diff --git a/app/src/Controller/AppController.php b/app/src/Controller/AppController.php
index 4eb2bedec..0e02ae767 100644
--- a/app/src/Controller/AppController.php
+++ b/app/src/Controller/AppController.php
@@ -109,7 +109,8 @@ public function beforeRender(\Cake\Event\Event $event) {
     parent::beforeRender($event);
     
     // The current user, if authenticated
-    $this->set('vv_user', $this->request->getSession()->read('Auth.User'));
+    $curUser = $this->request->getSession()->read('Auth.User');
+    $this->set('vv_user', $curUser);
     
     // The current Matchgrid, as determined in beforeFilter()
     $mgid = null;
@@ -123,7 +124,7 @@ public function beforeRender(\Cake\Event\Event $event) {
     $this->set('vv_matchgrids', $this->Matchgrids->find('list')->find('activeMatchGrids')->toArray());
     
     // The set of menu permissions, so the layout knows what to render
-    if($this->Authorization) {
+    if($this->Authorization && $curUser) {
       // Ordinarily $this->Authorization will be set, but under certain error conditions
       // it won't, which will prevent error messages from rendering
       
diff --git a/app/src/Controller/MatchgridsController.php b/app/src/Controller/MatchgridsController.php
index f377c6041..c686734cb 100644
--- a/app/src/Controller/MatchgridsController.php
+++ b/app/src/Controller/MatchgridsController.php
@@ -96,6 +96,9 @@ public function isAuthorized(Array $user) {
       'manage'    => $platformAdmin || $mgAdmin,
       'pending'   => $platformAdmin || $mgAdmin || $recMgr,
       'reconcile' => $platformAdmin || $mgAdmin || $recMgr,
+      // We allow anyone to access select since we don't have a matchgrid context yet.
+      // If $user has no meaningful permissions, they'll get no menu options.
+      'select'    => true,
       'view'      => false
     ];
     
@@ -251,4 +254,15 @@ public function reconcile(string $id) {
       $this->Flash->error(__('match.er.reconcile', [$e->getMessage()]));
     }
   }
+  
+  /**
+   * Provide a set of Matchgrids to operate on.
+   *
+   * @since  COmanage Match v1.0.0
+   * @param  String $id Matchgrid ID
+   */
+  
+  public function select() {
+    $this->set('vv_title', __('match.op.select.mg'));
+  }
 }
\ No newline at end of file
diff --git a/app/src/Controller/PagesController.php b/app/src/Controller/PagesController.php
index 63debee9d..58f120679 100644
--- a/app/src/Controller/PagesController.php
+++ b/app/src/Controller/PagesController.php
@@ -28,7 +28,33 @@
  */
 class PagesController extends AppController
 {
-
+  /**
+   * Callback run prior to the request action.
+   *
+   * @since  COmanage Match v1.0.0
+   * @param  Event $event Cake Event
+   */
+  
+  public function beforeFilter(\Cake\Event\Event $event) {
+    parent::beforeFilter($event);
+    
+    $param = $this->request->getParam('pass.0');
+    
+    if($param == 'home') {
+      // Allow rendering to get the login button. If we're already logged in,
+      // redirect to the landing page.
+      if($this->request->getSession()->read('Auth')) {
+        $this->redirect([
+          'controller' => 'matchgrids',
+          'action'     => 'select',
+          'plugin'     => false
+        ]);
+      }
+      
+      $this->Auth->allow(['display']);
+    }
+  }
+  
     /**
      * Displays a view
      *
diff --git a/app/src/Controller/UsersController.php.not b/app/src/Controller/UsersController.php.not
deleted file mode 100644
index fb591f3a4..000000000
--- a/app/src/Controller/UsersController.php.not
+++ /dev/null
@@ -1,70 +0,0 @@
-<?php
-/**
- * COmanage Match Users Controller
- *
- * Portions licensed to the University Corporation for Advanced Internet
- * Development, Inc. ("UCAID") under one or more contributor license agreements.
- * See the NOTICE file distributed with this work for additional information
- * regarding copyright ownership.
- *
- * UCAID licenses this file to you under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with the
- * License. You may obtain a copy of the License at:
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * @link          http://www.internet2.edu/comanage COmanage Project
- * @package       match
- * @since         COmanage Match v1.0.0
- * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
- */
-
-declare(strict_types = 1);
-
-namespace App\Controller;
-
-use Cake\Event\Event;
-use Cake\Log\Log;
-
-// XXX currently we don't need this file -- or do we?
-// can we get rid of users controller in Registry v4.0.0
-
-class UsersController extends AppController {
-  public function beforeFilter(Event $event) {
-    parent::beforeFilter($event);
-    
-        // Allow users to register and logout.
-        // You should not add the "login" action to allow list. Doing so would
-        // cause problems with normal functioning of AuthComponent.
-    $this->Auth->allow(['logout']);
-  }
-
-  public function login() {
-    /*
-    Log::write('debug', 'UsersController::login()');
-    
-    Log::write('debug', 'target=' . $request->session()->read('Auth.target'));
-    Log::write('debug', 'user=' . $request->session()->read('Auth.external.user'));
-    
-    $this->Auth->setUser($user);
-    return $this->redirect($request->session()->read('Auth.target'));
-    
-    /*
-debug('in login');
-    if ($this->request->is('post')) {
-      $user = $this->Auth->identify();
-debug($user);
-      if ($user) {
-          $this->Auth->setUser($user);
-          return $this->redirect($this->Auth->redirectUrl());
-      }
-      $this->Flash->error('Your username or password is incorrect.');
-    }*/
-  }
-}
diff --git a/app/src/Locale/en_US/default.po b/app/src/Locale/en_US/default.po
index c4d67ad0f..a01d436f3 100644
--- a/app/src/Locale/en_US/default.po
+++ b/app/src/Locale/en_US/default.po
@@ -197,6 +197,9 @@ msgstr "Request ID {0} not found"
 msgid "match.er.save"
 msgstr "Save Failed ({0})"
 
