From 633ada5afb580dea9c755554c9a9a66b64434e4c Mon Sep 17 00:00:00 2001
From: Markus Krogh <markus@nordu.net>
Date: Wed, 27 Sep 2017 15:06:13 +0200
Subject: Structure cleanup + docker compose

---
 Dockerfile                                         |  31 --
 apache-sp/apache-conf/sp.conf                      |   2 +
 apache-sp/entrypoint.sh                            |   8 +-
 compose-dev.yml                                    |  19 ++
 idp/Dockerfile                                     |  33 ++
 idp/install.properties                             |  48 +++
 idp/jetty_base/etc/jetty-http-forwarded.xml        |  20 ++
 idp/jetty_base/start.d/http.ini                    |  34 ++
 idp/jetty_base/webapps/idp.xml                     |   7 +
 idp/nordu-ldap.properties                          |  10 +
 idp/shib-entrypoint.sh                             |   9 +
 idp/shibboleth-identity-provider-3.3.0.tar.gz      | Bin 0 -> 41527189 bytes
 ...hibboleth-identity-provider-3.3.0.tar.gz.sha256 |   1 +
 idp/shibboleth.db.ddl                              |  11 +
 idp/shibboleth.properties                          |   6 +
 idp/template-config/README.md                      |   5 +
 idp/template-config/attribute-filter.xml           |  56 ++++
 idp/template-config/attribute-resolver.xml         | 227 +++++++++++++
 idp/template-config/metadata-providers.xml         |  57 ++++
 idp/template-config/test.xml                       |  57 ++++
 install.properties                                 |  48 ---
 jetty_base/etc/jetty-http-forwarded.xml            |  20 --
 jetty_base/start.d/http.ini                        |  34 --
 jetty_base/webapps/idp.xml                         |   7 -
 metadata/test-rw.txt                               |   0
 nordu-ldap.properties                              |  10 -
 shibboleth-identity-provider-3.3.0.tar.gz          | Bin 41527189 -> 0 bytes
 shibboleth-identity-provider-3.3.0.tar.gz.sha256   |   1 -
 shibboleth.db.ddl                                  |  11 -
 shibboleth.properties                              |   6 -
 template-config/README.md                          |   5 -
 template-config/attribute-filter.xml               | 122 -------
 template-config/attribute-resolver.xml             | 373 ---------------------
 template-config/metadata-providers.xml             |  64 ----
 template-config/relying-party.xml                  |  78 -----
 35 files changed, 609 insertions(+), 811 deletions(-)
 delete mode 100644 Dockerfile
 create mode 100644 compose-dev.yml
 create mode 100644 idp/Dockerfile
 create mode 100644 idp/install.properties
 create mode 100644 idp/jetty_base/etc/jetty-http-forwarded.xml
 create mode 100644 idp/jetty_base/start.d/http.ini
 create mode 100644 idp/jetty_base/webapps/idp.xml
 create mode 100644 idp/nordu-ldap.properties
 create mode 100755 idp/shib-entrypoint.sh
 create mode 100644 idp/shibboleth-identity-provider-3.3.0.tar.gz
 create mode 100644 idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256
 create mode 100644 idp/shibboleth.db.ddl
 create mode 100644 idp/shibboleth.properties
 create mode 100644 idp/template-config/README.md
 create mode 100644 idp/template-config/attribute-filter.xml
 create mode 100644 idp/template-config/attribute-resolver.xml
 create mode 100644 idp/template-config/metadata-providers.xml
 create mode 100644 idp/template-config/test.xml
 delete mode 100644 install.properties
 delete mode 100644 jetty_base/etc/jetty-http-forwarded.xml
 delete mode 100644 jetty_base/start.d/http.ini
 delete mode 100644 jetty_base/webapps/idp.xml
 delete mode 100644 metadata/test-rw.txt
 delete mode 100644 nordu-ldap.properties
 delete mode 100644 shibboleth-identity-provider-3.3.0.tar.gz
 delete mode 100644 shibboleth-identity-provider-3.3.0.tar.gz.sha256
 delete mode 100644 shibboleth.db.ddl
 delete mode 100644 shibboleth.properties
 delete mode 100644 template-config/README.md
 delete mode 100644 template-config/attribute-filter.xml
 delete mode 100644 template-config/attribute-resolver.xml
 delete mode 100644 template-config/metadata-providers.xml
 delete mode 100644 template-config/relying-party.xml

diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 824481c..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,31 +0,0 @@
-FROM jetty:9-alpine
-EXPOSE 80 443
-MAINTAINER Jesper B. Rosenkilde <jbr@nordu.net>
-
-ENV IDP_VERSION 3.3.0
-COPY install.properties /opt/
-COPY nordu-ldap.properties /opt/
-COPY shibboleth-identity-provider-${IDP_VERSION}.tar.gz.sha256 /opt/
-COPY shibboleth-identity-provider-${IDP_VERSION}.tar.gz /opt/
-COPY template-config/ /opt/template-config
-COPY shibboleth.db.ddl /tmp/
-COPY apache-sp/nordunet.png /tmp/
-WORKDIR /opt
-RUN apk --no-cache add bash apache-ant sqlite curl && \
-    #curl -O https://shibboleth.net/downloads/identity-provider/${IDP_VERSION}/shibboleth-identity-provider-${IDP_VERSION}.tar.gz && \
-    sha256sum -c shibboleth-identity-provider-$IDP_VERSION.tar.gz.sha256 && \
-    tar xf shibboleth-identity-provider-$IDP_VERSION.tar.gz && \
-    mv shibboleth-identity-provider-$IDP_VERSION shibboleth-identity-provider && \
-    cp /tmp/nordunet.png ./shibboleth-identity-provider/webapp/images/dummylogo.png && \
-    ./shibboleth-identity-provider/bin/install.sh -propertyfile install.properties && \
-    apk --no-cache del apache-ant && \
-    cp /opt/template-config/*.xml /opt/shibboleth-idp/conf && \
-    rm -rf shibboleth-identity-provider* install.properties nordu-ldap.properties
-
-RUN chown -R jetty:jetty /opt/shibboleth-idp
-
-
-#RUN mkdir -p persistent-id && sqlite3 persistent-id/shibboleth.db < /tmp/shibboleth.db.ddl && rm -f /tmp/shibboleth.db.ddl
-
-COPY jetty_base $JETTY_BASE
-WORKDIR $JETTY_BASE
diff --git a/apache-sp/apache-conf/sp.conf b/apache-sp/apache-conf/sp.conf
index 5e32cbc..6678f8e 100644
--- a/apache-sp/apache-conf/sp.conf
+++ b/apache-sp/apache-conf/sp.conf
