIGURATION ------------------
-
-                        parameters = [
-                            groupIncludePattern: [ 'app:.*', 'test:.*', 'ref:.*' ],
-                            groupExcludePattern: [ '.*_(includes|excludes|systemOfRecord|systemOfRecordAndIncludes)' ],
-                            relevantSourceId: 'ldap'
-                        ]
-
-                        // ------------------ END OF CONFIGURATION ------------------
-
-                        parameters.put('message', message)
-                        grouper.execute('createUcfChange', parameters)
-                    </code>
-                </script>
-            </conf:transformExpression>
-        </connectorConfiguration>
-    </additionalConnector>
-    <schemaHandling>
-        <objectType>
-            <kind>entitlement</kind>
-            <intent>group</intent>
-            <objectClass>ri:Group</objectClass>
-            <default>true</default>
-            <attribute>
-                <ref>ri:name</ref>
-                <inbound>
-                    <strength>strong</strength>
-                    <target>
-                        <path>extension/grouperName</path>
-                    </target>
-                </inbound>
-                <inbound>
-                    <strength>strong</strength>
-                    <expression>
-                        <script>
-                            <code>
-                                import com.evolveum.midpoint.schema.util.*
-                                import com.evolveum.midpoint.schema.constants.*
-                                
-                                if (input == null) {
-                                    null
-                                } else {
-                                    archetypeOid = '5f2b96d2-49b5-4a8a-9601-14457309a69b'       // generic-grouper-group archetype
-                                    switch (input) {
-                                        case ~/ref:affiliation:.*/: archetypeOid = '56f53812-047d-4b69-83e8-519a73d161e1'; break;   // affiliation archetype
-                                        case ~/ref:dept:.*/: archetypeOid = '1cec5f78-8fba-459b-9547-ef7485009f40'; break;          // department archetype
-                                        case ~/ref:course:.*/: archetypeOid = '3dab9a72-118b-4e40-a138-bb691c335eca'; break;        // course archetype
-                                        case ~/app:mailinglist:.*/: archetypeOid = '1645d1dc-1f7c-4508-b50b-97b501ccdee3'; break;   // mailing-list archetype
-                                    }
-                                    ObjectTypeUtil.createAssignmentTo(archetypeOid, ObjectTypes.ARCHETYPE, prismContext)
-                                }
-                            </code>
-                        </script>
-                    </expression>
-                    <target>
-                        <path>assignment</path>
-                        <set>
-                            <predefined>all</predefined>    <!--  we tolerate no other assignments -->
-                        </set>
-                    </target>
-                </inbound>
-                <inbound>
-                    <strength>strong</strength>
-                    <expression>
-                        <assignmentTargetSearch xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:AssignmentTargetSearchExpressionEvaluatorType">
-                            <targetType>RoleType</targetType>
-                            <oid>30082d24-0bea-4f22-b558-d0ee2a399c38</oid>
-                        </assignmentTargetSearch>
-                    </expression>
-                    <target>
-                        <path>assignment</path>
-                        <set>
-                            <predefined>all</predefined>
-                        </set>
-                    </target>
-                    <condition>
-                        <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
-                            <code>
-                             input.startsWith('app:wordpress:editors')
-                          </code>
-                        </script>
-                    </condition>
-                </inbound>
-                <inbound>
-                    <strength>strong</strength>
-                    <expression>
-                        <assignmentTargetSearch xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:AssignmentTargetSearchExpressionEvaluatorType">
-                            <targetType>RoleType</targetType>
-                            <oid>9e5a82fc-7969-4fd8-9f74-e0857969cdbb</oid>
-                        </assignmentTargetSearch>
-                    </expression>
-                    <target>
-                        <path>assignment</path>
-                        <set>
-                            <predefined>all</predefined>
-                        </set>
-                    </target>
-                    <condition>
-                        <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
-                            <code>
-                             input.startsWith('app:wordpress:admins')
-                          </code>
