diff --git a/shibM.adoc b/shibM.adoc
index 0114328..7322a02 100644
--- a/shibM.adoc
+++ b/shibM.adoc
@@ -2,10 +2,43 @@
 
 All that’s needful
 
-. Protect the admin GUI with shib
-.. Edit .../midpoint.conf.auth.shibboleth to match this file: https://github.internet2.edu/docker/midPoint_container/blob/master/container_files/httpd/conf/midpoint.conf.auth.shibboleth
+* Protect the admin GUI with shib
+** Edit .../midpoint.conf.auth.shibboleth to match this file: https://github.internet2.edu/docker/midPoint_container/blob/master/container_files/httpd/conf/midpoint.conf.auth.shibboleth
+** Set the user name header to REMOTE_USER: Edit .../SecurityPolicy.xml
+[source,xml]
+----
+<modules>
+...
+  <httpHeader>
+    <name>httpHeader</name>
+    <logoutUrl>https://localhost:8443/Shibboleth.sso/Logout</logoutUrl>
+    <usernameHeader>REMOTE_USER</usernameHeader>
+  </httpHeader>
+</modules>...
+----
+
+** Set authentication via Shibboleth in the flexible authentication section of SecurityPolicy.xml. Include the following in the list of <sequence> statements that follow after </modules>
+
+[source,xml]
+----
+        <sequence>
+            <name>admin-gui-default</name>
+            <description>
+                Special GUI authentication sequence using Shibboleth SP
+            </description>
+            <channel>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
+                <default>true</default>
+                <urlSuffix>shib</urlSuffix>
+            </channel>
+            <module>
+                <name>httpHeader</name>
+                <order>30</order>
+                <necessity>sufficient</necessity>
+            </module>
+        </sequence>
+----
 
-. mP sec pol: HTTP header module to use REMOTE_USER
 
 ### Links to documentation