@@ -37,6 +37,8 @@ SSLHonorCipherOrder     on
         CustomLog /proc/self/fd/1 combined
         ServerSignature off
 
+        DirectoryIndex index.html index.shtml
+
 
         <Location /secure>
            AuthType shibboleth
diff --git a/apache-sp/entrypoint.sh b/apache-sp/entrypoint.sh
index 156b5ac..34589e3 100644
--- a/apache-sp/entrypoint.sh
+++ b/apache-sp/entrypoint.sh
@@ -29,7 +29,13 @@ if [ ! -f "$KEYDIR/private/${SP_HOSTNAME}.key" -o ! -f "$KEYDIR/certs/${SP_HOSTN
 fi
 
 # Fetch metadata
-curl http://shibboleth-docker:8080/idp/shibboleth -o /var/www/metadata.xml
+if [ -z "$SKIP_METADATA" ]; then
+  until curl http://shibboleth-docker:8080/idp/shibboleth -o /var/www/metadata.xml
+  do
+    sleep 5
+  done
+fi
+
 chown -R www-data:www-data /var/www/
 chmod -R a+r /var/www/
 
diff --git a/compose-dev.yml b/compose-dev.yml
new file mode 100644
index 0000000..ea227a3
--- /dev/null
+++ b/compose-dev.yml
@@ -0,0 +1,19 @@
+version: '3'
+services:
+  shibboleth-docker:
+    build: ./idp
+    environment:
+      JAVA_OPTIONS: '-Xmx1g'
+    volumes:
+      - ./data/idp/metadata:/metadata
+  sp:
+    build: ./apache-sp
+    volumes:
+      - ./data/apache-sp:/metadata/apache-sp
+    environment:
+      - SP_HOSTNAME=sp.nordu.dev
+    links:
+      - shibboleth-docker
+    ports:
+      - '80:80'
+      - '443:443'
diff --git a/idp/Dockerfile b/idp/Dockerfile
new file mode 100644
index 0000000..a411674
--- /dev/null
+++ b/idp/Dockerfile
@@ -0,0 +1,33 @@
+FROM jetty:9-alpine
+EXPOSE 80 443
+MAINTAINER Jesper B. Rosenkilde <jbr@nordu.net>
+
+ENV IDP_VERSION 3.3.0
+COPY install.properties /opt/
+COPY nordu-ldap.properties /opt/
+COPY shibboleth-identity-provider-${IDP_VERSION}.tar.gz.sha256 /opt/
+COPY shibboleth-identity-provider-${IDP_VERSION}.tar.gz /opt/
+COPY template-config/ /opt/template-config
+COPY shibboleth.db.ddl /tmp/
+COPY apache-sp/nordunet.png /tmp/
+WORKDIR /opt
+RUN apk --no-cache add bash apache-ant sqlite curl && \
+    #curl -O https://shibboleth.net/downloads/identity-provider/${IDP_VERSION}/shibboleth-identity-provider-${IDP_VERSION}.tar.gz && \
+    sha256sum -c shibboleth-identity-provider-$IDP_VERSION.tar.gz.sha256 && \
+    tar xf shibboleth-identity-provider-$IDP_VERSION.tar.gz && \
+    mv shibboleth-identity-provider-$IDP_VERSION shibboleth-identity-provider && \
+    ./shibboleth-identity-provider/bin/install.sh -propertyfile install.properties && \
+    apk --no-cache del apache-ant && \
+    cp /opt/template-config/*.xml /opt/shibboleth-idp/conf && \
+    sed -i '/p:postAuthenticationFlows=/ s/p:postAuthenticationFlows="attribute-release" //' /opt/shibboleth-idp/conf/relying-party.xml && \
+    rm -rf shibboleth-identity-provider* install.properties nordu-ldap.properties
+ADD https://mds.swamid.se/md/md-signer2.crt /opt/shibboleth-idp/credentials/
+
+RUN chown -R jetty:jetty /opt/shibboleth-idp
+
+#RUN mkdir -p persistent-id && sqlite3 persistent-id/shibboleth.db < /tmp/shibboleth.db.ddl && rm -f /tmp/shibboleth.db.ddl
+
+COPY jetty_base $JETTY_BASE
+COPY shib-entrypoint.sh /shib-entrypoint.sh
+ENTRYPOINT /shib-entrypoint.sh
+WORKDIR $JETTY_BASE
diff --git a/idp/install.properties b/idp/install.properties
new file mode 100644
index 0000000..13ca6ad
--- /dev/null
+++ b/idp/install.properties
@@ -0,0 +1,48 @@
+idp.src.dir=/opt/shibboleth-identity-provider
+idp.target.dir=/opt/shibboleth-idp
+idp.host.name=idp.nordu.dev
+idp.scope=nordu.dev
+# Shibboleth default password, don't change not used on runtime
+idp.sealer.password=password
+idp.keystore.password=password
+
+# Found via build.xml
+ldap.merge.properties=/opt/nordu-ldap.properties
+
+# Skinning it
+idp.title = IDP Dev Web Login Service
+idp.title.suffix = Error
+idp.logo = /images/nordunet.png
+idp.logo.alt-text = Nordic Gateway for Research & Education
+idp.message = An unidentified error occurred.
+idp.footer = IDP dev footer text.
+
+#PROPERTIES:
+#The following properties are used.  If they are not specified on the command line then
+#they will be prompted for if needed.
+#
+#idp.src.dir (update only):  Where to install from.  No default
+#idp.target.dir (all): where to install to.  Default is basedir.
+#idp.host.name: If we are creating certificates
+#idp.uri.subject.alt.name: If we are creating certificates.  Defaulted
+#idp.sealer.password:
+#idp.sealer.alias:
+#idp.keystore.password:
+#idp.scope: The scope to assert.  If present this should also be present in idp.merge.properties
+#idp.merge.properties: The name of a property file to merge with idp.properties.  This file only
+#  used when doing the initial create of idp.properties, and is deleted after processing
+#    - if idp.noprompt is set, then this file should contain a line setting idp.entityID.
+#    - if idp.sealer.password is set, then this file should contain a line setting idp.sealer.storePassword and idp.sealer.keyPassword
+#    - if idp.scope is present, then this file should contain a line setting idp.scope
+#services.merge.properties: The name of a property file to merge with services.properties
+#    - if idp.is.V2 is set, then this file should contain a line setting
+#        idp.service.relyingparty.resources=shibboleth.LegacyRelyingPartyResolverResources
+# nameid.merge.properties: The name of a property file to merge with saml-nameid.properties
+#     - if idp.is.V2 is set, then this file should contain lines enabling legacy nameid generation
+# idp.property.file: The name of a property file to fill in some or all of the above. This file is deleted after processing.
+# idp.no.tidy: Do not delete the two above files (debug only)
+# idp.jetty.config: Copy jetty configuration from distribution (Unsupported)
+# ldap.merge.properties:  The name of a property file to merge with ldap.properties
+# idp.conf.filemode (default "600"): The permissions to mark the files in conf with (UNIX only).