-                        </script>
-                    </condition>
-                </inbound>
-            </attribute>
-            <attribute>
-                <ref>ri:member</ref>
-                <fetchStrategy>explicit</fetchStrategy>
-                <storageStrategy>indexOnly</storageStrategy>
-            </attribute>
-        </objectType>
-    </schemaHandling>
-    <synchronization>
-        <objectSynchronization>
-            <enabled>true</enabled>
-            <kind>entitlement</kind>
-            <intent>group</intent>
-            <objectClass>ri:Group</objectClass>
-            <focusType>OrgType</focusType>
-            <correlation>
-                <q:equal>
-                    <q:path>extension/grouperName</q:path>
-                    <expression>
-                        <path>$projection/attributes/name</path>
-                    </expression>
-                </q:equal>
-            </correlation>
-            <reaction>
-                <situation>linked</situation>
-                <channel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#asyncUpdate</channel>
-                <condition>
-                    <script>
-                        <code>import com.evolveum.midpoint.prism.path.ItemPath
-                        import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType
-
-                        // member-only updates should _NOT_ be synchronized
-                        resourceObjectDelta != null &amp;&amp; resourceObjectDelta.isModify() &amp;&amp;
-                                resourceObjectDelta.modifications.size() == 1 &amp;&amp;
-                                ItemPath.create(ShadowType.F_ATTRIBUTES, 'member').equivalent(resourceObjectDelta.modifications.iterator().next().path)
-                        </code>
-                    </script>
-                </condition>
-                <synchronize>false</synchronize>
-            </reaction>
-            <reaction>
-                <situation>linked</situation>
-                <synchronize>true</synchronize>
-            </reaction>
-            <reaction>
-                <situation>deleted</situation>
-                <!-- a separate task will take care of deleted groups -->
-                <!-- we don't even need to unlink the shadow -->
-                <synchronize>true</synchronize>
-            </reaction>
-            <reaction>
-                <situation>unlinked</situation>
-                <action>
-                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
-                </action>
-            </reaction>
-            <reaction>
-                <situation>unmatched</situation>
-                <action>
-                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
-                </action>
-            </reaction>
-        </objectSynchronization>
-    </synchronization>
-    <caching>
-        <cachingStategy>passive</cachingStategy>
-    </caching>
-</resource>
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-grouper-provided-group.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-grouper-provided-group.xml
index 03e0b57..a9351a4 100644
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-grouper-provided-group.xml
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-grouper-provided-group.xml
@@ -90,97 +90,6 @@
                 </target>
             </mapping>
 
-            <mapping>
-                <name>name</name>
-                <description>This mapping fills-in org name (e.g. 'affiliation_member') from identifier (e.g. 'member').
-                It uses extension/midPointNamePrefix information from the archetype (e.g. 'affiliation_' defined in affiliation archetype)</description>
-                <strength>strong</strength>
-                <source>
-                    <path>identifier</path>
-                </source>
-                <expression>
-                    <script>
-                        <code>
-                            if (identifier == null) {
-                                null
-                            } else {
-                                // e.g. identifier = 'member'
-                                archetype = assignmentPath[-2].source         // e.g. affiliation archetype
-                                if (archetype == null) {
-                                    throw new IllegalStateException('No archetype in assignment path: ' + assignmentPath)
-                                }
-                                prefix = basic.getExtensionPropertyValue(archetype, 'midPointNamePrefix')        // e.g. 'affiliation_'
-                                prefix + identifier                                                             // e.g. 'affiliation_member'
-                            }
-                        </code>
-                    </script>
-                </expression>
-                <target>
-                    <path>name</path>
-                </target>
-            </mapping>
-            
-            <mapping>
-                <name>displayName</name>
-                <description>This mapping fills-in org displayName (e.g. 'Affiliation: member') from identifier (e.g. 'member').
