diff --git a/midpoint/.env b/midpoint/.env
new file mode 100644
index 0000000..9b1bf15
--- /dev/null
+++ b/midpoint/.env
@@ -0,0 +1,13 @@
+AUTHENTICATION=internal
+ENV=demo
+USERTOKEN=3.9-SNAPSHOT
+REPO_DATABASE_TYPE=mariadb
+REPO_JDBC_URL=default
+REPO_HOST=midpoint-data
+REPO_PORT=3306
+REPO_DATABASE=midpoint
+REPO_USER=root
+REPO_PASSWORD_FILE=/run/secrets/m_database_password.txt
+KEYSTORE_PASSWORD_FILE=/run/secrets/m_keystore_password.txt
+MEM=2048m
+LOGOUT_URL=https://localhost:8443/Shibboleth.sso/Logout
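Review bot: `REPO_USER=root` makes midPoint connect to MariaDB as the database superuser, and because this `.env` is committed and read automatically by docker-compose, that becomes the default for every deployment built from it. The passwords are correctly kept out of the file (`REPO_PASSWORD_FILE` and `KEYSTORE_PASSWORD_FILE` point at `/run/secrets`), so the remaining exposure is privilege rather than credentials. A dedicated account with rights on the `midpoint` database only would be preferable once the data image creates one; until then, record the intent in the file itself: `# demo only: the application connects as the DB superuser; use a dedicated least-privilege account in real deployments`.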
diff --git a/midpoint/README.md b/midpoint/README.md
index 35e9c3a..c796407 100644
--- a/midpoint/README.md
+++ b/midpoint/README.md
@@ -1,56 +1,5 @@
# Overview
-This is a preliminary version of midPoint dockerization for TIER environment.
+This is a midPoint dockerization for TIER environment. It is a work in progress.
-There are two containers there:
-
-- `midpoint-server`: provides the midPoint application
-- `midpoint-data`: provides the default midPoint repository; note that the repository can be implemented in any other way - by another container (perhaps hosting a different database) or by providing it externally: on premises or in cloud.
-
-# Building and starting
-## Downloading midPoint
-
-Before building, please build or download current `midpoint-3.9-SNAPSHOT-dist.tar.gz` file and put it into `midpoint-server` directory. There are the following options:
-1. Build midPoint from sources as described [here](https://wiki.evolveum.com/display/midPoint/Building+MidPoint+From+Source+Code) - *but use `tmp/tier` branch instead of `master`*. It should contain a bit more stable code in comparison with the master branch.
-2. Use `download-midpoint` script.
-3. Download midPoint manually from [Evolveum web site](https://evolveum.com/downloads/midpoint-tier/midpoint-3.9-SNAPSHOT-dist.tar.gz).
-
-Showing e.g. the second option:
-
-```
-$ ./download-midpoint
-Downloading midPoint 3.9-SNAPSHOT
------------------------------------------
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
-100 157M 100 157M 0 0 867k 0 0:03:05 0:03:05 --:--:-- 954k
------------------------------------------
-Checking the download...
-OK
-```
-
-## Creating Docker composition
-
-After midPoint archive is correctly placed into `midpoint-server` directory, please execute the following commands:
-
-```
-$ docker-compose up --build
-```
-
-This will take a while.
-
-Finally, you will see notices like these:
-
-```
-Starting midpoint_midpoint-data_1 ...
-Starting midpoint_midpoint-data_1 ... done
-Recreating midpoint_midpoint-server_1 ...
-Recreating midpoint_midpoint-server_1 ... done
-Attaching to midpoint_midpoint-data_1, midpoint_midpoint-server_1
-```
-
-followed by startup messages from individual Docker containers.
-
-## After installation
-
-After Docker containers are up, check that you can log into midPoint at `http://localhost:8080/midpoint` using `administrator/5ecr3t`.
+Please see a detailed description, including installation instructions [here](https://spaces.at.internet2.edu/display/MID/Dockerized+midPoint).
diff --git a/midpoint/configs-and-secrets/midpoint/database_password.txt b/midpoint/configs-and-secrets/midpoint/application/database_password.txt
similarity index 100%
rename from midpoint/configs-and-secrets/midpoint/database_password.txt
rename to midpoint/configs-and-secrets/midpoint/application/database_password.txt
diff --git a/midpoint/configs-and-secrets/midpoint/keystore_password.txt b/midpoint/configs-and-secrets/midpoint/application/keystore_password.txt
similarity index 100%
rename from midpoint/configs-and-secrets/midpoint/keystore_password.txt
rename to midpoint/configs-and-secrets/midpoint/application/keystore_password.txt
diff --git a/midpoint/configs-and-secrets/midpoint/httpd/host-cert.pem b/midpoint/configs-and-secrets/midpoint/httpd/host-cert.pem
new file mode 100644
index 0000000..9b1021b
--- /dev/null
+++ b/midpoint/configs-and-secrets/midpoint/httpd/host-cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqDCCApCgAwIBAgIJAMOSkn4oS2aAMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRcwFQYDVQQK
+DA5JbnRlcm5ldDIvVElFUjEgMB4GA1UEAwwXbWlkcG9pbnQuc3AuZXhhbXBsZS5v
+cmcwHhcNMTgwOTE0MDU1OTQ1WhcNMTkwOTE0MDU1OTQ1WjBpMQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50
+ZXJuZXQyL1RJRVIxIDAeBgNVBAMMF21pZHBvaW50LnNwLmV4YW1wbGUub3JnMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApj/b7MEUSfu3oXMfNgRwTse7
+a5UV7Jswf1M/ZN/ZZkAkIxNBevZgozjesvLPWrmsTgONi7XigJUJvCjdjmlW9eDM
+lri/rkD8HuOR1DQCVKL9nvoS2c3D7sq5Emda3V8Tlj82VqfEmePd3sajx7mcTfbH
+8jwAL9NhkC+WMib5IpjLGpG0FEAC0ha7Lxb+7jIiqHVJaqLXJGCyGN4mh6c1Q9S1
+f8RVTiW2a8x22G+9wnZYbkiA2Kxls177imHlhSz8EdvV4IpGw1amrEWhhuDEum7B
+vZ1xQDLatgRqh4qAKLIVYeRnJ8H1FelMa90qB4G08MIPifmTsQwqJyBYaEdgWQID
+AQABo1MwUTAdBgNVHQ4EFgQUqb9BteODF6wv5R57aEON/wGXMiowHwYDVR0jBBgw
+FoAUqb9BteODF6wv5R57aEON/wGXMiowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAAcKhxI+tSItrXmqC0PSmgWyAYpqbkz6W/cefTutXqhIgY09f
+h0LSv7ogTahoGpyiZk9vy6u3OE9bYwxapEfa4KBjO6HxBMIVBBb3RegVjoPzjElN
+BDwAx0VGFcZTXwMxDWycWdG8ql7rCZBvS50w04uTaIgnGmqXAdWWmBgfJ9cRbxW+
+JwO/mOl1QM1lR/5142NpvuUVWlmZSKEGydE5A1qPz2wpDbBR1ym1BQNS4NEqw6Kp
+GSB8jKyCS1Ve0v2wVze2038Wukz02dq9uKPTIO3T+B+ibZmxn6Op/kFCc1/kK5NS
+Q6JdO1B6KquGAYdGmKAcQ19mv+jqGktqWEEf0g==
+-----END CERTIFICATE-----
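Review bot: This certificate is a hard-coded placeholder with a short lifetime and nothing in the commit renews or replaces it; decoding the visible base64 suggests a self-signed certificate for `midpoint.sp.example.org` valid from 2018-09-14 to 2019-09-14 (confirm with `openssl x509 -noout -dates -in host-cert.pem`). docker-compose.yml bind-mounts it as both the server certificate and `cachain.pem`, so once it lapses every HTTPS client of port 8443 sees an expired, self-signed chain. A comment in docker-compose.yml or the README stating that this is a demo certificate to be regenerated per deployment, and how, would keep it from being shipped as-is.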
diff --git a/midpoint/configs-and-secrets/midpoint/httpd/host-key.pem b/midpoint/configs-and-secrets/midpoint/httpd/host-key.pem
new file mode 100644
index 0000000..5746e59
--- /dev/null
+++ b/midpoint/configs-and-secrets/midpoint/httpd/host-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
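Review bot: A TLS private key is being added to version control here, and docker-compose.yml feeds this same file into the container as the `m_host-key.pem` secret; the same applies to `sp-key.pem` later in this commit. Anyone who has read the repository now holds both keys, so they must be treated as compromised demo material, and keys for any real endpoint have to be generated outside the repository (an init step, or compose secrets sourced from an untracked path). At minimum add both paths to `.gitignore` with a README note, and keep the `secrets:` section of docker-compose.yml pointing at files that are not tracked.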
diff --git a/midpoint/configs-and-secrets/midpoint/shibboleth/idp-metadata.xml b/midpoint/configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
new file mode 100644
index 0000000..35914b7
--- /dev/null
+++ b/midpoint/configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
@@ -0,0 +1,207 @@
+
+
+
+
+
+
+
+ example.org
+
+
+
+
+
+
+
+MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy
+MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH
+YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M
+SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2
+03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No
+5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+
+XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud
+DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk
+hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL
+BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac
+ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98
+NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl
+j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP
+IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E
+t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM=
+
+
+
+
+
+
+
+
+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+
+
+
+
+
+
+
+
+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+
+
+
+
+
+
+ urn:mace:shibboleth:1.0:nameIdentifier
+ urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+
+
+
+
+
+
+
+
+
+
+
+
+ localhost
+
+
+
+
+
+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+
+
+
+
+
+
+
+
+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+
+
+
+
+
+
+
+
+
+MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy
+MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD
+cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ
+l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG
+ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8
+9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX
+VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud
+DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk
+hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL
+BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni
+QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN
+jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r
+xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8
++PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H
+p+tGUbGS2l873J5PrsbpeKEVR/IIoKo=
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/midpoint/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml b/midpoint/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
new file mode 100644
index 0000000..a644264
--- /dev/null
+++ b/midpoint/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
@@ -0,0 +1,136 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SAML2
+
+
+
+ SAML2 Local
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/midpoint/configs-and-secrets/midpoint/shibboleth/sp-cert.pem b/midpoint/configs-and-secrets/midpoint/shibboleth/sp-cert.pem
new file mode 100644
index 0000000..0f5474e
--- /dev/null
+++ b/midpoint/configs-and-secrets/midpoint/shibboleth/sp-cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/midpoint/configs-and-secrets/midpoint/shibboleth/sp-key.pem b/midpoint/configs-and-secrets/midpoint/shibboleth/sp-key.pem
new file mode 100644
index 0000000..b4c7a68
--- /dev/null
+++ b/midpoint/configs-and-secrets/midpoint/shibboleth/sp-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/midpoint/docker-compose.yml b/midpoint/docker-compose.yml
index 88d6af0..d0b435d 100644
--- a/midpoint/docker-compose.yml
+++ b/midpoint/docker-compose.yml
@@ -24,40 +24,62 @@ services:
depends_on:
- midpoint-data
expose:
- - 8080
+ - 443
ports:
- - 8080:8080
- volumes:
- - midpoint_home:/opt/midpoint/var
+ - 8443:443
+ environment:
+ - AUTHENTICATION
+ - ENV
+ - USERTOKEN
+ - REPO_DATABASE_TYPE
+ - REPO_JDBC_URL
+ - REPO_HOST
+ - REPO_PORT
+ - REPO_DATABASE
+ - REPO_USER
+ - REPO_PASSWORD_FILE
+ - KEYSTORE_PASSWORD_FILE
+ - MEM
networks:
- - back
+ - back
secrets:
- - m_database_password.txt
- - m_keystore_password.txt
-# the following is just to demonstrate required normalization of logging parameters
-# environment:
-# - LOGFILE=midpoint.log
-# - COMPONENT=midpoint;tier
-# - "USERTOKEN=user token "
-# - ENV=demo only
-#
-# repository configuration examples
-# - REPO_DATABASE_TYPE=mariadb
-# - REPO_HOST=xyz
-# - REPO_PORT=10000
-# the following overrides default URL construction
-# - REPO_JDBC_URL=jdbc:mariadb://midpoint-data:3306/midpoint
+ - m_database_password.txt
+ - m_keystore_password.txt
+ - source: m_sp-key.pem
+ target: shib_sp-key.pem
+ - source: m_host-key.pem
+ target: host-key.pem
+ volumes:
+ - midpoint_home:/opt/midpoint/var
+ - type: bind
+ source: ./configs-and-secrets/midpoint/shibboleth/sp-cert.pem
+ target: /etc/shibboleth/sp-cert.pem
+ - type: bind
+ source: ./configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
+ target: /etc/shibboleth/shibboleth2.xml
+ - type: bind
+ source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
+ target: /etc/shibboleth/idp-metadata.xml
+ - type: bind
+ source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
+ target: /etc/pki/tls/certs/host-cert.pem
+ - type: bind
+ source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
+ target: /etc/pki/tls/certs/cachain.pem
networks:
back:
driver: bridge
-
secrets:
+ m_host-key.pem:
+ file: ./configs-and-secrets/midpoint/httpd/host-key.pem
+ m_sp-key.pem:
+ file: ./configs-and-secrets/midpoint/shibboleth/sp-key.pem
m_database_password.txt:
- file: ./configs-and-secrets/midpoint/database_password.txt
+ file: ./configs-and-secrets/midpoint/application/database_password.txt
m_keystore_password.txt:
- file: ./configs-and-secrets/midpoint/keystore_password.txt
+ file: ./configs-and-secrets/midpoint/application/keystore_password.txt
volumes:
midpoint_mysql:
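Review bot: None of the five bind mounts added under `volumes:` are read-only, so a process inside `midpoint-server` can rewrite `shibboleth2.xml`, `idp-metadata.xml` or the certificates on the host, and those are exactly the files that define which IdP the SP trusts. Each long-syntax entry accepts `read_only: true`; adding it to all five bind entries (the two `.pem` mounts and the three Shibboleth config mounts) costs nothing at runtime since the container only reads them. `host-cert.pem` is also mounted a second time as `cachain.pem`, which is only correct for a self-signed certificate; a comment next to that entry, `# self-signed demo cert doubles as its own chain; replace with the intermediate chain for a CA-issued cert`, would prevent a leaf certificate from being wired into the chain slot later.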
diff --git a/midpoint/midpoint-data/Dockerfile b/midpoint/midpoint-data/Dockerfile
index fcaa4e0..3249b23 100644
--- a/midpoint/midpoint-data/Dockerfile
+++ b/midpoint/midpoint-data/Dockerfile
@@ -23,13 +23,9 @@ RUN mysql_install_db \
&& echo "/usr/bin/mysqld_safe &" > /tmp/config \
&& echo "mysqladmin --silent --wait=30 ping || exit 1" >> /tmp/config \
&& echo "mysql -e \"CREATE USER 'root'@'%' IDENTIFIED BY '`cat /tmp/database_password.txt`';\"" >> /tmp/config \
- && echo "echo ok0" >> /tmp/config \
&& echo "mysql -e 'GRANT ALL PRIVILEGES ON *.* TO \"root\"@\"%\" WITH GRANT OPTION;'" >> /tmp/config \
- && echo "echo ok1" >> /tmp/config \
&& echo "mysql -e 'CREATE DATABASE midpoint CHARACTER SET utf8 COLLATE utf8_bin;'" >> /tmp/config \
- && echo "echo ok2" >> /tmp/config \
&& echo "mysql -e \"SET PASSWORD FOR 'root'@'localhost' = PASSWORD('`cat /tmp/database_password.txt`');\"" >> /tmp/config \
- && echo "echo ok3" >> /tmp/config \
&& cat /tmp/config \
&& bash /tmp/config \
&& rm -f /tmp/config /tmp/database_password.txt
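Review bot: `&& cat /tmp/config \` still prints the generated script to the build output, and that script embeds the database password twice via `cat /tmp/database_password.txt` (the `CREATE USER` and `SET PASSWORD` lines), so the secret ends up in the `docker build` log and in any CI log that captures it. Dropping the `cat /tmp/config \` line, or replacing it with a redacted listing, removes that exposure; the trailing `rm -f` already keeps the files out of the image layer. The enclosing `RUN mysql_install_db` chain starts before this hunk, so check whether an earlier step also echoes the password. `'root'@'%'` granting superuser access from any host is pre-existing, but deserves a `# demo only` comment on that line.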
diff --git a/midpoint/midpoint-server/Dockerfile b/midpoint/midpoint-server/Dockerfile
index 4e58c39..c2e274a 100644
--- a/midpoint/midpoint-server/Dockerfile
+++ b/midpoint/midpoint-server/Dockerfile
@@ -6,22 +6,34 @@ FROM tier/shibboleth_sp
MAINTAINER info@evolveum.com
-# TODO switch to other appropriate Java implementation
-
RUN yum -y install java-1.8.0-openjdk
+RUN rm /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem
+
+COPY container_files/httpd/conf/* /etc/httpd/conf.d/
+COPY container_files/shibboleth/* /etc/shibboleth/
+COPY container_files/usr-local-bin/* /usr/local/bin/
+
+RUN cp /dev/null /etc/httpd/conf.d/ssl.conf \
+ && sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
+ && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
+ && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
+ && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
+ && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
+ && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf
+
# Build arguments
ARG MP_VERSION=3.9-SNAPSHOT
ARG MP_DIST_FILE=midpoint-${MP_VERSION}-dist.tar.gz
-ENV MP_DIR=/opt/midpoint
-
-# Copying files
+ENV MP_DIR /opt/midpoint
RUN mkdir -p ${MP_DIR}/var
+
COPY ${MP_DIST_FILE} ${MP_DIR}
-COPY container_files/ ${MP_DIR}/
+COPY container_files/mp-dir/ ${MP_DIR}/
+
RUN echo 'Extracting midPoint archive...' \
&& tar xzf ${MP_DIR}/midpoint-${MP_VERSION}-dist.tar.gz -C ${MP_DIR} --strip-components=1
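Review bot: The new `RUN cp /dev/null /etc/httpd/conf.d/ssl.conf \ && sed ...` block performs four unrelated, non-obvious edits to the stock httpd configuration with no comment: it empties the distro `ssl.conf` (presumably so that `ssl-enable.conf` owns the only `Listen 443`), injects the TIER `ENV;USERTOKEN` prefix into every `LogFormat`, redirects `CustomLog` and `ErrorLog` to `/tmp/logpipe`, and exports `ENV`/`USERTOKEN` into httpd via `PassEnv`. A one-line `#` comment before each `&&` step naming its purpose would make the block maintainable. The `echo -e "..." >> /etc/httpd/conf/httpd.conf` lines also depend on the image's `/bin/sh` being bash; `printf '\nPassEnv ENV\n' >> /etc/httpd/conf/httpd.conf` is the portable form.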
@@ -37,32 +49,22 @@ ENV REPO_JDBC_URL default
ENV REPO_PASSWORD_FILE /run/secrets/m_database_password.txt
ENV REPO_DATABASE_TYPE mariadb
-ENV KEYSTORE_PASSWORD_FILE /run/secrets/m_keystore_password.txt
-
# Logging parameters
-ENV COMPONENT midpoint
-ENV LOGFILE midpoint.log
ENV ENV demo
ENV USERTOKEN $MP_VERSION
+# Authentication/web
+
+ENV AUTHENTICATION internal
+ENV SSO_HEADER uid
+ENV AJP_ENABLED true
+ENV AJP_PORT 9090
+ENV LOGOUT_URL https://localhost:8443/Shibboleth.sso/Logout
+
# Other parameters
-ENV MEM 2048M
-
-# Execution
-
-CMD java -Xmx$MEM -Xms2048M -Dfile.encoding=UTF8 \
- -Dmidpoint.home=$MP_DIR/var \
- -Dmidpoint.repository.database=$REPO_DATABASE_TYPE \
- -Dmidpoint.repository.jdbcUsername=$REPO_USER \
- -Dmidpoint.repository.jdbcPassword_FILE=$REPO_PASSWORD_FILE \
- -Dmidpoint.repository.jdbcUrl="`$MP_DIR/repository-url`" \
- -Dmidpoint.repository.hibernateHbm2ddl=none \
- -Dmidpoint.repository.missingSchemaAction=create \
- -Dmidpoint.repository.initializationFailTimeout=60000 \
- -Dmidpoint.keystore.keyStorePassword_FILE=$KEYSTORE_PASSWORD_FILE \
- -Dmidpoint.logging.console.enabled=true \
- -Dmidpoint.logging.console.prefix="`$MP_DIR/log-prefix`" \
- -Dmidpoint.logging.console.timezone=UTC \
- -jar $MP_DIR/lib/midpoint.war
+ENV KEYSTORE_PASSWORD_FILE /run/secrets/m_keystore_password.txt
+ENV MEM 2048m
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
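Review bot: `ENV AJP_ENABLED true` and `ENV AJP_PORT 9090` enable an AJP connector in midPoint that the entrypoint passes straight through, while `ENV SSO_HEADER uid` tells midPoint to take the user identity from a request header; in compose, `expose:` only documents ports, so any container on the `back` network can reach 9090 directly and bypass httpd/Shibboleth. The safe shape is for AJP to be reachable only from the httpd inside the same container: bind it to loopback if midPoint offers a bind-address setting, or document that the `back` network must contain only trusted services. `SSO_HEADER` is also applied regardless of `AUTHENTICATION`; if the `sso` profile is inactive it is presumably ignored, but a comment stating that the header is only honoured when `AUTHENTICATION=shibboleth` would remove the doubt.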
diff --git a/midpoint/midpoint-server/container_files/httpd/conf/midpoint.conf.auth.internal b/midpoint/midpoint-server/container_files/httpd/conf/midpoint.conf.auth.internal
new file mode 100644
index 0000000..690a4cd
--- /dev/null
+++ b/midpoint/midpoint-server/container_files/httpd/conf/midpoint.conf.auth.internal
@@ -0,0 +1,6 @@
+
+Timeout 2400
+ProxyTimeout 2400
+ProxyBadHeader Ignore
+
+ProxyPass /midpoint ajp://localhost:9090/midpoint timeout=2400
\ No newline at end of file
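Review bot: The AJP target `ajp://localhost:9090/midpoint` duplicates the port that the Dockerfile sets as `AJP_PORT` and the entrypoint passes to midPoint, with nothing tying the two together; the same target line appears in `midpoint.conf.auth.shibboleth`. Add `# must match AJP_PORT (midpoint-server/Dockerfile, entrypoint.sh)` above the `ProxyPass` line in both files so the values do not drift. The file also ends without a trailing newline.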
diff --git a/midpoint/midpoint-server/container_files/httpd/conf/midpoint.conf.auth.shibboleth b/midpoint/midpoint-server/container_files/httpd/conf/midpoint.conf.auth.shibboleth
new file mode 100644
index 0000000..e827b9f
--- /dev/null
+++ b/midpoint/midpoint-server/container_files/httpd/conf/midpoint.conf.auth.shibboleth
@@ -0,0 +1,15 @@
+
+Timeout 2400
+ProxyTimeout 2400
+ProxyBadHeader Ignore
+
+ProxyPass /midpoint ajp://localhost:9090/midpoint timeout=2400
+
+
+
+ AuthType shibboleth
+ ShibRequestSetting requireSession 1
+ ShibRequireSession on
+ ShibUseHeaders On
+ require shibboleth
+
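Review bot: `ShibUseHeaders On` makes the SP export session attributes as HTTP request headers, which is what lets midPoint read `uid` through `auth.sso.header` over AJP, but it also means the identity travels in a header that only httpd/Shibboleth are trusted to set; the enclosing `<Location>` element for the `AuthType shibboleth` block is not visible in this hunk, so confirm it covers the whole `/midpoint` path so the SP strips client-supplied copies of those headers. The Shibboleth SP's alternative for AJP is passing attributes as `AJP_`-prefixed environment variables, which avoids header handling altogether; whichever is chosen, a comment above `ShibUseHeaders On` explaining why headers are used here would help. `ShibRequestSetting requireSession 1` and `ShibRequireSession on` express the same requirement twice; the former is the current form and the latter can go.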
diff --git a/midpoint/midpoint-server/container_files/httpd/conf/ssl-enable.conf b/midpoint/midpoint-server/container_files/httpd/conf/ssl-enable.conf
new file mode 100644
index 0000000..35bf295
--- /dev/null
+++ b/midpoint/midpoint-server/container_files/httpd/conf/ssl-enable.conf
@@ -0,0 +1,28 @@
+# modern configuration, tweak to your needs
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+SSLHonorCipherOrder on
+SSLCompression off
+
+# OCSP Stapling, only in httpd 2.3.3 and later
+SSLUseStapling on
+SSLStaplingResponderTimeout 5
+SSLStaplingReturnResponderErrors off
+SSLStaplingCache shmcb:/var/run/ocsp(128000)
+
+Listen 443 https
+
+ RewriteEngine on
+ RewriteRule "^/$" "/midpoint/" [R]
+
+
+ SSLEngine on
+ SSLCertificateChainFile /etc/pki/tls/certs/cachain.pem
+
+ SSLCertificateFile /etc/pki/tls/certs/host-cert.pem
+
+ SSLCertificateKeyFile /etc/pki/tls/private/host-key.pem
+
+ # HSTS (mod_headers is required) (15768000 seconds = 6 months)
+ Header always set Strict-Transport-Security "max-age=15768000"
+
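Review bot: `SSLCertificateChainFile /etc/pki/tls/certs/cachain.pem` reads a file that docker-compose.yml binds to the same `host-cert.pem` as `SSLCertificateFile`, so the "chain" is the self-signed leaf again; the directive has also been deprecated since httpd 2.4.8 in favour of appending intermediates to the `SSLCertificateFile` file. `SSLUseStapling on` likewise has no responder to query for a self-signed certificate. A comment on those lines, `# placeholders for a CA-issued certificate: supply the intermediate chain and an OCSP-capable cert before enabling in production`, would make the intended production shape clear. The enclosing `<VirtualHost>` element is not visible in this hunk.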
diff --git a/midpoint/midpoint-server/container_files/log-prefix b/midpoint/midpoint-server/container_files/log-prefix
deleted file mode 100755
index fb7c278..0000000
--- a/midpoint/midpoint-server/container_files/log-prefix
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-C=${COMPONENT//[;]/_}
-L=${LOGFILE//[;]/_}
-E=${ENV//[; ]/_}
-U=${USERTOKEN//[; ]/_}
-echo $C\;$L\;$E\;$U\;
diff --git a/midpoint/midpoint-server/container_files/mp-dir/active-spring-profiles b/midpoint/midpoint-server/container_files/mp-dir/active-spring-profiles
new file mode 100755
index 0000000..40058e6
--- /dev/null
+++ b/midpoint/midpoint-server/container_files/mp-dir/active-spring-profiles
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+case $AUTHENTICATION in
+ shibboleth)
+ echo "default,sso"
+ ;;
+ internal)
+ echo "default"
+ ;;
+ *)
+ echo "default"
+esac
+
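Review bot: The `internal)` and `*)` arms of the `case` produce the identical `default`, so the script reduces to `shibboleth) echo "default,sso" ;;` followed by `*) echo "default" ;;` with a comment that unknown values deliberately fall back to internal authentication; the last arm is also missing the conventional `;;`. Note that the entrypoint does not share this fallback: it symlinks `midpoint.conf.auth.$AUTHENTICATION` literally, so an unknown value gives midPoint a working profile but httpd a dangling include. Quoting the selector, `case "$AUTHENTICATION" in`, is the usual style even though `case` does not word-split it.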
diff --git a/midpoint/midpoint-server/container_files/repository-url b/midpoint/midpoint-server/container_files/mp-dir/repository-url
similarity index 100%
rename from midpoint/midpoint-server/container_files/repository-url
rename to midpoint/midpoint-server/container_files/mp-dir/repository-url
diff --git a/midpoint/midpoint-server/container_files/shibboleth/attribute-map.xml b/midpoint/midpoint-server/container_files/shibboleth/attribute-map.xml
new file mode 100644
index 0000000..a6725f3
--- /dev/null
+++ b/midpoint/midpoint-server/container_files/shibboleth/attribute-map.xml
@@ -0,0 +1,153 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/midpoint/midpoint-server/container_files/shibboleth/native.logger b/midpoint/midpoint-server/container_files/shibboleth/native.logger
new file mode 100644
index 0000000..0b01f32
--- /dev/null
+++ b/midpoint/midpoint-server/container_files/shibboleth/native.logger
@@ -0,0 +1,39 @@
+# set overall behavior
+log4j.rootCategory=INFO, native_log, warn_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# define the appender
+
+log4j.appender.native_log=org.apache.log4j.FileAppender
+log4j.appender.native_log.fileName=/tmp/logpipe
+log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.native_log.layout.ConversionPattern=shibd;native.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.warn_log=org.apache.log4j.FileAppender
+log4j.appender.warn_log.fileName=/tmp/logpipe
+log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.warn_log.layout.ConversionPattern=shibd;native_warn.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+log4j.appender.warn_log.threshold=WARN
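Review bot: `${ENV}` and `${USERTOKEN}` in the two `ConversionPattern` values look like environment substitutions, but logger files are not shell; confirm that shibd expands them, otherwise the literal text `${ENV}` lands in the TIER log prefix. The same pattern is used in all four appenders of `shibd.logger`. Once verified, a comment above the appender section, `# ENV/USERTOKEN are substituted from the environment by shibd (TIER log prefix)`, would document the dependency; both appenders also write to `/tmp/logpipe`, which the configuration assumes exists and has a reader (presumably provided by the base image), so that assumption is worth stating on the `fileName` line too.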
diff --git a/midpoint/midpoint-server/container_files/shibboleth/shibd.logger b/midpoint/midpoint-server/container_files/shibboleth/shibd.logger
new file mode 100644
index 0000000..c5685b2
--- /dev/null
+++ b/midpoint/midpoint-server/container_files/shibboleth/shibd.logger
@@ -0,0 +1,59 @@
+# set overall behavior
+log4j.rootCategory=INFO, shibd_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+#log4j.category.XMLTooling.SOAPClient=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# logs XML being signed or verified if set to DEBUG
+log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
+log4j.additivity.XMLTooling.Signature.Debugger=false
+
+# the tran log blocks the "default" appender(s) at runtime
+# Level should be left at INFO for this category
+log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
+log4j.additivity.Shibboleth-TRANSACTION=false
+# uncomment to suppress particular event types
+#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
+#log4j.category.Shibboleth-TRANSACTION.Login=WARN
+#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
+
+# define the appenders
+
+log4j.appender.shibd_log=org.apache.log4j.FileAppender
+log4j.appender.shibd_log.fileName=/tmp/logpipe
+log4j.appender.shibd_log.maxFileSize=0
+log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.shibd_log.layout.ConversionPattern=shibd;shibd.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.tran_log=org.apache.log4j.FileAppender
+log4j.appender.tran_log.fileName=/tmp/logpipe
+log4j.appender.tran_log.maxFileSize=0
+log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.tran_log.layout.ConversionPattern=shibd;transaction.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.sig_log=org.apache.log4j.FileAppender
+log4j.appender.sig_log.fileName=/tmp/logpipe
+log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.sig_log.layout.ConversionPattern=shibd;signature.log;${ENV};${USERTOKEN};%m
diff --git a/midpoint/midpoint-server/container_files/usr-local-bin/entrypoint.sh b/midpoint/midpoint-server/container_files/usr-local-bin/entrypoint.sh
new file mode 100755
index 0000000..a275bd2
--- /dev/null
+++ b/midpoint/midpoint-server/container_files/usr-local-bin/entrypoint.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# normalizing logging variables as required by TIER
+export ENV=${ENV//[; ]/_}
+export USERTOKEN=${USERTOKEN//[; ]/_}
+
+echo "Linking secrets and config files; using authentication: $AUTHENTICATION"
+ln -sf /run/secrets/shib_sp-key.pem /etc/shibboleth/sp-key.pem
+ln -sf /run/secrets/host-key.pem /etc/pki/tls/private/host-key.pem
+ln -sf /etc/httpd/conf.d/midpoint.conf.auth.$AUTHENTICATION /etc/httpd/conf.d/midpoint.conf
+
+httpd-shib-foreground &
+
+if [ "$AUTHENTICATION" = "shibboleth" ]; then
+ LOGOUT_URL_DIRECTIVE="-Dauth.logout.url=$LOGOUT_URL"
+else
+ LOGOUT_URL_DIRECTIVE=
+fi
+
+java -Xmx$MEM -Xms2048m -Dfile.encoding=UTF8 \
+ -Dmidpoint.home=$MP_DIR/var \
+ -Dmidpoint.repository.database=$REPO_DATABASE_TYPE \
+ -Dmidpoint.repository.jdbcUsername=$REPO_USER \
+ -Dmidpoint.repository.jdbcPassword_FILE=$REPO_PASSWORD_FILE \
+ -Dmidpoint.repository.jdbcUrl="`$MP_DIR/repository-url`" \
+ -Dmidpoint.repository.hibernateHbm2ddl=none \
+ -Dmidpoint.repository.missingSchemaAction=create \
+ -Dmidpoint.repository.initializationFailTimeout=60000 \
+ -Dmidpoint.keystore.keyStorePassword_FILE=$KEYSTORE_PASSWORD_FILE \
+ -Dmidpoint.logging.console.enabled=true \
+ -Dmidpoint.logging.console.prefix="midpoint;midpoint.log;$ENV;$USERTOKEN;" \
+ -Dmidpoint.logging.console.timezone=UTC \
+ -Dspring.profiles.active="`$MP_DIR/active-spring-profiles`" \
+ -Dauth.sso.header=$SSO_HEADER \
+ $LOGOUT_URL_DIRECTIVE \
+ -Dserver.tomcat.ajp.enabled=$AJP_ENABLED \
+ -Dserver.tomcat.ajp.port=$AJP_PORT \
+ -jar $MP_DIR/lib/midpoint.war
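Review bot: `ln -sf /etc/httpd/conf.d/midpoint.conf.auth.$AUTHENTICATION /etc/httpd/conf.d/midpoint.conf` runs for any value of `AUTHENTICATION`, so a typo or an unset variable leaves a dangling symlink and `httpd-shib-foreground &` fails in the background while the JVM keeps starting; the script should reject anything other than the two shipped files before linking. `-Xms2048m` is fixed while `-Xmx$MEM` is configurable, so any `MEM` below 2048m makes the JVM refuse to start; derive both from `MEM` or document the floor. httpd is also backgrounded and never waited on, so the container stays up with a dead front end if it exits, and the expansions (`$MEM`, `$MP_DIR`, `$REPO_USER`, ...) are unquoted. The validation below would go before the `ln -sf` lines.
```shell
case "$AUTHENTICATION" in
  internal|shibboleth) ;;
  *) echo "Unsupported AUTHENTICATION='$AUTHENTICATION' (expected internal or shibboleth)" >&2; exit 1 ;;
esac
# … unchanged: secret and config symlinks, httpd start, java launch …
```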