+
+# The property idp.noprompt will cause a failure rather than a prompt.
diff --git a/idp/jetty_base/etc/jetty-http-forwarded.xml b/idp/jetty_base/etc/jetty-http-forwarded.xml
new file mode 100644
index 0000000..50b8097
--- /dev/null
+++ b/idp/jetty_base/etc/jetty-http-forwarded.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
+<Configure id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
+  <Call name="addCustomizer">
+    <Arg>
+      <New class="org.eclipse.jetty.server.ForwardedRequestCustomizer">
+        <Set name="forwardedOnly"><Property name="jetty.httpConfig.forwardedOnly" default="false"/></Set>
+        <Set name="proxyAsAuthority"><Property name="jetty.httpConfig.forwardedProxyAsAuthority" default="false"/></Set>
+        <Set name="forwardedHeader"><Property name="jetty.httpConfig.forwardedHeader" default="Forwarded"/></Set>
+        <Set name="forwardedHostHeader"><Property name="jetty.httpConfig.forwardedHostHeader" default="X-Forwarded-Host"/></Set>
+        <Set name="forwardedServerHeader"><Property name="jetty.httpConfig.forwardedServerHeader" default="X-Forwarded-Server"/></Set>
+        <Set name="forwardedProtoHeader"><Property name="jetty.httpConfig.forwardedProtoHeader" default="X-Forwarded-Proto"/></Set>
+        <Set name="forwardedForHeader"><Property name="jetty.httpConfig.forwardedForHeader" default="X-Forwarded-For"/></Set>
+        <Set name="forwardedHttpsHeader"><Property name="jetty.httpConfig.forwardedHttpsHeader" default="X-Proxied-Https"/></Set>
+        <Set name="forwardedSslSessionIdHeader"><Property name="jetty.httpConfig.forwardedSslSessionIdHeader" default="Proxy-ssl-id" /></Set>
+        <Set name="forwardedCipherSuiteHeader"><Property name="jetty.httpConfig.forwardedCipherSuiteHeader" default="Proxy-auth-cert"/></Set>
+      </New>
+    </Arg>
+  </Call>
+</Configure>
diff --git a/idp/jetty_base/start.d/http.ini b/idp/jetty_base/start.d/http.ini
new file mode 100644
index 0000000..cda6a26
--- /dev/null
+++ b/idp/jetty_base/start.d/http.ini
@@ -0,0 +1,34 @@
+# ---------------------------------------
+# Module: http
+--module=http
+
+### HTTP Connector Configuration
+
+## Connector host/address to bind to
+# jetty.http.host=0.0.0.0
+
+## Connector port to listen on
+jetty.http.port=8080
+
+## Connector idle timeout in milliseconds
+# jetty.http.idleTimeout=30000
+
+## Connector socket linger time in seconds (-1 to disable)
+# jetty.http.soLingerTime=-1
+
+## Number of acceptors (-1 picks default based on number of cores)
+# jetty.http.acceptors=-1
+
+## Number of selectors (-1 picks default based on number of cores)
+# jetty.http.selectors=-1
+
+## ServerSocketChannel backlog (0 picks platform default)
+# jetty.http.acceptorQueueSize=0
+
+## Thread priority delta to give to acceptor threads
+# jetty.http.acceptorPriorityDelta=0
+
+## HTTP Compliance: RFC7230, RFC2616, LEGACY
+# jetty.http.compliance=RFC7230
+
+etc/jetty-http-forwarded.xml
diff --git a/idp/jetty_base/webapps/idp.xml b/idp/jetty_base/webapps/idp.xml
new file mode 100644
index 0000000..dbe3671
--- /dev/null
+++ b/idp/jetty_base/webapps/idp.xml
@@ -0,0 +1,7 @@
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+  <Set name="war">/opt/shibboleth-idp/war/idp.war</Set>
+  <Set name="contextPath">/idp</Set>
+  <Set name="extractWAR">false</Set>
+  <Set name="copyWebDir">false</Set>
+  <Set name="copyWebInf">true</Set>
+</Configure>
diff --git a/idp/nordu-ldap.properties b/idp/nordu-ldap.properties
new file mode 100644
index 0000000..d265541
--- /dev/null
+++ b/idp/nordu-ldap.properties
@@ -0,0 +1,10 @@
+idp.authn.LDAP.ldapURL=ldaps://ldap.nordu.net
+idp.authn.LDAP.authenticator = anonSearchAuthenticator
+idp.authn.LDAP.useStartTLS = false
+idp.authn.LDAP.useSSL = true
+idp.authn.LDAP.sslConfig = jvmTrust
+#idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
+idp.authn.LDAP.baseDN = ou=People,dc=nordu,dc=net
+#idp.authn.LDAP.userFilter = (uid=$requestContext.principalName)
+idp.authn.LDAP.bindDN = dc=nordu,dc=net
+idp.authn.LDAP.bindDNCredential = blahblah
diff --git a/idp/shib-entrypoint.sh b/idp/shib-entrypoint.sh
new file mode 100755
index 0000000..eec7dcd
--- /dev/null
+++ b/idp/shib-entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+ 
+# if there is a metadata file for the test sp, enable it.
+if [ -f /metadata/sp-metadata.xml ]; then
+  sed -i -e '/sp.nordu.dev/ s/<!--//' -e '/sp.nordu.dev/ s/-->//' /opt/shibboleth-idp/conf/metadata-providers.xml
+fi
+
+/docker-entrypoint.sh "$@"
diff --git a/idp/shibboleth-identity-provider-3.3.0.tar.gz b/idp/shibboleth-identity-provider-3.3.0.tar.gz
new file mode 100644
index 0000000..d076c1d
Binary files /dev/null and b/idp/shibboleth-identity-provider-3.3.0.tar.gz differ
diff --git a/idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256 b/idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256
new file mode 100644
index 0000000..ea5cafa
--- /dev/null
+++ b/idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256
@@ -0,0 +1 @@
+558c6b71e6eba8fbdff19ee8857368d1a6facdfe2c703afc70d5b1655411f552  shibboleth-identity-provider-3.3.0.tar.gz
diff --git a/idp/shibboleth.db.ddl b/idp/shibboleth.db.ddl
new file mode 100644
index 0000000..3799b91
--- /dev/null
+++ b/idp/shibboleth.db.ddl
@@ -0,0 +1,11 @@
+CREATE TABLE shibpid (
+  localEntity VARCHAR(255) NOT NULL,
+  peerEntity VARCHAR(255) NOT NULL,
+  persistentId VARCHAR(50) NOT NULL,
+  principalName VARCHAR(50) NOT NULL,
+  localId VARCHAR(50) NOT NULL,
+  peerProvidedId VARCHAR(50) NULL,
+  creationDate TIMESTAMP NOT NULL,
+  deactivationDate TIMESTAMP NULL,
+  PRIMARY KEY (localEntity, peerEntity, persistentId)
+);
diff --git a/idp/shibboleth.properties b/idp/shibboleth.properties
new file mode 100644
index 0000000..da0a7e7
--- /dev/null
+++ b/idp/shibboleth.properties
@@ -0,0 +1,6 @@
+idp.src.dir=/opt/shibboleth-identity-provider
+idp.target.dir=/opt/shibboleth-idp
+idp.host.name=idp.nordu.dev
+idp.scope=nordu.dev
+idp.keystore.password=lemonade
+idp.sealer.password=lemonade
diff --git a/idp/template-config/README.md b/idp/template-config/README.md
new file mode 100644
index 0000000..6002238
--- /dev/null
+++ b/idp/template-config/README.md
@@ -0,0 +1,5 @@
+# IDP config templates
+
+This directory contains the files which are being replaced after running install.
+
+Dockerfile should install these after running install.
diff --git a/idp/template-config/attribute-filter.xml b/idp/template-config/attribute-filter.xml
new file mode 100644
index 0000000..4543e99
--- /dev/null
+++ b/idp/template-config/attribute-filter.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE policy file.  While the policy presented in this
+    example file is illustrative of some simple cases, it relies on the names of
+    non-existent example services and the example attributes demonstrated in the
+    default attribute-resolver.xml file.
