diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c5dfa11
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,9 @@
+AWS-Trng-1.pem
+bin
+include
+lib
+share
+ssh_config
+ssh_mux*
+ec2.py
+.*.swp
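Review bot: The ignore list pins the exact filename `AWS-Trng-1.pem`, yet the README added in this same commit tells users to copy "AWS-Trng-1.pem (or other approved key)" into the clone, so any differently named private key lands in the working tree with no protection from this file. A pattern is safer than a name: replace the first line with `*.pem` (and `*.key` if keys are handed out in that form). The vault password is directed to `~/.vault_pass.txt` outside the clone, which is fine, but a `.vault_pass*` entry costs nothing and catches the common mistake of creating it next to `ansible.cfg`. Keep in mind that .gitignore only prevents accidental staging; it does nothing for `git add -f` or for material already in history.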
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b26409d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,215 @@
+# Ansible Deployment for InCommon COmanage Registry Training
+
+This repository contains the necessary Ansible and other files for
+deploying the InCommon COmanage Registry Training environment.
+
+The primary Ansible playbook when run will create
+
+* a AWS Virtual Private Cloud (VPC) with the name `comanage_training`.
+All infrastructure is created within the VPC and can be deprovisioned by
+deleting the VPC.
+
+* an internet gateway (IG) to connect the VPC to the internet.
+
+* public and private subnets within the VPC.
+
+* NATs to allow virtual machines in the private subnets to open
+connections to the internet (e.g. to execute `yum update`).
+
+* appropriate security groups.
+
+* SSH bastion hosts (one per public subnet).
+
+* a host for a Shibboleth IdP. The IdP is deployed using the TAP image
+and a Docker Swarm service stack (compose) file, and includes an LDAP server
+pre-populated with user accounts for SAML authentication.
+
+* N hosts for trainees. Each host is a single-node Docker Swarm
+pre-populated with most details necessary for deploying COmanage Registry
+using the TAP image.
+
+* Target groups and an application load balancer (ALB) that terminates
+TLS and is configured to route web traffic to the IdP and the COmanage
+Registry hosts.
+
+* Route53 DNS configurations so that the IdP and the training nodes can
+all be easily reached.
+
+## Secrets
+
+There are no unencrypted secrets in this repository. All secrets,
+including SAML keys, are encrypted using the Ansible vault tooling.
+Refer to the Ansible documentation for details on how to manage the
+encrypted files and strings.
+
+## Prerequisites
+
+You will need to have an AWS access key and AWS secret access key provisioned
+by an administrator for the internet2-training AWS account.
+
+You will need to have the Ansible vault password used with this ansible
+deployment.
+
+You will need to have the AWS-Trng-1.pem (or other approved key) used
+for the initial login access to virtual machines.
+
+You will need to use the AWS Console to access the Certificate Manager
+and provision (or renew) an X.509 wildcard certificate for the domain
+`*.comanage.incommon.training`.
+
+## Set up Environment
+
+To set up the environment for ansible the first time:
+
+```
+git clone https://github.com/cilogon/comanage-registry-ansible.git
+cd comanage-registry-training-deployment
+virtualenv -p python3.7 ./
+source bin/activate
+pip install --upgrade pip
+pip install git+https://github.com/ansible/ansible.git@devel
+pip install boto
+pip install boto3
+wget https://raw.githubusercontent.com/ansible/ansible/devel/contrib/inventory/ec2.py
+chmod 755 ec2.py
+cp /path/to/AWS-Trng-1.pem .
+```
+
+Some ansible files are encrypted using `ansible-vault`. When running
+a playbook ansible needs to be able to find the password for the
+vault.
+
+Create a file outside of the clone of this repository to hold
+the vault password, e.g.
+
+```
+touch ~/.vault_pass.txt
+chmod 600 ~/.vault_pass.txt
+```
+Find the vault password from and enter it into the file you just created.
+
+## Initialization Before Running Playbooks
+
+Do this each time to run ansible commands or playbooks
+to set up the environment:
+
+```
+cd comanage-registry-training-deployment
+source bin/activate
+export AWS_ACCESS_KEY_ID='XXXXXXXX'
+export AWS_SECRET_ACCESS_KEY='XXXXXXXX'
+export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt
+export AWS_REGION=us-west-2
+rm ./ssh_mux_*
+kill $SSH_AGENT_PID
+unset SSH_AUTH_SOCK
+eval `ssh-agent -s`
+ssh-add ./AWS-Trng-1.pem
+```
+
+## Configuration
+
+Most of the configurable details, including the number of training nodes to
+deploye, are set in the file
+
+```
+vars/global.yml
+```
+
+Review that file before running the playbook.
+
+
+## Provision the COmanage Training Infrastructure
+
+To provision the infrastructure execute the playbook:
+
+```
+ansible-playbook -i ./ec2.py comanage_registry_training.yml
+```
+
+## SSH Access
+
+Trainers may use their provisioned SSH keys to access all nodes. Each trainer
+has a dedicated account on each node.
+
+Trainees may SSH using the account `training` and the provisioned password.
+
+Begin by logging into the bastion node, e.g.
+
+```
+$ ssh training@ssh.comanage.incommon.training
+training@ssh.comanage.incommon.training's password:
+Last login: Thu Nov 7 15:12:40 2019 from some/host
+[training@ssh ~]$
+```
+
+From there each trainee may SSH into their assigned host:
+
+```
+[training@ssh ~]$ ssh registry1-private
+training@registry1-private's password:
+Last login: Thu Nov 7 17:43:27 2019 from ip-192-168-10-10.us-west-2.compute.internal
+[training@registry1-private ~]$
+```
+
+Only trainers may SSH into the IdP node:
+
+```
+skoranda@paprika:~$ ssh -A ssh.comanage.incommon.training
+Last login: Thu Nov 7 15:01:48 2019 from some.host
+[skoranda@ssh ~]$ ssh login-private
+Last login: Thu Nov 7 17:43:56 2019 from ip-192-168-10-10.us-west-2.compute.internal
+```
+
+## Deploying the IdP
+
+The Ansible tooling does not automatically start the IdP service stack.
+To start the stack log into the IdP node and execute
+
+```
+docker stack deploy --compose-file /opt/shibboleth-idp-stack.yml idp
+```
+
+Useful Docker Swarm commands for the IdP node are
+
+```
+docker stack ls
+
+docker service ls
+
+docker service ps idp_shibboleth-idp
+
+docker service ps idp_ldap
+
+docker service logs -f idp_shibboleth-idp
+
+docker service logs -f idp_ldap
+
+docker stack rm idp
+```
+
+## Deploying COmanage Registry
+
+Each trainee is expected to SSH to the bastion host and then to their
+assigned node. In the home directory for the `training` user the trainee
+will find the Docker Swarm services stack (compose) file for deploying
+COmanage Registry, a MariaDB database, and an LDAP server.
+
+Before deploying the service stack the trainee must first, as an exercise,
+create some Docker Swarm secrets (see the training materials for details).
+Most secrets have been pre-populated using Ansible to save time, but the
+trainee is expected to create a few secrets.
+
+Once successfully deployed, COmanage Registry is available at the URL
+
+```
+https://registry1.comanage.incommon.training
+```
+
+for node 1, and
+
+```
+https://registry2.comanage.incommon.training
+```
+
+for node 2, and so on.
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..0a93037
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,494 @@
+# config file for ansible -- https://ansible.com/
+# ===============================================
+
+# nearly all parameters can be overridden in ansible-playbook
+# or with command line flags. ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+[defaults]
+
+# some basic default values...
+
+#inventory = /etc/ansible/hosts
+#library = /usr/share/my_modules/
+#module_utils = /usr/share/my_module_utils/
+#remote_tmp = ~/.ansible/tmp
+remote_tmp = /tmp
+#local_tmp = ~/.ansible/tmp
+#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
+#forks = 5
+#poll_interval = 15
+#sudo_user = root
+#ask_sudo_pass = True
+#ask_pass = True
+#transport = smart
+#remote_port = 22
+#module_lang = C
+#module_set_locale = False
+
+# plays will gather facts by default, which contain information about
+# the remote system.
+#
+# smart - gather by default, but don't regather if already gathered
+# implicit - gather by default, turn off with gather_facts: False
+# explicit - do not gather by default, must say gather_facts: True
+#gathering = implicit
+
+# This only affects the gathering done by a play's gather_facts directive,
+# by default gathering retrieves all facts subsets
+# all - gather all subsets
+# network - gather min and network facts
+# hardware - gather hardware facts (longest facts to retrieve)
+# virtual - gather min and virtual facts
+# facter - import facts from facter
+# ohai - import facts from ohai
+# You can combine them using comma (ex: network,virtual)
+# You can negate them using ! (ex: !hardware,!facter,!ohai)
+# A minimal set of facts is always gathered.
+#gather_subset = all
+
+# some hardware related facts are collected
+# with a maximum timeout of 10 seconds. This
+# option lets you increase or decrease that
+# timeout to something more suitable for the
+# environment.
+# gather_timeout = 10
+
+# Ansible facts are available inside the ansible_facts.* dictionary
+# namespace. This setting maintains the behaviour which was the default prior
+# to 2.5, duplicating these variables into the main namespace, each with a
+# prefix of 'ansible_'.
+# This variable is set to True by default for backwards compatibility. It
+# will be changed to a default of 'False' in a future release.
+# ansible_facts.
+# inject_facts_as_vars = True
+
+# additional paths to search for roles in, colon separated
+#roles_path = /etc/ansible/roles
+
+# uncomment this to disable SSH key host checking
+#host_key_checking = False
+
+# change the default callback, you can only have one 'stdout' type enabled at a time.
+#stdout_callback = skippy
+
+
+## Ansible ships with some plugins that require whitelisting,
+## this is done to avoid running all of a type by default.
+## These setting lists those that you want enabled for your system.
+## Custom plugins should not need this unless plugin author specifies it.
+
+# enable callback plugins, they can output to stdout but cannot be 'stdout' type.
+#callback_whitelist = timer, mail
+
+# Determine whether includes in tasks and handlers are "static" by
+# default. As of 2.0, includes are dynamic by default. Setting these
+# values to True will make includes behave more like they did in the
+# 1.x versions.
+#task_includes_static = False
+#handler_includes_static = False
+
+# Controls if a missing handler for a notification event is an error or a warning
+#error_on_missing_handler = True
+
+# change this for alternative sudo implementations
+#sudo_exe = sudo
+
+# What flags to pass to sudo
+# WARNING: leaving out the defaults might create unexpected behaviours
+#sudo_flags = -H -S -n
+
+# SSH timeout
+#timeout = 10
+timeout = 60
+
+# default user to use for playbooks if user is not specified
+# (/usr/bin/ansible will use current user as default)
+#remote_user = root
+
+# logging is off by default unless this path is defined
+# if so defined, consider logrotate
+#log_path = /var/log/ansible.log
+
+# default module name for /usr/bin/ansible
+#module_name = command
+
+# use this shell for commands executed under sudo
+# you may need to change this to bin/bash in rare instances
+# if sudo is constrained
+#executable = /bin/sh
+
+# if inventory variables overlap, does the higher precedence one win
+# or are hash values merged together? The default is 'replace' but
+# this can also be set to 'merge'.
+#hash_behaviour = replace
+
+# by default, variables from roles will be visible in the global variable
+# scope. To prevent this, the following option can be enabled, and only
+# tasks and handlers within the role will see the variables there
+#private_role_vars = yes
+
+# list any Jinja2 extensions to enable here:
+#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
+
+# if set, always use this private key file for authentication, same as
+# if passing --private-key to ansible or ansible-playbook
+#private_key_file = /path/to/file
+
+# If set, configures the path to the Vault password file as an alternative to
+# specifying --vault-password-file on the command line.
+#vault_password_file = /path/to/vault_password_file
+
+# format of string {{ ansible_managed }} available within Jinja2
+# templates indicates to users editing templates files will be replaced.
+# replacing {file}, {host} and {uid} and strftime codes with proper values.
+#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence
+# in some situations so the default is a static string:
+#ansible_managed = Ansible managed
+
+# by default, ansible-playbook will display "Skipping [host]" if it determines a task
+# should not be run on a host. Set this to "False" if you don't want to see these "Skipping"
+# messages. NOTE: the task header will still be shown regardless of whether or not the
+# task is skipped.
+#display_skipped_hosts = True
+
+# by default, if a task in a playbook does not include a name: field then
+# ansible-playbook will construct a header that includes the task's action but
+# not the task's args. This is a security feature because ansible cannot know
+# if the *module* considers an argument to be no_log at the time that the
+# header is printed. If your environment doesn't have a problem securing
+# stdout from ansible-playbook (or you have manually specified no_log in your
+# playbook on all of the tasks where you have secret information) then you can
+# safely set this to True to get more informative messages.
+#display_args_to_stdout = False
+
+# by default (as of 1.3), Ansible will raise errors when attempting to dereference
+# Jinja2 variables that are not set in templates or action lines. Uncomment this line
+# to revert the behavior to pre-1.3.
+#error_on_undefined_vars = False
+
+# by default (as of 1.6), Ansible may display warnings based on the configuration of the
+# system running ansible itself. This may include warnings about 3rd party packages or
+# other conditions that should be resolved if possible.
+# to disable these warnings, set the following value to False:
+#system_warnings = True
+
+# by default (as of 1.4), Ansible may display deprecation warnings for language
+# features that should no longer be used and will be removed in future versions.
+# to disable these warnings, set the following value to False:
+#deprecation_warnings = True
+
+# (as of 1.8), Ansible can optionally warn when usage of the shell and
+# command module appear to be simplified by using a default Ansible module
+# instead. These warnings can be silenced by adjusting the following
+# setting or adding warn=yes or warn=no to the end of the command line
+# parameter string. This will for example suggest using the git module
+# instead of shelling out to the git command.
+# command_warnings = False
+
+
+# set plugin path directories here, separate with colons
+#action_plugins = /usr/share/ansible/plugins/action
+#become_plugins = /usr/share/ansible/plugins/become
+#cache_plugins = /usr/share/ansible/plugins/cache
+#callback_plugins = /usr/share/ansible/plugins/callback
+#connection_plugins = /usr/share/ansible/plugins/connection
+#lookup_plugins = /usr/share/ansible/plugins/lookup
+#inventory_plugins = /usr/share/ansible/plugins/inventory
+#vars_plugins = /usr/share/ansible/plugins/vars
+#filter_plugins = /usr/share/ansible/plugins/filter
+#test_plugins = /usr/share/ansible/plugins/test
+#terminal_plugins = /usr/share/ansible/plugins/terminal
+#strategy_plugins = /usr/share/ansible/plugins/strategy
+
+
+# by default, ansible will use the 'linear' strategy but you may want to try
+# another one
+#strategy = free
+
+# by default callbacks are not loaded for /bin/ansible, enable this if you
+# want, for example, a notification or logging callback to also apply to
+# /bin/ansible runs
+#bin_ansible_callbacks = False
+
+
+# don't like cows? that's unfortunate.
+# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
+#nocows = 1
+
+# set which cowsay stencil you'd like to use by default. When set to 'random',
+# a random stencil will be selected for each task. The selection will be filtered
+# against the `cow_whitelist` option below.
+#cow_selection = default
+#cow_selection = random
+
+# when using the 'random' option for cowsay, stencils will be restricted to this list.
+# it should be formatted as a comma-separated list with no spaces between names.
+# NOTE: line continuations here are for formatting purposes only, as the INI parser
+# in python does not support them.
+#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
+# hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
+# stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
+
+# don't like colors either?
+# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
+#nocolor = 1
+
+# if set to a persistent type (not 'memory', for example 'redis') fact values
+# from previous runs in Ansible will be stored. This may be useful when
+# wanting to use, for example, IP information from one group of servers
+# without having to talk to them in the same playbook run to get their
+# current IP information.
+#fact_caching = memory
+
+#This option tells Ansible where to cache facts. The value is plugin dependent.
+#For the jsonfile plugin, it should be a path to a local directory.
+#For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0
+
+#fact_caching_connection=/tmp
+
+
+
+# retry files
+# When a playbook fails by default a .retry file will be created in ~/
+# You can disable this feature by setting retry_files_enabled to False
+# and you can change the location of the files by setting retry_files_save_path
+
+#retry_files_enabled = False
+#retry_files_save_path = ~/.ansible-retry
+
+# squash actions
+# Ansible can optimise actions that call modules with list parameters
+# when looping. Instead of calling the module once per with_ item, the
+# module is called once with all items at once. Currently this only works
+# under limited circumstances, and only with parameters named 'name'.
+#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper
+
+# prevents logging of task data, off by default
+#no_log = False
+
+# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
+#no_target_syslog = False
+
+# controls whether Ansible will raise an error or warning if a task has no
+# choice but to create world readable temporary files to execute a module on
+# the remote machine. This option is False by default for security. Users may
+# turn this on to have behaviour more like Ansible prior to 2.1.x. See
+# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
+# for more secure ways to fix this than enabling this option.
+#allow_world_readable_tmpfiles = False
+
+# controls the compression level of variables sent to
+# worker processes. At the default of 0, no compression
+# is used. This value must be an integer from 0 to 9.
+#var_compression_level = 9
+
+# controls what compression method is used for new-style ansible modules when
+# they are sent to the remote system. The compression types depend on having
+# support compiled into both the controller's python and the client's python.
+# The names should match with the python Zipfile compression types:
+# * ZIP_STORED (no compression. available everywhere)
+# * ZIP_DEFLATED (uses zlib, the default)
+# These values may be set per host via the ansible_module_compression inventory
+# variable
+#module_compression = 'ZIP_DEFLATED'
+
+# This controls the cutoff point (in bytes) on --diff for files
+# set to 0 for unlimited (RAM may suffer!).
+#max_diff_size = 1048576
+
+# This controls how ansible handles multiple --tags and --skip-tags arguments
+# on the CLI. If this is True then multiple arguments are merged together. If
+# it is False, then the last specified argument is used and the others are ignored.
+# This option will be removed in 2.8.
+#merge_multiple_cli_flags = True
+
+# Controls showing custom stats at the end, off by default
+#show_custom_stats = True
+
+# Controls which files to ignore when using a directory as inventory with
+# possibly multiple sources (both static and dynamic)
+#inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo
+
+# This family of modules use an alternative execution path optimized for network appliances
+# only update this setting if you know how this works, otherwise it can break module execution
+#network_group_modules=eos, nxos, ios, iosxr, junos, vyos
+
+# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as
+# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain
+# jinja2 templating language which will be run through the templating engine.
+# ENABLING THIS COULD BE A SECURITY RISK
+#allow_unsafe_lookups = False
+
+# set default errors for all plays
+#any_errors_fatal = False
+
+[inventory]
+# enable inventory plugins, default: 'host_list', 'script', 'auto', 'yaml', 'ini', 'toml'
+#enable_plugins = host_list, virtualbox, yaml, constructed
+
+# ignore these extensions when parsing a directory as inventory source
+#ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry
+
+# ignore files matching these patterns when parsing a directory as inventory source
+#ignore_patterns=
+
+# If 'true' unparsed inventory sources become fatal errors, they are warnings otherwise.
+#unparsed_is_failed=False
+
+[privilege_escalation]
+#become=True
+#become_method=sudo
+#become_user=root
+#become_ask_pass=False
+
+[paramiko_connection]
+
+# uncomment this line to cause the paramiko connection plugin to not record new host
+# keys encountered. Increases performance on new host additions. Setting works independently of the
+# host key checking setting above.
+#record_host_keys=False
+
+# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
+# line to disable this behaviour.
+#pty=False
+
+# paramiko will default to looking for SSH keys initially when trying to
+# authenticate to remote devices. This is a problem for some network devices
+# that close the connection after a key failure. Uncomment this line to
+# disable the Paramiko look for keys function
+#look_for_keys = False
+
+# When using persistent connections with Paramiko, the connection runs in a
+# background process. If the host doesn't already have a valid SSH key, by
+# default Ansible will prompt to add the host key. This will cause connections
+# running in background processes to fail. Uncomment this line to have
+# Paramiko automatically add host keys.
+#host_key_auto_add = True
+
+[ssh_connection]
+
+# ssh arguments to use
+# Leaving off ControlPersist will result in poor performance, so use
+# paramiko on older platforms rather than removing it, -C controls compression use
+#ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
+ssh_args = -F ./ssh_config -C -o ControlMaster=auto -o ControlPersist=3600s
+
+# The base directory for the ControlPath sockets.
+# This is the "%(directory)s" in the control_path option
+#
+# Example:
+# control_path_dir = /tmp/.ansible/cp
+#control_path_dir = ~/.ansible/cp
+
+# The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname,
+# port and username (empty string in the config). The hash mitigates a common problem users
+# found with long hostnames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format.
+# In those cases, a "too long for Unix domain socket" ssh error would occur.
+#
+# Example:
+# control_path = %(directory)s/%%h-%%r
+#control_path =
+control_path = ssh_mux_%%h_%%p
+
+# Enabling pipelining reduces the number of SSH operations required to
+# execute a module on the remote server. This can result in a significant
+# performance improvement when enabled, however when using "sudo:" you must
+# first disable 'requiretty' in /etc/sudoers
+#
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+#
+#pipelining = False
+
+# Control the mechanism for transferring files (old)
+# * smart = try sftp and then try scp [default]
+# * True = use scp only
+# * False = use sftp only
+#scp_if_ssh = smart
+
+# Control the mechanism for transferring files (new)
+# If set, this will override the scp_if_ssh option
+# * sftp = use sftp to transfer files
+# * scp = use scp to transfer files
+# * piped = use 'dd' over SSH to transfer files
+# * smart = try sftp, scp, and piped, in that order [default]
+#transfer_method = smart
+
+# if False, sftp will not use batch mode to transfer files. This may cause some
+# types of file transfer failures impossible to catch however, and should
+# only be disabled if your sftp version has problems with batch mode
+#sftp_batch_mode = False
+
+# The -tt argument is passed to ssh when pipelining is not enabled because sudo
+# requires a tty by default.
+#usetty = True
+
+# Number of times to retry an SSH connection to a host, in case of UNREACHABLE.
+# For each retry attempt, there is an exponential backoff,
+# so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max).
+#retries = 3
+
+[persistent_connection]
+
+# Configures the persistent connection timeout value in seconds. This value is
+# how long the persistent connection will remain idle before it is destroyed.
+# If the connection doesn't receive a request before the timeout value
+# expires, the connection is shutdown. The default value is 30 seconds.
+#connect_timeout = 30
+
+# The command timeout value defines the amount of time to wait for a command
+# or RPC call before timing out. The value for the command timeout must
+# be less than the value of the persistent connection idle timeout (connect_timeout)
+# The default value is 30 second.
+#command_timeout = 30
+
+[accelerate]
+#accelerate_port = 5099
+#accelerate_timeout = 30
+#accelerate_connect_timeout = 5.0
+
+# The daemon timeout is measured in minutes. This time is measured
+# from the last activity to the accelerate daemon.
+#accelerate_daemon_timeout = 30
+
+# If set to yes, accelerate_multi_key will allow multiple
+# private keys to be uploaded to it, though each user must
+# have access to the system via SSH to add a new key. The default
+# is "no".
+#accelerate_multi_key = yes
+
+[selinux]
+# file systems that require special treatment when dealing with security context
+# the default behaviour that copies the existing context or uses the user default
+# needs to be changed to use the file system dependent context.
+#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p
+
+# Set this to yes to allow libvirt_lxc connections to work without SELinux.
+#libvirt_lxc_noseclabel = yes
+
+[colors]
+#highlight = white
+#verbose = blue
+#warn = bright purple
+#error = red
+#debug = dark gray
+#deprecate = purple
+#skip = cyan
+#unreachable = red
+#ok = green
+#changed = yellow
+#diff_add = green
+#diff_remove = red
+#diff_lines = cyan
+
+
+[diff]
+# Always print diff when running ( same as always running with -D/--diff )
+# always = no
+
+# Set how many context lines to show in diff
+# context = 3
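Review bot: `remote_tmp = /tmp` moves Ansible's remote staging area from the default per-user `~/.ansible/tmp` to a shared directory; Ansible still creates a private per-task subdirectory there, so direct exposure is limited, but /tmp is shared with every local user, is commonly mounted `noexec` or swept by tmp reapers (which breaks module execution), and is exactly where the `allow_world_readable_tmpfiles` problem described later in this file bites if `become` ever targets an unprivileged user. Unless the home directory is known to be unusable on these images, drop that line to keep the default. Separately, `ssh_args` sets `ControlPersist=3600s` while `control_path = ssh_mux_%%h_%%p` is relative to the working directory, so an authenticated multiplexed SSH master to every host stays reachable for an hour after a run through sockets sitting in the repository checkout; the README even has users `rm ./ssh_mux_*` by hand. Something like `ControlPersist=60s` with `control_path_dir = ~/.ansible/cp` (and a `%%r` component in `control_path`) confines that to the user's home and a short window. Host key checking is left at its default (enabled), which is the right call since the referenced `./ssh_config` is not in the diff and cannot be checked here.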
diff --git a/comanage_registry_training.yml b/comanage_registry_training.yml
new file mode 100644
index 0000000..e17b5f3
--- /dev/null
+++ b/comanage_registry_training.yml
@@ -0,0 +1,25 @@
+---
+- hosts: localhost
+ connection: local
+ gather_facts: False
+
+ tasks:
+ - name: import global variables
+ include_vars:
+ file: "vars/global.yml"
+
+# Combine multiple playbooks
+- name: configure COmanage training VPC
+ import_playbook: vpc.yml
+
+- name: configure SSH bastion host
+ import_playbook: ssh_bastion.yml
+
+- name: configure IdP host
+ import_playbook: idp_node.yml
+
+- name: configure training nodes
+ import_playbook: training_nodes.yml
+
+- name: set nice hostnames
+ import_playbook: hostnames.yml
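Review bot: The `include_vars` task in the first play loads `vars/global.yml` as host variables for `localhost` only, so plays in the imported playbooks that target EC2 hosts rather than localhost will not see those values unless they read `hostvars['localhost']`; the imported files are not in the diff, so this may already be handled, but it is worth confirming given the README calls this file the single place where the node count is set. Loading it with play-level `vars_files: [vars/global.yml]` on each play that needs it, or passing `-e @vars/global.yml` on the command line, makes the values visible everywhere. At minimum a comment above the task, `# host vars for localhost only; plays against remote hosts need hostvars['localhost'] or their own vars_files`, would make the scope explicit. The first play also lacks a `name`; `- name: load global variables` keeps the run output readable.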
diff --git a/ec2.ini b/ec2.ini
new file mode 100644
index 0000000..488ffd0
--- /dev/null
+++ b/ec2.ini
@@ -0,0 +1,222 @@
+# Ansible EC2 external inventory script settings
+#
+
+[ec2]
+
+# to talk to a private eucalyptus instance uncomment these lines
+# and edit edit eucalyptus_host to be the host name of your cloud controller
+#eucalyptus = True
+#eucalyptus_host = clc.cloud.domain.org
+
+# AWS regions to make calls to. Set this to 'all' to make request to all regions
+# in AWS and merge the results together. Alternatively, set this to a comma
+# separated list of regions. E.g. 'us-east-1,us-west-1,us-west-2' and do not
+# provide the 'regions_exclude' option. If this is set to 'auto', AWS_REGION or
+# AWS_DEFAULT_REGION environment variable will be read to determine the region.
+#regions = all
+regions = us-west-2
+regions_exclude = us-gov-west-1, cn-north-1
+
+# When generating inventory, Ansible needs to know how to address a server.
+# Each EC2 instance has a lot of variables associated with it. Here is the list:
+# http://docs.pythonboto.org/en/latest/ref/ec2.html#module-boto.ec2.instance
+# Below are 2 variables that are used as the address of a server:
+# - destination_variable
+# - vpc_destination_variable
+
+# This is the normal destination variable to use. If you are running Ansible
+# from outside EC2, then 'public_dns_name' makes the most sense. If you are
+# running Ansible from within EC2, then perhaps you want to use the internal
+# address, and should set this to 'private_dns_name'. The key of an EC2 tag
+# may optionally be used; however the boto instance variables hold precedence
+# in the event of a collision.
+#destination_variable = public_dns_name
+destination_variable = private_dns_name
+
+# This allows you to override the inventory_name with an ec2 variable, instead
+# of using the destination_variable above. Addressing (aka ansible_ssh_host)
+# will still use destination_variable. Tags should be written as 'tag_TAGNAME'.
+#hostname_variable = tag_Name
+
+# For server inside a VPC, using DNS names may not make sense. When an instance
+# has 'subnet_id' set, this variable is used. If the subnet is public, setting
+# this to 'ip_address' will return the public IP address. For instances in a
+# private subnet, this should be set to 'private_ip_address', and Ansible must
+# be run from within EC2. The key of an EC2 tag may optionally be used; however
+# the boto instance variables hold precedence in the event of a collision.
+# WARNING: - instances that are in the private vpc, _without_ public ip address
+# will not be listed in the inventory until You set:
+# vpc_destination_variable = private_ip_address
+#vpc_destination_variable = ip_address
+vpc_destination_variable = private_ip_address
+
+# The following two settings allow flexible ansible host naming based on a
+# python format string and a comma-separated list of ec2 tags. Note that:
+#
+# 1) If the tags referenced are not present for some instances, empty strings
+# will be substituted in the format string.
+# 2) This overrides both destination_variable and vpc_destination_variable.
+#
+#destination_format = {0}.{1}.example.com
+#destination_format_tags = Name,environment
+
+# To tag instances on EC2 with the resource records that point to them from
+# Route53, set 'route53' to True.
+route53 = False
+
+# To use Route53 records as the inventory hostnames, uncomment and set
+# to equal the domain name you wish to use. You must also have 'route53' (above)
+# set to True.
+# route53_hostnames = .example.com
+
+# To exclude RDS instances from the inventory, uncomment and set to False.
+#rds = False
+
+# To exclude ElastiCache instances from the inventory, uncomment and set to False.
+#elasticache = False
+
+# Additionally, you can specify the list of zones to exclude looking up in
+# 'route53_excluded_zones' as a comma-separated list.
+# route53_excluded_zones = samplezone1.com, samplezone2.com
+
+# By default, only EC2 instances in the 'running' state are returned. Set
+# 'all_instances' to True to return all instances regardless of state.
+all_instances = False
+
+# By default, only EC2 instances in the 'running' state are returned. Specify
+# EC2 instance states to return as a comma-separated list. This
+# option is overridden when 'all_instances' is True.
+# instance_states = pending, running, shutting-down, terminated, stopping, stopped
+
+# By default, only RDS instances in the 'available' state are returned. Set
+# 'all_rds_instances' to True return all RDS instances regardless of state.
+all_rds_instances = False
+
+# Include RDS cluster information (Aurora etc.)
+include_rds_clusters = False
+
+# By default, only ElastiCache clusters and nodes in the 'available' state
+# are returned. Set 'all_elasticache_clusters' and/or 'all_elastic_nodes'
+# to True return all ElastiCache clusters and nodes, regardless of state.
+#
+# Note that all_elasticache_nodes only applies to listed clusters. That means
+# if you set all_elastic_clusters to false, no node will be return from
+# unavailable clusters, regardless of the state and to what you set for
+# all_elasticache_nodes.
+all_elasticache_replication_groups = False
+all_elasticache_clusters = False
+all_elasticache_nodes = False
+
+# API calls to EC2 are slow. For this reason, we cache the results of an API
+# call. Set this to the path you want cache files to be written to. Two files
+# will be written to this directory:
+# - ansible-ec2.cache
+# - ansible-ec2.index
+cache_path = ~/.ansible/tmp
+
+# The number of seconds a cache file is considered valid. After this many
+# seconds, a new API call will be made, and the cache file will be updated.
+# To disable the cache, set this value to 0
+#cache_max_age = 300
+
+# Organize groups into a nested/hierarchy instead of a flat namespace.
+nested_groups = False
+
+# Replace - tags when creating groups to avoid issues with ansible
+replace_dash_in_groups = True
+
+# If set to true, any tag of the form "a,b,c" is expanded into a list
+# and the results are used to create additional tag_* inventory groups.
+expand_csv_tags = False
+
+# The EC2 inventory output can become very large. To manage its size,
+# configure which groups should be created.
+group_by_instance_id = True
+group_by_region = True
+group_by_availability_zone = True
+group_by_aws_account = False
+group_by_ami_id = True
+group_by_instance_type = True
+group_by_instance_state = False
+group_by_platform = True
+group_by_key_pair = True
+group_by_vpc_id = True
+group_by_security_group = True
+group_by_tag_keys = True
+group_by_tag_none = True
+group_by_route53_names = True
+group_by_rds_engine = True
+group_by_rds_parameter_group = True
+group_by_elasticache_engine = True
+group_by_elasticache_cluster = True
+group_by_elasticache_parameter_group = True
+group_by_elasticache_replication_group = True
+
+# If you only want to include hosts that match a certain regular expression
+# pattern_include = staging-*
+
+# If you want to exclude any hosts that match a certain regular expression
+# pattern_exclude = staging-*
+
+# Instance filters can be used to control which instances are retrieved for
+# inventory. For the full list of possible filters, please read the EC2 API
+# docs: http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-DescribeInstances.html#query-DescribeInstances-filters
+# Filters are key/value pairs separated by '=', to list multiple filters use
+# a list separated by commas. To "AND" criteria together, use "&". Note that
+# the "AND" is not useful along with stack_filters and so such usage is not allowed.
+# See examples below.
+
+# If you want to apply multiple filters simultaneously, set stack_filters to
+# True. Default behaviour is to combine the results of all filters. Stacking
+# allows the use of multiple conditions to filter down, for example by
+# environment and type of host.
+stack_filters = False
+
+# Retrieve only instances with (key=value) env=staging tag
+# instance_filters = tag:env=staging
+
+# Retrieve only instances with role=webservers OR role=dbservers tag
+# instance_filters = tag:role=webservers,tag:role=dbservers
+
+# Retrieve only t1.micro instances OR instances with tag env=staging
+# instance_filters = instance-type=t1.micro,tag:env=staging
+
+# You can use wildcards in filter values also. Below will list instances which
+# tag Name value matches webservers1*
+# (ex. webservers15, webservers1a, webservers123 etc)
+# instance_filters = tag:Name=webservers1*
+
+# Retrieve only instances of type t1.micro that also have tag env=stage
+# instance_filters = instance-type=t1.micro&tag:env=stage
+
+# Retrieve instances of type t1.micro AND tag env=stage, as well as any instance
+# that are of type m3.large, regardless of env tag
+# instance_filters = instance-type=t1.micro&tag:env=stage,instance-type=m3.large
+
+# An IAM role can be assumed, so all requests are run as that role.
+# This can be useful for connecting across different accounts, or to limit user
+# access
+# iam_role = role-arn
+
+# A boto configuration profile may be used to separate out credentials
+# see https://boto.readthedocs.io/en/latest/boto_config_tut.html
+# boto_profile = some-boto-profile-name
+
+
+[credentials]
+
+# The AWS credentials can optionally be specified here. Credentials specified
+# here are ignored if the environment variable AWS_ACCESS_KEY_ID or
+# AWS_PROFILE is set, or if the boto_profile property above is set.
+#
+# Supplying AWS credentials here is not recommended, as it introduces
+# non-trivial security concerns. When going down this route, please make sure
+# to set access permissions for this file correctly, e.g. handle it the same
+# way as you would a private SSH key.
+#
+# Unlike the boto and AWS configure files, this section does not support
+# profiles.
+#
+# aws_access_key_id = AXXXXXXXXXXXXXX
+# aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
+# aws_security_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXX
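Review bot: `regions = us-west-2` is combined with `regions_exclude = us-gov-west-1, cn-north-1`, which the comment above it says not to do when `regions` is an explicit list rather than `all`; the exclusion is harmless here but reads as a leftover from the default file and should be commented out to match the documented contract. The `[credentials]` section correctly stays commented, and keeping it that way is the right call given the file sits in the repository.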
diff --git a/hostnames.yml b/hostnames.yml
new file mode 100644
index 0000000..ccdfaa3
--- /dev/null
+++ b/hostnames.yml
@@ -0,0 +1,11 @@
+---
+- hosts: tag_comanage_training_True
+ become: yes
+ gather_facts: True
+ strategy: free
+
+ tasks:
+
+ - name: Set FQDN for node
+ command: "hostnamectl set-hostname {{ ec2_tag_private_fqdn }}"
+ when: ansible_facts['nodename'] != ec2_tag_private_fqdn
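Review bot: The hostname change shells out through `command` with the tag value interpolated, plus a hand-written `when` guard, where Ansible's `hostname` module does the same job idempotently and reports `changed` correctly: `- name: Set FQDN for node` / `hostname:` / `name: "{{ ec2_tag_private_fqdn }}"`. Using the module also avoids building a command line from an EC2 tag, a value that anyone with tagging rights on the account can set. `become: yes` should be `become: true` to keep booleans canonical across the playbooks.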
diff --git a/idp_node.yml b/idp_node.yml
new file mode 100644
index 0000000..6cb9905
--- /dev/null
+++ b/idp_node.yml
@@ -0,0 +1,92 @@
+---
+- hosts: localhost
+ connection: local
+ gather_facts: False
+
+ tasks:
+
+ - name: Build idp_node_rules security group rules - bastion hosts - SSH tcp/22
+ set_fact:
+ idp_node_rules: "{{ idp_node_rules | default([]) | union( [{ 'proto': 'tcp' , 'ports': '22', 'cidr_ip': item, 'rule_desc': 'SSH from bastion'}] ) }}"
+ loop: "{{ bastion_internal_ip }}"
+
+ - name: Build idp_node_rules security group rules - ALB port tcp/8080
+ set_fact:
+ idp_node_rules: "{{ idp_node_rules | default([]) | union( [{ 'proto': 'tcp' , 'ports': '8080', 'cidr_ip': '192.168.0.0/16', 'rule_desc': 'web traffic port 8080'}] ) }}"
+
+ - name: Security group COmanage IdP node
+ ec2_group:
+ name: "comanage-idp-node"
+ tags:
+ Name: "comanage-idp-node"
+ description: "COmanage idp node"
+ vpc_id: "{{ comanage_training_vpc.vpc.id }}"
+ region: "{{ comanage_training_region }}"
+ rules: "{{ idp_node_rules }}"
+ register: idp_node_sg
+
+ - name: Provision COmanage IdP node
+ ec2:
+ key_name: AWS-Trng-1
+ group_id: "{{ idp_node_sg.group_id }}"
+ instance_type: "{{ idp_node_instance_type }}"
+ image: "{{ idp_node_ami_id }}"
+ region: "{{ comanage_training_region }}"
+ assign_public_ip: no
+ instance_initiated_shutdown_behavior: stop
+ monitoring: no
+ # We only provision into one subnet since we do not need high
+ # availability for training.
+ vpc_subnet_id: "{{ private_subnet_id_by_az | dictsort | first | last }}"
+ volumes:
+ - device_name: "{{ idp_node_device_name }}"
+ volume_type: "{{ idp_node_volume_type }}"
+ volume_size: "{{ idp_node_volume_size }}"
+ delete_on_termination: yes
+ instance_tags:
+ Name: "comanage-idp-node"
+ private_fqdn: "login-private.{{ r53_dns_domain }}"
+ public_fqdn: "login.{{ r53_dns_domain }}"
+ comanage_training: True
+ role: idp
+ count_tag:
+ Name: "comanage-idp-node"
+ exact_count: 1
+ wait: true
+ register: idp_node
+
+ - name: Build Ansible inventory host group of IdP node
+ add_host:
+ name: "{{ idp_node.tagged_instances[0].private_ip }}"
+ groups: ssh_idp_node_host
+
+ - name: Create A record entry for IdP node private interface
+ route53:
+ state: present
+ zone: "{{ r53_hosted_zone }}"
+ record: "{{ idp_node.tagged_instances[0].tags.private_fqdn }}"
+ value: "{{ idp_node.tagged_instances[0].private_ip }}"
+ type: A
+ ttl: 30
+ overwrite: yes
+ wait: no
+
+ - name: Wait for SSH to come up on IdP node
+ delegate_to: "{{ idp_node.tagged_instances[0].private_ip }}"
+ wait_for_connection:
+ timeout: 300
+ register: idp_node_ssh_connection
+
+- hosts: ssh_idp_node_host
+ become: yes
+ gather_facts: True
+ strategy: free
+
+ tasks:
+
+ - import_role:
+ name: common
+ - import_role:
+ name: swarm
+ - import_role:
+ name: idp
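Review bot: The tcp/8080 security group rule hard-codes `cidr_ip: '192.168.0.0/16'` while every other network detail in this play (region, VPC id, subnet) comes from a variable; if the VPC CIDR is defined in vars it should be referenced there, and if the intent is "only the ALB", granting by the ALB's security group id via the rule's `group_id` key would be tighter than a whole /16. The `comanage_training: True` tag is load-bearing: Ansible stringifies it to `True` and hostnames.yml targets the derived group `tag_comanage_training_True`, so a short comment noting that the capitalisation must not change would save a future editor from silently emptying that group. The remaining `yes`/`no` values (`assign_public_ip`, `monitoring`, `delete_on_termination`, `overwrite`, `become`) should be `true`/`false` for consistency with `wait: true`.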
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
new file mode 100644
index 0000000..3be4274
--- /dev/null
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+ - name: restart sshd
+ systemd:
+ name: sshd
+ state: restarted
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..711cd88
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+ - name: Run yum update to get latest packages
+ yum:
+ name: '*'
+ state: latest
+
+ - name: Install convenience packages
+ yum:
+ name:
+ - bash-completion
+ - bind-utils
+ - screen
+ - vim
+ state: present
+
+ - include: users.yml
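Review bot: `- include: users.yml` uses the deprecated bare `include` action; since the file is static it should be `- import_tasks: users.yml` (or `include_tasks` if it ever becomes conditional). The first task runs `yum` with `name: '*'` and `state: latest`, which re-applies a full update on every run and makes the role report `changed` whenever upstream publishes packages, so consider documenting that this is intentional for a short-lived training environment, e.g. `# Full update on every run is acceptable here: hosts are rebuilt per training session.`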
diff --git a/roles/common/tasks/users.yml b/roles/common/tasks/users.yml
new file mode 100644
index 0000000..44eb45f
--- /dev/null
+++ b/roles/common/tasks/users.yml
@@ -0,0 +1,72 @@
+---
+ - name: Enable password authentication for SSH
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^PasswordAuthentication'
+ line: PasswordAuthentication yes
+ notify:
+ - restart sshd
+
+ - name: Passwordless sudo
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^%wheel'
+ line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+ validate: 'visudo -cf %s'
+
+ - name: Trainers unix group
+ group:
+ name: trainers
+ gid: 1001
+
+ - name: Scott Koranda
+ user:
+ name: skoranda
+ comment: Scott Koranda
+ uid: 1010
+ home: /home/skoranda
+ password: "*"
+ shell: /bin/bash
+ group: trainers
+ append: yes
+ groups: wheel
+
+ - name: Scott Koranda authorized ssh key
+ authorized_key:
+ user: skoranda
+ key: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr9amUAycDrDj2f2kLkK6b5X5DYr+4kmRcYfjcOQG9capsUDh44E8C1KKKRtVZNCM4QAXjHHuIQhb7/YysH6XpjUypzHciDNyJ6f3H0Phrcu9X5HSXlPNuyHlq1rtxtuXnd/UPmrZlSuy1Kt4bjjk5EYI6XMXQjlZMet9mT8y0kB1NALGqfLm1LesjShEmKCqP97fj//jRakm661TDdphjKR7e/O6wB80BHZAUznd+4XqYoQ8wPMWFKk21ZtwNWEpgooPhwC956BmsGRXHzySct/LISNAwbQdNaxTKeWdLGvsD6uivBsbBe2egrkCB0UKzcyXTuQv3W4cElAzDFROEQ== skoranda@oregano.local"
+
+ - name: Paul Caskey
+ user:
+ name: pcaskey
+ comment: Paul Caskey
+ uid: 1011
+ home: /home/pcaskey
+ password: "*"
+ shell: /bin/bash
+ group: trainers
+ append: yes
+ groups: wheel
+
+ - name: Paul Caskey authorized ssh key
+ authorized_key:
+ user: pcaskey
+ key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ3+4TSLAruT/RLBHL9aGTDeP4I0XxuqICWj1Ag8H+JVdwrRtW7uGFiFrTbqqfCsBKFIgl64C3ioRixzA4RW8SxeGQj33xJAR+B9EdJg1neIaCwPAdm0snv7A0sRU/0PltHInd2Dcm6EzjIfzyMMPc+t78p9kgyisIKxOTKTjT+Ucty3HoxL2g4Vs3o3T61aM+k1mBGPYIoJxpRkNKho/VviTkJiooemKl4w5sXAzxY7FNpJ18Ir/iUo4hk1Z2766EDObaM1CECSXrEAfo0LA6LbV9ns4BJ1xq9HS4DWxJ6rp1YJcsmihX6nBjnvkM4h+ihjZgxi4iYVWxmAX7OjLV"
+
+ - name: Training unix group
+ group:
+ name: training
+ gid: 2000
+
+ - name: Training user
+ user:
+ name: training
+ comment: COmanage Training User
+ uid: 2000
+ home: /home/training
+ password: "$6$bvMJpaKk$glM0iapwOVJFiN7//FY9PdXLIs3sGPUkOODrQgXAaCIXP/P6kly9ZucehBryh2j10giTuNmuosQcepZ2a103T."
+ shell: /bin/bash
+ group: training
+ append: yes
+
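Review bot: The `training` user's `password` hash is committed in the clear, and because the first task turns on `PasswordAuthentication yes` for the whole sshd, that one shared credential becomes the SSH login for every node; the hash should at least be stored as an `!vault` string like the IdP key material, and the `user` task should carry `no_log: true` so the hash is not echoed in verbose runs. Narrowing the sshd change to the account that needs it, for example a `Match User training` block with `PasswordAuthentication yes` instead of a global directive, keeps key-only authentication for the `wheel` accounts that also get `NOPASSWD` sudo. The `yes` values on `append` and in the `line:` for sshd are fine, but `append: yes` should be `append: true` to match the rest of the repository's boolean style.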
diff --git a/roles/idp/files/attribute-filter.xml b/roles/idp/files/attribute-filter.xml
new file mode 100644
index 0000000..ef654ce
--- /dev/null
+++ b/roles/idp/files/attribute-filter.xml
@@ -0,0 +1,32 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/roles/idp/files/attribute-resolver.xml b/roles/idp/files/attribute-resolver.xml
new file mode 100644
index 0000000..1992b9d
--- /dev/null
+++ b/roles/idp/files/attribute-resolver.xml
@@ -0,0 +1,60 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/roles/idp/files/config-always-01.ldif b/roles/idp/files/config-always-01.ldif
new file mode 100644
index 0000000..6abcbfc
--- /dev/null
+++ b/roles/idp/files/config-always-01.ldif
@@ -0,0 +1,155 @@
+dn: o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectclass: dcObject
+objectclass: organization
+dc: comanage
+o: Training
+
+dn: ou=system,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: organizationalUnit
+ou: system
+
+dn: uid=idp_user,ou=system,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: account
+objectClass: simpleSecurityObject
+uid: idp_user
+description: IdP user for Training
+userPassword: {CRYPT}$6$rounds=5000$N2pgShkatLTpwCWg$23WA6pNtEIjosaF/avflqlKhQTuyE6VphopmiATN2P/E2MvviLlqOGBfzQk7ie0ZWME.cW9hj9ACKS.fzddVr1
+
+dn: ou=people,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: organizationalUnit
+ou: people
+
+dn: employeeNumber=1000,ou=people,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+employeeNumber: 1000
+givenName: Phil
+sn: Hines
+cn: Phil Hines
+uid: phil.hines
+mail: phil.hines@mailinator.com
+userPassword: {CRYPT}$6$rounds=5000$RMNH6IpoChSTxPzx$r9c67vaf.vP7HExQTFeR.7kioNEWU5/BiJHfs/.3xjcYmJ9R594IIRpey.IyENS5iBdTnpfBOvOYqS/cCM/8.0
+
+dn: employeeNumber=1001,ou=people,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+employeeNumber: 1001
+givenName: Cinda
+sn: Causar
+cn: Cinda Causar
+uid: cinda.causar
+mail: cinda.causar@mailinator.com
+userPassword: {CRYPT}$6$rounds=5000$RMNH6IpoChSTxPzx$r9c67vaf.vP7HExQTFeR.7kioNEWU5/BiJHfs/.3xjcYmJ9R594IIRpey.IyENS5iBdTnpfBOvOYqS/cCM/8.0
+
+dn: employeeNumber=1002,ou=people,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+employeeNumber: 1002
+givenName: David
+sn: Fair
+cn: David Fair
+uid: david.fair
+mail: david.fair@mailinator.com
+userPassword: {CRYPT}$6$rounds=5000$RMNH6IpoChSTxPzx$r9c67vaf.vP7HExQTFeR.7kioNEWU5/BiJHfs/.3xjcYmJ9R594IIRpey.IyENS5iBdTnpfBOvOYqS/cCM/8.0
+
+dn: employeeNumber=1003,ou=people,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+employeeNumber: 1003
+givenName: Rose
+sn: Martinez
+cn: Rose Martinez
+uid: rose.martinez
+mail: rose.martinez@mailinator.com
+userPassword: {CRYPT}$6$rounds=5000$RMNH6IpoChSTxPzx$r9c67vaf.vP7HExQTFeR.7kioNEWU5/BiJHfs/.3xjcYmJ9R594IIRpey.IyENS5iBdTnpfBOvOYqS/cCM/8.0
+
+dn: employeeNumber=1004,ou=people,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+employeeNumber: 1004
+givenName: Charlene
+sn: Melton
+cn: Charlene Melton
+uid: charlene.melton
+mail: charlene.melton@mailinator.com
+userPassword: {CRYPT}$6$rounds=5000$RMNH6IpoChSTxPzx$r9c67vaf.vP7HExQTFeR.7kioNEWU5/BiJHfs/.3xjcYmJ9R594IIRpey.IyENS5iBdTnpfBOvOYqS/cCM/8.0
+
+dn: employeeNumber=1005,ou=people,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+employeeNumber: 1005
+givenName: Brenda
+sn: Messer
+cn: Brenda Messer
+uid: brenda.messer
+mail: brenda.messer@mailinator.com
+userPassword: {CRYPT}$6$rounds=5000$RMNH6IpoChSTxPzx$r9c67vaf.vP7HExQTFeR.7kioNEWU5/BiJHfs/.3xjcYmJ9R594IIRpey.IyENS5iBdTnpfBOvOYqS/cCM/8.0
+
+dn: employeeNumber=1006,ou=people,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+employeeNumber: 1006
+givenName: Carol
+sn: Pak
+cn: Carol Pak
+uid: carol.pak
+mail: carol.pak@mailinator.com
+userPassword: {CRYPT}$6$rounds=5000$RMNH6IpoChSTxPzx$r9c67vaf.vP7HExQTFeR.7kioNEWU5/BiJHfs/.3xjcYmJ9R594IIRpey.IyENS5iBdTnpfBOvOYqS/cCM/8.0
+
+dn: employeeNumber=1007,ou=people,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+employeeNumber: 1007
+givenName: Kim
+sn: Soto
+cn: Kim Soto
+uid: kim.soto
+mail: kim.soto@mailinator.com
+userPassword: {CRYPT}$6$rounds=5000$RMNH6IpoChSTxPzx$r9c67vaf.vP7HExQTFeR.7kioNEWU5/BiJHfs/.3xjcYmJ9R594IIRpey.IyENS5iBdTnpfBOvOYqS/cCM/8.0
+
+dn: employeeNumber=1008,ou=people,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+employeeNumber: 1008
+givenName: Jolie
+sn: Rodriguez
+cn: Jolie Rodriguez
+uid: jolie.rodriguez
+mail: jolie.rodriguez@mailinator.com
+userPassword: {CRYPT}$6$rounds=5000$RMNH6IpoChSTxPzx$r9c67vaf.vP7HExQTFeR.7kioNEWU5/BiJHfs/.3xjcYmJ9R594IIRpey.IyENS5iBdTnpfBOvOYqS/cCM/8.0
+
+dn: employeeNumber=1009,ou=people,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+employeeNumber: 1009
+givenName: Carla
+sn: Woo
+cn: Carla Woo
+uid: carla.woo
+mail: carla.woo@mailinator.com
+userPassword: {CRYPT}$6$rounds=5000$RMNH6IpoChSTxPzx$r9c67vaf.vP7HExQTFeR.7kioNEWU5/BiJHfs/.3xjcYmJ9R594IIRpey.IyENS5iBdTnpfBOvOYqS/cCM/8.0
+
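Review bot: All nine `ou=people` entries carry a byte-identical `userPassword` value (same `$6$` salt and digest), which means they share a single password; if that is intended for training, a leading `# All person entries share one password by design (training only).` comment would stop a reader from treating it as a copy-paste error. The `idp_user` bind hash on the earlier `uid=idp_user` entry is likewise stored in the clear while the IdP key files are vaulted, which is worth a note even though it is a hash rather than a plaintext secret. As a point of style, the first entry spells the attribute `objectclass` while every other entry uses `objectClass`; LDAP is case-insensitive here, but one spelling is easier to grep.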
diff --git a/roles/idp/files/config-always-all-olcAccess.ldif b/roles/idp/files/config-always-all-olcAccess.ldif
new file mode 100644
index 0000000..a9c9145
--- /dev/null
+++ b/roles/idp/files/config-always-all-olcAccess.ldif
@@ -0,0 +1,7 @@
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to dn.base="cn=admin,dc=comanage,dc=incommon,dc=training" by sockname.regex=/var/run/slapd/ldapi auth by users none by * none
+olcAccess: {1}to dn.base="uid=idp_user,ou=system,o=Training,dc=comanage,dc=incommon,dc=training" by self auth by anonymous auth by * none
+olcAccess: {2}to dn.subtree="o=Training,dc=comanage,dc=incommon,dc=training" by dn="uid=idp_user,ou=system,o=Training,dc=comanage,dc=incommon,dc=training" read by self auth by anonymous auth by * none
+olcAccess: {3}to * by * none
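Review bot: Rule `{2}` gives `idp_user` `read` on every attribute under `o=Training`, including `userPassword`, so the IdP's service account can pull all user hashes; if the IdP binds as the end user (the usual bind-search setup) it only needs `read` on the identifying attributes. Inserting an attribute-scoped rule ahead of it keeps password access to `auth` only: `olcAccess: {2}to dn.subtree="o=Training,dc=comanage,dc=incommon,dc=training" attrs=userPassword by self auth by anonymous auth by * none`, with the existing subtree rule renumbered to `{3}` and the final catch-all to `{4}`. Rule `{0}` references `cn=admin,dc=comanage,dc=incommon,dc=training`, which is outside the `o=Training` subtree created in config-always-01.ldif; a comment confirming that the admin entry is created elsewhere would help.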
diff --git a/roles/idp/files/idp-encryption.crt b/roles/idp/files/idp-encryption.crt
new file mode 100644
index 0000000..ff1dd17
--- /dev/null
+++ b/roles/idp/files/idp-encryption.crt
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/roles/idp/files/idp-encryption.key b/roles/idp/files/idp-encryption.key
new file mode 100644
index 0000000..255235b
--- /dev/null
+++ b/roles/idp/files/idp-encryption.key
@@ -0,0 +1,130 @@
+$ANSIBLE_VAULT;1.1;AES256
+64643365376361306531643036306161376330333230373038666135643439343734626536663339
+3030383332623133323730333761323861653836623563300a623564626462393939363635303634
+37396433663539303133323361393534663930326535663839353031336631393339613538653566
+3739316466323431390a623433373362353766613966306438316634653861623633313134396464
+30356531643430643866613939613230373138663061616533646131653030633564393431633532
+65323737366565386133303861303336313731613462653137633161313438363636393634643833
+64323835303465633039653863383238386639613033383636623332656132393563373534646535
+35623035313435356230623461373230656462313163323965646463666135383835356538393838
+34373833626538303562653536623635363239336365646161353232666663633537343130643162
+30333034363766643331303537663136306530653131656264373337393039616235613866363435
+31626434323966663430313633646438343166663737333666613263316166393631393935356532
+30613665353832316132663734306233633834386433353635613333343437353065623839393963
+31393161393334346235396639363034653266656434616331323132663265316535373934366463
+34333535666463326565616530653262373265643130643333633636323962383234326261393762
+36646335383363653738313430336363343330343732626131356366303235666635376632626434
+33653166666336663733663439663439393365653832393562313432386432393566633438653165
+65333134366436396165333862383138383438643563373939626130343462383639386331393532
+30663035613266303039363836616639386262626166626161653166353234393266383161386132
+33623763303434306330386539623065353231393939666137666363313930383338623734353564
+36386132393736323432323134343934663339396533626365393136643463653234363834643264
+65363162356234303862326561303061323038646237366436346139646162303665383462323635
+65343738376137653331653638333139356231333839653333663839353063343466376535613939
+33663635326566396337303931396361373362376133383837316431376236366263363765653236
+61643662393838303363653737333665656464373436316332303036623638316264666366376136
+65656631393833616336376566366230653134633736613734303161353433626332653838343461
+66626535386234616463313265313932333338623539353532656166396635316261633064373136
+65613533376139366430353535306430303565393135353936303332623932633136643331343863
+62316637366331613938316661343137636361373330323137396636326262663233663033313239
+30303232323136323935353437303737663638393331323337383530313665663534386132626366
+38326561393833626639353534376637393839313833336565646661393562336663616639623638
+35313331653533383736626239363666646331353862356362643637306562363731366437393361
+31333335636631373161633365343839376664373461323735333731343838633931663462626561
+32643262653238646265623865616135656532353963316233663032376366636231633465393166
+65313361356462343939356530646664613932336265393236396565363535396465343633313539
+31336134393730323264613433623562313134326665393831633737313631346361643065303534
+63613030333334613031393633633935616663613765393331323931366438373761303365613231
+64633435323638333532306464303336646238366362653963303166623838363635313239626532
+65373632336437336630323165393730303335636136303431613465353862646366643338356539
+66323932646164653237653061633966616662373737326535353262323233386635623065656564
+31613461333261626135346230373463323338333763343833313435313962346234616238346333
+61373431633163643764306362653232653033343632336630333936636563363963643262386135
+33393866643938396535666639393464393862653664353237393332376530653137346336313734
+64666461383335613765336130343164303264343135323837613064356165633236376561346332
+35343834393166306364336236353733343434366430626566633761336665663238383164343965
+62323739306337366266383837383336643631613266346436643234363632336333366466616534
+36393434353562616131323835393433383538313335353964303336643262393938303964303335
+35353036363761363838303339613132303131396434623134316530303537643432393131353761
+62386633653931303463346365623034323237613633626438666636356635383237333534623936
+34363835646635306232396230373130643263353835616137656430363435613631313266396464
+63623963613236326232646436336431363038373163666161623161653061326232616130663335
+34633263613661646463363465353935636638396337626331363633383732623463643965616463
+36353266336539636261313163386438653763363731666230646434616362356335386234343962
+35393763383266373661656564336236656463303864663464653462303536386139663763623338
+65343338666139356636386161363339303166373030356235366330393530386338316661366436
+36666339313366653339653931383230613432303830643563366365366633663332616338626166
+30313239376135333634623266653739306536393863363761636635396330366636363135653661
+65346464333731663030643130363030636631643235373334323235626263616535393937653661
+61633838656638326464666335383062313236373961313930373033653036363234623761323231
+38613436613666666665326434623461626136396438303465616163643063333235313236343730
+39323130353836326566393863303337323931326438363437303338663961613666363365373235
+62373263623338613732353730663935636264316335303930386666653637633633653634336536
+36616536363736383764353161623631633135386164383533383439333965633262656634353732
+37646637626264653533303736303034333534353563393230636631393135343365343230336232
+32376136623439643061393738303631616132373230626465613961326633366662623538383731
+64393562343131376166353538663637306632653865363739303339373039613364336331336166
+39643263353366626138396534356464643362363135663837626631396565636631386537623332
+39363732303831346530663934353261323238316138333237393731643432356335373538326632
+61643736623232663232653636346339353936643665386266326164376137303239363064666564
+37373865666437646538373233633231666530663337633762326631383631623062373832396534
+30663965653966306261326134373063626434303730636439653063373634633730316161376438
+64313665383463396139626334326339343966663066346263656631353732376133636565663465
+34633861633239383865303664316336383333373431366266373632643034333261353632393862
+32616632346433613462386162616363666234363439356136336465643332373731333261393765
+31326338343135666461343937663166306435343830376266656132363537393766316330303463
+35663639303366326532393231333934386634633034356363666263393165626530636161383864
+33373931333332366630393565636461633764666438623563646338623132363665386330326163
+35323464353035373339666139396361323836303534363637343630653062643962663766383838
+39346461396136666262316237626337666465346635366237326433323135353366626134353562
+64663636636335643433373839663337383131346461383664656639623534303362326335363462
+30313466346535383731626334646136346332653565383766343030343139373134363934326632
+31356337323861653365336637633038393937376635363839343630343133336337616665616634
+64373666636635663632666364346663336663313262613166666535346633353164656233656463
+35393739396530343235386335663963373137376332616430376365633036616133366431396363
+65356136666530366461363033666563396230316638333964303334323037303036366561646532
+35333839383562633734396563383731303061613038336633363466313063653730386336376161
+38373738303233373863366135653933393039383835653364326431313365613663333831336561
+32356230633635633564333433383236333764633761306565366164633532386630653266393633
+35393762643966323963623166333831616365343361386435393935653439303965376433333534
+38393834666534316530666163646535326363383133646531623930303937623339663763343237
+62646337643336303133623637363761323837346263353236386336643863356439306538303564
+62323332646637313831373132343765386335346461623932393166383565316564613835613634
+62646138303832653562383436656239643638653634363039363335623839653266353866623165
+34396131373266373438646138613365633336393862636131376233656366653063333036376364
+64363137613938313139333237323930323664343539616636636331343434623863343834393734
+35323831343038346433643730303533346563616135386331323563393463663339316663616430
+36633035653737303364353463353164393737363764653334363763303365626161373334616439
+32643961323062663231616432653833396433616162396433623231366131356438383935326362
+31636562373932643534356330313639643030306431346631633035313739663830396231386663
+33376439316561346435346539656239393939396135356432373234353532323661643164303637
+61333430363063303963633735636233313230343231646365343061623566336630326631333031
+62363236396430373365666330396634343063366531346234383535653464376462336335646163
+32316635333939393837346232646232373132323931303064386233363966656233343034653563
+62353663333735353734393536353130346132656238393737376665616236653331663237336366
+32316330653138653062633363396266633839316339633236303931366261393937623334633964
+61356332363366386133613231333164643463373236653861663535366166633039363932356430
+32303833323565343837336530373864636332343561336235393333373531383165333764653833
+61333637646163343365363065323663313962663635633464363731313735353832653234393231
+62323462383665373431633134623634633265336335643530323962366161353436316433653336
+64366166303239376636366335393231383465393039313465313130653837306435616332343636
+31636637373338626235623936363735313064663665316565363933666436353330396531646661
+63616561333033323833363865613466323132383765316363393834303864643335323366333035
+61373863666465356566323166653534376630363432393237326135326562663532333862663063
+65343831303063333435663132323865393863643137623536643765373264306131656434666362
+31373238353130653735333933343131353637636566376235656135353134373639306265393435
+35613030386430636263633038636466303561393439643265643137376565633338383635366163
+38623634323934343731616331393765656138373630666162656639643562643064616461663462
+61636132333665623136666233616265633332653564343961306566646635313232383361623934
+39376363366564613731643931373965626632363562613038393436613764356537396364363662
+35386666343130303535353963373766356366393664343736623561613830316639333637623866
+31326163633538363261373134633837643165613432616261396564393937623934373862313834
+61373163643863316165646534306533643031636263383334393234303332666562343430303564
+65646663303061646433396364343862306266396561313932353364653865323635313637646365
+66383437636433373537633566633764663962633032613838373939626662396534383035626539
+30333437363365356339313836313663613134386633303465366261656535333561326337646434
+63376432623639306534353431663534353036646464363435396235373039613831623764366635
+63613665623834353033366136623839353238346333616465323636613432353363303230643435
+34343836333132316530343666313136653939383732323835623865633834393466616537306133
+35303735386466396137653964386431363935613666663132346436643862393361363963326632
+6665
diff --git a/roles/idp/files/idp-signing.crt b/roles/idp/files/idp-signing.crt
new file mode 100644
index 0000000..7b79066
--- /dev/null
+++ b/roles/idp/files/idp-signing.crt
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/roles/idp/files/idp-signing.key b/roles/idp/files/idp-signing.key
new file mode 100644
index 0000000..3704f5a
--- /dev/null
+++ b/roles/idp/files/idp-signing.key
@@ -0,0 +1,130 @@
+$ANSIBLE_VAULT;1.1;AES256
+38373932346464363363333132646366666161313861643266303262666463646330333036633138
+3834396337396232646334343965643932393738353438320a623262383238653639363635366639
+63643433646563633431336130616639316237653566303439356637656130363138373261396634
+3333393333306632300a646465353566346238613534386366653630323634386135376361623236
+61303037396462326465346163383934393063613663393137326332636532333834666564343635
+31366132343339653731333831613035393165613837343831363362323535353332633431663031
+64643862373266306636303262323365663563316136323663646432343132373163356566383532
+35356162653933383236366235663534373933636131633630306332663332313032363334633264
+33666539333033626330303130633037663934393338373163393266313762366138366534376561
+35333132643563343338653362323031623033303664353262316163323735626264353861626261
+61343732306361376231363832656630333430653734623034306635316564363734653731626232
+34656563626236646662636234393437353663323936356432323032656139386236343039333862
+39353431323863633336643762653866363531383333303039393664343331616638653137333466
+64323631666266363863313061356333373637306463313537653238346538346431353832366163
+62326462303932353931363436616362313166313030363338616164396431373365396632636166
+63353266343362393137356234313564666163366238633632333064383463323066333433373863
+64646238343133373432313932346564323439373262393063333833653465323364396361393334
+62646234646464646534623731623735383839633563336236626561663136656337373563616239
+36363964336437643364623439393634396234356462343337363637376361316162333763356435
+33316634633738633632326630306132366664343965626538346630653739666531666365653933
+63343735373762323132636361366231303638343161643735346663643335343231306666346330
+31656137336662633033393561663461653231303333616634636632306434333565363433366333
+63343237363833373938616531333135616564386233656139623738636462633766643162653734
+30383738636232656335633035316364313533373464396535366530336461333531323434613636
+31366561363561323436336334633538363534616135383934346164653063326635616362363339
+35373462363738313563326538306238613361666232623864303966316233373538303961666565
+61386666356461333230373466336334376664653061356136353231336531656261666432643937
+36633561386537353064383964643062313966616437626465393936303339643961643130366166
+34333164393932623365333132396336303730336234343466316463316530616431336138653664
+32363038633338353931356631393263363865343362353933633033636234393236623266346334
+62333836303339343962353134346437373636633765643265323431656338663230646336666162
+65373132616332623533393330653630623062306534303436633232316235336637383938366539
+31386534383838643735313738613137316230346535626435613762643361323861393333363037
+65323137393939323138383865656637373137323366666366653564613331333033366161363131
+63383930336462313563646361366165326163666232326532653637613933323734323861336562
+39376136353537336230643232363136326437333530356434383661323932616435396565616332
+66613265663733333864663136343537306366316235653233336338366238613632346234333563
+39353139626662616462663234326166656230633233356439643839613361323039653332336339
+36313238343434636133643235656436666435336437613063616166643763663964633331356666
+34613338613336343263303532366266303361396166656639613563343166353337643337396365
+63343831306265343433626230393332323136393866613130326162313832366561346638626239
+61366532623333386662393134316130393365363566363733393561393137633135643066386437
+63393561363466383666626339353062376163383133666131633538373737316163636161323464
+62333337363537336566343033653135343533306166393331666561303163613332666135343662
+66666439343863663433303136663066336435343433356162323530626463353431663638393139
+37663139636430386235313130356665643333303239303265613934666337643565663362306531
+33366136643838383266313464393664363630313234623865353435616261393865326239656462
+37623335373236386534623736343734643932646138316263316366353630643631653165303561
+31353734616461396637336162383438653134613064323137666262363937613363326663313536
+38393932363433643337376638306638373964343435623065666431326438363765346534616630
+38373765343539316535373237386138386333353466653330623538326231376562393232333362
+64363137336338386434366430313232353133373531353430333233663038646664326239393365
+35336231633832396262653333373434306136383039316666646431666436623364323335316564
+65376537303130373264323437303165613538613266306532356634383761646333643861663339
+34643130343134383363356130323239613537663531353665343963346431386665316334336534
+35303934623662306334353764383736326631366261626230353434396237386163656163343530
+65393238303665646433356230623461613463313439613138636466656634373861306337373238
+65323336623534373636343833303066326566326130666562336338353838653332333734613230
+39383064636432386234663735653130633436653666636434373135393362346134393137356265
+36373136346437643131303738306431343164326233656137306637343636626534316638613630
+38383630626338666332343039336261633730303965653030643266626236653636653966323765
+37393636383832393936386231373430623930393733303036373633356563343835313236313731
+66663535626533346438316232613633643132393533303433643634383936616633623830646361
+37643065623939306536636264383331393930623933393262656332333536633533316434616661
+62666563336138316565616338336536616535313437376366396436366562383830656361386532
+63363132393332323730616431383033646561316239643362623266393761616432316166623737
+34356132323462613438336536303562643231636234643537346665383237393930396539373734
+32333730663863363737663237623065373436626162333831383863386166613439373864306264
+61636433396234396639376462316265626530343239333231393133643438346161353761303936
+38383637303235333065643264343437623034633430646461623533656135313235326138613665
+64653139623936386237613934613936633438303532303763336238613831333537336339346166
+37396537643630306434633536666466353239626462646636346632333161353837666565316231
+38666135396333396361306138393034633761626433616531393865303235643337383161386536
+65326263356532393439323264626566313362383363336663376266356266353337626365326665
+64633637383966303230303465643466363433336530343665616462643531356334306430653762
+38633632336530343361656161323032626138376235666465663864303937333364646462633438
+38396537333036666430666537393765393932333230333166363930643631653839646264396634
+39656336343762323733653763616564376463383438313236373831663438336436396132313238
+62366563326432323935383837316336663330373561363230313039393736396436666437323834
+63616164333034383862373735643039613032656638333535343638303530336365386138316430
+31353935616132323664653333636534376264306137336662666233306136373662396439306233
+33353837626466616562633230663633626265356638303336653831626538613733653763643866
+38326330613763326136333537316130383462336135643861373565383533613964633439333865
+65393266613061663365633538303761306332353762613236366431653832623163666162646263
+30663937643761366632363337663636646664333433383433356465363262623937656632316334
+34613138383232346634386666333666663830393964613138376566633361663936656163396439
+39343963353365363564656339383034613931646466613131633664353138303231663661363265
+32333362363638646461326561306436613163326665396562363636646566653139323662613763
+35633334393134383030623862656238323939313762613431336139333134303732383432383265
+38333438393939613564333036653662393663373637636661623235383264656532633536353236
+61653038616637623330353431613066336430646635313030643261313936383461303935396434
+39353036316161353135383766663032383566643331636462646263323866346530306239316136
+63313039633632653661356435353361306438613530313537616565633665396661656664356235
+63383439653037383735653832626532656564383066623862643232383939383961636363366164
+32323838373334316363363638353562663533386437306666313536366633656362316165666236
+35666534353134383034306232386430343435373062336231363232383663343831656430303262
+64623932616364323561646134346631313362636232656365636536346430343631363737326530
+65343465323061656266643964363635353637376538323739643339646134663538643330393030
+35616264363062383936333261303562393366646262333563303564383863336239613363343363
+34333065626131343937323665643136653233633436653964303263653765633931366338323636
+35366531653635656639653032333632656662383364303739373063636437336461656637613331
+33386130633739366163303135633764326538373066646531323439376566393066633933353165
+66386664636239393930356565313138323133636164636432616466653430366165373063613062
+37643062383730376638393638663238353036393730393262363565386637313034656438653138
+32366265376665653862353361343732313065346131386534343832363139623264386232626262
+39393233613234316338376533393061373061393337316333623939383965653161363863373839
+62363330346436363365626363373136383037353762646639353864376533363237386233326235
+30386535393937643134616130636236623932333163396138656337646666346438336261386430
+34633962323936383637616336313364363732383464353633613036623930613366396439396531
+38643963393232653330326539373064373261383431376332303564343064343632303466633133
+35643935613933393434383664356133393036613566326166663337323632303862316635393535
+63333036626465633133316337666139323865333036373030656338353738313037343065353434
+36363438356339396537306666616430336430306536623938313830666237643138636133643363
+32643638653033373235373637643064383562326136353630326334333037343830393266336163
+34323330326133363466376136306431633332343262663830666136396366323133303663343463
+36373961326138636462616563333230633739313464353863353537636662646632613934393037
+33333238636662303863626334346138363732623433643838643864653466363831316364353731
+33613563636666613137383938326337313366303135396139333039353232653565323035313335
+65386162366532626333623330323635376436633730616333366432303036663030316333333034
+31363839313737383166356531653534346533666138343235333032653066346665663266636165
+66663263663130623133306232373661353239643035653863316331623563303162336534633764
+62623439326338623863346436326137353536383363383964646661326530323036343139393238
+64663361646636353937313936383733376264386664353362326562386262643339333866383565
+66666537656162353634656661303337356333653530396339633066356139386162313236313636
+62643430343665313438323933636632623639643762333031346162373031373764373833653331
+35656666633034376531373739333439346631303832363637373863613533383363393062623738
+37653664316364663764613832313331353137353331623237383962633862346137363734386534
+62336363386138303538643739373538313837303663363033613734393439336666623434366437
+6630
diff --git a/roles/idp/files/metadata-providers.xml b/roles/idp/files/metadata-providers.xml
new file mode 100644
index 0000000..0279acb
--- /dev/null
+++ b/roles/idp/files/metadata-providers.xml
@@ -0,0 +1,17 @@
+
+
+
+
+
+
+
+
diff --git a/roles/idp/files/relying-party.xml b/roles/idp/files/relying-party.xml
new file mode 100644
index 0000000..5eb9219
--- /dev/null
+++ b/roles/idp/files/relying-party.xml
@@ -0,0 +1,60 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/roles/idp/files/sealer.jks b/roles/idp/files/sealer.jks
new file mode 100644
index 0000000..3e905b2
Binary files /dev/null and b/roles/idp/files/sealer.jks differ
diff --git a/roles/idp/files/server.xml b/roles/idp/files/server.xml
new file mode 100644
index 0000000..28b4782
--- /dev/null
+++ b/roles/idp/files/server.xml
@@ -0,0 +1,24 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/roles/idp/files/shibboleth-idp-stack.yml b/roles/idp/files/shibboleth-idp-stack.yml
new file mode 100644
index 0000000..74088c6
--- /dev/null
+++ b/roles/idp/files/shibboleth-idp-stack.yml
@@ -0,0 +1,63 @@
+version: '3.7'
+
+services:
+ shibboleth-idp:
+ image: tier/shib-idp:3.4.6_20191002
+ volumes:
+ - /srv/docker/usr/local/tomcat/conf/server.xml:/usr/local/tomcat/conf/server.xml
+ - /srv/docker/opt/shibboleth-idp/conf/idp.properties:/opt/shibboleth-idp/conf/idp.properties
+ - /srv/docker/opt/shibboleth-idp/conf/ldap.properties:/opt/shibboleth-idp/conf/ldap.properties
+ - /srv/docker/opt/shibboleth-idp/conf/attribute-filter.xml:/opt/shibboleth-idp/conf/attribute-filter.xml
+ - /srv/docker/opt/shibboleth-idp/conf/attribute-resolver.xml:/opt/shibboleth-idp/conf/attribute-resolver.xml
+ - /srv/docker/opt/shibboleth-idp/conf/relying-party.xml:/opt/shibboleth-idp/conf/relying-party.xml
+ - /srv/docker/opt/shibboleth-idp/conf/metadata-providers.xml:/opt/shibboleth-idp/conf/metadata-providers.xml
+ - /srv/docker/opt/shibboleth-idp/credentials/idp-signing.key:/opt/shibboleth-idp/credentials/idp-signing.key
+ - /srv/docker/opt/shibboleth-idp/credentials/idp-signing.crt:/opt/shibboleth-idp/credentials/idp-signing.crt
+ - /srv/docker/opt/shibboleth-idp/credentials/idp-encryption.key:/opt/shibboleth-idp/credentials/idp-encryption.key
+ - /srv/docker/opt/shibboleth-idp/credentials/idp-encryption.crt:/opt/shibboleth-idp/credentials/idp-encryption.crt
+ - /srv/docker/opt/shibboleth-idp/credentials/sealer.jks:/opt/shibboleth-idp/credentials/sealer.jks
+ - /srv/docker/opt/shibboleth-idp/metadata/registry-metadata.xml:/opt/shibboleth-idp/metadata/registry-metadata.xml
+ # Sleep for 10 seconds to give time for LDAP to come up and then start the IdP.
+ entrypoint:
+ - "/usr/bin/bash"
+ - "-c"
+ - "/usr/bin/sleep 10 && /usr/bin/startup.sh"
+ ports:
+ - "8080:8080"
+ healthcheck:
+ disable: true
+ deploy:
+ replicas: 1
+ logging:
+ driver: journald
+ options:
+ tag: "shibboleth-idp_{{.Name}}"
+
+ ldap:
+ image: sphericalcowgroup/comanage-registry-slapd:2
+ command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:///", "-u", "openldap", "-g", "openldap"]
+ volumes:
+ - /srv/docker/var/lib/ldap:/var/lib/ldap
+ - /srv/docker/etc/ldap/slapd.d:/etc/ldap/slapd.d
+ - /srv/docker/ldif/config-always-all-olcAccess.ldif:/ldif/config/olcAccess.ldif
+ - /srv/docker/ldif/config-always-01.ldif:/ldif/admin/01.ldif
+ environment:
+ - OLC_ROOT_PW_FILE=/run/secrets/olc_root_pw
+ - OLC_SUFFIX=dc=comanage,dc=incommon,dc=training
+ - OLC_ROOT_DN=cn=admin,dc=comanage,dc=incommon,dc=training
+ - OLC_ROOT_DN_PASSWORD_FILE=/run/secrets/olc_root_dn_password
+ secrets:
+ - olc_root_pw
+ - olc_root_dn_password
+ deploy:
+ replicas: 1
+ logging:
+ driver: journald
+ options:
+ tag: "ldap_{{.Name}}"
+
+secrets:
+ olc_root_pw:
+ external: true
+ olc_root_dn_password:
+ external: true
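Review bot: The `ldap` service is pulled by a mutable major-version tag, `image: sphericalcowgroup/comanage-registry-slapd:2`, so each rebuild of the training environment can silently receive a different image; the IdP service pins a dated build (`tier/shib-idp:3.4.6_20191002`) and the LDAP image should be pinned the same way, ideally by digest, `image: sphericalcowgroup/comanage-registry-slapd:2@sha256:<digest-placeholder>`. `healthcheck: disable: true` together with the `/usr/bin/sleep 10 && /usr/bin/startup.sh` entrypoint means a container whose IdP never finishes starting still counts as running for Swarm, so a comment saying why the image's health check is switched off would help the next maintainer. `ports: "8080:8080"` publishes the plain-HTTP listener through the Swarm ingress mesh on every node interface; the README's ALB and security-group design is what keeps it from being reached directly, and that dependency deserves a one-line comment next to the port mapping.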
diff --git a/roles/idp/tasks/main.yml b/roles/idp/tasks/main.yml
new file mode 100644
index 0000000..b0412a9
--- /dev/null
+++ b/roles/idp/tasks/main.yml
@@ -0,0 +1,166 @@
+---
+ - name: import global variables
+ include_vars:
+ file: "vars/global.yml"
+
+ - name: Create volume mount point directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ mode: '0755'
+ loop:
+ - /srv/docker
+ - /srv/docker/usr
+ - /srv/docker/usr/local
+ - /srv/docker/usr/local/tomcat
+ - /srv/docker/usr/local/tomcat/conf
+ - /srv/docker/var
+ - /srv/docker/var/lib
+ - /srv/docker/var/lib/ldap
+ - /srv/docker/etc
+ - /srv/docker/etc/ldap
+ - /srv/docker/etc/ldap/slapd.d
+ - /srv/docker/ldif
+ - /srv/docker/opt/shibboleth-idp/conf
+ - /srv/docker/opt/shibboleth-idp/credentials
+ - /srv/docker/opt/shibboleth-idp/metadata
+
+ - name: Copy Tomcat server.xml file
+ copy:
+ src: server.xml
+ dest: /srv/docker/usr/local/tomcat/conf/server.xml
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: Copy service stack file
+ copy:
+ src: shibboleth-idp-stack.yml
+ dest: /opt/shibboleth-idp-stack.yml
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: Copy structure LDIF input file
+ copy:
+ src: config-always-01.ldif
+ dest: /srv/docker/ldif/config-always-01.ldif
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: Copy olcAccess LDIF input file
+ copy:
+ src: config-always-all-olcAccess.ldif
+ dest: /srv/docker/ldif/config-always-all-olcAccess.ldif
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: Create secret olc_root_pw
+ docker_secret:
+ name: olc_root_pw
+ data: "{{ olc_root_pw }}"
+ state: present
+
+ - name: Create secret olc_root_dn_password
+ docker_secret:
+ name: olc_root_dn_password
+ data: "{{ olc_root_dn_password }}"
+ state: present
+
+ - name: Copy IdP sealer key store
+ copy:
+ src: sealer.jks
+ dest: /srv/docker/opt/shibboleth-idp/credentials/sealer.jks
+ owner: root
+ group: root
+ mode: '0600'
+
+ - name: Copy IdP signing certificate
+ copy:
+ src: idp-signing.crt
+ dest: /srv/docker/opt/shibboleth-idp/credentials/idp-signing.crt
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: Copy IdP signing private key
+ copy:
+ src: idp-signing.key
+ dest: /srv/docker/opt/shibboleth-idp/credentials/idp-signing.key
+ owner: root
+ group: root
+ mode: '0600'
+
+ - name: Copy IdP encryption certificate
+ copy:
+ src: idp-encryption.crt
+ dest: /srv/docker/opt/shibboleth-idp/credentials/idp-encryption.crt
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: Copy IdP encryption private key
+ copy:
+ src: idp-encryption.key
+ dest: /srv/docker/opt/shibboleth-idp/credentials/idp-encryption.key
+ owner: root
+ group: root
+ mode: '0600'
+
+ - name: Copy idp.properties file
+ template:
+ src: idp.properties
+ dest: /srv/docker/opt/shibboleth-idp/conf/idp.properties
+ owner: root
+ group: root
+ mode: '0600'
+
+ - name: Copy ldap.properties file
+ template:
+ src: ldap.properties
+ dest: /srv/docker/opt/shibboleth-idp/conf/ldap.properties
+ owner: root
+ group: root
+ mode: '0600'
+
+ - name: Copy attribute-filter.xml
+ copy:
+ src: attribute-filter.xml
+ dest: /srv/docker/opt/shibboleth-idp/conf/attribute-filter.xml
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: Copy attribute-resolver.xml
+ copy:
+ src: attribute-resolver.xml
+ dest: /srv/docker/opt/shibboleth-idp/conf/attribute-resolver.xml
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: Copy relying-party.xml
+ copy:
+ src: relying-party.xml
+ dest: /srv/docker/opt/shibboleth-idp/conf/relying-party.xml
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: Copy metadata-providers.xml
+ copy:
+ src: metadata-providers.xml
+ dest: /srv/docker/opt/shibboleth-idp/conf/metadata-providers.xml
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: Copy registry-metadata.xml file
+ template:
+ src: registry-metadata.xml
+ dest: /srv/docker/opt/shibboleth-idp/metadata/registry-metadata.xml
+ owner: root
+ group: root
+ mode: '0644'
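Review bot: The `Copy IdP sealer key store` task installs `sealer.jks`, but nothing in this role copies or mounts the matching `sealer.kver` that `idp.properties` references through `idp.sealer.versionResource`; if the kver inside the image does not match the alias in the copied keystore the IdP cannot locate its current sealer key, so this is worth confirming against the image and either adding a task for the kver file or documenting why it is not needed. The keystore itself is committed as a plain binary (the diff shows `Binary files /dev/null and b/roles/idp/files/sealer.jks differ`) and is protected only by the vaulted store password, unlike `idp-signing.key`, which is vault-encrypted on disk; since `copy` decrypts vault-encrypted sources transparently, encrypting `sealer.jks` the same way costs nothing. Every credential and properties file is installed as `owner: root` with `mode: '0600'`, which only works if the container process runs as root; if the image drops privileges the IdP will be unable to read `idp.properties`, `ldap.properties` and the key files, so record that assumption in a comment on the first of these tasks.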
diff --git a/roles/idp/templates/idp.properties b/roles/idp/templates/idp.properties
new file mode 100644
index 0000000..5fdcfc6
--- /dev/null
+++ b/roles/idp/templates/idp.properties
@@ -0,0 +1,212 @@
+# Load any additional property resources from a comma-delimited list
+idp.additionalProperties=/conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
+
+# In most cases (and unless noted in the surrounding comments) the
+# commented settings in the distributed files are the default
+# behavior for V3.
+#
+# Uncomment them and change the value to change functionality.
+
+# Set the entityID of the IdP
+idp.entityID=https://login.comanage.incommon.training/idp/shibboleth
+
+# Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth.
+# Set to empty value to disable and return a 404.
+#idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml
+
+# Set the scope used in the attribute resolver for scoped attributes
+idp.scope=comanage.incommon.training
+
+# General cookie properties (maxAge only applies to persistent cookies)
+# Note the default for idp.cookie.secure, you will usually want it set.
+#idp.cookie.secure = false
+#idp.cookie.httpOnly = true
+#idp.cookie.domain =
+#idp.cookie.path =
+#idp.cookie.maxAge = 31536000
+
+# HSTS/CSP response headers
+#idp.hsts = max-age=0
+# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
+#idp.frameoptions = DENY
+# Content-Security-Policy value, set to match X-Frame-Options default
+#idp.csp = frame-ancestors 'none';
+
+# Set the location of user-supplied web flow definitions
+#idp.webflows = %{idp.home}/flows
+
+# Set the location of Velocity view templates
+#idp.views = %{idp.home}/views
+
+# Settings for internal AES encryption key
+#idp.sealer.storeType = JCEKS
+#idp.sealer.updateInterval = PT15M
+#idp.sealer.aliasBase = secret
+idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks
+idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver
+idp.sealer.storePassword={{ idp_sealer_storePassword }}
+idp.sealer.keyPassword={{ idp_sealer_storePassword }}
+
+# Settings for public/private signing and encryption key(s)
+# During decryption key rollover, point the ".2" properties at a second
+# keypair, uncomment in credentials.xml, then publish it in your metadata.
+idp.signing.key=%{idp.home}/credentials/idp-signing.key
+idp.signing.cert=%{idp.home}/credentials/idp-signing.crt
+idp.encryption.key=%{idp.home}/credentials/idp-encryption.key
+idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
+#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
+#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
+
+# Sets the bean ID to use as a default security configuration set
+#idp.security.config = shibboleth.DefaultSecurityConfiguration
+
+# To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1
+#idp.signing.config = shibboleth.SigningConfiguration.SHA256
+
+# To upgrade to AES-GCM encryption, set to shibboleth.EncryptionConfiguration.GCM
+# This is unlikely to work for all SPs, but this is a quick way to test them.
+#idp.encryption.config = shibboleth.EncryptionConfiguration.CBC
+
+# Configures trust evaluation of keys used by services at runtime
+# Defaults to supporting both explicit key and PKIX using SAML metadata.
+#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
+# To pick only one set to one of:
+# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
+#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
+# To pick only one set to one of:
+# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
+
+# If true, encryption will happen whenever a key to use can be located, but
+# failure to encrypt won't result in request failure.
+#idp.encryption.optional = false
+
+# Configuration of client- and server-side storage plugins
+#idp.storage.cleanupInterval = PT10M
+#idp.storage.htmlLocalStorage = false
+
+# Set to true to expose more detailed errors in responses to SPs
+#idp.errors.detailed = false
+# Set to false to skip signing of SAML response messages that signal errors
+#idp.errors.signed = true
+# Name of bean containing a list of Java exception classes to ignore
+#idp.errors.excludedExceptions = ExceptionClassListBean
+# Name of bean containing a property set mapping exception names to views
+#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
+# Set if a different default view name for events and exceptions is needed
+#idp.errors.defaultView = error
+
+# Set to false to disable the IdP session layer
+#idp.session.enabled = true
+
+# Set to "shibboleth.StorageService" for server-side storage of user sessions
+#idp.session.StorageService = shibboleth.ClientSessionStorageService
+
+# Size of session IDs
+#idp.session.idSize = 32
+# Bind sessions to IP addresses
+#idp.session.consistentAddress = true
+# Inactivity timeout
+#idp.session.timeout = PT60M
+# Extra time to store sessions for logout
+#idp.session.slop = PT0S
+# Tolerate storage-related errors
+#idp.session.maskStorageFailure = false
+# Track information about SPs logged into
+#idp.session.trackSPSessions = false
+# Support lookup by SP for SAML logout
+#idp.session.secondaryServiceIndex = false
+# Length of time to track SP sessions
+#idp.session.defaultSPlifetime = PT2H
+
+# Regular expression matching login flows to enable, e.g. IPAddress|Password
+idp.authn.flows=Password
+
+# Default lifetime and timeout of various authentication methods
+#idp.authn.defaultLifetime = PT60M
+#idp.authn.defaultTimeout = PT30M
+
+# Whether to populate relying party user interface information for display
+# during authentication, consent, terms-of-use.
+#idp.authn.rpui = true
+
+# Whether to prioritize "active" results when an SP requests more than
+# one possible matching login method (V2 behavior was to favor them)
+#idp.authn.favorSSO = false
+
+# Whether to fail requests when a user identity after authentication
+# doesn't match the identity in a pre-existing session.
+#idp.authn.identitySwitchIsError = false
+
+# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
+#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
+
+# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
+# to key user consent storage records (and set the attribute name)
+#idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.attribute-release.userStorageKeyAttribute = uid
+#idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.terms-of-use.userStorageKeyAttribute = uid
+
+# Suffix of message property used as value of consent storage records when idp.consent.compareValues is true.
+# Defaults to text displayed to the user.
+#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text
+
+# Flags controlling how built-in attribute consent feature operates
+#idp.consent.allowDoNotRemember = true
+#idp.consent.allowGlobal = true
+#idp.consent.allowPerAttribute = false
+
+# Whether attribute values and terms of use text are compared
+#idp.consent.compareValues = false
+# Maximum number of consent records for space-limited storage (e.g. cookies)
+#idp.consent.maxStoredRecords = 10
+# Maximum number of consent records for larger/server-side storage (0 = no limit)
+#idp.consent.expandedMaxStoredRecords = 0
+
+# Time in milliseconds to expire consent storage records.
+#idp.consent.storageRecordLifetime = P1Y
+
+# Whether to lookup metadata, etc. for every SP involved in a logout
+# for use by user interface logic; adds overhead so off by default.
+#idp.logout.elaboration = false
+
+# Whether to require logout requests/responses be signed/authenticated.
+#idp.logout.authenticated = true
+
+# Message freshness and replay cache tuning
+#idp.policy.messageLifetime = PT3M
+#idp.policy.clockSkew = PT3M
+
+# Set to custom bean for alternate storage of replay cache
+#idp.replayCache.StorageService = shibboleth.StorageService
+#idp.replayCache.strict = true
+
+# Toggles whether to allow outbound messages via SAML artifact
+#idp.artifact.enabled = true
+# Suppresses typical signing/encryption when artifact binding used
+#idp.artifact.secureChannel = true
+# May differ to direct SAML 2 artifact lookups to specific server nodes
+#idp.artifact.endpointIndex = 2
+# Set to custom bean for alternate storage of artifact map state
+#idp.artifact.StorageService = shibboleth.StorageService
+
+# Comma-delimited languages to use if not match can be found with the
+# browser-supported languages, defaults to an empty list.
+idp.ui.fallbackLanguages=en,fr,de
+
+# Storage service used by CAS protocol
+# Defaults to shibboleth.StorageService (in-memory)
+# MUST be server-side storage (e.g. in-memory, memcached, database)
+# NOTE that idp.session.StorageService requires server-side storage
+# when CAS protocol is enabled
+#idp.cas.StorageService=shibboleth.StorageService
+
+# CAS service registry implementation class
+#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
+
+# F-TICKS auditing - set a salt to include hashed username
+#idp.fticks.federation=MyFederation
+#idp.fticks.algorithm=SHA-256
+#idp.fticks.salt=somethingsecret
+#idp.fticks.loghost=localhost
+#idp.fticks.logport=514
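Review bot: `idp.cookie.secure` is left at its commented default (`#idp.cookie.secure = false`) although, per the README, browsers only reach this IdP through the TLS-terminating ALB; without the Secure attribute the session and consent cookies the IdP issues are also sent by the browser to any plain-HTTP URL on the same host name. Set `idp.cookie.secure = true` explicitly, and make sure the Tomcat connector in `server.xml` (whose content is not visible in this hunk) reports the request as HTTPS so the IdP's own redirects and cookie handling agree with the proxy. `idp.hsts` could be enabled for the same reason, but that is a policy choice rather than a defect, so a comment recording the decision either way is enough.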
diff --git a/roles/idp/templates/ldap.properties b/roles/idp/templates/ldap.properties
new file mode 100644
index 0000000..613fedc
--- /dev/null
+++ b/roles/idp/templates/ldap.properties
@@ -0,0 +1,63 @@
+# LDAP authentication configuration, see authn/ldap-authn-config.xml
+# Note, this doesn't apply to the use of JAAS
+
+## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
+idp.authn.LDAP.authenticator = bindSearchAuthenticator
+
+## Connection properties ##
+idp.authn.LDAP.ldapURL=ldap://ldap
+idp.authn.LDAP.useStartTLS = false
+idp.authn.LDAP.useSSL = false
+# Time in milliseconds that connects will block
+#idp.authn.LDAP.connectTimeout = PT3S
+# Time in milliseconds to wait for responses
+#idp.authn.LDAP.responseTimeout = PT3S
+
+## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
+idp.authn.LDAP.sslConfig = jvmTrust
+## If using certificateTrust above, set to the trusted certificate's path
+#idp.authn.LDAP.trustCertificates=%{idp.home}/credentials/ldap-server.crt
+## If using keyStoreTrust above, set to the truststore path
+#idp.authn.LDAP.trustStore=%{idp.home}/credentials/ldap-server.truststore
+
+## Return attributes during authentication
+#idp.authn.LDAP.returnAttributes=passwordExpirationTime,loginGraceRemaining
+
+## DN resolution properties ##
+
+# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
+# for AD: CN=Users,DC=example,DC=org
+idp.authn.LDAP.baseDN=ou=people,o=Training,dc=comanage,dc=incommon,dc=training
+#idp.authn.LDAP.subtreeSearch = false
+idp.authn.LDAP.userFilter=(uid={user})
+# bind search configuration
+# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
+idp.authn.LDAP.bindDN=uid=idp_user,ou=system,o=Training,dc=comanage,dc=incommon,dc=training
+idp.authn.LDAP.bindDNCredential={{ idp_user_ldap_bind_password }}
+
+# Format DN resolution, used by directAuthenticator, adAuthenticator
+# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
+idp.authn.LDAP.dnFormat=uid=%s,ou=people,dc=example,dc=org
+
+# LDAP attribute configuration, see attribute-resolver.xml
+# Note, this likely won't apply to the use of legacy V2 resolver configurations
+idp.attribute.resolver.LDAP.ldapURL=%{idp.authn.LDAP.ldapURL}
+idp.attribute.resolver.LDAP.connectTimeout=%{idp.authn.LDAP.connectTimeout:PT3S}
+idp.attribute.resolver.LDAP.responseTimeout=%{idp.authn.LDAP.responseTimeout:PT3S}
+idp.attribute.resolver.LDAP.baseDN=%{idp.authn.LDAP.baseDN:undefined}
+idp.attribute.resolver.LDAP.bindDN=%{idp.authn.LDAP.bindDN:undefined}
+idp.attribute.resolver.LDAP.bindDNCredential=%{idp.authn.LDAP.bindDNCredential:undefined}
+idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true}
+idp.attribute.resolver.LDAP.trustCertificates=%{idp.authn.LDAP.trustCertificates:undefined}
+idp.attribute.resolver.LDAP.searchFilter=(uid=$resolutionContext.principal)
+
+# LDAP pool configuration, used for both authn and DN resolution
+#idp.pool.LDAP.minSize = 3
+#idp.pool.LDAP.maxSize = 10
+#idp.pool.LDAP.validateOnCheckout = false
+#idp.pool.LDAP.validatePeriodically = true
+#idp.pool.LDAP.validatePeriod = PT5M
+#idp.pool.LDAP.prunePeriod = PT5M
+#idp.pool.LDAP.idleTime = PT10M
+#idp.pool.LDAP.blockWaitTime = PT3S
+#idp.pool.LDAP.failFastInitialize = false
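Review bot: `idp.authn.LDAP.useStartTLS = false` with `idp.authn.LDAP.ldapURL=ldap://ldap` means the bind credential in `idp.authn.LDAP.bindDNCredential` and every trainee's password cross the Docker network in cleartext, and the resolver inherits the same choice through `%{idp.authn.LDAP.useStartTLS:true}` (the `:true` fallback never applies because the authn value is set). On the single-node Swarm the README describes that traffic stays on the host, so if this is the accepted trade-off, state it next to the setting: `# plaintext LDAP is accepted here: slapd runs in the same single-node swarm, so the traffic never leaves the host`. `idp.authn.LDAP.dnFormat=uid=%s,ou=people,dc=example,dc=org` is the distribution's example value; it is unused with `bindSearchAuthenticator` but points at the wrong tree, so either comment it out or align it with `idp.authn.LDAP.baseDN`.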
diff --git a/roles/idp/templates/registry-metadata.xml b/roles/idp/templates/registry-metadata.xml
new file mode 100644
index 0000000..705ab46
--- /dev/null
+++ b/roles/idp/templates/registry-metadata.xml
@@ -0,0 +1,92 @@
+
+
+
+
+
+
+
+
+ COmanange Registry InCommon Training
+ COmanage Registry InCommon Training
+
+
+
+
+
+
+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+
+
+
+
+{% for myindex in range(1, lookup('vars', 'training_node_count') + 1, 1) | list %}
+
+{% endfor %}
+
+
+
+
+ InCommon COmanage Training
+ InCommon Comanage Training
+ https://incommon.org
+
+
+ Internet2 Technical Services Group
+ techsupport@internet2.edu
+
+
+ InCommon Administration
+ admin@incommon.org
+
+
+ InCommon Operations
+ admin@incommon.org
+
+
+ Internet2 Technical Services Group
+ techsupport@internet2.edu
+
+
+
+
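Review bot: The first visible display-name line reads `COmanange Registry InCommon Training` while the line after it and the rest of the repository spell it `COmanage`; this string is presumably what the IdP shows trainees for the relying party, so correct it to `COmanage Registry InCommon Training`. The element markup of this template is not visible in the hunk, so the per-node metadata generated inside the `{% for myindex in range(1, lookup('vars', 'training_node_count') + 1, 1) | list %}` loop could not be checked beyond the loop header.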
diff --git a/roles/idp/vars/main.yml b/roles/idp/vars/main.yml
new file mode 100644
index 0000000..d514b98
--- /dev/null
+++ b/roles/idp/vars/main.yml
@@ -0,0 +1,23 @@
+---
+ olc_root_pw: "{CRYPT}$6$rounds=5000$j/iQaEJ5Fd3Jkq8W$wyxJLiQEDEX/s.2T7PHWQ5OP3v0XYkrRY/HuQFwwJ1AIwM2n.zMiyO8iKpDuEJ5UUIOTaV7a0IxtIDbViS6ev."
+ olc_root_dn_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 32356162386562653538356461663666643534626539303537626134643435616137346161396137
+ 6430303233343539646461383764636531663536316435620a623030313839633336373461306636
+ 61343238666634663833626331613861353330383336653764336433386163643333623761343764
+ 3235346439653666630a373863653662656236646231666136663061663463383731336662663237
+ 65313632373065303134626461623635376337323264353231653065663238326131
+ idp_sealer_storePassword: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 35656536343964643633613063343938666663353966366661623635316564303339353763393938
+ 3135363635363232303132613064613134396534323366330a356437333834373737373664323732
+ 65376232316164383635393965336563646566623334383239343764306636376463303832616539
+ 3964383965333236390a346430633838336534343536333766353036646436646262333866363535
+ 62626365396232346536363964383961653839353338313835653262353933353033
+ idp_user_ldap_bind_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65343061373531663031623762323330633939373537316130306366663231316434353963666530
+ 3231643262343730653131323530663163316264393334350a326538663834643537636265646331
+ 63653733383739346237366534653566636333313039373939626431306639313164663338356130
+ 3066313066623066640a306437336531356536663234373739363661353066383161653866313137
+ 37306562346363396638653832323433376365613736376530623763646663303336
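Review bot: `olc_root_pw` on L2440 is a `{CRYPT}` SHA-512 crypt hash committed in the clear, while the three values beneath it are vault-encrypted; that contradicts the README's statement that every secret in the repository is encrypted. A salted crypt hash is still an offline-crackable credential, so it should be stored the same way as its neighbours (`olc_root_pw: !vault |` followed by the encrypted hash) and, since it is now in git history, the underlying password rotated. The same pattern recurs in roles/training/vars/main.yml (L3103).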
diff --git a/roles/swarm/files/daemon.json b/roles/swarm/files/daemon.json
new file mode 100644
index 0000000..8eb6a13
--- /dev/null
+++ b/roles/swarm/files/daemon.json
@@ -0,0 +1,3 @@
+{
+ "log-driver" : "journald"
+}
diff --git a/roles/swarm/handlers/main.yml b/roles/swarm/handlers/main.yml
new file mode 100644
index 0000000..572d854
--- /dev/null
+++ b/roles/swarm/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+ - name: reload systemd
+ command: systemctl daemon-reload
+ - name: reload docker
+ systemd:
+ name: docker
+ state: reloaded
+ - name: reload systemd-journald
+ systemd:
+ name: systemd-journald
+ state: restarted
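Review bot: The `reload docker` handler applies daemon.json changes with `state: reloaded`, i.e. a SIGHUP to dockerd, and as far as I recall `log-driver` is not one of the options dockerd re-reads on SIGHUP, so the journald driver set in roles/swarm/files/daemon.json would not take effect on the run that installs it. `state: restarted` makes the setting effective immediately (the Docker daemon is restarted at that point anyway on a fresh node). Separately, `reload systemd` shells out via `command: systemctl daemon-reload`, which reports changed on every run; the idiomatic form is `systemd: daemon_reload: yes`, and no task in the visible roles notifies this handler.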
diff --git a/roles/swarm/tasks/main.yml b/roles/swarm/tasks/main.yml
new file mode 100644
index 0000000..c83f98d
--- /dev/null
+++ b/roles/swarm/tasks/main.yml
@@ -0,0 +1,101 @@
+---
+ - name: Configure journald for persistent storage
+ ini_file:
+ dest: /etc/systemd/journald.conf
+ section: Journal
+ option: Storage
+ value: Persistent
+ no_extra_spaces: yes
+ notify:
+ - reload systemd-journald
+
+ - name: Install docker-ce required/recommended packages
+ yum:
+ name:
+ - yum-utils
+ - device-mapper-persistent-data
+ - lvm2
+ state: present
+
+ # Off for (at minimum) preventing shibboleth unix domain socket creation
+ - name: Put SELinux in permissive mode, logging actions that would be blocked.
+ selinux:
+ policy: targeted
+ state: permissive
+
+ - name: Add Docker repo
+ get_url:
+ url: https://download.docker.com/linux/centos/docker-ce.repo
+ dest: /etc/yum.repos.d/docker-ce.repo
+ become: yes
+
+ - name: Install Docker
+ package:
+ name: docker-ce
+ state: present
+ become: yes
+
+ - name: Start Docker service
+ service:
+ name: docker
+ state: started
+ enabled: yes
+ become: yes
+
+ - name: Configure Docker daemon
+ copy:
+ src: daemon.json
+ dest: /etc/docker/daemon.json
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - reload docker
+
+ - name: Make sure Docker is running
+ systemd:
+ name: docker
+ state: started
+ enabled: yes
+
+ - name: Add users to Docker group
+ user:
+ name: "{{ item }}"
+ groups: docker
+ append: yes
+ loop:
+ - skoranda
+ - pcaskey
+
+ - name: Install bash completion
+ yum:
+ name:
+ - bash-completion
+ state: present
+
+ - name: Configure bash completion for Docker
+ get_url:
+ url: https://raw.githubusercontent.com/docker/compose/1.24.1/contrib/completion/bash/docker-compose
+ dest: /etc/bash_completion.d/docker-compose
+ mode: '0644'
+
+ # Pip installed docker module in python is required for ansible docker_secret action
+ # on Centos 7
+ - name: Install epel on swarm node
+ yum:
+ name:
+ - epel-release
+ state: present
+
+ - name: Install pip on swarm node
+ yum:
+ name:
+ - python2-pip
+ state: present
+
+ - name: Pip install docker python module
+ command: pip install docker
+
+ - name: Initialize single node swarm
+ docker_swarm:
+ state: present
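Review bot: `Pip install docker python module` on L2590 runs an unpinned `pip install docker` through `command:`, so each run installs whatever version PyPI serves at that moment and always reports changed; the `pip` module with a pin, `pip: name: docker version: <PINNED_VERSION>` (placeholder), gives a reproducible, idempotent install, and the `get_url` downloads on L2521 and L2571 would likewise benefit from a `checksum:` so an altered upstream file is noticed instead of installed. Setting SELinux to permissive on L2514 disables enforcement for the whole host to work around one socket issue; if that socket lives on a bind-mounted path, labelling only that volume (`:z`/`:Z`) may suffice and keep enforcement elsewhere, though that cannot be confirmed from here. `Start Docker service` (L2531) and `Make sure Docker is running` (L2548) ensure the same started/enabled state, so one of them is redundant.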
diff --git a/roles/training/files/attribute-map.xml b/roles/training/files/attribute-map.xml
new file mode 100644
index 0000000..3871a64
--- /dev/null
+++ b/roles/training/files/attribute-map.xml
@@ -0,0 +1,11 @@
+
+
+
+
+
+
+
+
+
+
+
diff --git a/roles/training/files/comanage-registry-stack.yml b/roles/training/files/comanage-registry-stack.yml
new file mode 100644
index 0000000..01c59d4
--- /dev/null
+++ b/roles/training/files/comanage-registry-stack.yml
@@ -0,0 +1,112 @@
+version: '3.7'
+
+services:
+ database:
+ image: mariadb:10.4.8
+ volumes:
+ - /srv/docker/var/lib/mysql:/var/lib/mysql
+ environment:
+ - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
+ - MYSQL_DATABASE=registry
+ - MYSQL_USER=registry_user
+ - MYSQL_PASSWORD_FILE=/run/secrets/mysql_registry_user_password
+ secrets:
+ - mysql_root_password
+ - mysql_registry_user_password
+ deploy:
+ replicas: 1
+ logging:
+ driver: journald
+ options:
+ tag: "mariadb-{{.Name}}"
+
+ registry:
+ # Change this to TAP image when it is ready.
+ image: sphericalcowgroup/comanage-registry:hotfix-3.2.x-shibboleth-sp-4
+ volumes:
+ - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local
+ - /srv/docker/etc/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
+ - /srv/docker/etc/shibboleth/attribute-map.xml:/etc/shibboleth/attribute-map.xml
+ - /srv/docker/etc/shibboleth/idp-metadata.xml:/etc/shibboleth/idp-metadata.xml
+ - /srv/docker/etc/apache2/sites-available/000-comanage.conf:/etc/apache2/sites-available/000-comanage.conf
+ environment:
+ - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=
+ - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=
+ - COMANAGE_REGISTRY_ADMIN_USERNAME=
+ - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql
+ - COMANAGE_REGISTRY_DATABASE=registry
+ - COMANAGE_REGISTRY_DATABASE_HOST=database
+ - COMANAGE_REGISTRY_DATABASE_USER=registry_user
+ - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_registry_user_password
+ - COMANAGE_REGISTRY_EMAIL_TRANSPORT=Smtp
+ - COMANAGE_REGISTRY_EMAIL_HOST=tls://smtp.gmail.com
+ - COMANAGE_REGISTRY_EMAIL_PORT=465
+ - COMANAGE_REGISTRY_EMAIL_ACCOUNT=comanagetraining@gmail.com
+ - COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD_FILE=/run/secrets/comanage_registry_email_account_password
+ - COMANAGE_REGISTRY_EMAIL_FROM=comanagetraining@gmail.com
+ - SHIBBOLETH_SP_ENCRYPT_CERT=/run/secrets/shibboleth_sp_encrypt_cert
+ - SHIBBOLETH_SP_ENCRYPT_PRIVKEY=/run/secrets/shibboleth_sp_encrypt_privkey
+ - SHIBBOLETH_SP_SIGNING_CERT=/run/secrets/shibboleth_sp_signing_cert
+ - SHIBBOLETH_SP_SIGNING_PRIVKEY=/run/secrets/shibboleth_sp_signing_privkey
+ secrets:
+ - mysql_registry_user_password
+ - comanage_registry_email_account_password
+ - shibboleth_sp_encrypt_cert
+ - shibboleth_sp_encrypt_privkey
+ - shibboleth_sp_signing_cert
+ - shibboleth_sp_signing_privkey
+ ports:
+ - "80:80"
+ deploy:
+ replicas: 1
+ logging:
+ driver: journald
+ options:
+ tag: "registry_{{.Name}}"
+
+ ldap:
+ image: sphericalcowgroup/comanage-registry-slapd:2
+ command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:///", "-u", "openldap", "-g", "openldap"]
+ volumes:
+ - /srv/docker/var/lib/ldap:/var/lib/ldap
+ - /srv/docker/etc/ldap/slapd.d:/etc/ldap/slapd.d
+ - /srv/docker/ldif/config-always-all-olcAccess.ldif:/ldif/config/olcAccess.ldif
+ - /srv/docker/ldif/config-always-01.ldif:/ldif/admin/01.ldif
+ environment:
+ - OLC_ROOT_PW_FILE=/run/secrets/olc_root_pw
+ - OLC_SUFFIX=dc=comanage,dc=incommon,dc=training
+ - OLC_ROOT_DN=cn=admin,dc=comanage,dc=incommon,dc=training
+ - OLC_ROOT_DN_PASSWORD_FILE=/run/secrets/olc_root_dn_password
+ secrets:
+ - olc_root_pw
+ - olc_root_dn_password
+ ports:
+ - "389:389"
+ deploy:
+ replicas: 1
+ logging:
+ driver: journald
+ options:
+ tag: "ldap_{{.Name}}"
+
+secrets:
+ comanage_registry_email_account_password:
+ external: true
+ mysql_registry_user_password:
+ external: true
+ mysql_registry_user_password:
+ external: true
+ mysql_root_password:
+ external: true
+ olc_root_pw:
+ external: true
+ olc_root_dn_password:
+ external: true
+ shibboleth_sp_encrypt_cert:
+ external: true
+ shibboleth_sp_encrypt_privkey:
+ external: true
+ shibboleth_sp_signing_cert:
+ external: true
+ shibboleth_sp_signing_privkey:
+ external: true
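Review bot: The top-level `secrets:` mapping declares `mysql_registry_user_password` twice (L2712 and L2714); duplicate keys are invalid YAML and most loaders silently keep the last occurrence, so the repeated pair should be dropped. The `ldap` service also publishes `"389:389"` on L2701, which in swarm mode exposes plaintext LDAP on the node's ingress network even though `registry` reaches it by service name over the stack network; unless trainees are meant to query the directory from the host, removing that `ports:` entry keeps simple binds (and the passwords they carry) off the host interface.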
diff --git a/roles/training/files/config-always-01.ldif b/roles/training/files/config-always-01.ldif
new file mode 100644
index 0000000..2dfcdf3
--- /dev/null
+++ b/roles/training/files/config-always-01.ldif
@@ -0,0 +1,29 @@
+dn: o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectclass: dcObject
+objectclass: organization
+dc: comanage
+o: Training
+
+dn: ou=system,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: organizationalUnit
+ou: system
+
+dn: uid=registry_user,ou=system,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: account
+objectClass: simpleSecurityObject
+uid: registry_user
+description: COmanage Registry user
+userPassword: {CRYPT}$6$rounds=5000$RMNH6IpoChSTxPzx$r9c67vaf.vP7HExQTFeR.7kioNEWU5/BiJHfs/.3xjcYmJ9R594IIRpey.IyENS5iBdTnpfBOvOYqS/cCM/8.0
+
+dn: ou=people,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: organizationalUnit
+ou: people
+
+dn: ou=groups,o=Training,dc=comanage,dc=incommon,dc=training
+changetype: add
+objectClass: organizationalUnit
+ou: groups
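Review bot: The `userPassword` hash on L2754 is byte-for-byte the hash given for `olc_root_pw` in roles/training/vars/main.yml (L3103), so the directory's root password and the `registry_user` bind password are the same secret, and because this file is installed unchanged by a `copy:` task that secret is identical on every training node. The crypt hash is also committed in the clear rather than vaulted, and a salted SHA-512 crypt hash can be brute-forced offline; rendering the LDIF as a template with a per-deployment value (for example `{{ registry_user_password | password_hash('sha512') }}` from a vaulted plaintext) would remove both the sharing and the disclosure, and the value now in git history should be treated as known.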
diff --git a/roles/training/files/config-always-all-olcAccess.ldif b/roles/training/files/config-always-all-olcAccess.ldif
new file mode 100644
index 0000000..73bde37
--- /dev/null
+++ b/roles/training/files/config-always-all-olcAccess.ldif
@@ -0,0 +1,7 @@
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to dn.base="cn=admin,dc=comanage,dc=incommon,dc=training" by sockname.regex=/var/run/slapd/ldapi auth by users none by * none
+olcAccess: {1}to dn.base="uid=registry_user,ou=system,o=Training,dc=comanage,dc=incommon,dc=training" by self auth by anonymous auth by * none
+olcAccess: {2}to dn.subtree="o=Training,dc=comanage,dc=incommon,dc=training" by dn="uid=registry_user,ou=system,o=Training,dc=comanage,dc=incommon,dc=training" write by self auth by anonymous auth by * none
+olcAccess: {3}to * by * none
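Review bot: The four `olcAccess` rules carry no comments although slapd evaluates them in order with the first matching `to` clause deciding, so the intent of `{0}` (rootdn entry bindable only over the ldapi socket) and of `{3}to * by * none` as the deny-everything catch-all has to be reconstructed from the directives. LDIF accepts `#` comment lines; a one-line comment above each rule, e.g. `# {3}: catch-all, deny whatever the rules above did not grant`, would make the access policy reviewable at a glance.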
diff --git a/roles/training/files/idp-metadata.xml b/roles/training/files/idp-metadata.xml
new file mode 100644
index 0000000..ac4e87d
--- /dev/null
+++ b/roles/training/files/idp-metadata.xml
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+ comanage.incommon.training
+
+ COmanage Training Login
+
+
+
+
+
+
+
+MIIEbTCCAtWgAwIBAgIULKreZOvFFiKQgsjeINP5wieDXLYwDQYJKoZIhvcNAQEL
+BQAwKzEpMCcGA1UEAxMgbG9naW4uY29tYW5hZ2UuaW5jb21tb24udHJhaW5pbmcw
+HhcNMTkxMTA3MTE0ODU3WhcNMjkxMTA0MTE0ODU3WjArMSkwJwYDVQQDEyBsb2dp
+bi5jb21hbmFnZS5pbmNvbW1vbi50cmFpbmluZzCCAaIwDQYJKoZIhvcNAQEBBQAD
+ggGPADCCAYoCggGBAMtiOuuMqApzFCrD1pg8fiSrK2ndJqmH25iAR9+k5lqdTkV0
+5Wio0vWGQSgVSS/Rc0yNTWvfyNpYo4EncH1FhhgwvwBMphk7dbR+xaOI/AA3QBob
+Ax1jP1BjTAf7N+JXKkkg8PCsDZroOhRfTG8DM8e4c6QY5rqHh3NY0fqCIUVCunRz
+3MbkVRuvHiIodgpWat5f2DKBs2iEFq2GANgyoL/Tr5dFBHjBpwBYX7K5WVTN7IiP
+0AwxOFdT0za/QE+JUt3Nvk3/f411bl58PHj3sGUb43mxSa3208mXQ2LlvHlTg34x
+oYcXtDqwEMKV91G24P9gJCBBxbQ1a/YoIAJcs1y3bZci2HEMn7lHM1BdxqimCfNY
+rM29JIuy7VB2OjMnqfCS7jWJQOgKkq0P95DHFP1iMHniZeWBHWpScR3I7yaCzcDT
+bsFMoFteQmtzLW3uDf9mk9fcXIOzjHULwlE+X/m4WCahAvdwoC3loW7sUyTRNZJo
+o8C8d9f9AbuQ3/R5jQIDAQABo4GIMIGFMGQGA1UdEQRdMFuCIGxvZ2luLmNvbWFu
+YWdlLmluY29tbW9uLnRyYWluaW5nhjdodHRwczovL2xvZ2luLmNvbWFuYWdlLmlu
+Y29tbW9uLnRyYWluaW5nL2lkcC9zaGliYm9sZXRoMB0GA1UdDgQWBBTP/FFsblKv
+7iIAJsUHdbVRZcm/yTANBgkqhkiG9w0BAQsFAAOCAYEAi5Kf8EFjjxlHWDhrCWAj
+N5sx6AWi1QNxHbDahNuD6sFEKMVQwugHsYjJmjN+NeuzowG4a/1QlTxX+m8jpqKs
+8i8+/h6sJI+IkaLS9ITVluZO6haemVwvOlWPjKX3558c3BVlAqu4Pgxe4NXgAai1
+zn9KXfch55L3de/6w4purxavYdRH16aVlJzeZ9Zzd5i+C3MH0fQUmjFsFrbRkH6u
+LqbW9MOSbZeeKV5zxB14NzOLYE6RbuHzdnDKZEDWcyG/N41IZtLHZ/Qzi/9hk47o
+MM+0NZQtxCyfw8WAIn/MmzDm0EluW64SJwZNljnBiFelB8eNKNAsFaC6l/v2YYuZ
+7n/uFssZPh5EXRn4kNqL2so7i+XbXzyU4oV2nmDwdE94EuD6hU0AWLY2+ew8r/T5
+9UTTnZ/SThQEyqUufOIxzJIh9aMdCi3O6XD7RMqei9HKlh1LvSiq97l1byZIeIK4
+tWc0EHubiXGtYVs77EhA7wLWh8S6rv2dHCF3PZiYmRjT
+
+
+
+
+
+
+
+
+
+ InCommon COmanage Training
+ InCommon Comanage Training
+ https://incommon.org
+
+
+ Internet2 Technical Services Group
+ techsupport@internet2.edu
+
+
+ InCommon Administration
+ admin@incommon.org
+
+
+ InCommon Operations
+ admin@incommon.org
+
+
+ Internet2 Technical Services Group
+ techsupport@internet2.edu
+
+
+
diff --git a/roles/training/files/shibboleth2.xml b/roles/training/files/shibboleth2.xml
new file mode 100644
index 0000000..5108e2d
--- /dev/null
+++ b/roles/training/files/shibboleth2.xml
@@ -0,0 +1,53 @@
+
+
+
+
+
+
+
+
+
+ SAML2
+
+
+ Local
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/roles/training/tasks/main.yml b/roles/training/tasks/main.yml
new file mode 100644
index 0000000..13c91eb
--- /dev/null
+++ b/roles/training/tasks/main.yml
@@ -0,0 +1,127 @@
+---
+ - name: Add training user to Docker group
+ user:
+ name: training
+ groups: docker
+ append: yes
+
+ - name: Add training user to wheel group
+ user:
+ name: training
+ groups: wheel
+ append: yes
+
+ - name: Install convenience packages
+ yum:
+ name:
+ - emacs
+ - nano
+ state: present
+
+ - name: import global variables
+ include_vars:
+ file: "vars/global.yml"
+
+ - name: Create volume mount point directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ mode: '0755'
+ loop:
+ - /srv/docker/srv/comanage-registry/local
+ - /srv/docker/var/lib/ldap
+ - /srv/docker/var/lib/mysql
+ - /srv/docker/etc/ldap/slapd.d
+ - /srv/docker/etc/shibboleth
+ - /srv/docker/etc/apache2/sites-available
+ - /srv/docker/ldif
+
+ - name: Copy service stack file
+ copy:
+ src: comanage-registry-stack.yml
+ dest: /home/training/comanage-registry-stack.yml
+ owner: training
+ group: training
+ mode: '0644'
+
+ - name: Copy structure LDIF input file
+ copy:
+ src: config-always-01.ldif
+ dest: /srv/docker/ldif/config-always-01.ldif
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: Copy olcAccess LDIF input file
+ copy:
+ src: config-always-all-olcAccess.ldif
+ dest: /srv/docker/ldif/config-always-all-olcAccess.ldif
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: Create secret olc_root_pw
+ docker_secret:
+ name: olc_root_pw
+ data: "{{ olc_root_pw }}"
+ state: present
+
+ - name: Create secret olc_root_dn_password
+ docker_secret:
+ name: olc_root_dn_password
+ data: "{{ olc_root_dn_password }}"
+ state: present
+
+ - name: Create secret comanage_registry_email_account_password
+ docker_secret:
+ name: comanage_registry_email_account_password
+ data: "{{ comanage_registry_email_account_password }}"
+ state: present
+
+ - name: Create secret shibboleth_sp_encrypt_cert
+ docker_secret:
+ name: shibboleth_sp_encrypt_cert
+ data: "{{ shibboleth_sp_encrypt_cert }}"
+ state: present
+
+ - name: Create secret shibboleth_sp_encrypt_privkey
+ docker_secret:
+ name: shibboleth_sp_encrypt_privkey
+ data: "{{ shibboleth_sp_encrypt_privkey }}"
+ state: present
+
+ - name: Create secret shibboleth_sp_signing_cert
+ docker_secret:
+ name: shibboleth_sp_signing_cert
+ data: "{{ shibboleth_sp_signing_cert }}"
+ state: present
+
+ - name: Create secret shibboleth_sp_signing_privkey
+ docker_secret:
+ name: shibboleth_sp_signing_privkey
+ data: "{{ shibboleth_sp_signing_privkey }}"
+ state: present
+
+ - name: Copy Shibboleth SP configuration files
+ copy:
+ src: "{{ item }}"
+ dest: "/srv/docker/etc/shibboleth/{{ item }}"
+ owner: root
+ group: root
+ mode: '0644'
+ loop:
+ - shibboleth2.xml
+ - attribute-map.xml
+ - idp-metadata.xml
+
+ - name: Copy Apache configuration file
+ template:
+ src: 000-comanage.conf
+ dest: /srv/docker/etc/apache2/sites-available/000-comanage.conf
+ owner: root
+ group: root
+ mode: '0644'
+
+
+
+
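Review bot: The seven `docker_secret` tasks on L2972–L3012 differ only in the variable name and none sets `no_log`, so unless the module already masks `data`, the vaulted private keys and passwords can appear in verbose task output; a single loop with `lookup('vars', item)` (already used in this repository's templates) and `no_log: true` removes both the repetition and the exposure. The stack file also lists `mysql_root_password` and `mysql_registry_user_password` as external secrets that no task here creates; if trainees are meant to create those themselves, a comment saying so would save the next reader from hunting for them.

```yaml
- name: Create Docker secrets from vaulted variables
  docker_secret:
    name: "{{ item }}"
    data: "{{ lookup('vars', item) }}"
    state: present
  no_log: true  # keep secret material out of task output and logs
  loop:
    - olc_root_pw
    - olc_root_dn_password
    - comanage_registry_email_account_password
    - shibboleth_sp_encrypt_cert
    - shibboleth_sp_encrypt_privkey
    - shibboleth_sp_signing_cert
    - shibboleth_sp_signing_privkey
```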
diff --git a/roles/training/templates/000-comanage.conf b/roles/training/templates/000-comanage.conf
new file mode 100644
index 0000000..bed9d73
--- /dev/null
+++ b/roles/training/templates/000-comanage.conf
@@ -0,0 +1,53 @@
+# COmanage Registry Apache HTTP Server configuration
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+
+ServerName https://{{ ec2_tag_public_fqdn }}:443
+UseCanonicalName On
+
+DocumentRoot /var/www/html
+
+RedirectMatch ^/$ /registry/
+
+ErrorLog ${APACHE_LOG_DIR}/error.log
+CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+Include apache-include-directory-registry
+
+
+SetHandler shib
+
+
+
+AuthType shibboleth
+ShibRequestSetting requireSession 1
+Require valid-user
+
+
+
+AuthType shibboleth
+Require shibboleth
+
+
+RewriteEngine On
+RewriteCond %{QUERY_STRING} !after_redirect
+RewriteRule ^/registry/auth/logout.* https://%{HTTP_HOST}/Shibboleth.sso/Logout?return=https://%{HTTP_HOST}/registry/auth/logout/?after_redirect [L,R]
+
+
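Review bot: The logout `RewriteRule` on L3093 builds both redirect targets from `%{HTTP_HOST}`, which comes from the client-supplied Host header, so the post-logout destination can be steered by whoever controls that header; with `UseCanonicalName On` already set on L3065, `%{SERVER_NAME}` pins both components to the configured ServerName, i.e. `RewriteRule ^/registry/auth/logout.* https://%{SERVER_NAME}/Shibboleth.sso/Logout?return=https://%{SERVER_NAME}/registry/auth/logout/?after_redirect [L,R]`. Whether the ALB's host-based routing already rejects unexpected Host values cannot be seen from this file. The `<VirtualHost>`/`<Location>` containers around these directives were lost in extraction, so the enclosing blocks could not be checked.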
diff --git a/roles/training/vars/main.yml b/roles/training/vars/main.yml
new file mode 100644
index 0000000..0335e14
--- /dev/null
+++ b/roles/training/vars/main.yml
@@ -0,0 +1,452 @@
+---
+ olc_root_pw: "{CRYPT}$6$rounds=5000$RMNH6IpoChSTxPzx$r9c67vaf.vP7HExQTFeR.7kioNEWU5/BiJHfs/.3xjcYmJ9R594IIRpey.IyENS5iBdTnpfBOvOYqS/cCM/8.0"
+ olc_root_dn_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 39366562316237336539383637633263626163663337303965326336623465636638656437383764
+ 6330366633326538366565366330353930613265313263320a356435613832336364356539363130
+ 66343361316665626164306662383233346365373464303832633232373233343535333930613462
+ 3831666436363563620a393262653439313332333534383834373466313638623961656632346466
+ 3632
+ comanage_registry_email_account_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31663330663137616439376165326430396237303033333337626161373531653337393033643532
+ 3461633833376439313931363938393738623564656462630a323339316338383634386561666561
+ 62373032643133653565623762373137303637643230306632303662336438373233346432333135
+ 3165303964376435350a356662653739653464623632313065646162313463333331653361613262
+ 32386165373435373336653334336435616530623631393834623334313537363230
+ shibboleth_sp_encrypt_cert: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 37343565666561303437386533663331643131616137353437333865376566346161333764643839
+ 3832373330323862303066643063316530353561356637320a643737626665393866383932636131
+ 30373162663035396135343264386265323633643661663639393335613532363164306536346331
+ 6235383535663538360a383939363066336135393864313235386264333935333964373563336233
+ 38366366666538663334396534326439386134383439616635326462303736326464616534326532
+ 37623430663562613733336261373334636231356666613536313333393965363665666161343164
+ 36373438303333393832346337396366643661353862323163353861353865633438663639326164
+ 33643233313265316231323734306432383338316334656666363230333932333466656164363766
+ 39353635326637376538376639656565613831613031666366306537306430636337376332626637
+ 65323465376336383933336461396231643962323834386266323633376134666139346336653733
+ 36666330356431366162303933353863363539326562643436316137326630316166393866366263
+ 61636462646565383431343938663733623530653835653332393865643361323539316366393337
+ 30303531336264356538666566313932336632313231616234366237636164643638346438316232
+ 31643634323231343933363165623465616230333164373637633333303835633762656135633533
+ 64363432306334313465623364353636333839343330396136356536373262386465386365643461
+ 65613531383863663865643433663337373439353333396431363830313330626430356534393465
+ 36333764626639663337333631656432393134393030653336313061323439366462643334336661
+ 37313463376234663233643230323831616235373439326435643839316436626466646331383834
+ 35356538656663613738343438363366613738373963333339633564343138653439653261356230
+ 62663466373163613433663764666262366565383337653261346433343934346639396130623564
+ 63626234613961366535323830636661656436393165356562303164356237643731353935653461
+ 31646232303061336133613864376639323264663237653731346639356466656264393939353863
+ 64663762623133633461363932356635336631666237383332376530623437646461386430636532
+ 64393766363966316131393631323164643062633534643937373731613030313230376335363137
+ 34336233383065353637626162633564626331383939626632333464316661333539373837373336
+ 61633332626463363365626135653932323662346139393439313364653035333263313939613338
+ 64656335303863663139383761333639666365313566656161343865663265303334383463343838
+ 66303536643864366666643139653835636638303666313831356439366262386161666561393931
+ 37623034663931643061363131663536323361666365396464366362663264336665623165623464
+ 66326231366535633634383833383361303364623637393532386330386662393038306465386661
+ 63366165333936613130666663383061643836336539316535313730333061643265636165613934
+ 30313538656636623737373264636466303261373461626164373833623663393136643232346635
+ 31623837386534366130343634633238666330303038633538643763316562663034653034346131
+ 34323361396464323038623465643862626137643135343135613139386438333338346435636136
+ 36333361323436323730326365623961383332323535333161653962396635323261623665396235
+ 63656662396264323462396131303438326165663439343032366232383965663166333332323836
+ 39383139653435376364633637343738623963346464356362623464343333323763346665616636
+ 30393864363836613564376332343131633561383361393562316339613165306232636164313562
+ 64396137636639363431663661313334613131336461363339373361383135363863346232383836
+ 34336263653438616433306439653633386637316530633534313762326363643932323636316233
+ 31623332363130303238393737653133626339343332343139343236363463376234663066643366
+ 64366662343561653762643235623530383337646166636239393265353061613330313465623034
+ 33373662653166663830663239323337623366326563666135313963616433393265656132666137
+ 30303930623637643462353963306262323836616135303066363033656337346637333565663038
+ 64376430396331353564346166303765393437653638633365363136616361623865633535383333
+ 32303437353739613365643566666435376138613461396238633432633135386262333861333931
+ 66366634613738636632333362396566373363636239393330326630326131626163313364373339
+ 65633734363935333139383036643430376635336566356137663964383364643064363038383132
+ 33393538333262336338356432386236613666376561623537663937623966316135613039303866
+ 33386164393238653334656533373438303439386636313831646139626263656237373430343661
+ 30343735663638333965646637623537326162623630386164306266613531356631383938356133
+ 33343535366261303666343062343939626437633062633433343463366133626664666430663536
+ 38613563316162643339396636333232323538323866616165303532666238393235386462666138
+ 36306334616639623465383131626664636331373435306230663738636239656438613233316439
+ 66663964613064393066663664373635343739303166393761303239346533373762306330653862
+ 38336332313966356439323732323338643739613361396364383236326131313633393235636439
+ 38613134333632336636643836663130383764613565303536643138623566663763346238616531
+ 61383030623231366663613066326130636438313666373664353433393135616432336231326434
+ 39373034396133356237633164336565356531356666633232306366393361373832663236643066
+ 63383564353564313336666565306562386232383461333336396362353832653661613932353833
+ 35636164646163663562386535366535613566623130343432356233656665373537303539623365
+ 64386438666636353962313830653930623761383930326439386536323732353533353166306538
+ 62366633396261323331383031373264316464343532303032633238343434313765346661393335
+ 36613866656134396139333039303364396161323666373439646134336338666330386631306663
+ 35326639613932323565643330646433393937373938323935656536333261346664313864663561
+ 66303663363039306663353164666432386266613362663330376235623331356131343533313539
+ 61393430396231643134656238643864393835626531643236623937613839313862616165366365
+ 64373164373065626637616564326264373431633637333539663366393930326232383962356135
+ 36393363393035353366616531336165643236306266613337353865643261613234636266383233
+ 36626439323135343130636362626465316465623334613133653832363439613639663366313366
+ 31633162656637393030616530373937653564316336643536616366633063613766363338376461
+ 38643566626165333865323363303236656265386338646266383038393862663734333338633336
+ 64633039363837346532343431616565616130396332373061333564316538613233306235653332
+ 62616436613565363562616664356633663139356434386136323335323839636434656433656537
+ 62633062303863656532656234663161333062383534653761376661653538306232646531363261
+ 31646334396136646266376637363239666263366539666562343737613732613234323134393661
+ 30643266656334656662383039366364643435623965663031643438653937643037343434363937
+ 34343537636364656664626338343532656231323761656130303834316165383831623165653832
+ 32653630646436653736336263613432383839386262323362363965616330373033633164306166
+ 63366435376530623339383431626662613663363936656530393239383864643339333363356364
+ 34386565653231376664623063383934656537616635343761393966396466613864383837626337
+ 64393563383431633338663133646631303731373866313536343436303762613030373537323233
+ 38376461336537316432383261313864616166316538366631373535303735333366646664383861
+ 37653832323465373234316333613361353430316437656133333934616430643539343862346532
+ 6238
+ shibboleth_sp_encrypt_privkey: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 62383033623238343762326539373365646163396534326264646562393066336262336563666437
+ 3430303734323062646239366230663862326132623561610a333466623763383238346332643836
+ 61623163663765396638306135316264346434346534313735623233303232343265343637363834
+ 3930316232316262300a353637633938313464326365353736376636366134303266643036316633
+ 36396533626664386561633133626135613965313434646465326361633035393564303038633033
+ 62646339656165373435373131353639646664663665313936356566623062356265303735333631
+ 39653261376536333037363133653030323264613332326634656431643136306266623561303231
+ 63346264653766623164643161386130623061343263343164613730653036643261366261313064
+ 35353266346530643833653635373430323962396530633335326236346133663136663734333238
+ 61313936653363336165303539636235646436396534653633633563346666343031303164393463
+ 66323131306231323563373534306439653265323136346164373439373734353937383064613961
+ 39366430383764616230323261626661663262363964363266333565383665656136376233396138
+ 33653939663934326330613432663330313630366465343833393231626466623136653632366562
+ 62306464363464643830316538393662616162383539303863313036626463373639323666653364
+ 30313131623338373431643933356666663930663365646636616133316137613832326132626439
+ 62326639303063366236663433393665376661333834666137303035373238626635333866636430
+ 34306338313137623035343465663261653866653335646335633665643839323231303063643938
+ 34316564376362643165356161333862386461356136386161623731363836393337636232306435
+ 63653964623365656265653035646337663736623362326437353965343536656235336336336363
+ 34393639653331356530626266306238376332666335336238383730313865366363383463636437
+ 36633937373462323830636263633534343066393133393430613861396333616231353166323830
+ 65336236616463303831663562613062356433326535356166653337363763313364356261336537
+ 32336532373232303031346363343033396133336565303765373530316431376337643032656331
+ 31313639623438386263376361383864353435323633643261646331376666393264313631653139
+ 34626339626530353563313564626166383039613430316534333034613536366564333233396338
+ 63656664313334383666343733393937323232646266383566386230376264656566353137326638
+ 62303264303866613165346632303564376333303130326466643636653132666133386437343864
+ 63623734393030616531323634366138333465636632356165623030333936376464653835623738
+ 65343862666534336238396266343133373164623331323330346263346237333534323532356430
+ 64656261663066376662346663663732336662646165663031326662613339616234383364623362
+ 39343162326532393064356463636163393735623434653863313639356666393236613732636561
+ 61613538353738326638383430306538633163306238396638386133666238353064343639653938
+ 64636362303637363264653930303434303163653434386261623463376238363137326635343666
+ 31656136393165663636326462623234393238303033353933646363633631626336343031386439
+ 62323438666263656430646238353739653631363831353135623461363061396662396161383461
+ 61663533343263383664353838373762663461383038303233633264663433383739303462333262
+ 36393165383962356563656636386265386236656439646661323966616335326463333834636635
+ 66333661356436616366663634666432623963353564383334656436646630313664333561396361
+ 33626533316235396133633063633565326361623365633964346366643739613464393965633464
+ 39333365633230373037646137643166376635306237326562306661383432653066313337343164
+ 36623835396434393332343736376466613232323364393834393632353438643562363336333864
+ 37393236663436333238653565636335376331396332666237303539386561383434393938383438
+ 61323537313066326165333732363861333337386532396537306439323233636137366537393366
+ 64636433653061343036336230386364333239363033643332306635633464356633333139613837
+ 32646139346430363637656239326235316363336634396334333331393030623636363034306233
+ 65333531323964633565346666613238663739323234643839393565636363663063363036613464
+ 65663162383364626663613465313863663866303464366561633731643863333238613035646264
+ 31366537623561323435643936343661383433353365313532303232613131646234323532613937
+ 32386133323439643163363161623436613930336131633137316566363866363236333131363132
+ 32376466373032666634333438333664613665363634633234346135346562663533373431313030
+ 34623937363834343836326563623832643965376134326161333430353562626537386433356338
+ 31333362313466313661393862323864626638363233643135663335383464666263663639663136
+ 65626132396362363134633630336132353638396639653963333137326339643164363864623463
+ 65643964656564646533353330303731313837646531663039376435343336373763383937373832
+ 37376563376236313165646237356666616536363235333439323465366231643832613835613565
+ 30326363343065333232326162346565613738346264663936656335366365633136376531363064
+ 66303365633139303062343664376439373537633764653731303431303639336161383132663036
+ 34386532643264326462303737313637346336356633363733393839323062383164373738383736
+ 36646165303336316539373565303938393661333939383934373039636531643738623263383161
+ 38313231626261373966373065373039613466373662623731633032643039353039643931366432
+ 35623261356265333932663962343863363832356631313532313165393963336363663433333063
+ 33343865313339613131633037363363326165376634373730346332313136313563306163326135
+ 62323061393735316333643638643363316431396461623238373839613134383934656161636466
+ 33613538386464363463666265643361636638383431653239383066373631383463303237313335
+ 30343863366664303163393262626233313435346332323164313066646138386635656432346365
+ 65383964363661373235343636613035623263653333353735643731633338636536336132663661
+ 66376635366164643165333362616337646134366565363063333035666630616565633963343363
+ 39343438313361646161363631316664313366343664343138376635373333313930373333306331
+ 30323132316164316165346138373562646536383964353436306461323032623832303362626630
+ 38303461343266303563333066396230663962643534636637356131343236623736373361393966
+ 36623937626664393436356365613436373435363565643361636532623262316435373531386239
+ 30386663653634623737663363386363326432326637323334323039356438613332336264613431
+ 39643439663465396635313238353832303137633037386535386530613763343765636431353831
+ 65653736643964333265373363636262643430333938653430363537306630666239636532316531
+ 62346364633166643064303566373330666366306562376565373164353634346237336461643064
+ 34373739373531333663376663326135646332323362396265313666313438613565373861623830
+ 64616261616563313463343230383538353230336264636239353038326533323964656633336435
+ 31623563383639633633356338666531363837373434396361303361316533316363323862386262
+ 63326431346237653462643238313865346231656335613738323538383231303863646539333965
+ 62313932623039396432623364653362366630313032653763653464663638363233376231313233
+ 65393565636263306137346636613865393862633466386538643061663665653831383833306534
+ 61656235363830396239366632333861643138656666333337343336303966356539373463626131
+ 34613836353637363863333737363636343664313361303637653532336364326363323734396237
+ 34613638393862353262653063343435656666373663653030646337333761353463653335653962
+ 66653438316633653333323836383231663965376136346464643231333633656636623832313063
+ 31336434373230336335663435386237663836643433376666623766353065376433333261643539
+ 66376563646237636434306135346335666631363238323362306664353864393435646436623337
+ 39376463633532356439343636613538343735356463303664663866303834336135343639366163
+ 37333163343565383664363764656662653463366135316435663366323335333231663361303563
+ 30623332333561353663313861346536643838336164396164386533386638383164313163363936
+ 36356162656635313163336534623936636437643866613961316465313338336462343931363332
+ 30626339663563306464313861636532326132613961373362663037323439646164333164316533
+ 33343833373662333262333735636366383263376564313837613838323462636132386635616365
+ 66643037656435613162616665613038613933333265316234393536396262646364636263326461
+ 33316237626130356237663134623037653134656132646530373963656465623263366538333062
+ 62306463323833323337343663396662323538636366326566613835613462366436323131643835
+ 34393139353136306538326435303563386439386437356530346339373732323865626134646164
+ 38653936653934663862653439393536323435396639613663666331343562333335633834353239
+ 64356564333634663061316135303966343931396533306161636636366530646238353438356337
+ 61643931636439323831333363363266646533613835643939393761383366623535353734353064
+ 31303930386633393636333136373938613237636230656430356532323435393863373465666439
+ 33646637613462306339303664366363353731623337626639633234383464306431656366303038
+ 32356332363036663538386365363936313931393639343132616432643534613164313136653061
+ 62323735363262356165666561636365333661363434326238353034386338633161323933316363
+ 35343465616338653365303663303563393161343639663938663331386564396234636536346663
+ 66636136303661313833656134326563646361386437356337383537363265393963643038656536
+ 64323832343435356137666331653934316636306534306639346437303730626134313336306333
+ 39316665636462326632633233353162643833343366353263643535646432663163333132646330
+ 33376664653938643366326433623735336235393062316130646232306461646535353364323664
+ 62663564306539363536303130643039376265663038333266353863363035323132343433643537
+ 39326633613964303134323134396265353361636239363636623633393830383037336632623666
+ 34333532376130346164323662373963333134646530393165666537323135333330643062666466
+ 31663838326364343965653662396438396563643735623963636466633038353235333561666566
+ 30333964643235386136323531623331653863656164386366336563383637353939306666643833
+ 32383132323632306233613335383533623536646437396634633839613230623661646263353231
+ 33366264396436653363663261333861653634613632636665646264656263353138376433323832
+ 61313335343466653164643439396533376633613636393835663137663530663733633931656337
+ 63353035353062323366616666333637356131613937663534626333633936313865393466363834
+ 64346133646133306436653364383065376163653831666564376130613766353865636165633664
+ 32346136663030623632326130313365653431343862336138326634613661303632373863323366
+ 62616531626534326261643563393661303164346336623466613933333231656264343563313132
+ 34373566643763666630376132373534623761643064656331353836613938366130623934303961
+ 38616134353432636339313362656533313562643665636336323635336363396139333535333265
+ 65653866663266376564343831323937393032666431366364373234663263636235333831633561
+ 36303935376436363864383364643639373737313431303537643134346132363630306662383466
+ 65343031363964346236393037313864373137333734666437356532653562616231333136663636
+ 61373630316665633961663531396134626536666438626332356437353330633731333938613565
+ 31303232333139633833393939666162376364636264656466343136663163643138373131313264
+ 3662
+ shibboleth_sp_signing_cert: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 38393365303066356139663563643464663266663732303631303065313664653963353833366435
+ 3262623664383230613466333166616531666639643631380a653434376566366436346265383465
+ 62376566626438333662356138666539633066633630333133616163333432303064336266313166
+ 3731383839333630330a656461353765353365373664653238363235383833646230313564396631
+ 38643435613639383665316334396363356334393237663266323765626362323062303739663536
+ 66346435316336306532653362333636343133336664633265643635306365336335643062623365
+ 66353164343635646332303137313435326538643062366462313338663734353463353937303863
+ 63376164323262393961326362613662623737616539326334623233333036626464353130366463
+ 30616164353030356330373235303361643437313666643237376263373538653137323836656165
+ 36613637366566383861336363636234623965623662353631366430383764386565353634666465
+ 31353263373962336435653132303535363238636262313964623437383333303835373666346438
+ 66616465616566363739383637393862333337336531336630373064353365366262366666656566
+ 35353532363962666438656639373330346334303830376661653131346361636336303861633366
+ 33643437323766343236623863643032306432643964313939646232653432643438623135653039
+ 64313732376466336362373434346339633330356461633930303738323766613637383235613538
+ 39383938316232643435313566386334323638613839613632653062643137643139313762326462
+ 37356363343031663637383962376633616264343435626136313135626236363463663738323362
+ 38373234303166653631353733663737313934366634383833313333656530383462373838343735
+ 32633564626335303133343332383032386330303235393239346563613463363335363531323235
+ 62636563303635623764356535323835656563653566393565313630376661363962613864643463
+ 61613433306638653562386637396437623130333831373730623939333538383939373066393265
+ 32396139336435623465323734363137643762346435396130663961666561333734356532373766
+ 31663135336661343234623265393336666565326234376365353731646236303833326162363232
+ 31333662376536393632346439613331656439623937616538363263663837306361366630353538
+ 38653133383463643937663833343132643831383264613463316261373630393935383232343439
+ 35356639656263356333356138393466613434633461313038303663656465333738636462316332
+ 37393130326237626638336635653839333731666132323061646430396133366439376432386162
+ 64663436313030356437376430303939396363623661623433633332646361616263323562383561
+ 38393335393439326464313866363430643236623330323864656536303138343239373761616265
+ 35636364613938646464376438666439653362346135666332346165333138356333653161343036
+ 35313063313866393635653335303030316265633437656133323266303239623333383138333961
+ 34316631646261313666666263316165646164363466633434343731613030326537623837373862
+ 34643962656639356335356633613630613461323836656430343838336163326232316664343564
+ 36313234613435386466366333613939373933663066386265356139633231656336363664643461
+ 38313366373038643435313762373639623063666533613933393533663033623566323965643630
+ 35623565666434376135373464346166366363346239326535386633316434613365303464633136
+ 65633236623935353836373638353666396637626165626265303734336433306430393766376331
+ 39633436356137363632633038323166336536313133643463313533313565306465663365623838
+ 39623762393266333239343131343661373533346662643430313234623836306632633435376263
+ 31313332323335336263366332336638346565313466386366343537396264313566626665363735
+ 38633331653566393535623031666139306134366539643036333035313739666238303130346338
+ 35363631316361653135383237623139323931373338343137626363353865356433616534633464
+ 38396466613936646365636335616466626131323530643164366363393666663935386234313634
+ 32363036613162303132646537356263653336653339666231656437663065653930666238653830
+ 32346132393837616538353034313161323130623831383737646539373838326439376432383961
+ 63373931353439316530326333616431633738613035656330376336363933376639616533366361
+ 63666231316436373761346661336632333665653536613637343736333934616434356436363764
+ 33616433373461656139323438646165616134353333636661616639376666646234636532356133
+ 61343464663232393963633735633330626636336335333961343362646631633134313765656332
+ 64656137616631326165396566353938383862313063646339343066623035666666663563396262
+ 39303735303737623930343139626538373263313837373437613666303639333836636565326261
+ 32363937666335643062393237363730383335333762366431623037316666356139363966313138
+ 31633030666331613036336466616663343534623432366135636639333531316232303364353136
+ 38373266666633396133343761386334343136333431623066383132346632663832353633326363
+ 31336362633232373737663862313861376534616433363939316465643366376362373932323337
+ 33316464303961313732313862376561653737656535376332633466356336393433376636316462
+ 32373166376362303139326462613762333239326235386261393662363930646136306261376139
+ 31623865313466396536363765353162316139376530383331623864633665323964393538646339
+ 36623064376439333032363334653964326339343262333364373965356635623765613236366638
+ 66356232356530653130326439633535663665316164303536393736376134323562353238626231
+ 30376630613131363031343333333634323231643263663666373866326430626562646335353961
+ 36666331363562613739356266313237653338383036666265383439646363373364646537306164
+ 65303636303432636366626432316434393565643530626239396161663663343261323366313465
+ 39626439636466353139323538363034666164623062616333626439306432656232343330616666
+ 66383365316538316666613635376163613534333166383165626464633031353862336235626362
+ 64663864613531343237643163386134333132643234303234663961366230623434656466656639
+ 66326630613838316166393030346437616435623263393438323236616562633166346230333330
+ 39376339383963326638383164306537646333376535356464336537326131393333646463316532
+ 36613430376537653665656133323362333566323166643965326265613965636263393230626138
+ 35393639623465643961316463643330306633376666313634343834303566333038333765383336
+ 66326662616261333436363733366264653739393537356135303131626161333730626634616536
+ 66653465356631623764663161653636353632346636613936306235663061636665623635383334
+ 38346163643364643261643734393738313837386564646263343630653861323031343932323930
+ 66346461303732633461343036626163633331636466643832363935363731303837326163623664
+ 38376637666138616534386437366462633966613563363132613237636161306239663738306531
+ 34353964373536343838643031653962396338376339386461373037323363336465613734363930
+ 65396332343466623332613566313135613731333930366461656363383565373266323431653666
+ 39383666393332383766303735623862626136663637363131633537633136626565396561653239
+ 34323733306230653864663435353130666162313136343232663839316434666632313563656463
+ 32343137383538623639663331303330636433313034336461666635643532316662353530336562
+ 37306538623231313630316466646134336263306366363233376663363566643962383537616363
+ 39653139303131356634343864313266613931663264623631356334306431643965666366613634
+ 64303163323838383331363334643433303932306264623564386630313366336536663534653136
+ 38313834656539636633306331656261383561303539626636383236353166383130386430643262
+ 6233
+ shibboleth_sp_signing_privkey: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66353132613966656531393330326266623665306631386161393563653930326661346437336236
+ 6336306233366637376233643638616264313934626566370a303934343436346266363463343937
+ 37616633376132636262326531626361616334626430653961663334613463656635373264643038
+ 6135623035303364650a393231666231663631636532303162366438366461353332323731343462
+ 63666235373265653031326263363735333762333830313334343037323935343534303733353832
+ 66626365646365636139316332313763356536346433373265373136633465623361396133383132
+ 62653830613434376133653237343730353933646530653863366462323237396362613035666530
+ 64383632643339613331373234633265313438653163626138366466616130393030316537643063
+ 66613335306437336237303738626539336131396664656165633362383861386465363839326464
+ 36383536393362306430343834636138653061623736363937616432333639346434353830376336
+ 62363435323535633564343134623634633035643233353065646339313637363061336437613364
+ 30323166373332336265306334616533646134393034666664636562373132633865663761313738
+ 38376261663639633338643939633636353962363935663934633664383163393565366139353536
+ 35393732363365323432393035613034323434343336303362643038386436663438373366323530
+ 35316431343239353732636461396364313966376433316432333666373034656535613839353139
+ 64616362656263363063326631616363393032386638633535303165626435336633646437396433
+ 64376161366431326164323735326236646666353232646637653961393230613433613732363534
+ 37623139336438363862653737366136616638303335346133363331663836636634643036336561
+ 64643364653062353861323933636336393739383533376238383764366631303761656530623837
+ 62343436666334643938656361653061656330396162666337306437646236393963316465396362
+ 33386666393230343565623330303933363135303065366135383737656436666662653632623931
+ 33333832623637303462346136653639336362383265363563633732656132643632626364373364
+ 38653966663933303762346234343231326263316133303833343835633933306166393231646663
+ 37326432313961633431663265363634623339313630313566316230396232333664636430643435
+ 37393839666338303565343436363430326362363365313135363061626135383164633133366236
+ 62346637643432303464663633323632636337393862646161303865373638313537333565383338
+ 64626432666639373136316432353763383566643963633363623566336235313036626466356564
+ 64666333353266623436333963663034643230666662646664386634636633376565363434323034
+ 62636264356435653439636139633230383039666331393838313461376337646464326661633137
+ 63616562356637643535323931643765313730363035633432663936373738333233356538386366
+ 64643566376235643531633239663031666436383731396431356637383635373864656164663437
+ 32386137383530353066386236373666303465323166373334396237353837373531663264626432
+ 33323837306664343834363864316238636139353964343763393362643161313332366236356237
+ 38633461313933343436316535353036643035323832306130356463653536623530316139366532
+ 63613034646639383135326530316632653761333536346139303034656632626236396232376334
+ 35626536646162636432376633636564303462376663326536346531336362343164376332613762
+ 33666537633636633266623531393231613764363933646163653164643736393162333866393434
+ 62343361653463323466663664653065656265386333633463636337383464303464626634653439
+ 63306535383066323537633034373930346666346137646664656438646430666633373764396566
+ 38303035333861396466616339326437366639303138373538623130333861646333303163393232
+ 32356661666536396462393061356461376234303264326539666238316332363664363834336536
+ 32376130313635386332613062346364633561633932396139306237636262356134343933663161
+ 31616533633231663338643636306163376237356633353337643233346138633665363333326536
+ 63636364336265353139643561656562626333313936643330623830366165383031366230653466
+ 36343066326336356535336336646137376235626265356338646563393461316439623464646639
+ 34313139643865663262303136646438626538616261323838336335316631353836643465326463
+ 35316266316466373362336534393733383432656234303365326331313134326534643366323662
+ 32633263623262336530653861333230636135326463383737353937316637393436626263623634
+ 64396537346564613030663635393338396139373232643038366131653339306362636430333038
+ 30343633613431656234356264613139306538626664306661613530383030663439383633623639
+ 37396132393638663536396131336537376431623966636134663365323562643132306439623838
+ 61623565643936656662373735636432656637303134646631383534313531663661346131396465
+ 34633063383935393436336230653136613664656330653731616630643636646366356466306632
+ 64393763343961376130613661623436316536336165346133663730353531666465306563613836
+ 35363233303936663666313238646131333937393934623737633236376530343930623966643234
+ 63396336613861353662356563666164663062383335666538646231316334346430356564303235
+ 66343564366164666438366162646434386135343536336331323131653837313939373634353335
+ 37313462656261393433633339363466633436313932623535663731356664653735663235323536
+ 66356238626330366537303538333339643935646162376333616466383565343036663763663837
+ 63616630313661346232373238373230643130333031396461323933343061383330643063336663
+ 33623134396330656666643064326230636432366634303362336635666464663632373566613266
+ 66623163366131313139623230336233323939323066663663613462336634636534653938656536
+ 65333137643835336166303966336238373261666265386338633635336436333631323461623666
+ 35393438643062653333323266623930646130313039386335373931316537326261343866623631
+ 66336334323130353338383630323532623634376363396132336361373934646231653839366232
+ 64383961303237333736346132613831353631666161316638616238313163356238323834393530
+ 62303035343862616537336335373765373164396464613864636538613139646262353164616239
+ 38376633646465386164613965373134303565613430373964386362316639373065393238393463
+ 37383363633332383138336539626137633364616665663866623232666530636236643733313762
+ 62366162653135633533313963616463623661636536363334643738613732333433623139346561
+ 61366366393564356637323332386235383038343938663334386662336133653733613534363831
+ 34383235333134633633663535633433343738633739626461343534343635663039643038656461
+ 36316331336265383535333739316533376162363566303636393439396166663239386436643039
+ 64653933646566666530306565326366316662646530663138343963646665353965323636303366
+ 37623734653165393965616234663666393666393034623261366631623366346634353161373465
+ 39633265636566316337363532323235386134363535383461383236393933363832666332373162
+ 35616465383837623930356139643462336266396663663931333532343036653539613335376139
+ 64353037633632326265353139333262613063663838663337383739346161313562653238306136
+ 66393039623861343132646565383736373561626563306261653731646332323637613436343236
+ 35343833356637633931653765343031626338356430643432386539653231326261633034306135
+ 63303635616334663835383633343364373764306132303231323165363034323839313464636263
+ 33333165633339313330616237376532303061636237333864363666613737313364636336656462
+ 33383438633865363464303337323732663538643861653636353636326630313436666662343935
+ 37636336666336373131383363626433653633366662396238383433636565393032323336626463
+ 65313036333930376139383563313564623839636533616430386237373461316131613831626435
+ 32313964373963653564306564666564383633356637396538386330336131326437353238313961
+ 62616631656166383637633562643534336532383365353438636263343839643563666134373830
+ 33376337643435383864393337353338333933636462393834353136306634356230313634636335
+ 30333333656365353138323938623963383734373434303435633730366230346263643166666666
+ 30623034326235383564333366633765396135383661353365353362353232666630636634376332
+ 31323037393337656536633037613537643435383237623431343334303737613061616136383066
+ 31336263333165303635303537343061343634306231643031656165383839626237373134636162
+ 35356238643734396538346439376265356537643438326564363239316439353763313165643939
+ 34366434393134356130306666386538663533363938386137393562303461626161613366393234
+ 63396263666431313135313364653561306565323439343632316337623036316536636163613562
+ 37636263353539666334366437396265633565396336393139663239323038313463373438636631
+ 33306138346566663938336136363861653462386331333735303535326131333164306166646135
+ 39333638613534356266656461343963623635623965333861356462656536343262623732373864
+ 34356562393766353336353665353730353836613966363564396634656531663036323738303036
+ 30333961633361323537306630643764323030626339633230373138656638623466623963663834
+ 30366333376335313439333931636533666636353965643661613438346664353134393632303331
+ 63646362383465643132613135643361663533626434346238636432666133666132303237663939
+ 33633639323062613764643665653431636235646332353566326632326663353430393064353166
+ 31616536316561373466663137373839666635623136623364666230336334653166643638343633
+ 32306132626138373139356435373532663765633038386333393130353439636233643665353264
+ 61663938616139323366646238613137393266613762366138313265323830313438343064626661
+ 34646336363166633063333233383232343362666264353933303734393834353962393232316336
+ 30343665613963373030393233356636626365316535313361336239393734306138353935373864
+ 36363330363331353734346164336337333230626163333765656466643461623337613038656231
+ 38356432613438636336633836616362633639623137303234303262313163333331393635653339
+ 36363564633739326235396534633035386565323834333063643831333835323234643462363335
+ 34336535366561316363643838306639656436363530396136353761373437376338633636366634
+ 33383338646263353664626235663561643938616665323362386630313838646635613463626334
+ 64623933386339633331313633343839316366656462343466353334663139646137663535363036
+ 62336534666238353565376132623439326366336632623537366261643364383234363630393638
+ 33643030613639396261313730303765663131393734613936636562396133353134623534306430
+ 39646534313331643234326532623262393433316536396638353364653737656234623565343966
+ 66663266653861396538346336303137303832623364316237363336393066393363373036623665
+ 32656464346663616561313239623535663834366366333739393936336163356139356563336365
+ 61393538313435656161653931303066326466656238373333383066346665343030626537316165
+ 63373137323061363561656135313566663664653033636262316331326530653134336436386532
+ 37363135323866636265656361353235353838393533393632326537646433643164326562656463
+ 30363061646435396465373933636639623765613635623462663466336233616539653032393762
+ 62623532373936656461356134633239393137636239306263643732333036653239383364343636
+ 64643966363961623439323634646130613232366234626238646532323236633064663635663931
+ 30636362643130383863356161373363393131323630616637643032386636386363333634343833
+ 33643666386531646362373336656665316265653666636163353730616262366661323930316532
+ 33356539396265366332353363393762373537326565666466323937653733386233313136303862
+ 3766
diff --git a/ssh_bastion.yml b/ssh_bastion.yml
new file mode 100644
index 0000000..1a11e23
--- /dev/null
+++ b/ssh_bastion.yml
@@ -0,0 +1,121 @@
+---
+- hosts: localhost
+ connection: local
+ gather_facts: False
+
+ tasks:
+
+ - name: Security group SSH into bastion host
+ ec2_group:
+ name: COmanage Training SSH bastion
+ tags:
+ Name: comanage_training_ssh_bastion
+ tier: all
+ description: COmanage Training SSH bastion
+ vpc_id: "{{ comanage_training_vpc.vpc.id }}"
+ region: "{{ comanage_training_region }}"
+ rules:
+ - proto: tcp
+ ports: 22
+ cidr_ip: 0.0.0.0/0
+ rule_desc: SSH from anywhere
+ register: bastion_ssh_security_group
+
+ # For each public subnet, build a bastion host
+ - name: Provision SSH bastion hosts
+ ec2:
+ key_name: AWS-Trng-1
+ group_id: "{{ bastion_ssh_security_group.group_id }}"
+ instance_type: "{{ ssh_bastion_instance_type }}"
+ image: "{{ ssh_bastion_ami_id }}"
+ wait: true
+ region: "{{ comanage_training_region }}"
+ assign_public_ip: yes
+ instance_initiated_shutdown_behavior: stop
+ monitoring: no
+ vpc_subnet_id: "{{ item.subnet.id }}"
+ private_ip: "{{ item.item.value.bastion_ip }}"
+ volumes:
+ - device_name: "{{ ssh_bastion_device_name }}"
+ volume_type: "{{ ssh_bastion_volume_type }}"
+ volume_size: "{{ ssh_bastion_volume_size }}"
+ delete_on_termination: yes
+ instance_tags:
+ Name: "comanage_training_{{ item.item.value.bastion_hostname }}"
+ public_fqdn: "{{ item.item.value.bastion_hostname }}.{{ r53_dns_domain }}"
+ private_fqdn: "{{ item.item.value.bastion_hostname }}.{{ r53_dns_domain }}"
+ comanage_training: True
+ role : bastion
+ count_tag:
+ Name: "comanage_training_{{ item.item.value.bastion_hostname }}"
+ exact_count: 1
+ register: bastion
+ loop: "{{ subnet_public.results }}"
+
+ - name: List EC2 instance ID information
+ debug:
+ msg: "{{ item.tagged_instances[0].id }}"
+ loop: "{{ bastion.results }}"
+
+ - name: Create CNAME entries for bastion hosts
+ route53:
+ state: present
+ zone: "{{ r53_hosted_zone }}"
+ record: "{{ item.tagged_instances[0].tags.public_fqdn }}"
+ value: "{{ item.tagged_instances[0].public_dns_name }}"
+ type: CNAME
+ ttl: 30
+ overwrite: yes
+ wait: no
+ loop: "{{ bastion.results }}"
+
+ - name: Build Ansible inventory host group of bastions
+ add_host:
+ name: "{{ item.tagged_instances[0].public_dns_name }}"
+ groups: ssh_bastion_hosts
+ loop: "{{ bastion.results }}"
+
+ - name: Build ssh_config from bastion host list
+ template:
+ src: ssh_config.j2
+ dest: ssh_config
+ backup: false
+
+ - name: Build bastion_internal_ip from bastion host list
+ set_fact:
+ bastion_internal_ip: "{{ bastion_internal_ip | default([]) + [item.tagged_instances[0].private_ip + '/32']}}"
+ loop: "{{ bastion.results }}"
+
+ - name: Wait for SSH to come up on SSH bastion hosts
+ delegate_to: "{{ item.tagged_instances[0].public_dns_name }}"
+ wait_for_connection:
+ timeout: 300
+ register: bastion_ssh_connections
+ loop: "{{ bastion.results }}"
+
+# Now provision inside all of the bastion hosts
+- hosts: ssh_bastion_hosts
+ become: yes
+ gather_facts: True
+ # Run in parallel
+ strategy: free
+
+ tasks:
+ - name: Import global variables
+ include_vars:
+ file: "vars/global.yml"
+
+ - import_role:
+ # Refer to the file roles/common/tasks/main.yml
+ name: common
+
+ - name: Configure DHCP to set domain search
+ lineinfile:
+ path: /etc/dhcp/dhclient.conf
+ regexp: "^prepend domain-search"
+ line: "prepend domain-search \"{{ r53_dns_domain }}\";"
+ register: bastion_domain_config
+
+ - name: Reboot bastion host
+ reboot:
+ when: bastion_domain_config.changed
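Review bot: The bastion security group rule `cidr_ip: 0.0.0.0/0` on tcp/22 admits SSH from every address and nothing else in the hunk narrows it; since the trainers' source ranges are known at provisioning time, take the allowed CIDR from a variable, e.g. `cidr_ip: "{{ ssh_bastion_allowed_cidr }}"` (name constructed), so the default is not the whole internet. The `ec2` task mixes `wait: true` with `assign_public_ip: yes`, `monitoring: no` and `delete_on_termination: yes`; Ansible accepts both, but `true`/`false` is the unambiguous form. `role : bastion` has a stray space before the colon. The tag value `comanage_training: True` is a YAML boolean that presumably gets stringified on the way to AWS; writing it as `"True"` makes the stored value explicit.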
diff --git a/ssh_config.j2 b/ssh_config.j2
new file mode 100644
index 0000000..edb4f65
--- /dev/null
+++ b/ssh_config.j2
@@ -0,0 +1,21 @@
+ControlMaster auto
+ControlPath ssh_mux_%h_%p
+ControlPersist 3600
+
+{% for host in groups['ssh_bastion_hosts'] %}
+Host {{ hostvars[host].inventory_hostname }}
+ User {{ ssh_bastion_user }}
+ StrictHostKeyChecking no
+ ForwardAgent yes
+ IdentitiesOnly no
+{% endfor %}
+
+{# just pick one bastion host for proxying through #}
+{% set proxy_host = groups['ssh_bastion_hosts'][0] %}
+Host 192.168.*
+{# probably should be User {{ ssh_docker_user }} #}
+ User {{ training_node_user }}
+ ProxyCommand ssh {{ ssh_bastion_user }}@{{ hostvars[proxy_host].inventory_hostname }} -W %h:%p
+ StrictHostKeyChecking no
+ ForwardAgent yes
+ IdentitiesOnly no
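Review bot: `StrictHostKeyChecking no` on both `Host` stanzas disables host-key verification entirely, so a connection to the wrong bastion, or to the wrong 192.168.* node through it, would not be noticed, while `ForwardAgent yes` hands the agent to whichever host is reached; `StrictHostKeyChecking accept-new` keeps first-use pinning without the prompt on freshly built hosts, and `ForwardAgent` is only needed where a later hop actually uses the agent. The `ProxyCommand ssh ... -W %h:%p` form starts a nested ssh that does not read this generated file, so the bastion stanza's options are not applied to the hop; `ProxyJump {{ ssh_bastion_user }}@{{ hostvars[proxy_host].inventory_hostname }}` does the same thing and passes the `-F` config through. `Host 192.168.*` duplicates `vpc_cidr_block` from vars/global.yml by hand and will silently stop matching if that range changes; deriving the pattern from the variable keeps the two in step.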
diff --git a/training_nodes.yml b/training_nodes.yml
new file mode 100644
index 0000000..467d80a
--- /dev/null
+++ b/training_nodes.yml
@@ -0,0 +1,252 @@
+---
+- hosts: localhost
+ connection: local
+ gather_facts: False
+
+ tasks:
+
+ - name: Build training_node_rules security group rules - bastion hosts - SSH tcp/22
+ set_fact:
+ training_node_rules: "{{ training_node_rules | default([]) | union( [{ 'proto': 'tcp' , 'ports': '22', 'cidr_ip': item, 'rule_desc': 'SSH from bastion'}] ) }}"
+ loop: "{{ bastion_internal_ip }}"
+
+ - name: Build training_node_rules security group rules - ALB port tcp/80
+ set_fact:
+ training_node_rules: "{{ training_node_rules | default([]) | union( [{ 'proto': 'tcp' , 'ports': '80', 'cidr_ip': '0.0.0.0/0', 'rule_desc': 'web traffic port 80'}] ) }}"
+
+ - name: Build training_node_rules security group rules - ALB port tcp/443
+ set_fact:
+ training_node_rules: "{{ training_node_rules | default([]) | union( [{ 'proto': 'tcp' , 'ports': '443', 'cidr_ip': '0.0.0.0/0', 'rule_desc': 'web traffic port 443'}] ) }}"
+
+ - name: Security group COmanage training node
+ ec2_group:
+ name: "comanage-training--node"
+ tags:
+ Name: "comanage-training-node"
+ description: "COmanage training node"
+ vpc_id: "{{ comanage_training_vpc.vpc.id }}"
+ region: "{{ comanage_training_region }}"
+ rules: "{{ training_node_rules }}"
+ register: training_node_sg
+
+ - name: Provision COmanage training nodes
+ ec2:
+ key_name: AWS-Trng-1
+ group_id: "{{ training_node_sg.group_id }}"
+ instance_type: "{{ training_node_instance_type }}"
+ image: "{{ training_node_ami_id }}"
+ region: "{{ comanage_training_region }}"
+ assign_public_ip: no
+ instance_initiated_shutdown_behavior: stop
+ monitoring: no
+ # We only provision into one subnet since we do not need high
+ # availability for training.
+ vpc_subnet_id: "{{ private_subnet_id_by_az | dictsort | first | last }}"
+ volumes:
+ - device_name: "{{ training_node_device_name }}"
+ volume_type: "{{ training_node_volume_type }}"
+ volume_size: "{{ training_node_volume_size }}"
+ delete_on_termination: yes
+ instance_tags:
+ Name: "comanage-training-node-{{ item }}"
+ private_fqdn: "registry{{ item }}-private.{{ r53_dns_domain }}"
+ public_fqdn: "registry{{ item }}.{{ r53_dns_domain }}"
+ comanage_training: True
+ role: comanage_registry
+ count_tag:
+ Name: "comanage-training-node-{{ item }}"
+ exact_count: 1
+ wait: true
+ register: training_nodes
+ loop: "{{ range(1, lookup('vars', 'training_node_count') + 1, 1) | list }}"
+
+ - name: Build Ansible inventory host group of training node hosts
+ add_host:
+ name: "{{ item.tagged_instances[0].private_ip }}"
+ groups: ssh_training_node_hosts
+ loop: "{{ training_nodes.results }}"
+
+ - name: Create A record entries for private interface for training node hosts
+ route53:
+ state: present
+ zone: "{{ r53_hosted_zone }}"
+ record: "{{ item.tagged_instances[0].tags.private_fqdn }}"
+ value: "{{ item.tagged_instances[0].private_ip }}"
+ type: A
+ ttl: 30
+ overwrite: yes
+ wait: no
+ loop: "{{ training_nodes.results }}"
+
+ - name: Wait for SSH to come up on training node hosts
+ delegate_to: "{{ item.tagged_instances[0].private_ip }}"
+ wait_for_connection:
+ timeout: 300
+ register: training_nodes_ssh_connections
+ loop: "{{ training_nodes.results }}"
+
+ - name: Create ALB target group for each training node host
+ elb_target_group:
+ name: "{{ item.tagged_instances[0].tags.Name }}"
+ protocol: http
+ port: 80
+ vpc_id: "{{ comanage_training_vpc.vpc.id }}"
+ region: "{{ comanage_training_region }}"
+ health_check_path: /registry/
+ health_check_interval: 15
+ health_check_port: traffic-port
+ health_check_protocol: http
+ healthy_threshold_count: 3
+ successful_response_codes: "200"
+ unhealthy_threshold_count: 5
+ targets:
+ - Id: "{{ item.tagged_instances[0].id }}"
+ Port: 80
+ tags:
+ Name: "{{ item.tagged_instances[0].tags.Name }}"
+ state: present
+ wait: no
+ register: training_nodes_target_groups
+ loop: "{{ training_nodes.results }}"
+
+ - name: Create ALB target group for IdP node
+ elb_target_group:
+ name: "{{ idp_node.tagged_instances[0].tags.Name }}"
+ protocol: http
+ port: 8080
+ vpc_id: "{{ comanage_training_vpc.vpc.id }}"
+ region: "{{ comanage_training_region }}"
+ health_check_path: /idp/
+ health_check_interval: 15
+ health_check_port: traffic-port
+ health_check_protocol: http
+ healthy_threshold_count: 3
+ successful_response_codes: "200"
+ unhealthy_threshold_count: 5
+ targets:
+ - Id: "{{ idp_node.tagged_instances[0].id }}"
+ Port: 8080
+ tags:
+ Name: "{{ idp_node.tagged_instances[0].tags.Name }}"
+ state: present
+ wait: no
+ register: idp_node_target_group
+
+ - name: Create default target group for ALB
+ elb_target_group:
+ name: "comanage-default"
+ protocol: http
+ port: 80
+ vpc_id: "{{ comanage_training_vpc.vpc.id }}"
+ region: "{{ comanage_training_region }}"
+ tags:
+ Name: "comanage-default"
+ state: present
+ wait: no
+
+ - name: Construct rules for application load balancer - training nodes
+ set_fact:
+ alb_rules: "{{ alb_rules | default([]) | union( [{ 'Conditions': [{'Field': 'host-header', 'Values': [item.tagged_instances[0].tags.public_fqdn]}], 'Priority': my_idx + 1, 'Actions': [{'TargetGroupName': item.tagged_instances[0].tags.Name, 'Type': 'forward'}] }] ) }}"
+ loop: "{{ training_nodes.results }}"
+ loop_control:
+ index_var: my_idx
+
+ - name: Construct rules for application load balancer - idp node
+ set_fact:
+ alb_rules: "{{ alb_rules | default([]) | union( [{ 'Conditions': [{'Field': 'host-header', 'Values': [idp_node.tagged_instances[0].tags.public_fqdn]}], 'Priority': '100', 'Actions': [{'TargetGroupName': idp_node.tagged_instances[0].tags.Name, 'Type': 'forward'}] }] ) }}"
+
+ - name: List application load balancer rules
+ debug:
+ msg: "{{ alb_rules }}"
+
+ - name: Security group COmanage training ALB
+ ec2_group:
+ name: "comanage-training-alb"
+ tags:
+ Name: "comanage-training-alb"
+ description: "COmanage training ALB"
+ vpc_id: "{{ comanage_training_vpc.vpc.id }}"
+ region: "{{ comanage_training_region }}"
+ rules:
+ - proto: tcp
+ ports:
+ - 80
+ - 443
+ cidr_ip: 0.0.0.0/0
+ register: alb_sg
+
+ - name: List application load balancer security group
+ debug:
+ msg: "{{ alb_sg }}"
+
+ - name: Create application load balancer
+ elb_application_lb:
+ name: comanage-training-alb
+ subnets: "{{ public_subnet_ids }}"
+ security_groups:
+ - "{{ alb_sg.group_name }}"
+ scheme: internet-facing
+ state: present
+ listeners:
+ - Protocol: HTTPS
+ Port: 443
+ DefaultActions:
+ - Type: forward
+ TargetGroupName: comanage-default
+ Certificates:
+ - CertificateArn: arn:aws:acm:us-west-2:626413038627:certificate/7f3a9449-1fa6-41ed-ac22-a5fe7db9a694
+ SslPolicy: ELBSecurityPolicy-FS-1-2-2019-08
+ Rules: "{{ alb_rules }}"
+ - Protocol: HTTP
+ Port: 80
+ DefaultActions:
+ - Type: redirect
+ RedirectConfig:
+ Protocol: HTTPS
+ Port: "443"
+ Host: "#{host}"
+ Path: "/#{path}"
+ Query: "#{query}"
+ StatusCode: "HTTP_301"
+ register: alb
+
+ - name: List application load balancer details
+ debug:
+ msg: "{{ alb }}"
+
+ - name: Create CNAME for IdP
+ route53:
+ state: present
+ zone: "{{ r53_hosted_zone }}"
+ record: "{{ idp_node.tagged_instances[0].tags.public_fqdn }}"
+ value: "{{ alb.dns_name }}"
+ type: CNAME
+ ttl: 30
+ overwrite: yes
+ wait: no
+
+ - name: Create CNAME for training nodes
+ route53:
+ state: present
+ zone: "{{ r53_hosted_zone }}"
+ record: "{{ item.tagged_instances[0].tags.public_fqdn }}"
+ value: "{{ alb.dns_name }}"
+ type: CNAME
+ ttl: 30
+ overwrite: yes
+ wait: no
+ loop: "{{ training_nodes.results }}"
+
+- hosts: ssh_training_node_hosts
+ become: yes
+ gather_facts: True
+ strategy: free
+
+ tasks:
+
+ - import_role:
+ name: common
+ - import_role:
+ name: swarm
+ - import_role:
+ name: training
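Review bot: The training-node security group opens tcp/80 and tcp/443 from `0.0.0.0/0` even though the nodes are in a private subnet with `assign_public_ip: no` and only the ALB is meant to reach them; the two rules can reference the ALB group instead (`group_id: "{{ alb_sg.group_id }}"` in place of `cidr_ip`), which means creating the ALB security group before the node group rather than after it. The group name `comanage-training--node` has a doubled hyphen that its own `Name` tag `comanage-training-node` does not, which looks like a typo. The HTTPS listener's `CertificateArn` hard-codes an account ID and certificate in the playbook; moving it to vars/global.yml, or resolving it from ACM by domain name at run time, keeps the playbook reusable outside that account. `'Priority': '100'` for the IdP rule is a string while the node rules use `my_idx + 1` integers; `'Priority': 100` keeps the type consistent.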
diff --git a/vars/global.yml b/vars/global.yml
new file mode 100644
index 0000000..a0a1616
--- /dev/null
+++ b/vars/global.yml
@@ -0,0 +1,48 @@
+---
+comanage_training_region: "us-west-2"
+
+r53_hosted_zone: incommon.training
+r53_dns_domain: "comanage.{{ r53_hosted_zone }}"
+
+vpc_cidr_block: 192.168.0.0/16
+
+# We need to have at least two private subnets across two availability
+# zones. The application load balancer requires it.
+vpc_availability_zone:
+ a:
+ public_subnet: 192.168.10.0/24
+ private_subnet: 192.168.110.0/24
+ bastion_ip: 192.168.10.10
+ bastion_hostname: ssh
+ b:
+ public_subnet: 192.168.11.0/24
+ private_subnet: 192.168.111.0/24
+ bastion_ip: 192.168.11.10
+ bastion_hostname: ssh-b
+
+ssh_bastion_instance_type: t2.nano
+# Most current CentOS 7 x86_64
+ssh_bastion_ami_id: ami-01ed306a12b7d1c96
+ssh_bastion_user: centos
+ssh_bastion_device_name: /dev/sda1
+ssh_bastion_volume_type: gp2
+ssh_bastion_volume_size: 8
+
+idp_node_instance_type: t2.small
+# Most current CentOS 7 x86_64
+idp_node_ami_id: ami-01ed306a12b7d1c96
+idp_node_user: centos
+idp_node_device_name: /dev/sda1
+idp_node_volume_type: gp2
+idp_node_volume_size: 20
+
+#training_node_count: 10
+training_node_count: 2
+
+training_node_instance_type: t2.small
+# Most current CentOS 7 x86_64
+training_node_ami_id: ami-01ed306a12b7d1c96
+training_node_user: centos
+training_node_device_name: /dev/sda1
+training_node_volume_type: gp2
+training_node_volume_size: 20
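Review bot: The same AMI ID `ami-01ed306a12b7d1c96` is pinned three times (L3996, L4004, L4015) under the comment "Most current CentOS 7 x86_64", which is a point-in-time claim that nothing in the file verifies and that goes stale silently on the next rebuild; AMI IDs are also region-specific, so the pin is only meaningful together with `comanage_training_region: "us-west-2"` on L3973. Pinning by ID is the safer choice (a name-based lookup without an owner filter could resolve to an image published by an unrelated account), but the pin should be reviewable: collapse it into one variable, e.g. `centos7_ami_id: ami-01ed306a12b7d1c96` with `ssh_bastion_ami_id: "{{ centos7_ami_id }}"` (and the same for the IdP and training nodes), and replace the "Most current" comment with one that records the region, the image owner account and image name, and the date it was last bumped, so a reviewer can confirm the ID still points at the intended image.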
diff --git a/vpc.yml b/vpc.yml
new file mode 100644
index 0000000..ace3a4a
--- /dev/null
+++ b/vpc.yml
@@ -0,0 +1,137 @@
+---
+- hosts: localhost
+ connection: local
+ gather_facts: False
+
+ tasks:
+
+ - name: VPC for COmanage Registry training
+ ec2_vpc_net:
+ name: comanage_training
+ cidr_block: "{{ vpc_cidr_block }}"
+ region: "{{ comanage_training_region }}"
+ tags:
+ Name: VPC for COmanage Registry training
+ tenancy: default
+ register: comanage_training_vpc
+ # refer to the VPC id using {{ comanage_training_vpc.vpc.id }}
+
+ - name: List VPC information
+ debug:
+ msg: "vpc_id: {{ comanage_training_vpc.vpc.id }}"
+
+ - name: Internet gateway for COmanage Registry training VPC
+ ec2_vpc_igw:
+ vpc_id: "{{ comanage_training_vpc.vpc.id }}"
+ region: "{{ comanage_training_region }}"
+ state: present
+ tags:
+ Name: comanage_training_igw
+ register: igw
+
+ - name: List IGW information
+ debug:
+ msg: "gateway_id: {{ igw.gateway_id }}"
+
+ - name: Public subnet for COmanage Registry training
+ ec2_vpc_subnet:
+ state: present
+ vpc_id: "{{ comanage_training_vpc.vpc.id }}"
+ region: "{{ comanage_training_region }}"
+ cidr: "{{ item.value.public_subnet }}"
+ az: "{{ comanage_training_region }}{{ item.key }}"
+ tags:
+ Name: "{{ item.key }}-public-comanage-training"
+ register: subnet_public
+ loop: "{{ vpc_availability_zone | dict2items }}"
+
+ - name: List public subnet information
+ debug:
+ msg: "{{ item.subnet.availability_zone }}|{{ item.subnet.id }}|{{ item.subnet.cidr_block }}"
+ loop: "{{ subnet_public.results }}"
+
+ - name: Build public_subnet_id_by_az dictionary
+ set_fact:
+ public_subnet_id_by_az: "{{ public_subnet_id_by_az | default({}) | combine( {item.subnet.availability_zone: item.subnet.id} ) }}"
+ loop: "{{ subnet_public.results }}"
+
+ - name: Build public_subnet_ids
+ set_fact:
+ public_subnet_ids: "{{ public_subnet_ids | default([]) + [ item.subnet.id ] }}"
+ loop: "{{ subnet_public.results }}"
+
+ - name: Route table through Internet gateway for public subnets
+ ec2_vpc_route_table:
+ vpc_id: "{{ comanage_training_vpc.vpc.id }}"
+ region: "{{ comanage_training_region }}"
+ tags:
+ Name: comanage_training_public_igw
+ subnets: "{{ public_subnet_ids }}"
+ routes:
+ - dest: 0.0.0.0/0
+ gateway_id: igw
+
+ - name: NAT gateway for public subnet
+ ec2_vpc_nat_gateway:
+ region: "{{ comanage_training_region }}"
+ state: present
+ subnet_id: "{{ item.subnet.id }}"
+ if_exist_do_not_create: yes
+ wait: yes
+ register: nat_gateway
+ loop: "{{ subnet_public.results }}"
+
+ - name: List NAT GW information
+ debug:
+ msg: "nat_gateway_id: {{ item.nat_gateway_id }} , subnet_id: {{ item.subnet_id }}, cidr_block: {{ item.item.subnet.cidr_block }}"
+ loop: "{{ nat_gateway.results }}"
+
+ - name: Build nat_id_by_az dictionary
+ set_fact:
+ nat_id_by_az: "{{ nat_id_by_az | default({}) | combine( {item.item.subnet.availability_zone: item.nat_gateway_id} ) }}"
+ loop: "{{ nat_gateway.results }}"
+
+ - name: Private subnet for COmanage Registry training
+ ec2_vpc_subnet:
+ state: present
+ vpc_id: "{{ comanage_training_vpc.vpc.id }}"
+ region: "{{ comanage_training_region }}"
+ cidr: "{{ item.value.private_subnet }}"
+ az: "{{ comanage_training_region }}{{ item.key }}"
+ tags:
+ Name: "{{ item.key }}-private-comanage-training"
+ register: subnet_private
+ loop: "{{ vpc_availability_zone | dict2items }}"
+
+ - name: List private subnets
+ debug:
+ msg: "private|{{ item.subnet.id }}|{{ item.subnet.availability_zone }}|{{ item.subnet.cidr_block }}"
+ loop: "{{ subnet_private.results }}"
+
+ - name: Build private_subnet_id_by_az dictionary
+ set_fact:
+ private_subnet_id_by_az: "{{ private_subnet_id_by_az | default({}) | combine( {item.subnet.availability_zone: item.subnet.id} ) }}"
+ loop: "{{ subnet_private.results }}"
+
+ - name: Build private_subnet_cidr_by_az dictionary
+ set_fact:
+ private_subnet_cidr_by_az: "{{ private_subnet_cidr_by_az | default({}) | combine( {item.subnet.availability_zone: item.subnet.cidr_block} ) }}"
+ loop: "{{ subnet_private.results }}"
+
+ - name: Build private_subnet_ids
+ set_fact:
+ private_subnet_ids: "{{ private_subnet_ids | default([]) + [ item.subnet.id ] }}"
+ loop: "{{ subnet_private.results }}"
+
+ - name: Build routing tables for private subnet through NAT GW
+ ec2_vpc_route_table:
+ vpc_id: "{{ comanage_training_vpc.vpc.id }}"
+ region: "{{ comanage_training_region }}"
+ tags:
+ Name: "comanage-training-private-{{ item.item.key }}"
+ subnets:
+ - "{{ item.subnet.id }}"
+ routes:
+ - dest: 0.0.0.0/0
+ gateway_id: "{{ nat_id_by_az[item.subnet.availability_zone] }}"
+ loop: "{{ subnet_private.results }}"
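Review bot: The public route table on L4097 uses the module's shorthand `gateway_id: igw`, which the module resolves to whichever internet gateway is attached to the VPC, even though the gateway created on L4048-L4055 is registered as `igw` and its id is only ever printed by the debug task on L4059. Passing the registered id, `gateway_id: "{{ igw.gateway_id }}"`, ties the 0.0.0.0/0 route to the gateway this play created and makes the dependency explicit, matching how the private route tables on L4151-L4162 pass the registered NAT gateway id rather than a lookup. Separately, the booleans on L4104-L4105 are spelled `yes`; `true` is the unambiguous YAML spelling and is what the rest of the Ansible ecosystem's linters expect.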