+msgid "match.er.unauthorized"
+msgstr "{0} does not have any valid permissions"
+
 # XXX rekey?
 msgid "matchgrid.er.search_type"
 msgstr "Unknown search type '{0}'"
@@ -306,6 +309,9 @@ msgstr "Unique, alphanumeric name for matchgrid (will be prefixed mg_ for actual
 msgid "match.fd.username"
 msgstr "Username"
 
+msgid "match.home.welcome"
+msgstr "Welcome to {0}."
+
 ### Informational Messages
 msgid "match.in.matchgrids.none"
 msgstr "There are no matchgrids currently defined."
@@ -336,6 +342,12 @@ msgstr "Edit"
 msgid "match.op.edit.a"
 msgstr "Edit {0}"
 
+msgid "match.op.login"
+msgstr "Login"
+
+msgid "match.op.logout"
+msgstr "Logout"
+
 msgid "match.op.manage"
 msgstr "Manage"
 
@@ -360,6 +372,9 @@ msgstr "Assign This Reference ID"
 msgid "match.op.save"
 msgstr "Save"
 
+msgid "match.op.select.mg"
+msgstr "Matchgrid Selection"
+
 msgid "match.op.skip_to_content"
 msgstr "Skip to main content"
 
diff --git a/app/src/Template/Element/breadcrumbs.ctp b/app/src/Template/Element/breadcrumbs.ctp
index 29d4d61a6..fb5a5360d 100644
--- a/app/src/Template/Element/breadcrumbs.ctp
+++ b/app/src/Template/Element/breadcrumbs.ctp
@@ -43,7 +43,8 @@ if($this->request->getRequestTarget(false) != '/') {
 