+
+    Deployers should refer to the documentation for a complete list of components
+    and their options.
+-->
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+        xmlns="urn:mace:shibboleth:2.0:afp"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+        <!-- Release some attributes to an SP. -->
+        <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
+        <AttributeFilterPolicy id="sp.nordu.dev">
+            <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
+            <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
+            <AttributeRule attributeID="eduPersonPrincipalName">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="uid">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="mail">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="givenName">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="surname">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="displayName">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="commonName">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="employeeType">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="email">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="eduPersonEntitlement">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="mailLocalAddress">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+
+        </AttributeFilterPolicy>
+</AttributeFilterPolicyGroup>
diff --git a/idp/template-config/attribute-resolver.xml b/idp/template-config/attribute-resolver.xml
new file mode 100644
index 0000000..e761920
--- /dev/null
+++ b/idp/template-config/attribute-resolver.xml
@@ -0,0 +1,227 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE configuration file. While the configuration
+    presented in this example file is semi-functional, it isn't very
+    interesting. It is here only as a starting point for your deployment
+    process.
+
+    Very few attribute definitions and data connectors are demonstrated,
+    and the data is derived statically from the logged-in username and a
+    static example connector.
+
+    Attribute-resolver-full.xml contains more examples of attributes,
+    encoders, and data connectors. Deployers should refer to the Shibboleth
+    documentation for a complete list of components and their options.
+
+    NOTE: This file is from the Nordunet template-config
+
+-->
+<AttributeResolver
+        xmlns="urn:mace:shibboleth:2.0:resolver"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+
+    <!--
+    The EPPN is the "standard" federated username in higher ed.
+    For guidelines on the implementation of this attribute, refer
+    to the Shibboleth and eduPerson documentation. Above all, do
+    not expose a value for this attribute without considering the
+    long term implications.
+    -->
+    <!-- This version not used at NORDUnet, see below
+    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </AttributeDefinition>
+    -->
+    <!--
+    The uid is the closest thing to a "standard" LDAP attribute
+    representing a local username, but you should generally *never*
+    expose uid to federated services, as it is rarely globally unique.
+    -->
+    <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </AttributeDefinition>
+
+    <!--
+    In the rest of the world, the email address is the standard identifier,
+    despite the problems with that practice. Consider making the EPPN value
+    the same as your official email addresses whenever possible.
+    -->
+    <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct -->
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o">
+      <Dependency ref="staticAttributes" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
+    </AttributeDefinition>
+
+    <!-- Schema: inetOrgPerson attributes-->
+    <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
+    </AttributeDefinition>
+
+    <!-- Schema: eduPerson attributes -->
+    <AttributeDefinition id="memberOf" xsi:type="Simple" sourceAttributeID="memberOf">
+      <Dependency ref="myLDAP" />
+    </AttributeDefinition>
+	  <!-- Idp-Installer: the source for this attribute is from the database StoredId and no longer the classic computedID  -->
+    <!--
+    <AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID"
+                                  nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="persistentId">
+        <Dependency ref="StoredId" />
+        <AttributeEncoder xsi:type="enc:SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
+        <AttributeEncoder xsi:type="enc:SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
+    </AttributeDefinition>
+    -->
+
+
+<AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
+    <Dependency ref="myLDAP" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
+</AttributeDefinition>
+
+<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="uid"><!-- In ndn it is uid -->
+    <Dependency ref="myLDAP" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+</AttributeDefinition>
+
+<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="nordu.net" sourceAttributeID="employeeType">
+    <Dependency ref="myLDAP" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
+</AttributeDefinition>
+
+	<!-- from swamid installer -->
+  <AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym">
+    <Dependency ref="staticAttributes" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" />
+  </AttributeDefinition>
+
+	<AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization">
+		<Dependency ref="staticAttributes" />
+		<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+		<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+	</AttributeDefinition>
+
+	<AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType">
+		<Dependency ref="staticAttributes" />
+		<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+		<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+	</AttributeDefinition>
+
+	<!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal -->
+
+
+
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+
+    <!--
+    Example LDAP Connector
+
+    The connectivity details can be specified in ldap.properties to
+    share them with your authentication settings if desired.
+    -->
+    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+        baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+        <FilterTemplate>
+            <![CDATA[
+                %{idp.attribute.resolver.LDAP.searchFilter}
+            ]]>
+        </FilterTemplate>
+    </DataConnector>
+
+  	<DataConnector id="staticAttributes" xsi:type="Static">
+			<Attribute id="o">
+				<Value>NORDUnet A/S</Value>
+			</Attribute>
+  	  <Attribute id="schacHomeOrganization">
+  	    <Value>nordu.net</Value>
+  	  </Attribute>
+  	  <Attribute id="schacHomeOrganizationType">
+  	    <Value>urn:schac:homeOrganizationType:int:NREN</Value>
+  	  </Attribute>
+			<Attribute id="norEduOrgAcronym">
+				<Value>NORDUNet</Value>
+			</Attribute>
+  	</DataConnector>
+
+
+  <!-- Computed targeted ID connector -->
+<!--  The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.-->
+
+<!--  <DataConnector id="ComputedId" xsi:type="ComputedId"
+      generatedAttributeID="computedId"
+      sourceAttributeID="uid"
+      salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
+      <resolver:Dependency ref="myLDAP" />
+  </DataConnector>
+
+also in old format the next block
+<resolver:DataConnector id="StoredId"
+    xsi:type="StoredId"
+    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
+    generatedAttributeID="persistentId"
+    sourceAttributeID="uid"
+    salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
+    <resolver:Dependency ref="uid" />
+    <ApplicationManagedConnection
+        jdbcDriver="com.mysql.jdbc.Driver"
+        jdbcURL="jdbc:mysql://mysql:3306/shibboleth?autoReconnect=true&amp;useSSL=false"
+        jdbcUserName="idp"
+        jdbcPassword="shibboleth" />
+</resolver:DataConnector>
+-->
+
+
+</AttributeResolver>
diff --git a/idp/template-config/metadata-providers.xml b/idp/template-config/metadata-providers.xml
new file mode 100644
index 0000000..d813c06
--- /dev/null
+++ b/idp/template-config/metadata-providers.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file is an EXAMPLE metadata configuration file. -->
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+    xmlns="urn:mace:shibboleth:2.0:metadata"
+    xmlns:resource="urn:mace:shibboleth:2.0:resource"
+    xmlns:security="urn:mace:shibboleth:2.0:security"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
+                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
+                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
+                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
+
+    <!-- ========================================================================================== -->
+    <!--                             Metadata Configuration                                         -->
+    <!--                                                                                            -->
+    <!--  Below you place the mechanisms which define how to load the metadata for SP(s) you will   -->
+    <!--  provide service to.                                                                       -->
+    <!--                                                                                            -->
+    <!--  Two examples are provided.  The Shibboleth Documentation at                               -->
+    <!--  https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                -->
+    <!--  provides more details.                                                                    -->
+    <!--                                                                                            -->
+    <!--  NOTE.  This file SHOULD NOT contain the metadata for this IdP.                            -->
+    <!-- ========================================================================================== -->
+
+    <!--
+    <MetadataProvider id="HTTPMetadata"
+                      xsi:type="FileBackedHTTPMetadataProvider"
+                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
+                      metadataURL="http://WHATEVER">
+
+        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
+        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
+        <MetadataFilter xsi:type="EntityRoleWhiteList">
+            <RetainedRole>md:SPSSODescriptor</RetainedRole>
+        </MetadataFilter>
+    </MetadataProvider>
+    -->
+
+    <MetadataProvider id="SWAMID2"
+                      xsi:type="FileBackedHTTPMetadataProvider"
+                      metadataURL="https://mds.swamid.se/md/swamid-2.0.xml"
+                      backingFile="%{idp.home}/metadata/swamid-2.0.xml">
+
+      <MetadataFilter xsi:type="SignatureValidation"
+                      requireSignedRoot="true"
+                      certificateFile="%{idp.home}/credentials/md-signer2.crt" />
+      <MetadataFilter xsi:type="EntityRoleWhiteList">
+        <RetainedRole>md:SPSSODescriptor</RetainedRole>
+      </MetadataFilter>
+    </MetadataProvider>
+
+
+    <!--<MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" /> -->
+
+</MetadataProvider>
diff --git a/idp/template-config/test.xml b/idp/template-config/test.xml
new file mode 100644
index 0000000..ea5c36e
--- /dev/null
+++ b/idp/template-config/test.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file is an EXAMPLE metadata configuration file. 