-                It uses extension/midPointDisplayNamePrefix information from the archetype (e.g. 'Affiliation: ' defined in affiliation archetype)</description>
-                <strength>strong</strength>
-                <source>
-                    <path>identifier</path>
-                </source>
-                <expression>
-                    <script>
-                        <code>
-                            if (identifier == null) {
-                                null
-                            } else {
-                                archetype = assignmentPath[-2].source                                                        // e.g. affiliation archetype
-                                if (archetype == null) {
-                                    throw new IllegalStateException('No archetype in assignment path: ' + assignmentPath)
-                                }
-                                prefix = basic.getExtensionPropertyValue(archetype, 'midPointDisplayNamePrefix')         // e.g. 'Affiliation: '
-                                prefix + identifier                                                                     // e.g. 'Affiliation: member'
-                            }
-                        </code>
-                    </script>
-                </expression>
-                <target>
-                    <path>displayName</path>
-                </target>
-            </mapping>
-            <mapping>
-                <name>lifecycle state</name>
-                <description>This mapping sets org lifecycle state to be either "active" or "retired", depending on
-                    whether Grouper group for this org still exists. Orgs in the latter state are on the way to deletion:
-                    their members are unassigned and after no members are there, the org is automatically deleted.</description>
-                <strength>strong</strength>
-                <expression>
-                    <script>
-                        <code>
-                            import com.evolveum.midpoint.model.impl.expr.*
-                            import com.evolveum.midpoint.schema.*
-                            import com.evolveum.midpoint.xml.ns._public.common.common_3.*
-                            import com.evolveum.midpoint.model.common.expression.ModelExpressionThreadLocalHolder
-                            import com.evolveum.midpoint.model.api.context.ProjectionContextKey
-
-                            GROUPER_RESOURCE_OID = '1eff65de-5bb6-483d-9edf-8cc2c2ee0233'
-
-                            modelContext = ModelExpressionThreadLocalHolder.lensContext
-
-                            if (modelContext.findProjectionContextByKeyExact(ProjectionContextKey.classified(GROUPER_RESOURCE_OID, ShadowKindType.ENTITLEMENT, 'group', null)) != null) {
-                                log.info('Projection context for Grouper group found, marking as "active"')
-                                'active'
-                            } else {
-                                log.info('No projection context for Grouper group, marking as "retired"')
-                                'retired'
-                            }
-                        </code>
-                    </script>
-                </expression>
-                <target>
-                    <path>lifecycleState</path>
-                </target>
-            </mapping>
         </focusMappings>
         
         <!-- 
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml
index 73b6c7f..5ac96fb 100644
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml
@@ -8,6 +8,7 @@
 <systemConfiguration oid="00000000-0000-0000-0000-000000000001" version="0"
                      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+                     xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
                      xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
                      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
                      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
@@ -129,6 +130,45 @@
             </state>
         </lifecycleStateModel>
     </defaultObjectPolicyConfiguration>
+    <globalPolicyRule>
+        <focusSelector>
+            <type>OrgType</type>
+        </focusSelector>
+        <name>unassign-children-on-org-deletion</name>
+        <documentation>
+            Unassigns members when an org is deleted.
+        </documentation>
+        <policyConstraints>
+            <modification>
+                <operation>delete</operation>
+            </modification>
+        </policyConstraints>
+        <policyActions>
+            <scriptExecution>
+                <object>
+                    <linkSource/> <!-- all objects linked to the current focus -->
+                </object>
+                <executeScript>
+                    <s:unassign>
+                        <s:filter>
+                            <q:ref>
+                                <!-- all assignments targeting the current focus -->
+                                <q:path>targetRef</q:path>