   $this->Breadcrumbs->prepend(
     __('match.meta.match'),
-    '/'
+    ['controller'   => 'matchgrids',
+     'action'       => 'select']
   );
   
   if(!empty($vv_cur_mg) 
diff --git a/app/src/Template/Element/menuUser.ctp b/app/src/Template/Element/menuUser.ctp
index 93642aebf..e776d14d2 100644
--- a/app/src/Template/Element/menuUser.ctp
+++ b/app/src/Template/Element/menuUser.ctp
@@ -38,27 +38,27 @@
     <ul id="user-links-menu" class="mdl-menu mdl-menu--bottom-right mdl-js-menu mdl-js-ripple-effect" for="user-links">
       <li id="user-links-cn">XXX Put something here</li>
       <li id="logout-in-menu" class="co-menu-button">
-        <?php // XXX these links aren't right
-          $args = array('controller' => 'auth',
-            'action'     => 'logout',
-            'plugin'     => false);
-          print $this->Html->link("XXX LOGOUT" . ' <span class="fa fa-sign-out"></span>',
-            $args, array('escape'=>false, 'class' => 'mdl-button mdl-js-button mdl-js-ripple-effect'));
+        <?php
+          print $this->Html->link(__('match.op.logout') . ' <span class="fa fa-sign-out"></span>',
+                                  '/auth/logout/logout.php',
+                                  ['escape'     => false,
+                                   'class'      => 'mdl-button mdl-js-button mdl-js-ripple-effect']);
         ?>
       </li>
     </ul>
   </div>
-<?php endif ?>
+<?php endif; ?>
 
 <?php if(!isset($noLoginLogout) || !$noLoginLogout) : ?>
-  <?php // Print the login button XXX this isn't right
+  <?php
     if(!$vv_user) {
-      $args = array('controller' => 'auth',
-                    'action'     => 'login',
-                    'plugin'     => false
-                   );
-      print $this->Html->link("XXX LOGIN" . ' <span class="fa fa-sign-in"></span>',
-            $args, array('escape'=>false, 'id' => 'login', 'class' => ''));
+      print $this->Html->link(__('match.op.login') . ' <span class="fa fa-sign-in"></span>',
+                              ['controller' => 'matchgrids',
+                               'action'     => 'select',
+                               'plugin'     => false],
+                              ['escape'     => false, 
+                               'id'         => 'login',
+                               'class'      => '']);
     }
   ?>
 <?php endif; ?>
diff --git a/app/src/Template/Matchgrids/manage.ctp b/app/src/Template/Matchgrids/manage.ctp
index a6c64f147..40f63b18d 100644
--- a/app/src/Template/Matchgrids/manage.ctp
+++ b/app/src/Template/Matchgrids/manage.ctp
@@ -26,9 +26,20 @@
  */
 