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+    xmlns="urn:mace:shibboleth:2.0:metadata"
+    xmlns:resource="urn:mace:shibboleth:2.0:resource"
+    xmlns:security="urn:mace:shibboleth:2.0:security"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
+                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
+                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
+                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
+
+    <!-- ========================================================================================== 
+    <!--                             Metadata Configuration                                         
+    <!--                                                                                            
+    <!--  Below you place the mechanisms which define how to load the metadata for SP(s) you will   
+    <!--  provide service to.                                                                       
+    <!--                                                                                            
+    <!--  Two examples are provided.  The Shibboleth Documentation at                               
+    <!--  https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                
+    <!--  provides more details.                                                                    
+    <!--                                                                                            
+    <!--  NOTE.  This file SHOULD NOT contain the metadata for this IdP.                            
+    <!-- ========================================================================================== 
+
+    <!--
+    <MetadataProvider id="HTTPMetadata"
+                      xsi:type="FileBackedHTTPMetadataProvider"
+                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
+                      metadataURL="http://WHATEVER">
+
+        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
+        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
+        <MetadataFilter xsi:type="EntityRoleWhiteList">
+            <RetainedRole>md:SPSSODescriptor</RetainedRole>
+        </MetadataFilter>
+    </MetadataProvider>
+    
+
+    <MetadataProvider id="SWAMID2"
+                      xsi:type="FileBackedHTTPMetadataProvider"
+                      metadataURL="https://mds.swamid.se/md/swamid-2.0.xml"
+                      backingFile="%{idp.home}/metadata/swamid-2.0.xml">
+
+      <MetadataFilter xsi:type="SignatureValidation"
+                      requireSignedRoot="true"
+                      certificateFile="%{idp.home}/credentials/md-signer2.crt" />
+      <MetadataFilter xsi:type="EntityRoleWhiteList">
+        <RetainedRole>md:SPSSODescriptor</RetainedRole>
+      </MetadataFilter>
+    </MetadataProvider>
+
+
+    <MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" /> 
+
+</MetadataProvider>
diff --git a/install.properties b/install.properties
deleted file mode 100644
index 13ca6ad..0000000
--- a/install.properties
+++ /dev/null
@@ -1,48 +0,0 @@
-idp.src.dir=/opt/shibboleth-identity-provider
-idp.target.dir=/opt/shibboleth-idp
-idp.host.name=idp.nordu.dev
-idp.scope=nordu.dev
-# Shibboleth default password, don't change not used on runtime
-idp.sealer.password=password
-idp.keystore.password=password
-
-# Found via build.xml
-ldap.merge.properties=/opt/nordu-ldap.properties
-
-# Skinning it
-idp.title = IDP Dev Web Login Service
-idp.title.suffix = Error
-idp.logo = /images/nordunet.png
-idp.logo.alt-text = Nordic Gateway for Research & Education
-idp.message = An unidentified error occurred.
-idp.footer = IDP dev footer text.
-
-#PROPERTIES:
-#The following properties are used.  If they are not specified on the command line then
-#they will be prompted for if needed.
-#
-#idp.src.dir (update only):  Where to install from.  No default
-#idp.target.dir (all): where to install to.  Default is basedir.
-#idp.host.name: If we are creating certificates
-#idp.uri.subject.alt.name: If we are creating certificates.  Defaulted
-#idp.sealer.password:
-#idp.sealer.alias:
-#idp.keystore.password:
-#idp.scope: The scope to assert.  If present this should also be present in idp.merge.properties
-#idp.merge.properties: The name of a property file to merge with idp.properties.  This file only
-#  used when doing the initial create of idp.properties, and is deleted after processing
-#    - if idp.noprompt is set, then this file should contain a line setting idp.entityID.
-#    - if idp.sealer.password is set, then this file should contain a line setting idp.sealer.storePassword and idp.sealer.keyPassword
-#    - if idp.scope is present, then this file should contain a line setting idp.scope
-#services.merge.properties: The name of a property file to merge with services.properties
-#    - if idp.is.V2 is set, then this file should contain a line setting
-#        idp.service.relyingparty.resources=shibboleth.LegacyRelyingPartyResolverResources
-# nameid.merge.properties: The name of a property file to merge with saml-nameid.properties
-#     - if idp.is.V2 is set, then this file should contain lines enabling legacy nameid generation
-# idp.property.file: The name of a property file to fill in some or all of the above. This file is deleted after processing.
-# idp.no.tidy: Do not delete the two above files (debug only)
-# idp.jetty.config: Copy jetty configuration from distribution (Unsupported)
-# ldap.merge.properties:  The name of a property file to merge with ldap.properties
-# idp.conf.filemode (default "600"): The permissions to mark the files in conf with (UNIX only).
-
-# The property idp.noprompt will cause a failure rather than a prompt.