+                                <expression>
+                                    <script>
+                                        <code>
+                                            import com.evolveum.midpoint.schema.util.ObjectTypeUtil
+                                            ObjectTypeUtil.createObjectRef(focus.oid)
+                                        </code>
+                                    </script>
+                                </expression>
+                            </q:ref>
+                        </s:filter>
+                    </s:unassign>
+                </executeScript>
+            </scriptExecution>
+        </policyActions>
+    </globalPolicyRule>
     <cleanupPolicy>
         <auditRecords>
             <maxAge>P3M</maxAge>
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/550-task-grouper-groups-livesync.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/550-task-grouper-groups-livesync.xml
new file mode 100644
index 0000000..c916cf4
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/550-task-grouper-groups-livesync.xml
@@ -0,0 +1,31 @@
+<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+      oid="5a821505-7318-4364-9a2f-501b8bf30b44">
+    <name>Groups: Group Livesync</name>
+    <description>Grouper live synchronization task for groups. It will poll changelog and pull in changes</description>
+    <taskIdentifier>1494860533840-0-1</taskIdentifier>
+    <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
+    <dependent>1494860534232132-0-1</dependent>
+    <executionStatus>running</executionStatus>
+    <category>Recomputation</category>
+    <indestructible>true</indestructible>
+    <objectRef oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2" type="c:ResourceType"/>
+    <binding>tight</binding>
+    <schedule>
+        <recurrence>recurring</recurrence>
+        <interval>5</interval>
+    </schedule>
+    <activity>
+        <work>
+            <liveSynchronization>
+                <resourceObjects>
+                    <resourceRef oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2"/>
+                    <objectclass>GroupObjectClass</objectclass>
+                </resourceObjects>
+            </liveSynchronization>
+        </work>
+    </activity>
+</task>
+
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/550-task-grouper-users-livesync.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/550-task-grouper-users-livesync.xml
new file mode 100644
index 0000000..007f6f1
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/550-task-grouper-users-livesync.xml
@@ -0,0 +1,31 @@
+<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+      oid="1c59ebd0-39e4-4ed4-9779-4c29f56b3d6d">
+    <name>Groups: User Livesync</name>
+    <description>Grouper live synchronization task for users. It will poll changelog and pull in changes</description>
+    <taskIdentifier>1494860534232132-0-1</taskIdentifier>
+    <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
+    <executionStatus>waiting</executionStatus>
+    <waitingReason>otherTasks</waitingReason>
+    <category>Recomputation</category>
+    <indestructible>true</indestructible>
+    <objectRef oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2" type="c:ResourceType"/>
+    <binding>tight</binding>
+    <schedule>
+        <recurrence>recurring</recurrence>
+        <interval>5</interval>
+    </schedule>
+    <activity>
+        <work>
+            <liveSynchronization>
+                <resourceObjects>
+                    <resourceRef oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2"/>
+                    <objectclass>CustomSubjectObjectClass</objectclass>
+                </resourceObjects>
+            </liveSynchronization>
+        </work>
+    </activity>
+</task>
+
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/610-task-reconcile-grouper-groups.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/610-task-reconcile-grouper-groups.xml
new file mode 100644
index 0000000..e0d378e
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/610-task-reconcile-grouper-groups.xml
@@ -0,0 +1,51 @@
+<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="22625b6c-e9a7-4151-88f8-013abb1cc158" version="410">
+    <name>Groups: Reconcile groups/entitlements</name>
+
+    <assignment id="1">
+        <targetRef oid="00000000-0000-0000-0000-000000000501" relation="org:default" type="c:ArchetypeType">
+            <!-- Reconciliation task -->
+        </targetRef>
+        <activation>
+            <effectiveStatus>enabled</effectiveStatus>
+        </activation>
+    </assignment>
+    <iteration>0</iteration>
+    <iterationToken/>
+    <archetypeRef oid="00000000-0000-0000-0000-000000000501" relation="org:default" type="c:ArchetypeType">
+        <!-- Reconciliation task -->
+    </archetypeRef>
+    <roleMembershipRef oid="00000000-0000-0000-0000-000000000501" relation="org:default" type="c:ArchetypeType">
+        <!-- Reconciliation task -->
+    </roleMembershipRef>
+    <taskIdentifier>1689973935302-20962-1</taskIdentifier>