 declare(strict_types = 1);
+?>
 
-print $this->Html->link(__('match.op.reconcile'),
-                        ['controller' => 'Matchgrids',
-                         'action' => 'pending',
-                         $vv_cur_mg->id],
-                        ['class' => 'reconcilebutton']);
+<h1><?= $vv_title; ?></h1>
+
+<!-- Matchgrid Management Menu -->
+<section class="inner-content">
+  <ul id="configuration-menu" class="three-col">
+    <li>
+      <em class="material-icons" aria-hidden="true">check_circle</em>
+      <?= $this->Html->link(__('match.op.reconcile'),
+                            ['controller' => 'Matchgrids',
+                             'action' => 'pending',
+                             $vv_cur_mg->id]);
+      ?>
+    </li>
+  </ul>
+</section>
\ No newline at end of file
diff --git a/app/src/Template/Matchgrids/select.ctp b/app/src/Template/Matchgrids/select.ctp
new file mode 100644
index 000000000..5f7fa933e
--- /dev/null
+++ b/app/src/Template/Matchgrids/select.ctp
@@ -0,0 +1,87 @@
+<?php
+/**
+ * COmanage Matchgrid Select Page
+ *
+ * Portions licensed to the University Corporation for Advanced Internet
+ * Development, Inc. ("UCAID") under one or more contributor license agreements.
+ * See the NOTICE file distributed with this work for additional information
+ * regarding copyright ownership.
+ *
+ * UCAID licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with the
+ * License. You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * @link          http://www.internet2.edu/comanage COmanage Project
+ * @package       match
+ * @since         COmanage Match v1.0.0
+ * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ */
+
+declare(strict_types = 1);
+
+use \App\Lib\Enum\PermissionEnum;
+?>
+
+<h1><?= $vv_title; ?></h1>
+
+<?php if(count($vv_matchgrids) == 0): ?>
+<div class="co-info-topbox">
+  <em class="material-icons">info</em>
+  <?= __('match.in.matchgrids.none'); ?>
+</div>
+<?php else: // vv_matchgrids ?>
+<div id="fpCoList" class="co-grid co-grid-with-header mdl-shadow--2dp">
+  <div class="mdl-grid co-grid-header">
+    <div class="mdl-cell mdl-cell--6-col"><?= __('match.ct.matchgrids', [1]) ?></div>
+    <div class="mdl-cell mdl-cell--6-col"><?= __('match.fd.action') ?></div>
+  </div>
+  <?php foreach($vv_matchgrids as $id => $name): ?>
+  <?php
+    if(empty($vv_menu_permissions['gridroles'][$id])
+       && !$vv_menu_permissions['matchgrids']) {
+      continue;
+    }
+  ?>
+  <div class="mdl-grid co-row spin">
+    <div class="mdl-cell mdl-cell--6-col collab-name">
+      <?= filter_var($name, FILTER_SANITIZE_SPECIAL_CHARS); ?>
+    </div>
+    <div class="mdl-cell mdl-cell--6-col collab-desc">
+      <?php
+        // Can manage this matchgrid?
+        if((isset($vv_menu_permissions['gridroles'][$id][PermissionEnum::MatchgridAdmin])
+            && $vv_menu_permissions['gridroles'][$id][PermissionEnum::MatchgridAdmin])
+           // Proxy for platform admin
+           || $vv_menu_permissions['matchgrids']) {
+          print $this->Html->link(__('match.op.manage'),
+                                  ['controller' => 'Matchgrids',
+                                   'action'     => 'manage',
+                                   $id],
+                                  ['class' => 'configurebutton']);
+        }
+        
+        // Can reconcile this matchgrid?
+        if((isset($vv_menu_permissions['gridroles'][$id][PermissionEnum::ReconciliationManager])
+            && $vv_menu_permissions['gridroles'][$id][PermissionEnum::ReconciliationManager])
+           // Proxy for platform admin
+           || $vv_menu_permissions['matchgrids']) {
+          print $this->Html->link(__('match.op.reconcile'),
+                                  ['controller' => 'Matchgrids',
+                                   'action'     => 'pending',
+                                   $id],
+                                  ['class' => 'reconcilebutton']);
+        }
+      ?>
+    </div>
+  </div>
+  <?php endforeach; // vv_matchgrids ?>
+</div>
+<?php endif; // vv_matchgrids ?>
diff --git a/app/src/Template/Pages/home.ctp b/app/src/Template/Pages/home.ctp
index 3a40f37f0..35961a6c1 100644
--- a/app/src/Template/Pages/home.ctp
+++ b/app/src/Template/Pages/home.ctp
@@ -26,58 +26,20 @@
  */
 