diff --git a/jetty_base/etc/jetty-http-forwarded.xml b/jetty_base/etc/jetty-http-forwarded.xml
deleted file mode 100644
index 50b8097..0000000
--- a/jetty_base/etc/jetty-http-forwarded.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
-<Configure id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
-  <Call name="addCustomizer">
-    <Arg>
-      <New class="org.eclipse.jetty.server.ForwardedRequestCustomizer">
-        <Set name="forwardedOnly"><Property name="jetty.httpConfig.forwardedOnly" default="false"/></Set>
-        <Set name="proxyAsAuthority"><Property name="jetty.httpConfig.forwardedProxyAsAuthority" default="false"/></Set>
-        <Set name="forwardedHeader"><Property name="jetty.httpConfig.forwardedHeader" default="Forwarded"/></Set>
-        <Set name="forwardedHostHeader"><Property name="jetty.httpConfig.forwardedHostHeader" default="X-Forwarded-Host"/></Set>
-        <Set name="forwardedServerHeader"><Property name="jetty.httpConfig.forwardedServerHeader" default="X-Forwarded-Server"/></Set>
-        <Set name="forwardedProtoHeader"><Property name="jetty.httpConfig.forwardedProtoHeader" default="X-Forwarded-Proto"/></Set>
-        <Set name="forwardedForHeader"><Property name="jetty.httpConfig.forwardedForHeader" default="X-Forwarded-For"/></Set>
-        <Set name="forwardedHttpsHeader"><Property name="jetty.httpConfig.forwardedHttpsHeader" default="X-Proxied-Https"/></Set>
-        <Set name="forwardedSslSessionIdHeader"><Property name="jetty.httpConfig.forwardedSslSessionIdHeader" default="Proxy-ssl-id" /></Set>
-        <Set name="forwardedCipherSuiteHeader"><Property name="jetty.httpConfig.forwardedCipherSuiteHeader" default="Proxy-auth-cert"/></Set>
-      </New>
-    </Arg>
-  </Call>
-</Configure>
diff --git a/jetty_base/start.d/http.ini b/jetty_base/start.d/http.ini
deleted file mode 100644
index cda6a26..0000000
--- a/jetty_base/start.d/http.ini
+++ /dev/null
@@ -1,34 +0,0 @@
-# ---------------------------------------
-# Module: http
---module=http
-
-### HTTP Connector Configuration
-
-## Connector host/address to bind to
-# jetty.http.host=0.0.0.0
-
-## Connector port to listen on
-jetty.http.port=8080
-
-## Connector idle timeout in milliseconds
-# jetty.http.idleTimeout=30000
-
-## Connector socket linger time in seconds (-1 to disable)
-# jetty.http.soLingerTime=-1
-
-## Number of acceptors (-1 picks default based on number of cores)
-# jetty.http.acceptors=-1
-
-## Number of selectors (-1 picks default based on number of cores)
-# jetty.http.selectors=-1
-
-## ServerSocketChannel backlog (0 picks platform default)
-# jetty.http.acceptorQueueSize=0
-
-## Thread priority delta to give to acceptor threads
-# jetty.http.acceptorPriorityDelta=0
-
-## HTTP Compliance: RFC7230, RFC2616, LEGACY
-# jetty.http.compliance=RFC7230
-
-etc/jetty-http-forwarded.xml
diff --git a/jetty_base/webapps/idp.xml b/jetty_base/webapps/idp.xml
deleted file mode 100644
index dbe3671..0000000
--- a/jetty_base/webapps/idp.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-<Configure class="org.eclipse.jetty.webapp.WebAppContext">
-  <Set name="war">/opt/shibboleth-idp/war/idp.war</Set>
-  <Set name="contextPath">/idp</Set>
-  <Set name="extractWAR">false</Set>
-  <Set name="copyWebDir">false</Set>
-  <Set name="copyWebInf">true</Set>
-</Configure>
diff --git a/metadata/test-rw.txt b/metadata/test-rw.txt
deleted file mode 100644
index e69de29..0000000
diff --git a/nordu-ldap.properties b/nordu-ldap.properties
deleted file mode 100644
index d265541..0000000
--- a/nordu-ldap.properties
+++ /dev/null
@@ -1,10 +0,0 @@
-idp.authn.LDAP.ldapURL=ldaps://ldap.nordu.net
-idp.authn.LDAP.authenticator = anonSearchAuthenticator
-idp.authn.LDAP.useStartTLS = false
-idp.authn.LDAP.useSSL = true
-idp.authn.LDAP.sslConfig = jvmTrust
-#idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
-idp.authn.LDAP.baseDN = ou=People,dc=nordu,dc=net
-#idp.authn.LDAP.userFilter = (uid=$requestContext.principalName)
-idp.authn.LDAP.bindDN = dc=nordu,dc=net
-idp.authn.LDAP.bindDNCredential = blahblah
diff --git a/shibboleth-identity-provider-3.3.0.tar.gz b/shibboleth-identity-provider-3.3.0.tar.gz
deleted file mode 100644
index d076c1d..0000000
Binary files a/shibboleth-identity-provider-3.3.0.tar.gz and /dev/null differ
diff --git a/shibboleth-identity-provider-3.3.0.tar.gz.sha256 b/shibboleth-identity-provider-3.3.0.tar.gz.sha256
deleted file mode 100644
index ea5cafa..0000000
--- a/shibboleth-identity-provider-3.3.0.tar.gz.sha256
+++ /dev/null
@@ -1 +0,0 @@
-558c6b71e6eba8fbdff19ee8857368d1a6facdfe2c703afc70d5b1655411f552  shibboleth-identity-provider-3.3.0.tar.gz
diff --git a/shibboleth.db.ddl b/shibboleth.db.ddl
deleted file mode 100644
index 3799b91..0000000
--- a/shibboleth.db.ddl
+++ /dev/null
@@ -1,11 +0,0 @@
-CREATE TABLE shibpid (
-  localEntity VARCHAR(255) NOT NULL,
-  peerEntity VARCHAR(255) NOT NULL,
-  persistentId VARCHAR(50) NOT NULL,
-  principalName VARCHAR(50) NOT NULL,
-  localId VARCHAR(50) NOT NULL,
-  peerProvidedId VARCHAR(50) NULL,
-  creationDate TIMESTAMP NOT NULL,
-  deactivationDate TIMESTAMP NULL,
-  PRIMARY KEY (localEntity, peerEntity, persistentId)
-);
diff --git a/shibboleth.properties b/shibboleth.properties
deleted file mode 100644
index da0a7e7..0000000
--- a/shibboleth.properties
+++ /dev/null
@@ -1,6 +0,0 @@
-idp.src.dir=/opt/shibboleth-identity-provider
-idp.target.dir=/opt/shibboleth-idp
-idp.host.name=idp.nordu.dev
-idp.scope=nordu.dev
-idp.keystore.password=lemonade
-idp.sealer.password=lemonade
diff --git a/template-config/README.md b/template-config/README.md
deleted file mode 100644
index 6002238..0000000
--- a/template-config/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# IDP config templates
-
-This directory contains the files which are being replaced after running install.
-
-Dockerfile should install these after running install.
diff --git a/template-config/attribute-filter.xml b/template-config/attribute-filter.xml
deleted file mode 100644
index f2aa5f7..0000000
--- a/template-config/attribute-filter.xml
+++ /dev/null
@@ -1,122 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-    This file is an EXAMPLE policy file.  While the policy presented in this
-    example file is illustrative of some simple cases, it relies on the names of
-    non-existent example services and the example attributes demonstrated in the
-    default attribute-resolver.xml file.
-
-    Deployers should refer to the documentation for a complete list of components
-    and their options.