+    <ownerRef oid="e897468f-20bd-419c-8fc5-1fe60e2600de" relation="org:default" type="c:UserType">
+        <!-- banderson -->
+    </ownerRef>
+    <executionState>runnable</executionState>
+    <schedulingState>ready</schedulingState>
+    <category>Reconciliation</category>
+    <resultStatus>success</resultStatus>
+    <objectRef oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2" relation="org:default" type="c:ResourceType">
+        <!-- Source: Groups-New -->
+    </objectRef>
+    <progress>33</progress>
+    <binding>loose</binding>
+    <schedule>
+        <interval>900</interval>
+    </schedule>
+    <activity>
+        <work>
+            <reconciliation>
+                <resourceObjects>
+                    <resourceRef oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2" relation="org:default" type="c:ResourceType">
+                        <!-- Source: Groups-New -->
+                    </resourceRef>
+                    <kind>entitlement</kind>
+                    <intent>group</intent>
+                    <objectclass>ri:GroupObjectClass</objectclass>
+                </resourceObjects>
+            </reconciliation>
+        </work>
+    </activity>
+</task>
+
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/630-task-reconcile-grouper-users.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/630-task-reconcile-grouper-users.xml
new file mode 100644
index 0000000..9c0e32b
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/630-task-reconcile-grouper-users.xml
@@ -0,0 +1,64 @@
+<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="95539396-14ce-4787-aaa8-c93e2aacfbc0" version="125">
+    <name>Groups: Reconcile Users/accounts</name>
+    <assignment id="1">
+        <metadata>
+            <requestTimestamp>2023-07-21T21:12:58.938Z</requestTimestamp>
+            <requestorRef oid="e897468f-20bd-419c-8fc5-1fe60e2600de" relation="org:default" type="c:UserType">
+                <!-- banderson -->
+            </requestorRef>
+            <createTimestamp>2023-07-21T21:12:58.953Z</createTimestamp>
+            <creatorRef oid="e897468f-20bd-419c-8fc5-1fe60e2600de" relation="org:default" type="c:UserType">
+                <!-- banderson -->
+            </creatorRef>
+            <createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</createChannel>
+        </metadata>
+        <targetRef oid="00000000-0000-0000-0000-000000000501" relation="org:default" type="c:ArchetypeType">
+            <!-- Reconciliation task -->
+        </targetRef>
+        <activation>
+            <effectiveStatus>enabled</effectiveStatus>
+        </activation>
+    </assignment>
+    <iteration>0</iteration>
+    <iterationToken/>
+    <archetypeRef oid="00000000-0000-0000-0000-000000000501" relation="org:default" type="c:ArchetypeType">
+        <!-- Reconciliation task -->
+    </archetypeRef>
+    <roleMembershipRef oid="00000000-0000-0000-0000-000000000501" relation="org:default" type="c:ArchetypeType">
+        <!-- Reconciliation task -->
+    </roleMembershipRef>
+    <taskIdentifier>1689973978954-20962-1</taskIdentifier>
+    <ownerRef oid="e897468f-20bd-419c-8fc5-1fe60e2600de" relation="org:default" type="c:UserType">
+        <!-- banderson -->
+    </ownerRef>
+    <executionState>runnable</executionState>
+    <schedulingState>ready</schedulingState>
+    <category>Reconciliation</category>
+    <resultStatus>success</resultStatus>
+    <objectRef oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2" relation="org:default" type="c:ResourceType">
+        <!-- Source: Groups-New -->
+    </objectRef>
+    <lastRunStartTimestamp>2023-07-21T22:20:16.993Z</lastRunStartTimestamp>
+    <lastRunFinishTimestamp>2023-07-21T22:20:33.812Z</lastRunFinishTimestamp>
+    <completionTimestamp>2023-07-21T21:15:14.922Z</completionTimestamp>
+    <progress>98</progress>
+    <binding>loose</binding>
+    <schedule>
+	<interval>900</interval>
+    </schedule>
+    <activity>
+        <work>
+            <reconciliation>
+                <resourceObjects>
+                    <resourceRef oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2" relation="org:default" type="c:ResourceType">
+                        <!-- Source: Groups-New -->
+                    </resourceRef>
+                    <kind>account</kind>
+                    <intent>default</intent>
+                    <objectclass>ri:CustomSubjectObjectClass</objectclass>
+                </resourceObjects>
+            </reconciliation>
+        </work>
+    </activity>
+</task>
+
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/995-task-group-scavenger.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/995-task-group-scavenger.xml
deleted file mode 100644
index a4213aa..0000000
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/995-task-group-scavenger.xml
+++ /dev/null
@@ -1,86 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  ~ Copyright (c) 2019 Evolveum and contributors
-  ~
-  ~ This work is dual-licensed under the Apache License 2.0
-  ~ and European Union Public License. See LICENSE file for details.
