diff --git a/.DS_Store b/.DS_Store index 786a627..88daab5 100644 Binary files a/.DS_Store and b/.DS_Store differ diff --git a/.nojekyll b/.nojekyll new file mode 100644 index 0000000..e69de29 diff --git a/async-message-resources.adoc b/async-message-resources.adoc deleted file mode 100644 index 594705d..0000000 --- a/async-message-resources.adoc +++ /dev/null @@ -1,46 +0,0 @@ -# Async Message Resources - -#### The Protocol -https://www.amqp.org/specification/0-9-1/amqp-org-download - <= AMQP Protocol 0.9.1 + -http://docs.oasis-open.org/amqp/core/v1.0/amqp-core-complete-v1.0.pdf - <= AMQP Core Complete v1.0 (pdf) + - -#### Rabbit AMQP -https://rabbitmq.com/reliability.html - <= + -https://rabbitmq.com/download.html - <= download and install page + -https://github.com/rabbitmq/rabbitmq-server - <= + -https://rabbitmq.com/documentation.html - <= + -https://rabbitmq.com/configure.html - <= + -https://rabbitmq.com/queues.html - <= + - -#### Apache QPID -https://qpid.apache.org/index.html - <= + -https://github.com/amqphub/quarkus-qpid-jms-quickstart - <= + - -#### Intros and Tutorials - -https://ably.com/topic/intro-to-amqp-0-9-1 - <= AMQP 0.9.1 + -https://ably.com/topic/intro-to-amqp-1-0 - <= AMQP 1.0 + -https://jstobigdata.com/rabbitmq/complete-rabbitmq-tutorial-in-java/ - <= + -https://spring.io/projects/spring-amqp - <= + - -#### Challenges: Ordering of Event -https://medium.com/baseds/ordering-distributed-events-29c1dd9d1eff - <= + -https://medium.com/baseds/logical-time-and-lamport-clocks-part-1-d0317e407112 - <= + -https://medium.com/baseds/logical-time-and-lamport-clocks-part-2-272c097dcdda - <= + diff --git a/docSystem.adoc b/docSystem.adoc new file mode 100644 index 0000000..e3baed3 --- /dev/null +++ b/docSystem.adoc 
@@ -0,0 +1,78 @@ +docSystems.adoc + + +- - - +_2023-10-18 12:03 chat w SteveZ_ + +I associate hierarchy with + +- The organization of a book, + - logical sequence of topics, + - simple to complex + - (book, chapter, verse,..) + +- Tree of life (sub-class relations) Kingdom,Phylum,C,O,F,Genus,Species https://images.squarespace-cdn.com/content/5f02d28f35d64d2a5022eeb1/ed2fcad4-bf94-494e-90cc-647d8943a630/30.png?format=1500w&content-type=image%2Fpng[] + +. + +- - - +I'd appreciate your reactions to some thoughts I had about the Grouper Survey Initial Recommendations: https://docs.google.com/document/d/1uWRomgUflT6Ec03vo-tL795XUUr2HdpU0WrVLZC-Yvs/edit?usp=sharing[] + +Page Warnings +- Experimental +- Since +- Deprecated +- Obsolete +- Replaced By +- Outdated + + +*- Steve Zoppi -* + +I have a similar "sense" of those taxonomies from the survey feedback too... + +I think that the missing "prescription" is how to maintain documentation in alignment with the version - so right now (the way you've written it up) it lacks the information hierarchy ands presumes "tagging" may be the primary means of categorizing a given article or document. + +The thing I'm wrestling with (in my head) is +- the _information hierarchy_ that encapsulates _each group_ of documents. + +I don't have good answers (yet) but I'm considering that there needs to be +- _two branches_ (at least) of hierarchy: +(1) Global/Persistent Concepts and Facilities artifacts/documents/articles +(2) Ephemeral/Version-bound artifacts/documents/articles. 
+ +- - - +_2023-04-06 11:18:07 Setting up evolveum-like doc site_ + +https://docs.evolveum.com/about/jekyll-environment/[] <- install, config, build, run jekyll site + + +*- local jekyll instance of Evolveum Docs running: -* + +http://localhost:4000/ + + +- - - +_2023-04-04 11:28:40 adding commenting to a static site_ + +https://github.com/eduardoboucas/staticman[] <- open source commenting system + +https://staticman.net/docs/index.html[] + +https://mademistakes.com/mastering-jekyll/static-comments-improved/[] <- staticman plus + + +https://averagelinuxuser.com/static-website-commenting/[] + +https://docs.evolveum.com/about/jekyll-environment/[] + + +https://remark42.com/docs/getting-started/installation/[] + + +https://simondosda.github.io/posts/2021-09-13-blog-github-pages-1-introduction.html[] + +... + +https://simondosda.github.io/posts/2021-09-17-blog-github-pages-5-comment-1.html[] + +https://simondosda.github.io/posts/2021-09-18-blog-github-pages-6-comment-2.html[] + + +- - - +_2023-04-03 13:11:12 evolveum approach to documentation_ + +https://docs.evolveum.com/about/writing-documentation/[] <- ref manual for Evolveum Documentation + +https://docs.evolveum.com/about/jekyll-environment/[] <- setting up jekyll +https://github.com/Evolveum/docs/[] <- Source Code of Evolveum Documentation Site + +https://docs.evolveum.com/about/asciidoc/[] + + +- - - diff --git a/docs/.nojekyll b/docs/.nojekyll new file mode 100644 index 0000000..e69de29 diff --git a/Documentation-as-DevOps.adoc b/docs/Documentation-as-DevOps.adoc similarity index 100% rename from Documentation-as-DevOps.adoc rename to docs/Documentation-as-DevOps.adoc diff --git a/GrouperDMview.adoc b/docs/GrouperDMview.adoc similarity index 100% rename from GrouperDMview.adoc rename to docs/GrouperDMview.adoc diff --git a/docs/IAMfuncBTAAsurvey-0.adoc b/docs/IAMfuncBTAAsurvey-0.adoc new file mode 100644 index 0000000..d926a69 --- /dev/null +++ b/docs/IAMfuncBTAAsurvey-0.adoc 
@@ -0,0 +1,290 @@ + +==== Identity Provisioning Category (1) +- Identity Matching +** Does the product provide an identity matching service? + +** Describe how the identity matching service is configured, and any scoring or weighting of attributes? + +** Describe how low quality matches are handled, and if there is a notion of matches in suspense, what are the mechanisms for making assertions about them.? + +** Can the matching service be run against an existing population seeking duplicates? + +** Does the product have the ability to use an external matching service? + +** Describe the configuration of the external service. + +** Describe how low quality matches indications are handled, and if there is a notion of matches in suspense, what are the mechanisms for making assertions about them? + +** Describe and standards that are used in messaging or APIs for matching services. + +- User Name Assignment + +** Does the product support user selected usernames?, if so, how are attempted duplicates handled. + +** Does the product support generated usernames?, if so, describe the options and configuration + +** Does the product support enrollment of new users?, if so, please describe the configuration of the enrollment portal, and any support for workflow. + +** Describe how the product handles username changes, including support for namespace protection and auditing, and any workflows? + +** Describe how the product can communicate username changes to other systems that might need to be informed? + +- Identifiers + +** Describe how the your product handles the creation of Identifiers. + +** Describe how does the product handles the use of external vs internal identifiers ? + +** Describe how the product maintain immutable/opaque identifiers that are used system to system ? How do these identifiers help when user id's change ? + +- Social Id + +** Describe the product support for social IDs (Facebook, Google, etc.) in place of local identities. 
+ +** Describe the product support for social IDs that are connected to local identities. + +** Describe whether social ID can be a step in onboarding/offboarding? + +** Describe how does the product consider Level of Assurance LOA when using social IDs.? + +** Describe Identity Matching even with Identity matching, even with social ID + + + +==== Credential Provisioning Category (2) +- Password Rules and Policies + +** Describe how the product the support of limiting the number of different passwords that users need to remember to one central password connected to a central password store or if you have multiple password stores of the same password, how does the product synchronize it? + +** Describe the password policies you support with regard to complexity, length, and any dictionary checks. Include character classes supported in complexity checks. + +** Does the product support flexible password policy based on password length? For example support pass phrases but requiring additional character sets for shorter passwords.. + +** Describe the products support for password expiration, including any support for flexible expiration based on grouping, assurance, or other factors such as password quality. + +** Describe how the product conveys password quality to end users? + +** Describe how the product meets accessibility guidelines? + +** Describe how does the product deal with passwordless? + +- Password Setting/Activation + +** Describe how the product assures initial password setting is being done by the appropriate authority, such as invitations, one time and/or short lived tokens etc. + +** Describe the products support for terms of use and informed consent when getting a credential. + +** What platforms are supported for end user devices setting initial and subsequent passwords, including any required technologies. + +** Describe any features your product has to deter attacks on unclaimed credentials. 
+ +** Describe how the product works with identity proofing during the account claiming process? + +- Authentication Types (Factors) + +** Describe the support for certificate based authentication. + +** Describe the product support for multifactor enrollment, specifying supported technologies and products, explicitly address U2F support. + +** Describe any support you have for challenge response questions. + +** Describe any unlisted additional authentication factors, and any features that help user recognition such as image validation. + +** How does the product handle loss of a (perhaps only) two factor device, such as one time tokens? + +- Provisioning/De-provisioning of credential + +** Describe how the product enforces control over provisioning password to a SP when Federation option is available? + +** Describe the states supported by the product for credentials, such as open, expired, disabled, locked/unlocked, security deny, etc. + +** Describe any workflow available for deprovisioning, time based, approval based, and any attribute or membership checks that can be used for deprovisioning workflow. + +** Describe any controls for sanity checks in your product to prevent accidental mass deprovisioning. + +** Describe the administrative capabilities the product has for deprovisioning and deprovisioning intervention, include any delegation features. + +** Describe how the product handles deprovisioning of credentials w/r/t propagation to multiple credential stores.? + +** Describe how the product handles de-provisioning of MFA (Authentication methods) after the user is no longer active and how do deal with re-provisioning when the same user returns? + +==== Service Provisioning Category (3) +- Provisioning/Reconciliation + +** Describe how does the product ensure that source and destination are in sync? + +** Describe both targeted and full reconciliation (fully match accounts). Incremental vs full. 
+ +** Describe how does the product identify and handle orphan accounts ? + +** Describe how the product handles manual intervention by an admin. + +** How flexible is customization of the IDM connector that provisions the account? + +** Does the product support a threshold to alert for large quantity of updates? + +- JIT/JIC (Cloud Services) + +** Describe how the product integrate with a “Just-in-Time” provisioning model-- on demand provisioning when the user logs in. How does you product learn about this access from IGA perspective? + +** Describe how you support the “Just-in-Case” provisioning model in relation to the Cloud Services? + +- WorkFlows + +** Describe how the product handles automated workflows.? + +** Describe how the product supports end-user self-service workflows. + +** Describe how does your product support the Workflow-based provisioning model in general. + +- Deprovisioning and repatriation + +** Describe how the your product handle a service account de-provisioning with flexibility ( account disabled vs account remove) in accordance with the service and business needs? + +** Describe how the product triggers deprovisioning to a service. + +** How is authorization removal handled for deprovisioned users? + +** Describe how the product supports repatriating a service account from institutional to personal. + +** Does the product support a threshold to alert for large quantity of changes? + +- Life Cycle + +** Describe how does the product captures changes in affiliations/roles that matter for service entitlements? + +** Describe how does the product handle grace periods used in extending services to users beyond a specific period of time . Does the product have a Business Rule Engine to handle this need? + +** Does the product support the establishments of policies and processes to reinstate disabled identities/services? 
+ +==== Target directory provisioning Category (4) +- Linking identities between directories or services +** Describe how the product links an identity in a source directory to the same identity in the target (and service?) + +** Are your user linkage attributes characterized as follows: + +*** Immutable +*** Static +*** Globally unique + +** What is the process of account matching if accounts already exist? + +- Reconciliation +** How does the product ensure the target directory or service has state in sync with the source? + +** Does the product support rollback or transaction? + +** Does the product support incremental/full sync with the target directories ? + +- Deprovisioning and repatriation +** Describe how the product triggers deprovisioning of identities in a target directory or service. + +** Describe the process of deprovisioning identities in a target directory or service. + +** How is authorization removal handled for deprovisioned users? + +** Does the product support a threshold to alert for large quantity of changes? + +==== Roles and Groups Category (5)+ +- Type of Roles/Groups +** Describe how the product support RBAC/ABAC/Groups models ? + +** Describe how the product supports a list of definable /extendible groups/roles?. + + +** Describe how the product supports a hierarchy of groups (i.e., nesting and relationships between groups/roles) + +** What upstream data sources does the product readily support to derive roles/groups? + +** Does the product support sets of groups/roles associated together? (i.e., base, exceptions, includes/excludes). + +- Administration +** Describe delegated access administration features for group management. + +** How does the product deal with “orphaned” delegation? (When previous admins are no longer there.) + +** Does the product provide APIs that would allow an external group and access management tool to drive your product’s groups and group memberships? 
+ +** Does the product support attribute-based (ABAC) or role-based (RBAC) concepts to drive groups and group membership? + +** Can groups have permissions associated with them? + +** What sort of attributes or metadata about groups are available? + +** Does the product support automatic review of roles/groups (attestation) + +** How does the product expose or link groups or roles for fine-grained service authorizations? + +- Guidance for architecting +** How does your product define a default role or template (set of groups) for new entities? + +** Does the product provide any tool for role mining ? + +** Does the product provide a deployment /architecture guidelines for implementing roles/groups ? + +==== Reporting/Auditing Category (6)+ +- Integration with External Reporting Engine +** Does the product support the export of data to external sources for building reports? + +- Target Systems +** Does the product support reports on: + +*** Access for an application (target system) + +*** All access for a user, all users in a unit, all users for a supervisor + +*** Elevated or high-risk access + +*** Separation of Duties + +- Auditing +** Can the product provide a tool to compare intended provisioning to the actual state of an application on demand? + +** Does the product audit changes made within it (eg, who made a change to group membership logic when, and what the change was)? + +** Does the product support Separation of Duties audits? + (If you do access reviews / attestations) does the product provide adequate support? + +*** review by person, unit, application + +*** review of only manually-decided access, exceptions only, etc + +** Can audit results include “comments” (eg, “access being removed because …”) that become part of the record + +** Can the auditing work with an external ticketing system (eg, ServiceNow, Remedy) + +** How does the product define and schedule reviews, notify and remind reviewers, etc? 
Can the product send emails and/or use an external ticketing system? Are reviews done within the product, or in a document sent to the reviewer? + +** How does the reviewer to report results? Is the effort required proportional to the number of changes? + +** Does the product support workflows, logic, etc. needed to implement access changes determined by a review? + +==== Cost/Vendor Considerations Category (7)+ +- On Going Maintenance/Cost +** What is the product on-goin service support contract structure ? + +** What is the Software licensing cost structure (Enterprise vs non)? + +** If one of the product license model is pay-per-active-account , how does the product consider the following populations? : +*** Alumni users +*** Guest users +*** Extended Community users (Parents, Propsect Students , Applicants, Continuing Ed students ,ec..) +*** Social identities that are linked to Idm system + +** Does the product provide any Higher Ed discount ? + +- Vendor Stability +** How long is the product being in the market ? + +** How many Higher Ed clients does the product have ? + +- Ease Of Deployment +** Ease of Deployment under the following categories: +*** Software Package +*** Cloud ready +*** Containers/orchestration support +*** Install from binary +*** Install from source code +*** Security Updates +*** Patch updates +*** Install/Deploy/Tuning Documentations diff --git a/docs/IAMfuncGTAAsurvey.adoc b/docs/IAMfuncGTAAsurvey.adoc new file mode 100644 index 0000000..8f7d4c5 --- /dev/null +++ b/docs/IAMfuncGTAAsurvey.adoc 
@@ -0,0 +1,288 @@ + +=== Identity Provisioning Category (1) + +====== Identity Matching + +** Does the product provide an identity matching service? + +** Describe how the identity matching service is configured, and any scoring or weighting of attributes? + +** Describe how low quality matches are handled, and if there is a notion of matches in suspense, what are the mechanisms for making assertions about them.? + +** Can the matching service be run against an existing population seeking duplicates? + +** Does the product have the ability to use an external matching service? + +** Describe the configuration of the external service. + +** Describe how low quality matches indications are handled, and if there is a notion of matches in suspense, what are the mechanisms for making assertions about them? + +** Describe and standards that are used in messaging or APIs for matching services. + +====== User Name Assignment + +** Does the product support user selected usernames?, if so, how are attempted duplicates handled. + +** Does the product support generated usernames?, if so, describe the options and configuration + +** Does the product support enrollment of new users?, if so, please describe the configuration of the enrollment portal, and any support for workflow. + +** Describe how the product handles username changes, including support for namespace protection and auditing, and any workflows? + +** Describe how the product can communicate username changes to other systems that might need to be informed? + +====== Identifiers + +** Describe how the your product handles the creation of Identifiers. + +** Describe how does the product handles the use of external vs internal identifiers ? + +** Describe how the product maintain immutable/opaque identifiers that are used system to system ? How do these identifiers help when user id's change ? + +** Describe the product support for social IDs (Facebook, Google, etc.) in place of local identities. 
+ +** Describe the product support for social IDs that are connected to local identities. + +** Describe whether social ID can be a step in onboarding/offboarding? + +** Describe how does the product consider Level of Assurance LOA when using social IDs.? + +** Describe Identity Matching even with Identity matching, even with social ID + +=== Credential Provisioning Category (2) +====== Password Rules and Policies + +** Describe how the product the support of limiting the number of different passwords that users need to remember to one central password connected to a central password store or if you have multiple password stores of the same password, how does the product synchronize it? + +** Describe the password policies you support with regard to complexity, length, and any dictionary checks. Include character classes supported in complexity checks. + +** Does the product support flexible password policy based on password length? For example support pass phrases but requiring additional character sets for shorter passwords.. + +** Describe the products support for password expiration, including any support for flexible expiration based on grouping, assurance, or other factors such as password quality. + +** Describe how the product conveys password quality to end users? + +** Describe how the product meets accessibility guidelines? + +** Describe how does the product deal with passwordless? + +====== Password Setting/Activation + +** Describe how the product assures initial password setting is being done by the appropriate authority, such as invitations, one time and/or short lived tokens etc. + +** Describe the products support for terms of use and informed consent when getting a credential. + +** What platforms are supported for end user devices setting initial and subsequent passwords, including any required technologies. + +** Describe any features your product has to deter attacks on unclaimed credentials. 
+ +** Describe how the product works with identity proofing during the account claiming process? + +====== Authentication Types (Factors) + +** Describe the support for certificate based authentication. + +** Describe the product support for multifactor enrollment, specifying supported technologies and products, explicitly address U2F support. + +** Describe any support you have for challenge response questions. + +** Describe any unlisted additional authentication factors, and any features that help user recognition such as image validation. + +** How does the product handle loss of a (perhaps only) two factor device, such as one time tokens? + +====== Provisioning/De-provisioning of credential + +** Describe how the product enforces control over provisioning password to a SP when Federation option is available? + +** Describe the states supported by the product for credentials, such as open, expired, disabled, locked/unlocked, security deny, etc. + +** Describe any workflow available for deprovisioning, time based, approval based, and any attribute or membership checks that can be used for deprovisioning workflow. + +** Describe any controls for sanity checks in your product to prevent accidental mass deprovisioning. + +** Describe the administrative capabilities the product has for deprovisioning and deprovisioning intervention, include any delegation features. + +** Describe how the product handles deprovisioning of credentials w/r/t propagation to multiple credential stores.? + +** Describe how the product handles de-provisioning of MFA (Authentication methods) after the user is no longer active and how do deal with re-provisioning when the same user returns? + +=== Service Provisioning (3) +====== Provisioning/Reconciliation + +** Describe how does the product ensure that source and destination are in sync? + +** Describe both targeted and full reconciliation (fully match accounts). Incremental vs full. 
+ +** Describe how does the product identify and handle orphan accounts ? + +** Describe how the product handles manual intervention by an admin. + +** How flexible is customization of the IDM connector that provisions the account? + +** Does the product support a threshold to alert for large quantity of updates? + +====== JIT/JIC (Cloud Services) + +** Describe how the product integrate with a “Just-in-Time” provisioning model-- on demand provisioning when the user logs in. How does you product learn about this access from IGA perspective? + +** Describe how you support the “Just-in-Case” provisioning model in relation to the Cloud Services? + +====== WorkFlows + +** Describe how the product handles automated workflows.? + +** Describe how the product supports end-user self-service workflows. + +** Describe how does your product support the Workflow-based provisioning model in general. + +====== Deprovisioning and repatriation + +** Describe how the your product handle a service account de-provisioning with flexibility ( account disabled vs account remove) in accordance with the service and business needs? + +** Describe how the product triggers deprovisioning to a service. + +** How is authorization removal handled for deprovisioned users? + +** Describe how the product supports repatriating a service account from institutional to personal. + +** Does the product support a threshold to alert for large quantity of changes? + +====== Life Cycle + +** Describe how does the product captures changes in affiliations/roles that matter for service entitlements? + +** Describe how does the product handle grace periods used in extending services to users beyond a specific period of time . Does the product have a Business Rule Engine to handle this need? + +** Does the product support the establishments of policies and processes to reinstate disabled identities/services? 
+ +=== Target directory provisioning Category (4) +====== Linking identities between directories or services +** Describe how the product links an identity in a source directory to the same identity in the target (and service?) + +** Are your user linkage attributes characterized as follows: + +*** Immutable +*** Static +*** Globally unique + +** What is the process of account matching if accounts already exist? + +====== Reconciliation +** How does the product ensure the target directory or service has state in sync with the source? + +** Does the product support rollback or transaction? + +** Does the product support incremental/full sync with the target directories ? + +====== Deprovisioning and repatriation +** Describe how the product triggers deprovisioning of identities in a target directory or service. + +** Describe the process of deprovisioning identities in a target directory or service. + +** How is authorization removal handled for deprovisioned users? + +** Does the product support a threshold to alert for large quantity of changes? + +=== Roles and Groups Category (5) +====== Type of Roles/Groups +** Describe how the product support RBAC/ABAC/Groups models ? + +** Describe how the product supports a list of definable /extendible groups/roles?. + + +** Describe how the product supports a hierarchy of groups (i.e., nesting and relationships between groups/roles) + +** What upstream data sources does the product readily support to derive roles/groups? + +** Does the product support sets of groups/roles associated together? (i.e., base, exceptions, includes/excludes). + +====== Administration +** Describe delegated access administration features for group management. + +** How does the product deal with “orphaned” delegation? (When previous admins are no longer there.) + +** Does the product provide APIs that would allow an external group and access management tool to drive your product’s groups and group memberships? 
+ +** Does the product support attribute-based (ABAC) or role-based (RBAC) concepts to drive groups and group membership? + +** Can groups have permissions associated with them? + +** What sort of attributes or metadata about groups are available? + +** Does the product support automatic review of roles/groups (attestation) + +** How does the product expose or link groups or roles for fine-grained service authorizations? + +====== Guidance for architecting +** How does your product define a default role or template (set of groups) for new entities? + +** Does the product provide any tool for role mining ? + +** Does the product provide a deployment /architecture guidelines for implementing roles/groups ? + +=== Reporting/Auditing Category (6)+ +====== Integration with External Reporting Engine +** Does the product support the export of data to external sources for building reports? + +====== Target Systems +** Does the product support reports on: + +*** Access for an application (target system) + +*** All access for a user, all users in a unit, all users for a supervisor + +*** Elevated or high-risk access + +*** Separation of Duties + +====== Auditing +** Can the product provide a tool to compare intended provisioning to the actual state of an application on demand? + +** Does the product audit changes made within it (eg, who made a change to group membership logic when, and what the change was)? + +** Does the product support Separation of Duties audits? + (If you do access reviews / attestations) does the product provide adequate support? + +*** review by person, unit, application + +*** review of only manually-decided access, exceptions only, etc + +** Can audit results include “comments” (eg, “access being removed because …”) that become part of the record + +** Can the auditing work with an external ticketing system (eg, ServiceNow, Remedy) + +** How does the product define and schedule reviews, notify and remind reviewers, etc? 
Can the product send emails and/or use an external ticketing system? Are reviews done within the product, or in a document sent to the reviewer? + +** How does the reviewer to report results? Is the effort required proportional to the number of changes? + +** Does the product support workflows, logic, etc. needed to implement access changes determined by a review? + +=== Cost/Vendor Considerations Category (7) +====== On Going Maintenance/Cost +** What is the product on-goin service support contract structure ? + +** What is the Software licensing cost structure (Enterprise vs non)? + +** If one of the product license model is pay-per-active-account , how does the product consider the following populations? : +*** Alumni users +*** Guest users +*** Extended Community users (Parents, Propsect Students , Applicants, Continuing Ed students ,ec..) +*** Social identities that are linked to Idm system + +** Does the product provide any Higher Ed discount ? + +====== Vendor Stability +** How long is the product being in the market ? + +** How many Higher Ed clients does the product have ? + +====== Ease Of Deployment +** Ease of Deployment under the following categories: +*** Software Package +*** Cloud ready +*** Containers/orchestration support +*** Install from binary +*** Install from source code +*** Security Updates +*** Patch updates +*** Install/Deploy/Tuning Documentations diff --git a/README.adoc b/docs/README.adoc similarity index 100% rename from README.adoc rename to docs/README.adoc diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000..da2056b --- /dev/null +++ b/docs/README.md @@ -0,0 +1,3 @@ +# Headline + +> An awesome project. diff --git a/Screenshot 2023-02-23 at 14.55.33.png b/docs/Screenshot 2023-02-23 at 14.55.33.png similarity index 100% rename from Screenshot 2023-02-23 at 14.55.33.png rename to docs/Screenshot 2023-02-23 at 14.55.33.png 
diff --git a/WebAuthNiamOnline.txt b/docs/WebAuthNiamOnline.txt similarity index 100% rename from WebAuthNiamOnline.txt rename to docs/WebAuthNiamOnline.txt diff --git a/asciidocTemplate.adoc b/docs/asciidocTemplate.adoc similarity index 100% rename from asciidocTemplate.adoc rename to docs/asciidocTemplate.adoc diff --git a/docs/async-msg-resources.adoc b/docs/async-msg-resources.adoc new file mode 100644 index 0000000..b52a457 --- /dev/null +++ b/docs/async-msg-resources.adoc @@ -0,0 +1,31 @@ +=== async-msg-resources.adoc + +# Async Message Resources + +#### The Protocol +https://www.amqp.org/specification/0-9-1/amqp-org-download <- AMQP Protocol 0.9.1 + +http://docs.oasis-open.org/amqp/core/v1.0/amqp-core-complete-v1.0.pdf <- AMQP Core Complete v1.0 (pdf) + + +#### Rabbit AMQP +https://rabbitmq.com/reliability.html <- + +https://rabbitmq.com/download.html <- download and install page + +https://github.com/rabbitmq/rabbitmq-server <- + +https://rabbitmq.com/documentation.html <- + +https://rabbitmq.com/configure.html <- + +https://rabbitmq.com/queues.html <- + + +#### Apache QPID +https://qpid.apache.org/index.html <- + +https://github.com/amqphub/quarkus-qpid-jms-quickstart <- + + +#### Intros and Tutorials + +https://ably.com/topic/intro-to-amqp-0-9-1 <- AMQP 0.9.1 + +https://ably.com/topic/intro-to-amqp-1-0 <- AMQP 1.0 + +https://jstobigdata.com/rabbitmq/complete-rabbitmq-tutorial-in-java/ <- + +https://spring.io/projects/spring-amqp <- + + +#### Challenges: Ordering of Event +https://medium.com/baseds/ordering-distributed-events-29c1dd9d1eff <- + +https://medium.com/baseds/logical-time-and-lamport-clocks-part-1-d0317e407112 <- + +https://medium.com/baseds/logical-time-and-lamport-clocks-part-2-272c097dcdda <- + diff --git a/comanage-wb-registry.adoc b/docs/comanage-wb-registry.adoc similarity index 100% rename from comanage-wb-registry.adoc rename to docs/comanage-wb-registry.adoc 
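Review bot: `docs/async-msg-resources.adoc` mixes two heading syntaxes: it opens with an AsciiDoc `=== async-msg-resources.adoc` title that is only the filename, then switches to Markdown `# Async Message Resources` and `####` section headings. Make `Async Message Resources` the document title and use `=`/`====` throughout. Most entries carry an empty `<-` annotation (e.g. `https://rabbitmq.com/reliability.html <-`); either describe the link or drop the arrow. The AMQP Core v1.0 PDF is linked over plain `http://docs.oasis-open.org/...`; use `https://` so the spec download is not fetched over an unauthenticated channel.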
diff --git a/connector-howto.adoc b/docs/connector-howto.adoc similarity index 100% rename from connector-howto.adoc rename to docs/connector-howto.adoc diff --git a/connectors.adoc b/docs/connectors.adoc similarity index 100% rename from connectors.adoc rename to docs/connectors.adoc diff --git a/csv-resource-def.adoc b/docs/csv-resource-def.adoc similarity index 100% rename from csv-resource-def.adoc rename to docs/csv-resource-def.adoc diff --git a/dataMgmt.adoc b/docs/dataMgmt.adoc similarity index 100% rename from dataMgmt.adoc rename to docs/dataMgmt.adoc diff --git a/docs/do-not-use-different-archetypes-for-student-and-employees.adoc b/docs/do-not-use-different-archetypes-for-student-and-employees.adoc new file mode 100644 index 0000000..e174a00 --- /dev/null +++ b/docs/do-not-use-different-archetypes-for-student-and-employees.adoc 
@@ -0,0 +1,40 @@ + +==== Do Not Use Different Archetypes for Student and Employees + +Trevor Lucas + +Hello, I am trying to understand the relationship between Archetypes and Object Templates. Specifically, I'm looking at the built-in Person Archetype and the Person Object Template in midPoint 4.8 and trying to understand how they are linked together so that I can extrapolate them to other Archetypes and Object Templates. I can't see any assignments or links between the two object types within the XML. I have looked at examples within the Workbench and the midPoint demos and have read the Archetype and Object Template docs several times trying to find this answer. + +The end goal is to try to mimic the Workbench and have a Student Archetype for the SIS resource and an Employee Archetype for the HR Resource. Then I would like to extend those by adding Object Templates that could specifically affect the respective Archetype Users. Those Object Templates would have specific name and email constructions, auto-assigned roles, etc, just like the Person Object Template can have by default. Ultimately I'd like to know how a specific Template is applied to a specific Archetype. + +Slavek Licehammer + +Hi Trevor. You are looking for objectTemplateRef in the archetype configuration. For example: https://github.com/Evolveum/midpoint/blob/master/config/initial-objects/archetype/702-archetype-person.xml#L22 + +Having separate archetype for students and separate for employees might be problematic if a single user can be both employee and student at the same time. I'm still looking for a universal design pattern how to represent affiliations, but I'm not sure if there is any. Because different universities are handling it differently. + +Trevor Lucas + +Hi Slavek, that's exactly it. Thank you! I see that now in the Person Archetype and am wondering how I didn't see it before. 
+I was wondering the same thing about splitting into separate archetypes versus using the Person archetype. We can have Students who are also Student Employees, but I was thinking of handling that with Roles. So a Student Archetype User could have a role of Student Employee and get their account created, roles assigned, all that stuff. These would be different than Employee Archetype Users in ways like software licensing. + +Either way we do it we'll have to have some kind of logic to determine which Person is staff, which is student, and grant them roles that way. Would you recommend for a new midPoint deployment to use the Person archetype and build out from there? + +Trevor Lucas + +After pondering some more today, I think it will be the best approach to use Person Archetype and not try to split it out by "user type". We would immediately run into collisions with people who are both Students and Employees, and you can't really make those Users owner of other Users. I think we'll rely on roles and getting those auto-assigned to get people their correct accounts and everything else. + +Thank you, again! + +Amol Athawale + +We had also tried to use different archetypes for different user types, however, after some brainstorming we ended up using the single USDPerson Archetype (custom) for all our users (employee, student, student workers etc). I remember reading a statement in the Archetype chapter, that it is not recommended to change the archetype of the user in the entire life cycle. We have scenarios where employees enroll for full time degree programs and students become full time employees (different from student worker). + +Trevor Lucas + +@Amol Athawale +Why did you go with a custom Archetype rather than use Person? There must have been some benefits that I'm not thinking of. The immediate one would be insulation from changes that get made to "Person" over different versions of midPoint. If you don't mind sharing, what were the pros/cons? 
+ +Amol Athawale + +Hello Trevor, I apologize if this isn't the answer you were expecting, but part of the reason lies in my preference for avoiding defaults. Initially, we created a hierarchical structure of Archetypes but quickly realized it wasn't working for us, so we reverted to using the parent archetype (USDPerson). As I'm still fairly new to Midpoint, I wanted to thoroughly understand the relationships between various objects like Archetypes, Object Templates, Resources, etc. Creating custom components wherever possible is helping me do that. + +FYI - We are still in development phase. + +Trevor Lucas + +Fair enough, we are in a similar boat. Very much in development and trying lots of different things. Thank you for the reply, I appreciate it. + +Thank you, Amol! We would have similar scenarios. We also have staff who are faculty, students and student employees who make that transition to FTE (and sometimes back again), etc. Better to keep them all as "Person" or equivalent, especially if Archetype should never change on a user. diff --git a/docToolRec.adoc b/docs/docToolRec.adoc similarity index 100% rename from docToolRec.adoc rename to docs/docToolRec.adoc diff --git a/docuwiki.adoc b/docs/docuwiki.adoc similarity index 100% rename from docuwiki.adoc rename to docs/docuwiki.adoc diff --git a/docs/entra.adoc b/docs/entra.adoc new file mode 100644 index 0000000..b68fcad --- /dev/null +++ b/docs/entra.adoc @@ -0,0 +1,10 @@ +entra.adoc + +- - - +_2024-01-10 17:08 M$ move to Entra as new name for AzureAD_ + +https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/apps/integration/[] <- Brian Arkills on Entra app integrations + +https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/[] <- rich links to UDub MS materials + +https://staff.washington.edu/barkills/[] <- presentations from 2000 to 2023 + + + diff --git a/docs/f2f-midpoint.adoc b/docs/f2f-midpoint.adoc new file mode 100644 index 0000000..088c6a7 
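Review bot: the reference in Slavek's reply points at a moving target, `.../blob/master/config/initial-objects/archetype/702-archetype-person.xml#L22`; a `master` link with a `#L22` line anchor will drift as that file changes, so pin it to the tag or commit that matches the midPoint 4.8 release the thread discusses. The thread also has no source URL, date, or labels line (compare the `27 Aug 2024` heading and `page labels:` trailer on the password-reset page in this same patch); add them so a reader can tell which midPoint version this archetype guidance applies to.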
--- /dev/null +++ b/docs/f2f-midpoint.adoc @@ -0,0 +1,29 @@ + +===== *MIDPOINT* + +*- current mP integrations -* + +* LDAP + +* Grouper + +* Canvas + +* Grafana/Loki + +* + +* ... + + +*- potential new integrations -* + +* Box, git, AD, AAD + +* Google handled by TSG, not federated + +* Sympa + +* AWS Ident Ctr: SCIM 2; Gietz: Inbound to mP SCIM overlay + +* ... diff --git a/docs/foo.adoc b/docs/foo.adoc new file mode 100644 index 0000000..d926a69 --- /dev/null +++ b/docs/foo.adoc 
@@ -0,0 +1,290 @@ + +==== Identity Provisioning Category (1) +- Identity Matching +** Does the product provide an identity matching service? + +** Describe how the identity matching service is configured, and any scoring or weighting of attributes? + +** Describe how low quality matches are handled, and if there is a notion of matches in suspense, what are the mechanisms for making assertions about them.? + +** Can the matching service be run against an existing population seeking duplicates? + +** Does the product have the ability to use an external matching service? + +** Describe the configuration of the external service. + +** Describe how low quality matches indications are handled, and if there is a notion of matches in suspense, what are the mechanisms for making assertions about them? + +** Describe and standards that are used in messaging or APIs for matching services. + +- User Name Assignment + +** Does the product support user selected usernames?, if so, how are attempted duplicates handled. + +** Does the product support generated usernames?, if so, describe the options and configuration + +** Does the product support enrollment of new users?, if so, please describe the configuration of the enrollment portal, and any support for workflow. + +** Describe how the product handles username changes, including support for namespace protection and auditing, and any workflows? + +** Describe how the product can communicate username changes to other systems that might need to be informed? + +- Identifiers + +** Describe how the your product handles the creation of Identifiers. + +** Describe how does the product handles the use of external vs internal identifiers ? + +** Describe how the product maintain immutable/opaque identifiers that are used system to system ? How do these identifiers help when user id's change ? + +- Social Id + +** Describe the product support for social IDs (Facebook, Google, etc.) in place of local identities. 
+ +** Describe the product support for social IDs that are connected to local identities. + +** Describe whether social ID can be a step in onboarding/offboarding? + +** Describe how does the product consider Level of Assurance LOA when using social IDs.? + +** Describe Identity Matching even with Identity matching, even with social ID + + + +==== Credential Provisioning Category (2) +- Password Rules and Policies + +** Describe how the product the support of limiting the number of different passwords that users need to remember to one central password connected to a central password store or if you have multiple password stores of the same password, how does the product synchronize it? + +** Describe the password policies you support with regard to complexity, length, and any dictionary checks. Include character classes supported in complexity checks. + +** Does the product support flexible password policy based on password length? For example support pass phrases but requiring additional character sets for shorter passwords.. + +** Describe the products support for password expiration, including any support for flexible expiration based on grouping, assurance, or other factors such as password quality. + +** Describe how the product conveys password quality to end users? + +** Describe how the product meets accessibility guidelines? + +** Describe how does the product deal with passwordless? + +- Password Setting/Activation + +** Describe how the product assures initial password setting is being done by the appropriate authority, such as invitations, one time and/or short lived tokens etc. + +** Describe the products support for terms of use and informed consent when getting a credential. + +** What platforms are supported for end user devices setting initial and subsequent passwords, including any required technologies. + +** Describe any features your product has to deter attacks on unclaimed credentials. 
+ +** Describe how the product works with identity proofing during the account claiming process? + +- Authentication Types (Factors) + +** Describe the support for certificate based authentication. + +** Describe the product support for multifactor enrollment, specifying supported technologies and products, explicitly address U2F support. + +** Describe any support you have for challenge response questions. + +** Describe any unlisted additional authentication factors, and any features that help user recognition such as image validation. + +** How does the product handle loss of a (perhaps only) two factor device, such as one time tokens? + +- Provisioning/De-provisioning of credential + +** Describe how the product enforces control over provisioning password to a SP when Federation option is available? + +** Describe the states supported by the product for credentials, such as open, expired, disabled, locked/unlocked, security deny, etc. + +** Describe any workflow available for deprovisioning, time based, approval based, and any attribute or membership checks that can be used for deprovisioning workflow. + +** Describe any controls for sanity checks in your product to prevent accidental mass deprovisioning. + +** Describe the administrative capabilities the product has for deprovisioning and deprovisioning intervention, include any delegation features. + +** Describe how the product handles deprovisioning of credentials w/r/t propagation to multiple credential stores.? + +** Describe how the product handles de-provisioning of MFA (Authentication methods) after the user is no longer active and how do deal with re-provisioning when the same user returns? + +==== Service Provisioning Category (3) +- Provisioning/Reconciliation + +** Describe how does the product ensure that source and destination are in sync? + +** Describe both targeted and full reconciliation (fully match accounts). Incremental vs full. 
+ +** Describe how does the product identify and handle orphan accounts ? + +** Describe how the product handles manual intervention by an admin. + +** How flexible is customization of the IDM connector that provisions the account? + +** Does the product support a threshold to alert for large quantity of updates? + +- JIT/JIC (Cloud Services) + +** Describe how the product integrate with a “Just-in-Time” provisioning model-- on demand provisioning when the user logs in. How does you product learn about this access from IGA perspective? + +** Describe how you support the “Just-in-Case” provisioning model in relation to the Cloud Services? + +- WorkFlows + +** Describe how the product handles automated workflows.? + +** Describe how the product supports end-user self-service workflows. + +** Describe how does your product support the Workflow-based provisioning model in general. + +- Deprovisioning and repatriation + +** Describe how the your product handle a service account de-provisioning with flexibility ( account disabled vs account remove) in accordance with the service and business needs? + +** Describe how the product triggers deprovisioning to a service. + +** How is authorization removal handled for deprovisioned users? + +** Describe how the product supports repatriating a service account from institutional to personal. + +** Does the product support a threshold to alert for large quantity of changes? + +- Life Cycle + +** Describe how does the product captures changes in affiliations/roles that matter for service entitlements? + +** Describe how does the product handle grace periods used in extending services to users beyond a specific period of time . Does the product have a Business Rule Engine to handle this need? + +** Does the product support the establishments of policies and processes to reinstate disabled identities/services? 
+ +==== Target directory provisioning Category (4) +- Linking identities between directories or services +** Describe how the product links an identity in a source directory to the same identity in the target (and service?) + +** Are your user linkage attributes characterized as follows: + +*** Immutable +*** Static +*** Globally unique + +** What is the process of account matching if accounts already exist? + +- Reconciliation +** How does the product ensure the target directory or service has state in sync with the source? + +** Does the product support rollback or transaction? + +** Does the product support incremental/full sync with the target directories ? + +- Deprovisioning and repatriation +** Describe how the product triggers deprovisioning of identities in a target directory or service. + +** Describe the process of deprovisioning identities in a target directory or service. + +** How is authorization removal handled for deprovisioned users? + +** Does the product support a threshold to alert for large quantity of changes? + +==== Roles and Groups Category (5)+ +- Type of Roles/Groups +** Describe how the product support RBAC/ABAC/Groups models ? + +** Describe how the product supports a list of definable /extendible groups/roles?. + + +** Describe how the product supports a hierarchy of groups (i.e., nesting and relationships between groups/roles) + +** What upstream data sources does the product readily support to derive roles/groups? + +** Does the product support sets of groups/roles associated together? (i.e., base, exceptions, includes/excludes). + +- Administration +** Describe delegated access administration features for group management. + +** How does the product deal with “orphaned” delegation? (When previous admins are no longer there.) + +** Does the product provide APIs that would allow an external group and access management tool to drive your product’s groups and group memberships? 
+ +** Does the product support attribute-based (ABAC) or role-based (RBAC) concepts to drive groups and group membership? + +** Can groups have permissions associated with them? + +** What sort of attributes or metadata about groups are available? + +** Does the product support automatic review of roles/groups (attestation) + +** How does the product expose or link groups or roles for fine-grained service authorizations? + +- Guidance for architecting +** How does your product define a default role or template (set of groups) for new entities? + +** Does the product provide any tool for role mining ? + +** Does the product provide a deployment /architecture guidelines for implementing roles/groups ? + +==== Reporting/Auditing Category (6)+ +- Integration with External Reporting Engine +** Does the product support the export of data to external sources for building reports? + +- Target Systems +** Does the product support reports on: + +*** Access for an application (target system) + +*** All access for a user, all users in a unit, all users for a supervisor + +*** Elevated or high-risk access + +*** Separation of Duties + +- Auditing +** Can the product provide a tool to compare intended provisioning to the actual state of an application on demand? + +** Does the product audit changes made within it (eg, who made a change to group membership logic when, and what the change was)? + +** Does the product support Separation of Duties audits? + (If you do access reviews / attestations) does the product provide adequate support? + +*** review by person, unit, application + +*** review of only manually-decided access, exceptions only, etc + +** Can audit results include “comments” (eg, “access being removed because …”) that become part of the record + +** Can the auditing work with an external ticketing system (eg, ServiceNow, Remedy) + +** How does the product define and schedule reviews, notify and remind reviewers, etc? 
Can the product send emails and/or use an external ticketing system? Are reviews done within the product, or in a document sent to the reviewer? + +** How does the reviewer to report results? Is the effort required proportional to the number of changes? + +** Does the product support workflows, logic, etc. needed to implement access changes determined by a review? + +==== Cost/Vendor Considerations Category (7)+ +- On Going Maintenance/Cost +** What is the product on-goin service support contract structure ? + +** What is the Software licensing cost structure (Enterprise vs non)? + +** If one of the product license model is pay-per-active-account , how does the product consider the following populations? : +*** Alumni users +*** Guest users +*** Extended Community users (Parents, Propsect Students , Applicants, Continuing Ed students ,ec..) +*** Social identities that are linked to Idm system + +** Does the product provide any Higher Ed discount ? + +- Vendor Stability +** How long is the product being in the market ? + +** How many Higher Ed clients does the product have ? + +- Ease Of Deployment +** Ease of Deployment under the following categories: +*** Software Package +*** Cloud ready +*** Containers/orchestration support +*** Install from binary +*** Install from source code +*** Security Updates +*** Patch updates +*** Install/Deploy/Tuning Documentations diff --git a/future-proofed-and-federation-ready-enterprise-ids.adoc b/docs/future-proofed-and-federation-ready-enterprise-ids.adoc similarity index 100% rename from future-proofed-and-federation-ready-enterprise-ids.adoc rename to docs/future-proofed-and-federation-ready-enterprise-ids.adoc diff --git a/docs/grouper-midpoint-testing.adoc b/docs/grouper-midpoint-testing.adoc new file mode 100644 index 0000000..f93caf9 --- /dev/null +++ b/docs/grouper-midpoint-testing.adoc 
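Review bot: `docs/foo.adoc` is a placeholder filename for a 290-line vendor questionnaire that duplicates the questionnaire hunk earlier in this patch (same categories (1) to (7), same questions, differing only in `====`/`-` versus `===`/`======` heading style); keep a single copy under a descriptive name and delete the other. Whichever copy survives, fix the shared typos: `Propsect Students`, `on-goin`, `ec..`, `Describe and standards that are used`, `Describe how the your product handle`, `How does the reviewer to report results?`, the doubled `Describe Identity Matching even with Identity matching, even with social ID`, and `?.`/`.?` punctuation. The `+` suffix on `Roles and Groups Category (5)+`, `(6)+` and `(7)+` renders literally and should go.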
@@ -0,0 +1,89 @@ +testGroups.adoc + +- - - +_2023-07-31 08:25:11 MidPoint-Grouper performance testing for large groups and large numbers of small groups_ + +==== Setting up a performance testing environment for midPoint - Grouper integration + +- Create your own test platform as a local instance of the https://spaces.at.internet2.edu/display/TAPW/Build+the+TAP+Workbench+in+your+local+environment[Workbench], for example, {my}.workbench.example.edu' + +- SSH to the workbench host as user 'csprootuser' + +- Create a sudo-capable account for this host. The simplest way is to create a new user and add them to the wheel group. + +- Connect to the Workbench host as the new user: +``` +ssh me@{my}.workbench.example.edu +``` + +- Twenty-six 40,000+ record csv files organized by affiliation were created by Benn Oshrin for COmange testing purposes. With thanks to the COmanage project, we have initially made two of them available as follows: +``` +https://github.internet2.edu/internet2/iam-use-cases/blob/main/Matched/hrms.csv +https://github.internet2.edu/internet2/iam-use-cases/blob/main/Matched/sis.csv +``` + +==== With midPoint 4.6 + +- download the provided test csv files and move them to the defined locations: + +``` +cp hrms.csv Workbench/midpoint_server/container_files/csv/source-hrms.csv +cp sis.csv Workbench/midpoint_server/container_files/csv/source-sis.csv +``` + +- Edit Workbench/docker-compose.yml to bind these files into the container by adding the following to the existing list of bound volumes for midPoint + + +``` +... +- type: bind + source: ./midpoint_server/container_files/csv/source-sis.csv + target: /opt/midpoint/csv/source-sis.csv +- type: bind + source: ./midpoint_server/container_files/csv/source-hrms.csv + target: /opt/midpoint/csv/source-hrms.csv + ... 
+``` +- Connect to the workbench instance using _midPoint Studio_ + +- Model the resource definitions for source-hrms and source-sis on the existing csv resource file, + + {midPoint Studio workbench project} /objects/resources/SourceHRSystem.xml + +naming them + + {midPoint Studio workbench project} /objects/resources/SourceTestHrmsSystem.xml + + {midPoint Studio workbench project} /objects/resources/SourceTestSisSystem.xml + +==== Import the csv files below into the newly defined midPoint resources, _Source: HRMS System (large N)_ and _Source: SIS System (large N)_ + +NOTE: The first line of these .csv files contains comma-delimited field names, + for these test .csv files the field names are: sorid, given, surname, email, ph#, cntry-code, uid, occup, dept, RefID + +==== Import into a midPoint organization, ‘Test’ + +- Define the schema extensions needed for test HR and test SIS sources + +- Create assignments to LDAP and to the Test Org in the schema handling section of the HR and SIS resource definition + +- Run the import and reconcile tasks on the HR and SIS resources + +- Import a sample user and verify the correctness of midPoint objects + +- Import all the resource accounts + +==== Switching over to Grouper-side setup + +- Create a 'test' reference folder and create groups 'test:hrms' and 'test:sis' under it + +Use Grouper loader jobs with LDAP as a subject source to put all the imported users into one of two large reference groups of something over 40,000 users each: + ref:test:hrms +and + ref:test:sis + +- To create a large number of small groups, take the last three digits of the +‘uid' attribute, + +which is a string formatted as a US social security number: _xxxx-xx-abcd_ + +For example, with the above uid, the user would be added to the group _‘ref:test:bcd’_ + +- Loading all records this way will create up to 1000 groups with an average of around 80 members. + +==== Proceed to performance testing with this newly prepared Workbench instance + +- - - 
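Review bot: the Grouper group names in this hunk are inconsistent: the folder step says to create `test:hrms` and `test:sis`, the loader-job step populates `ref:test:hrms` and `ref:test:sis`, and the small groups are named `ref:test:bcd`; settle on one stem before anyone scripts against it. Since the `uid` attribute is described as "a string formatted as a US social security number", state explicitly next to the download links that `hrms.csv` and `sis.csv` are synthetic records generated for COmanage testing, so the 40,000-row files are not mistaken for real PII or copied outside the test Workbench. Minor: `{my}.workbench.example.edu'` has a stray quote, `COmange` should be `COmanage`, and the first line `testGroups.adoc` does not match the filename `grouper-midpoint-testing.adoc`.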
diff --git a/grouperNewData.adoc b/docs/grouperNewData.adoc similarity index 100% rename from grouperNewData.adoc rename to docs/grouperNewData.adoc diff --git a/iam-features.adoc b/docs/iam-features.adoc similarity index 100% rename from iam-features.adoc rename to docs/iam-features.adoc diff --git a/iam-func-list.adoc b/docs/iam-func-list.adoc similarity index 100% rename from iam-func-list.adoc rename to docs/iam-func-list.adoc diff --git a/iam-functions-list.adoc b/docs/iam-functions-list.adoc similarity index 100% rename from iam-functions-list.adoc rename to docs/iam-functions-list.adoc diff --git a/iamPatterns.adoc b/docs/iamPatterns.adoc similarity index 100% rename from iamPatterns.adoc rename to docs/iamPatterns.adoc diff --git a/identifier-guidance.adoc b/docs/identifier-guidance.adoc similarity index 100% rename from identifier-guidance.adoc rename to docs/identifier-guidance.adoc diff --git a/iga-grouper.adoc b/docs/iga-grouper.adoc similarity index 100% rename from iga-grouper.adoc rename to docs/iga-grouper.adoc diff --git a/docs/index.html b/docs/index.html new file mode 100644 index 0000000..04dd4a7 --- /dev/null +++ b/docs/index.html @@ -0,0 +1,22 @@ +<!DOCTYPE html> +<html lang="en"> +<head> + <meta charset="UTF-8"> + <title>Document</title> + <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> + <meta name="description" content="Description"> + <meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0"> + <link rel="stylesheet" href="//cdn.jsdelivr.net/npm/docsify@4/lib/themes/vue.css"> +</head> +<body> + <div id="app"></div> + <script> + window.$docsify = { + name: '', + repo: '' + } + </script> + <!-- Docsify v4 --> + <script src="//cdn.jsdelivr.net/npm/docsify@4"></script> +</body> +</html> diff --git a/its.adoc b/docs/its.adoc similarity index 100% rename from its.adoc rename to docs/its.adoc 
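Review bot: `docs/index.html` loads docsify from protocol-relative, unpinned CDN URLs (`//cdn.jsdelivr.net/npm/docsify@4` and the matching `docsify@4/lib/themes/vue.css`), so every visitor runs whatever the newest 4.x build happens to be. Pin an exact version and add `integrity` and `crossorigin` attributes (Subresource Integrity) to both the script and stylesheet tags so a CDN or package compromise cannot change what the docs site executes. The scaffold defaults are also still in place: `<title>Document</title>`, `content="Description"`, `name: ''`, `repo: ''`, and the `docs/README.md` added earlier in this patch is just `# Headline` / `> An awesome project.`; fill these in before publishing.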
diff --git a/kh-bk-links.adoc b/docs/kh-bk-links.adoc similarity index 100% rename from kh-bk-links.adoc rename to docs/kh-bk-links.adoc diff --git a/markdown-asciidoc.adoc b/docs/markdown-asciidoc.adoc similarity index 100% rename from markdown-asciidoc.adoc rename to docs/markdown-asciidoc.adoc diff --git a/midpoint-db-table-res-def.adoc b/docs/midpoint-db-table-res-def.adoc similarity index 100% rename from midpoint-db-table-res-def.adoc rename to docs/midpoint-db-table-res-def.adoc diff --git a/midscribe.adoc b/docs/midscribe.adoc similarity index 100% rename from midscribe.adoc rename to docs/midscribe.adoc diff --git a/mp-grouper-package.adoc b/docs/mp-grouper-package.adoc similarity index 100% rename from mp-grouper-package.adoc rename to docs/mp-grouper-package.adoc diff --git a/mp-ldap-howto.adoc b/docs/mp-ldap-howto.adoc similarity index 100% rename from mp-ldap-howto.adoc rename to docs/mp-ldap-howto.adoc diff --git a/oidc.adoc b/docs/oidc.adoc similarity index 100% rename from oidc.adoc rename to docs/oidc.adoc diff --git a/docs/password-reset-by-api.adoc b/docs/password-reset-by-api.adoc new file mode 100644 index 0000000..1dbf723 --- /dev/null +++ b/docs/password-reset-by-api.adoc 
@@ -0,0 +1,17 @@ + + +==== Password Reset by API Call, 27 Aug 2024 +John Bigornia, + +I know there's a password reset feature via security question on the UI. Is it possible to do this through a REST call? This is to test a client self service password reset. + +Dennis Antrobus + +Yes, it's possible to do this via a REST call. An example can be found on this Evolveum docs page by searching for the string "Execute Password Reset" : https://docs.evolveum.com/midpoint/reference/master/interfaces/rest/endpoints/users/#modify-user-objects + +If you use Java in your organization there is also the option of using the MidPoint Client Library to execute these types of operations. See: https://docs.evolveum.com/midpoint/reference/support-4.8/interfaces/midpoint-client-java/ + +John Bigornia + +Hi Dennis. Thanks for the reply. Does this prompt the security questions to be answered? In this example we are using the administrator to reset the password. I'm currently looking for documentation about the resetMethod. I'm assuming there's more than just that one listed in the example + + +TBD: Check API documentation for full list of operations. + +--- page labels: midPoint, API, password diff --git a/person-identifiers.adoc b/docs/person-identifiers.adoc similarity index 100% rename from person-identifiers.adoc rename to docs/person-identifiers.adoc diff --git a/perydAffilFwork.adoc b/docs/perydAffilFwork.adoc similarity index 100% rename from perydAffilFwork.adoc rename to docs/perydAffilFwork.adoc diff --git a/perydAffilFwork.adoc1 b/docs/perydAffilFwork.adoc1 similarity index 100% rename from perydAffilFwork.adoc1 rename to docs/perydAffilFwork.adoc1 diff --git a/plantuml-c4-structurizr.adoc b/docs/plantuml-c4-structurizr.adoc similarity index 100% rename from plantuml-c4-structurizr.adoc rename to docs/plantuml-c4-structurizr.adoc diff --git a/docs/postgres-only-workbench.adoc b/docs/postgres-only-workbench.adoc new file mode 100644 index 0000000..256372f --- /dev/null 
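Review bot: this page ends on an open question plus a `TBD: Check API documentation for full list of operations`, so it records no answer to the security-relevant part of what was asked: whether a REST-driven reset still enforces the security-question check, or whether, as in the linked example where "we are using the administrator to reset the password", it is an administrative reset that bypasses it. For a client self-service flow that distinction matters, because an administrator credential held by the client is a different trust boundary than the end user answering their questions; resolve the TBD or mark the page as draft in the `page labels:` trailer. Minor: `John Bigornia,` has a trailing comma, and the two Evolveum links mix `reference/master` and `reference/support-4.8`.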
+++ b/docs/postgres-only-workbench.adoc 
@@ -0,0 +1,469 @@ +== Modifying the Workbench so the HR source and the Wordpress instance shift from Mariadb to Postgres + +This will make Postgres the only database in the Workbench + + +=== Prerequisites + +==== From Zero to a Running Workbench Instance + +===== Specs for an adequate workbench host machine + +. host machine of recent vintage with 32Gb memory +. rocky linux (ubuntu works, too) +. Docker installed + +===== Obtain and build the Workbench image + +``` +export CSPHOSTNAME=localhost # the environment variable that the containers will use as the hostname of the host running the containers + +git clone https://github.internet2.edu/internet2/InCommonTAP-Examples.git +cd /csp-tap/InCommonTAP-Examples/Workbench +docker-compose up --build +``` + +<< long coffee break here >> + +===== Check that all Workbench Containers are up and healthy + +``` +docker ps +``` + +===== Browse to the CSPHOSTNAME server + +. Pass the Basic Auth lint trap with username csp and password workbench +. You will see a kiosk-like interface with links to the TAP components and to other supporting services +. COmanage, Grouper, midPoint and a Shib IdP are directly accessible + +- - - + +== 1. Isolating references to mysql and postgres in the TAP Workbench + +=== In docker-compose.yml + +*- mysql/mariadb -* + +``` +200: sources: + build: ./sources/ + volumes: + - source_mysql:/var/lib/mysql + - source_data:/var/lib/mysqlmounted + +480: wordpress_server: + build: + context: ./wordpress_server/ + command: bash -c 'if [ ! -s /var/www/html/wp-config.php ]; then while ! 
nc -z wordpress_data 3306 ; do echo waiting for mysql on wordpress_data to start; sleep 3; done; + +511: wordpress_data: + build: ./wordpress_data/ + volumes: + - wordpress_data:/var/lib/mysql + +650: volumes: + source_data: + comanage_mysql: + source_mysql: + target_data: + wordpress_data: + mariadb-data: +``` +*- postgres -* + +``` +221: comanage_data: + build: ./comanage_data/ + environment: + POSTGRES_USER: registry_user + POSTGRES_PASSWORD: Password1 + POSTGRES_DB: registry + volumes: + - comanage_data:/var/lib/postgresql/data + +242: comanage_midpoint_data: + build: ./comanage_midpoint_data/ + environment: + POSTGRES_USER: comanage_midpoint_loader + POSTGRES_PASSWORD: Password1 + POSTGRES_DB: comanage_midpoint_loader + networks: + net: + aliases: + - comanage-midpoint-data + volumes: + - comanage_midpoint_data:/var/lib/postgresql/data + + 282: midpoint_data: + image: postgres:13-alpine + command: > + rm -f /var/lib/postgresql/data/postmaster.pid ; + docker-entrypoint.sh postgres + environment: + - POSTGRES_PASSWORD_FILE=/run/secrets/m_database_password.txt + - POSTGRES_USER=midpoint + - POSTGRES_INITDB_ARGS=--lc-collate=en_US.utf8 --lc-ctype=en_US.utf8 + secrets: + - m_database_password.txt + volumes: + - midpoint_data:/var/lib/postgresql/data + - db_init:/docker-entrypoint-initdb.d/ + - mp_pw:/opt/mp-pw + +324: midpoint_server: + build: + context: ./midpoint_server/ + environment: + - REPO_DATABASE_TYPE=postgresql + m_database_password.txt + - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint + +432: idp_ui_data: + image: postgres + environment: + POSTGRES_USER: shibui + POSTGRES_PASSWORD: secret + POSTGRES_DB: shibui + volumes: + - idpui_data:/var/lib/postgresql/data + +``` + +- - - + +== 2. 
Migrate MySQL databases to Postgres + + +*- MySQL in Dockerfiles -* + +===== ./sources/Dockerfile + +``` +FROM tier/mariadb:mariadb10 + +COPY container_files/seed-data/ /seed-data/ + +ENV MYSQL_DATABASE sis +ENV MYSQL_USER sis_user +ENV MYSQL_PASSWORD 49321420423 +ENV MYSQL_DATADIR /var/lib/mysqlmounted +ENV AFTER_FIRST_TIME_SQL /seed-data/persons-and-courses.sql + +[csprootuser@ip-172-31-53-134 Workbench]$ cat sources/Dockerfile +FROM tier/mariadb:mariadb10 + +COPY container_files/seed-data/ /seed-data/ + +ENV MYSQL_DATABASE sis +ENV MYSQL_USER sis_user +ENV MYSQL_PASSWORD 49321420423 +ENV MYSQL_DATADIR /var/lib/mysqlmounted +ENV AFTER_FIRST_TIME_SQL /seed-data/persons-and-courses.sql +``` + +- - - + +== Other relevant selections from Docker-compose.yml and the per-component Dockerfiles + +*- Running Workbench Containers -* +``` +[csprootuser@ip-172-31-53-134 ~]$ docker ps + +bcac3920984a workbench-comanage_cron "docker-comanage-cro…" 11 days ago Up 11 days (healthy) 80/tcp, 443/tcp workbench-comanage_cron-1 + +73d6df7dc964 workbench-midpoint_server "/usr/local/bin/star…" 11 days ago Up 11 days (healthy) 80/tcp, 0.0.0.0:10443->443/tcp, :::10443->443/tcp workbench-midpoint_server-1 + +a7f80a6c2eb4 workbench-idp_ui_api "/usr/bin/supervisor…" 11 days ago Up 11 days (healthy) 8443/tcp workbench-idp_ui_api-1 + +1cdf5c3baf5d workbench-grouper_ui "/usr/local/bin/entr…" 11 days ago Up 11 days (healthy) 80/tcp, 8080/tcp, 8443/tcp, 0.0.0.0:8443->443/tcp, :::8443->443/tcp + +bfc26f8e0c9d workbench-grouper_daemon "/usr/local/bin/entr…" 11 days ago Up 11 days (healthy) 80/tcp, 443/tcp, 8080/tcp, 8443/tcp + +a3594f0d5542 workbench-grouper_ws "/usr/local/bin/entr…" 11 days ago Up 11 days (healthy) 80/tcp, 8080/tcp, 8443/tcp, 0.0.0.0:9443->443/tcp, :::9443->443/tcp + +30d2bb6f3835 workbench-idp "/usr/bin/startup.sh" 11 days ago Up 11 days (healthy) 0.0.0.0:13443->443/tcp, :::13443->443/tcp + +d12c56e97b9a postgres:13-alpine "docker-entrypoint.s…" 11 days ago Up 11 days (healthy) 
0.0.0.0:5432->5432/tcp, :::5432->5432/tcp workbench-midpoint_data-1 + +a8f06373fdff workbench-comanage "docker-supervisord-…" 11 days ago Up 11 days (healthy) 80/tcp, 8080/tcp, 0.0.0.0:11443->443/tcp, :::11443->443/tcp + +b0d5d8ac7193 workbench-wordpress_server "bash -c 'if [ ! -s …" 11 days ago Up 11 days (healthy) 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:12443->443/tcp, :::12443->443/tcp + +ff75fa2311c7 workbench-directory "/bin/sh -c 'rm -rf …" 11 days ago Up 11 days (healthy) 443/tcp, 0.0.0.0:1389->389/tcp, :::1389->389/tcp + +f949dd8a2791 workbench-idp_ui "/usr/bin/supervisor…" 11 days ago Up 11 days (healthy) 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp, 8443/tcp + +342372c932b4 workbench-sources "/opt/bin/start.sh" 11 days ago Up 11 days (healthy) 0.0.0.0:13306->3306/tcp, :::13306->3306/tcp + +e3349853f115 workbench-webproxy "/usr/local/bin/star…" 11 days ago Up 11 days (healthy) 80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp + +46483b5008e7 workbench-comanage_midpoint_data "docker-entrypoint.s…" 11 days ago Up 11 days (healthy) 0.0.0.0:35432->5432/tcp, :::35432->5432/tcp + +a5aac809e4bc workbench-grouper_data "/usr/local/bin/entr…" 11 days ago Up 11 days (healthy) 80/tcp, 443/tcp, 8080/tcp, 8443/tcp, 0.0.0.0:45432->5432/tcp, :::45432->5432/tcp + +55637013b5c7 workbench-mq "/usr/local/bin/demo…" 11 days ago Up 11 days (healthy) 4369/tcp, 5671/tcp, 0.0.0.0:5672->5672/tcp, :::5672->5672/tcp, 15671/tcp, 25672/tcp, 0.0.0.0:15672->15672/tcp, :::15672->15672/tcp + +00b1baa4939d workbench-wordpress_data "docker-entrypoint.s…" 11 days ago Up 11 days (healthy) 0.0.0.0:32773->3306/tcp, :::32773->3306/ + +be8bbd009ead workbench-ad "/bin/sh -c '/start.…" 11 days ago Up 11 days 0.0.0.0:53->53/tcp, ... 
+ + +ba5775b6dbe7 workbench-comanage_data "docker-entrypoint.s…" 11 days ago Up 11 days (healthy) 0.0.0.0:25432->5432/tcp, :::25432->5432/ + +c54f3a94e07f postgres "docker-entrypoint.s…" 11 days ago Up 11 days (healthy) 0.0.0.0:15432->5432/tcp, :::15432->5432/ +``` + +*- Workbench directory -* + +``` +[csprootuser@ip-172-31-53-134 csp-tap]$ cd /csp-tap/InCommonTAP-Examples/Workbench +[csprootuser@ip-172-31-53-134 Workbench]$ ls -la +total 80 +drwxr-xr-x 23 csprootuser root 4096 Jul 10 17:26 . +drwxr-xr-x 6 csprootuser root 82 May 10 14:12 .. +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 ad +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 comanage +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 comanage_cron +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 comanage_data +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 comanage_midpoint_data +drwxr-xr-x 6 csprootuser root 70 May 10 14:12 configs-and-secrets +drwxr-xr-x 3 csprootuser root 47 Jun 10 16:43 directory +-rw-r--r-- 1 csprootuser csprootuser 20547 Jul 10 16:26 docker-compose.yml +-rw-r--r-- 1 csprootuser root 20565 Jun 9 19:00 docker-compose.yml.old +-rw-r--r-- 1 csprootuser root 57 May 10 14:12 .env +drwxr-xr-x 2 csprootuser root 24 Jun 10 15:17 grouper_daemon +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 grouper_data +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 grouper_ui +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 grouper_ws +drwxr-xr-x 4 csprootuser root 69 May 10 14:12 idp +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 idp_ui +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 idp_ui_api +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 midpoint_server +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 mq +-rw-r--r-- 1 csprootuser root 843 May 10 14:12 README.md +drwxr-xr-x 2 csprootuser root 232 May 10 14:21 scripts +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 sources +-rw-rw-r-- 1 csprootuser csprootuser 17257 Jul 10 17:17 th.xml +drwxr-xr-x 3 csprootuser root 47 May 10 14:12 webproxy +drwxr-xr-x 2 csprootuser 
root 24 May 10 14:12 wordpress_data +drwxr-xr-x 4 csprootuser root 69 May 10 14:12 wordpress_server +``` +*- Workbench Dockerfiles and container_file directories for building containers -* + +``` +[csprootuser@ip-172-31-53-134 Workbench]$ tree -L 2 +. +├── ad +│ ├── container_files +│ └── Dockerfile +├── comanage +│ ├── container_files +│ └── Dockerfile +├── comanage_cron +│ ├── container_files +│ └── Dockerfile +├── comanage_data +│ ├── container_files +│ └── Dockerfile +├── comanage_midpoint_data +│ ├── container_files +│ └── Dockerfile +├── configs-and-secrets +│ ├── comanage +│ ├── grouper +│ ├── midpoint +│ └── wordpress +├── directory +│ ├── container_files +│ └── Dockerfile +├── docker-compose.yml +├── docker-compose.yml.old +├── grouper_daemon +│ └── Dockerfile +├── grouper_data +│ ├── container_files +│ └── Dockerfile +├── grouper_ui +│ ├── container_files +│ └── Dockerfile +├── grouper_ws +│ ├── container_files +│ └── Dockerfile +├── idp +│ ├── container_files +│ ├── Dockerfile +│ └── shibboleth-idp +├── idp_ui +│ ├── container_files +│ └── Dockerfile +├── idp_ui_api +│ ├── container_files +│ └── Dockerfile +├── midpoint_server +│ ├── container_files +│ └── Dockerfile +├── mq +│ ├── container_files +│ └── Dockerfile +├── README.md +├── scripts +│ ├── csp-cron +│ ├── gethealth2.py +│ ├── gethealth-output.txt +│ ├── gethealth.py +│ ├── refreshListener.php +│ ├── refreshListener.service +│ ├── refresh-this-instance.sh +│ ├── setupcron.sh +│ └── update-health-status.sh +├── sources +│ ├── container_files +│ └── Dockerfile +├── th.xml +├── webproxy +│ ├── container_files +│ └── Dockerfile +├── wordpress_data +│ └── Dockerfile +└── wordpress_server + ├── container_files + ├── Dockerfile + └── wordpress_data + + +/csp-tap/InCommonTAP-Examples/Workbench$ ls -la sources/container_files/seed-data +-rw-r--r-- 1 csprootuser root 55516 May 10 14:12 persons-and-courses.sql +``` + +== 2. 
Migrate MySQL databases to Postgres + +*- MySQL in Dockerfiles -* + +===== ./sources/Dockerfile + +``` +FROM tier/mariadb:mariadb10 + +COPY container_files/seed-data/ /seed-data/ + +ENV MYSQL_DATABASE sis +ENV MYSQL_USER sis_user +ENV MYSQL_PASSWORD 49321420423 +ENV MYSQL_DATADIR /var/lib/mysqlmounted +ENV AFTER_FIRST_TIME_SQL /seed-data/persons-and-courses.sql + +[csprootuser@ip-172-31-53-134 Workbench]$ cat sources/Dockerfile +FROM tier/mariadb:mariadb10 + +COPY container_files/seed-data/ /seed-data/ + +ENV MYSQL_DATABASE sis +ENV MYSQL_USER sis_user +ENV MYSQL_PASSWORD 49321420423 +ENV MYSQL_DATADIR /var/lib/mysqlmounted +ENV AFTER_FIRST_TIME_SQL /seed-data/persons-and-courses.sql +``` + +./wordpress_server/Dockerfile + +``` +cat wordpress_server/Dockerfile +FROM i2incommon/shibboleth_sp:3.4.1_06122023_rocky8_multiarch + +VOLUME /var/www/html + +COPY container_files/wordpress/sed.sh /root +COPY container_files/wordpress/config-shibb.sql /root +COPY container_files/wordpress/wp /root +COPY container_files/wordpress/config.yml /root/.wp-cli +COPY container_files/wordpress/wp-cli.yml /var/www/html +COPY container_files/shibboleth/* /etc/shibboleth/ +COPY container_files/system/setservername.sh /usr/local/bin/ +RUN chmod +x /root/wp +RUN dnf module enable -y php:7.4 +RUN yum update -y +RUN yum install -y php php-cli php-common php-gd php-curl php-json php-mysqlnd php-pdo php-zip php-mbstring libwebp mariadb wget postfix nc +RUN rpm -Uvh https://rpms.remirepo.net/enterprise/remi-release-8.rpm +RUN yum --enablerepo=remi,remi-test install -y gd3php gd3php-devel php74-php-sodium + +RUN echo 'date.timezone="UTC"' >> /etc/php.ini + +WORKDIR /var/www/html + +RUN chown -R apache:apache /var/www/html +COPY container_files/system/setservername.sh /usr/local/bin/ +RUN chmod 755 /usr/local/bin/setservername.sh #&& rm -f /etc/httpd/conf.d/ssl.conf + +#set hostname +ARG CSPHOSTNAME=localhost +ENV CSPHOSTNAME=$CSPHOSTNAME + +RUN /usr/local/bin/setservername.sh +RUN mkdir -p 
/run/php-fpm/ + +ENV LD_LIBRARY_PATH=/opt/shibboleth/lib64 +``` + +./wordpress_data/Dockerfile + +``` +$ cat wordpress_data/Dockerfile +from mariadb:latest +RUN apt-get update +RUN apt install curl -y +#RUN apt-get install wget gcc libmysql++-dev librabbitmq-dev pkg-config libbsd-dev -y +#ENV MYSQL_RANDOM_ROOT_PASSWORD=true +ENV MYSQL_ROOT_PASSWORD=54y6RxN7GfC7aes3 +ENV MYSQL_DATABASE=wordpress +ENV MYSQL_USER=wordpress +ENV MYSQL_PASSWORD=54y6RxN7GfC7aes3 +#WORKDIR /tmp +#RUN wget https://github.com/ssimicro/lib_mysqludf_amqp/releases/download/v2.0.0/lib_mysqludf_amqp-2.0.0.tar.gz +#RUN tar zxf lib_mysqludf_amqp-2.0.0.tar.gz +#WORKDIR /tmp/lib_mysqludf_amqp-2.0.0 +#RUN ./configure && make && make install #mysql -u root --password=54y6RxN7GfC7aes3 < installdb.sql +RUN cat /etc/resolv.conf +EXPOSE 3306 +``` + +*- Use grouper_data Dockerfile as template for migrating MySQL databases -* + +./grouper_data/Dockerfile + +``` +FROM i2incommon/grouper:4.12.0 + +LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" + +RUN yum install -y epel-release \ + && yum update -y \ + && dnf module enable -y postgresql:12 \ + && dnf install -y postgresql-server \ + && yum clean all \ + && rm -rf /var/cache/yum + +COPY container_files/conf/ /opt/grouper/grouperWebapp/WEB-INF/classes/ +COPY container_files/bootstrap/ /tmp/ +COPY container_files/sql/createSQLuser.sql / +COPY container_files/sql/createDBforMP.sql / + +#setup DB +RUN chown -R postgres:postgres /var/lib/pgsql/ +RUN echo "password" > /db-user-pwd.txt +RUN sudo -u postgres initdb -D /var/lib/pgsql/data/ --username=postgres --pwfile=/db-user-pwd.txt + +#create grouper DB +RUN sudo -u postgres pg_ctl start -D /var/lib/pgsql/data/ \ + && psql -U postgres -f /createSQLuser.sql \ + && psql -U postgres -f /createDBforMP.sql \ + && /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh -registry -check -runscript -noprompt \ + && /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh /tmp/initialize.gsh \ + && 
/opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh /tmp/set-prov.gsh + +RUN echo "host all all 0.0.0.0/0 trust" >> /var/lib/pgsql/data/pg_hba.conf + +EXPOSE 5432 +``` + + diff --git a/ps2grouper.adoc b/docs/ps2grouper.adoc similarity index 98% rename from ps2grouper.adoc rename to docs/ps2grouper.adoc index b096fd4..a0d5d85 100644 --- a/ps2grouper.adoc +++ b/docs/ps2grouper.adoc @@ -56,7 +56,7 @@ all of those are published. A group or many of them are then published to that t I should have said this before, but please interrupt with questions as we go along, because I know these paths are fairly divergent. -Q: So it's a really, really quick one about the diagram that you're showing that Are the arrows correct? Are you taking data from and from Fromatica and sending it to people talk? Or is it the other way? +Q: So it's a really, really quick one about the diagram that you're showing that Are the arrows correct? Are you taking data from and from Informatica and sending it to people talk? Or is it the other way? A: I debated which way to point these arrows, but this is our SQL query, so that is Informatica reaching out to Peoplesoft with the SQL query and pulling data back. diff --git a/recoveredDocToolRec.adoc b/docs/recoveredDocToolRec.adoc similarity index 100% rename from recoveredDocToolRec.adoc rename to docs/recoveredDocToolRec.adoc diff --git a/shibM.adoc b/docs/shibM.adoc similarity index 100% rename from shibM.adoc rename to docs/shibM.adoc diff --git a/siwg-2023.adoc b/docs/siwg-2023.adoc similarity index 100% rename from siwg-2023.adoc rename to docs/siwg-2023.adoc diff --git a/siwg-extracts.adoc b/docs/siwg-extracts.adoc similarity index 100% rename from siwg-extracts.adoc rename to docs/siwg-extracts.adoc diff --git a/sor-to-access-policy.adoc b/docs/sor-to-access-policy.adoc similarity index 100% rename from sor-to-access-policy.adoc rename to docs/sor-to-access-policy.adoc 
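Review bot: in docs/postgres-only-workbench.adoc the grouper_data Dockerfile is offered as the template for migrating the MySQL databases, but it ends with `RUN echo "host all all 0.0.0.0/0 trust" >> /var/lib/pgsql/data/pg_hba.conf` and writes the superuser password into an image layer with `RUN echo "password" > /db-user-pwd.txt`; copying that pattern to the sources and wordpress_data containers would produce two more Postgres instances that accept any connection from any host without a password, and the docker ps listing in the same file shows the database ports already published on 0.0.0.0 (5432, 15432, 25432, 35432, 45432, 13306, 32773). Suggest the guide point readers at the midpoint_data pattern that is already in the file (`POSTGRES_PASSWORD_FILE=/run/secrets/m_database_password.txt` with a password-based pg_hba method such as scram-sha-256) instead of the trust line, and note that the credentials being replaced (`MYSQL_PASSWORD 49321420423`, `MYSQL_ROOT_PASSWORD=54y6RxN7GfC7aes3`, `POSTGRES_PASSWORD: Password1`) are plaintext in Dockerfiles and docker-compose.yml, so the migration is the moment to move them into secrets. Two documentation points in the same hunk: the section "== 2. Migrate MySQL databases to Postgres" and the sources/Dockerfile listing appear twice, and inside each the Dockerfile is pasted a second time under a `cat sources/Dockerfile` prompt, so one copy should go; and `wordpress_data/Dockerfile` builds from unpinned `from mariadb:latest`, which should be pinned if that container survives the migration.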
diff --git a/docs/stay-with-single-object-type-for-user b/docs/stay-with-single-object-type-for-user new file mode 100644 index 0000000..d4427f3 --- /dev/null +++ b/docs/stay-with-single-object-type-for-user 
@@ -0,0 +1,36 @@ + + + + + +Trevor Lucas +Hello, I am trying to understand the relationship between Archetypes and Object Templates. Specifically, I'm looking at the built-in Person Archetype and the Person Object Template in midPoint 4.8 and trying to understand how they are linked together so that I can extrapolate them to other Archetypes and Object Templates. I can't see any assignments or links between the two object types within the XML. I have looked at examples within the Workbench and the midPoint demos and have read the Archetype and Object Template docs several times trying to find this answer. +The end goal is to try to mimic the Workbench and have a Student Archetype for the SIS resource and an Employee Archetype for the HR Resource. Then I would like to extend those by adding Object Templates that could specifically affect the respective Archetype Users. Those Object Templates would have specific name and email constructions, auto-assigned roles, etc, just like the Person Object Template can have by default. Ultimately I'd like to know how a specific Template is applied to a specific Archetype. + +Slavek Licehammer +Hi Trevor. You are looking for objectTemplateRef in archetype configuration. For example: https://github.com/Evolveum/midpoint/blob/master/config/initial-objects/archetype/702-archetype-person.xml#L22 +Having separate archetype for students and separate for employees might be problematic if a single user can be both employee and student at the same time. I'm still looking for a universal design pattern how to represent affiliations, but I'm not sure if there is any. Because different universities are handling it differently. + +Trevor Lucas +Hi Slavek, that's exactly it. Thank you! I see that now in the Person Archetype and am wondering how I didn't see it before. +I was wondering the same thing about splitting into separate archetypes versus using the Person archetype. 
We can have Students who are also Student Employees, but I was thinking of handling that with Roles. So a Student Archetype User could have a role of Student Employee and get their account created, roles assigned, all that stuff. These would be different than Employee Archetype Users in ways like software licensing. +Either way we do it we'll have to have some kind of logic to determine which Person is staff, which is student, and grant them roles that way. Would you recommend for a new midPoint deployment to use the Person archetype and build out from there? + +Trevor Lucas +After pondering some more today, I think it will be the best approach to use Person Archetype and not try to split it out by "user type". We would immediately run into collisions with people who are both Students and Employees, and you can't really make those Users owner of other Users. I think we'll rely on roles and getting those auto-assigned to get people their correct accounts and everything else. +Thank you, again! + +Amol Athawale +We had also tried to use different archetypes for different user types, however, after some brainstorming we ended up using the single USDPerson Archetype (custom) for all our users (employee, student, student workers etc). I remember reading a statement in the Archetype chapter, that it is not recommended to change the archetype of the user in the entire life cycle. We have scenarios where employees enroll for full time degree programs and students become full time employees (different from student worker). + +Trevor Lucas +@Amol Athawale +Why did you go with a custom Archetype rather than use Person? There must have been some benefits that I'm not thinking of. The immediate one would be insulation from changes that get made to "Person" over different versions of midPoint. If you don't mind sharing, what were the pros/cons? 
+ +Amol Athawale +Hello Trevor, I apologize if this isn't the answer you were expecting, but part of the reason lies in my preference for avoiding defaults. Initially, we created a hierarchical structure of Archetypes but quickly realized it wasn't working for us, so we reverted to using the parent archetype (USDPerson). As I'm still fairly new to Midpoint, I wanted to thoroughly understand the relationships between various objects like Archetypes, Object Templates, Resources, etc. Creating custom components wherever possible is helping me do that. +FYI - We are still in development phase. + +Trevor Lucas +Fair enough, we are in a similar boat. Very much in development and trying lots of different things. Thank you for the reply, I appreciate it. +Thank you, Amol! We would have similar scenarios. We also have staff who are faculty, students and student employees who make that transition to FTE (and sometimes back again), etc. Better to keep them all as "Person" or equivalent, especially if Archetype should never change on a user. diff --git a/tap-azure-ad-iam.adoc b/docs/tap-azure-ad-iam.adoc similarity index 100% rename from tap-azure-ad-iam.adoc rename to docs/tap-azure-ad-iam.adoc diff --git a/docs/test-data-howto.adoc b/docs/test-data-howto.adoc new file mode 100644 index 0000000..86fc2f4 --- /dev/null +++ b/docs/test-data-howto.adoc 
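Review bot: docs/stay-with-single-object-type-for-user has no `.adoc` extension, no title, and opens with several blank lines, so unlike the other documents moved under docs/ in this change it will not render as a page and gives no indication of where the conversation came from; give it the `.adoc` suffix, a heading, and the date and source of the thread, as the "Password Reset by API Call, 27 Aug 2024" capture in this same change does with its date and "page labels" line. The pointer Slavek gives, `config/initial-objects/archetype/702-archetype-person.xml#L22` on `master`, is a moving line reference; since the thread concerns midPoint 4.8, pin the link to the 4.8 tag or quote the `objectTemplateRef` element inline so the page stays correct after that file changes.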
@@ -0,0 +1,329 @@ +=== test-data-how-to.adoc + +- - - +_2024-01-09 19:52 picking up the large N group study on khazelton.workbench_ + +import MBProMax:Downloads/alumni-meds-1.csv as resource 'alumni' +or +import MBProMax:/Users/kh/opt/opt.rec/kh-wb4/csv/source-hrms.csv + +set up target LDAP resource and define outbound mappings from alumni +define this ldap as subject source and group source for Grouper + +sis resource definition: /Users/kh/opt/opt.rec/kh-wb4/objects/resources/SISlargeN.xml + +- - - +_2023-08-16 18:10:25 Importing a small sample csv SIS file_ + +*- CSV connector How-to: Bring a new resource into a Worbench instance -* + + +- (example modified from The Book, Chapter 8, HR section) + +- Start with the small csv resource definition from Chapter 8 of the Book + +- hr.csv contents: +``` +"empno","firstname","lastname" +"001","Alice","Anderson" +"002","Bob","Brown" +``` + +- Place the new comma-delimited hr.csv file in the proper place on the Workbench host + +- Replace {Workbench Directory} with the actual path to your Workbench folder + +``` +{Workbench Directory}/midpoint_server/container_files/mp-home/csv/hr.csv +``` + +- Add the new .csv data file to the volume bind section of the midpoint_server segment of the docker-compose.yml file + +``` + ... + midpoint_server: + ... + volumes: + - midpoint_home:/opt/midpoint/var + ... + - type: bind + source: ./midpoint_server/container_files/mp-home/csv/hr.csv + target: /opt/midpoint/csv/hr.csv + ... +``` + +--- + +*- The following template from Ch. 8 of THE BOOK can be used to create your own simple inbound csv resource definition -* + +``` +<?xml version="1.0" encoding="UTF-8"?> +<!-- https://docs.evolveum.com/book/practical-identity-management-with-midpoint.html#08-obhject-templates + ~ + ~ Copyright (c) 2010-2019 Evolveum + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. 
+ ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<resource oid="03c3ceea-78e2-11e6-954d-dfdfa9ace0cf" + xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" + xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" + xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" + xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" + xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" + xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext" + xmlns:xsd="http://www.w3.org/2001/XMLSchema" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"> + + <name>HR System, Book ch 8</name> + + <description> + HR resource using CSV connector. This is the HR feed (source) resource. + This is a sample used in the "Practical Identity Management with MidPoint" + book, chapter 8. 
+ </description> + + <connectorRef type="ConnectorType"> + <filter> + <q:equal> + <q:path>c:connectorType</q:path> + <q:value>com.evolveum.polygon.connector.csv.CsvConnector</q:value> + </q:equal> + </filter> + </connectorRef> +``` +* In the connectorConfiguration section +** filepath should match the path defined in the docker-compose.yml for the target location of the bind element +** {filename.csv} should be your .csv file name +** uniqueAttribute should identify the field in the csv file that carries the unique identifier for each row + +``` + <connectorConfiguration> + <!-- Configuration specific for the CSV connector --> + <icfc:configurationProperties + xmlns:icfccsvfile="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-csv/com.evolveum.polygon.connector.csv.CsvConnector"> + <icfccsvfile:filePath>/opt/midpoint/csv/{filename.csv}</icfccsvfile:filePath> + <icfccsvfile:encoding>utf-8</icfccsvfile:encoding> + <icfccsvfile:fieldDelimiter>,</icfccsvfile:fieldDelimiter> + <icfccsvfile:multivalueDelimiter>;</icfccsvfile:multivalueDelimiter> + <icfccsvfile:uniqueAttribute>empno</icfccsvfile:uniqueAttribute> + </icfc:configurationProperties> + </connectorConfiguration> +``` +- NOTE: The <schema> section that goes here will be added automatically + when the first connection to the resource takes place + +- The schema handling section should use the attribute names that match the "element" definitions in the auto-loaded schema section of the resource definition + +- Near the top of the schema handling section, the element for the unique attribute should look like this + +``` + <schemaHandling> + + <objectType> + <displayName>Default Account</displayName> + <default>true</default> + <objectClass>ri:AccountObjectClass</objectClass> + <attribute> + <ref>ri:empno</ref> + <displayName>Name (book hr empno)</displayName> + <limitations> + <minOccurs>0</minOccurs> + <access> + <read>true</read> + <add>true</add> + 
<modify>true</modify> + </access> + </limitations> + <inbound> + <target> + <path>$focus/employeeNumber</path> + </target> + </inbound> + </attribute> +``` +- Now the rest of the attribute mappings + +``` + <attribute> + <ref>ri:firstname</ref> + <displayName>First name</displayName> + <inbound> + <target> + <path>$focus/givenName</path> + </target> + </inbound> + </attribute> + <attribute> + <ref>ri:lastname</ref> + <displayName>Last name</displayName> + <inbound> + <target> + <path>$focus/familyName</path> + </target> + </inbound> + </attribute> + <activation> + <administrativeStatus> + <inbound/> + </administrativeStatus> + </activation> + + <credentials> + <password> + <inbound> + <strength>weak</strength> + <expression> + <generate/> + </expression> + </inbound> + </password> + </credentials> + </objectType> + + </schemaHandling> + + <projection> + <assignmentPolicyEnforcement>none</assignmentPolicyEnforcement> + </projection> + + + <synchronization> + <objectSynchronization> + <enabled>true</enabled> +``` +- The correlation element should look like this: + +``` + <correlation> + <q:equal> + <q:path>employeeNumber</q:path> + <expression> + <path>$projection/attributes/empno</path> + </expression> + </q:equal> + </correlation> +``` + +- The rest of the synchronization element follows + +``` + <reaction> + <situation>linked</situation> + <synchronize>true</synchronize> + </reaction> + <reaction> + <situation>deleted</situation> + <synchronize>true</synchronize> + <action> + <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteFocus</handlerUri> + </action> + </reaction> + <reaction> + <situation>unlinked</situation> + <synchronize>true</synchronize> + <action> + <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri> + </action> + </reaction> + <reaction> + <situation>unmatched</situation> + <synchronize>true</synchronize> + <action> + 
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri> + </action> + </reaction> + </objectSynchronization> + </synchronization> +</resource> +``` + +*- The resource definition file is now ready to upload with midPoint Studio -* + +- - - +_2023-08-17 08:44:37 Import 50,000 users from source-sis-full.csv_ + +*- process for importing large csv files into fresh instance of midPoint -* + +Assumes you have already done this once and we start from that instance + +Save the existing edited docker-compose.yml with data file binds: + +/csp-tap/InCommonTAP-Examples-0816/Workbench/docker-compose.yml + +Bring the full test SIS population (50k) file into midPoint Workbench + +Save the contents of the ../csv directory + +``` +$ pwd +/csp-tap/InCommonTAP-Examples/Workbench/midpoint_server/container_files/mp-home/csv + +ls -la +-rw-r--r-- 1 csprootuser csprootuser 6826528 Aug 5 22:54 source-hrms.csv +-rw-r--r-- 1 csprootuser csprootuser 8386727 Aug 5 22:54 source-sis.csv +``` + +*- Wipe all existing Workbench images and files -* + +``` +docker stop $(docker ps -a -q); docker rm $(docker ps -a -q); docker rmi $(docker images -q) --force; docker volume rm $(docker volume ls -q) +``` + +Replace downloaded ../csv directory with saved version + +Replace repo version of docker-compose.yml with saved version + +*- Build and bring up the fresh Workbench -* + +``` +docker-compose up --build -d +``` + +- Create a new (midpoint) project in midPoint Studio and edit the default configuration to point to the new Workbench host + +*- import the full sis resource -* + +``` +*Schema mapping and extension attributes* + +CSV MIDPOINT USER +___ _____________ +sorid org +given givenName +surname familyName +email emailAddress +ph telephoneNumber +cntry-code ex-cntryCode +unid uid +occup title +dept orgUnit +refid ex-refid + +59614 (closed) Last object processed: 641-64-5552 + +8/17/23, 3:22:57 PM - + +8/17/23, 5:05:57 PM (01:42:59.164) +``` + +- The import task 
incorporates the synchronization process, so the sis records have created corresponding user records + +*- Next Steps -* + +Give all users the ldap-basic role which will provision all users into LDAP + +Have Grouper treat LDAP as its subject source and create HRMS and SIS Grouper groups with loader jobs + +Compare performance of LDAP subject source with a custom sql db table subject source + +Change groups and group memberships with Grouper and track the performance of the Grouper - midPoint connector + +--- diff --git a/thoughts.adoc b/docs/thoughts.adoc similarity index 100% rename from thoughts.adoc rename to docs/thoughts.adoc diff --git a/f2f-midpoint.adoc b/f2f-midpoint.adoc deleted file mode 100644 index 98bfaa1..0000000 --- a/f2f-midpoint.adoc +++ /dev/null @@ -1,30 +0,0 @@ - -===== *MIDPOINT* - -*- current mP integrations -* - -* LDAP - -* Grouper - -* Canvas - -* SaaS - -* ... - -*- planned fixes and enhancements for existing integrations -* - -* ... - -*- potential new integrations -* - -* ... - -*- gaps -* - -* ... - -*- other points to mention -* - -* ... diff --git a/grouperSurveyResponses.adoc b/grouperSurveyResponses.adoc new file mode 100644 index 0000000..900ca72 --- /dev/null +++ b/grouperSurveyResponses.adoc 
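Review bot: the resource template in docs/test-data-howto.adoc keeps the book's OID `03c3ceea-78e2-11e6-954d-dfdfa9ace0cf` and the step list never says to change it; anyone who imports both the Chapter 8 sample and their own copy will collide on that OID, so generating a fresh OID belongs next to the instructions for `{filename.csv}` and `uniqueAttribute`. Two further things a reader of this how-to needs spelled out: the synchronization block reacts to the `deleted` situation with `action-3#deleteFocus`, so a later reconciliation against a truncated or half-written hr.csv will delete the corresponding midPoint users (say so, or change that reaction for an HR feed); and the "Wipe all existing Workbench images and files" one-liner (`docker stop $(docker ps -a -q); docker rm $(docker ps -a -q); docker rmi $(docker images -q) --force; docker volume rm $(docker volume ls -q)`) removes every container, image and volume on the host, not only the Workbench, so either warn that it must not be run on a shared Docker host or scope it to the compose project. Minor: the `access` limitations on `ri:empno` grant `add` and `modify` on what the description calls the HR source resource; read-only is enough for an inbound-only feed.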
@@ -0,0 +1,22 @@ +=== grouperSurveyResponse.adoc + + +*- Responses to Grouper Survey Initial Recommentations -* + +Ensure that each 'page' or unit of documentation carries helpful metadata (tags, keywords, with a controlled vocabulary of primary terms) + +- type of documentation: How-to, tutorial, reference, explanation (ConOps) +- context: Deployment, Tech Dev & Integration, Administration, data structures, UI guides +- other keywords to support search terms +- versions to which documentation applies (e.g. Grouper >= 4.7) +- links to related documentation units +- date created, date last modified + +The above categories align fairly well with the responses to the "Improvement Priority" question on the Grouper Survey + +Keep in mind creation and maintenance costs when formulating documentation guidelines + +*- Harvest Slack problems posed and solutions offered on Slack; -* + +- Collect in a well-known, well-organized documentation resource +- Addresses the "Same question 100 times" problem diff --git a/id/.DS_Store b/id/.DS_Store new file mode 100644 index 0000000..6b56b0f Binary files /dev/null and b/id/.DS_Store differ
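Review bot: grouperSurveyResponses.adoc is added at the repository root while the other documents visible in this change are being moved under docs/, and its first heading reads `=== grouperSurveyResponse.adoc` (singular) for a file named with the plural; put it under docs/ and make the heading match the filename. Spelling in the hunk: "Recommentations" should be "Recommendations", and "Harvest Slack problems posed and solutions offered on Slack" repeats "Slack".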