--->
-<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
-        xmlns="urn:mace:shibboleth:2.0:afp"
-        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
-
-        <!-- Release some attributes to an SP. -->
-        <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
-        <AttributeFilterPolicy id="sp.nordu.dev">
-            <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
-            <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
-            <AttributeRule attributeID="eduPersonPrincipalName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="uid">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="mail">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="givenName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="surname">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="displayName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="commonName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="employeeType">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="email">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="eduPersonEntitlement">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="mailLocalAddress">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-
-        </AttributeFilterPolicy>
-
-        <!--  Release the transient ID to anyone -->
-<!--        <AttributeFilterPolicy id="releaseTransientAndPermanentIdToAnyone">
-            <PolicyRequirementRule xsi:type="ANY" />
-            <AttributeRule attributeID="transientId">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="persistentId">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="eduPersonTargetedID">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-        </AttributeFilterPolicy>
--->
-        <!-- recommended initial attribute filter policy for swamid.se + same rule for edugain, incommon, uk and kalmar2 -->
-<!--        <AttributeFilterPolicy id="releaseStandardAttributesToFederations">
-            <PolicyRequirementRule xsi:type="OR">
-                <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:incommon" />
-                <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://ukfederation.org.uk" />
-                <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://md.swamid.se/md/swamid-1.0.xml" />
-                <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://mds.swamid.se/md/swamid-2.0.xml" />
-                <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="kalmarcentral2" />
-                <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="edugain" />
-            </PolicyRequirementRule>
-            <AttributeRule attributeID="givenName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="surname">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="displayName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="commonName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="eduPersonPrincipalName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="email">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="eduPersonEntitlement">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="mailLocalAddress">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-            <AttributeRule attributeID="eduPersonScopedAffiliation">
-                <PermitValueRule xsi:type="OR">
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
-                    <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
-                </PermitValueRule>
-            </AttributeRule>
-            <AttributeRule attributeID="organizationName">
-                <PermitValueRule xsi:type="ANY" />
-            </AttributeRule>
-        </AttributeFilterPolicy>-->
-
-</AttributeFilterPolicyGroup>
diff --git a/template-config/attribute-resolver.xml b/template-config/attribute-resolver.xml
deleted file mode 100644
index 9d7b8de..0000000
--- a/template-config/attribute-resolver.xml
+++ /dev/null
@@ -1,373 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-    This file is an EXAMPLE configuration file. While the configuration
-    presented in this example file is semi-functional, it isn't very
-    interesting. It is here only as a starting point for your deployment
-    process.
-
-    Very few attribute definitions and data connectors are demonstrated,
-    and the data is derived statically from the logged-in username and a
-    static example connector.
-
-    Attribute-resolver-full.xml contains more examples of attributes,
-    encoders, and data connectors. Deployers should refer to the Shibboleth
-    documentation for a complete list of components and their options.
-
-    NOTE: This file is from the Nordunet template-config
-
--->
-<AttributeResolver
-        xmlns="urn:mace:shibboleth:2.0:resolver"
-        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
-
-
-    <!-- ========================================== -->
-    <!--      Attribute Definitions                 -->
-    <!-- ========================================== -->
-
-    <!--
-    The EPPN is the "standard" federated username in higher ed.
-    For guidelines on the implementation of this attribute, refer
-    to the Shibboleth and eduPerson documentation. Above all, do
-    not expose a value for this attribute without considering the
-    long term implications.
-    -->
-    <!-- This version not used at NORDUnet, see below
-    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
-    </AttributeDefinition>
-    -->
-    <!--
-    The uid is the closest thing to a "standard" LDAP attribute
-    representing a local username, but you should generally *never*
-    expose uid to federated services, as it is rarely globally unique.
-    -->
-    <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
-    </AttributeDefinition>
-
-    <!--
-    In the rest of the world, the email address is the standard identifier,
-    despite the problems with that practice. Consider making the EPPN value
-    the same as your official email addresses whenever possible.
-    -->
-    <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="mailLocalAddress" xsi:type="Simple" sourceAttributeID="mailLocalAddress">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mailLocalAddress" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.13" friendlyName="mailLocalAddress" encodeType="false" />
-    </AttributeDefinition>
-
-<!-- old format from IDPv2 - still works? -->
-    <AttributeDefinition id="homePhone" xsi:type="Simple" sourceAttributeID="homePhone">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="homePostalAddress" xsi:type="Simple" sourceAttributeID="homePostalAddress">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="mobileNumber" xsi:type="Simple" sourceAttributeID="mobile">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="pagerNumber" xsi:type="Simple" sourceAttributeID="pager">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct -->
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
-    </AttributeDefinition>
-
-
-    <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="locality" xsi:type="Simple" sourceAttributeID="l">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="stateProvince" xsi:type="Simple" sourceAttributeID="st">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="street" xsi:type="Simple" sourceAttributeID="street">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="organizationalUnit" xsi:type="Simple" sourceAttributeID="ou">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="title" xsi:type="Simple" sourceAttributeID="title">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="postalAddress" xsi:type="Simple" sourceAttributeID="postalAddress">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="postalCode" xsi:type="Simple" sourceAttributeID="postalCode">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="postOfficeBox" xsi:type="Simple" sourceAttributeID="postOfficeBox">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="telephoneNumber" xsi:type="Simple" sourceAttributeID="telephoneNumber">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="initials" xsi:type="Simple" sourceAttributeID="initials">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" />
-    </AttributeDefinition>
-
-
-    <!-- Schema: inetOrgPerson attributes-->
-    <AttributeDefinition id="departmentNumber" xsi:type="Simple" sourceAttributeID="departmentNumber">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="employeeNumber" xsi:type="Simple" sourceAttributeID="employeeNumber">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="jpegPhoto" xsi:type="Simple" sourceAttributeID="jpegPhoto">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="preferredLanguage" xsi:type="Simple" sourceAttributeID="preferredLanguage">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" />
-    </AttributeDefinition>
-
-    <!-- Schema: eduPerson attributes -->
-    <AttributeDefinition id="eduPersonAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonAffiliation">
-      <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
-    </AttributeDefinition>
-
-    <AttributeDefinition id="memberOf" xsi:type="Simple" sourceAttributeID="memberOf">
-      <Dependency ref="myLDAPGROUPS" />
-    </AttributeDefinition>
-
-<!-- placeholder for scripted scriptEduPersonEntitlement -->
-
-<AttributeDefinition id="eduPersonNickname" xsi:type="Simple" sourceAttributeID="eduPersonNickname">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonOrgDN" xsi:type="Simple" sourceAttributeID="eduPersonOrgDN">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonOrgDN" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" friendlyName="eduPersonOrgDN" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonOrgUnitDN" xsi:type="Simple" sourceAttributeID="eduPersonOrgUnitDN">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" friendlyName="eduPersonOrgUnitDN" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonPrimaryOrgUnitDN" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryOrgUnitDN">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" friendlyName="eduPersonPrimaryOrgUnitDN" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="uid">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="nordu.net" sourceAttributeID="employeeType">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
-</AttributeDefinition>
-
-<!-- placeholder for eduPersonTargetedID and persistentId and transientId -->
-
-
-    <!-- ========================================== -->
-    <!--      Data Connectors                       -->
-    <!-- ========================================== -->
-
-    <!--
-    Example LDAP Connector
-
-    The connectivity details can be specified in ldap.properties to
-    share them with your authentication settings if desired.