-  -->
-
-<!--
-
-Looks for groups with the lifecycleState of 'retired' and completes their deletion:
- - unassigns all the users (simply by recomputing them)
-
--->
-
-<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-	  xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-	  xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
-	  xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
-	  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	  xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
-	  xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"
-	  oid="1d7bef40-953e-443e-8e9a-ec6e313668c4">
-	<name>Groups: Group Scavenger</name>
-	<extension>
-		<scext:executeScript>
-			<s:action>
-				<s:type>execute-script</s:type>
-				<s:parameter>
-					<s:name>script</s:name>
-					<c:value xsi:type="c:ScriptExpressionEvaluatorType">
-						<c:code>import com.evolveum.midpoint.xml.ns._public.common.common_3.*
-
-						result = midpoint.currentResult
-						log.info('Processing dead group: {}', input)
-						query = prismContext.queryFor(UserType.class)
-								.item(UserType.F_ROLE_MEMBERSHIP_REF).ref(input.oid)
-								.build()
-						members = midpoint.repositoryService.searchObjects(UserType.class, query, null, result)
-						log.info('Found {} members: {}', members.size(), members)
-
-						for (member in members) {
-							log.info('Going to recompute {}', member)
-							try {
-								midpoint.recompute(UserType.class, member.oid)
-							} catch (Throwable t) {
-								log.error('Couldn\'t recompute {}: {}', member, t.message, t)
-							}
-						}
-						log.info('Members recomputed; checking if the org is still in "retired" state')
-						orgAfter = midpoint.repositoryService.getObject(OrgType.class, input.oid, null, result)
-						currentState = orgAfter.asObjectable().lifecycleState
-						log.info('Current state = {}', currentState)
-						if (currentState == 'retired') {
-							log.info('Deleting the org: {}', orgAfter)
-							midpoint.deleteObject(OrgType.class, orgAfter.oid, null)
-						} else {
-							log.info('State has changed, not deleting the org: {}', orgAfter)
-						}
-						log.info('Dead group processing done: {}', input)
-						</c:code>
-					</c:value>
-				</s:parameter>
-			</s:action>
-		</scext:executeScript>
-		<mext:objectType>OrgType</mext:objectType>
-		<mext:objectQuery>
-			<q:filter>
-				<q:equal>
-					<q:path>lifecycleState</q:path>
-					<q:value>retired</q:value>
-				</q:equal>
-			</q:filter>
-		</mext:objectQuery>
-	</extension>
-	<assignment>
-		<targetRef oid="00000000-0000-0000-0000-000000000509" type="ArchetypeType" /> <!-- Iterative bulk action task -->
-	</assignment>
-	<ownerRef oid="00000000-0000-0000-0000-000000000002"/>
-	<executionStatus>runnable</executionStatus>
-	<category>BulkActions</category>
-	<recurrence>recurring</recurrence>
-	<schedule>
-		<interval>60</interval>
-	</schedule>
-</task>
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/997-task-async-update-grouper.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/997-task-async-update-grouper.xml
deleted file mode 100644
index fbd150f..0000000
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/997-task-async-update-grouper.xml
+++ /dev/null
@@ -1,40 +0,0 @@
-<!--
-  ~ Copyright (c) 2010-2019 Evolveum
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~     http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-
-<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-	  xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-	  xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
-	  oid="47fc57bd-8c34-4555-9b9f-7087ff179860">
-	<name>Groups: Live updates</name>
-	<extension xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">
-		<mext:workerThreads>1</mext:workerThreads>
-	</extension>
-	<assignment>