 declare(strict_types = 1);
-
-use \App\Lib\Enum\PermissionEnum;
 ?>
-<?php if(count($vv_matchgrids) == 0): ?>
-<div class="co-info-topbox">
-  <em class="material-icons">info</em>
-  <?= __('match.in.matchgrids.none'); ?>
-</div>
-<?php else: // vv_matchgrids ?>
-<div id="fpCoList" class="co-grid co-grid-with-header mdl-shadow--2dp">
-  <div class="mdl-grid co-grid-header">
-    <div class="mdl-cell mdl-cell--6-col"><?= __('match.ct.matchgrids', [1]) ?></div>
-    <div class="mdl-cell mdl-cell--6-col"><?= __('match.fd.action') ?></div>
-  </div>
-  <?php foreach($vv_matchgrids as $id => $name): ?>
+<?php if(empty($vv_user)): ?>
+  <h1 class="loginMsg"><?= __('match.home.welcome', [__('match.meta.match')]); ?></h1>
   <?php
-    if(empty($vv_menu_permissions['gridroles'][$id])
-       && !$vv_menu_permissions['matchgrids']) {
-      continue;
-    }
-    
-    // What action to link to?
-    $action = 'none';
-    
-    if((isset($vv_menu_permissions['gridroles'][$id][PermissionEnum::MatchgridAdmin])
-        && $vv_menu_permissions['gridroles'][$id][PermissionEnum::MatchgridAdmin])
-       // Proxy for platform admin
-       || $vv_menu_permissions['matchgrids']) {
-      $action = 'manage';
-      $label = __('match.op.manage');
-    } elseif(isset($vv_menu_permissions['gridroles'][$id][PermissionEnum::ReconciliationManager])
-             && $vv_menu_permissions['gridroles'][$id][PermissionEnum::ReconciliationManager]) {
-      $action = 'pending';
-      $label = __('match.op.reconcile');
-    }
+    // Print the login button
+    $buttonClasses = "mdl-button mdl-js-button mdl-button--raised mdl-js-ripple-effect mdl-button--colored";
+    print '<div id="welcome-login">';
+    print $this->Html->link(__('match.op.login') . ' <span class="fa fa-sign-in"></span>',
+                            ['controller' => 'matchgrids',
+                             'action'     => 'select',
+                             'plugin'     => false],
+                            ['escape'     => false,
+                             'id'         => 'welcome-login-button',
+                             'class' => $buttonClasses]);
+    print '</div>';
   ?>
-  <?php if($action != 'none'): ?>
-  <div class="mdl-grid co-row spin">
-    <div class="mdl-cell mdl-cell--6-col collab-name">
-      <?= filter_var($name, FILTER_SANITIZE_SPECIAL_CHARS); ?>
-    </div>
-    <div class="mdl-cell mdl-cell--6-col collab-desc">
-      <?=
-        $this->Html->link($label,
-                          ['controller' => 'Matchgrids',
-                           'action'     => $action,
-                           $id],
-                          ['class' => 'reconcilebutton']);
-      ?>
-    </div>
-  </div>
-    <?php endif; // $action ?>
-  <?php endforeach; // vv_matchgrids ?>
-</div>
-<?php endif; // vv_matchgrids ?>
+<?php endif; // vv_user ?>
diff --git a/app/src/Template/Standard/index.ctp b/app/src/Template/Standard/index.ctp
index a6a890733..34a5570fd 100644
--- a/app/src/Template/Standard/index.ctp
+++ b/app/src/Template/Standard/index.ctp
@@ -114,7 +114,7 @@ function _column_key($modelsName, $c) {
               // AutoViewVar $foos is set, and if so render the lookup value instead
               $f = null;
               if(preg_match('/^(.*?)_id$/', $col, $f)) {
-                $avv = \Cake\Utility\Inflector::pluralize($f[1]);
+                $avv = \Cake\Utility\Inflector::variable(\Cake\Utility\Inflector::pluralize($f[1]));
                 
                 if(!empty(${$avv}[$entity->$col])) {
                   // We found the viewar (eg: $foos), and it has a corresponding value
diff --git a/app/webroot/auth/login/login.php b/app/webroot/auth/login/login.php
index 2cb866496..f2f1cc3e7 100644
--- a/app/webroot/auth/login/login.php
+++ b/app/webroot/auth/login/login.php
@@ -43,5 +43,7 @@
 
 $_SESSION['Auth']['external']['user'] = $_SERVER['REMOTE_USER'];
 
+$target = !empty($_SESSION['Auth']['target']) ? $_SESSION['Auth']['target'] : "/";
+
 // XXX fix hardcoded prefix?
-header("Location: /match" . $_SESSION['Auth']['target']);
+header("Location: /match" . $target);
diff --git a/app/webroot/auth/logout/logout.php b/app/webroot/auth/logout/logout.php
index 0bfa1169f..aa79ef376 100644
--- a/app/webroot/auth/logout/logout.php
+++ b/app/webroot/auth/logout/logout.php
@@ -28,12 +28,12 @@
 // We need to be in webroot and not use index.php in order to not interfere with
 // Cake's desire to turn everything into a Controller.
 
-// The webserver should be configured to do the bulk of the work here, we
-// simply grab REMOTE_USER and stuff it into the session so the app can see it.
+// Unset the Authentication information. We do this here (rather than in a controller)
+// so we can trigger whatever webserver logout needs to run.
 
 session_name("MATCHCAKEPHP");
 session_start();
 
 unset($_SESSION['Auth']);
 
-header("Location: " . "/match/users/logout");
+header("Location: " . "/match");