-    -->
-    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
-        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
-        baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
-        <FilterTemplate>
-            <![CDATA[
-                %{idp.attribute.resolver.LDAP.searchFilter}
-            ]]>
-        </FilterTemplate>
-        <!-- Do we even need a connection pool? Got this:
-        WARN [org.ldaptive.pool.BlockingConnectionPool:882] - org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@6ec7349e failed validation
-
-        <ConnectionPool
-                  minPoolSize="%{idp.pool.LDAP.minSize:3}"
-                  maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
-                  blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
-                  validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
-                  validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
-                  expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
-                  failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />-->
-
-
-    </DataConnector>
-<!--    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
-        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
-        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
-        principal="%{idp.attribute.resolver.LDAP.bindDN}"
-        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
-        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
-        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
-        trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
-        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
-        <FilterTemplate>
-            <![CDATA[
-                %{idp.attribute.resolver.LDAP.searchFilter}
-            ]]>
-        </FilterTemplate>
-  <ConnectionPool
-            minPoolSize="%{idp.pool.LDAP.minSize:3}"
-            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
-            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
-            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
-            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
-            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
-            failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
-    </DataConnector>
-  -->
-
-  <DataConnector id="myLDAPGROUPS" xsi:type="LDAPDirectory"
-      ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
-      baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
-      <FilterTemplate>
-          <![CDATA[
-              %{idp.attribute.resolver.LDAP.searchFilter}
-          ]]>
-      </FilterTemplate>
-      <ReturnAttributes>memberOf</ReturnAttributes>
-  </DataConnector>
-
-
-  <!-- Computed targeted ID connector -->
-<!--  The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.-->
-
-<!--  <DataConnector id="ComputedId" xsi:type="ComputedId"
-      generatedAttributeID="computedId"
-      sourceAttributeID="uid"
-      salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
-      <resolver:Dependency ref="myLDAP" />
-  </DataConnector>
-
-also in old format the next block
-<resolver:DataConnector id="StoredId"
-    xsi:type="StoredId"
-    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
-    generatedAttributeID="persistentId"
-    sourceAttributeID="uid"
-    salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
-    <resolver:Dependency ref="uid" />
-    <ApplicationManagedConnection
-        jdbcDriver="com.mysql.jdbc.Driver"
-        jdbcURL="jdbc:mysql://mysql:3306/shibboleth?autoReconnect=true&amp;useSSL=false"
-        jdbcUserName="idp"
-        jdbcPassword="shibboleth" />
-</resolver:DataConnector>
--->
-
-
-</AttributeResolver>
diff --git a/template-config/metadata-providers.xml b/template-config/metadata-providers.xml
deleted file mode 100644
index 71b5967..0000000
--- a/template-config/metadata-providers.xml
+++ /dev/null
@@ -1,64 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- This file is an EXAMPLE metadata configuration file. -->
-<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
-    xmlns="urn:mace:shibboleth:2.0:metadata"
-    xmlns:resource="urn:mace:shibboleth:2.0:resource"
-    xmlns:security="urn:mace:shibboleth:2.0:security"
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
-                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
-                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
-                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
-
-    <!-- ========================================================================================== -->
-    <!--                             Metadata Configuration                                         -->
-    <!--                                                                                            -->
-    <!--  Below you place the mechanisms which define how to load the metadata for SP(s) you will   -->
-    <!--  provide service to.                                                                       -->
-    <!--                                                                                            -->
-    <!--  Two examples are provided.  The Shibboleth Documentation at                               -->
-    <!--  https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                -->
-    <!--  provides more details.                                                                    -->
-    <!--                                                                                            -->
-    <!--  NOTE.  This file SHOULD NOT contain the metadata for this IdP.                            -->
-    <!-- ========================================================================================== -->
-
-    <!--
-    Example HTTP metadata provider.  Use this if you want to download the metadata
-    from a remote source.
-
-    You *MUST* provide the SignatureValidationFilter in order to function securely.
-    Get the public key certificate from the party publishing the metadata, and validate
-    it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
-
-    The EntityRoleWhiteList saves memory by only loading metadata from SAML roles
-    that the IdP needs to interoperate with.
-    -->
-
-    <!--
-    <MetadataProvider id="HTTPMetadata"
-                      xsi:type="FileBackedHTTPMetadataProvider"
-                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
-                      metadataURL="http://WHATEVER">
-
-        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
-        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
-        <MetadataFilter xsi:type="EntityRoleWhiteList">
-            <RetainedRole>md:SPSSODescriptor</RetainedRole>
-        </MetadataFilter>
-    </MetadataProvider>
-    -->
-
-    <!--
-    Example file metadata provider.  Use this if you want to load metadata
-    from a local file.  You might use this if you have some local SPs
-    which are not "federated" but you wish to offer a service to.
-
-    If you do not provide a SignatureValidation filter, then you have the
-    responsibility to ensure that the contents on disk are trustworthy.
-    -->
-
-    <MetadataProvider id="sp.nordu.dev"  xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/apache-sp/sp-metadata.xml"/>
-
-</MetadataProvider>
diff --git a/template-config/relying-party.xml b/template-config/relying-party.xml
deleted file mode 100644
index 327c8e2..0000000
--- a/template-config/relying-party.xml
+++ /dev/null
@@ -1,78 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
-       xmlns:context="http://www.springframework.org/schema/context"
-       xmlns:util="http://www.springframework.org/schema/util"
-       xmlns:p="http://www.springframework.org/schema/p"
-       xmlns:c="http://www.springframework.org/schema/c"
-       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
-                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
-                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
-       default-init-method="initialize"
-       default-destroy-method="destroy">
-
-    <!--
-    Unverified RP configuration, defaults to no support for any profiles. Add <ref> elements to the list
-    to enable specific default profile settings (as below), or create new beans inline to override defaults.
-
-    "Unverified" typically means the IdP has no metadata, or equivalent way of assuring the identity and
-    legitimacy of a requesting system. To run an "open" IdP, you can enable profiles here.
-    -->
-    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
-        <property name="profileConfigurations">
-            <list>
-              <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
-              <ref bean="SAML1.AttributeQuery" />
-              <ref bean="SAML1.ArtifactResolution" />
-              <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
-              <ref bean="SAML2.ECP" />
-              <ref bean="SAML2.Logout" />
-              <ref bean="SAML2.AttributeQuery" />
-              <ref bean="SAML2.ArtifactResolution" />
-              <ref bean="Liberty.SSOS" />
-            </list>
-        </property>
-    </bean>
-
-    <!--
-    Default configuration, with default settings applied for all profiles, and enables
-    the attribute-release consent flow.
-    -->
-    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
-        <property name="profileConfigurations">
-            <list>
-                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
-                <ref bean="SAML1.AttributeQuery" />
-                <ref bean="SAML1.ArtifactResolution" />
-                <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
-                <ref bean="SAML2.ECP" />
-                <ref bean="SAML2.Logout" />
-                <ref bean="SAML2.AttributeQuery" />
-                <ref bean="SAML2.ArtifactResolution" />
-                <ref bean="Liberty.SSOS" />
-            </list>
-        </property>
-    </bean>
-
-    <!-- Container for any overrides you want to add. -->
-
-    <util:list id="shibboleth.RelyingPartyOverrides">
-
-        <!--
-        Override example that identifies a single RP by name and configures it
-        for SAML 2 SSO without encryption. This is a common "vendor" scenario.
-        -->
-        <!--
-        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org">
-            <property name="profileConfigurations">
-                <list>
-                    <bean parent="SAML2.SSO" p:encryptAssertions="false" />
-                </list>
-            </property>
-        </bean>
-        -->
-
-    </util:list>
-
-</beans>
-- 
cgit v1.1