-		<targetRef oid="00000000-0000-0000-0000-000000000505" type="ArchetypeType" /> <!-- Asynchronous update task -->
-	</assignment>
-	<taskIdentifier>1552664339630-0-2</taskIdentifier>
-	<ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType">
-		<!-- administrator -->
-	</ownerRef>
-	<executionStatus>runnable</executionStatus>
-	<category>AsynchronousUpdate</category>
-	<objectRef oid="1eff65de-5bb6-483d-9edf-8cc2c2ee0233" relation="org:default" type="c:ResourceType">
-		<!-- Grouper Resource -->
-	</objectRef>
-	<recurrence>single</recurrence>
-	<binding>loose</binding>
-	<threadStopAction>restart</threadStopAction>
-</task>
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/998-task-reconciliation-grouper-groups.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/998-task-reconciliation-grouper-groups.xml
deleted file mode 100644
index 5180680..0000000
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/tasks/998-task-reconciliation-grouper-groups.xml
+++ /dev/null
@@ -1,43 +0,0 @@
-<!--
-  ~ Copyright (c) 2010-2019 Evolveum
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~     http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-
-<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-	  xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-	  xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
-	  xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
-	  oid="605a0127-a313-442a-9d5e-151eac8b0745">
-	<name>Groups: Full Reconciliation</name>
-	<extension xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">
-		<mext:objectclass>ri:Group</mext:objectclass>
-	</extension>
-	<assignment>
-		<targetRef oid="00000000-0000-0000-0000-000000000501" type="ArchetypeType" /> <!-- Reconciliation task -->
-	</assignment>
-	<ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType">
-		<!-- administrator -->
-	</ownerRef>
-   <dependent>1494860531232132-0-2</dependent>
-    <taskIdentifier>1494860531232132-0-1</taskIdentifier>
-	<executionStatus>waiting</executionStatus>
-   <waitingReason>otherTasks</waitingReason>
-	<category>Reconciliation</category>
-	<objectRef oid="1eff65de-5bb6-483d-9edf-8cc2c2ee0233" relation="org:default" type="c:ResourceType">
-		<!-- Grouper Resource -->
-	</objectRef>
-	<recurrence>single</recurrence>
-	<binding>loose</binding>
-	<threadStopAction>restart</threadStopAction>
-</task>
diff --git a/Workbench/midpoint_server/container_files/mp-home/schema/internet2.xsd b/Workbench/midpoint_server/container_files/mp-home/schema/internet2.xsd
index e09d7ae..9dac09f 100644
--- a/Workbench/midpoint_server/container_files/mp-home/schema/internet2.xsd
+++ b/Workbench/midpoint_server/container_files/mp-home/schema/internet2.xsd
@@ -65,6 +65,7 @@
     </xsd:annotation>
     <xsd:sequence>
         <xsd:element name="grouperName" type="xsd:string" minOccurs="0"/>
+        <xsd:element name="grouperDisplayName" type="xsd:string" minOccurs="0"/>
         <xsd:element name="ldapDn" type="xsd:string" minOccurs="0"/>
     </xsd:sequence>
   </xsd:complexType>  
diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html
index 06ea312..1d8da5e 100644
--- a/Workbench/webproxy/container_files/httpd/index.html
+++ b/Workbench/webproxy/container_files/httpd/index.html
@@ -13,7 +13,7 @@ <h3>Welcome to the InCommon TAP Workbench!</h3>
 <li><a href="https://__CSPHOSTNAME__/midpoint" target="TAP-WB-MIDPOINT">midPoint (4.6)</a></li>
 <ul><li><a href="https://__CSPHOSTNAME__/midPoint-doc.html" target="TAP-WB-MIDPOINT-CONFIG">Technical doc on midPoint's configuration</a></li></ul>
 <li><a href="https://__CSPHOSTNAME__/registry" target="TAP-WB-COMANAGE">COmanage Registry (4.1.0)</a></li>
-<li><a href="https://__CSPHOSTNAME__/idpui/" target="TAP-WB-IDPUI">Shibboleth IdP UI (1.17.4)</a></li>
+<li><a href="https://__CSPHOSTNAME__/idpui/" target="TAP-WB-IDPUI">Shibboleth IdP UI (1.18.0)</a></li>
 </ul>
 
 <br />